snaps with classic + jailmode confinement started to fail on zesty

Bug #1666897 reported by Zygmunt Krynicki on 2017-02-22
Affects           Importance   Assigned to
snapd             High         Zygmunt Krynicki
linux (Ubuntu)    High         Andy Whitcroft
  Xenial          Undecided    Unassigned
  Yakkety         Undecided    Unassigned

Bug Description

We just noticed that zesty started to fail when a snap using classic confinement is installed in jailmode.

$ snap install --jailmode --classic python0
$ python0 (doesn't work)
/snap/python0/2/usr/bin/python0: error while loading shared libraries: libm.so.6: failed to map segment from shared object

And in the system log you can see:

[ 2929.841318] audit: type=1400 audit(1487770576.927:40): apparmor="DENIED" operation="file_mmap" profile="snap.python0.python0" name="/snap/core/1264/lib/x86_64-linux-gnu/libm-2.23.so" pid=5235 comm="python0" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0

Zygmunt Krynicki (zyga) on 2017-02-22
Changed in snapd:
importance: Undecided → High
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

This appears related to the recent zesty kernel update. If I use a xenial VM and update to the zesty kernel, I can reproduce. Eg:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.2 LTS
Release: 16.04
Codename: xenial

$ cat /proc/version_signature
Ubuntu 4.4.0-62.83-generic 4.4.40

$ sudo snap install --jailmode --classic python0
python0 0.9.1 from 'zygoon' installed

$ python0
>>> ctrl-D # it worked

Now install the zesty kernel and reboot:

$ cat /proc/version_signature
Ubuntu 4.10.0-8.10-generic 4.10.0-rc8

$ python0
/snap/python0/2/usr/bin/python0: error while loading shared libraries: libm.so.6: failed to map segment from shared object

with this denial:
apparmor="DENIED" operation="file_mmap" profile="snap.python0.python0" name="/snap/core/x1/lib/x86_64-linux-gnu/libm-2.23.so" pid=1299 comm="python0" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0

While '--classic' with '--jailmode' is a bit of a corner case, the change in mediation needs to be looked at.

Looking at the policy, we see this:

  # Read-only access to the core snap.
  @{INSTALL_DIR}/core/** r,

If we add this rule to classicJailmodeSnippet in interfaces/apparmor/template.go it works:

  @{INSTALL_DIR}/core/*/{,usr/}lib/@{multiarch}/{,**/}lib*.so* m,

This rule is fine to add to there, but it's a curious difference of behavior between 4.4 and 4.10. @jjohansen, can you comment?
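
To make the difference between the two rules concrete, here is an added example (not code from snapd or from anyone in this thread) that parses the audit denials quoted above and evaluates them against both the existing read-only rule and the proposed mmap rule. It implements a small subset of AppArmor path globbing (`*`, `**`, `{a,b}`) and assumes `@{INSTALL_DIR}` expands to `/snap` and `@{multiarch}` to `x86_64-linux-gnu`; the sample log lines are constructed from the ones in this bug.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample input: the two audit denials quoted in this bug.
var sampleDenials = []string{
	`audit: type=1400 audit(1487770576.927:40): apparmor="DENIED" operation="file_mmap" profile="snap.python0.python0" name="/snap/core/1264/lib/x86_64-linux-gnu/libm-2.23.so" pid=5235 comm="python0" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0`,
	`apparmor="DENIED" operation="file_mmap" profile="snap.python0.python0" name="/snap/core/x1/lib/x86_64-linux-gnu/libm-2.23.so" pid=1299 comm="python0" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0`,
}

// The existing read-only rule and the proposed mmap rule from the comment above.
var sampleRules = []string{
	"@{INSTALL_DIR}/core/** r,",
	"@{INSTALL_DIR}/core/*/{,usr/}lib/@{multiarch}/{,**/}lib*.so* m,",
}

// Assumed values for the AppArmor variables the snapd template uses.
var apparmorVars = map[string]string{"INSTALL_DIR": "/snap", "multiarch": "x86_64-linux-gnu"}

var kvRe = regexp.MustCompile(`(\w+)=("[^"]*"|\S+)`)

// ParseDenial splits one audit line into its key=value fields, unquoting values.
func ParseDenial(line string) map[string]string {
	fields := map[string]string{}
	for _, m := range kvRe.FindAllStringSubmatch(line, -1) {
		fields[m[1]] = strings.Trim(m[2], `"`)
	}
	return fields
}

// Rule is a parsed AppArmor file rule: an expanded path glob and its permission letters.
type Rule struct {
	Glob, Perms string
	re          *regexp.Regexp
}

// globToRegexp translates AppArmor path globbing to RE2: '*' stays within one
// path component, '**' may cross '/', and '{a,b}' is alternation.
func globToRegexp(glob string) string {
	var b strings.Builder
	depth := 0
	for i := 0; i < len(glob); i++ {
		switch c := glob[i]; {
		case c == '*' && i+1 < len(glob) && glob[i+1] == '*':
			b.WriteString(".*")
			i++
		case c == '*':
			b.WriteString("[^/]*")
		case c == '{':
			depth++
			b.WriteString("(?:")
		case c == '}' && depth > 0:
			depth--
			b.WriteByte(')')
		case c == ',' && depth > 0:
			b.WriteByte('|')
		default:
			b.WriteString(regexp.QuoteMeta(string(c)))
		}
	}
	return b.String()
}

// ParseRule parses text like "@{INSTALL_DIR}/core/** r," and expands @{var}s.
func ParseRule(text string) (Rule, error) {
	text = strings.TrimSpace(strings.TrimSuffix(strings.TrimSpace(text), ","))
	i := strings.LastIndexAny(text, " \t")
	if i < 0 {
		return Rule{}, fmt.Errorf("rule %q has no permission set", text)
	}
	glob, perms := strings.TrimSpace(text[:i]), text[i+1:]
	for name, value := range apparmorVars {
		glob = strings.ReplaceAll(glob, "@{"+name+"}", value)
	}
	re, err := regexp.Compile("^" + globToRegexp(glob) + "$")
	if err != nil {
		return Rule{}, err
	}
	return Rule{Glob: glob, Perms: perms, re: re}, nil
}

// Allows reports whether the rule matches path and grants every letter in mask.
// "r" does not imply "m", so the read-only rule never satisfies an mmap check.
func (r Rule) Allows(path, mask string) bool {
	if !r.re.MatchString(path) {
		return false
	}
	for _, p := range mask {
		if !strings.ContainsRune(r.Perms, p) {
			return false
		}
	}
	return true
}

func main() {
	for _, line := range sampleDenials {
		f := ParseDenial(line)
		for _, text := range sampleRules {
			r, err := ParseRule(text)
			if err != nil {
				panic(err)
			}
			fmt.Printf("%-60s %s -> %s %v\n", r.Glob, r.Perms, f["name"], r.Allows(f["name"], f["denied_mask"]))
		}
	}
}
```

Running it shows the read-only rule matching both denied paths but not granting `m`, while the proposed rule matches and grants it; the same evaluator rejects an `m` request on a path under `/snap/core/*/etc/`, which is the scoping that makes the narrower rule preferable to simply adding `m` to the `core/**` line.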

John Johansen (jjohansen) wrote :

AppArmor-wise, the zesty kernel has a set of fixes that have not yet been released for xenial or yakkety. However, I wouldn't expect that set of patches to result in a change around file_mmap (at least not directly).

We could try a xenial kernel with the set of patches on it that are in zesty
http://people.canonical.com/~jj/linux+jj/

and I can try bisecting zesty to identify what is causing this change

Zygmunt Krynicki (zyga) on 2017-02-23
Changed in snapd:
assignee: nobody → Zygmunt Krynicki (zyga)
Andy Whitcroft (apw) wrote :

@John -- i have accepted the same snapd into yakkety to allow some comparative testing.

John Johansen (jjohansen) wrote :

All right, I have chased this down.

It is being caused by
a7409fe3 UBUNTU: SAUCE: apparmor: flock mediation is not being enforced on cache check

It appears that bug could also affect mmap checks on certain files.

The patch is correct and the enforcement must remain. This means the template needs to be updated as suggested.

Zygmunt Krynicki (zyga) wrote :

Thank you for confirming this. I will make it happen.

John Johansen (jjohansen) wrote :

Note: this same fix will be landing in xenial, yakkety, and trusty-hwe kernels. So the template will need to be updated everywhere.

The template change can land before the kernel change lands as it won't break policy on old kernels.

Zygmunt Krynicki (zyga) on 2017-02-24
Changed in snapd:
status: Confirmed → Fix Committed
Zygmunt Krynicki (zyga) wrote :

This was released in snapd 2.22.7 although only for new installs. Fix for existing installation will come in a 2.2x release (either 23 or 24)

Changed in snapd:
status: Fix Committed → Fix Released
Andy Whitcroft (apw) wrote :

We need to Breaks: snapd (<< 2.23.1~) to ensure this is upgraded before the new breaking kernels can hit.

affects: linux (Ubuntu) → linux-meta (Ubuntu)
Changed in linux-meta (Ubuntu):
status: New → Confirmed
importance: Undecided → High
assignee: nobody → Andy Whitcroft (apw)
Brad Figg (brad-figg) on 2017-03-14
affects: linux-meta (Ubuntu) → linux (Ubuntu)
Denis Bernard (db47h) wrote :

This fix breaks Ubuntu 16.04: update-manager did a partial update. It elected to keep snapd (2.22.6) and remove linux-generic and linux-image-generic. This plus a kernel update (4.4.0.67), I ended up with kernel 4.4.0.67 without linux-image-extras of the same version. After reboot, no network, no sound, and so on.

Andy Whitcroft (apw) wrote :

@Denis -- your issue was caused by an attempt to back out the snapd update to 2.23.1 in the archive without also backing out the linux updates that depended on it. These have now been rolled back also, pending a fix for the underlying issue (a dpkg bug triggering upgrade failures).

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-70.91

---------------
linux (4.4.0-70.91) xenial; urgency=low

  * linux: 4.4.0-70.91 -proposed tracker (LP: #1674938)

  * snaps with classic + jailmode confinement started to fail on zesty
    (LP: #1666897)
    - Revert "UBUNTU: SAUCE: apparmor: fix link auditing failure due to,
      uninitialized var"
    - Revert "UBUNTU: SAUCE: fix regression with domain change in complain mode"
    - Revert "UBUNTU: SAUCE: apparmor: flock mediation is not being enforced on
      cache check"
    - Revert "UBUNTU: SAUCE: apparmor: null profiles should inherit parent control
      flags"
    - Revert "UBUNTU: SAUCE: apparmor: fix ns ref count link when removing
      profiles from policy"
    - Revert "UBUNTU: SAUCE: apparmor: Fix no_new_privs blocking change_onexec
      when using stacked namespaces"
    - Revert "UBUNTU: SAUCE: apparmor: fix oops in bind_mnt when dev_path lookup
      fails"
    - Revert "UBUNTU: SAUCE: apparmor: Don't audit denied access of special
      apparmor .null file"
    - Revert "UBUNTU: SAUCE: apparmor: fix label leak when new label is unused"
    - Revert "UBUNTU: SAUCE: apparmor: fix reference count bug in
      label_merge_insert()"
    - Revert "UBUNTU: SAUCE: apparmor: fix replacement race in reading rawdata"
    - Revert "UBUNTU: SAUCE: apparmor: fix cross ns perm of unix domain sockets"

 -- Stefan Bader <email address hidden> Wed, 22 Mar 2017 09:28:43 +0100

Changed in linux (Ubuntu Xenial):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.8.0-44.47

---------------
linux (4.8.0-44.47) yakkety; urgency=low

  * linux: 4.8.0-44.47 -proposed tracker (LP: #1674986)

  * snaps with classic + jailmode confinement started to fail on zesty
    (LP: #1666897)
    - Revert "UBUNTU: SAUCE: apparmor: fix link auditing failure due to,
      uninitialized var"
    - Revert "UBUNTU: SAUCE: fix regression with domain change in complain mode"
    - Revert "UBUNTU: SAUCE: apparmor: flock mediation is not being enforced on
      cache check"
    - Revert "UBUNTU: SAUCE: apparmor: null profiles should inherit parent control
      flags"
    - Revert "UBUNTU: SAUCE: apparmor: fix ns ref count link when removing
      profiles from policy"
    - Revert "UBUNTU: SAUCE: apparmor: Fix no_new_privs blocking change_onexec
      when using stacked namespaces"
    - Revert "UBUNTU: SAUCE: apparmor: fix oops in bind_mnt when dev_path lookup
      fails"
    - Revert "UBUNTU: SAUCE: apparmor: Don't audit denied access of special
      apparmor .null file"
    - Revert "UBUNTU: SAUCE: apparmor: fix label leak when new label is unused"
    - Revert "UBUNTU: SAUCE: apparmor: fix reference count bug in
      label_merge_insert()"
    - Revert "UBUNTU: SAUCE: apparmor: fix replacement race in reading rawdata"
    - Revert "UBUNTU: SAUCE: apparmor: fix cross ns perm of unix domain sockets"

linux (4.8.0-42.45) yakkety; urgency=low

  * linux: 4.8.0-42.45 -proposed tracker (LP: #1671176)

  * Regression in 4.4.0-65-generic causes very frequent system crashes
    (LP: #1669611)
    - Revert "UBUNTU: SAUCE: apparmor: fix lock ordering for mkdir"
    - Revert "UBUNTU: SAUCE: apparmor: fix leak on securityfs pin count"
    - Revert "UBUNTU: SAUCE: apparmor: fix reference count leak when
      securityfs_setup_d_inode() fails"
    - Revert "UBUNTU: SAUCE: apparmor: fix not handling error case when
      securityfs_pin_fs() fails"

  * NFS client : permission denied when trying to access subshare, since kernel
    4.4.0-31 (LP: #1649292)
    - fs: Better permission checking for submounts

  * shaking screen (LP: #1651981)
    - drm/radeon: drop verde dpm quirks

  * [0bda:0328] Card reader failed after S3 (LP: #1664809)
    - usb: hub: Wait for connection to be reestablished after port reset

  * linux-lts-xenial 4.4.0-63.84~14.04.2 ADT test failure with linux-lts-xenial
    4.4.0-63.84~14.04.2 (LP: #1664912)
    - SAUCE: apparmor: fix link auditing failure due to, uninitialized var

  * In Ubuntu 17.04 : after reboot getting message in console like Unable to
    open file: /etc/keys/x509_ima.der (-2) (LP: #1656908)
    - SAUCE: ima: Downgrade error to warning

  * 16.04.2: Extra patches for POWER9 (LP: #1664564)
    - powerpc/mm: Fix no execute fault handling on pre-POWER5
    - powerpc/mm: Fix spurrious segfaults on radix with autonuma

  * ibmvscsis: Add SGL LIMIT (LP: #1662551)
    - ibmvscsis: Add SGL limit

  * [Hyper-V] Bug fixes for storvsc (tagged queuing, error conditions)
    (LP: #1663687)
    - scsi: storvsc: Enable tracking of queue depth
    - scsi: storvsc: Remove the restriction on max segment size
    - scsi: storvsc: Enable multi-queue support
    - scsi: s...


Changed in linux (Ubuntu Yakkety):
status: New → Fix Released