unexpected errno=13 and disconnected path when trying to open /proc/1/ns/mnt from a unshared mount namespace

Please forgive me for making a mistake above:

The call to open returns -1 and errno set to 13 (EACCES) despite using attach_disconnected.

This should read:

The call to open returns -1 and errno set to 13 (EACCES) despite using *complain* mode.

This looks like the child null profile is not inheriting the control flags from its parent

can you please try the kernel in
http://people.canonical.com/~jj/lp1656121/

I've tested this kernel (in fact, automated testing for this kernel and issue) and I think it would be best if we worked on IRC interactively to figure out what's next. Please ping me on IRC if you can.

I've published all the testing tools back to https://github.com/snapcore/snapd/pull/2624

Alright 2nd kernel to test

same location, but the deb is now at v2
http://people.canonical.com/~jj/lp1656121/

please enable apparmor debug
echo 1 > /sys/module/apparmor/parameters/debug

Testing in progress. I'm already switching apparmor debugging on as requested before. I should have results in 15-20 minutes.

Tests failed, this is the collected data:

+ cat debug.log
kern.lo:
http://paste.ubuntu.com/23822082/
journalctl:
http://paste.ubuntu.com/23822083/
snap-confine.log:
http://paste.ubuntu.com/23822084/
+ journalctl -u snapd

Incidentally, the pastebins from comment #6 don't show the "Failed name lookup - disconnected path" -- based on what's visible there, I'm curious if this is just an incomplete profile?

Thanks

Hey

With the test kernel the observed failure is different. The snap in
question is installed in devmode so apparmor should be non-enforcing.

I tried to figure out exactly what is failing, I'll add a strace to
the mix to shed some more light.

Best regards
ZK

PS: Without the debug kernel the error is still the same as before.

On Thu, Jan 19, 2017 at 1:39 AM, Seth Arnold <email address hidden> wrote:
> Incidentally, the pastebins from comment #6 don't show the "Failed name
> lookup - disconnected path" -- based on what's visible there, I'm
> curious if this is just an incomplete profile?
>
> Thanks
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1656121
>
> Title:
> unexpected errno=13 and disconnected path when trying to open
> /proc/1/ns/mnt from a unshared mount namespace
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/apparmor/+bug/1656121/+subscriptions

Sorry I didn't get spread setup today.

With the current logs in comment 6, this doesn't look like an apparmor denial. So either we are missing logging or something else is happening.

Can you test again with debug enabled.

noquieting set
  echo noquiet > /sys/module/apparmor/parameters/audit

and ratelimiting disabled
  echo 0 > /proc/sys/kernel/printk_ratelimit

Both of those were set as you instructed. I'll re-investigate to see what we're missing.

I wrote a simple script that reproduces this issue. Atteched to the bug now.

This script can be used to reproduce the problem and collect detailed logs.

The test kernel is not fixing the issue. The actual error seems to be entirely different now (as if we could not execute the test application (nsenter).

Log file added below:

