kernel WARN with enabled confined init (AppArmor WARN __add_profile: ((!mutex_is_locked(&profile->ns->lock))

Bug #1692504 reported by Mikhail Kurinnoi
This bug affects 1 person
Affects: AppArmor
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

I am playing around with confined init (disabled SECURITY_APPARMOR_UNCONFINED_INIT kernel config option). I just found that if I have SECURITY_APPARMOR_UNCONFINED_INIT disabled, the kernel logs a WARN on each boot. I use a 4.8.17 kernel with the latest apparmor module from git://kernel.ubuntu.com/ubuntu/ubuntu-zesty.git
It looks like the default system profile is created OK during boot, and I can reload it later with a custom default profile. So I don't see any issues with how confined init works.
I know you don't support custom kernels, but I just want to let you know. Hope this helps in your work.

May 22 13:44:01 totoro kernel: [ 0.023113] Security Framework initialized
May 22 13:44:01 totoro kernel: [ 0.023219] ------------[ cut here ]------------
May 22 13:44:01 totoro kernel: [ 0.023225] WARNING: CPU: 0 PID: 0 at security/apparmor/policy.c:136 __add_profile+0x180/0x1b0
May 22 13:44:01 totoro kernel: [ 0.023226] AppArmor WARN __add_profile: ((!mutex_is_locked(&profile->ns->lock))):
May 22 13:44:01 totoro kernel: [ 0.023227] Modules linked in:
May 22 13:44:01 totoro kernel: [ 0.023229] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.8.17-hardened-r2 #844
May 22 13:44:01 totoro kernel: [ 0.023230] Hardware name: Gigabyte Technology Co., Ltd. EP35-DS3L/EP35-DS3L, BIOS F6 06/19/2009
May 22 13:44:01 totoro kernel: [ 0.023233] 0000000000000000 ca094ea0ca094e88 0000000000000286 0000000000000000
May 22 13:44:01 totoro kernel: [ 0.023235] ffffffff8143ce0e ffffffff81148b8e ca094ea0ca094e88 ffffffff81e03e48
May 22 13:44:01 totoro kernel: [ 0.023237] 0000000000000000 ffffffff810d4c24 ffffffff81ba88c3 ffffffff81e03eb8
May 22 13:44:01 totoro kernel: [ 0.023239] Call Trace:
May 22 13:44:01 totoro kernel: [ 0.023245] [<ffffffff8143ce0e>] ? dump_stack+0x64/0xa6
May 22 13:44:01 totoro kernel: [ 0.023248] [<ffffffff81148b8e>] ? print_modules+0x5e/0xb0
May 22 13:44:01 totoro kernel: [ 0.023251] [<ffffffff810d4c24>] ? __warn+0xb4/0xd0
May 22 13:44:01 totoro kernel: [ 0.023253] [<ffffffff810d4cae>] ? warn_slowpath_fmt+0x6e/0x90
May 22 13:44:01 totoro kernel: [ 0.023254] [<ffffffff813c5e30>] ? __add_profile+0x180/0x1b0
May 22 13:44:01 totoro kernel: [ 0.023255] [<ffffffff813c668b>] ? aa_setup_default_label+0x7b/0xb0
May 22 13:44:01 totoro kernel: [ 0.023259] [<ffffffff81fea3b8>] ? apparmor_init+0x398/0x5ca
May 22 13:44:01 totoro kernel: [ 0.023261] [<ffffffff81fe96c5>] ? security_init+0x53/0x83
May 22 13:44:01 totoro kernel: [ 0.023264] [<ffffffff81fa8b82>] ? start_kernel+0x566/0x5df
May 22 13:44:01 totoro kernel: [ 0.023265] [<ffffffff81fa7120>] ? early_idt_handler_array+0x120/0x120
May 22 13:44:01 totoro kernel: [ 0.023267] [<ffffffff81fa74b7>] ? x86_64_start_kernel+0x10c/0x14d
May 22 13:44:01 totoro kernel: [ 0.023269] ---[ end trace f68728a0d3053b52 ]---
May 22 13:44:01 totoro kernel: [ 0.023273] AppArmor: AppArmor initialized

My kernel AppArmor configuration:

CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
# CONFIG_SECURITY_APPARMOR_STATS is not set
# CONFIG_SECURITY_APPARMOR_UNCONFINED_INIT is not set
# CONFIG_SECURITY_APPARMOR_HASH is not set
# CONFIG_SECURITY_LOADPIN is not set
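
For triaging boots like the one in this report, the following added example (not part of the original report and not AppArmor project code) pulls the failed AppArmor assertion and its caller chain out of a kernel log. The function name `apparmor_warns` is hypothetical, and the sample lines are copied from the log above with the syslog prefix shortened.

```python
import re

# Sample lines copied from the log in this report (syslog prefix shortened).
SAMPLE = """\
kernel: [ 0.023219] ------------[ cut here ]------------
kernel: [ 0.023225] WARNING: CPU: 0 PID: 0 at security/apparmor/policy.c:136 __add_profile+0x180/0x1b0
kernel: [ 0.023226] AppArmor WARN __add_profile: ((!mutex_is_locked(&profile->ns->lock))):
kernel: [ 0.023239] Call Trace:
kernel: [ 0.023253] [<ffffffff810d4cae>] ? warn_slowpath_fmt+0x6e/0x90
kernel: [ 0.023254] [<ffffffff813c5e30>] ? __add_profile+0x180/0x1b0
kernel: [ 0.023255] [<ffffffff813c668b>] ? aa_setup_default_label+0x7b/0xb0
kernel: [ 0.023259] [<ffffffff81fea3b8>] ? apparmor_init+0x398/0x5ca
kernel: [ 0.023261] [<ffffffff81fe96c5>] ? security_init+0x53/0x83
kernel: [ 0.023269] ---[ end trace f68728a0d3053b52 ]---
kernel: [ 0.023273] AppArmor: AppArmor initialized
"""

SITE = re.compile(r"WARNING: CPU: \d+ PID: (\d+) at (\S+):(\d+) (\w+)\+")
ASSERT = re.compile(r"AppArmor WARN (\w+): \(\((.*)\)\):\s*$")
FRAME = re.compile(r"\[<[0-9a-f]+>\] (?:\? )?([\w.]+)\+0x")

def apparmor_warns(text):
    """Return one dict per 'cut here' ... 'end trace' block that carries an AppArmor WARN."""
    found, cur = [], None
    for line in text.splitlines():
        if "[ cut here ]" in line:
            cur = {"frames": []}
        elif cur is None:
            continue
        elif "---[ end trace" in line:
            if "assertion" in cur:
                # Frames below the asserting function are its callers, innermost first.
                fr = cur.pop("frames")
                idx = fr.index(cur["func"]) if cur["func"] in fr else -1
                cur["callers"] = fr[idx + 1:]
                found.append(cur)
            cur = None
        elif m := SITE.search(line):
            cur.update(pid=int(m[1]), file=m[2], line=int(m[3]))
        elif m := ASSERT.search(line):
            cur.update(func=m[1], assertion=m[2])
        elif m := FRAME.search(line):
            cur["frames"].append(m[1])
    return found

if __name__ == "__main__":
    for w in apparmor_warns(SAMPLE):
        print(f"{w['file']}:{w['line']} {w['func']}: {w['assertion']}")
        print("  called from:", " <- ".join(w["callers"]))
```

On the sample, the caller chain ends in `security_init`, which places the warning in boot-time LSM initialisation (PID 0), not in a later policy load from user space.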
