
touch-packages team mailing list archive

[Bug 1446906] Re: lxc container with postfix, permission denied on mailq


*** This bug is a duplicate of bug 1390223 ***
    https://bugs.launchpad.net/bugs/1390223

This is not actually a container problem but an apparmor3 problem. You can reproduce it by using aa-exec on the host (with any profile) starting with commit b3c3d641f1de (UBUNTU: SAUCE: (no-up) apparmor: Sync to apparmor3 - RC1 snapshot) of the wily kernel: see https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/wily/log/security/apparmor
Also, if I change my postfix service files on my host to use aa-exec so they're even in the same profile and then run mailq with aa-exec, or even just socat on that socket, the connect() will succeed but the read() will fail with EACCES.
We also managed to hit the case described in 1390223 where executing mailq in a loop will *sometimes* succeed (though I could not myself reproduce this on my host machine).
We do have a server where it fails in only *some* containers (the only significant difference between them is that one set is 32 bit and one is 64 bit, but I couldn't reproduce that by simply running 32 bit postfix binaries on the host, so the differences might go beyond that).

Here's an example session with the wily kernel and postfix on a host
modified to spawn with aa-exec:

# ps aux |grep postfix
root       556  0.0  0.5 108108  5124 ?        Ss   10:21   0:00 /usr/lib/postfix/bin/master -w
postfix    557  0.0  0.6 110176  6868 ?        S    10:21   0:00 pickup -l -t unix -u
postfix    558  0.0  0.6 110224  6768 ?        S    10:21   0:00 qmgr -l -t unix -u
postfix    560  0.0  0.6 110176  6808 ?        S    10:21   0:00 showq -t unix -u
# aa-status  |grep -A5 'processes are in enforce mode.'
4 processes are in enforce mode.
   lxc-container-default (556)
   lxc-container-default (557)
   lxc-container-default (558)
   lxc-container-default (560)
0 processes are in complain mode.
# lsof -n |grep showq
master    556                 root   61u     unix 0xffff88003c99e000      0t0      12486 public/showq type=STREAM
# aa-exec -p lxc-container-default -- mailq
postqueue: warning: close: Permission denied
# aa-exec -p lxc-container-default -- socat UNIX:/var/spool/postfix/public/showq -
2015/11/03 10:23:48 socat[597] E read(5, 0x2103a00, 8192): Permission denied
# strace -f -- aa-exec -p lxc-container-default -- mailq
(...)
socket(PF_LOCAL, SOCK_STREAM, 0)        = 4
fcntl(4, F_GETFL)                       = 0x2 (flags O_RDWR)
fcntl(4, F_SETFL, O_RDWR)               = 0
connect(4, {sa_family=AF_LOCAL, sun_path="public/showq"}, 110) = 0
poll([{fd=4, events=POLLIN}], 1, 3600000) = 1 ([{fd=4, revents=POLLIN|POLLHUP}])
read(4, 0x5606d5407f00, 4096)           = -1 EACCES (Permission denied)


log:
Nov 03 10:25:08 akern audit[643]: AVC apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=643 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 03 10:25:08 akern audit[643]: AVC apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=643 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 03 10:25:08 akern audit[643]: SYSCALL arch=c000003e syscall=0 success=no exit=-13 a0=4 a1=55bdbc538f00 a2=1000 a3=3dc items=0 ppid=433 pid=643 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=75 sgid=75 fsgid=75 tty=pts3 ses=3 comm="postqueue" exe="/usr/bin/postqueue" key=(null)
Nov 03 10:25:08 akern audit: PROCTITLE proctitle=706F73747175657565002D70
Nov 03 10:25:08 akern postfix/postqueue[643]: warning: close: Permission denied

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1446906

Title:
  lxc container with postfix, permission denied on mailq

Status in lxc package in Ubuntu:
  Confirmed

Bug description:
  Hello,

  on three Vivid hosts, all of them up-to-date, I have the problem
  described here:

  https://bugs.launchpad.net/ubuntu/utopic/+source/linux/+bug/1390223

  That bug report shows the problem was fixed, but it is not (at least
  on current Vivid).

  ii  linux-image-generic 3.19.0.15.14   amd64          Generic Linux kernel image
  ii  lxc                 1.1.2-0ubuntu3 amd64          Linux Containers userspace tools
  ii  apparmor            2.9.1-0ubuntu9 amd64          User-space parser utility for AppArmor

  Reproducible with:

  $ sudo lxc-create -n test -t ubuntu
  $ sudo lxc-start -n test

  (inside container)

  $ sudo apt-get install postfix
  $ mailq
  postqueue: warning: close: Permission denied

  dmesg shows:
  [82140.386109] audit: type=1400 audit(1429661150.086:17067): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=27742 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  --- 
  ApportVersion: 2.17.2-0ubuntu1
  Architecture: amd64
  AudioDevicesInUse:
   USER        PID ACCESS COMMAND
   /dev/snd/controlC0:  zoolook    1913 F.... pulseaudio
  CurrentDesktop: Unity
  DistroRelease: Ubuntu 15.04
  HibernationDevice: RESUME=UUID=aa25401d-0553-43dc-b7c8-c530fe245fb6
  InstallationDate: Installed on 2015-02-27 (53 days ago)
  InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1)
  MachineType: LENOVO 20150
  Package: linux (not installed)
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-3.19.0-15-generic root=/dev/mapper/ubuntu--vg-root ro cgroup_enable=memory swapaccount=1 quiet splash vt.handoff=7
  ProcVersionSignature: Ubuntu 3.19.0-15.15-generic 3.19.3
  RelatedPackageVersions:
   linux-restricted-modules-3.19.0-15-generic N/A
   linux-backports-modules-3.19.0-15-generic  N/A
   linux-firmware                             1.143
  Tags:  vivid
  Uname: Linux 3.19.0-15-generic x86_64
  UpgradeStatus: Upgraded to vivid on 2015-03-29 (24 days ago)
  UserGroups: adm docker libvirtd lpadmin sambashare sudo
  _MarkForUpload: True
  dmi.bios.date: 12/19/2012
  dmi.bios.vendor: LENOVO
  dmi.bios.version: 5ECN95WW(V9.00)
  dmi.board.asset.tag: No Asset Tag
  dmi.board.name: INVALID
  dmi.board.vendor: LENOVO
  dmi.board.version: 31900004WIN8 STD SGL
  dmi.chassis.asset.tag: No Asset Tag
  dmi.chassis.type: 10
  dmi.chassis.vendor: LENOVO
  dmi.chassis.version: Lenovo G580
  dmi.modalias: dmi:bvnLENOVO:bvr5ECN95WW(V9.00):bd12/19/2012:svnLENOVO:pn20150:pvrLenovoG580:rvnLENOVO:rnINVALID:rvr31900004WIN8STDSGL:cvnLENOVO:ct10:cvrLenovoG580:
  dmi.product.name: 20150
  dmi.product.version: Lenovo G580
  dmi.sys.vendor: LENOVO

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1446906/+subscriptions
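As an added example that is not part of this bug thread or of the lxc, postfix or apparmor projects: a small standard-library Python script that parses AppArmor audit records of the two shapes quoted above (the journald/auditd `AVC` + `SYSCALL` pair in the comment, and the dmesg `type=1400` form in the bug description) into fields, counts denials per (profile, operation, object name, denied mask), and decodes the paired SYSCALL record's `exit=-13` into the errno name `EACCES`. The sample lines are constructed copies of the ones in this mail; the function names `parse_audit_lines`, `summarize`, `syscall_errno` and `pair_syscalls` are chosen here. On an affected host or container this is a quick way to confirm that the `file_perm` denial on `public/showq` is what is producing the `close: Permission denied` warning, and under which profile and uid it fires.

```python
"""Triage AppArmor 'DENIED' audit records, e.g. the denied read on postfix's
public/showq socket discussed in this bug (standard library only)."""
import errno
import re
from collections import Counter

# Constructed sample, modelled on the records quoted in this bug thread:
# two journald-style lines (an AVC record and the SYSCALL record that follows it),
# a postfix warning line carrying no audit fields, and the dmesg-style line from
# the original bug description.
SAMPLE_LOG = """\
Nov 03 10:25:08 akern audit[643]: AVC apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=643 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 03 10:25:08 akern audit[643]: SYSCALL arch=c000003e syscall=0 success=no exit=-13 a0=4 a1=55bdbc538f00 a2=1000 a3=3dc items=0 ppid=433 pid=643 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=75 sgid=75 fsgid=75 tty=pts3 ses=3 comm="postqueue" exe="/usr/bin/postqueue" key=(null)
Nov 03 10:25:08 akern postfix/postqueue[643]: warning: close: Permission denied
[82140.386109] audit: type=1400 audit(1429661150.086:17067): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=27742 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key=value pairs: quoted values may contain spaces, unquoted ones run to whitespace.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Return the key=value fields of one audit line as a dict (quotes stripped)."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def parse_audit_lines(lines):
    """Keep AppArmor AVC records and auditd SYSCALL records; drop everything else."""
    records = []
    for line in lines:
        if "apparmor=" in line:
            rec = parse_kv(line)
            rec["kind"] = "AVC"
            records.append(rec)
        elif " SYSCALL " in line:
            rec = parse_kv(line)
            rec["kind"] = "SYSCALL"
            records.append(rec)
    return records


def denials(records):
    """Only the records AppArmor actually blocked (apparmor="DENIED")."""
    return [r for r in records if r["kind"] == "AVC" and r.get("apparmor") == "DENIED"]


def summarize(records):
    """Count denials per (profile, operation, object name, denied mask)."""
    counts = Counter()
    for r in denials(records):
        counts[(r.get("profile"), r.get("operation"), r.get("name"), r.get("denied_mask"))] += 1
    return counts


def syscall_errno(record):
    """Decode a failed SYSCALL record's exit value (e.g. -13) into an errno name."""
    if record["kind"] != "SYSCALL" or record.get("success") != "no":
        return None
    code = -int(record["exit"])
    return errno.errorcode.get(code, f"errno {code}")


def pair_syscalls(records):
    """Attach to each AVC record the errno of the next SYSCALL record with the same pid
    (None when no SYSCALL record follows, as for a bare dmesg line)."""
    paired = []
    for i, r in enumerate(records):
        if r["kind"] != "AVC":
            continue
        name = None
        for later in records[i + 1:]:
            if later["kind"] == "SYSCALL" and later.get("pid") == r.get("pid"):
                name = syscall_errno(later)
                break
        paired.append((r, name))
    return paired


if __name__ == "__main__":
    recs = parse_audit_lines(SAMPLE_LOG.splitlines())
    for key, n in summarize(recs).items():
        print(f"{n}x profile={key[0]} op={key[1]} name={key[2]} denied={key[3]}")
    for avc, err in pair_syscalls(recs):
        print(f"pid {avc.get('pid')} comm={avc.get('comm')} fsuid={avc.get('fsuid')} -> {err}")
```

To run it against a real host, feed `journalctl -k` or `dmesg` output to `parse_audit_lines` instead of `SAMPLE_LOG`. Note that `name="public/showq"` is a path relative to postfix's queue directory, so the summary key is the relative name as the kernel logged it, not an absolute path.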