+ ./reproduce-lp-1656121.sh
+ snap install --devmode snapd-hacker-toolbelt
snapd-hacker-toolbelt 0.6 from 'zygoon' installed
+ /usr/lib/snapd/snap-discard-ns snapd-hacker-toolbelt
+ perl -n -e /-- cursor: (.+)/ && print $1
+ tail -n 1
+ journalctl --show-cursor
+ cursor=s=f99269010cfc407fa45669c97647431c;i=36a;b=f0a02ed5b1bc42fa939eecd92100e10d;m=135bccf;t=5477b9acae4c4;x=5c3ca07400f5d0e
+ echo 0
+ echo 1
+ echo noquiet
sh: echo: I/O error
+ snapd-hacker-toolbelt.busybox sh -c id && nsenter -m/proc/1/ns/mnt /bin/true
uid=0(root) gid=0(root) groups=0(root)
sh: nsenter: Permission denied
+ echo Test failed. Please look at the error messages below.
Test failed. Please look at the error messages below.
+ cat
+ journalctl --after-cursor=s=f99269010cfc407fa45669c97647431c;i=36a;b=f0a02ed5b1bc42fa939eecd92100e10d;m=135bccf;t=5477b9acae4c4;x=5c3ca07400f5d0e
-- Logs begin at Wed 2017-02-01 18:44:31 CET, end at Wed 2017-02-01 18:44:47 CET. --
Feb 01 18:44:47 autopkgtest kernel: AppArmor: cap_mac_admin? 1
Feb 01 18:44:47 autopkgtest kernel: AppArmor: policy locked? 0
Feb 01 18:44:47 autopkgtest snapd-hacker-toolbelt.busybox[1165]: cmd.go:111: DEBUG: restarting into "/snap/core/current/usr/bin/snap"
Feb 01 18:44:47 autopkgtest kernel: AppArmor: unconfined exec no attachment
Feb 01 18:44:47 autopkgtest kernel: AppArmor: unconfined exec no attachment
Feb 01 18:44:47 autopkgtest kernel: AppArmor: unconfined exec no attachment
Feb 01 18:44:47 autopkgtest kernel: AppArmor: unconfined exec no attachment
Feb 01 18:44:47 autopkgtest kernel: AppArmor: unconfined exec no attachment
Feb 01 18:44:47 autopkgtest kernel: AppArmor: unconfined exec no attachment
Feb 01 18:44:47 autopkgtest kernel: AppArmor: unconfined exec no attachment
Feb 01 18:44:47 autopkgtest kernel: AppArmor: unconfined exec no attachment
Feb 01 18:44:47 autopkgtest kernel: AppArmor: unconfined exec no attachment
Feb 01 18:44:47 autopkgtest kernel: AppArmor: unconfined attached to new label
Feb 01 18:44:47 autopkgtest kernel: apparmor: clearing unsafe personality bits. /usr/lib/snapd/snap-confine label=/usr/lib/snapd/snap-confine
Feb 01 18:44:47 autopkgtest kernel:
Feb 01 18:44:47 autopkgtest kernel: AppArmor: unconfined exec no attachment
Feb 01 18:44:47 autopkgtest kernel: AppArmor: aa_setprocattr_changehat: (pid 1178) Magic 0x0 count 0 hat 'mount-namespace-capture-helper'
Feb 01 18:44:47 autopkgtest kernel: apparmor: clearing unsafe personality bits. /usr/lib/snapd/snap-exec label=snap.snapd-hacker-toolbelt.busybox
Feb 01 18:44:47 autopkgtest kernel:
Feb 01 18:44:47 autopkgtest kernel: AppArmor: aa_label_alloc (ffffa1a457e1b700)
Feb 01 18:44:47 autopkgtest kernel: AppArmor: unconfined exec no attachment
Feb 01 18:44:47 autopkgtest kernel: AppArmor: aa_label_alloc (ffffa1a457e1b180)
Feb 01 18:44:47 autopkgtest kernel: AppArmor: unconfined exec no attachment
Feb 01 18:44:47 autopkgtest kernel: AppArmor: unconfined exec no attachment
Feb 01 18:44:47 autopkgtest kernel: AppArmor: unconfined exec no attachment
Feb 01 18:44:...

I wonder if the nsenter denial is related to bug #1648903. Ie, complain mode blocked 'ip netns list' (etc). You should be able to workaround that be adjusting the profile to allow nsenter so that it is allowed and not affected by complain mode.

