wifi not working on Saucy Salamander

Bug #1231778 reported by Federico Briata on 2013-09-27
20
This bug affects 3 people
Affects Status Importance Assigned to Milestone
AC100_enablement
Undecided
Unassigned
AppArmor
Medium
Tyler Hicks
apparmor (Ubuntu)
Medium
Tyler Hicks
Saucy
Medium
Tyler Hicks
Trusty
Medium
Tyler Hicks
network-manager (Ubuntu)
Medium
Unassigned
Saucy
Undecided
Unassigned
Trusty
Medium
Unassigned

Bug Description

[Impact]

On older kernels that are missing certain AppArmor patches related to AppArmor D-Bus mediation, the presence of dbus rules in the binary AppArmor policy will result in policy load failures and, as a result, applications may run unconfined. On newer kernels that are missing the same patches mentioned above, the policy load will succeed but the dbus rules will be quietly ignored.

[Automated Test Case]

* test_lp1231778 has been added to QRT's test-apparmor.py script
* Run the test under the latest Saucy, Raring, and Lucid kernels to excercise all possible test load scenarios

[Manual Test Case]

* Install and reboot into older, unpatched mainline kernel (such as 3.1.10-030110-generic)

* Bad test results on the mainline 3.1.10 kernel:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Cache read/write disabled: /sys/kernel/security/apparmor/features interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
apparmor_parser: Unable to replace "/t". Profile doesn't conform to protocol

* Good test results on the mainline 3.1.10 kernel with a patched apparmor_parser:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Cache read/write disabled: /sys/kernel/security/apparmor/features interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
Warning from stdin (stdin line 2): profile /t dbus rules not enforced

* Install and reboot into newer, unpatched mainline kernel (such as 3.12.0-031200-generic)

* Bad test results on the mainline 3.12.0 kernel:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin

* Good test results on the mainline 3.12.0 kernel with a patched apparmor_parser:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
Warning from stdin (stdin line 2): profile /t dbus rules not enforced

* Reboot into Ubuntu 3.11.0-12-generic kernel

* Good test results on the Ubuntu 3.11.0-12-generic kernel with or without a patched apparmor_parser:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin

* Verify that dbus mediation occurs under the Ubuntu 3.11.0-12-generic kernel:
$ echo "profile nodbus { file, }" | sudo apparmor_parser -rq
$ dbus-send --print-reply --system --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames | head
method return sender=org.freedesktop.DBus -> dest=:1.51 reply_serial=2
   array [
      string "org.freedesktop.DBus"
...
$ aa-exec -p nodbus -- dbus-send --print-reply --system --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames
Failed to open connection to "system" message bus: An AppArmor policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender="(null)" (inactive) interface="org.freedesktop.DBus" member="Hello" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus)

[Regression Potential]

* The regression potential is minor because the fix is small and easy to test

[Original Bug Report]

Note that apparmor_parser warns that the dbus rule(s) will not be enforced and then loads the binary policy without any dbus rules.

Lubuntu 13.10 installed from daily image have wifi not working, even with BT disabled.

confirmed by stuw on IRC at Sun Sep 22
15:40 < stuw> iz1glg, I saw similar problem, but I don't know the reason and solution.

Marc Dietrich (marvin24) wrote :

can you attache the output of dmesg please?

I forgot an important information.: wifi is recognized by kernel, it's finds networks but won't connect it.

In attach dmesg.

Marc Dietrich (marvin24) wrote :

seems you ap sends on channel 13 (2472 MHz) which gets disable by your country (cfg80211: Disabling freq 2472 MHz) setting. Can you try to change your AP to something in between 1 and 11? I'm not sure how to change the regulatory country (US->IT?).

New attach, new access point, different country, same reported behavior.
With Lubuntu 12.10 wifi is working without any problem.

Please note that this log don't contain any Disabling freq, so the problem have to be found elsewhere.

Marc Dietrich (marvin24) wrote :

mmh, doesn't look like a kernel problem to me. Googleing around I found that killing wpa_supplicant or disabling ipv6 may help. Also you could try to remove network-manager and ifup the device manually to check.

HelmutPod (helmut-podhaisky) wrote :

networking in lubuntu 13.10 doesn't work for me either. No ip address with wifi and with eth0 (usb to ethernet, see dmesg1.txt). lubuntu 13.04 works perfectly (same router, same ssid etc.)

I haven't tried gsm, though.

