apport fails with PermissionError for dump mode 2 in containers

Bug #1982487 reported by Benjamin Drung
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| Apport | Fix Released | Medium | Unassigned | |
| apport (Ubuntu) | Fix Released | Medium | Unassigned | |
| Bionic | New | Undecided | Unassigned | |
| Focal | Fix Released | Undecided | Unassigned | |
| Jammy | Fix Released | Undecided | Unassigned | |

Bug Description

[Impact]

Apport will fail for processes with dump mode 2 inside of containers.

[Test plan]

Run the following test case script inside an LXC container:

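```
#!/bin/sh
# Start from a clean state: no old crash reports, no old apport log.
sudo rm -rf /var/crash/* /var/log/apport.log

# Run ping in the background as the unprivileged user "mail".
sudo -u mail sh -c "ping 127.0.0.1 > /dev/null" &
sleep 0.3
# Send signal 11 (SIGSEGV) so the kernel invokes apport for the crash.
killall -11 ping

# Give apport time to finish, then show what it logged.
sleep 0.3
cat /var/log/apport.log
```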

apport.log for the affected version:

```
ERROR: apport (pid 6452) Thu Jul 21 12:59:45 2022: called for pid 6449, signal 11, core limit 0, dump mode 2
ERROR: apport (pid 6452) Thu Jul 21 12:59:45 2022: not creating core for pid with dump mode of 2
ERROR: apport (pid 6452) Thu Jul 21 12:59:45 2022: Unhandled exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/apport/report.py", line 681, in add_proc_info
    self["ExecutablePath"] = _read_proc_link(
  File "/usr/lib/python3/dist-packages/apport/report.py", line 92, in _read_proc_link
    return os.readlink(path, dir_fd=dir_fd)
PermissionError: [Errno 13] Permission denied: 'exe'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/share/apport/apport", line 862, in <module>
    info.add_proc_info(proc_pid_fd=proc_pid_fd)
  File "/usr/lib/python3/dist-packages/apport/report.py", line 686, in add_proc_info
    raise ValueError("not accessible")
ValueError: not accessible
ERROR: apport (pid 6452) Thu Jul 21 12:59:45 2022: pid: 6452, uid: 0, gid: 0, euid: 8, egid: 8
ERROR: apport (pid 6452) Thu Jul 21 12:59:45 2022: environment: environ({'LANG': 'C.UTF-8', 'PATH': '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin', 'LISTEN_PID': '6452', 'LISTEN_FDS': '1', 'LISTEN_FDNAMES': 'connection', 'INVOCATION_ID': '1352c67b4a21480a9b35db8012dafb42', 'JOURNAL_STREAM': '8:29587491', 'SYSTEMD_EXEC_PID': '6452'})
```

The apport log should not show a Traceback.

[Where problems could occur]

The apport binary is called by the kernel when a process crashes. Worst-case scenarios include breaking the apport binary and no problem report being generated any more (or apport using too many resources). Users will see problem reports inside the container, which cause additional load or disk usage. The fix is accompanied by a test case (run in autopkgtest).

[Other Info]

The autopkgtests for armhf are run inside an LXC container and some test cases like test_crash_setuid_drop trigger this bug.

Due to the huge number of broken autopkgtest tests, the diffs for the SRUs are bigger than desired. The individual commits in https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/apport/ are probably easier to review.

* jammy SRU: https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/apport/log/?h=1fa042cc27714c407494b3d6dfd0730bb984f3eb
* focal SRU: https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/apport/log/?h=eaa92037c7dfba621719c6f81fd75f6a09e90881
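
The test plan's pass criterion ("the apport log should not show a Traceback") can be checked mechanically. The following is an added example, not part of the original report and not apport's own code: it groups apport.log lines by apport pid and reports the runs that ended in an unhandled exception. The function names are hypothetical, and the sample is abridged from the log above plus one constructed passing entry (pid 7001).

```python
import re

# Constructed sample: abridged from the log in this report, plus one made-up passing run.
SAMPLE_LOG = """\
ERROR: apport (pid 6452) Thu Jul 21 12:59:45 2022: called for pid 6449, signal 11, core limit 0, dump mode 2
ERROR: apport (pid 6452) Thu Jul 21 12:59:45 2022: Unhandled exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/apport/report.py", line 92, in _read_proc_link
    return os.readlink(path, dir_fd=dir_fd)
PermissionError: [Errno 13] Permission denied: 'exe'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/apport/report.py", line 686, in add_proc_info
    raise ValueError("not accessible")
ValueError: not accessible
ERROR: apport (pid 7001) Thu Jul 21 13:05:10 2022: called for pid 6990, signal 11, core limit 0, dump mode 1
"""

# The timestamp in each entry is an asctime() string, which is always 24 characters wide.
ENTRY = re.compile(r"^ERROR: apport \(pid (\d+)\) (.{24}): (.*)$")
CALLED = re.compile(r"called for pid (\d+), signal (\d+), core limit (\d+), dump mode (\d+)")
EXC = re.compile(r"^([A-Za-z_][\w.]*(?:Error|Exception)): (.*)$")

def parse_invocations(text):
    """Group log lines by apport pid; record crash details and any traceback."""
    runs, current = {}, None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            current = runs.setdefault(int(m.group(1)), {"exceptions": [], "unhandled": False})
            c = CALLED.search(m.group(3))
            if c:
                pid, sig, _limit, mode = map(int, c.groups())
                current.update(crashed_pid=pid, signal=sig, dump_mode=mode)
            elif m.group(3).startswith("Unhandled exception"):
                current["unhandled"] = True
        elif current is not None:
            e = EXC.match(line)  # unindented "Type: message" line that ends a traceback
            if e:
                current["exceptions"].append(e.group(1))
    return runs

def failed_runs(text):
    """Return {apport_pid: info} for runs that logged an unhandled exception."""
    return {p: r for p, r in parse_invocations(text).items() if r["unhandled"]}
```

Calling `failed_runs()` on the contents of `/var/log/apport.log` after running the test script returns an empty dict when the test plan passes.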

Benjamin Drung (bdrung)
Changed in apport:
milestone: none → 2.23.0
description: updated
Changed in apport (Ubuntu):
status: New → Triaged
Changed in apport:
status: New → Triaged
Benjamin Drung (bdrung) wrote :
Changed in apport:
status: Triaged → Fix Committed
Changed in apport (Ubuntu):
importance: Undecided → Medium
Changed in apport:
importance: Undecided → Medium
Benjamin Drung (bdrung)
Changed in apport:
status: Fix Committed → Fix Released
Benjamin Drung (bdrung)
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.23.0-0ubuntu1

---------------
apport (2.23.0-0ubuntu1) kinetic; urgency=medium

  * New upstream release:
    - apport-gtk:
      - Gracefully handle import failure of gi (LP: #1980561)
      - Catch AssertionError when importing Gdk (LP: #1980238)
    - data/apport:
      - Fix PermissionError for setuid programs inside container (LP: #1982487)
      - Fix reading from stdin inside containers (LP: #1982555)
    - apport-kde:
      - Fix inverse order of choices (LP: #1967965)
      - Import apport before usage (LP: #1980553)
      - Drop old workaround for bug in SIP destructor (LP: #1980553)
    - apport-unpack: Fix ValueError: ['separator'] has no binary content
      (LP: #1889443)
    - Fix _run_hook getting called with ui=None (LP: #1983481)
  * Refresh patches and drop backported patches
  * Fix pydocstyle and pylint complains in patches

 -- Benjamin Drung <email address hidden> Mon, 22 Aug 2022 22:31:55 +0200

Changed in apport (Ubuntu):
status: Triaged → Fix Released
Steve Langasek (vorlon) wrote : Proposed package upload rejected

An upload of apport to jammy-proposed has been rejected from the upload queue for the following reason: "contains bugfixes without bug references or test cases, does not meet SRU policy".

Benjamin Drung (bdrung)
description: updated
Timo Aaltonen (tjaalton) wrote : Please test proposed package

Hello Benjamin, or anyone else affected,

Accepted apport into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apport/2.20.11-0ubuntu82.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in apport (Ubuntu Jammy):
status: New → Fix Committed
tags: added: verification-needed verification-needed-jammy
Timo Aaltonen (tjaalton) wrote :

Hello Benjamin, or anyone else affected,

Accepted apport into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apport/2.20.11-0ubuntu27.25 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in apport (Ubuntu Focal):
status: New → Fix Committed
tags: added: verification-needed-focal
Benjamin Drung (bdrung) wrote :

I ran the test case in a focal LXC container (on jammy host) and successfully created /var/crash/_usr_bin_ping.0.crash.

tags: added: verification-done-focal
removed: verification-needed-focal
Benjamin Drung (bdrung) wrote :

I ran the test case in a jammy LXC container (on jammy host) and it successfully created /var/crash/_usr_bin_ping.0.crash.

tags: added: verification-done verification-done-jammy
removed: verification-needed verification-needed-jammy
Chris Halse Rogers (raof) wrote : Update Released

The verification of the Stable Release Update for apport has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.20.11-0ubuntu27.25

---------------
apport (2.20.11-0ubuntu27.25) focal; urgency=medium

  * Point Vcs-* URIs to git
  * whoopsie-upload-all: Catch FileNotFoundError during process_report
    (LP: #1867204)
  * Grab a slice of JournalErrors around the crash time (LP: #1962454)
  * data/apport:
    - Initialize error log as first step (LP: #1989467)
    - Fix PermissionError for setuid programs inside container (LP: #1982487)
    - Fix reading from stdin inside containers (LP: #1982555)
  * Fix autopkgtest test case failures (LP: #1989467):
    - Mark autopkgtest with isolation-container restriction
    - Fix failure if kernel module isofs is not installed
    - Do not check recommended dependencies
    - Skip UI test if kernel thread is not found
    - Fix race in test_crash_system_slice
    - Fix check for not running test executable
    - Use shadow in *_different_binary_source
    - Mock kernel package version in UI test
    - Fix test_kerneloops_nodetails if kernel is not installed
    - Drop broken test_crash_setuid_drop_and_kill
    - Expect linux-signed on arm64/s390x as well
    - Skip SegvAnalysis for non x86 architectures
    - Use unlimited core ulimit for SIGQUIT test
    - Fix race with progress window in GTK UI tests
    - Use sleep instead of yes for tests
    - Fix test_add_gdb_info_script on armhf
    - Fix wrong Ubuntu archive URI on ports
    - Fix KeyError in test_install_packages_unversioned
    - Depend on python3-systemd for container tests
    - Depend on psmisc for killall binary
    - Replace missing oxideqt-codecs
    - Drop broken test_install_packages_from_launchpad
    - Fix test_install_packages_permanent_sandbox* for s390x

 -- Benjamin Drung <email address hidden> Thu, 15 Sep 2022 14:43:39 +0200

Changed in apport (Ubuntu Focal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.20.11-0ubuntu82.2

---------------
apport (2.20.11-0ubuntu82.2) jammy; urgency=medium

  * Point Vcs-* URIs to git
  * Grab a slice of JournalErrors around the crash time (LP: #1962454)
  * data/apport:
    - Initialize error log as first step (LP: #1989467)
    - Fix PermissionError for setuid programs inside container (LP: #1982487)
    - Fix reading from stdin inside containers (LP: #1982555)
  * Fix autopkgtest test case failures (LP: #1989467):
    - Mark autopkgtest with isolation-container restriction
    - Fix failure if kernel module isofs is not installed
    - Do not check recommended dependencies
    - Skip UI test if kernel thread is not found
    - Fix race in test_crash_system_slice
    - Fix check for not running test executable
    - Use shadow in *_different_binary_source
    - Mock kernel package version in UI test
    - Fix test_kerneloops_nodetails if kernel is not installed
    - Drop broken test_crash_setuid_drop_and_kill
    - Expect linux-signed on arm64/s390x as well
    - Skip SegvAnalysis for non x86 architectures
    - Use unlimited core ulimit for SIGQUIT test
    - Fix race with progress window in GTK UI tests
    - Use sleep instead of yes for tests
    - Fix test_add_gdb_info_script on armhf
    - Fix wrong Ubuntu archive URI on ports
    - Fix KeyError in test_install_packages_unversioned
    - Depend on python3-systemd for container tests
    - Depend on psmisc for killall binary
    - Replace missing oxideqt-codecs
    - Drop broken test_install_packages_from_launchpad
    - Fix test_install_packages_permanent_sandbox* for s390x

 -- Benjamin Drung <email address hidden> Wed, 14 Sep 2022 18:28:26 +0200

Changed in apport (Ubuntu Jammy):
status: Fix Committed → Fix Released
Steve Langasek (vorlon) wrote :

I have reviewed and approved SRUs for the corresponding upload to focal and jammy. However, the bionic upload includes a lot more changes from previous SRUs, making this more difficult and time-consuming to review appropriately. Given that bionic will reach the end of standard support in 2 weeks and some of these bugs have evidently been present for 5 years, I am not sure it is worth pushing this through as an SRU.
