Docker-1.8.2 can't create container, due to apparmor denying 'disconnected path'

Bug #1496430 reported by Kick In on 2015-09-16
8
This bug affects 2 people
Affects Status Importance Assigned to Milestone
AppArmor
High
John Johansen
linux (Ubuntu)
Undecided
Unassigned
Precise
Undecided
Unassigned
Trusty
Undecided
Unassigned
Vivid
Undecided
Unassigned
Wily
Undecided
Unassigned
linux-lts-utopic (Ubuntu)
Undecided
Unassigned
Precise
Undecided
Unassigned
Trusty
Undecided
Unassigned
Vivid
Undecided
Unassigned
Wily
Undecided
Unassigned

Bug Description

I'm trying to get docker-1.8.2-rc1 to work on snappy, while doing so I got this apparmor denial:

Sep 10 09:12:35 localhost.localdomain audit[1320]: AVC apparmor="DENIED" operation="mount" info="Failed name lookup - disconnected path" error=-13 profile="docker_docker-daemon_IAUSSaDNVTJR" name="/run/docker/netns/6901f2b6dd4c/" pid=1320 comm="exe" srcname="" flags="rw, bind"

and trying to chase it I got:
http://paste.ubuntu.com/12341612/

so docker is trying to issue this mount:
syscall.Mount("/proc/self/ns/net", /var/run/docker/netns/5b9b1ba4437b, "bind", 4096 (syscall.MS_BIND), "")

from https://golang.org/pkg/syscall/#Mount
func Mount(source string, target string, fstype string, flags uintptr, data string) (err error)

which is denied as if there wasn't a source?

Tyler Hicks (tyhicks) on 2015-09-16
Changed in apparmor:
status: New → Triaged
importance: Undecided → High
assignee: nobody → John Johansen (jjohansen)
status: Triaged → In Progress
Luis Henriques (henrix) on 2015-10-01
Changed in linux-lts-utopic (Ubuntu Precise):
status: New → Invalid
Changed in linux-lts-utopic (Ubuntu Vivid):
status: New → Invalid
Changed in linux-lts-utopic (Ubuntu):
status: New → Invalid
Changed in linux (Ubuntu):
status: New → Invalid
Changed in linux (Ubuntu Precise):
status: New → Fix Committed
Changed in linux (Ubuntu Trusty):
status: New → Fix Committed
Luis Henriques (henrix) on 2015-10-01
Changed in linux-lts-utopic (Ubuntu Trusty):
status: New → Fix Committed
Changed in linux (Ubuntu Vivid):
status: New → Fix Committed
Luis Henriques (henrix) on 2015-10-01
Changed in linux (Ubuntu Wily):
status: Invalid → New

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1496430

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Luis Henriques (henrix) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-precise' to 'verification-done-precise'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-precise verification-needed-trusty verification-needed-vivid
Luis Henriques (henrix) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-trusty' to 'verification-done-trusty'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

Luis Henriques (henrix) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-vivid' to 'verification-done-vivid'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

Launchpad Janitor (janitor) wrote :
Download full text (5.2 KiB)

This bug was fixed in the package linux - 4.2.0-15.18

---------------
linux (4.2.0-15.18) wily; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1503692

  [ Andy Whitcroft ]

  * Revert "SAUCE: aufs3: mmap: Fix races in madvise_remove() and sys_msync()"
    Was incorrectly backported.

  [ Ben Hutchings ]

  * SAUCE: aufs3: mmap: Fix races in madvise_remove() and sys_msync()
    - CVE-2015-7312

  [ Tim Gardner ]

  * [Debian] config-check and prepare using ${DEBIAN}/config/annotations
    Makes the LTS update script work better.

linux (4.2.0-15.17) wily; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1503016
  * rebase to v4.2.3

  [ Andrew Donnellan ]

  * SAUCE: cxl: fix leak of IRQ names in cxl_free_afu_irqs()
  * SAUCE: cxl: fix leak of ctx->irq_bitmap when releasing context via
    kernel API
  * SAUCE: cxl: fix leak of ctx->mapping when releasing kernel API contexts

  [ Ben Hutchings ]

  * SAUCE: aufs3: mmap: Fix races in madvise_remove() and sys_msync()
    - CVE-2015-7312

  [ Dan Carpenter ]

  * SAUCE: (noup) cxlflash: a couple off by one bugs
    - LP: #1499849

  [ John Johansen ]

  * SAUCE: (no-up) apparmor: fix mount not handling disconnected paths
    - LP: #1496430

  [ Manoj Kumar ]

