apparmor breaks lxc-start-ephemeral (apparmor+overlayfs returns -EINVAL)

Bug #925028 reported by Gary Poster
Affects           Status        Importance  Assigned to  Milestone
linux (Ubuntu)    Fix Released  Medium      Unassigned
  Precise         Fix Released  Medium      Unassigned
lxc (Ubuntu)      Invalid       High        Unassigned
  Precise         Invalid       High        Unassigned

Bug Description

Repro:
$ sudo lxc-create -t ubuntu -n precise -f /etc/lxc/local.conf -- -r precise -a i686 -b gary
$ sudo lxc-start-ephemeral -o precise
Setting up ephemeral container...
Starting up the container...
lxc-start: Invalid argument - failed to open /var/lib/lxc/precise-temp-P3RLwXk/config
lxc-start: failed to read configuration file

Workaround (thanks to wgrant):
$ sudo ln -s /etc/apparmor.d/usr.bin.lxc-start /etc/apparmor.disable/usr.
usr.bin.firefox usr.sbin.rsyslogd
$ sudo ln -s /etc/apparmor.d/usr.bin.lxc-start /etc/apparmor.d/disable/
$ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.lxc-start
$ sudo lxc-start-ephemeral -o precise
Setting up ephemeral container...
Starting up the container...
precise-temp-JgTN0gj is running
You connect with the command:
    sudo lxc-console -n precise-temp-JgTN0gj
---
AlsaVersion: Advanced Linux Sound Architecture Driver Version 1.0.24.
ApportVersion: 1.91-0ubuntu1
Architecture: amd64
ArecordDevices:
 **** List of CAPTURE Hardware Devices ****
 card 0: NVidia [HDA NVidia], device 0: Cirrus Analog [Cirrus Analog]
   Subdevices: 1/1
   Subdevice #0: subdevice #0
AudioDevicesInUse:
 USER PID ACCESS COMMAND
 /dev/snd/controlC0: gary 1953 F.... pulseaudio
CRDA: Error: command ['iw', 'reg', 'get'] failed with exit code 1: nl80211 not found.
Card0.Amixer.info:
 Card hw:0 'NVidia'/'HDA NVidia at 0xe7480000 irq 21'
   Mixer name : 'Cirrus Logic CS4206'
   Components : 'HDA:10134206,106b4b00,00100301'
   Controls : 18
   Simple ctrls : 9
CurrentDmesg:
 Error: command ['sh', '-c', 'dmesg | comm -13 --nocheck-order /var/log/dmesg -'] failed with exit code 1: comm: /var/log/dmesg: Permission denied
 dmesg: write failed: Broken pipe
DistroRelease: Ubuntu 12.04
MachineType: Apple Inc. MacBookPro5,3
NonfreeKernelModules: wl nvidia
Package: lxc 0.7.5-3ubuntu16
PackageArchitecture: amd64
ProcEnviron:
 PATH=(custom, user)
 SHELL=/bin/bash
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.2.0-12-generic root=UUID=44d3af31-0b7b-42d9-a0ff-d3cfb63f282d ro quiet splash vt.handoff=7
ProcVersionSignature: Ubuntu 3.2.0-12.21-generic 3.2.2
Tags: precise running-unity precise running-unity
Uname: Linux 3.2.0-12-generic x86_64
UpgradeStatus: Upgraded to precise on 2012-01-23 (9 days ago)
UserGroups: libvirtd sudo
WifiSyslog:

dmi.bios.date: 06/15/09
dmi.bios.vendor: Apple Inc.
dmi.bios.version: MBP53.88Z.00AC.B03.0906151647
dmi.board.asset.tag: Base Board Asset Tag#
dmi.board.name: Mac-F22587C8
dmi.board.vendor: Apple Inc.
dmi.chassis.asset.tag: Asset Tag#
dmi.chassis.type: 10
dmi.chassis.vendor: Apple Inc.
dmi.chassis.version: Mac-F22587C8
dmi.modalias: dmi:bvnAppleInc.:bvrMBP53.88Z.00AC.B03.0906151647:bd06/15/09:svnAppleInc.:pnMacBookPro5,3:pvr1.0:rvnAppleInc.:rnMac-F22587C8:rvr:cvnAppleInc.:ct10:cvrMac-F22587C8:
dmi.product.name: MacBookPro5,3
dmi.product.version: 1.0
dmi.sys.vendor: Apple Inc.

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

lxc-start: Invalid argument - failed to open /var/lib/lxc/pp1-temp-nZopjKs/config

type=AVC msg=audit(1328124899.479:187): apparmor="ALLOWED" operation="open" info="Failed name lookup" error=-22 parent=18229 profile="/usr/bin/lxc-start" name="" pid=18230 comm="lxc-start" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1328124899.479:187): arch=c000003e syscall=2 success=no exit=-22 a0=1b48120 a1=0 a2=1b6 a3=7fff7b243290 items=0 ppid=18229 pid=18230 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=29 comm="lxc-start" exe="/usr/bin/lxc-start" key=(null)

But /var/lib/lxc/pp1-temp-nZopjKs/config does exist.

Changed in lxc (Ubuntu):
status: New → Confirmed
importance: Undecided → High
Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Oh, of course,

none on /var/lib/lxc/pp1-temp-nZopjKs type overlayfs (rw,upperdir=/tmp/lxc-lp-ncNu1hk,lowerdir=/var/lib/lxc/pp1)

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

There is apparently still a bug in overlayfs with apparmor. If I do

mkdir /tmp/lower
mount -t overlayfs -o rw,upperdir=/tmp/lower,lowerdir=/ overlay /mnt

I can ls /mnt and see the overlay of / just fine. Then I create /etc/apparmor.d/sergebashtest which contains:

===============
#include <tunables/global>

/bin/bash2 flags=(attach_disconnected) {
  network,

  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability fsetid,
  capability kill,
  capability setgid,
  capability setuid,
  capability setpcap,
  capability linux_immutable,
  capability net_bind_service,
  capability net_broadcast,
  capability net_admin,
  capability net_raw,
  capability ipc_lock,
  capability ipc_owner,
  capability sys_module,
  capability sys_rawio,
  capability sys_chroot,
  capability sys_ptrace,
  capability sys_pacct,
  capability sys_admin,
  capability sys_boot,
  capability sys_nice,
  capability sys_resource,
  capability sys_time,
  capability sys_tty_config,
  capability mknod,
  capability lease,
  capability audit_write,
  capability audit_control,
  capability setfcap,
  capability mac_override,
  capability mac_admin,
  capability syslog,

  / rwklix,
  /** rwklix,

}

==================
and insert that with 'apparmor_parser /etc/apparmor.d/sergebashtest', and cp /bin/bash /bin/bash2.

Then I do /bin/bash2 and ls /mnt from there, and get:

root@sergelap:/etc/apparmor.d# ls /mnt
ls: cannot access /mnt: Invalid argument

though I can ls /tmp/lower and / just fine.
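
Added example (written for this page; it is not code from the bug report, from lxc or from AppArmor). It serves both the audit record in the first comment above and the overlayfs reproduction in this one. Part 1 is a small POSIX sh triage of AppArmor AVC records: the record above reads apparmor="ALLOWED" yet carries error=-22 and info="Failed name lookup". ALLOWED means the profile was in complain mode, and complain mode only turns EACCES/EPERM into success, so a path-resolution error such as -EINVAL still reaches the caller; that is why open() failed on a config file that exists. Part 2 automates the reproduction: it loads a throwaway profile, mounts an overlay of / and runs ls under the profile with aa-exec rather than by copying bash. The function names, the profile name lp925028_test and the DENIED sample record are this example's own; the mount invocation is the page's 3.2-era overlayfs syntax (mainline overlayfs is mounted as type overlay and requires a workdir=).

```shell
#!/bin/sh
# Added example, not from the bug report or from lxc/AppArmor.
# Part 1 triages AppArmor AVC records like the one in the comment above:
# apparmor="ALLOWED" (complain mode) together with error=-22 and
# info="Failed name lookup" is a kernel path-resolution failure, not a
# policy verdict, and complain mode does not mask it.
# Part 2 automates the overlayfs-under-profile test; it needs root and
# runs only when invoked as:  sh example.sh repro

# Value of one key in an audit record; handles key="quoted" and key=bare.
aa_field() {
    printf ' %s\n' "$1" | sed -n \
        -e "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p" -e t \
        -e "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Classify one AVC record. Prints:
#   <class> profile=... op=... comm=... error=... info=...
# class: lookup-failure (path could not be resolved; the syscall fails
# whatever the verdict says), policy-denial, complain-mode (would be
# denied in enforce mode), or other. Returns 1 for non-AppArmor records.
aa_classify() {
    rec=$1
    case "$rec" in
        *apparmor=*) ;;
        *) return 1 ;;
    esac
    verdict=$(aa_field "$rec" apparmor)
    info=$(aa_field "$rec" info)
    error=$(aa_field "$rec" error)
    class=other
    case "$info" in
        *"Failed name lookup"*) class=lookup-failure ;;
        *) case "$verdict" in
               DENIED)  class=policy-denial ;;
               ALLOWED) class=complain-mode ;;
           esac ;;
    esac
    printf '%s profile=%s op=%s comm=%s error=%s info=%s\n' "$class" \
        "$(aa_field "$rec" profile)" "$(aa_field "$rec" operation)" \
        "$(aa_field "$rec" comm)" "${error:-none}" "$info"
}

# Triage a stream of audit records on stdin (audit.log, dmesg, journalctl -k);
# lines that are not AppArmor records are skipped.
aa_audit_triage() {
    while IFS= read -r line; do
        aa_classify "$line" || true
    done
}

# Record quoted from the first comment above (Serge Hallyn).
SAMPLE_LOOKUP_FAIL='type=AVC msg=audit(1328124899.479:187): apparmor="ALLOWED" operation="open" info="Failed name lookup" error=-22 parent=18229 profile="/usr/bin/lxc-start" name="" pid=18230 comm="lxc-start" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'
# Constructed record (not from the page): an ordinary enforce-mode denial.
SAMPLE_DENY='type=AVC msg=audit(1328124900.000:188): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/lxc-start" name="/etc/shadow" pid=18231 comm="lxc-start" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Part 2: load a throwaway profile (lp925028_test is this example's name),
# mount an overlay of / as in the comment above, and run ls under the
# profile via aa-exec instead of copying bash. The mount syntax is the
# 3.2-era "overlayfs" one from the page; mainline uses -t overlay + workdir=.
repro_overlay_under_profile() {
    upper=$(mktemp -d); mnt=$(mktemp -d); prof=$(mktemp)
    cat >"$prof" <<'EOF'
profile lp925028_test flags=(attach_disconnected) {
  capability dac_override,
  capability dac_read_search,
  / rwklix,
  /** rwklix,
}
EOF
    apparmor_parser -r "$prof"
    mount -t overlayfs -o "rw,upperdir=$upper,lowerdir=/" overlay "$mnt"
    if aa-exec -p lp925028_test -- ls "$mnt" >/dev/null 2>&1; then
        echo "ls under profile succeeded: this kernel is not affected"
    else
        echo "ls under profile failed: run the audit log through aa_audit_triage"
    fi
    umount "$mnt"; apparmor_parser -R "$prof"; rm -rf "$prof" "$upper" "$mnt"
}

case "${1:-}" in
    repro)  repro_overlay_under_profile ;;   # root only
    triage) aa_audit_triage ;;               # records on stdin
    *)      printf '%s\n%s\n' "$SAMPLE_LOOKUP_FAIL" "$SAMPLE_DENY" | aa_audit_triage ;;
esac
```

Run it with no arguments to classify the two embedded records, with `triage` to read records from stdin, or as root with `repro` to perform the overlay test (it loads and then removes a profile and mounts and unmounts a temporary overlay). A caveat on the workaround in the description: unloading usr.bin.lxc-start with apparmor_parser -R leaves lxc-start, and so every container it starts, unconfined on the host until the fixed kernel (3.2.0-18.28 per the changelog below) is installed.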

Revision history for this message
Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 925028

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Revision history for this message
Gary Poster (gary) wrote : apport information attached (AcpiTables.txt, AlsaDevices.txt, AplayDevices.txt, Card0.Amixer.values.txt, Card0.Codecs.codec.0.txt, Dependencies.txt, IwConfig.txt, Lspci.txt, Lsusb.txt, PciMultimedia.txt, ProcCpuinfo.txt, ProcInterrupts.txt, ProcModules.txt, PulseSinks.txt, PulseSources.txt, RfKill.txt, UdevDb.txt, UdevLog.txt)

tags: added: apport-collected precise running-unity
description: updated

Changed in linux (Ubuntu):
status: Incomplete → Confirmed
summary: - apparmor breaks lxc-start-ephemeral
+ apparmor breaks lxc-start-ephemeral (apparmor+overlayfs returns -EINVAL)
Revision history for this message
Brad Figg (brad-figg) wrote : Test with newer development kernel (3.2.0-13.22)

Thank you for taking the time to file a bug report on this issue.

However, given the number of bugs that the Kernel Team receives during any development cycle it is impossible for us to review them all. Therefore, we occasionally resort to using automated bots to request further testing. This is such a request.

We have noted that there is a newer version of the development kernel than the one you last tested when this issue was found. Please test again with the newer kernel and indicate in the bug if this issue still exists or not.

You can update to the latest development kernel by simply running the following commands in a terminal window:

    sudo apt-get update
    sudo apt-get upgrade

If the bug still exists, change the bug status from Incomplete to Confirmed. If the bug no longer exists, change the bug status from Incomplete to Fix Released.

If you want this bot to quit automatically requesting kernel tests, add a tag named: bot-stop-nagging.

 Thank you for your help, we really do appreciate it.

Changed in linux (Ubuntu):
status: Confirmed → Incomplete
tags: added: kernel-request-3.2.0-13.22
Gary Poster (gary)
Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Gary Poster (gary)
tags: added: bot-stop-nagging
Revision history for this message
John Johansen (jjohansen) wrote :
Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

The new kernel for me fixes both this bug as well as bug 925024.

Changed in linux (Ubuntu Precise):
milestone: none → ubuntu-12.04-beta-1
tags: added: rls-p-tracking
Brad Figg (brad-figg)
Changed in linux (Ubuntu Precise):
importance: Undecided → Medium
Martin Pitt (pitti)
Changed in linux (Ubuntu):
milestone: ubuntu-12.04-beta-1 → ubuntu-12.04-beta-2
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.2.0-18.28

---------------
linux (3.2.0-18.28) precise; urgency=low

  [ Andy Whitcroft ]

  * ubuntu: AUFS -- adapt to the new changelog handling
  * ubuntu: AUFS -- sort out the relative header paths
  * ubuntu: AUFS -- update to d266b0c5d0693d6383976ee54b9e2c0fa9a3f5b0

  [ Chase Douglas ]

  * SAUCE: (drop after 3.3) HID: hid-magicmouse: Add pointer and buttonpad
    properties for Magic Trackpad
  * SAUCE: Input: synaptics - add second variant of two-button clickpad
  * SAUCE: Input: synapticss - Set buttonpad property for all clickpads

  [ Johannes Berg ]

  * SAUCE: iwlwifi: fix key removal
    - LP: #911059

  [ John Johansen ]

  * Revert "SAUCE: AppArmor: Fix unpack of network tables."
  * Revert "SAUCE: AppArmor: Allow dfa backward compatibility with broken
    userspace"
  * SAUCE: AppArmor: Add mising end of structure test to caps unpacking
  * SAUCE: AppArmor: Fix dropping of allowed operations that are force
    audited
  * SAUCE: AppArmor: Fix underflow in xindex calculation
  * SAUCE: AppArmor: fix mapping of META_READ to audit and quiet flags
  * SAUCE: AppArmor: Fix the error case for chroot relative path name
    lookup
    - LP: #925028
  * SAUCE: AppArmor: Retrieve the dentry_path for error reporting when path
    lookup fails
    - LP: #925028
  * SAUCE: AppArmor: Minor cleanup of d_namespace_path to consolidate error
    handling
  * SAUCE: AppArmor: Update dfa matching routines.
  * SAUCE: AppArmor: Move path failure information into aa_get_name and
    rename
  * SAUCE: AppArmor: Make chroot relative the default path lookup type
  * SAUCE: AppArmor: Add ability to load extended policy
  * SAUCE: AppArmor: basic networking rules
  * SAUCE: AppArmor: Add profile introspection file to interface
  * SAUCE: AppArmor: Add the ability to mediate mount
  * SAUCE: AppArmor: Add mount information to apparmorfs

  [ Kees Cook ]

  * SAUCE: AppArmor: refactor securityfs to use structures
  * SAUCE: AppArmor: add initial "features" directory to securityfs
  * SAUCE: AppArmor: add "file" details to securityfs
  * SAUCE: AppArmor: export known rlimit names/value mappings in securityfs

  [ Leann Ogasawara ]

  * Revert "[Config] Enable CONFIG_NVRAM=m"
    - LP: #942193
  * Rebase to v3.2.7
  * [Config] Enable CONFIG_USB_SERIAL_QUATECH2=m on arm and powerpc
  * [Config] Enable CONFIG_USB_SERIAL_QUATECH_USB2=m on arm and powerpc
  * [Config] Add CONFIG_NVRAM to config enforcer
    - LP: #942193
  * [Config] Enable CONFIG_SCSI_IBMVSCSI=m for powerpc
    - LP: #943090
  * [Config] Enable CONFIG_SCSI_IPR=m for powerpc
    - LP: #943090
  * provide ipmi udeb
    - LP: #942926
  * Rebase to v3.2.9
  * Add ibmveth to d-i/modules-powerpc/nic-modules
    - LP: #712188
  * [Config] Enable CONFIG_SCSI_IBMVFC=m for powerpc
    - LP: #712188
  * Add ibmvfc and ibmvscsic to d-i/modules-powerpc/nic-modules
    - LP: #712188

  [ Seth Heasley ]

  * SAUCE: ALSA: hda - Add Lynx Point HD Audio Controller DeviceIDs
    - LP: #900119
  * SAUCE: ahci: AHCI-mode SATA patch for Intel Lynx Point DeviceIDs
    - LP: #900119
  * SAUCE: ata_piix: IDE-mode SATA patch for Intel Lynx Point DeviceIDs
    - LP: #900119
...

Changed in linux (Ubuntu Precise):
status: Confirmed → Fix Released
Changed in lxc (Ubuntu Precise):
status: Confirmed → Invalid
Revision history for this message
Adam Conrad (adconrad) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