I disable ipv6 temporarily ( sudo /sbin/ip addr del <ipv6address>/<prefixlength> dev ethX ) but it had no effect on the bug.

HelmutPod (helmut-podhaisky) wrote :

gsm: same behaviour, device and signal strength visible, connection failed with "wwan0: no IPv6 routers preset"

Marc Dietrich (marvin24) wrote :

Try killing wpa_supplicant or uninstall network-manager please.

HelmutPod (helmut-podhaisky) wrote :

First attempt (unsucessful):
After "apt-get remove network-manager" and reboot I lost "eth0" and "wlan0" in the output of "ifconfig -a". I re-installed network-manger and kill wpa_suplicant for wlan0 but it did not help (still no IP).

Second attempt (seems to work):
"apt-get install wicd" and /etc/network/interface with "auto eth0 \n iface eth0 inet dhcp".
I can connect wifi via wicd-gtk now.

(To install wicd I had to wget the deb-files on a second machine and to copy them to /var/caches/apt/archives)

Oliver Grawert (ogra) on 2013-10-18
Changed in network-manager (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Oliver Grawert (ogra) wrote :

[ 59.264921] type=1400 audit(1380291018.856:28): apparmor="STATUS" info="failed to unpack profile" error=-71 pid=781 comm="apparmor_parser" name="/usr/lib/NetworkManager/nm-dhcp-client.action" offset=155

this line from dmesg looks very suspicious ... adding "apparmor.enable=0" to the kernel cmdline (to diable apparmor completely) might help

John Johansen (jjohansen) wrote :

Can you please provide the contents of

  sudo aa-status

  /etc/apparmor.d/cache/.features

  /etc/apparmor.d/cache/sbin.dhclient

  ls -a /sys/kernel/security/apparmor/

if present (and dependent on whether its a dir or file)
  ls -a /sys/kernel/security/apparmor/features
or
  cat -s /sys/kernel/security/apparmor/features

Tyler Hicks (tyhicks) wrote :

This is most likely due to the apparmor_parser errors. They are caused by having a new apparmor_parser, new policy (which now includes dbus rules), and old kernel.

The parser should be checking to see if the kernel supports dbus rules. Looking at the mount rule support in the parser,

* in parser/parser_main.c:get_match_string():
  - if apparmorfs/features/mount exists, the kernel_supports_mount global is set to 1
* in parser/parser_regex.c:post_process_mnt_ents():
  - mount rule entries are only processed if kernel_supports_mount is not 0
  - if kernel_supports_mount is 0, then a warning is emitted and the mount rule is ignored

The dbus rule support in the parser needs similar logic.

Changed in apparmor (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Tyler Hicks (tyhicks)
Tyler Hicks (tyhicks) on 2013-10-26
Changed in apparmor:
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Tyler Hicks (tyhicks)
Tyler Hicks (tyhicks) on 2013-11-04
description: updated
Tyler Hicks (tyhicks) on 2013-11-05
description: updated
description: updated
Tyler Hicks (tyhicks) wrote :

Here's a Saucy debdiff for apparmor to fix this bug and bug 1243932. I've tested it using the manual tests mentioned in the description of both bugs, as well as with QRT's test-apparmor.py test script.

Changed in network-manager (Ubuntu):
status: Confirmed → Invalid
Tyler Hicks (tyhicks) wrote :

Here's a Trusty debdiff for apparmor to fix this bug, bug 1243932, and bug 1247269. I've tested it using the manual tests mentioned in the description of the first two bugs, as well as with QRT's test-apparmor.py test script.

I've smoke tested the chromium-browser profile changes and manually verified the Python abstraction fix, as well.

The attachment "apparmor_2.8.0-0ubuntu31.1.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Changed in network-manager (Ubuntu Saucy):
status: New → Invalid
Changed in apparmor (Ubuntu Saucy):
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Tyler Hicks (tyhicks)
Tyler Hicks (tyhicks) wrote :

I've added tests for this bug and bug 1243932 to QRT's test-apparmor.py. I've successfully ran the new tests on Trusty and Saucy. I ran the tests under a Trusty/Saucy, Raring, and Lucid kernels to test all potential policy load scenarios. All scenarios pass.

description: updated
Sebastien Bacher (seb128) wrote :

Unsusubscribing sponsors, Marc said that the security team is going to take care of sponsoring that one

Jamie Strandboge (jdstrand) wrote :

Uploaded 2.8.0-0ubuntu31.1. Tyler, can you make sure you follow any of the other steps in https://wiki.ubuntu.com/StableReleaseUpdates so it shows up on the SRU team's radar?

Jamie Strandboge (jdstrand) wrote :

apparmor 2.8.0-0ubuntu34 is awaiting landing team approval.

Tyler Hicks (tyhicks) on 2013-11-07
Changed in apparmor (Ubuntu Trusty):
status: Triaged → In Progress
Changed in apparmor (Ubuntu Saucy):
status: Triaged → In Progress
Changed in apparmor:
status: In Progress → Fix Committed
Jamie Strandboge (jdstrand) wrote :

apparmor 2.8.0-0ubuntu34 uploaded to trusty.

Changed in apparmor (Ubuntu Trusty):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.0-0ubuntu34

---------------
apparmor (2.8.0-0ubuntu34) trusty; urgency=low

  [ Tyler Hicks ]
  * 0078-parser-check-for-dbus-kernel-support.patch: The parser should not
    include D-Bus rules in the binary policy that it loads into the kernel if
    the kernel does not support D-Bus rules (LP: #1231778)
  * 0079-utils-ignore-unsupported-log-events.patch: aa-logprof should ignore
    audit events that it does not yet support instead of treating them as
    errors (LP: #1243932)
  * 0080-tests-use-ldconfig-for-library-detection.patch: Fix libapparmor
    detection in regression tests after the multiarch changes

  [ Jamie Strandboge ]
  * 0081-python-abstraction-updates.patch: Add rules in support of Python 3.3

  [ Chad Miller ]
  * debian/patches/0001-add-chromium-browser.patch: Follow new chromium-browser
    sandbox name. Keep old name for now to allow transition. LP: #1247269
 -- Tyler Hicks <email address hidden> Mon, 04 Nov 2013 15:57:30 -0800

Changed in apparmor (Ubuntu Trusty):
status: Fix Committed → Fix Released
Marc Dietrich (marvin24) wrote :

what about Saucy?

Hello Federico, or anyone else affected,

Accepted apparmor into saucy-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/apparmor/2.8.0-0ubuntu31.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in apparmor (Ubuntu Saucy):
status: In Progress → Fix Committed
tags: added: verification-needed

Ciao Stéphane,
precisely today I decided to test if the fix solves my issue on Saucy. :)

Because Ac100 can access to network only by wifi, I had to download all debs on a usb stick and install offline.

After install apparmor wifi is working, tested from LXDE and with network-manager , THANK YOU!!!

best regards and thanks again

tags: added: verification-done
removed: patch verification-needed

verification done, Tag updated.
version tested: apparmor_2.8.0-0ubuntu31.1-ubuntu

Tested apparmor_2.8.0-0ubuntu31.1-ubuntu, works!
Thanks!

Tyler Hicks (tyhicks) wrote :

I've verified that the test added to QRT's test-apparmor.py succeeds under Ubuntu Saucy kernel 3.11.0-13.20-generic, using the 2.8.0-0ubuntu31.1 package from -proposed.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.0-0ubuntu31.1

---------------
apparmor (2.8.0-0ubuntu31.1) saucy-proposed; urgency=low

  * 0078-parser-check-for-dbus-kernel-support.patch: The parser should not
    include D-Bus rules in the binary policy that it loads into the kernel if
    the kernel does not support D-Bus rules (LP: #1231778)
  * 0079-utils-ignore-unsupported-log-events.patch: aa-logprof should ignore
    audit events that it does not yet support instead of treating them as
    errors (LP: #1243932)
 -- Tyler Hicks <email address hidden> Mon, 04 Nov 2013 13:22:22 -0800

Changed in apparmor (Ubuntu Saucy):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for apparmor has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

dvvb (pinkman) on 2013-12-01
Changed in apparmor:
status: Fix Committed → Fix Released
Tyler Hicks (tyhicks) wrote :

Hi min-soo-cho - this fix has not yet been released in the upstream apparmor project so I'm changing this back to 'fix committed'

Changed in apparmor:
status: Fix Released → Fix Committed
Changed in apparmor:
milestone: none → 2.9.0
Steve Beattie (sbeattie) wrote :

Apparmor 2.9.0 has been released; closing.

Changed in ac100:
status: New → Fix Released
Changed in apparmor:
status: Fix Committed → Fix Released
Changed in network-manager (Ubuntu):
status: Invalid → Fix Released
Changed in network-manager (Ubuntu Saucy):
status: Invalid → Fix Released
Changed in network-manager (Ubuntu Trusty):
status: Invalid → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers