2018-03-13 18:12:29 |
Zygmunt Krynicki |
bug |
|
|
added bug |
2018-03-13 18:13:04 |
Zygmunt Krynicki |
bug |
|
|
added subscriber John Johansen |
2018-03-13 18:13:15 |
Zygmunt Krynicki |
bug |
|
|
added subscriber Jamie Strandboge |
2018-03-13 18:13:23 |
Zygmunt Krynicki |
bug |
|
|
added subscriber Michael Vogt |
2018-03-13 18:30:08 |
Ubuntu Kernel Bot |
linux (Ubuntu): status |
New |
Confirmed |
|
2018-03-13 18:30:49 |
Zygmunt Krynicki |
description |
On my artful system running 4.13.0-36-generic I noticed that there are dangling symlinks for "raw_data", "raw_sha1" and "raw_abi" files in the sysfs path containing loaded apparmor profiles.
Sample of profiles that had dangling symlinks:
/sys/kernel/security/apparmor/policy/profiles/snap.core.hook.configure.35/raw_data
/sys/kernel/security/apparmor/policy/profiles/snap.core.hook.configure.35/raw_abi
/sys/kernel/security/apparmor/policy/profiles/snap.core.hook.configure.35/raw_sha1
The following command can be used to find such files:
find /sys/kernel/security/apparmor/policy/profiles -type l -exec sh -c "file -b {} | grep -q ^broken" \; -print
It seems that neither xenial (4.4 kernel) nor bionic (4.15 kernel) is affected though I didn't perform an extensive investigation.
I'm reporting this because according to the apparmor developer it seems "racy" and should not happen.
<jjohansen> zyga-ubuntu: no, there shouldn't be a way to remove profiles wrong, there is the potential for a race of sorts because the symlink doesn't have the same hard reference, but that isn't something you should be seeing
<jjohansen> zyga-ubuntu: the raw_data file should not be going away as long as that profile directory exists
It is likely that this problem occurs when snapd generates profiles for refreshed snaps or removes profiles for removed snaps but I was not able to determine that yet.
ProblemType: Bug
DistroRelease: Ubuntu 17.10
Package: linux-image-4.13.0-36-generic 4.13.0-36.40
ProcVersionSignature: Ubuntu 4.13.0-36.40-generic 4.13.13
Uname: Linux 4.13.0-36-generic x86_64
NonfreeKernelModules: zfs zunicode zavl zcommon znvpair
ApportVersion: 2.20.7-0ubuntu3.7
Architecture: amd64
AudioDevicesInUse:
USER PID ACCESS COMMAND
/dev/snd/controlC0: zyga 2431 F.... pulseaudio
CurrentDesktop: ubuntu:GNOME
Date: Tue Mar 13 19:04:50 2018
InstallationDate: Installed on 2018-02-02 (39 days ago)
InstallationMedia: Ubuntu 17.10 "Artful Aardvark" - Release amd64 (20180105.1)
MachineType: VMware, Inc. VMware Virtual Platform
ProcFB: 0 svgadrmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.13.0-36-generic root=UUID=7e995ac2-1858-40bd-8f15-1f291f0c365e ro find_preseed=/preseed.cfg auto noprompt priority=critical locale=en_US quiet
RelatedPackageVersions:
linux-restricted-modules-4.13.0-36-generic N/A
linux-backports-modules-4.13.0-36-generic N/A
linux-firmware 1.169.3
RfKill:
0: hci0: Bluetooth
Soft blocked: no
Hard blocked: no
SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 05/19/2017
dmi.bios.vendor: Phoenix Technologies LTD
dmi.bios.version: 6.00
dmi.board.name: 440BX Desktop Reference Platform
dmi.board.vendor: Intel Corporation
dmi.board.version: None
dmi.chassis.asset.tag: No Asset Tag
dmi.chassis.type: 1
dmi.chassis.vendor: No Enclosure
dmi.chassis.version: N/A
dmi.modalias: dmi:bvnPhoenixTechnologiesLTD:bvr6.00:bd05/19/2017:svnVMware,Inc.:pnVMwareVirtualPlatform:pvrNone:rvnIntelCorporation:rn440BXDesktopReferencePlatform:rvrNone:cvnNoEnclosure:ct1:cvrN/A:
dmi.product.name: VMware Virtual Platform
dmi.product.version: None
dmi.sys.vendor: VMware, Inc. |
On my artful system running 4.13.0-36-generic I noticed that there are dangling symlinks for "raw_data", "raw_sha1" and "raw_abi" files in the sysfs path containing loaded apparmor profiles.
Sample of profiles that had dangling symlinks:
/sys/kernel/security/apparmor/policy/profiles/snap.core.hook.configure.35/raw_data
/sys/kernel/security/apparmor/policy/profiles/snap.core.hook.configure.35/raw_abi
/sys/kernel/security/apparmor/policy/profiles/snap.core.hook.configure.35/raw_sha1
The following command can be used to find such files:
find /sys/kernel/security/apparmor/policy/profiles -type l -exec sh -c "file -b {} | grep -q ^broken" \; -print
It seems that neither xenial (4.4 kernel) nor bionic (4.15 kernel) is affected though I didn't perform an extensive investigation.
EDIT: This is inaccurate, bionic is affected as well. See below.
I'm reporting this because according to the apparmor developer it seems "racy" and should not happen.