  * SAUCE: (noup) cxlflash: Fix to avoid invalid port_sel value
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Replace magic numbers with literals
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Fix read capacity timeout
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Fix to double the delay each time
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Fix to escalate to LINK_RESET on login timeout
    - LP: #1499849

  [ Matthew R. Ochs ]

  * SAUCE: (noup) cxlflash: Fix potential oops following LUN removal
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Fix data corruption when vLUN used over
    multiple cards
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Fix to avoid sizeof(bool)
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Fix context encode mask width
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Fix to avoid CXL services during EEH
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Correct naming of limbo state and waitq
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Make functions static
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Refine host/device attributes
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Fix to avoid spamming the kernel log
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Fix to avoid stall while waiting on TMF
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Fix location of setting resid
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Fix host link up event handling
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Fix async interrupt bypass logic
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Remove dual port online dependency
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Fix AFU version access/storage and add check
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Correct usage of scsi_host_put()
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Fix to prevent workq from accessing freed
    memory
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Correct behavior in device reset handler
    ...

Read more...

Changed in linux (Ubuntu Wily):
status: Incomplete → Fix Released
tags: added: verification-done-trusty verification-done-vivid
removed: verification-needed-trusty verification-needed-vivid
tags: added: verification-done-precise
removed: verification-needed-precise
Launchpad Janitor (janitor) wrote :
Download full text (5.6 KiB)

This bug was fixed in the package linux - 3.13.0-66.108

---------------
linux (3.13.0-66.108) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1503713

  [ Andy Whitcroft ]

  * Revert "SAUCE: aufs3: mmap: Fix races in madvise_remove() and
    sys_msync()"
    - LP: #1503655

  [ Ben Hutchings ]

  * SAUCE: aufs3: mmap: Fix races in madvise_remove() and sys_msync()
    - LP: #1503655
    - CVE-2015-7312

linux (3.13.0-66.107) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1503021

  [ Ben Hutchings ]

  * SAUCE: aufs3: mmap: Fix races in madvise_remove() and sys_msync()
    - CVE-2015-7312

  [ John Johansen ]

  * SAUCE: (no-up) apparmor: fix mount not handling disconnected paths
    - LP: #1496430

  [ Upstream Kernel Changes ]

  * mmc: sdhci-pci: set the clear transfer mode register quirk for O2Micro
    - LP: #1472843
  * mmc: sdhci: Add a quirk for AMD SDHC transfer mode register need to be
    cleared for cmd without data
    - LP: #1472843
  * n_tty: Fix poll() when TIME_CHAR and MIN_CHAR == 0
    - LP: #1397976
  * net: make skb_gso_segment error handling more robust
    - LP: #1497048
  * net: gso: use feature flag argument in all protocol gso handlers
    - LP: #1497048
  * md/raid10: always set reshape_safe when initializing reshape_position.
    - LP: #1500810
  * md: flush ->event_work before stopping array.
    - LP: #1500810
  * ipv6: addrconf: validate new MTU before applying it
    - LP: #1500810
  * virtio-net: drop NETIF_F_FRAGLIST
    - LP: #1500810
  * RDS: verify the underlying transport exists before creating a
    connection
    - LP: #1500810
  * xen/gntdev: convert priv->lock to a mutex
    - LP: #1500810
  * xen/gntdevt: Fix race condition in gntdev_release()
    - LP: #1500810
  * PCI: Restore PCI_MSIX_FLAGS_BIRMASK definition
    - LP: #1500810
  * nfsd: Drop BUG_ON and ignore SECLABEL on absent filesystem
    - LP: #1500810
  * crypto: ixp4xx - Remove bogus BUG_ON on scattered dst buffer
    - LP: #1500810
  * xen-blkfront: don't add indirect pages to list when !feature_persistent
    - LP: #1500810
  * xen-blkback: replace work_pending with work_busy in
    purge_persistent_gnt()
    - LP: #1500810
  * USB: sierra: add 1199:68AB device ID
    - LP: #1500810
  * regmap: regcache-rbtree: Clean new present bits on present bitmap
    resize
    - LP: #1500810
  * target/iscsi: Fix double free of a TUR followed by a solicited NOPOUT
    - LP: #1500810
  * rbd: fix copyup completion race
    - LP: #1500810
  * md/raid1: extend spinlock to protect raid1_end_read_request against
    inconsistencies
    - LP: #1500810
  * target: REPORT LUNS should return LUN 0 even for dynamic ACLs
    - LP: #1500810
  * MIPS: Fix sched_getaffinity with MT FPAFF enabled
    - LP: #1500810
  * xhci: fix off by one error in TRB DMA address boundary check
    - LP: #1500810
  * perf: Fix fasync handling on inherited events
    - LP: #1500810
  * mm, vmscan: Do not wait for page writeback for GFP_NOFS allocations
    - LP: #1500810
  * MIPS: Make set_pte() SMP safe.
    - LP: #1500810
  * ipc: modify message queue accounting to not take kernel data structures
    into account
    - ...

Read more...

Changed in linux (Ubuntu Trusty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :
Download full text (11.2 KiB)

This bug was fixed in the package linux-lts-utopic - 3.16.0-51.69~14.04.1

---------------
linux-lts-utopic (3.16.0-51.69~14.04.1) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1503717

  [ Andy Whitcroft ]

  * Revert "SAUCE: aufs3: mmap: Fix races in madvise_remove() and
    sys_msync()"
    - LP: #1503655

  [ Ben Hutchings ]

  * SAUCE: aufs3: mmap: Fix races in madvise_remove() and sys_msync()
    - LP: #1503655
    - CVE-2015-7312

linux-lts-utopic (3.16.0-51.68~14.04.1) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1503239

  [ Ben Hutchings ]

  * SAUCE: aufs3: mmap: Fix races in madvise_remove() and sys_msync()
    - CVE-2015-7312

  [ John Johansen ]

  * SAUCE: (no-up) apparmor: fix mount not handling disconnected paths
    - LP: #1496430

  [ Leann Ogasawara ]

  * [Config] d-i -- Add sfc to nic-modules udeb
    - LP: #1481490

  [ Upstream Kernel Changes ]

  * mmc: sdhci-pci: set the clear transfer mode register quirk for O2Micro
    - LP: #1472843
  * mmc: sdhci: Add a quirk for AMD SDHC transfer mode register need to be
    cleared for cmd without data
    - LP: #1472843
  * md: use kzalloc() when bitmap is disabled
    - LP: #1500484
  * sparc64: Fix userspace FPU register corruptions.
    - LP: #1500484
  * ARM: OMAP2+: hwmod: Fix _wait_target_ready() for hwmods without sysc
    - LP: #1500484
  * ASoC: pcm1681: Fix setting de-emphasis sampling rate selection
    - LP: #1500484
  * iscsi-target: Fix use-after-free during TPG session shutdown
    - LP: #1500484
  * iscsi-target: Fix iscsit_start_kthreads failure OOPs
    - LP: #1500484
  * iscsi-target: Fix iser explicit logout TX kthread leak
    - LP: #1500484
  * ARM: dts: i.MX35: Fix can support.
    - LP: #1500484
  * ALSA: hda - Apply fixup for another Toshiba Satellite S50D
    - LP: #1500484
  * vhost: actually track log eventfd file
    - LP: #1500484
  * arm64/efi: map the entire UEFI vendor string before reading it
    - LP: #1500484
  * xfs: remote attribute headers contain an invalid LSN
    - LP: #1500484
  * xfs: remote attributes need to be considered data
    - LP: #1500484
  * ALSA: hda - Apply a fixup to Dell Vostro 5480
    - LP: #1500484
  * ALSA: usb-audio: add dB range mapping for some devices
    - LP: #1500484
  * drm/i915: Replace WARN inside I915_READ64_2x32 with retry loop
    - LP: #1500484
  * drm/radeon/combios: add some validation of lvds values
    - LP: #1500484
  * x86/efi: Use all 64 bit of efi_memmap in setup_e820()
    - LP: #1500484
  * ipr: Fix locking for unit attention handling
    - LP: #1500484
  * ipr: Fix incorrect trace indexing
    - LP: #1500484
  * ipr: Fix invalid array indexing for HRRQ
    - LP: #1500484
  * ALSA: hda - Fix MacBook Pro 5,2 quirk
    - LP: #1500484
  * x86/xen: Probe target addresses in set_aliased_prot() before the
    hypercall
    - LP: #1500484
  * netfilter: ctnetlink: put back references to master ct and expect
    objects
    - LP: #1500484
  * ipvs: do not use random local source address for tunnels
    - LP: #1500484
  * ipvs: fix crash if scheduler is changed
    - LP: #1500484
  * ipvs: fix crash with sync protocol v0 and FTP
    - ...

