Apparmor related regression on access to unix sockets on a candidate 3.16 backport kernel
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux (Ubuntu) | Fix Released | Medium | John Johansen | |
| Utopic | Won't Fix | Medium | John Johansen | |
| Vivid | Won't Fix | Medium | John Johansen | |
Bug Description
I recently noticed a bunch of containers failing in a rather odd way when running postfix.
The most visible example is when running mailq on an empty queue. Without apparmor (unconfined container) I see that the queue is empty; with apparmor, I get Permission denied.
That's all running as root so the permission denied looks a tiny bit odd. Also, running the 3.13 kernel, I don't get any of that weirdness.
My guess is that it has to do with the work that went into the 3.16 kernel for socket mediation. In theory only systems that run the utopic apparmor (which I DO NOT) should be seeing that kind of behavior, but it looks like some code path isn't checking things properly :)
== strace in unconfined container ==
```
chdir("
rt_sigaction(
getuid() = 0
socket(PF_LOCAL, SOCK_STREAM, 0) = 4
fcntl(4, F_GETFL) = 0x2 (flags O_RDWR)
fcntl(4, F_SETFL, O_RDWR) = 0
connect(4, {sa_family=
poll([{fd=4, events=POLLIN}], 1, 3600000) = 1 ([{fd=4, revents=
read(4, "Mail queue is empty\n", 4096) = 20
poll([{fd=4, events=POLLIN}], 1, 3600000) = 1 ([{fd=4, revents=
read(4, "", 4096) = 0
write(1, "Mail queue is empty\n", 20Mail queue is empty
) = 20
close(4) = 0
exit_group(0) = ?
+++ exited with 0 +++
```
== strace in confined container ==
```
chdir("
rt_sigaction(
getuid() = 0
socket(PF_LOCAL, SOCK_STREAM, 0) = 4
fcntl(4, F_GETFL) = 0x2 (flags O_RDWR)
fcntl(4, F_SETFL, O_RDWR) = 0
connect(4, {sa_family=
poll([{fd=4, events=POLLIN}], 1, 3600000) = 1 ([{fd=4, revents=
read(4, 0x7ffe65b35c00, 4096) = -1 EACCES (Permission denied)
close(4) = 0
write(2, "postqueue: warning: close: Permi"..., 45postqueue: warning: close: Permission denied
) = 45
sendto(3, "<20>Nov 6 20:40:42 postfix/post"..., 78, MSG_NOSIGNAL, NULL, 0) = 78
exit_group(0) = ?
```
Kernel is a slightly outdated version of the kernel from the kernel team PPA:
Linux shell01 3.16.0-23-generic #31-Ubuntu SMP Thu Oct 23 20:13:35 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
If you think the latest build will improve this, I can test it, but seeing how this is a production server, I can't just flip kernels every 5 minutes (I'm running 3.16 to avoid a nasty btrfs bug on 3.13).
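The two straces above differ only at the `read()` on the unix stream socket, which succeeds unconfined and returns EACCES under the confined profile. The following self-check is an added example and is not code from the bug report or from postfix: it repeats the same call sequence postqueue makes (`socket(AF_UNIX, SOCK_STREAM)`, `connect`, `poll`, `read`) against a throw-away listener created in the same process, and returns 0 when the read delivers data or the errno of the failing call otherwise. Running it inside a confined container on the candidate kernel and again on a kernel without the regression gives a quick, postfix-independent comparison. The scratch socket path `/tmp/aa-unix-check-<pid>` and the reply text are assumptions of this example, not values from the page.

```c
/* Added example, not from the bug report: reproduce the unix-socket
 * client sequence seen in the strace and report what read() returns.
 * Return value of unix_read_check: 0 on success, else errno
 * (EACCES is what the confined container got on the 3.16 kernel). */
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Constructed reply, chosen to match what postqueue printed in the strace. */
static const char REPLY[] = "Mail queue is empty\n";

/* Performs bind/listen (server end) and socket/connect/poll/read (client end)
 * in one process. The server end is only there to have something to read from;
 * the calls of interest for AppArmor mediation are the client-side ones. */
int unix_read_check(const char *path, char *out, size_t outlen) {
    struct sockaddr_un sa;
    struct pollfd p;
    int lfd = -1, sfd = -1, fd = -1, rc = 0;
    ssize_t n;

    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    snprintf(sa.sun_path, sizeof sa.sun_path, "%s", path);
    unlink(path);                      /* remove a stale socket file from an earlier run */

    /* Throw-away listener on the scratch path. */
    lfd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (lfd < 0 || bind(lfd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(lfd, 1) < 0) {
        rc = errno; goto out;
    }
    /* Client end: the same socket() + connect() postqueue issues. */
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0 || connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { rc = errno; goto out; }

    /* Complete the handshake and push the reply from the server side. */
    sfd = accept(lfd, NULL, NULL);
    if (sfd < 0 || write(sfd, REPLY, sizeof REPLY - 1) < 0) { rc = errno; goto out; }

    /* poll() then read(), mirroring the strace; read() is the call that
     * returned EACCES in the confined container. */
    p.fd = fd; p.events = POLLIN; p.revents = 0;
    n = poll(&p, 1, 5000);
    if (n < 0) { rc = errno; goto out; }
    if (n == 0) { rc = ETIMEDOUT; goto out; }
    n = read(fd, out, outlen - 1);
    if (n < 0) { rc = errno; goto out; }
    out[n] = '\0';
out:
    if (sfd >= 0) close(sfd);
    if (fd >= 0) close(fd);
    if (lfd >= 0) close(lfd);
    unlink(path);
    return rc;
}

/* Convenience wrapper using an assumed per-process scratch path; the reply
 * read back is kept in a static buffer so a caller can inspect it. */
static char g_last_reply[128];

int unix_read_check_default(void) {
    char path[64];
    snprintf(path, sizeof path, "/tmp/aa-unix-check-%ld", (long)getpid());  /* assumed path */
    return unix_read_check(path, g_last_reply, sizeof g_last_reply);
}

const char *last_reply(void) { return g_last_reply; }

int main(void) {
    int rc = unix_read_check_default();
    if (rc == 0)
        printf("read OK: %s", last_reply());
    else
        printf("read failed: %s (errno %d)\n", strerror(rc), rc);
    return rc == 0 ? 0 : 1;
}
```

Compile with `cc -o aa-unix-check aa-unix-check.c` and run it as the same user and under the same AppArmor profile as the affected service; exit status 0 means the read was permitted, and a non-zero exit with "Permission denied" reproduces the behaviour shown in the confined strace without involving postfix at all.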
| Changed in | Field | Change |
|---|---|---|
| linux (Ubuntu) | importance | Undecided → Medium |
| linux (Ubuntu) | status | Incomplete → Confirmed |
| linux (Ubuntu) | tags | added: kernel-da-key |
| linux (Ubuntu) | assignee | nobody → John Johansen (jjohansen) |
| linux (Ubuntu Utopic) | status | New → Confirmed |
| linux (Ubuntu Utopic) | importance | Undecided → Medium |
| linux (Ubuntu Utopic) | assignee | nobody → John Johansen (jjohansen) |
| linux (Ubuntu Vivid) | status | Confirmed → Fix Committed |
| linux (Ubuntu) | status | Confirmed → Fix Committed |
| linux (Ubuntu Vivid) | status | Confirmed → Fix Committed |
This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:
apport-collect 1390223
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.