apparmor parser in precise does not support block_suspend capability (needed for backported kernels)

Bug #1199933 reported by Jeffery von Ronne on 2013-07-10
70
This bug affects 10 people
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Undecided
Unassigned
Precise
Undecided
Marc Deslauriers
Saucy
Undecided
Unassigned
cups (Ubuntu)
Undecided
Marc Deslauriers

Bug Description

When running an up-to-date precise system with a linux-image-generic-lts-raring HWE kernel (linux 3.8),
the precise verion of apparmor will deny all attempts of apparmored apps to call the block_suspend system call:

For example:
type=AVC msg=audit(XXXXXXXXXX.XXX:XXXXX): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/cupsd" pid=1040 comm="cupsd" pid=1040 comm="cupsd" capability=36 capname="block_suspend"

But it is also impossible to add block_suspend to the apparmor profiles, because the AppArmor parser does not know about it:
  Setting /usr/sbin/cupsd to enforce mode.
  Warning from stdin (line 1): /sbin/apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
  AppArmor parser error, in stdin line 24: Invalid capability block_suspend.

This seems to make it impossible to have apparmor not deny block suspend when using an LTS HWE kernel.

This seems to be related to bug #1052098.

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: apparmor 2.7.102-0ubuntu3.7
ProcVersionSignature: Ubuntu 3.8.0-25.37~precise1-generic 3.8.13
Uname: Linux 3.8.0-25-generic x86_64
ApportVersion: 2.0.1-0ubuntu17.3
Architecture: amd64
Date: Wed Jul 10 12:48:24 2013
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120425)
KernLog: Jul 10 12:34:08 gumdrop kernel: [580960.424225] SGI XFS with ACLs, security attributes, realtime, large block/inode numbers, no debug enabled
MarkForUpload: True
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcKernelCmdline: BOOT_IMAGE=/@/boot/vmlinuz-3.8.0-25-generic root=UUID=981723af-1da9-455d-b776-3a1e8885efde ro rootflags=subvol=@
SourcePackage: apparmor
UpgradeStatus: No upgrade log present (probably fresh install)
audit.log: Error: [Errno 13] Permission denied: '/var/log/audit/audit.log'

Jeffery von Ronne (vonronne) wrote :
Jamie Strandboge (jdstrand) wrote :

This is actually bug #1058356 but for precise with a raring kernel. The fix for precise is to adjust upstart in the same way we did for quantal's 1.5-0ubuntu9

no longer affects: apparmor (Ubuntu)
no longer affects: apparmor (Ubuntu Precise)
no longer affects: apparmor (Ubuntu Saucy)
Changed in upstart (Ubuntu Saucy):
status: New → Fix Released
Jamie Strandboge (jdstrand) wrote :

Note that this fix is not optimal, but is small and the best we can do at this time.

Jamie Strandboge (jdstrand) wrote :

Actually, I think I misunderstood and this is actually the inverse of bug #1058356. You have old policy and a new kernel-- but cups works ok with the denial, correct?

Changed in upstart (Ubuntu Precise):
status: New → Incomplete
Jeffery von Ronne (vonronne) wrote :

Yes. I think it is fair to characterize this as the inverse of 1058356.

Basically, if one uses precise with a backported kernel, one gets an implicity "deny capability block_suspend" that can't be changed in all apparmor profiles, because the tools and profiles do not know about block_suspend.

I'm not sure that cups really needs block_suspend, but it affects anything apparmored using precise tools and a raring kernel. I actually first saw this when after using aa-genprof on crashplan, which suggested adding an "capability block_suspend" line, but after adding it, the profile wouldn't load. (I'm not sure why crashplan needs to block_suspend either, though.)

Jamie Strandboge (jdstrand) wrote :

Ok, this bug can be fixed in apparmor, so moving it back there.

affects: upstart (Ubuntu Precise) → apparmor (Ubuntu Precise)
Changed in apparmor (Ubuntu Precise):
status: Incomplete → Triaged
Kai Krueger (kakrueger) wrote :

If you install 12.04.3, this bug occurs even with the default kernel now, which appears to be 3.5.0.

Dovecot appears to require the block_suspend to function. At least I haven't been able to get dovecot working in enforce mode and the block_suspend was the only thing that I could see being denied.

sillyxone (sillyxone) wrote :

Confirmed on a fresh 12.04.3 AMD64. Cannot print due to this error in dmesg:

apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/cupsd" pid=1046 comm="cupsd" pid=1046 comm="cupsd" capability=36 capname="block_suspend"

Adding "capability block_suspend," to /usr/sbin/cupsd resulted in parser error: Invalid capability block_suspend

NoOp (glgxg) wrote :

Affects me also:

cat /proc/version_signature
Ubuntu 3.8.0-32.47~precise1-generic 3.8.13.10
apt-cache policy linux-generic-lts-raring
linux-generic-lts-raring:
  Installed: 3.8.0.32.32
  Candidate: 3.8.0.32.32

$ apt-cache policy cups
cups:
  Installed: 1.5.3-0ubuntu8
  Candidate: 1.5.3-0ubuntu8

apt-cache policy apparmor
apparmor:
  Installed: 2.7.102-0ubuntu3.9
  Candidate: 2.7.102-0ubuntu3.9

[ 752.270216] audit_printk_skb: 39 callbacks suppressed
[ 752.270224] type=1400 audit(1381164104.927:39): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/cupsd" pid=1230 comm="cupsd" pid=1230 comm="cupsd" capability=36 capname="block_suspend"

$ apparmor_parser -p /etc/apparmor.d/usr.sbin.cupsd | grep capability
  capability net_bind_service,
  capability net_bind_service,
  capability chown,
  capability fowner,
  capability fsetid,
  capability kill,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability dac_override,
  capability net_bind_service,
  capability chown,
  capability fowner,
  capability fsetid,
  capability setgid,
  capability setuid,
  capability dac_override,
  capability dac_read_search,

cat /etc/apparmor.d/local/usr.sbin.cupsd
# Site-specific additions and overrides for usr.sbin.cupsd.
# For more details, please see /etc/apparmor.d/local/README.

