apparmor parser in precise does not support block_suspend capability (needed for backported kernels)

Bug #1199933 reported by Jeffery von Ronne on 2013-07-10
This bug affects 10 people
Affects             Status    Importance    Assigned to         Milestone
apparmor (Ubuntu)                           Marc Deslauriers
cups (Ubuntu)                               Marc Deslauriers

Bug Description

When running an up-to-date precise system with a linux-image-generic-lts-raring HWE kernel (linux 3.8),
the precise version of apparmor will deny all attempts of apparmored apps to call the block_suspend system call:

For example:
type=AVC msg=audit(XXXXXXXXXX.XXX:XXXXX): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/cupsd" pid=1040 comm="cupsd" pid=1040 comm="cupsd" capability=36 capname="block_suspend"

But it is also impossible to add block_suspend to the apparmor profiles, because the AppArmor parser does not know about it:
  Setting /usr/sbin/cupsd to enforce mode.
  Warning from stdin (line 1): /sbin/apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
  AppArmor parser error, in stdin line 24: Invalid capability block_suspend.

This seems to make it impossible to have apparmor not deny block suspend when using an LTS HWE kernel.

This seems to be related to bug #1052098.

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: apparmor 2.7.102-0ubuntu3.7
ProcVersionSignature: Ubuntu 3.8.0-25.37~precise1-generic 3.8.13
Uname: Linux 3.8.0-25-generic x86_64
ApportVersion: 2.0.1-0ubuntu17.3
Architecture: amd64
Date: Wed Jul 10 12:48:24 2013
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120425)
KernLog: Jul 10 12:34:08 gumdrop kernel: [580960.424225] SGI XFS with ACLs, security attributes, realtime, large block/inode numbers, no debug enabled
MarkForUpload: True
 PATH=(custom, no user)
ProcKernelCmdline: BOOT_IMAGE=/@/boot/vmlinuz-3.8.0-25-generic root=UUID=981723af-1da9-455d-b776-3a1e8885efde ro rootflags=subvol=@
SourcePackage: apparmor
UpgradeStatus: No upgrade log present (probably fresh install)
audit.log: Error: [Errno 13] Permission denied: '/var/log/audit/audit.log'

Jeffery von Ronne (vonronne) wrote :
Jamie Strandboge (jdstrand) wrote :

This is actually bug #1058356 but for precise with a raring kernel. The fix for precise is to adjust upstart in the same way we did for quantal's 1.5-0ubuntu9

no longer affects: apparmor (Ubuntu)
no longer affects: apparmor (Ubuntu Precise)
no longer affects: apparmor (Ubuntu Saucy)
Changed in upstart (Ubuntu Saucy):
status: New → Fix Released
Jamie Strandboge (jdstrand) wrote :

Note that this fix is not optimal, but is small and the best we can do at this time.

Jamie Strandboge (jdstrand) wrote :

Actually, I think I misunderstood and this is actually the inverse of bug #1058356. You have old policy and a new kernel-- but cups works ok with the denial, correct?

Changed in upstart (Ubuntu Precise):
status: New → Incomplete
Jeffery von Ronne (vonronne) wrote :

Yes. I think it is fair to characterize this as the inverse of 1058356.

Basically, if one uses precise with a backported kernel, one gets an implicit "deny capability block_suspend" that can't be changed in all apparmor profiles, because the tools and profiles do not know about block_suspend.

I'm not sure that cups really needs block_suspend, but it affects anything apparmored using precise tools and a raring kernel. I actually first saw this after using aa-genprof on crashplan, which suggested adding a "capability block_suspend" line, but after adding it, the profile wouldn't load. (I'm not sure why crashplan needs block_suspend either, though.)

Jamie Strandboge (jdstrand) wrote :

Ok, this bug can be fixed in apparmor, so moving it back there.

affects: upstart (Ubuntu Precise) → apparmor (Ubuntu Precise)
Changed in apparmor (Ubuntu Precise):
status: Incomplete → Triaged
Kai Krueger (kakrueger) wrote :

If you install 12.04.3, this bug occurs even with the default kernel now, which appears to be 3.5.0.

Dovecot appears to require the block_suspend to function. At least I haven't been able to get dovecot working in enforce mode and the block_suspend was the only thing that I could see being denied.

sillyxone (sillyxone) wrote :

Confirmed on a fresh 12.04.3 AMD64. Cannot print due to this error in dmesg:

apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/cupsd" pid=1046 comm="cupsd" pid=1046 comm="cupsd" capability=36 capname="block_suspend"

Adding "capability block_suspend," to /usr/sbin/cupsd resulted in parser error: Invalid capability block_suspend

NoOp (glgxg) wrote :

Affects me also:

cat /proc/version_signature
Ubuntu 3.8.0-32.47~precise1-generic
apt-cache policy linux-generic-lts-raring

$ apt-cache policy cups
  Installed: 1.5.3-0ubuntu8
  Candidate: 1.5.3-0ubuntu8

apt-cache policy apparmor
  Installed: 2.7.102-0ubuntu3.9
  Candidate: 2.7.102-0ubuntu3.9

[ 752.270216] audit_printk_skb: 39 callbacks suppressed
[ 752.270224] type=1400 audit(1381164104.927:39): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/cupsd" pid=1230 comm="cupsd" pid=1230 comm="cupsd" capability=36 capname="block_suspend"

$ apparmor_parser -p /etc/apparmor.d/usr.sbin.cupsd | grep capability
  capability net_bind_service,
  capability net_bind_service,
  capability chown,
  capability fowner,
  capability fsetid,
  capability kill,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability dac_override,
  capability net_bind_service,
  capability chown,
  capability fowner,
  capability fsetid,
  capability setgid,
  capability setuid,
  capability dac_override,
  capability dac_read_search,

cat /etc/apparmor.d/local/usr.sbin.cupsd
# Site-specific additions and overrides for usr.sbin.cupsd.
# For more details, please see /etc/apparmor.d/local/README.

Margash (margash) wrote :

I can also confirm this on a fresh 12.04.3 installation with default kernel

cat /proc/version_signature
Ubuntu 3.8.0-32.47~precise1-generic

After running cups with aa-complain I got

apparmor="ALLOWED" operation="capable" parent=1 profile="/usr/sbin/cupsd" pid=10742 comm="cupsd" pid=10742 comm="cupsd" capability=36 capname="block_suspend"

so I did aa-logprof and now cups doesn't start any longer

tail /var/log/upstart/cups.log
AppArmor parser error for /etc/apparmor.d/usr.sbin.cupsd in /etc/apparmor.d/usr.sbin.cupsd at line 18: Invalid capability block_suspend.

Thomas Wouters (i-thomas) wrote :

@margash is right, this bug is present by default in a clean install.

As far as I can see the only thing that needs to happen is to backport the “upstart” 1.5-0ubuntu9 package to 12.04, since by default it uses the 1.5-0ubuntu7.2 package. I don't see an easy fix at the moment?

Thomas Wouters (i-thomas) wrote :

Oh, and @margash just made a typo :). But it still doesn't work by default.

Ray-Ven (ray-ven) wrote :

AFAIK, isn't this an apparmor bug but an upstart bug - shouldn't we change that, or do I get this wrong?!
And is there a PPA with a newer upstart? Or is it safe to take the quantal packages or so?

Seth Arnold (seth-arnold) wrote :

Ray, Thomas, this is caused by mismatched Linux kernel and apparmor_parser. Newer versions of the kernel support more POSIX 1.e draft-style capabilities. The names and numbers as reported by the AppArmor audit messages are provided by the newer kernels. The older apparmor_parser does not support these capabilities.

Upstart is not involved in this bug.

Jamie Strandboge (jdstrand) wrote :

Thomas, a new upstart is not needed, apparmor needs to be updated.

Marc Deslauriers (mdeslaur) wrote :

FYI, for cups in 12.04.3, this should simply be a mostly harmless error message and shouldn't affect printing. It can simply be ignored until an updated apparmor is released.

Changed in cups (Ubuntu):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apparmor (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)

The attachment "absolute minimum patch to support block_suspend in this version of the parser" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Ray-Ven (ray-ven) wrote :

Maybe this is a stupid question, but, if this is apparmor related, and apparmor 2.8 has this patch included, why is apparmor 2.8.2 (from ppa:apparmor-upload/apparmor-2.8) still complaining about block_suspend!?

Marc Deslauriers (mdeslaur) wrote :

It's not fixed in a particular version of AppArmor. When the package is built, it dynamically detects what capabilities the kernel supports. The AppArmor package will need the patch above to force inclusion of block_suspend when it gets built on the release version of the kernel in precise, instead of the backported kernel.
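The two explanations above (Seth's: the kernel supplies the capability names and numbers in the audit messages, and an older apparmor_parser does not know the newer ones; Marc's: the parser's capability list is fixed at package build time) suggest a simple triage script. The following Python is an added example, not code from the bug report or from the AppArmor project. It parses AppArmor "operation=capable" audit lines, groups them per profile, and reports whether the installed parser can express a matching rule at all, so an administrator can tell a denial that policy can fix from one that needs a newer parser. The capability table is the kernel's numbering from include/uapi/linux/capability.h (capability 36 is block_suspend, as in the lines quoted in this bug); the value PRECISE_PARSER_MAX_CAP = 35 is an assumption about a parser built against 3.2-era headers, and the sample log lines are constructed for the example (one cupsd line is modelled on the bug's own dmesg output, the "example-daemon" lines are invented).

```python
import re
from collections import defaultdict

# Capability numbers from the Linux kernel's include/uapi/linux/capability.h.
# Numbers are assigned in order and never reused; index 36 is block_suspend,
# matching the capability=36 capname="block_suspend" lines quoted in this bug.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read",
]

# Assumed value (not from the bug): a parser built against the precise release
# kernel's headers knows capabilities 0..35 and rejects newer names at load time
# ("Invalid capability block_suspend"). Use the figure for the parser you have.
PRECISE_PARSER_MAX_CAP = 35

# Matches the capability fields of an AppArmor "capable" audit record, whether
# it comes from dmesg, /var/log/kern.log or audit.log, and whether the kernel
# reported DENIED (enforce mode) or ALLOWED (complain mode).
AUDIT_RE = re.compile(
    r'apparmor="(?P<action>DENIED|ALLOWED)"\s+operation="capable".*?'
    r'profile="(?P<profile>[^"]+)".*?capability=(?P<num>\d+)\s+capname="(?P<name>\w+)"'
)


def parse_capable_events(lines):
    """Return (action, profile, cap_number, cap_name) for every matching line."""
    events = []
    for line in lines:
        m = AUDIT_RE.search(line)
        if m:
            events.append((m["action"], m["profile"], int(m["num"]), m["name"]))
    return events


def summarize(events, parser_max_cap):
    """Group events per profile and per capability.

    For each capability: how often it was seen, how often it was actually denied,
    whether the name the kernel printed agrees with the numbering table, and
    whether the installed parser can accept a 'capability <name>,' rule for it.
    """
    summary = defaultdict(dict)
    for action, profile, num, name in events:
        known_to_parser = num <= parser_max_cap
        entry = summary[profile].setdefault(name, {
            "number": num,
            "count": 0,
            "denied": 0,
            "name_agrees_with_kernel_table": num < len(CAP_NAMES) and CAP_NAMES[num] == name,
            "parser_knows": known_to_parser,
            # The rule an administrator could add to the profile, if the parser can parse it.
            "rule": "capability %s," % name if known_to_parser else None,
        })
        entry["count"] += 1
        if action == "DENIED":
            entry["denied"] += 1
    return dict(summary)


# Constructed sample input. The first two lines follow the cupsd messages quoted
# in the bug; the "example-daemon" profile and its events are invented.
SAMPLE_LOG = [
    '[  752.270216] audit_printk_skb: 39 callbacks suppressed',
    '[  752.270224] type=1400 audit(1381164104.927:39): apparmor="DENIED" operation="capable" parent=1 '
    'profile="/usr/sbin/cupsd" pid=1230 comm="cupsd" pid=1230 comm="cupsd" capability=36 capname="block_suspend"',
    'type=1400 audit(1381164200.000:40): apparmor="ALLOWED" operation="capable" parent=1 '
    'profile="/usr/sbin/cupsd" pid=10742 comm="cupsd" capability=36 capname="block_suspend"',
    'type=1400 audit(1381164300.000:41): apparmor="DENIED" operation="capable" parent=1 '
    'profile="/usr/sbin/example-daemon" pid=2000 comm="example-daemon" capability=0 capname="chown"',
    'type=1400 audit(1381164400.000:42): apparmor="DENIED" operation="capable" parent=1 '
    'profile="/usr/sbin/example-daemon" pid=2000 comm="example-daemon" capability=37 capname="audit_read"',
]


if __name__ == "__main__":
    report = summarize(parse_capable_events(SAMPLE_LOG), PRECISE_PARSER_MAX_CAP)
    for profile, caps in sorted(report.items()):
        for name, info in sorted(caps.items()):
            status = "add rule %r" % info["rule"] if info["parser_knows"] else "parser too old for this capability"
            print("%s: %s (#%d) seen %d, denied %d: %s"
                  % (profile, name, info["number"], info["count"], info["denied"], status))
```

Running it with PRECISE_PARSER_MAX_CAP reports the cupsd block_suspend denials as "parser too old", which is exactly the situation in this bug: the kernel knows capability 36, the profile cannot mention it. Calling summarize() with a parser_max_cap of 36 instead (a parser built with the patch attached to this bug) turns the same events into a suggested "capability block_suspend," rule. To use it on a real machine, replace SAMPLE_LOG with lines read from dmesg or /var/log/kern.log.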

Thomas Wouters (i-thomas) wrote :

@mdeslaur thanks for the patch.

Is there any workaround while we wait for a new package to be released?

Marc Deslauriers (mdeslaur) wrote :

It should just be a cosmetic issue, so there is no rush to get a new package.
You can simply ignore the log message for now.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in cups (Ubuntu):
status: New → Confirmed

Jamie, Marc, is there still something needed to get fixed in CUPS? If yes, what? Can you fix that or provide a patch?

tony.damato (whatzgnu) wrote :

Marc, this is not a cosmetic issue. My HP printer no longer works after updating to 12.04.4 using 3.8 or 3.11 kernels.

Marc Deslauriers (mdeslaur) wrote :

@tony.damato: Your printing problem is likely unrelated to this issue. Please file a new bug for that.

dogstar1 (nick-dogstar1) wrote :

This has also rendered my HP all-in-one useless.

Marc Deslauriers (mdeslaur) wrote :

@dogstar1: Your printing problem is likely unrelated to this issue. Please file a new bug for that.

tedmar (tedmar) wrote :

My computer has slow boot times because of this error.
Tail of dmesg

[ 44.672089] input: Bluetooth Laser Travel Mouse as /devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.5/2-1.5:1.0/bluetooth/hci0/hci0:35/input12
[ 44.672198] hid-generic 0005:046D:B008.0001: input,hidraw0: BLUETOOTH HID v3.13 Mouse [Bluetooth Laser Travel Mouse] on 84:a6:c8:b2:0a:83
[ 96.021989] audit_printk_skb: 30 callbacks suppressed
[ 96.021992] type=1400 audit(1420316542.197:28): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/cupsd" pid=1370 comm="cupsd" pid=1370 comm="cupsd" capability=36 capname="block_suspend"
[ 118.923987] type=1400 audit(1420316565.113:29): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/cupsd" pid=1370 comm="cupsd" pid=1370 comm="cupsd" capability=36 capname="block_suspend"

In my case it is not cosmetic.
I need a patch.
