[regression] NoNewPrivileges incompatible with Apparmor

Bug #1844186 reported by Simon Déziel on 2019-09-16
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Undecided
Unassigned
Xenial
Undecided
Unassigned
Bionic
Undecided
Unassigned
Disco
Undecided
Unassigned
Eoan
Undecided
Unassigned

Bug Description

Description:

Host: Bionic 64 bit with GA kernel (4.15)
Container: Bionic 64 bit

The container runs a binary (/usr/sbin/nsd) locked by an Apparmor profile. The systemd service is configured with NoNewPrivileges=yes.

  # systemctl show nsd | grep ^NoNew
  NoNewPrivileges=yes

This setup worked fine with 4.15.0-58-generic and before but stopped working with the 4.15.0-60-generic update. When running the bogus kernel, starting the nsd service fails and the following is logged in the host's dmesg:

audit: type=1400 audit(1568387834.381:73): apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="lxd-ns0_</var/snap/lxd/common/lxd>" name="/usr/sbin/nsd" pid=8568 comm="(nsd)" requested_mask="x" denied_mask="x" fsuid=1065536 ouid=1065536 target="lxd-ns0_</var/snap/lxd/common/lxd>//&:lxd-ns0_<var-snap-lxd-common-lxd>:/usr/sbin/nsd"
audit: type=1400 audit(1568387834.381:74): apparmor="DENIED" operation="exec" info="no new privs" error=-1 namespace="root//lxd-ns0_<var-snap-lxd-common-lxd>" profile="unconfined" name="/usr/sbin/nsd" pid=8568 comm="(nsd)" requested_mask="x" denied_mask="x" fsuid=1065536 ouid=1065536 target="/usr/sbin/nsd"

Disabling the Apparmor profile OR setting NoNewPrivileges=no in the container makes it work again.

I check with a couple of kernels:

4.15.0-52-generic works
4.15.0-58-generic works
4.15.0-60-generic is broken

The 5.0 HWE kernel has always been broken it seems:

5.0.0-15-generic is broken
5.0.0-17-generic is broken
5.0.0-20-generic is broken
5.0.0-23-generic is broken
5.0.0-25-generic is broken
5.0.0-27-generic is broken

I have another similar setup but using Xenial host/container and it broke in a similar fashion where 4.4.0-159-generic works but 4.4.0-161-generic is broken.

Additional information:

# lsb_release -rd
Description: Ubuntu 18.04.3 LTS
Release: 18.04

# apt-cache policy nsd
nsd:
  Installed: 4.1.26-1ubuntu0.18.04.1~ppa2
  Candidate: 4.1.26-1ubuntu0.18.04.1~ppa2
  Version table:
 *** 4.1.26-1ubuntu0.18.04.1~ppa2 500
        500 http://ppa.launchpad.net/sdeziel.info/infra/ubuntu bionic/main amd64 Packages
        100 /var/lib/dpkg/status
     4.1.17-1build1 500
        500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages

nsd comes from a custom backport this should be irrelevant.
nsd's custom Apparmor profile: https://paste.ubuntu.com/p/BB3ZYzH8WQ/

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: linux-image-4.15.0-60-generic 4.15.0-60.67
ProcVersionSignature: Ubuntu 5.0.0-27.28~18.04.1-generic 5.0.21
Uname: Linux 5.0.0-27-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
AlsaDevices:
 total 0
 crw-rw---- 1 root audio 116, 1 Sep 16 18:02 seq
 crw-rw---- 1 root audio 116, 33 Sep 16 18:02 timer
AplayDevices: Error: [Errno 2] No such file or directory: 'aplay': 'aplay'
ApportVersion: 2.20.9-0ubuntu7.7
Architecture: amd64
ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord': 'arecord'
AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
CRDA: Error: command ['iw', 'reg', 'get'] failed with exit code 1: nl80211 not found.
Date: Mon Sep 16 18:14:02 2019
InstallationDate: Installed on 2019-08-22 (24 days ago)
InstallationMedia: Ubuntu-Server 18.04.3 LTS "Bionic Beaver" - Release amd64 (20190805)
IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig': 'iwconfig'
MachineType: Dell Inc. Inspiron 530s
PciMultimedia:

ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
 TERM=xterm-256color
 PATH=(custom, no user)
ProcFB: 0 inteldrmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.0.0-27-generic root=UUID=7c11931f-ee1e-4d07-bc03-d167b9c39ef0 ro apt-setup/restricted=false apt-setup/multiverse=false kaslr nmi_watchdog=0 nr_cpus=2 pti=on vsyscall=none
RelatedPackageVersions:
 linux-restricted-modules-5.0.0-27-generic N/A
 linux-backports-modules-5.0.0-27-generic N/A
 linux-firmware 1.173.9
RfKill: Error: [Errno 2] No such file or directory: 'rfkill': 'rfkill'
SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 02/24/2009
dmi.bios.vendor: Dell Inc.
dmi.bios.version: 1.0.18
dmi.board.name: 0RY007
dmi.board.vendor: Dell Inc.
dmi.chassis.type: 3
dmi.chassis.vendor: Dell Inc.
dmi.chassis.version: OEM
dmi.modalias: dmi:bvnDellInc.:bvr1.0.18:bd02/24/2009:svnDellInc.:pnInspiron530s:pvr:rvnDellInc.:rn0RY007:rvr:cvnDellInc.:ct3:cvrOEM:
dmi.product.name: Inspiron 530s
dmi.sys.vendor: Dell Inc.

Simon Déziel (sdeziel) wrote :
summary: - [regression] NoNewPrivileges breaks Apparmor
+ [regression] NoNewPrivileges incompatible with Apparmor

This change was made by a bot.

Changed in linux (Ubuntu):
status: New → Confirmed
Simon Déziel (sdeziel) on 2019-09-16
description: updated
Simon Déziel (sdeziel) on 2019-09-16
description: updated

Apparently this seems to be introduced by bug 1839037,
which is related to nnp and the only mention to it in
the changelog of linux 4.15.0-60.67 [1] if read right.

[1] https://launchpad.net/ubuntu/+source/linux/4.15.0-60.67

Simon Déziel (sdeziel) wrote :

Yes, that's also what I suspected. I haven't been able to catch John Johansen on IRC to discuss with him about it.

John Johansen (jjohansen) wrote :

The LSMs respecting the nnp flag was actually mandated by Linus. So yes it breaks apparmor.

Kernel 3.5: Tasks that have nnp block apparmor policy transitions except for unconfined, as transitions in that case always result in reduced permissions.

Kernel 4.13: Loosened these restrictions around stacking. That is a transition adding a new element to a stack was allowed as that is guarenteed to always reduce permissions. Ubuntu had this in Xenial (4.4) kernels.

Kernel 4.17: AppArmor began tracking under what label nnp was set and using that for profile transition tests. This improved the 4.13 stacking test making containers capable of transitioning policy in the container as long as the host policy wasn't transitioned.

To do more apparmor has to be able to override nnp. Selinux has managed to add an nnp override permission and get it upstream, we are looking to do the same with apparmor but I have no time line as to when it will land.

John Johansen (jjohansen) wrote :

I should add that bug 1839037 is a bug in the subset test introduced in kernel 4.13 (and earlier Ubuntu 4.4 Xenial kernels). Some subsets will properly transition some won't it all depends on what is in the stack being transitioned. The patch fixes it so the all transitions combinations pass correctly. The patch actual allows more transitions under nnp than when it is not applied. The bug does not exist in the 4.17 or later kernel version.

The 5.0 HWE kernel never had the bug addressed in bug 1839037, and did not receive the patch.

The DENY messages above indicate that this is a case of a cross policy namespace check, I am investigating if cross namespace checks are broken.

John Johansen (jjohansen) wrote :

In the above regression we have

lxd-ns0_</var/snap/lxd/common/lxd>//&:root//lxd-ns0_<var-snap-lxd-common-lxd>://unconfined

transitioning to

lxd-ns0_</var/snap/lxd/common/lxd>//&:lxd-ns0_<var-snap-lxd-common-lxd>:/usr/sbin/nsd//&:root//lxd-ns0_<var-snap-lxd-common-lxd>:///usr/sbin/nsd

this is not a strict subset of profiles, however the unconfined exception needs to be taken into account when nnp is set.

There is a bug in the subset test, so that the unconfined exception is not being handled correctly. This affects all kernels, though to different degrees.

kernels before the patch for bug 1839037 have this bug, but because of where the unconfined exception is tested (at the profile transition) it happens to work in this case. Other cases can be contrived where the transition will fail.

Reverting the patch in bug 1839037 will fix the regression for this particular case.

John Johansen (jjohansen) wrote :

I am testing a fix for this that won't require reverting the patch. I will put up a test kernel if it passes.

Simon Déziel (sdeziel) wrote :

Thanks for working on this. I'll be happy to test whatever you come up with on Xenial/Bionic (4.4, 4.15 and 5.0 kernels) machines.

John Johansen (jjohansen) wrote :

There are some test kernels at
https://people.canonical.com/~jj/lp1844186/

Simon Déziel (sdeziel) wrote :

Tests results on Bionic:

Bionic/4.15:

$ uname -a
Linux c2d.mgmt.sdeziel.info 4.15.0-64-generic #73+lp1844186 SMP Thu Sep 26 15:17:27 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

*result*: works!

Bionic/5.0:

$ uname -a
Linux c2d.mgmt.sdeziel.info 5.0.0-8-generic #9+lp1844186 SMP Thu Sep 26 15:03:30 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

*result*: doesn't work/couldn't test properly. That kernel doesn't let me load an Apparmor policy in the container:

root@ns0:~# aa-status
apparmor module is loaded.
You do not have enough privilege to read the profile set.

Maybe it's just too old or the kernel isn't compatible with the Apparmor version from Bionic? The binary/service starts fine with NoNewPrivileges=yes but there is no Apparmor policy loaded in the container, only in the host.

Simon Déziel (sdeziel) wrote :

Tests results on Xenial:

Xenial/4.4:

# uname -a | sed 's/lxd01\.[^ ]\+/lxd01/'
Linux lxd01 4.4.0-164-generic #192+lp1844186 SMP Thu Sep 26 15:17:42 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

*result*: works

Xenial/4.15:

# uname -a | sed 's/lxd01\.[^ ]\+/lxd01/'
Linux lxd01 4.15.0-64-generic #73+lp1844186 SMP Thu Sep 26 15:17:27 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

*result*: works

John Johansen (jjohansen) wrote :

okay, thanks for testing. I'll submit the patch for 4.4 and 4.15 kernels and look into why the 5.0 kernel is blocking policy loads

Simon Déziel (sdeziel) wrote :

I was surprised to get such an old 5.0 (5.0.0-8 was released in Mar 2019) kernel while all the others were very current. I'm sure you have you reasons but I'd want to be sure it was not a simple mistake :)

John Johansen (jjohansen) wrote :

ha, its by mistake. I fetched the new kernel but missed doing the rebase. I'll get a new 5.0 up asap

John Johansen (jjohansen) wrote :

updated to the 5.0.0-29 kernel

Simon Déziel (sdeziel) wrote :

Bionic/5.0:

$ uname -a
Linux c2d.mgmt.sdeziel.info 5.0.0-29-generic #31+lp1844186 SMP Sat Sep 28 18:11:18 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

*result*: doesn't work

Same behavior as with the official/unpatched 5.0.0-29 (and 5.0.0-30) kernel, either NNP or Apparmor needs to be disabled otherwise:

audit: type=1400 audit(1569799739.869:70): apparmor="DENIED" operation="exec" info="no new privs" error=-1 namespace="root//lxd-ns0_<var-snap-lxd-common-lxd>" profile="unconfined" name="/usr/sbin/nsd" pid=2754 comm="(nsd)" requested_mask="x" denied_mask="x" fsuid=1065536 ouid=1065536 target="/usr/sbin/nsd"

Simon Déziel (sdeziel) wrote :

I found your 5.0.0-29 *v2* kernel and gave it a try and I'm happy to report that you've fixed the problem!

Bionic/5.0 v2:

$ uname -a
Linux c2d.mgmt.sdeziel.info 5.0.0-29-generic #31+v2lp1844186 SMP Wed Oct 2 18:47:25 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

*result*: works

John Johansen (jjohansen) wrote :

sorry it appears I added the comments about the v2 patch to the wrong bug

thanks for testing. I will get the request sent out to the kt.

Changed in linux (Ubuntu Disco):
status: New → Confirmed
Changed in linux (Ubuntu Bionic):
status: New → Confirmed
Changed in linux (Ubuntu Xenial):
status: New → Confirmed
Changed in linux (Ubuntu Disco):
status: Confirmed → Fix Committed
Changed in linux (Ubuntu Eoan):
status: Confirmed → Fix Committed

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-disco' to 'verification-done-disco'. If the problem still exists, change the tag 'verification-needed-disco' to 'verification-failed-disco'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-disco
Simon Déziel (sdeziel) wrote :

I pulled the various .deb packages from https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/ppa/+build/17945283 and installed them on my Bionic host.

