kernel-packages team mailing list archive

Thread
Date

[Bug 1390223] Re: Apparmor related regression on access to unix sockets on a candidate 3.16 backport kernel

To: kernel-packages@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1390223@xxxxxxxxxxxxxxxxxx>
Date: Fri, 04 Dec 2015 16:16:26 -0000
Reply-to: Bug 1390223 <1390223@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This bug was fixed in the package linux - 4.3.0-1.10

---------------
linux (4.3.0-1.10) xenial; urgency=low

  [ Andy Whitcroft ]

  * [Config] make IBMVETH consistent on powerpc/ppc64el
    - LP: #1521712
  * [Config] follow ibmvscsi name change
    - LP: #1521712
  * [Config] move ibm disk and ethernet drivers to linux-image
    - LP: #1521712
  * [Config] include ibmveth in nic-modules for ppc64el
    - LP: #1521712
  * [Config] s390x -- disable abi/module checks for s390x

  [ Tim Gardner ]

  * [Config] Add spl/zfs provides to generic and powerpc64-smp
  * [Config] Add zfs to d-i fs-core-modules

  [ Upstream Kernel Changes ]

  * KVM: x86: work around infinite loop in microcode when #AC is delivered
  * KVM: svm: unconditionally intercept #DB
  * Btrfs: fix truncation of compressed and inlined extents
  * staging/dgnc: fix info leak in ioctl
  * [media] media/vivid-osd: fix info leak in ioctl
  * crypto: asymmetric_keys - remove always false comparison
  * X.509: Fix the time validation [ver #2]
  * isdn_ppp: Add checks for allocation failure in isdn_ppp_open()
  * ppp, slip: Validate VJ compression slot parameters completely

 -- Andy Whitcroft <apw@xxxxxxxxxxxxx>  Tue, 01 Dec 2015 21:37:13 +0000

** Changed in: linux (Ubuntu)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1390223

Title:
  Apparmor related regression on access to unix sockets on a candidate
  3.16 backport kernel

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Utopic:
  Confirmed
Status in linux source package in Vivid:
  Fix Committed

Bug description:
  I recently noticed a bunch of containers failing in a rather odd way
  when running postfix.

  The most visible example is when running mailq on an empty queue.
  Without apparmor (unconfined container) I see that the queue is empty,
  with apparmor, I get Permission denied.

  That's all running as root so the permission denied looks a tiny bit
  odd. Also, running the 3.13 kernel, I don't get any of that weirdness.

  My guess is that it has to do with the work that went into the 3.16
  kernel for socket mediation. In theory only systems that run the
  utopic apparmor (which I DO NOT) should be seeing that kind of
  behavior, but it looks like some code path isn't checking things
  properly :)

  == strace in unconfined container ==
  chdir("/var/spool/postfix")             = 0
  rt_sigaction(SIGPIPE, {SIG_IGN, [PIPE], SA_RESTORER|SA_RESTART, 0x7f8963a62c30}, {SIG_IGN, [], 0}, 8) = 0
  getuid()                                = 0
  socket(PF_LOCAL, SOCK_STREAM, 0)        = 4
  fcntl(4, F_GETFL)                       = 0x2 (flags O_RDWR)
  fcntl(4, F_SETFL, O_RDWR)               = 0
  connect(4, {sa_family=AF_LOCAL, sun_path="public/showq"}, 110) = 0
  poll([{fd=4, events=POLLIN}], 1, 3600000) = 1 ([{fd=4, revents=POLLIN|POLLHUP}])
  read(4, "Mail queue is empty\n", 4096)  = 20
  poll([{fd=4, events=POLLIN}], 1, 3600000) = 1 ([{fd=4, revents=POLLIN|POLLHUP}])
  read(4, "", 4096)                       = 0
  write(1, "Mail queue is empty\n", 20Mail queue is empty
  )   = 20
  close(4)                                = 0
  exit_group(0)                           = ?
  +++ exited with 0 +++

  == strace in confined container ==
  chdir("/var/spool/postfix")             = 0
  rt_sigaction(SIGPIPE, {SIG_IGN, [PIPE], SA_RESTORER|SA_RESTART, 0x7ffe62de4c30}, {SIG_IGN, [], 0}, 8) = 0
  getuid()                                = 0
  socket(PF_LOCAL, SOCK_STREAM, 0)        = 4
  fcntl(4, F_GETFL)                       = 0x2 (flags O_RDWR)
  fcntl(4, F_SETFL, O_RDWR)               = 0
  connect(4, {sa_family=AF_LOCAL, sun_path="public/showq"}, 110) = 0
  poll([{fd=4, events=POLLIN}], 1, 3600000) = 1 ([{fd=4, revents=POLLIN|POLLHUP}])
  read(4, 0x7ffe65b35c00, 4096)           = -1 EACCES (Permission denied)
  close(4)                                = 0
  write(2, "postqueue: warning: close: Permi"..., 45postqueue: warning: close: Permission denied
  ) = 45
  sendto(3, "<20>Nov  6 20:40:42 postfix/post"..., 78, MSG_NOSIGNAL, NULL, 0) = 78
  exit_group(0)                           = ?

  Kernel is a slightly outdated version of the kernel from the kernel team PPA:
  Linux shell01 3.16.0-23-generic #31-Ubuntu SMP Thu Oct 23 20:13:35 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

  If you think the latest build will improve this, I can test it, but
  seeing how this is a production server, I can't just flip kernels
  every 5 minutes (I'm running 3.16 to avoid a nasty btrfs bug on 3.13).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1390223/+subscriptions

References

[Bug 1390223] [NEW] Apparmor related regression on access to unix sockets on a candidate 3.16 backport kernel
From: Stéphane Graber, 2014-11-06