I have kernels that fix the complain error from bug #1648903 in

http://people.canonical.com/~jj/linux+jj/

Thanks, I'll check this kernel ASAP

On Thu, Feb 2, 2017 at 9:16 AM, John Johansen
<email address hidden> wrote:
> I have kernels that fix the complain error from bug #1648903 in
>
> http://people.canonical.com/~jj/linux+jj/
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1656121
>
> Title:
> unexpected errno=13 and disconnected path when trying to open
> /proc/1/ns/mnt from a unshared mount namespace
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/apparmor/+bug/1656121/+subscriptions

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1656121

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-yakkety' to 'verification-done-yakkety'. If the problem still exists, change the tag 'verification-needed-yakkety' to 'verification-failed-yakkety'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

This bug was fixed in the package linux - 4.8.0-40.43

---------------
linux (4.8.0-40.43) yakkety; urgency=low

  * linux: 4.8.0-40.43 -proposed tracker (LP: #1667066)

  [ Andy Whitcroft ]
  * NFS client : permission denied when trying to access subshare, since kernel
    4.4.0-31 (LP: #1649292)
    - fs: Better permission checking for submounts

  * shaking screen (LP: #1651981)
    - drm/radeon: drop verde dpm quirks

  * [0bda:0328] Card reader failed after S3 (LP: #1664809)
    - usb: hub: Wait for connection to be reestablished after port reset

  * linux-lts-xenial 4.4.0-63.84~14.04.2 ADT test failure with linux-lts-xenial
    4.4.0-63.84~14.04.2 (LP: #1664912)
    - SAUCE: apparmor: fix link auditing failure due to, uninitialized var

  * In Ubuntu 17.04 : after reboot getting message in console like Unable to
    open file: /etc/keys/x509_ima.der (-2) (LP: #1656908)
    - SAUCE: ima: Downgrade error to warning

  * 16.04.2: Extra patches for POWER9 (LP: #1664564)
    - powerpc/mm: Fix no execute fault handling on pre-POWER5
    - powerpc/mm: Fix spurrious segfaults on radix with autonuma

  * ibmvscsis: Add SGL LIMIT (LP: #1662551)
    - ibmvscsis: Add SGL limit

  * [Hyper-V] Bug fixes for storvsc (tagged queuing, error conditions)
    (LP: #1663687)
    - scsi: storvsc: Enable tracking of queue depth
    - scsi: storvsc: Remove the restriction on max segment size
    - scsi: storvsc: Enable multi-queue support
    - scsi: storvsc: use tagged SRB requests if supported by the device
    - scsi: storvsc: properly handle SRB_ERROR when sense message is present
    - scsi: storvsc: properly set residual data length on errors

  * Ubuntu16.10-KVM:Big configuration with multiple guests running SRIOV VFs
    caused KVM host hung and all KVM guests down. (LP: #1651248)
    - KVM: PPC: Book 3S: XICS cleanup: remove XICS_RM_REJECT
    - KVM: PPC: Book 3S: XICS: correct the real mode ICP rejecting counter
    - KVM: PPC: Book 3S: XICS: Fix potential issue with duplicate IRQ resends
    - KVM: PPC: Book 3S: XICS: Implement ICS P/Q states
    - KVM: PPC: Book 3S: XICS: Don't lock twice when checking for resend

  * ISST-LTE:pNV: ppc64_cpu command is hung w HDs, SSDs and NVMe (LP: #1662666)
    - blk-mq: Avoid memory reclaim when remapping queues
    - blk-mq: Fix failed allocation path when mapping queues
    - blk-mq: Always schedule hctx->next_cpu

  * systemd-udevd hung in blk_mq_freeze_queue_wait testing unpartitioned NVMe
    drive (LP: #1662673)
    - percpu-refcount: fix reference leak during percpu-atomic transition

  * [Yakkety SRU] Enable KEXEC support in ARM64 kernel (LP: #1662554)
    - [Config] Enable KEXEC support in ARM64.

  * [Hyper-V] Fix ring buffer handling to avoid host throttling (LP: #1661430)
    - Drivers: hv: vmbus: On write cleanup the logic to interrupt the host
    - Drivers: hv: vmbus: On the read path cleanup the logic to interrupt the host
    - Drivers: hv: vmbus: finally fix hv_need_to_signal_on_read()

  * brd module compiled as built-in (LP: #1593293)
    - CONFIG_BLK_DEV_RAM=m

  * regession tests failing after stackprofile test is run (LP: #1661030)
    - SAUCE: fix regression with domain change in compla...