<jjohansen> zyga-ubuntu: no, there shouldn't be a way to remove profiles wrong, there is the potential for a race of sorts because the symlink doesn't have the same hard reference, but that isn't something you should be seeing
<jjohansen> zyga-ubuntu: the raw_data file should not be going away as long as that profile directory exists
It is likely that this problem occurs when snapd generates profiles for refreshed snaps or removes profiles for removed snaps but I was not able to determine that yet.
I updated my bionic system and noticed a non-snap-related dangling symlink when the libreoffice package was updated:
/sys/kernel/security/apparmor/policy/profiles/libreoffice-senddoc.17/raw_data
|
|
2018-03-13 18:45:54 |
Joseph Salisbury |
tags |
amd64 apport-bug artful |
amd64 apport-bug artful kernel-da-key |
|
2018-03-13 18:46:02 |
Joseph Salisbury |
linux (Ubuntu): importance |
Undecided |
Medium |
|
2018-03-13 18:46:09 |
Joseph Salisbury |
nominated for series |
|
Ubuntu Bionic |
|
2018-03-13 18:46:09 |
Joseph Salisbury |
bug task added |
|
linux (Ubuntu Bionic) |
|
2018-03-13 18:46:09 |
Joseph Salisbury |
nominated for series |
|
Ubuntu Artful |
|
2018-03-13 18:46:09 |
Joseph Salisbury |
bug task added |
|
linux (Ubuntu Artful) |
|
2018-03-13 18:46:15 |
Joseph Salisbury |
linux (Ubuntu Artful): status |
New |
Confirmed |
|
2018-03-13 18:46:17 |
Joseph Salisbury |
linux (Ubuntu Artful): importance |
Undecided |
Medium |
|
2018-03-13 18:58:08 |
Zygmunt Krynicki |
description |
On my artful system running 4.13.0-36-generic I noticed that there are dangling symlinks for "raw_data", "raw_sha1" and "raw_abi" files in the sysfs path containing loaded apparmor profiles.
Sample of profiles that had dangling symlinks:
/sys/kernel/security/apparmor/policy/profiles/snap.core.hook.configure.35/raw_data
/sys/kernel/security/apparmor/policy/profiles/snap.core.hook.configure.35/raw_abi
/sys/kernel/security/apparmor/policy/profiles/snap.core.hook.configure.35/raw_sha1
The following command can be used to find such files:
find /sys/kernel/security/apparmor/policy/profiles -type l -exec sh -c "file -b {} | grep -q ^broken" \; -print
It seems that neither xenial (4.4 kernel) nor bionic (4.15 kernel) is affected though I didn't perform an extensive investigation.
EDIT: This is inaccurate, bionic is affected as well. See below.
I'm reporting this because according to the apparmor developer it seems "racy" and should not happen.
<jjohansen> zyga-ubuntu: no, there shouldn't be a way to remove profiles wrong, there is the potential for a race of sorts because the symlink doesn't have the same hard reference, but that isn't something you should be seeing
<jjohansen> zyga-ubuntu: the raw_data file should not be going away as long as that profile directory exists
It is likely that this problem occurs when snapd generates profiles for refreshed snaps or removes profiles for removed snaps but I was not able to determine that yet.
I updated my bionic system and noticed a non-snap-related dangling symlink when the libreoffice package was updated:
/sys/kernel/security/apparmor/policy/profiles/libreoffice-senddoc.17/raw_data
|
On my artful system running 4.13.0-36-generic I noticed that there are dangling symlinks for "raw_data", "raw_sha1" and "raw_abi" files in the sysfs path containing loaded apparmor profiles.
Sample of profiles that had dangling symlinks:
/sys/kernel/security/apparmor/policy/profiles/snap.core.hook.configure.35/raw_data
/sys/kernel/security/apparmor/policy/profiles/snap.core.hook.configure.35/raw_abi
/sys/kernel/security/apparmor/policy/profiles/snap.core.hook.configure.35/raw_sha1
The following command can be used to find such files:
find /sys/kernel/security/apparmor/policy/profiles -type l -exec sh -c "file -b {} | grep -q ^broken" \; -print
The issue was observed on xenial (4.4 kernel), artful (4.13) and bionic (4.15).
I'm reporting this because according to the apparmor developer it seems "racy" and should not happen.
<jjohansen> zyga-ubuntu: no, there shouldn't be a way to remove profiles wrong, there is the potential for a race of sorts because the symlink doesn't have the same hard reference, but that isn't something you should be seeing
<jjohansen> zyga-ubuntu: the raw_data file should not be going away as long as that profile directory exists
It is likely that this problem occurs when snapd generates profiles for refreshed snaps or removes profiles for removed snaps but I was not able to determine that yet.
I updated my bionic system and noticed a non-snap-related dangling symlink when the libreoffice package was updated:
/sys/kernel/security/apparmor/policy/profiles/libreoffice-senddoc.17/raw_data
|
|
2018-04-13 19:05:12 |
Thadeu Lima de Souza Cascardo |
linux (Ubuntu Bionic): status |
Confirmed |
Fix Committed |
|
2018-04-23 23:51:27 |
Launchpad Janitor |
linux (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
2018-04-23 23:51:27 |
Launchpad Janitor |
cve linked |
|
2017-5715 |
|
2018-04-23 23:51:27 |
Launchpad Janitor |
cve linked |
|
2017-5753 |
|
2018-04-23 23:51:27 |
Launchpad Janitor |
cve linked |
|
2017-5754 |
|
2018-07-24 09:34:22 |
Andy Whitcroft |
linux (Ubuntu Artful): status |
Confirmed |
Won't Fix |
|