The SRU of apparmor stacking for the Ubuntu 16.04 LTS kernel causes a regression in cups-browsed (shipped by cups) which now fails to start and gets respawned in a loop by systemd until it completely gives up.
To reproduce:
- lxc launch ubuntu:16.04 xen
- lxc exec xen -- apt update
- lxc exec xen -- apt dist-upgrade -y
- lxc exec xen -- apt install cups -y
You'll get:
root@xen:~# systemctl status cups-browsed
● cups-browsed.service - Make remote CUPS printers available locally
Loaded: loaded (/lib/systemd/system/cups-browsed.service; enabled; vendor preset: enabled)
Active: failed (Result: signal) since Thu 2017-01-12 14:09:38 UTC; 8min ago
Main PID: 7725 (code=killed, signal=SEGV)
Jan 12 14:09:38 xen systemd[1]: Started Make remote CUPS printers available locally.
Jan 12 14:09:38 xen systemd[1]: cups-browsed.service: Main process exited, code=killed, status=11/SEGV
Jan 12 14:09:38 xen systemd[1]: cups-browsed.service: Unit entered failed state.
Jan 12 14:09:38 xen systemd[1]: cups-browsed.service: Failed with result 'signal'.
And in dmesg (in a loop):
[95217.312576] audit: type=1400 audit(1484230171.171:1004): apparmor="STATUS" operation="profile_load" label="lxd-xen_</var/lib/lxd>//&:lxd-xen_<var-lib-lxd>://unconfined" name="/usr/lib/cups/backend/cups-pdf" pid=16941 comm="apparmor_parser"
[95217.313011] audit: type=1400 audit(1484230171.171:1005): apparmor="STATUS" operation="profile_load" label="lxd-xen_</var/lib/lxd>//&:lxd-xen_<var-lib-lxd>://unconfined" name="/usr/sbin/cupsd" pid=16941 comm="apparmor_parser"
[95217.313202] audit: type=1400 audit(1484230171.171:1006): apparmor="STATUS" operation="profile_load" label="lxd-xen_</var/lib/lxd>//&:lxd-xen_<var-lib-lxd>://unconfined" name="/usr/sbin/cupsd//third_party" pid=16941 comm="apparmor_parser"
[95218.126005] audit: type=1400 audit(1484230171.983:1007): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-xen_<var-lib-lxd>" profile="/usr/sbin/cupsd" name="/run/systemd/journal/stdout" pid=17074 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=100000 ouid=100000
[95218.126018] audit: type=1400 audit(1484230171.983:1008): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-xen_<var-lib-lxd>" profile="/usr/sbin/cupsd" name="/run/systemd/journal/stdout" pid=17074 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=100000 ouid=100000
[95222.686493] audit: type=1400 audit(1484230176.542:1009): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-xen_<var-lib-lxd>" profile="/usr/sbin/cupsd" name="/run/systemd/journal/stdout" pid=17553 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=100000 ouid=100000
[95222.686624] audit: type=1400 audit(1484230176.542:1010): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-xen_<var-lib-lxd>" profile="/usr/sbin/cupsd" name="/run/systemd/journal/stdout" pid=17553 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=100000 ouid=100000
[95224.324494] audit: type=1400 audit(1484230178.182:1011): apparmor="STATUS" operation="profile_load" label="lxd-xen_</var/lib/lxd>//&:lxd-xen_<var-lib-lxd>://unconfined" name="/usr/sbin/cups-browsed" pid=17681 comm="apparmor_parser"
[95224.610016] audit: type=1400 audit(1484230178.466:1012): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-xen_<var-lib-lxd>" profile="/usr/sbin/cups-browsed" name="/run/systemd/journal/stdout" pid=17765 comm="cups-browsed" requested_mask="wr" denied_mask="wr" fsuid=100000 ouid=100000
[95224.610029] audit: type=1400 audit(1484230178.466:1013): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-xen_<var-lib-lxd>" profile="/usr/sbin/cups-browsed" name="/run/systemd/journal/stdout" pid=17765 comm="cups-browsed" requested_mask="wr" denied_mask="wr" fsuid=100000 ouid=100000
[95224.610046] audit: type=1400 audit(1484230178.466:1014): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-xen_<var-lib-lxd>" profile="/usr/sbin/cups-browsed" name="/usr/sbin/cups-browsed" pid=17765 comm="cups-browsed" requested_mask="rm" denied_mask="rm" fsuid=100000 ouid=100000
FYI, http:// bazaar. launchpad. net/~apparmor- dev/apparmor/ master/ revision/ 3658 fixes the /run/systemd/ journal/ stdout denials. It seems like the real cause of this bug is this denial:
[95224.610046] audit: type=1400 audit(148423017 8.466:1014) : apparmor="DENIED" operation= "file_mmap" namespace= "root// lxd-xen_ <var-lib- lxd>" profile= "/usr/sbin/ cups-browsed" name="/ usr/sbin/ cups-browsed" pid=17765 comm="cups-browsed" requested_mask="rm" denied_mask="rm" fsuid=100000 ouid=100000
Suspecting this had something to do with the flock and mmap mediation fixes, I tried the reproducer with an updated 16.04 kernel (4.4.0- 77.98-generic) . This fixes the file_mmap denial, but we still have a file_mprotect 'r' denial:
[ 825.339262] audit: type=1400 audit(149390865 4.440:86) : apparmor="DENIED" operation= "file_mprotect" namespace= "root// lxd-xen_ <var-lib- lxd>" profile= "/usr/sbin/ cups-browsed" name="/ usr/sbin/ cups-browsed" pid=14249 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=165536 ouid=165536
I'm not sure if this indicates a bug in the apparmor policy or apparmor itself. If the policy, adjusting /etc/apparmor. d/usr.sbin. cups-browsed to have:
/usr/ sbin/cups- browsed r,
resolves the issue.