This bug was fixed in the package linux - 4.4.0-65.86

---------------
linux (4.4.0-65.86) xenial; urgency=low

  * linux: 4.4.0-65.86 -proposed tracker (LP: #1667052)

  [ Stefan Bader ]
  * Upgrade Redpine RS9113 driver to support AP mode (LP: #1665211)
    - SAUCE: Redpine driver to support Host AP mode

  * NFS client : permission denied when trying to access subshare, since kernel
    4.4.0-31 (LP: #1649292)
    - fs: Better permission checking for submounts

  * [Hyper-V] SAUCE: pci-hyperv fixes for SR-IOV on Azure (LP: #1665097)
    - SAUCE: PCI: hv: Fix wslot_to_devfn() to fix warnings on device removal
    - SAUCE: pci-hyperv: properly handle pci bus remove
    - SAUCE: pci-hyperv: lock pci bus on device eject

  * [Hyper-V/Azure] Please include Mellanox OFED drivers in Azure kernel and
    image (LP: #1650058)
    - net/mlx4_en: Fix bad WQE issue
    - net/mlx4_core: Fix racy CQ (Completion Queue) free
    - net/mlx4_core: Fix when to save some qp context flags for dynamic VST to VGT
      transitions
    - net/mlx4_core: Avoid command timeouts during VF driver device shutdown

  * Xenial update to v4.4.49 stable release (LP: #1664960)
    - ARC: [arcompact] brown paper bag bug in unaligned access delay slot fixup
    - selinux: fix off-by-one in setprocattr
    - Revert "x86/ioapic: Restore IO-APIC irq_chip retrigger callback"
    - cpumask: use nr_cpumask_bits for parsing functions
    - hns: avoid stack overflow with CONFIG_KASAN
    - ARM: 8643/3: arm/ptrace: Preserve previous registers for short regset write
    - target: Don't BUG_ON during NodeACL dynamic -> explicit conversion
    - target: Use correct SCSI status during EXTENDED_COPY exception
    - target: Fix early transport_generic_handle_tmr abort scenario
    - target: Fix COMPARE_AND_WRITE ref leak for non GOOD status
    - ARM: 8642/1: LPAE: catch pending imprecise abort on unmask
    - mac80211: Fix adding of mesh vendor IEs
    - netvsc: Set maximum GSO size in the right place
    - scsi: zfcp: fix use-after-free by not tracing WKA port open/close on failed
      send
    - scsi: aacraid: Fix INTx/MSI-x issue with older controllers
    - scsi: mpt3sas: disable ASPM for MPI2 controllers
    - xen-netfront: Delete rx_refill_timer in xennet_disconnect_backend()
    - ALSA: seq: Fix race at creating a queue
    - ALSA: seq: Don't handle loop timeout at snd_seq_pool_done()
    - drm/i915: fix use-after-free in page_flip_completed()
    - Linux 4.4.49

  * NFS client : kernel 4.4.0-57 crash with nfsv4 enries in /etc/fstab
    (LP: #1650336)
    - SUNRPC: fix refcounting problems with auth_gss messages.

  * [0bda:0328] Card reader failed after S3 (LP: #1664809)
    - usb: hub: Wait for connection to be reestablished after port reset

  * linux-lts-xenial 4.4.0-63.84~14.04.2 ADT test failure with linux-lts-xenial
    4.4.0-63.84~14.04.2 (LP: #1664912)
    - SAUCE: apparmor: fix link auditing failure due to, uninitialized var

  * ibmvscsis: Add SGL LIMIT (LP: #1662551)
    - ibmvscsis: Add SGL limit

  * [Hyper-V] Bug fixes for storvsc (tagged queuing, error conditions)
    (LP: #1663687)
    - scsi: storvsc: Enable tracking of queue depth
    - scsi: storvsc: Remove the ...