Margash (margash) wrote :

I can also confirm this on a fresh 12.04.3 installation with default kernel

cat /proc/version_signature
Ubuntu 3.8.0-32.47~precise1-generic 3.8.13.10

After runnig cups with aa-compain I got

apparmor="ALLOWED" operation="capable" parent=1 profile="/usr/sbin/cupsd" pid=10742 comm="cupsd" pid=10742 comm="cupsd" capability=36 capname="block_suspend"

so I did aa-logprof and now cups doesn't start any longer

tail /var/log/upstart/cups.log
AppArmor parser error for /etc/apparmor.d/usr.sbin.cupsd in /etc/apparmor.d/usr.sbin.cupsd at line 18: Invalid capability block_suspend.

Thomas Wouters (i-thomas) wrote :

@margash is right, this bug is present by default in a clean install.

As far as i can see the only thing that needs to happen is backport the “upstart” 1.5-0ubuntu9 package to 12.04 since by default it uses the 1.5-0ubuntu7.2 package. I don't see an easy fix at the moment?

Thomas Wouters (i-thomas) wrote :

Ow, and @margash just made a typo :) but just had a typo. But it still doesn't work by default.

Ray-Ven (ray-ven) wrote :

afaik isn't this a apparmor bug but a upstart bug - shouldn't we change that, or do I get this wrong?!
And is there an ppa with a newer upstart? Or is it save to take the quantal packages or so?

Seth Arnold (seth-arnold) wrote :

Ray, Thomas, this is caused by mismatched Linux kernel and apparmor_parser. Newer versions of the kernel support more posix 1.e draft-style capabilities. The names and numbers as reported by the AppArmor audit messages are provided by the newer kernels. The older apparmor_parser does not support these capabilities.

Upstart is not involved in this bug.

Jamie Strandboge (jdstrand) wrote :

Thomas, a new upstart is not needed, apparmor needs to be updated.

Marc Deslauriers (mdeslaur) wrote :

FYI, for cups in 12.04.3, this should simply be a mostly harmless error message and shouldn't affect printing. It can simply be ignored until a updated apparmor is released.

Changed in cups (Ubuntu):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apparmor (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)

The attachment "absolute minimum patch to support block_suspend in this version of the parser" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Ray-Ven (ray-ven) wrote :

Maybe this is a stupid question, but, if this is apparmor related, and apparmor 2.8 has this patch included, why is apparmor 2.8.2 (from ppa:apparmor-upload/apparmor-2.8) still complaining about block_suspend!?

Marc Deslauriers (mdeslaur) wrote :

It's not fixed in a particular version of AppArmor. When the package is built, it dynamically detects what capabilities the kernel supports. The AppArmor package will need the patch above to force inclusion of block_suspend when it gets built on the release version of the kernel in precise, instead of the backported kernel.

Thomas Wouters (i-thomas) wrote :

@mdeslaur thanks for the patch.

Is there any workaround while we wait for a new package to be released?

Marc Deslauriers (mdeslaur) wrote :

It should just be a cosmetic issue, so there is no rush to get a new package.
You can simply ignore the log message for now.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in cups (Ubuntu):
status: New → Confirmed

Jamie, Marc, is there still something needed to get fixed in CUPS? If yes, what? Can you fix that or provide a patch?

tony.damato (whatzgnu) wrote :

Marc, this is not a cosmetic issue. My HP printer no longer works after updating to 12.04.4 using 3.8 or 3.11 kernels.

Marc Deslauriers (mdeslaur) wrote :

@tony.damato: Your printing problem is likely unrelated to this issue. Please file a new bug for that.

dogstar1 (nick-dogstar1) wrote :

This has also rendered my HP all-in-one useless.

Marc Deslauriers (mdeslaur) wrote :

@dogstar1: Your printing problem is likely unrelated to this issue. Please file a new bug for that.

tedmar (tedmar) wrote :

My computer has slow boot times because this error
Tail of dmesg

[ 44.672089] input: Bluetooth Laser Travel Mouse as /devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.5/2-1.5:1.0/bluetooth/hci0/hci0:35/input12
[ 44.672198] hid-generic 0005:046D:B008.0001: input,hidraw0: BLUETOOTH HID v3.13 Mouse [Bluetooth Laser Travel Mouse] on 84:a6:c8:b2:0a:83
[ 96.021989] audit_printk_skb: 30 callbacks suppressed
[ 96.021992] type=1400 audit(1420316542.197:28): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/cupsd" pid=1370 comm="cupsd" pid=1370 comm="cupsd" capability=36 capname="block_suspend"
[ 118.923987] type=1400 audit(1420316565.113:29): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/cupsd" pid=1370 comm="cupsd" pid=1370 comm="cupsd" capability=36 capname="block_suspend"

In my case is not cosmetic.
I need a patch

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers