apparmor prevents custom printer driver from executing

Bug #1187970 reported by Janos G. Komaromi on 2013-06-06
This bug affects 1 person
Affects             Status   Importance   Assigned to   Milestone
CUPS                New      Undecided    Unassigned
apparmor (Ubuntu)            Undecided    Unassigned

Bug Description

I'm trying to make my Lexmark Z2420 work on Xubuntu >= 10.04. The Lexmark-provided installation does not work, the package is bad, etc. I worked around it because I was able to extract either the deb or rpm package. In fact, the printer works on an old Linux installation (Fedora-3 based) on the same machine. So the driver is OK. It is basically a ppd and a related proprietary printer driver written by Lexmark.

The problem is with Ubuntu, or specifically with some security system that is part of 10.04, 12.04 or 13.04. Here is the output of dmesg. It explains the problem, but I'm new to Debian (or Ubuntu), and therefore I don't know how to open up the security to enable running the printer driver.

Quote:

[ 2615.809241] type=1400 audit(1370314741.028:21): apparmor="DENIED" operation="exec" parent=720 profile="/usr/sbin/cupsd" name="/usr/local/lexmark/08zero/bin/printdriver" pid=2175 comm="cupsd" requested_mask="x" denied_mask="x" fsuid=7 ouid=0

Unquote

Thanks,

Janos

Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage. You might also ask for help in the #ubuntu-bugs irc channel on Freenode.

To change the source package that this bug is filed about visit https://bugs.launchpad.net/ubuntu/+bug/1187970/+editstatus and add the package name in the text box next to the word Package.

[This is an automated message. I apologize if it reached you inappropriately; please just reply to this message indicating so.]

tags: added: bot-comment
affects: ubuntu → apparmor (Ubuntu)
Janos G. Komaromi (jankom) wrote :

I tried to change the source package but the link above gave me "error ID OOPS-a8afe36a1ef5ba57464e91d12a39c578"

Anyway, based on the description of the problem the package is either cups or apparmor or both.

John Johansen (jjohansen) wrote :

AppArmor is denying exec permission to the Lexmark print driver; to fix this we need to update the apparmor profile that is used to confine cups.

Janos, can you perform the following test? Please add the following rule to the /etc/apparmor.d/usr.sbin.cupsd file (this will require admin permissions, so use sudo).

    /usr/local/lexmark/08zero/bin/printdriver rix,

I would do it so that it is next to the
    /usr/local/lib/cups/** rix,

rule, so that the file looks like
    ...
    /usr/local/lib/cups/** rix,
    /usr/local/lexmark/08zero/bin/printdriver rix,
    /usr/share/** r,
    ...

after this you may do either of the following:
  from the cmdline, reload the apparmor profile and restart cups
    sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.cupsd
    sudo restart cups

or
   reboot your computer; this will reload apparmor policy and restart cups

Adding this rule may not grant enough permissions to get the Lexmark printer to work. If it fails, check dmesg; apparmor will log a new message for any new denials it is causing.
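
The workflow John describes above (read the apparmor="DENIED" line out of dmesg, see whether any rule in the cupsd profile already covers that path with the denied permission, and if not add one) can be automated. The following is an added example, not code from the bug thread or from the AppArmor project: it parses audit lines, converts AppArmor path globs (`*` stops at `/`, `**` crosses it, `{a,b}` alternation) into regexes, checks each denial against a profile excerpt, and suggests the conservative `rix` rule for an uncovered exec denial. The dmesg line and the profile excerpt are copied from this thread; the second STATUS line is constructed to show that non-denial records are ignored.

```python
import re

# Constructed sample input: the denial from the bug description plus one
# profile_load STATUS record (constructed) that must be ignored.
DMESG_SAMPLE = """\
[ 2615.809241] type=1400 audit(1370314741.028:21): apparmor="DENIED" operation="exec" parent=720 profile="/usr/sbin/cupsd" name="/usr/local/lexmark/08zero/bin/printdriver" pid=2175 comm="cupsd" requested_mask="x" denied_mask="x" fsuid=7 ouid=0
[ 2616.000000] type=1400 audit(1370314741.100:22): apparmor="STATUS" operation="profile_load" name="/usr/sbin/cupsd" pid=720 comm="apparmor_parser"
"""

# Excerpt of /etc/apparmor.d/usr.sbin.cupsd as quoted in the thread, before
# and after adding the rule John suggested.
PROFILE_BEFORE = """\
  /usr/local/** rm,
  /usr/local/lib/cups/** rix,
  /usr/share/** r,
  /{,var/}run/** rm,
"""
PROFILE_AFTER = PROFILE_BEFORE + "  /usr/local/lexmark/08zero/bin/printdriver rix,\n"

_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_audit_line(line):
    """Turn one audit record into a dict of key=value fields (quoted or bare)."""
    fields = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def denials(dmesg_text):
    """Keep only records where apparmor="DENIED"."""
    records = (parse_audit_line(l) for l in dmesg_text.splitlines())
    return [r for r in records if r.get('apparmor') == 'DENIED']


def _split_alts(s):
    """Split a {a,b,{c,d}} body on top-level commas only."""
    parts, depth, cur = [], 0, ''
    for ch in s:
        if ch == ',' and depth == 0:
            parts.append(cur)
            cur = ''
        else:
            depth += (ch == '{') - (ch == '}')
            cur += ch
    parts.append(cur)
    return parts


def aa_glob_to_regex(glob):
    """AppArmor path glob -> anchored regex."""
    def convert(s):
        out, i = [], 0
        while i < len(s):
            c = s[i]
            if c == '*':
                if s.startswith('**', i):          # ** matches across '/'
                    out.append('.*'); i += 2
                else:                              # * stops at '/'
                    out.append('[^/]*'); i += 1
            elif c == '?':
                out.append('[^/]'); i += 1
            elif c == '{':                         # find the matching '}'
                depth, j = 1, i + 1
                while depth:
                    depth += {'{': 1, '}': -1}.get(s[j], 0)
                    j += 1
                alts = _split_alts(s[i + 1:j - 1])
                out.append('(?:' + '|'.join(convert(a) for a in alts) + ')')
                i = j
            else:
                out.append(re.escape(c)); i += 1
        return ''.join(out)
    return re.compile('^' + convert(glob) + '$')


# Plain file rules only: "<path> <perms>," with optional owner prefix and comment.
_RULE = re.compile(r'^\s*(?:owner\s+)?(/\S+)\s+([a-zA-Z]+)\s*,\s*(?:#.*)?$')


def parse_rules(profile_text):
    return [(m.group(1), m.group(2))
            for m in (_RULE.match(l) for l in profile_text.splitlines()) if m]


def rule_grants(perms, mask):
    """Every letter of the denied mask must be in the rule; any exec flavour
    (ix, Px, Ux, Cx and lower-case variants) contains the 'x' that covers exec."""
    return all(ch in perms for ch in mask)


def check_denial(denial, rules):
    """Rules whose glob matches the denied path and whose perms grant the mask."""
    return [(g, p) for g, p in rules
            if aa_glob_to_regex(g).match(denial['name']) and rule_grants(p, denial['denied_mask'])]


def suggest_rule(denial):
    """For exec denials suggest 'rix' (inherit the confining profile), the
    conservative choice; 'Ux' would run the helper unconfined."""
    perms = 'rix' if denial.get('operation') == 'exec' else denial['denied_mask']
    return '%s %s,' % (denial['name'], perms)


def audit_profile(dmesg_text, profile_text):
    rules = parse_rules(profile_text)
    report = []
    for d in denials(dmesg_text):
        covered = check_denial(d, rules)
        report.append({'profile': d['profile'], 'path': d['name'], 'mask': d['denied_mask'],
                       'covered_by': covered, 'suggested': None if covered else suggest_rule(d)})
    return report


if __name__ == '__main__':
    for label, prof in (('before', PROFILE_BEFORE), ('after', PROFILE_AFTER)):
        for entry in audit_profile(DMESG_SAMPLE, prof):
            print(label, entry)
```

Run against the excerpt before the fix it reports the printdriver path as uncovered (the `/usr/local/** rm,` rule matches the path but carries no `x`) and suggests `/usr/local/lexmark/08zero/bin/printdriver rix,`; after the rule is added the denial is reported as covered, which is what John means when he says either of the two rules should have satisfied that denial message.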

Janos G. Komaromi (jankom) wrote :

Re John Johansen's suggestion:

I did it with reboot, but dmesg still reports denial, see below:

[ 104.569090] audit_printk_skb: 24 callbacks suppressed
[ 104.569100] type=1400 audit(1370659781.774:26): apparmor="DENIED" operation="exec" parent=831 profile="/usr/sbin/cupsd" name="/usr/local/lexmark/08zero/bin/printdriver" pid=1911 comm="cupsd" requested_mask="x" denied_mask="x" fsuid=7 ouid=0

Excerpt from the modified usr.sbin.cupsd file after reboot and trying the print operation:

  /usr/local/** rm,
  /usr/local/lib/cups/** rix,
  /usr/local/lexmark/08zero/bin/printdriver rix,
  /usr/share/** r,
  /{,var/}run/** rm,

Btw, I tried before reading your suggestion to modify the file based on the Brother entry, such as

/usr/lexinkjet/** Ux,
/usr/local/lexmark/** Ux,

because /usr/lexinkjet/ has the 08zero directory (symlinked from /usr/local/lexmark) containing the "printdriver" file and a lib directory housing so files. The /usr/lexinkjet has an etc directory housing various ppd files for various other lexmark printers as well.

This did not work either.

Something else in the apparmor scheme still denies execution.

Janos

John Johansen (jjohansen) wrote :

Either of those should have worked for that denial message. Perhaps the compiled policy cache is not being updated correctly.

With either of the above changes to the /etc/apparmor.d/usr.sbin.cupsd file, and without rebooting, can you try

  sudo apparmor_parser -vTWr /etc/apparmor.d/usr.sbin.cupsd

and then try printing. You may have to do
  sudo restart cups

but I don't believe that should be necessary.

Janos G. Komaromi (jankom) wrote :

Thanks. We are getting there, but the solution is still elusive.

I did the apparmor_parser command, then tried to print.
   Result: printer not connected error

So I deleted and reinstalled printer, and rebooted.
   Surprise: apparmor again denied execution after reboot. So I did apparmor_parser
   Result: almost OK. Printer came to life, tried to do something, then cups reported error

dmesg indicated segmentation fault in print driver

I verified the printdriver file with diff comparing it with the same file on my FC3 installation where the printer works - no difference. My FC3 installation is all bastardized. It is my sandbox. I compiled cups from source, it is 1.4.6 - but it works.

Attached are two files: (1) dmesg outputs, and (2) print troubleshooter saved

Aside from this it looks like reboot restores apparmor behaviour to original state and we have to do manual apparmor_parser which is definitely a bug.

Thanks for your interest in this problem.

Janos G. Komaromi (jankom) wrote :

Don't know how to add multiple attachments, so here is the 2nd one

John Johansen (jjohansen) wrote :

Interesting, denials can result in strange behaviors/bugs/crashes but I am going to atm just focus on fixing the apparmor confinement. Which rule addition did you try?

If you haven't tried it yet, does using
   /usr/local/lexmark/** Ux,
instead of
    /usr/local/lexmark/08zero/bin/printdriver rix,
result in a different behavior?

Also can you provide some timestamps, and md5sums of the cache file?

do the following after reboot, and then again after the apparmor_parser command
  ls -l /etc/apparmor.d/cache/usr.sbin.cupsd
  md5sum /etc/apparmor.d/cache/usr.sbin.cupsd

Janos G. Komaromi (jankom) wrote :

I already did the /usr/local/lexmark thing, no difference.

Here is an excerpt from my usr.sbin.cupsd

...
  # FIXME: no policy ATM for hplip and Brother drivers
  /usr/bin/hpijs Ux,
  /usr/Brother/** Ux,
## JGK 6/9/13 begin
  /usr/lexinkjet/** Ux,
  /usr/local/lexmark/** Ux,
## JGK 6/9/13 end

  # Kerberos authentication
...
Note: I think we need both lexinkjet and lexmark directories because of the way lexmark installs files and symlinks within. These two directories have printer setups for an entire family of lexmark printers.

(A) Here is the cache after boot today, print producing denial:

janos@Andraslinux:~$ ls -l /etc/apparmor.d/cache/usr.sbin.cupsd
-rw------- 1 root root 87010 Jun 9 09:35 /etc/apparmor.d/cache/usr.sbin.cupsd
janos@Andraslinux:~$ sudo md5sum /etc/apparmor.d/cache/usr.sbin.cupsd
[sudo] password for janos:
04e342575436f1477a3f292e4043938a /etc/apparmor.d/cache/usr.sbin.cupsd

(B) Here is the cache after applying apparmor_parser command:

janos@Andraslinux:~$ sudo apparmor_parser -vTWr /etc/apparmor.d/usr.sbin.cupsd
Warning from /etc/apparmor.d/usr.sbin.cupsd (/etc/apparmor.d/usr.sbin.cupsd line 180): profile /usr/lib/cups/backend/cups-pdf network rules not enforced
Replacement succeeded for "/usr/lib/cups/backend/cups-pdf".
Warning from /etc/apparmor.d/usr.sbin.cupsd (/etc/apparmor.d/usr.sbin.cupsd line 180): profile /usr/sbin/cupsd network rules not enforced
Replacement succeeded for "/usr/sbin/cupsd".
janos@Andraslinux:~$ ls -l /etc/apparmor.d/cache/usr.sbin.cupsd
-rw------- 1 root root 87010 Jun 10 17:51 /etc/apparmor.d/cache/usr.sbin.cupsd
janos@Andraslinux:~$ sudo md5sum /etc/apparmor.d/cache/usr.sbin.cupsd
04e342575436f1477a3f292e4043938a /etc/apparmor.d/cache/usr.sbin.cupsd

printer came to life, but then error and dmesg segfault

(C) After reboot:

janos@Andraslinux:~$ ls -l /etc/apparmor.d/cache/usr.sbin.cupsd
-rw------- 1 root root 87010 Jun 10 17:51 /etc/apparmor.d/cache/usr.sbin.cupsd
janos@Andraslinux:~$ sudo md5sum /etc/apparmor.d/cache/usr.sbin.cupsd
[sudo] password for janos:
04e342575436f1477a3f292e4043938a /etc/apparmor.d/cache/usr.sbin.cupsd

printer denied

John Johansen (jjohansen) wrote :

Hrmm, alright, let's test and see if the printer works without apparmor confinement involved at all

  sudo apparmor_parser -R /etc/init.d/usr.sbin.cupsd
  sudo restart cups
  ps -Z `pidof cupsd`

ensure that ps -Z reports a label of unconfined like
LABEL PID TTY STAT TIME COMMAND
unconfined 1246 ? Ss 0:00 /usr/sbin/cupsd -F

and now test the printer

Janos G. Komaromi (jankom) wrote :

another step closer - see below:

janos@Andraslinux:~$ sudo apparmor_parser -R /etc/init.d/usr.sbin.cupsd
[sudo] password for janos:
Error: Could not read profile /etc/init.d/usr.sbin.cupsd: No such file or directory.
janos@Andraslinux:~$

Could this be the problem (bug)?

John Johansen (jjohansen) wrote :

sigh, no, it's just me; that should have been
  sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.cupsd

Janos G. Komaromi (jankom) wrote :

No problem. I had a little suspicion, but copied it anyway since I'm not familiar with Ubuntu's (or debian) file structure.

Here is my terminal output now:

janos@Andraslinux:~$ sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.cupsd
[sudo] password for janos:
janos@Andraslinux:~$ sudo restart cups
cups start/running, process 2033
janos@Andraslinux:~$ ps -Z `pidof cupsd`
LABEL PID TTY STAT TIME COMMAND
/usr/sbin/cupsd 2033 ? Ss 0:00 /usr/sbin/cupsd -F

Apparently the "unconfined" label is not there.

Printing process is still the same: printer comes alive, then failure is reported and dmesg says "...segfault at 0 ip..."

John Johansen (jjohansen) wrote :

Okay this just isn't right, can you provide output for the following

    apparmor_parser -v
    ps -Z `pidof cupsd`

    sudo bash -c "echo /usr/sbin/cupsd >/sys/kernel/security/apparmor/.remove"
    sudo bash -c "echo /usr/lib/cups/backend/cups-pdf >/sys/kernel/security/apparmor/.remove"

    sudo aa-status
    ps -Z `pidof cupsd`

    sudo restart cups
    ps -Z `pidof cupsd`

Janos G. Komaromi (jankom) wrote :

I got stuck at the first command, here is the output:

janos@Andraslinux:~$ sudo apparmor_parser -v
[sudo] password for janos:
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin

^Cjanos@Andraslinux:~$

Note: I had to use sudo for the command, and then press Ctrl-C to get back to the prompt. I don't know what else I should have responded to the "force-complain via stdin" message.

Recap: this is a virgin install of 13.04, and I have not really messed with it, just applied the occasional updates as they were announced.

I did not do the rest of the commands in your message, awaiting your comments on the first one.

John Johansen (jjohansen) wrote :

congratulations on discovering yet another bug :/

It looks like the version check is broken. I haven't used it for a while, but I just wanted to check which version of the parser was involved. We can skip this command and move on, as 13.04 should be the 2.8.0 parser. If you care, you can use the command without sudo; you should get the following output

> apparmor_parser -v
apparmor_parser: Sorry. You need root privileges to run this program.

AppArmor parser version 2.8.0
Copyright (C) 1999-2008 Novell Inc.
Copyright 2009-2012 Canonical Ltd.

Usage: apparmor_parser [options] [profile]

Options:
--------
-a, --add Add apparmor definitions [default]
-r, --replace Replace apparmor definitions
-R, --remove Remove apparmor definitions
-C, --Complain Force the profile into complain mode
-B, --binary Input is precompiled profile
-N, --names Dump names of profiles in input.
-S, --stdout Dump compiled profile to stdout
-o n, --ofile n Write output to file n
-b n, --base n Set base dir and cwd
-I n, --Include n Add n to the search path
-f n, --subdomainfs n Set location of apparmor filesystem
-m n, --match-string n Use only match features n
-n n, --namespace n Set Namespace for the profile
-X, --readimpliesX Map profile read permissions to mr
-k, --show-cache Report cache hit/miss details
-K, --skip-cache Do not attempt to load or save cached profiles
-T, --skip-read-cache Do not attempt to load cached profiles
-W, --write-cache Save cached profile (force with -T)
-L, --cache-loc n Set the location of the profile cache
-q, --quiet Don't emit warnings
-v, --verbose Show profile names as they load
-Q, --skip-kernel-load Do everything except loading into kernel
-V, --version Display version info and exit
-d, --debug Debug apparmor definitions
-p, --preprocess Dump preprocessed profile
-D [n], --dump Dump internal info for debugging
-O [n], --Optimize Control dfa optimizations
-h [cmd], --help[=cmd] Display this text or info about cmd

Which is still not right as it should not be complaining about root, nor dumping the help text but at least it is dumping the version

Janos G. Komaromi (jankom) wrote :

Correct!

That was exactly what I got last night. So I thought - excuse me - that you may have forgotten the sudo prefix. So I did not even bother to post this lengthy output. But this is exactly what I got without sudo.

Could this explain the other problem I have (listed as confirmed bug) that my scanner does not work? See bug #1184165

John Johansen (jjohansen) wrote :

So the apparmor_parser -v bug? No.

That apparmor is causing a failure for your scanner, that is a possibility I can't rule out yet but haven't seen anything to indicate it is causing the issue.

can you try running through

ps -Z `pidof cupsd`

    sudo bash -c "echo /usr/sbin/cupsd >/sys/kernel/security/apparmor/.remove"
    sudo bash -c "echo /usr/lib/cups/backend/cups-pdf >/sys/kernel/security/apparmor/.remove"

    sudo aa-status
    ps -Z `pidof cupsd`

    sudo restart cups
    ps -Z `pidof cupsd`

Janos G. Komaromi (jankom) wrote :

OK, let's fix apparmor first.

I ran the commands, but as you see from the output the "remove" stuff failed.

janos@Andraslinux:~$ ps -Z `pidof cupsd`
LABEL PID TTY STAT TIME COMMAND
/usr/sbin/cupsd 789 ? Ss 0:00 /usr/sbin/cupsd -F
janos@Andraslinux:~$ sudo bash -c "echo /usr/sbin/cupsd >/sys/kernel/security/apparmor/.remove"
[sudo] password for janos:
bash: line 0: echo: write error: No such file or directory
janos@Andraslinux:~$ sudo bash -c "echo /usr/lib/cups/backend/cups-pdf >/sys/kernel/security/apparmor/.remove"
bash: line 0: echo: write error: No such file or directory
janos@Andraslinux:~$ sudo aa-status
apparmor module is loaded.
You do not have enough privilege to read the profile set.
janos@Andraslinux:~$ ps -Z `pidof cupsd`
LABEL PID TTY STAT TIME COMMAND
/usr/sbin/cupsd 789 ? Ss 0:00 /usr/sbin/cupsd -F
janos@Andraslinux:~$ sudo restart cups
cups start/running, process 2163
janos@Andraslinux:~$ ps -Z `pidof cupsd`
LABEL PID TTY STAT TIME COMMAND
/usr/sbin/cupsd 2163 ? Ss 0:00 /usr/sbin/cupsd -F
janos@Andraslinux:~$

It looks like the entity " .remove" is a file in /sys/kernel/security/apparmor directory, not a directory. The only directory there is "features" that also has directories. I hope this helps.

John Johansen (jjohansen) wrote :

Sorry my mistake again. I don't often hit the low level interface. The echo command needs a -n, we are echoing the profile name to remove directly into the apparmor kernel interface.

let's do this

    sudo aa-status

    ps -Z `pidof cupsd`

    sudo bash -c "echo -n /usr/sbin/cupsd >/sys/kernel/security/apparmor/.remove"
    sudo bash -c "echo -n /usr/lib/cups/backend/cups-pdf >/sys/kernel/security/apparmor/.remove"

    sudo aa-status
    ps -Z `pidof cupsd`

    sudo restart cups
    ps -Z `pidof cupsd`

Janos G. Komaromi (jankom) wrote :

Thank you, I'm learning new stuff. Besides, I like low level interfaces.

Results were as expected - I think, except for the last step. After restarting cupsd "unconfined" disappeared. See below the output of commands you suggested:

janos@Andraslinux:~$ sudo aa-status
[sudo] password for janos:
apparmor module is loaded.
You do not have enough privilege to read the profile set.
janos@Andraslinux:~$ ps -Z `pidof cupsd`
LABEL PID TTY STAT TIME COMMAND
/usr/sbin/cupsd 823 ? Ss 0:00 /usr/sbin/cupsd -F
janos@Andraslinux:~$ sudo bash -c "echo -n /usr/sbin/cupsd >/sys/kernel/security/apparmor/.remove"
janos@Andraslinux:~$ sudo bash -c "echo -n /usr/lib/cups/backend/cups-pdf >/sys/kernel/security/apparmor/.remove"
janos@Andraslinux:~$ sudo aa-status
apparmor module is loaded.
You do not have enough privilege to read the profile set.
janos@Andraslinux:~$ ps -Z `pidof cupsd`
LABEL PID TTY STAT TIME COMMAND
unconfined 823 ? Ss 0:00 /usr/sbin/cupsd -F
janos@Andraslinux:~$ sudo restart cups
cups start/running, process 18702
janos@Andraslinux:~$ ps -Z `pidof cupsd`
LABEL PID TTY STAT TIME COMMAND
/usr/sbin/cupsd 18702 ? Ss 0:00 /usr/sbin/cupsd -F

Nevertheless, I tried to print with Lexmark, but same result (printer wakes up, but then segfault). Here is dmesg:

[ 3124.613956] type=1400 audit(1371215611.840:32): apparmor="STATUS" operation="profile_load" name="/usr/lib/cups/backend/cups-pdf" pid=18805 comm="apparmor_parser"
[ 3124.614896] type=1400 audit(1371215611.840:33): apparmor="STATUS" operation="profile_load" name="/usr/sbin/cupsd" pid=18805 comm="apparmor_parser"
[ 3186.971241] printdriver[18826]: segfault at 0 ip (null) sp bfc266dc error 4 in printdriver[8048000+b000]

Another point:
I booted up to the old, FC3 version, and Lexmark prints without segfault. As I mentioned, print files, etc. are exact copies in both the FC3 boot and the Ubuntu 13.04 boot.

John Johansen (jjohansen) wrote :

Okay we are getting there,

can you provide me the output of

  uname -a

also can you try
    sudo bash -c "echo -n /usr/sbin/cupsd >/sys/kernel/security/apparmor/.remove"
    sudo bash -c "echo -n /usr/lib/cups/backend/cups-pdf >/sys/kernel/security/apparmor/.remove"

and then try printing without restarting cups. It looks like the cups package has an apparmor policy hook and is ensuring the cups policy is loaded before it starts the service.

John Johansen (jjohansen) wrote :

oh and the output of

ls -l /sys/kernel/security/apparmor/

John Johansen (jjohansen) wrote :

oh and yet another thing that would be helpful

can you attach the file
  /etc/apparmor.d/cache/.features

Janos G. Komaromi (jankom) wrote :

root@Andraslinux:/home/janos# uname -a
Linux Andraslinux 3.8.13-030813-generic #201305111843 SMP Sat May 11 22:52:24 UTC 2013 i686 athlon i686 GNU/Linux
root@Andraslinux:/home/janos# bash -c "echo -n /usr/sbin/cupsd >/sys/kernel/security/apparmor/.remove"
root@Andraslinux:/home/janos# bash -c "echo -n /usr/lib/cups/backend/cups-pdf >/sys/kernel/security/apparmor/.remove"
root@Andraslinux:/home/janos# ls -l /sys/kernel/security/apparmor/
total 0
drwxr-xr-x 5 root root 0 Jun 14 20:31 features

No luck with printing after the remove commands.

I did the above from root account and copied the .features files to my user directory.
File attached. I had to trick the system because the Attachment Browse button would not show hidden files.

I'll be going away for the week-end - so you have a nice one, and I'll be back Monday continuing this quest.
Thx

John Johansen (jjohansen) wrote :

Alright, because you aren't using an Ubuntu kernel, or a kernel with the interface patches the following things aren't working correctly
  sudo aa-status
  sudo /etc/init.d/apparmor restart #won't remove profiles that have been removed from the directory

basically Ubuntu is carrying an out-of-tree interface patch. I can point you at it if you would like. That accounts for some of the apparmor weirdness you were encountering, but not your print driver failing.

So we have tried removing apparmor confinement from just the printing subsystem; let's remove apparmor completely and see if you still get the same failure. Reboot your system into the grub boot menu and add the following kernel parameter

   apparmor=0

this will disable apparmor from boot

Janos G. Komaromi (jankom) wrote :

Output of the first two commands is below:

janos@Andraslinux:~$ sudo aa-status
[sudo] password for janos:
apparmor module is loaded.
You do not have enough privilege to read the profile set.
janos@Andraslinux:~$ sudo /etc/init.d/apparmor restart
 * Reloading AppArmor profiles Warning from /etc/apparmor.d/lightdm-guest-session (/etc/apparmor.d/lightdm-guest-session line 13): profile /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper network rules not enforced
Warning from /etc/apparmor.d/lightdm-guest-session (/etc/apparmor.d/lightdm-guest-session line 13): profile chromium_browser network rules not enforced
Warning from /etc/apparmor.d/sbin.dhclient (/etc/apparmor.d/sbin.dhclient line 76): profile /sbin/dhclient network rules not enforced
Warning from /etc/apparmor.d/usr.bin.evince (/etc/apparmor.d/usr.bin.evince line 160): profile /usr/bin/evince network rules not enforced
Warning from /etc/apparmor.d/usr.bin.evince (/etc/apparmor.d/usr.bin.evince line 160): profile sanitized_helper network rules not enforced
Warning from /etc/apparmor.d/usr.bin.evince (/etc/apparmor.d/usr.bin.evince line 160): profile /usr/bin/evince-previewer network rules not enforced
Warning from /etc/apparmor.d/usr.bin.evince (/etc/apparmor.d/usr.bin.evince line 160): profile sanitized_helper network rules not enforced
Warning from /etc/apparmor.d/usr.bin.evince (/etc/apparmor.d/usr.bin.evince line 160): profile /usr/bin/evince-thumbnailer network rules not enforced
Warning from /etc/apparmor.d/usr.bin.evince (/etc/apparmor.d/usr.bin.evince line 160): profile sanitized_helper network rules not enforced
Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox
Warning from /etc/apparmor.d/usr.sbin.cupsd (/etc/apparmor.d/usr.sbin.cupsd line 180): profile /usr/lib/cups/backend/cups-pdf network rules not enforced
Warning from /etc/apparmor.d/usr.sbin.cupsd (/etc/apparmor.d/usr.sbin.cupsd line 180): profile /usr/sbin/cupsd network rules not enforced
Warning from /etc/apparmor.d/usr.sbin.cupsd.original (/etc/apparmor.d/usr.sbin.cupsd.original line 176): profile /usr/lib/cups/backend/cups-pdf network rules not enforced
Warning from /etc/apparmor.d/usr.sbin.cupsd.original (/etc/apparmor.d/usr.sbin.cupsd.original line 176): profile /usr/sbin/cupsd network rules not enforced
Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Warning from /etc/apparmor.d/usr.sbin.tcpdump (/etc/apparmor.d/usr.sbin.tcpdump line 64): profile /usr/sbin/tcpdump network rules not enforced
cat: /sys/kernel/security/apparmor/profiles: No such file or directory
janos@Andraslinux:~$

Now rebooting, and will post results in a separate comment.

John Johansen (jjohansen) wrote :

yes that is the output that is expected for those two commands when the kernel isn't patched.

aa-status - has a bug where it is incorrectly reporting it does not have privilege to read the profile set. It is mis-interpreting the failure to find the profiles file as a denial to access it.

restart - will warn about network rules not being able to be enforced by the kernel but that will not affect the actual reload. In this case removal can't happen as the restart command can't determine which profiles exist in the kernel vs. what profiles exist in /etc/apparmor.d/ It will load all the profiles that exist in apparmor.d but can't remove from the kernel a profile that was removed from apparmor.d/ in this case you have to explicitly tell apparmor you removed it from the directory by using apparmor_parser -R on the file before removing it from apparmor.d/ or hitting the low level interface.

Looking forward to the results from the reboot

Janos G. Komaromi (jankom) wrote :

I'm not familiar with the new grub. grub.cfg is more complex than the old grub I'm used to. So my first attempt to restart failed to deactivate apparmor.

Then I edited grub.cfg and put the apparmor=0 statement directly after root=xxxxx and before ro

This time I think apparmor is less effective. See below:

janos@Andraslinux:~$ sudo aa-status
[sudo] password for janos:
apparmor module is loaded.
apparmor filesystem is not mounted.
janos@Andraslinux:~$ dmesg | tail
[ 56.010269] composite sync not supported
[ 56.010284] composite sync not supported
[ 56.672092] init: plymouth-stop pre-start process (1095) terminated with status 1
[ 69.534864] composite sync not supported
[ 69.534877] composite sync not supported
[ 72.344126] composite sync not supported
[ 72.344140] composite sync not supported
[ 72.403431] composite sync not supported
[ 72.403445] composite sync not supported
[ 194.610821] printdriver[1974]: segfault at 0 ip (null) sp bfd013fc error 4 in printdriver[8048000+b000]
janos@Andraslinux:~$

However, as you see I still get the segfault. Could it be because the apparmor module is still loaded?

I'm sorry, I'm confused a little bit about your last paragraph on restart.

One more point: in your previous comment you state that "Alright, because you aren't using an Ubuntu kernel, or a kernel with the interface patches". My kernel is what came with the installation DVD and updated periodically by the updater.

John Johansen (jjohansen) wrote :

Yes, grub2 is a little different, but it's not too bad once you get used to it
  use the cursor keys to move to the entry you want to edit
  press e
  move to the kernel line which will look something like
      linux /boot/vmlinuz-3.8.0-23-generic root=UUID=7d19c7bc-50aa-4266-9ab7-332c92f5e3aa ro quiet splash pcie_aspm=force drm.vblankoffdelay=1 i915.semaphores=1 nmi_watchdog=0 $vt_handoff
  add apparmor=0 to the end or anywhere after root= really
  use ctrl-x to boot

You can directly edit /boot/grub/grub.cfg but it's not recommended, as your changes will be lost any time that a kernel update is applied. If you want a kernel config to survive a kernel update you should edit
  /etc/default/grub
After editing /etc/default/grub you will need to run
  sudo update-grub
to regenerate your grub.cfg. It seems like a pita, but then the change will survive the next time you get a kernel update.

The apparmor module is present (it is built into the kernel), but it is not active or enforcing any policy. It is turned off. If you do
  dmesg | grep AppArmor

if apparmor is enabled you get something like
  [0.008000] AppArmor: AppArmor initialized
  [0.813392] AppArmor: AppArmor Filesystem Enabled
and disabled by apparmor=0
  [0.008000] AppArmor: AppArmor disabled by boot time parameter

So apparmor is not causing the print failure you are seeing.

Restart can be a little confusing. Let me try again. There are two copies of apparmor policy: what is stored in /etc/apparmor.d/ and what is currently active in the kernel. The restart command tries to sync the kernel to reflect what is in /etc/apparmor.d/. If, for example, you delete a profile file from /etc/apparmor.d/, you would want that profile to also be removed from the kernel when you run restart to sync /etc/apparmor.d and the loaded system policy.

In this case your kernel is missing an interface patch that allows the restart command to introspect the kernel and determine what policy is currently loaded. So restart can go through and load policy that exists in /etc/apparmor.d/, but it can't detect that the kernel has some policy loaded that is not in /etc/apparmor.d. You can reboot instead of using restart to clear out the loaded policy from the kernel.

This should not affect your current printing problems, as you have not deleted files in /etc/apparmor.d/; I'm just noting that this behavior is broken with your current kernel.

As for your kernel it most certainly is not an official Ubuntu kernel. What DVD did you install it from?
The official Ubuntu kernels have the apparmor patches applied and have a uname -a that looks like

  Linux ortho2 3.8.0-23-generic #34-Ubuntu SMP Wed May 29 20:22:58 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
your kernel version string is showing it's a derivative of
  3.8.

but the rest of the version string is all wrong
  13-030813-generic #201305111843 SMP Sat May 11 22:52:24 UTC 2013 i686
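
The two checks John relies on in this thread to establish whether AppArmor is actually in the picture are the LABEL column of `ps -Z` (comment above about `unconfined`) and the `AppArmor:` boot messages in dmesg (this comment). The script below is an added example, not code from the bug thread or from the AppArmor project: it parses both outputs and returns a verdict. The `ps -Z` and dmesg samples are copied from the thread; the `PS_ENFORCE` sample is constructed on the assumption that newer releases print the label as `profile (mode)`, which is why the parser treats everything before the first numeric column as the label rather than splitting on the first space.

```python
# Constructed samples, copied from the outputs quoted in this thread.
PS_CONFINED = """\
LABEL PID TTY STAT TIME COMMAND
/usr/sbin/cupsd 2033 ? Ss 0:00 /usr/sbin/cupsd -F
"""
PS_UNCONFINED = """\
LABEL PID TTY STAT TIME COMMAND
unconfined 823 ? Ss 0:00 /usr/sbin/cupsd -F
"""
# Assumed newer-style label with a mode suffix (constructed, not from the thread).
PS_ENFORCE = """\
LABEL PID TTY STAT TIME COMMAND
/usr/sbin/cupsd (enforce) 100 ? Ss 0:00 /usr/sbin/cupsd -F
"""
DMESG_ENABLED = """\
[0.008000] AppArmor: AppArmor initialized
[0.813392] AppArmor: AppArmor Filesystem Enabled
"""
DMESG_DISABLED = "[0.008000] AppArmor: AppArmor disabled by boot time parameter\n"


def parse_ps_z(text):
    """Parse `ps -Z` output into (label, pid, command) tuples.

    The label is everything before the first all-digit token (the PID), so a
    label containing spaces is kept whole; TTY, STAT and TIME are skipped."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        tokens = line.split()
        pid_idx = next((i for i, t in enumerate(tokens) if t.isdigit()), None)
        if not pid_idx:                          # no PID, or nothing before it
            continue
        label = ' '.join(tokens[:pid_idx])
        command = ' '.join(tokens[pid_idx + 4:])
        rows.append((label, int(tokens[pid_idx]), command))
    return rows


def label_for(ps_text, program):
    """Return the AppArmor label of the first process whose argv[0] is program."""
    for label, _pid, command in parse_ps_z(ps_text):
        if command.split()[0] == program:
            return label
    return None


def apparmor_boot_state(dmesg_text):
    """'disabled' if the boot parameter turned AppArmor off, 'enabled' if it
    initialized, otherwise 'unknown' (e.g. the ring buffer has wrapped)."""
    lines = dmesg_text.splitlines()
    if any('AppArmor disabled by boot time parameter' in l for l in lines):
        return 'disabled'
    if any('AppArmor initialized' in l for l in lines):
        return 'enabled'
    return 'unknown'


def confinement_report(ps_text, dmesg_text, program='/usr/sbin/cupsd'):
    """Combine both checks into one verdict for the given program."""
    label = label_for(ps_text, program)
    state = apparmor_boot_state(dmesg_text)
    confined = label is not None and label != 'unconfined'
    if state == 'disabled':
        verdict = 'AppArmor is off for this boot; no policy applies to %s' % program
    elif label is None:
        verdict = '%s is not running' % program
    elif confined:
        verdict = '%s is confined by profile %s' % (program, label)
    else:
        verdict = '%s is running unconfined' % program
    return {'boot_state': state, 'label': label, 'confined': confined, 'verdict': verdict}


if __name__ == '__main__':
    for ps, dm in ((PS_CONFINED, DMESG_ENABLED), (PS_UNCONFINED, DMESG_ENABLED),
                   (PS_CONFINED, DMESG_DISABLED)):
        print(confinement_report(ps, dm)['verdict'])
```

On a live system the two inputs come from `ps -Z $(pidof cupsd)` and `dmesg | grep AppArmor`; the case Janos hit, where the label is back to `/usr/sbin/cupsd` right after `restart cups`, shows up as `confined: True` and is consistent with the cups init job reloading its profile before starting the daemon.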

Janos G. Komaromi (jankom) wrote :

Thank you for the detailed explanation of restart.

As far as my installation DVD is concerned I downloaded the ISO image from Ubuntu's web site and burned it myself.

The only complication I had was that I already had a 12.04 installation on my 2nd hard drive (hdb or sdb) and the Ubuntu installation detected it and wanted me to upgrade, etc. I was not happy with the choices, so I disconnected the power supply to my 2nd hard drive and did the installation as a virgin installation. Previously, of course, I wiped out partitions on the main hard drive so the installation found nothing but an unpartitioned hard drive. Btw, this main hard drive is brand new, 250 Gig, because the original hard drive started to fail. I had a hard time finding an IDE ATA drive, because now everything is SATA and my motherboard is a few years old. Anyway, when I first installed 13.04 on the factory new hard drive it formatted and occupied the entire 250 Gig. So I wiped it out, created a smaller partition and this is how this 13.04 is installed. Probably this all is irrelevant.

I can start all over again: download the ISO, burn the DVD, reinstall 13.04 and try again.

My 12.04 installation is on the 2nd hard drive, and so is my old FC3 where the Lexmark printer does not segfault.

Scanner works on 12.04, and I can try deactivating apparmor on 12.04 and see if I can print with Lexmark.

Janos G. Komaromi (jankom) wrote :

I tested my 12.04 installation with apparmor disabled in grub for printing and it also segfaulted. However, this time it is not the printdriver, but libpthread - see below

janos@andraslinux:~$ dmesg | tail
[ 56.157663] composite sync not supported
[ 56.614874] composite sync not supported
[ 56.614886] composite sync not supported
[ 57.031522] composite sync not supported
[ 57.031534] composite sync not supported
[ 57.501989] composite sync not supported
[ 57.502001] composite sync not supported
[ 121.161899] firefox[1798]: segfault at 4 ip 15684564 sp bfcbc3e0 error 4 in nouveau_vieux_dri.so[15676000+2f000]
[ 121.171388] firefox[1801]: segfault at 4 ip 00a56564 sp bf93ea90 error 4 in nouveau_vieux_dri.so[a48000+2f000]
[ 461.056973] printdriver[2199]: segfault at 0 ip (null) sp bff4987c error 4 in libpthread-2.15.so[110000+17000]
janos@andraslinux:~$

I'm going away for a week now. Will check status of this bug when I come back. Hopefully, we can find a solution.

One more thing, the uname -a in my 12.04 is the following:

janos@andraslinux:~$ uname -a
Linux andraslinux 3.2.0-45-generic #70-Ubuntu SMP Wed May 29 20:11:31 UTC 2013 i686 athlon i386 GNU/Linux
janos@andraslinux:~$

I also run updates on 12.04, and will keep both distributions alive until my scanner and printer work. At that point I'll keep only 13.04. Presently the scanner works on 12.04 and the printer works on neither. My old FC3 installation has both the printer and scanner working, but the system is all messed up, so I use it as a sandbox. I use twm there as window manager and emlfm for files.

Thanks again for your interest in helping with this issue - and at the same time, hopefully, make Ubuntu better.

Janos

John Johansen (jjohansen) wrote :

Alright, so I am not sure of the best way to proceed with debugging this from here. It looks like this is a driver problem; we have been able to rule out apparmor as being the source for the fault.

I have added the cups project in hopes that we get the attention of someone who knows cups better than I do.

Changed in apparmor (Ubuntu):
status: New → Invalid