Not fixed because we had to revert the commits due to various regressions.

This bug was fixed in the package linux - 4.8.0-45.48

---------------
linux (4.8.0-45.48) yakkety; urgency=low

  * CVE-2017-7184
    - xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window
    - xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder

 -- Stefan Bader <email address hidden> Fri, 24 Mar 2017 12:03:39 +0100

This bug was fixed in the package linux - 4.4.0-75.96

---------------
linux (4.4.0-75.96) xenial; urgency=low

  * linux: 4.4.0-75.96 -proposed tracker (LP: #1684441)

  * [Hyper-V] hv: util: move waiting for release to hv_utils_transport itself
    (LP: #1682561)
    - Drivers: hv: util: move waiting for release to hv_utils_transport itself

linux (4.4.0-74.95) xenial; urgency=low

  * linux: 4.4.0-74.95 -proposed tracker (LP: #1682041)

  * [Hyper-V] hv: vmbus: Raise retry/wait limits in vmbus_post_msg()
    (LP: #1681893)
    - Drivers: hv: vmbus: Raise retry/wait limits in vmbus_post_msg()

linux (4.4.0-73.94) xenial; urgency=low

  * linux: 4.4.0-73.94 -proposed tracker (LP: #1680416)

  * CVE-2017-6353
    - sctp: deny peeloff operation on asocs with threads sleeping on it

  * vfat: missing iso8859-1 charset (LP: #1677230)
    - [Config] NLS_ISO8859_1=y

  * Regression: KVM modules should be on main kernel package (LP: #1678099)
    - [Config] powerpc: Add kvm-hv and kvm-pr to the generic inclusion list

  * linux-lts-xenial 4.4.0-63.84~14.04.2 ADT test failure with linux-lts-xenial
    4.4.0-63.84~14.04.2 (LP: #1664912)
    - SAUCE: apparmor: fix link auditing failure due to, uninitialized var

  * regession tests failing after stackprofile test is run (LP: #1661030)
    - SAUCE: fix regression with domain change in complain mode

  * Permission denied and inconsistent behavior in complain mode with 'ip netns
    list' command (LP: #1648903)
    - SAUCE: fix regression with domain change in complain mode

  * unexpected errno=13 and disconnected path when trying to open /proc/1/ns/mnt
    from a unshared mount namespace (LP: #1656121)
    - SAUCE: apparmor: null profiles should inherit parent control flags

  * apparmor refcount leak of profile namespace when removing profiles
    (LP: #1660849)
    - SAUCE: apparmor: fix ns ref count link when removing profiles from policy

  * tor in lxd: apparmor="DENIED" operation="change_onexec"
    namespace="root//CONTAINERNAME_<var-lib-lxd>" profile="unconfined"
    name="system_tor" (LP: #1648143)
    - SAUCE: apparmor: Fix no_new_privs blocking change_onexec when using stacked
      namespaces

  * apparmor oops in bind_mnt when dev_path lookup fails (LP: #1660840)
    - SAUCE: apparmor: fix oops in bind_mnt when dev_path lookup fails

  * apparmor auditing denied access of special apparmor .null fi\ le
    (LP: #1660836)
    - SAUCE: apparmor: Don't audit denied access of special apparmor .null file

  * apparmor label leak when new label is unused (LP: #1660834)
    - SAUCE: apparmor: fix label leak when new label is unused

  * apparmor reference count bug in label_merge_insert() (LP: #1660833)
    - SAUCE: apparmor: fix reference count bug in label_merge_insert()

  * apparmor's raw_data file in securityfs is sometimes truncated (LP: #1638996)
    - SAUCE: apparmor: fix replacement race in reading rawdata

  * unix domain socket cross permission check failing with nested namespaces
    (LP: #1660832)
    - SAUCE: apparmor: fix cross ns perm of unix domain sockets

  * Xenial update to v4.4.59 stable release (LP: #1678960)
    - xfrm: policy: init locks early
    - virtio_balloon: init ...

This bug was fixed in the package linux - 4.8.0-49.52

---------------
linux (4.8.0-49.52) yakkety; urgency=low

  * linux: 4.8.0-49.52 -proposed tracker (LP: #1684427)

  * [Hyper-V] hv: util: move waiting for release to hv_utils_transport itself
    (LP: #1682561)
    - Drivers: hv: util: move waiting for release to hv_utils_transport itself

linux (4.8.0-48.51) yakkety; urgency=low

  * linux: 4.8.0-48.51 -proposed tracker (LP: #1682034)

  * [Hyper-V] hv: vmbus: Raise retry/wait limits in vmbus_post_msg()
    (LP: #1681893)
    - Drivers: hv: vmbus: Raise retry/wait limits in vmbus_post_msg()

linux (4.8.0-47.50) yakkety; urgency=low

  * linux: 4.8.0-47.50 -proposed tracker (LP: #1679678)

  * CVE-2017-6353
    - sctp: deny peeloff operation on asocs with threads sleeping on it

  * CVE-2017-5986
    - sctp: avoid BUG_ON on sctp_wait_for_sndbuf

  * vfat: missing iso8859-1 charset (LP: #1677230)
    - [Config] NLS_ISO8859_1=y

  * [Hyper-V] pci-hyperv: Use device serial number as PCI domain (LP: #1667527)
    - net/mlx4_core: Use cq quota in SRIOV when creating completion EQs

  * Regression: KVM modules should be on main kernel package (LP: #1678099)
    - [Config] powerpc: Add kvm-hv and kvm-pr to the generic inclusion list

  * linux-lts-xenial 4.4.0-63.84~14.04.2 ADT test failure with linux-lts-xenial
    4.4.0-63.84~14.04.2 (LP: #1664912)
    - SAUCE: apparmor: fix link auditing failure due to, uninitialized var

  * regession tests failing after stackprofile test is run (LP: #1661030)
    - SAUCE: fix regression with domain change in complain mode

  * Permission denied and inconsistent behavior in complain mode with 'ip netns
    list' command (LP: #1648903)
    - SAUCE: fix regression with domain change in complain mode

  * unexpected errno=13 and disconnected path when trying to open /proc/1/ns/mnt
    from a unshared mount namespace (LP: #1656121)
    - SAUCE: apparmor: null profiles should inherit parent control flags

  * apparmor refcount leak of profile namespace when removing profiles
    (LP: #1660849)
    - SAUCE: apparmor: fix ns ref count link when removing profiles from policy

  * tor in lxd: apparmor="DENIED" operation="change_onexec"
    namespace="root//CONTAINERNAME_<var-lib-lxd>" profile="unconfined"
    name="system_tor" (LP: #1648143)
    - SAUCE: apparmor: Fix no_new_privs blocking change_onexec when using stacked
      namespaces

  * apparmor oops in bind_mnt when dev_path lookup fails (LP: #1660840)
    - SAUCE: apparmor: fix oops in bind_mnt when dev_path lookup fails

  * apparmor auditing denied access of special apparmor .null fi\ le
    (LP: #1660836)
    - SAUCE: apparmor: Don't audit denied access of special apparmor .null file

  * apparmor label leak when new label is unused (LP: #1660834)
    - SAUCE: apparmor: fix label leak when new label is unused

  * apparmor reference count bug in label_merge_insert() (LP: #1660833)
    - SAUCE: apparmor: fix reference count bug in label_merge_insert()

  * apparmor's raw_data file in securityfs is sometimes truncated (LP: #1638996)
    - SAUCE: apparmor: fix replacement race in reading rawdata

  * unix domain socket cross permission check failing with n...