Changed in linux-lts-utopic (Ubuntu Trusty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.2.0-92.130

---------------
linux (3.2.0-92.130) precise; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1500854

  [ <email address hidden> ]

  * [Config] HOTPLUG_PCI_ACPI=y
    - LP: #1479031

  [ John Johansen ]

  * SAUCE: (no-up) apparmor: fix mount not handling disconnected paths
    - LP: #1496430

  [ Upstream Kernel Changes ]

  * RDS: verify the underlying transport exists before creating a
    connection
    - LP: #1496232
    - CVE-2015-6937
  * virtio-net: drop NETIF_F_FRAGLIST
    - LP: #1484793
    - CVE-2015-5156

 -- Brad Figg <email address hidden> Mon, 05 Oct 2015 13:50:43 -0700

Changed in linux (Ubuntu Precise):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :
Download full text (10.5 KiB)

This bug was fixed in the package linux - 3.19.0-31.36

---------------
linux (3.19.0-31.36) vivid; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1503703

  [ Andy Whitcroft ]

  * Revert "SAUCE: aufs3: mmap: Fix races in madvise_remove() and
    sys_msync()"
    - LP: #1503655

  [ Ben Hutchings ]

  * SAUCE: aufs3: mmap: Fix races in madvise_remove() and sys_msync()
    - LP: #1503655
    - CVE-2015-7312

linux (3.19.0-31.35) vivid; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1503005

  [ Ben Hutchings ]

  * SAUCE: aufs3: mmap: Fix races in madvise_remove() and sys_msync()
    - CVE-2015-7312

  [ Craig Magina ]

  * [Config] Add XGENE_EDAC, EDAC_SUPPORT and EDAC_ATOMIC_SCRUB
    - LP: #1494357

  [ John Johansen ]

  * SAUCE: (no-up) apparmor: fix mount not handling disconnected paths
    - LP: #1496430

  [ Laurent Dufour ]

  * SAUCE: powerpc/hvsi: Fix endianness issues in the HVSI driver
    - LP: #1499357

  [ Tim Gardner ]

  * [Config] CONFIG_RTC_DRV_XGENE=y for only arm64
    - LP: #1499869

  [ Upstream Kernel Changes ]

  * Revert "sit: Add gro callbacks to sit_offload"
    - LP: #1500493
  * ipmi/powernv: Fix minor locking bug
    - LP: #1493017
  * mmc: sdhci-pci: set the clear transfer mode register quirk for O2Micro
    - LP: #1472843
  * perf probe ppc: Fix symbol fixup issues due to ELF type
    - LP: #1485528
  * perf probe ppc: Use the right prefix when ignoring SyS symbols on ppc
    - LP: #1485528
  * perf probe ppc: Enable matching against dot symbols automatically
    - LP: #1485528
  * perf probe ppc64le: Fix ppc64 ABIv2 symbol decoding
    - LP: #1485528
  * perf probe ppc64le: Prefer symbol table lookup over DWARF
    - LP: #1485528
  * perf probe ppc64le: Fixup function entry if using kallsyms lookup
    - LP: #1485528
  * perf probe: Improve detection of file/function name in the probe
    pattern
    - LP: #1485528
  * perf probe: Ignore tail calls to probed functions
    - LP: #1485528
  * seccomp: cap SECCOMP_RET_ERRNO data to MAX_ERRNO
    - LP: #1496073
  * EDAC: Cleanup atomic_scrub mess
    - LP: #1494357
  * arm64: Enable EDAC on ARM64
    - LP: #1494357
  * MAINTAINERS: Add entry for APM X-Gene SoC EDAC driver
    - LP: #1494357
  * Documentation: Add documentation for the APM X-Gene SoC EDAC DTS
    binding
    - LP: #1494357
  * EDAC: Add APM X-Gene SoC EDAC driver
    - LP: #1494357
  * arm64: Add APM X-Gene SoC EDAC DTS entries
    - LP: #1494357
  * EDAC, edac_stub: Drop arch-specific include
    - LP: #1494357
  * NVMe: Fix blk-mq hot cpu notification
    - LP: #1498778
  * blk-mq: Shared tag enhancements
    - LP: #1498778
  * blk-mq: avoid access hctx->tags->cpumask before allocation
    - LP: #1498778
  * x86/ldt: Make modify_ldt synchronous
    - LP: #1500493
  * x86/ldt: Correct LDT access in single stepping logic
    - LP: #1500493
  * x86/ldt: Correct FPU emulation access to LDT
    - LP: #1500493
  * md: flush ->event_work before stopping array.
    - LP: #1500493
  * ipv6: addrconf: validate new MTU before applying it
    - LP: #1500493
  * virtio-net: drop NETIF_F_FRAGLIST
    - LP: #1500493
  * RDS: verify the underlying transport exists bef...

Changed in linux (Ubuntu Vivid):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers