apparmor spams log with warning message

Bug #1308761 reported by John Johansen on 2014-04-16
This bug affects 8 people
Affects: linux (Ubuntu) | Importance: Low | Assigned to: John Johansen
Affects: Trusty | Importance: Low | Assigned to: John Johansen
Affects: Utopic | Importance: Low | Assigned to: John Johansen

Bug Description

The apparmor kernel module will spam the dmesg log with a stack trace and warning when the label on a unix socket does not match the label on the task sending the message.

This happens when a socket is delegated to another task.

Example message in the log:
Apr 5 05:16:45 cormac kernel: [66784.479777] ------------[ cut here ]------------
Apr 5 05:16:45 cormac kernel: [66784.479791] WARNING: CPU: 0 PID: 21866 at /build/buildd/linux-3.13.0/security/apparmor/lsm.c:839 apparmor_unix_may_send+0x16c/0x180()
Apr 5 05:16:45 cormac kernel: [66784.479793] AppArmor WARN apparmor_unix_may_send: ((!aa_label_is_subset(cxt->label, label))):
Apr 5 05:16:45 cormac kernel: [66784.479794] Modules linked in: xt_hl ipt_REJECT xt_comment xt_limit xt_tcpudp xt_addrtype ppdev nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack_netbios_ns nf_conntrack_broadcast nf_nat_ftp nf_nat nf_conntrack_ftp iptable_filter ip_tables kvm_intel kvm cirrus psmouse serio_raw ip6t_REJECT xt_LOG ttm ip6t_rt nf_conntrack_ipv6 nf_defrag_ipv6 nf_conntrack parport_pc ip6table_filter ip6_tables x_tables drm_kms_helper drm lp parport mac_hid syscopyarea sysfillrect sysimgblt i2c_piix4 floppy
Apr 5 05:16:45 cormac kernel: [66784.479828] CPU: 0 PID: 21866 Comm: sshd Tainted: G W 3.13.0-22-generic #44-Ubuntu
Apr 5 05:16:45 cormac kernel: [66784.479829] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
Apr 5 05:16:45 cormac kernel: [66784.479832] 0000000000000009 ffff8800d5d25bd0 ffffffff81714914 ffff8800d5d25c18
Apr 5 05:16:45 cormac kernel: [66784.479834] ffff8800d5d25c08 ffffffff810676bd ffff8800d67a3c30 ffff880138147b80
Apr 5 05:16:45 cormac kernel: [66784.479836] ffff88003681cb40 ffff880138147680 ffff8801384217f0 ffff8800d5d25c68
Apr 5 05:16:45 cormac kernel: [66784.479839] Call Trace:
Apr 5 05:16:45 cormac kernel: [66784.479846] [<ffffffff81714914>] dump_stack+0x45/0x56
Apr 5 05:16:45 cormac kernel: [66784.479851] [<ffffffff810676bd>] warn_slowpath_common+0x7d/0xa0
Apr 5 05:16:45 cormac kernel: [66784.479853] [<ffffffff8106772c>] warn_slowpath_fmt+0x4c/0x50
Apr 5 05:16:45 cormac kernel: [66784.479855] [<ffffffff8130e92c>] apparmor_unix_may_send+0x16c/0x180
Apr 5 05:16:45 cormac kernel: [66784.479859] [<ffffffff812cf446>] security_unix_may_send+0x16/0x20
Apr 5 05:16:45 cormac kernel: [66784.479863] [<ffffffff816b1435>] unix_dgram_sendmsg+0x2a5/0x620
Apr 5 05:16:45 cormac kernel: [66784.479868] [<ffffffff81601f3b>] sock_sendmsg+0x8b/0xc0
Apr 5 05:16:45 cormac kernel: [66784.479872] [<ffffffff8104f28f>] ? kvm_clock_read+0x1f/0x30
Apr 5 05:16:45 cormac kernel: [66784.479875] [<ffffffff816020e1>] SYSC_sendto+0x121/0x1c0
Apr 5 05:16:45 cormac kernel: [66784.479901] [<ffffffff8109dd74>] ? vtime_account_user+0x54/0x60
Apr 5 05:16:45 cormac kernel: [66784.479907] [<ffffffff81020d35>] ? syscall_trace_enter+0x145/0x250
Apr 5 05:16:45 cormac kernel: [66784.479909] [<ffffffff81602bee>] SyS_sendto+0xe/0x10
Apr 5 05:16:45 cormac kernel: [66784.479913] [<ffffffff817254ff>] tracesys+0xe1/0xe6
Apr 5 05:16:45 cormac kernel: [66784.479915] ---[ end trace c4dfb167bafcc341 ]---

Changed in linux (Ubuntu):
status: New → Confirmed
assignee: nobody → John Johansen (jjohansen)
Stephan Ruegamer (sadig) wrote :

For me, I have a similar issue...

the log says:

Apr 17 02:29:36 trusty-01 kernel: [70827.909934] ------------[ cut here ]------------
Apr 17 02:29:36 trusty-01 kernel: [70827.909960] WARNING: CPU: 0 PID: 2985 at /build/buildd/linux-3.13.0/security/apparmor/lsm.c:839 apparmor_unix_may_send+0x16c/0x180()
Apr 17 02:29:36 trusty-01 kernel: [70827.909964] AppArmor WARN apparmor_unix_may_send: ((!aa_label_is_subset(cxt->label, label))):
Apr 17 02:29:36 trusty-01 kernel: [70827.909968] Modules linked in: kvm_intel kvm cirrus snd_hda_intel ttm snd_hda_codec drm_kms_helper snd_hwdep psmouse serio_raw snd_pcm drm snd_page_alloc snd_timer syscopyarea snd soundcore sysfillrect sysimgblt i2c_piix4 lp parport mac_hid 8139too 8139cp mii floppy
Apr 17 02:29:36 trusty-01 kernel: [70827.910014] CPU: 0 PID: 2985 Comm: dhcpd Tainted: G W 3.13.0-24-generic #46-Ubuntu
Apr 17 02:29:36 trusty-01 kernel: [70827.910018] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Apr 17 02:29:36 trusty-01 kernel: [70827.910022] 0000000000000009 ffff880000063bd0 ffffffff81715a64 ffff880000063c18
Apr 17 02:29:36 trusty-01 kernel: [70827.910030] ffff880000063c08 ffffffff810676bd ffff88003e00a430 ffff88003d618000
Apr 17 02:29:36 trusty-01 kernel: [70827.910036] ffff88003b33f010 ffff88003d70f400 ffff88003c1a8000 ffff880000063c68
Apr 17 02:29:36 trusty-01 kernel: [70827.910043] Call Trace:
Apr 17 02:29:36 trusty-01 kernel: [70827.910056] [<ffffffff81715a64>] dump_stack+0x45/0x56
Apr 17 02:29:36 trusty-01 kernel: [70827.910066] [<ffffffff810676bd>] warn_slowpath_common+0x7d/0xa0
Apr 17 02:29:36 trusty-01 kernel: [70827.910072] [<ffffffff8106772c>] warn_slowpath_fmt+0x4c/0x50
Apr 17 02:29:36 trusty-01 kernel: [70827.910080] [<ffffffff8130ed5c>] apparmor_unix_may_send+0x16c/0x180
Apr 17 02:29:36 trusty-01 kernel: [70827.910089] [<ffffffff812cf876>] security_unix_may_send+0x16/0x20
Apr 17 02:29:36 trusty-01 kernel: [70827.910097] [<ffffffff816b2575>] unix_dgram_sendmsg+0x2a5/0x620
Apr 17 02:29:36 trusty-01 kernel: [70827.910108] [<ffffffff816024eb>] sock_sendmsg+0x8b/0xc0
Apr 17 02:29:36 trusty-01 kernel: [70827.910116] [<ffffffff81602691>] SYSC_sendto+0x121/0x1c0
Apr 17 02:29:36 trusty-01 kernel: [70827.910125] [<ffffffff8109dd84>] ? vtime_account_user+0x54/0x60
Apr 17 02:29:36 trusty-01 kernel: [70827.910137] [<ffffffff81020d35>] ? syscall_trace_enter+0x145/0x250
Apr 17 02:29:36 trusty-01 kernel: [70827.910145] [<ffffffff8160319e>] SyS_sendto+0xe/0x10
Apr 17 02:29:36 trusty-01 kernel: [70827.910154] [<ffffffff8172663f>] tracesys+0xe1/0xe6
Apr 17 02:29:36 trusty-01 kernel: [70827.910158] ---[ end trace 0b1a05a3a90a9dc7 ]---
Apr 17 02:29:46 trusty-01 kernel: [70838.210778] ------------[ cut here ]------------
Apr 17 02:29:46 trusty-01 kernel: [70838.210791] WARNING: CPU: 0 PID: 2985 at /build/buildd/linux-3.13.0/security/apparmor/lsm.c:839 apparmor_unix_may_send+0x16c/0x180()
Apr 17 02:29:46 trusty-01 kernel: [70838.210793] AppArmor WARN apparmor_unix_may_send: ((!aa_label_is_subset(cxt->label, label))):
Apr 17 02:29:46 trusty-01 kernel: [70838.210794] Modules linked in: kvm_intel kvm cirrus snd_hda_intel ttm snd_hda_codec drm_kms_he...


Luca (luca-lazzarin) wrote :

Hi all, here I have the same problem.

[2559611.578826] ------------[ cut here ]------------
[2559611.578832] WARNING: CPU: 0 PID: 18649 at /build/buildd/linux-3.13.0/security/apparmor/lsm.c:839 apparmor_unix_may_send+0x16c/0x180()
[2559611.578835] AppArmor WARN apparmor_unix_may_send: ((!aa_label_is_subset(cxt->label, label))):
[2559611.578837] Modules linked in: btrfs(F) ufs(F) qnx4(F) hfsplus(F) hfs(F) minix(F) ntfs(F) msdos(F) jfs(F) xfs(F) libcrc32c(F) dm_crypt lrw gf128mul glue_helper ablk_helper cryptd aes_x86_64 xt_conntrack ipt_MASQUERADE iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack xt_tcpudp ip6table_filter ip6_tables iptable_filter ip_tables x_tables gpio_ich coretemp kvm_intel kvm psmouse serio_raw joydev lp lpc_ich parport i3200_edac mac_hid edac_core raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx hid_generic xor raid6_pq ses enclosure usbhid raid1 e1000e hid raid0 ahci ptp multipath floppy e1000 usb_storage libahci pps_core linear
[2559611.578902] CPU: 0 PID: 18649 Comm: dhcpd Tainted: GF W I 3.13.0-24-generic #46-Ubuntu
[2559611.578904] Hardware name: Intel Corporation S3210SH/S3210SH, BIOS S3200X38.86B.00.00.0042.042820081723 04/28/2008
[2559611.578907] 0000000000000009 ffff8800d83d9bd0 ffffffff81715a64 ffff8800d83d9c18
[2559611.578912] ffff8800d83d9c08 ffffffff810676bd ffff88011b00c430 ffff8801190f9b80
[2559611.578917] ffff8800362e6ff0 ffff880119182800 ffff8800cb0c2fe0 ffff8800d83d9c68
[2559611.578921] Call Trace:
[2559611.578926] [<ffffffff81715a64>] dump_stack+0x45/0x56
[2559611.578931] [<ffffffff810676bd>] warn_slowpath_common+0x7d/0xa0
[2559611.578935] [<ffffffff8106772c>] warn_slowpath_fmt+0x4c/0x50
[2559611.578940] [<ffffffff8130ed5c>] apparmor_unix_may_send+0x16c/0x180
[2559611.578944] [<ffffffff812cf876>] security_unix_may_send+0x16/0x20
[2559611.578948] [<ffffffff816b2575>] unix_dgram_sendmsg+0x2a5/0x620
[2559611.578953] [<ffffffff816024eb>] sock_sendmsg+0x8b/0xc0
[2559611.578958] [<ffffffff8109df6d>] ? vtime_common_task_switch+0x3d/0x40
[2559611.578962] [<ffffffff81719a11>] ? __schedule+0x381/0x7d0
[2559611.578967] [<ffffffff8101b763>] ? native_sched_clock+0x13/0x80
[2559611.578971] [<ffffffff81602691>] SYSC_sendto+0x121/0x1c0
[2559611.578976] [<ffffffff8109dd84>] ? vtime_account_user+0x54/0x60
[2559611.578980] [<ffffffff81020d35>] ? syscall_trace_enter+0x145/0x250
[2559611.578985] [<ffffffff8160319e>] SyS_sendto+0xe/0x10
[2559611.578989] [<ffffffff8172663f>] tracesys+0xe1/0xe6
[2559611.578992] ---[ end trace 4a4dfa3d4cf5d4b7 ]---
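
A triage sketch for the warning blocks quoted in the reports above, added here as an example (it is not code from this bug report or from the kernel): it reduces each "cut here" to "end trace" block to its warning site, the failed AppArmor check and the triggering command, and keeps a block that a log excerpt cut short. The sample lines, host name, PIDs, timestamps and trace id are constructed.

```python
import re
from collections import Counter

# Line patterns of the kernel WARN block layout seen in the reports above.
WARN_RE = re.compile(r"WARNING: CPU: \d+ PID: (\d+) at (\S+):(\d+) (\w+)\+0x")
AA_RE = re.compile(r"AppArmor WARN \w+: \(\((.+)\)\):")
COMM_RE = re.compile(r"CPU: \d+ PID: \d+ Comm: (\S+)")
END_RE = re.compile(r"---\[ end trace [0-9a-f]+ \]---")

def parse_warn_blocks(lines):
    """One dict per WARN block; a block cut off before 'end trace' is kept."""
    blocks, cur = [], None
    for line in lines:
        if "[ cut here ]" in line:
            if cur is not None:          # previous block was truncated
                blocks.append(cur)
            cur = {"complete": False}
        elif cur is None:
            continue                     # not inside a WARN block
        elif m := WARN_RE.search(line):
            cur.update(pid=int(m[1]), site=m[2].rsplit("/", 1)[-1] + ":" + m[3], func=m[4])
        elif m := AA_RE.search(line):
            cur["check"] = m[1]          # the assertion that failed
        elif m := COMM_RE.search(line):
            cur["comm"] = m[1]           # process that made the send call
        elif END_RE.search(line):
            cur["complete"] = True
            blocks.append(cur)
            cur = None
    if cur is not None:                  # log ended inside a block
        blocks.append(cur)
    return blocks

def summarize(blocks):
    """Count WARN blocks per (function, source site, command)."""
    return Counter((b.get("func"), b.get("site"), b.get("comm")) for b in blocks)

# Constructed, abridged sample: one syslog-style block, one bare dmesg block cut short.
SAMPLE = """\
Apr 5 05:16:45 hostA kernel: [100.000001] ------------[ cut here ]------------
Apr 5 05:16:45 hostA kernel: [100.000002] WARNING: CPU: 0 PID: 4242 at /build/buildd/linux-3.13.0/security/apparmor/lsm.c:839 apparmor_unix_may_send+0x16c/0x180()
Apr 5 05:16:45 hostA kernel: [100.000003] AppArmor WARN apparmor_unix_may_send: ((!aa_label_is_subset(cxt->label, label))):
Apr 5 05:16:45 hostA kernel: [100.000004] CPU: 0 PID: 4242 Comm: sshd Tainted: G W 3.13.0-22-generic #44-Ubuntu
Apr 5 05:16:45 hostA kernel: [100.000005] ---[ end trace 0123456789abcdef ]---
[200.000001] ------------[ cut here ]------------
[200.000002] WARNING: CPU: 0 PID: 5151 at /build/buildd/linux-3.13.0/security/apparmor/lsm.c:839 apparmor_unix_may_send+0x16c/0x180()
[200.000003] AppArmor WARN apparmor_unix_may_send: ((!aa_label_is_subset(cxt->label, label))):
""".splitlines()
print(summarize(parse_warn_blocks(SAMPLE)))
```

A block with no command recorded (key ending in None) means the excerpt stopped before the "Comm:" line, as in the truncated report earlier in this thread.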

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.15.0-4.8

---------------
linux (3.15.0-4.8) utopic; urgency=low

  [ Andy Whitcroft ]

  * Release Tracking Bug
    - LP: #1324107
  * [Config] enable SECURITY_APPARMOR_UNCONFINED_INIT

  [ Javier Martinez Canillas ]

  * SAUCE: (no-up) apparmor: fix bug that constantly spam the console
    - LP: #1323526

  [ John Johansen ]

  * SAUCE: (no-up) apparmor: Sync to apparmor3 - alpha6 snapshot
    - LP: #1323528
  * SAUCE: (no-up) apparmor: fix apparmor spams log with warning message
    - LP: #1308761
  * SAUCE: (no-up) apparmor: fix refcount bug in apparmor pivotroot
    - LP: #1308765
  * SAUCE: (no-up): apparmor: fix apparmor refcount bug in apparmor_kill
    - LP: #1308764
  * SAUCE: (no-up): apparmor: use custom write_is_locked macro
    - LP: #1323530

  [ Kamal Mostafa ]

  * [Config] add debian/gbp.conf

  [ Tim Gardner ]

  * [Config] CONFIG_SATA_AHCI=m for ppc64el
    - LP: #1323980
 -- Andy Whitcroft <email address hidden> Wed, 28 May 2014 12:47:17 +0100

Changed in linux (Ubuntu Utopic):
status: Confirmed → Fix Released
Simon Déziel (sdeziel) wrote :

John, are there any plans to SRU this to Trusty? Thanks

CSRedRat (csredrat) wrote :

When will this be fixed in 14.04 Trusty Tahr for 14.04.1 (24 July)?

Tim Gardner (timg-tpi) on 2014-06-17
Changed in linux (Ubuntu Trusty):
status: Confirmed → Fix Committed
Luis Henriques (henrix) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-trusty' to 'verification-done-trusty'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-trusty
John Johansen (jjohansen) wrote :

I have been running this for a few hours and it seems to be working

tags: added: verification-done-trusty
removed: verification-needed-trusty
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.13.0-32.57

---------------
linux (3.13.0-32.57) trusty; urgency=low

  [ Upstream Kernel Changes ]

  * l2tp: Privilege escalation in ppp over l2tp sockets
    - LP: #1341472
    - CVE-2014-4943

linux (3.13.0-32.56) trusty; urgency=low

  [ Luis Henriques ]

  * Merged back Ubuntu-3.13.0-30.55 security release
  * Revert "x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)"
    - LP: #1337339
  * Release Tracking Bug
    - LP: #1338524

  [ Upstream Kernel Changes ]

  * ptrace,x86: force IRET path after a ptrace_stop()
    - LP: #1337339
    - CVE-2014-4699
  * hpsa: add new Smart Array PCI IDs (May 2014)
    - LP: #1337516

linux (3.13.0-31.55) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1336278

  [ Andy Whitcroft ]

  * [Config] switch hyper-keyboard to virtual
    - LP: #1325306
  * [Packaging] linux-udeb-flavour -- standardise on linux prefix

  [ dann frazier ]

  * [Config] CONFIG_GPIO_DWAPB=m
    - LP: #1334823

  [ Feng Kan ]

  * SAUCE: (no-up) arm64: dts: Add Designware GPIO dts binding to APM
    X-Gene platform
    - LP: #1334823

  [ John Johansen ]

  * SAUCE: (no-up) apparmor: fix apparmor spams log with warning message
    - LP: #1308761

  [ Kamal Mostafa ]

  * [Config] updateconfigs ACPI_PROCFS_POWER=y after v3.13.11.4 rebase

  [ Loc Ho ]

  * SAUCE: (no-up) phy-xgene: Use correct tuning for Mustang
    - LP: #1335636

  [ Michael Ellerman ]

  * SAUCE: (no-up) powerpc/perf: Ensure all EBB register state is cleared
    on fork()
    - LP: #1328914

  [ Ming Lei ]

  * Revert "SAUCE: (no-up) rtc: Add X-Gene SoC Real Time Clock Driver"
    - LP: #1274305

  [ Suman Tripathi ]

  * SAUCE: (no-up) libahci: Implement the function ahci_restart_engine to
    restart the port dma engine.
    - LP: #1335645
  * SAUCE: (no-up) ata: Fix the dma state machine lockup for the IDENTIFY
    DEVICE PIO mode command.
    - LP: #1335645

  [ Tim Gardner ]

  * [Config] CONFIG_POWERNV_CPUFREQ=y for powerpc, ppc64el
    - LP: #1324571
  * [Debian] Add UTS_UBUNTU_RELEASE_ABI to utsrelease.h
    - LP: #1327619
  * [Config] CONFIG_HAVE_MEMORYLESS_NODES=y
    - LP: #1332063
  * [Config] CONFIG_HID_RMI=m
    - LP: #1305522

  [ Upstream Kernel Changes ]

  * Revert "offb: Add palette hack for little endian"
    - LP: #1333430
  * Revert "net: mvneta: fix usage as a module on RGMII configurations"
    - LP: #1333837
  * Revert "USB: serial: add usbid for dell wwan card to sierra.c"
    - LP: #1333837
  * Revert "macvlan : fix checksums error when we are in bridge mode"
    - LP: #1333838
  * serial: uart: add hw flow control support configuration
    - LP: #1328295
  * mm/numa: Remove BUG_ON() in __handle_mm_fault()
    - LP: #1323165
  * Tools: hv: Handle the case when the target file exists correctly
    - LP: #1306215
  * Documentation/devicetree/bindings: add documentation for the APM X-Gene
    SoC RTC DTS binding
    - LP: #1274305
  * drivers/rtc: add APM X-Gene SoC RTC driver
    - LP: #1274305
  * arm64: add APM X-Gene SoC RTC DTS entry
    - LP: #1274305
  * powerpc/perf: Add Power8 cache & TLB events
    - LP: #1328914
  * powerpc/perf: Configure BH...

Changed in linux (Ubuntu Trusty):
status: Fix Committed → Fix Released
Changed in linux (Ubuntu):
importance: Undecided → Low
Changed in linux (Ubuntu Trusty):
importance: Undecided → Low
Changed in linux (Ubuntu Utopic):
importance: Undecided → Low