$ uname -a
Linux c2d.mgmt.sdeziel.info 5.0.0-33-generic #35-Ubuntu SMP Tue Oct 22 01:48:40 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

With that kernel it works so marking as verified for Disco.

tags: added: verification-done-disco
removed: verification-needed-disco

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-eoan' to 'verification-done-eoan'. If the problem still exists, change the tag 'verification-needed-eoan' to 'verification-failed-eoan'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-eoan
Simon Déziel (sdeziel) wrote :

I pulled the various .deb packages from https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/ppa/+build/17953251/+files/ and installed them on my Bionic host.

$ uname -a
Linux c2d.mgmt.sdeziel.info 5.3.0-20-generic #21-Ubuntu SMP Wed Oct 23 16:20:37 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

With that kernel it works so marking as verified for Eoan.

tags: added: verification-done-eoan
removed: verification-needed-eoan
Simon Déziel (sdeziel) wrote :

@jjohansen, I see that you've included the fix in most of the kernels currently in -proposed, thanks for that! Although, I'm not seeing those for 4.4 and 4.15 and I'd like to make sure they don't fall through the cracks ;)

All autopkgtests for the newly accepted linux-gcp-5.3 (5.3.0-1008.9~18.04.1) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

linux-gcp-5.3/unknown (amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#linux-gcp-5.3

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Launchpad Janitor (janitor) wrote :
Download full text (53.1 KiB)

This bug was fixed in the package linux - 5.3.0-22.24

---------------
linux (5.3.0-22.24) eoan; urgency=medium

  * [REGRESSION] md/raid0: cannot assemble multi-zone RAID0 with default_layout
    setting (LP: #1849682)
    - Revert "md/raid0: avoid RAID0 data corruption due to layout confusion."

  * refcount underflow and type confusion in shiftfs (LP: #1850867) // CVE-2019-15793
    - SAUCE: shiftfs: Correct id translation for lower fs operations
    - SAUCE: shiftfs: prevent type confusion
    - SAUCE: shiftfs: Fix refcount underflow in btrfs ioctl handling

  * CVE-2018-12207
    - kvm: x86, powerpc: do not allow clearing largepages debugfs entry
    - SAUCE: KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging is
      active
    - SAUCE: x86: Add ITLB_MULTIHIT bug infrastructure
    - SAUCE: kvm: mmu: ITLB_MULTIHIT mitigation
    - SAUCE: kvm: Add helper function for creating VM worker threads
    - SAUCE: kvm: x86: mmu: Recovery of shattered NX large pages
    - SAUCE: cpu/speculation: Uninline and export CPU mitigations helpers
    - SAUCE: kvm: x86: mmu: Apply global mitigations knob to ITLB_MULTIHIT

  * CVE-2019-11135
    - x86/msr: Add the IA32_TSX_CTRL MSR
    - x86/cpu: Add a helper function x86_read_arch_cap_msr()
    - x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default
    - x86/speculation/taa: Add mitigation for TSX Async Abort
    - x86/speculation/taa: Add sysfs reporting for TSX Async Abort
    - kvm/x86: Export MDS_NO=0 to guests when TSX is enabled
    - x86/tsx: Add "auto" option to the tsx= cmdline parameter
    - x86/speculation/taa: Add documentation for TSX Async Abort
    - x86/tsx: Add config options to set tsx=on|off|auto
    - [Config] Disable TSX by default when possible

  * CVE-2019-0154
    - SAUCE: drm/i915: Lower RM timeout to avoid DSI hard hangs
    - SAUCE: drm/i915/gen8+: Add RC6 CTX corruption WA

  * CVE-2019-0155
    - SAUCE: drm/i915: Rename gen7 cmdparser tables
    - SAUCE: drm/i915: Disable Secure Batches for gen6+
    - SAUCE: drm/i915: Remove Master tables from cmdparser
    - SAUCE: drm/i915: Add support for mandatory cmdparsing
    - SAUCE: drm/i915: Support ro ppgtt mapped cmdparser shadow buffers
    - SAUCE: drm/i915: Allow parsing of unsized batches
    - SAUCE: drm/i915: Add gen9 BCS cmdparsing
    - SAUCE: drm/i915/cmdparser: Use explicit goto for error paths
    - SAUCE: drm/i915/cmdparser: Add support for backward jumps
    - SAUCE: drm/i915/cmdparser: Ignore Length operands during command matching

linux (5.3.0-21.22) eoan; urgency=medium

  * eoan/linux: 5.3.0-21.22 -proposed tracker (LP: #1850486)

  * Fix signing of staging modules in eoan (LP: #1850234)
    - [Packaging] Leave unsigned modules unsigned after adding .gnu_debuglink

linux (5.3.0-20.21) eoan; urgency=medium

  * eoan/linux: 5.3.0-20.21 -proposed tracker (LP: #1849064)

  * eoan: alsa/sof: Enable SOF_HDA link and codec (LP: #1848490)
    - [Config] Enable SOF_HDA link and codec

  * Eoan update: 5.3.7 upstream stable release (LP: #1848750)
    - panic: ensure preemption is disabled during panic()
    - [Config] updateconfigs for USB_RIO500
    - USB: rio500: Remove Rio 500 kernel driver
   ...

Changed in linux (Ubuntu Eoan):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :
Download full text (38.6 KiB)

This bug was fixed in the package linux - 5.0.0-35.38

---------------
linux (5.0.0-35.38) disco; urgency=medium

  * [REGRESSION] md/raid0: cannot assemble multi-zone RAID0 with default_layout
    setting (LP: #1849682)
    - SAUCE: Fix revert "md/raid0: avoid RAID0 data corruption due to layout
      confusion."

  * refcount underflow and type confusion in shiftfs (LP: #1850867) // CVE-2019-15793
    - SAUCE: shiftfs: Correct id translation for lower fs operations
    - SAUCE: shiftfs: prevent type confusion
    - SAUCE: shiftfs: Fix refcount underflow in btrfs ioctl handling

  * CVE-2018-12207
    - kvm: Convert kvm_lock to a mutex
    - kvm: x86: Do not release the page inside mmu_set_spte()
    - KVM: x86: make FNAME(fetch) and __direct_map more similar
    - KVM: x86: remove now unneeded hugepage gfn adjustment
    - KVM: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON
    - KVM: x86: add tracepoints around __direct_map and FNAME(fetch)
    - kvm: x86, powerpc: do not allow clearing largepages debugfs entry
    - SAUCE: KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging is
      active
    - SAUCE: x86: Add ITLB_MULTIHIT bug infrastructure
    - SAUCE: kvm: mmu: ITLB_MULTIHIT mitigation
    - SAUCE: kvm: Add helper function for creating VM worker threads
    - SAUCE: kvm: x86: mmu: Recovery of shattered NX large pages
    - SAUCE: cpu/speculation: Uninline and export CPU mitigations helpers
    - SAUCE: kvm: x86: mmu: Apply global mitigations knob to ITLB_MULTIHIT

  * CVE-2019-11135
    - KVM: x86: use Intel speculation bugs and features as derived in generic x86
      code
    - x86/msr: Add the IA32_TSX_CTRL MSR
    - x86/cpu: Add a helper function x86_read_arch_cap_msr()
    - x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default
    - x86/speculation/taa: Add mitigation for TSX Async Abort
    - x86/speculation/taa: Add sysfs reporting for TSX Async Abort
    - kvm/x86: Export MDS_NO=0 to guests when TSX is enabled
    - x86/tsx: Add "auto" option to the tsx= cmdline parameter
    - x86/speculation/taa: Add documentation for TSX Async Abort
    - x86/tsx: Add config options to set tsx=on|off|auto
    - SAUCE: x86/speculation/taa: Call tsx_init()
    - [Config] Disable TSX by default when possible

  * CVE-2019-0154
    - SAUCE: drm/i915: Lower RM timeout to avoid DSI hard hangs
    - SAUCE: drm/i915/gen8+: Add RC6 CTX corruption WA

  * CVE-2019-0155
    - SAUCE: drm/i915: Rename gen7 cmdparser tables
    - SAUCE: drm/i915: Disable Secure Batches for gen6+
    - SAUCE: drm/i915: Remove Master tables from cmdparser
    - SAUCE: drm/i915: Add support for mandatory cmdparsing
    - SAUCE: drm/i915: Support ro ppgtt mapped cmdparser shadow buffers
    - SAUCE: drm/i915: Allow parsing of unsized batches
    - SAUCE: drm/i915: Add gen9 BCS cmdparsing
    - SAUCE: drm/i915/cmdparser: Use explicit goto for error paths
    - SAUCE: drm/i915/cmdparser: Add support for backward jumps
    - SAUCE: drm/i915/cmdparser: Ignore Length operands during command matching

linux (5.0.0-34.36) disco; urgency=medium

  * disco/linux: <version to be filled> -proposed tracker (LP: #1850574)

  * [REGRESSION] md/raid0: cannot as...

Changed in linux (Ubuntu Disco):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers