Feature buffer full in precise with LTS kernel

Bug #1214979 reported by Serge Hallyn on 2013-08-21
This bug affects 4 people
Affects: apparmor (Ubuntu)
Assigned to: Tim Gardner

Bug Description


 * Users running Saucy or newer kernels on 12.04 LTS release cannot load
   AppArmor profiles due to a fixed-size buffer in the apparmor_parser binary.

 * As a result of this failure, lxc could not install, and no programs would
   run with AppArmor confinement, when a user installed a Saucy or newer kernel.

 * This upload cherry picks a fix from Saucy that increases the size of the
   fixed buffer from 1024 to 8192 bytes. This is expected to be large enough.

[Test Case]

 * apt-add-repository ppa:ubuntu-x-swat/s-lts-backport
   apt-get update
   apt-get install linux-generic-lts-saucy
   shutdown -r now
   /etc/init.d/apparmor reload
   apt-get install lxc

 * Without the fix, the reload and install lxc commands fail, and
   aa-status would report no loaded profiles.

   With the fix, the reload and install lxc commands succeed, and
   aa-status reports many loaded profiles.

[Regression Potential]

 * If a future kernel requires more than 8192 bytes of buffer to describe
   features, this will again break. The AppArmor 3.0 upstream release is
   expected to dynamically allocate the size of this buffer if the buffer
   should again prove to be too small, and such a hypothesized patch can be
   cherry-picked again.

[Other Info]

 * I verified this bug as well as #982619, #987578, and #1091642.

Seth Arnold

[Original report]
The 0041-parser-fix-flags.patch patch from saucy's apparmor needs to be cherrypicked to precise. Without it, using the saucy upstream kernel, installing lxc gives me a "Feature buffer full" error message, and lxc postinst fails.
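
The failure and the fix described above, as an added C sketch (not apparmor_parser's code and not part of the original report): constructed feature entries are appended to a fixed buffer of 1024 or 8192 bytes, the two sizes named in the description, and to a buffer that grows on demand as the regression note anticipates. The function names, entry format and sample value are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

#define VALUE "mask create read write exec"   /* constructed sample value */

/* Append "featureNNN {VALUE}\n" at buf+*pos; -1 means the entry did not fit. */
static int append_entry(char *buf, size_t cap, size_t *pos, int i)
{
    int n = snprintf(buf + *pos, cap - *pos, "feature%03d {%s}\n", i, VALUE);
    if (n < 0 || (size_t)n >= cap - *pos)
        return -1;                  /* truncated: the "buffer full" case */
    *pos += (size_t)n;
    return 0;
}

/* Fixed buffer of cap bytes: 0 on success, -1 once the features overflow it. */
int describe_fixed(size_t cap, int count)
{
    char *buf = malloc(cap);
    size_t pos = 0;
    int rc = buf ? 0 : -1;
    for (int i = 0; rc == 0 && i < count; i++)
        rc = append_entry(buf, cap, &pos, i);
    free(buf);
    return rc;
}

/* Growing buffer: doubles on overflow; returns bytes written or -1 on OOM. */
long describe_dynamic(int count)
{
    size_t cap = 1024, pos = 0;
    char *buf = malloc(cap);
    for (int i = 0; buf && i < count; i++) {
        while (append_entry(buf, cap, &pos, i) != 0) {
            char *bigger = realloc(buf, cap * 2);
            if (!bigger) { free(buf); return -1; }
            buf = bigger; cap *= 2;
        }
    }
    long len = buf ? (long)pos : -1;
    free(buf);
    return len;
}

int main(void)
{
    printf("%d %d %ld\n", describe_fixed(1024, 25), describe_fixed(8192, 25),
           describe_dynamic(200));
    return 0;
}
```

Each constructed entry is 41 bytes, so the 1024-byte buffer holds 24 of them and the 8192-byte buffer holds 199; the growing variant has no such ceiling.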

Serge Hallyn (serge-hallyn) wrote :

Marking confirmed as both rtg and I have seen it.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Tim Gardner (timg-tpi) on 2013-08-21
Changed in apparmor (Ubuntu Precise):
assignee: nobody → Tim Gardner (timg-tpi)
status: New → In Progress
Tim Gardner (timg-tpi) wrote :

I verified that this patch applied to 2.7.102-0ubuntu3.8 allows lxc to be installed when the host has booted a Saucy LTS kernel (v3.11.0).

Tim Gardner (timg-tpi) wrote :

P.S. The patch in #3 is a backport from apparmor 2.8.0-0ubuntu24 (0041-parser-fix-flags.patch)

Changed in apparmor (Ubuntu):
status: Confirmed → Fix Released
Seth Arnold (seth-arnold) wrote :

Tim, I have finished validation on bug #987578 which had held up a previous SRU of apparmor to precise.

Seth Arnold (seth-arnold) wrote :

Tim, the apparmor 2.7.102-0ubuntu3.8 package will not be pushed through SRU quickly as the 12.04.3 update is taking precedence. Adam Conrad suggested bundling this patch together on top of the apparmor package in -proposed and pushing on Monday:

Wed 21 15:46:50 < infinity> sarnold: Given a point release is in progress pretty much as we speak, releasing that today is a no-go anyway.
Wed 21 15:47:25 < infinity> sarnold: So, you could just upload on top of that for the other bug as well, verify the lot, and we can push it all in on, say, Monday.


Tim Gardner (timg-tpi) on 2013-08-26
Changed in apparmor (Ubuntu Precise):
status: In Progress → Fix Committed
Seth Arnold (seth-arnold) wrote :

sarnold@sec-precise-amd64:~$ uname -a
Linux sec-precise-amd64 3.11.0-4-generic #9~precise1-Ubuntu SMP Mon Aug 26 15:58:59 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
sarnold@sec-precise-amd64:~$ dpkg -l apparmor
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Description
ii apparmor 2.7.102-0ubuntu3.9 User-space parser utility for AppArmor

description: updated
Jamie Strandboge (jdstrand) wrote :

debdiff looks good. ACK. I'm testing locally now and will report back and upload in a bit.

Jamie Strandboge (jdstrand) wrote :

Uploaded 2.7.102-0ubuntu3.9 to precise-proposed. Local testing shows all patches applied, no new compiler warnings/errors, upgrades fine and passes QRT.

Hello Serge, or anyone else affected,

Accepted apparmor into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/apparmor/2.7.102-0ubuntu3.9 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-needed
tags: added: verification-done
removed: verification-needed
Seth Arnold (seth-arnold) wrote :

I tested apparmor 2.7.102-0ubuntu3.9 on both 12.04 LTS i386 and amd64 with the above PPA kernel (known to overflow the small buffer). In both cases, the updated package allowed AppArmor profiles to be loaded and thus allowed lxc package install to finish.


Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.7.102-0ubuntu3.9

apparmor (2.7.102-0ubuntu3.9) precise-proposed; urgency=low

  * 0041-parser-fix-flags.patch: increase the size of the fixed 'features'
    buffer to support newer kernels with more apparmor features (LP: #1214979)
 -- Seth Arnold <email address hidden> Mon, 26 Aug 2013 11:31:51 -0700

Changed in apparmor (Ubuntu Precise):
status: Fix Committed → Fix Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates, please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
