touch-packages team mailing list archive
Message #131294
[Bug 1446906] Re: lxc container with postfix, permission denied on mailq
** Description changed:
+ [Impact]
+
+ * Users may encounter situations where they use applications, confined by
+ AppArmor, that hit EACESS failures when attempting to operate on AF_UNIX
+ stream sockets.
+
+ * These failures typically occur when the confined applications attempts to
+ read from an AF_UNIX stream socket when the other end of the socket has
+ already been closed.
+
+ * AppArmor is mistakenly denying the socket operations due to the socket
+ shutdown operation making the sun_path no longer being available for
+ AppArmor mediation after the socket is shutdown.
+
+ [Test Case]
+
+ The expected test case is:
+
+ $ sudo apt-get install postfix # installing in 'local only' config is fine
+ $ cat > bug-profile << EOF
+ profile bug-profile flags=(attach_disconnected) {
+ network,
+ file,
+ }
+ EOF
+ $ sudo apparmor_parser -r bug.profile
+ $ aa-exec -p bug-profile -- mailq
+ Mail queue is empty
+
+ A failed test case will see the mailq command exit with an error:
+
+ $ aa-exec -p bug-profile -- mailq
+ postqueue: warning: close: Permission denied
+
+ and these denials will be found in the syslog:
+
+ Jan 25 16:56:29 sec-vivid-amd64 kernel: [ 241.096168] audit: type=1400 audit(1453762589.727:29): apparmor="DENIED" operation="file_perm" profile="bug-profile" name="public/showq" pid=4923 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
+ Jan 25 16:56:29 sec-vivid-amd64 kernel: [ 241.096175] audit: type=1400 audit(1453762589.727:30): apparmor="DENIED" operation="file_perm" profile="bug-profile" name="public/showq" pid=4923 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
+
+ [Regression Potential]
+
+ * The changes are local to the path-based AF_UNIX stream socket mediation code
+ so that limits the regression potential to some degree.
+
+ * John Johansen authored the patch and I reviewed it. It is small and there's
+ no obvious areas of concern to me regarding potential regressions.
+
+ [Other Info]
+
+ * None at this time
+
+ [Original bug report]
+
Hello,
on three Vivid host, all of them up-to-date, I have the problem
described here:
https://bugs.launchpad.net/ubuntu/utopic/+source/linux/+bug/1390223
That bug report shows the problem was fixed, but it is not (at least on
current Vivid)
-
ii linux-image-generic 3.19.0.15.14 amd64 Generic Linux kernel image
ii lxc 1.1.2-0ubuntu3 amd64 Linux Containers userspace tools
ii apparmor 2.9.1-0ubuntu9 amd64 User-space parser utility for AppArmor
-
Reproducible with:
$ sudo lxc-create -n test -t ubuntu
$ sudo lxc-start -n test
(inside container)
$ sudo apt-get install postfix
$ mailq
postqueue: warning: close: Permission denied
-
dmesg shows:
[82140.386109] audit: type=1400 audit(1429661150.086:17067): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=27742 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
- ---
+ ---
ApportVersion: 2.17.2-0ubuntu1
Architecture: amd64
AudioDevicesInUse:
- USER PID ACCESS COMMAND
- /dev/snd/controlC0: zoolook 1913 F.... pulseaudio
+ USER PID ACCESS COMMAND
+ /dev/snd/controlC0: zoolook 1913 F.... pulseaudio
CurrentDesktop: Unity
DistroRelease: Ubuntu 15.04
HibernationDevice: RESUME=UUID=aa25401d-0553-43dc-b7c8-c530fe245fb6
InstallationDate: Installed on 2015-02-27 (53 days ago)
InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1)
MachineType: LENOVO 20150
Package: linux (not installed)
ProcFB: 0 inteldrmfb
ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-3.19.0-15-generic root=/dev/mapper/ubuntu--vg-root ro cgroup_enable=memory swapaccount=1 quiet splash vt.handoff=7
ProcVersionSignature: Ubuntu 3.19.0-15.15-generic 3.19.3
RelatedPackageVersions:
- linux-restricted-modules-3.19.0-15-generic N/A
- linux-backports-modules-3.19.0-15-generic N/A
- linux-firmware 1.143
+ linux-restricted-modules-3.19.0-15-generic N/A
+ linux-backports-modules-3.19.0-15-generic N/A
+ linux-firmware 1.143
Tags: vivid
Uname: Linux 3.19.0-15-generic x86_64
UpgradeStatus: Upgraded to vivid on 2015-03-29 (24 days ago)
UserGroups: adm docker libvirtd lpadmin sambashare sudo
_MarkForUpload: True
dmi.bios.date: 12/19/2012
dmi.bios.vendor: LENOVO
dmi.bios.version: 5ECN95WW(V9.00)
dmi.board.asset.tag: No Asset Tag
dmi.board.name: INVALID
dmi.board.vendor: LENOVO
dmi.board.version: 31900004WIN8 STD SGL
dmi.chassis.asset.tag: No Asset Tag
dmi.chassis.type: 10
dmi.chassis.vendor: LENOVO
dmi.chassis.version: Lenovo G580
dmi.modalias: dmi:bvnLENOVO:bvr5ECN95WW(V9.00):bd12/19/2012:svnLENOVO:pn20150:pvrLenovoG580:rvnLENOVO:rnINVALID:rvr31900004WIN8STDSGL:cvnLENOVO:ct10:cvrLenovoG580:
dmi.product.name: 20150
dmi.product.version: Lenovo G580
dmi.sys.vendor: LENOVO
https://bugs.launchpad.net/bugs/1446906
Title:
lxc container with postfix, permission denied on mailq
Status in lxc package in Ubuntu:
Confirmed
Bug description:
[Impact]

* Users may encounter situations where they use applications, confined by
AppArmor, that hit EACCES failures when attempting to operate on AF_UNIX
stream sockets.

* These failures typically occur when the confined application attempts to
read from an AF_UNIX stream socket when the other end of the socket has
already been closed.

* AppArmor is mistakenly denying the socket operations because the socket
shutdown operation makes the sun_path no longer available for AppArmor
mediation after the socket is shut down.
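The [Impact] bullets describe the sequence that triggers the denial: a confined process reads from a path-based AF_UNIX stream socket after the peer has shut down. The following is an added example, not part of the bug report or of the AppArmor patch, that reproduces that sequence in one unconfined Python process so the correct behaviour (queued data delivered, then an orderly EOF) can be seen. The temporary socket path and the payload are constructed stand-ins for postfix's public/showq socket and mailq's output; the "denied" branch only shows how the EACCES described above would surface to a reader hit by the bug.

```python
import os
import socket
import tempfile


def read_after_peer_close(payload: bytes = b"Mail queue is empty") -> dict:
    """Reproduce the socket sequence the bug affects, unconfined.

    A path-based AF_UNIX stream socket is bound and listened on, a client
    connects, the server end sends one message, shuts down and closes, and
    only then does the client read.  Constructed demo: the socket path stands
    in for postfix's public/showq and the payload for mailq's output.

    Returns {"status": "eof", "data": ..., "tail": b""} when the kernel
    behaves correctly: the queued data is delivered and the next read returns
    b'', an orderly EOF.  Under the bug described above a confined reader got
    EACCES instead, which would surface here as {"status": "denied", ...}.
    """
    sock_dir = tempfile.mkdtemp(prefix="afunix-demo-")
    path = os.path.join(sock_dir, "showq")

    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        server.bind(path)
        server.listen(1)
        # AF_UNIX connect() completes immediately while backlog space exists,
        # so both ends can be driven from a single thread.
        client.connect(path)
        conn, _ = server.accept()
        conn.sendall(payload)
        # The peer goes away before the client has read anything: this is the
        # shutdown that left sun_path unavailable for AppArmor mediation.
        conn.shutdown(socket.SHUT_RDWR)
        conn.close()
        try:
            data = client.recv(1024)
            tail = client.recv(1024)  # b'' means the peer hung up cleanly
        except PermissionError as exc:  # what the buggy kernel produced
            return {"status": "denied", "errno": exc.errno}
        return {"status": "eof", "data": data, "tail": tail}
    finally:
        client.close()
        server.close()
        if os.path.exists(path):
            os.unlink(path)
        os.rmdir(sock_dir)
```

Run unconfined, or confined on a fixed kernel, the function returns the "eof" result. It is not a regression test for the bug by itself, since the denial only appears when the reader is confined by a profile on an affected kernel; the [Test Case] section covers that with postfix and aa-exec.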
[Test Case]

The expected test case is:

$ sudo apt-get install postfix # installing in 'local only' config is fine
$ cat > bug-profile << EOF
profile bug-profile flags=(attach_disconnected) {
  network,
  file,
}
EOF
$ sudo apparmor_parser -r bug-profile
$ aa-exec -p bug-profile -- mailq
Mail queue is empty

A failed test case will see the mailq command exit with an error:

$ aa-exec -p bug-profile -- mailq
postqueue: warning: close: Permission denied

and these denials will be found in the syslog:

Jan 25 16:56:29 sec-vivid-amd64 kernel: [ 241.096168] audit: type=1400 audit(1453762589.727:29): apparmor="DENIED" operation="file_perm" profile="bug-profile" name="public/showq" pid=4923 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 25 16:56:29 sec-vivid-amd64 kernel: [ 241.096175] audit: type=1400 audit(1453762589.727:30): apparmor="DENIED" operation="file_perm" profile="bug-profile" name="public/showq" pid=4923 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
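The syslog lines above are what an affected host logs. As an added example, not from the bug report or from AppArmor itself, here is a small Python parser for AppArmor type=1400 audit records that pulls out the key="value" fields and filters for this bug's signature (postqueue denied a file_perm read on public/showq), so the denials can be spotted in collected syslog or dmesg output and counted per confining profile. The sample text embeds the two lines from the test case, the dmesg line from the original report, and two constructed lines (one unrelated denial and one ordinary kernel message) to show that the filter discriminates.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample: the two denials from the test case, the dmesg line from
# the original report, one unrelated constructed denial and one non-audit line.
SAMPLE_LOG = """\
Jan 25 16:56:29 sec-vivid-amd64 kernel: [ 241.096168] audit: type=1400 audit(1453762589.727:29): apparmor="DENIED" operation="file_perm" profile="bug-profile" name="public/showq" pid=4923 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 25 16:56:29 sec-vivid-amd64 kernel: [ 241.096175] audit: type=1400 audit(1453762589.727:30): apparmor="DENIED" operation="file_perm" profile="bug-profile" name="public/showq" pid=4923 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[82140.386109] audit: type=1400 audit(1429661150.086:17067): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=27742 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 25 16:57:02 sec-vivid-amd64 kernel: [ 274.001122] audit: type=1400 audit(1453762622.111:31): apparmor="DENIED" operation="open" profile="bug-profile" name="/var/log/mail.log" pid=4950 comm="tail" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 25 16:57:10 sec-vivid-amd64 kernel: [ 282.500000] eth0: link up
"""

# Matches both syslog-prefixed and bare dmesg forms of an AppArmor audit record.
_AUDIT_RE = re.compile(
    r"audit: type=1400 audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$"
)
# key="quoted value" or key=bare_value
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_apparmor_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one AppArmor type=1400 audit record, plus the
    audit timestamp and serial, or None for any other kind of line."""
    m = _AUDIT_RE.search(line)
    if not m:
        return None
    rec = {"audit_ts": m.group("ts"), "serial": m.group("serial")}
    for key, whole, quoted, bare in _KV_RE.findall(m.group("body")):
        rec[key] = quoted if whole.startswith('"') else bare
    return rec


def find_denials(text: str) -> List[Dict[str, str]]:
    """All apparmor="DENIED" records in a block of syslog or dmesg text."""
    recs = (parse_apparmor_line(line) for line in text.splitlines())
    return [r for r in recs if r and r.get("apparmor") == "DENIED"]


def is_showq_denial(rec: Dict[str, str]) -> bool:
    """Signature of this bug as logged in the report: postqueue denied a
    file_perm read (mask contains r) on the public/showq socket."""
    return (rec.get("operation") == "file_perm"
            and rec.get("comm") == "postqueue"
            and rec.get("name", "").endswith("public/showq")
            and "r" in rec.get("requested_mask", ""))


def find_showq_denials(text: str) -> List[Dict[str, str]]:
    """Only the denials that match this bug's signature."""
    return [r for r in find_denials(text) if is_showq_denial(r)]


def denials_by_profile(text: str) -> Dict[str, int]:
    """Count matching denials per confining profile, which here separates the
    ad-hoc test profile from the LXC default profile of the original report."""
    return dict(Counter(r["profile"] for r in find_showq_denials(text)))
```

Feed it `journalctl -k` or /var/log/syslog output from a suspect host; a non-empty result from find_showq_denials on a kernel that is supposed to carry the fix is the signal that the SRU did not land there.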
[Regression Potential]

* The changes are local to the path-based AF_UNIX stream socket mediation code,
which limits the regression potential to some degree.

* John Johansen authored the patch and I reviewed it. It is small and there are
no obvious areas of concern to me regarding potential regressions.

[Other Info]

* None at this time

[Original bug report]
Hello,
on three Vivid hosts, all of them up-to-date, I have the problem
described here:
https://bugs.launchpad.net/ubuntu/utopic/+source/linux/+bug/1390223
That bug report shows the problem was fixed, but it is not (at least
on current Vivid).

ii linux-image-generic 3.19.0.15.14 amd64 Generic Linux kernel image
ii lxc 1.1.2-0ubuntu3 amd64 Linux Containers userspace tools
ii apparmor 2.9.1-0ubuntu9 amd64 User-space parser utility for AppArmor

Reproducible with:
$ sudo lxc-create -n test -t ubuntu
$ sudo lxc-start -n test
(inside container)
$ sudo apt-get install postfix
$ mailq
postqueue: warning: close: Permission denied
dmesg shows:
[82140.386109] audit: type=1400 audit(1429661150.086:17067): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=27742 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
---
ApportVersion: 2.17.2-0ubuntu1
Architecture: amd64
AudioDevicesInUse:
USER PID ACCESS COMMAND
/dev/snd/controlC0: zoolook 1913 F.... pulseaudio
CurrentDesktop: Unity
DistroRelease: Ubuntu 15.04
HibernationDevice: RESUME=UUID=aa25401d-0553-43dc-b7c8-c530fe245fb6
InstallationDate: Installed on 2015-02-27 (53 days ago)
InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1)
MachineType: LENOVO 20150
Package: linux (not installed)
ProcFB: 0 inteldrmfb
ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-3.19.0-15-generic root=/dev/mapper/ubuntu--vg-root ro cgroup_enable=memory swapaccount=1 quiet splash vt.handoff=7
ProcVersionSignature: Ubuntu 3.19.0-15.15-generic 3.19.3
RelatedPackageVersions:
linux-restricted-modules-3.19.0-15-generic N/A
linux-backports-modules-3.19.0-15-generic N/A
linux-firmware 1.143
Tags: vivid
Uname: Linux 3.19.0-15-generic x86_64
UpgradeStatus: Upgraded to vivid on 2015-03-29 (24 days ago)
UserGroups: adm docker libvirtd lpadmin sambashare sudo
_MarkForUpload: True
dmi.bios.date: 12/19/2012
dmi.bios.vendor: LENOVO
dmi.bios.version: 5ECN95WW(V9.00)
dmi.board.asset.tag: No Asset Tag
dmi.board.name: INVALID
dmi.board.vendor: LENOVO
dmi.board.version: 31900004WIN8 STD SGL
dmi.chassis.asset.tag: No Asset Tag
dmi.chassis.type: 10
dmi.chassis.vendor: LENOVO
dmi.chassis.version: Lenovo G580
dmi.modalias: dmi:bvnLENOVO:bvr5ECN95WW(V9.00):bd12/19/2012:svnLENOVO:pn20150:pvrLenovoG580:rvnLENOVO:rnINVALID:rvr31900004WIN8STDSGL:cvnLENOVO:ct10:cvrLenovoG580:
dmi.product.name: 20150
dmi.product.version: Lenovo G580
dmi.sys.vendor: LENOVO