kernel-packages team mailing list archive
-
kernel-packages team
-
Mailing list archive
-
Message #182519
[Bug 1465724] Missing required logs.
This bug is missing log files that will aid in diagnosing the problem.
>From a terminal window please run:
apport-collect 1465724
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable
to run this command, please add a comment stating that fact and change
the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the
Ubuntu Kernel Team.
** Changed in: linux (Ubuntu)
Status: New => Incomplete
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1465724
Title:
net_admin apparmor denial when using Go
Status in Snappy:
In Progress
Status in linux package in Ubuntu:
Incomplete
Status in linux source package in Xenial:
Fix Committed
Bug description:
SRU Justification:
Impact: A noisy AppArmor denial is reported to the system logs when a
go program is run as a privileged user. The denial is non-fatal and is
simply the result of the proc net systctl code determining what
permissions a new inode should have. This noisy denial has a high
potential to confuse snap packagers because they may think that their
application is not working under Snappy confinement. It has a high
potential to confuse Snappy users because they may think that the
snaps running on their system are malicious.
Fix: The fix was authored by Tyler Hicks and acked by Serge Hallyn. It
creates a new ns_capable() function that calls into the LSM hooks with
the noaudit flag set so that the LSM doesn't generate a denial if the
application under confinement is missing the CAP_NET_ADMIN capability
Testcase:
# Load a test AppArmor profile
$ echo "profile test { file, }" | sudo apparmor_parser -rq
# Read a proc net sysctl file as root under confinement:
$ sudo aa-exec -p test -- cat /proc/sys/net/core/somaxconn
128
# Manually inspect /var/log/syslog (or, if auditd is running, /var/log/audit/audit.log) to verify that the following denial is *NOT* present:
# audit: type=1400 audit(1462575670.000:29): apparmor="DENIED" operation="capable" profile="test" pid=1161 comm="cat" capability=12 capname="net_admin"
Original report:
Somewhere in the following code, this denial gets thrown. It's
difficult to tell where because the report of the denial seems to be
asynchronous, as it comes interspersed with all the other debug
information being printed to stdout.
http://bazaar.launchpad.net/~rick-rickspencer3/+junk/go-
uploader/view/head:/main.go
Jun 16 14:21:51 localhost kernel: [ 7488.856306] audit: type=1400
audit(1434464511.427:41): apparmor="DENIED" operation="capable"
profile="go-uploader.sideload_go-uploader_0.3" pid=1493 comm="go-
uploader" capability=12 capname="net_admin"
I can fix it by adding capability net_admin to
/var/lib/apparmor/profiles/click_go-uploader.sideload_go-uploader_0.3
and rerunning apparmor_parser
To manage notifications about this bug go to:
https://bugs.launchpad.net/snappy/+bug/1465724/+subscriptions