
touch-packages team mailing list archive

[Bug 1446906] Re: lxc container with postfix, permission denied on mailq


** Description changed:

+ [Impact]
+ 
+  * Users may encounter situations where they use applications, confined by
+    AppArmor, that hit EACESS failures when attempting to operate on AF_UNIX
+    stream sockets.
+ 
+  * These failures typically occur when the confined applications attempts to
+    read from an AF_UNIX stream socket when the other end of the socket has
+    already been closed.
+ 
+  * AppArmor is mistakenly denying the socket operations due to the socket
+    shutdown operation making the sun_path no longer being available for
+    AppArmor mediation after the socket is shutdown.
+ 
+ [Test Case]
+ 
+  The expected test case is:
+ 
+  $ sudo apt-get install postfix # installing in 'local only' config is fine
+  $ cat > bug-profile << EOF
+  profile bug-profile flags=(attach_disconnected) {
+    network,
+    file,
+  }
+  EOF
+  $ sudo apparmor_parser -r bug.profile 
+  $ aa-exec -p bug-profile -- mailq
+  Mail queue is empty
+ 
+  A failed test case will see the mailq command exit with an error:
+ 
+  $ aa-exec -p bug-profile -- mailq
+  postqueue: warning: close: Permission denied
+ 
+  and these denials will be found in the syslog:
+ 
+  Jan 25 16:56:29 sec-vivid-amd64 kernel: [  241.096168] audit: type=1400 audit(1453762589.727:29): apparmor="DENIED" operation="file_perm" profile="bug-profile" name="public/showq" pid=4923 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
+  Jan 25 16:56:29 sec-vivid-amd64 kernel: [  241.096175] audit: type=1400 audit(1453762589.727:30): apparmor="DENIED" operation="file_perm" profile="bug-profile" name="public/showq" pid=4923 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
+ 
+ [Regression Potential]
+ 
+  * The changes are local to the path-based AF_UNIX stream socket mediation code
+    so that limits the regression potential to some degree.
+ 
+  * John Johansen authored the patch and I reviewed it. It is small and there's
+    no obvious areas of concern to me regarding potential regressions.
+ 
+ [Other Info]
+ 
+  * None at this time
+ 
+ [Original bug report]
+ 
  Hello,
  
  on three Vivid host, all of them up-to-date, I have the problem
  described here:
  
  https://bugs.launchpad.net/ubuntu/utopic/+source/linux/+bug/1390223
  
  That bug report shows the problem was fixed, but it is not (at least on
  current Vivid)
  
- 
  ii  linux-image-generic 3.19.0.15.14   amd64          Generic Linux kernel image
  ii  lxc                 1.1.2-0ubuntu3 amd64          Linux Containers userspace tools
  ii  apparmor            2.9.1-0ubuntu9 amd64          User-space parser utility for AppArmor
- 
  
  Reproducible with:
  
  $ sudo lxc-create -n test -t ubuntu
  $ sudo lxc-start -n test
  
  (inside container)
  
  $ sudo apt-get install postfix
  $ mailq
  postqueue: warning: close: Permission denied
  
- 
  dmesg shows:
  [82140.386109] audit: type=1400 audit(1429661150.086:17067): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=27742 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
- --- 
+ ---
  ApportVersion: 2.17.2-0ubuntu1
  Architecture: amd64
  AudioDevicesInUse:
-  USER        PID ACCESS COMMAND
-  /dev/snd/controlC0:  zoolook    1913 F.... pulseaudio
+  USER        PID ACCESS COMMAND
+  /dev/snd/controlC0:  zoolook    1913 F.... pulseaudio
  CurrentDesktop: Unity
  DistroRelease: Ubuntu 15.04
  HibernationDevice: RESUME=UUID=aa25401d-0553-43dc-b7c8-c530fe245fb6
  InstallationDate: Installed on 2015-02-27 (53 days ago)
  InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1)
  MachineType: LENOVO 20150
  Package: linux (not installed)
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-3.19.0-15-generic root=/dev/mapper/ubuntu--vg-root ro cgroup_enable=memory swapaccount=1 quiet splash vt.handoff=7
  ProcVersionSignature: Ubuntu 3.19.0-15.15-generic 3.19.3
  RelatedPackageVersions:
-  linux-restricted-modules-3.19.0-15-generic N/A
-  linux-backports-modules-3.19.0-15-generic  N/A
-  linux-firmware                             1.143
+  linux-restricted-modules-3.19.0-15-generic N/A
+  linux-backports-modules-3.19.0-15-generic  N/A
+  linux-firmware                             1.143
  Tags:  vivid
  Uname: Linux 3.19.0-15-generic x86_64
  UpgradeStatus: Upgraded to vivid on 2015-03-29 (24 days ago)
  UserGroups: adm docker libvirtd lpadmin sambashare sudo
  _MarkForUpload: True
  dmi.bios.date: 12/19/2012
  dmi.bios.vendor: LENOVO
  dmi.bios.version: 5ECN95WW(V9.00)
  dmi.board.asset.tag: No Asset Tag
  dmi.board.name: INVALID
  dmi.board.vendor: LENOVO
  dmi.board.version: 31900004WIN8 STD SGL
  dmi.chassis.asset.tag: No Asset Tag
  dmi.chassis.type: 10
  dmi.chassis.vendor: LENOVO
  dmi.chassis.version: Lenovo G580
  dmi.modalias: dmi:bvnLENOVO:bvr5ECN95WW(V9.00):bd12/19/2012:svnLENOVO:pn20150:pvrLenovoG580:rvnLENOVO:rnINVALID:rvr31900004WIN8STDSGL:cvnLENOVO:ct10:cvrLenovoG580:
  dmi.product.name: 20150
  dmi.product.version: Lenovo G580
  dmi.sys.vendor: LENOVO
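Review bot: the [Test Case] hunk writes the profile to `bug-profile` (`cat > bug-profile << EOF`) but then loads a different filename with `sudo apparmor_parser -r bug.profile`, so the parser fails on a missing file, the profile is never loaded, and the following `aa-exec -p bug-profile -- mailq` step cannot confine mailq under it; the load line should read `sudo apparmor_parser -r bug-profile`. In the [Impact] hunk, `EACESS` should be the errno name `EACCES`.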

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1446906

Title:
  lxc container with postfix, permission denied on mailq

Status in lxc package in Ubuntu:
  Confirmed

Bug description:
  [Impact]

   * Users may encounter situations where they use applications, confined by
     AppArmor, that hit EACCES failures when attempting to operate on AF_UNIX
     stream sockets.

   * These failures typically occur when a confined application attempts to
     read from an AF_UNIX stream socket when the other end of the socket has
     already been closed.

   * AppArmor is mistakenly denying the socket operations because the socket
     shutdown operation makes the sun_path no longer available for
     AppArmor mediation after the socket is shut down.

  [Test Case]

   The expected test case is:

   $ sudo apt-get install postfix # installing in 'local only' config is fine
   $ cat > bug-profile << EOF
   profile bug-profile flags=(attach_disconnected) {
     network,
     file,
   }
   EOF
   $ sudo apparmor_parser -r bug-profile
   $ aa-exec -p bug-profile -- mailq
   Mail queue is empty

   A failed test case will see the mailq command exit with an error:

   $ aa-exec -p bug-profile -- mailq
   postqueue: warning: close: Permission denied

   and these denials will be found in the syslog:

   Jan 25 16:56:29 sec-vivid-amd64 kernel: [  241.096168] audit: type=1400 audit(1453762589.727:29): apparmor="DENIED" operation="file_perm" profile="bug-profile" name="public/showq" pid=4923 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
   Jan 25 16:56:29 sec-vivid-amd64 kernel: [  241.096175] audit: type=1400 audit(1453762589.727:30): apparmor="DENIED" operation="file_perm" profile="bug-profile" name="public/showq" pid=4923 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
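   The following is an added example and not part of the bug report, the AppArmor
   patch, or postfix: a minimal C reproducer of the exact socket operation the
   [Impact] section describes. A server binds an AF_UNIX stream socket at a
   filesystem path (the sun_path), a client connects, the server end is shut
   down and closed, and the client then reads. Nothing has been written, so the
   only correct result is EOF (read() returns 0). On an affected kernel, run
   under a confining profile such as bug-profile, the read instead fails with
   EACCES, which is the failure postqueue hits on public/showq. The default
   socket path under /tmp is a constructed placeholder; any writable path the
   profile allows will do.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Server binds `path`, client connects, server end is shut down and closed,
 * client reads.  Returns 0 when the read returns EOF (the correct result),
 * the positive errno value when read() fails (EACCES on an affected kernel
 * under a confining profile), or -1 with errno set if setup itself failed. */
int read_after_peer_shutdown(const char *path)
{
    struct sockaddr_un addr;
    int lsock = -1, csock = -1, asock = -1, rc = -1, saved_errno;
    char buf[16];
    ssize_t n;

    if (strlen(path) >= sizeof(addr.sun_path)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strcpy(addr.sun_path, path);
    unlink(path);                       /* remove a stale socket file */

    /* Server: bind the path and listen, like postfix's public/showq socket. */
    if ((lsock = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) goto out;
    if (bind(lsock, (struct sockaddr *)&addr, sizeof(addr)) < 0) goto out;
    if (listen(lsock, 1) < 0) goto out;

    /* Client: connect by path, as postqueue does. */
    if ((csock = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) goto out;
    if (connect(csock, (struct sockaddr *)&addr, sizeof(addr)) < 0) goto out;
    if ((asock = accept(lsock, NULL, NULL)) < 0) goto out;

    /* Server side goes away first: shutdown, then close.  This is the state
     * the bug report describes, where the peer's sun_path is no longer
     * available to AppArmor when the client's read is mediated. */
    shutdown(asock, SHUT_RDWR);
    close(asock);
    asock = -1;

    /* The operation under test.  No data was written, so a correct kernel
     * returns 0 (EOF); an affected kernel under a confining profile returns
     * -1 with errno == EACCES. */
    n = read(csock, buf, sizeof(buf));
    if (n < 0) {
        rc = errno;                     /* report the read failure */
    } else if (n == 0) {
        rc = 0;                         /* EOF: the expected result */
    } else {
        errno = EIO;                    /* cannot happen: nothing was sent */
        rc = -1;
    }

out:
    saved_errno = errno;                /* close()/unlink() must not clobber it */
    if (asock >= 0) close(asock);
    if (csock >= 0) close(csock);
    if (lsock >= 0) close(lsock);
    unlink(path);
    errno = saved_errno;
    return rc;
}

int main(int argc, char **argv)
{
    /* Constructed default path for the example; override on the command line. */
    const char *path = argc > 1 ? argv[1] : "/tmp/aa-unix-test.sock";
    int rc = read_after_peer_shutdown(path);

    if (rc == 0)
        printf("read after peer shutdown: EOF (ok)\n");
    else if (rc > 0)
        printf("read after peer shutdown failed: %s\n", strerror(rc));
    else
        perror("setup failed");
    return rc != 0;
}
```

   Run it once unconfined to confirm it prints EOF, then again under the
   test-case profile (`aa-exec -p bug-profile -- ./aa-unix-read`) after loading
   that profile; on an affected kernel the second run reports "Permission
   denied" and the same `operation="file_perm"` denial for the socket path
   shows up in the audit log.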

  [Regression Potential]

   * The changes are local to the path-based AF_UNIX stream socket mediation code
     so that limits the regression potential to some degree.

   * John Johansen authored the patch and I reviewed it. It is small and there are
     no obvious areas of concern to me regarding potential regressions.

  [Other Info]

   * None at this time

  [Original bug report]

  Hello,

  on three Vivid hosts, all of them up-to-date, I have the problem
  described here:

  https://bugs.launchpad.net/ubuntu/utopic/+source/linux/+bug/1390223

  That bug report shows the problem was fixed, but it is not (at least
  on current Vivid)

  ii  linux-image-generic 3.19.0.15.14   amd64          Generic Linux kernel image
  ii  lxc                 1.1.2-0ubuntu3 amd64          Linux Containers userspace tools
  ii  apparmor            2.9.1-0ubuntu9 amd64          User-space parser utility for AppArmor

  Reproducible with:

  $ sudo lxc-create -n test -t ubuntu
  $ sudo lxc-start -n test

  (inside container)

  $ sudo apt-get install postfix
  $ mailq
  postqueue: warning: close: Permission denied

  dmesg shows:
  [82140.386109] audit: type=1400 audit(1429661150.086:17067): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=27742 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  ---
  ApportVersion: 2.17.2-0ubuntu1
  Architecture: amd64
  AudioDevicesInUse:
   USER        PID ACCESS COMMAND
   /dev/snd/controlC0:  zoolook    1913 F.... pulseaudio
  CurrentDesktop: Unity
  DistroRelease: Ubuntu 15.04
  HibernationDevice: RESUME=UUID=aa25401d-0553-43dc-b7c8-c530fe245fb6
  InstallationDate: Installed on 2015-02-27 (53 days ago)
  InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1)
  MachineType: LENOVO 20150
  Package: linux (not installed)
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-3.19.0-15-generic root=/dev/mapper/ubuntu--vg-root ro cgroup_enable=memory swapaccount=1 quiet splash vt.handoff=7
  ProcVersionSignature: Ubuntu 3.19.0-15.15-generic 3.19.3
  RelatedPackageVersions:
   linux-restricted-modules-3.19.0-15-generic N/A
   linux-backports-modules-3.19.0-15-generic  N/A
   linux-firmware                             1.143
  Tags:  vivid
  Uname: Linux 3.19.0-15-generic x86_64
  UpgradeStatus: Upgraded to vivid on 2015-03-29 (24 days ago)
  UserGroups: adm docker libvirtd lpadmin sambashare sudo
  _MarkForUpload: True
  dmi.bios.date: 12/19/2012
  dmi.bios.vendor: LENOVO
  dmi.bios.version: 5ECN95WW(V9.00)
  dmi.board.asset.tag: No Asset Tag
  dmi.board.name: INVALID
  dmi.board.vendor: LENOVO
  dmi.board.version: 31900004WIN8 STD SGL
  dmi.chassis.asset.tag: No Asset Tag
  dmi.chassis.type: 10
  dmi.chassis.vendor: LENOVO
  dmi.chassis.version: Lenovo G580
  dmi.modalias: dmi:bvnLENOVO:bvr5ECN95WW(V9.00):bd12/19/2012:svnLENOVO:pn20150:pvrLenovoG580:rvnLENOVO:rnINVALID:rvr31900004WIN8STDSGL:cvnLENOVO:ct10:cvrLenovoG580:
  dmi.product.name: 20150
  dmi.product.version: Lenovo G580
  dmi.sys.vendor: LENOVO

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1446906/+subscriptions