imx51 AppArmor oops during bootup

Bug #344370 reported by Brad Figg on 2009-03-17
26
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Medium
Brad Figg

Bug Description

The purpose of this bug report is to 1: report the oops (obviously) and 2: to document what we are doing to work around the problem until we can get to the root cause and fix it.

Because of the oops, AppArmor has been disabled for the imx51 configuration.

Brad Figg (brad-figg) wrote :
Changed in linux:
assignee: nobody → brad-figg
status: New → In Progress
Brad Figg (brad-figg) wrote :

AUFS is needed on the imx51. However because of changes made to the VFS layer in fs/namei.c, AUFS will not build without AppArmor.

It is proposed that we either:
   1: Ifdef the AppArmor changes made to fs/namei.c.
   2: We have a copy of fs/namei.c called something like fs/ubuntu_noapparmor_namei.c which doesn't have the AppArmor changes and then have a #ifndef in the Makefile which uses it if we don't want AppArmor.

Amit Kucheria (amitk) wrote :

For option 2., IMO the logic should be reversed (for Karmic atleast).
- namei.c should be w/o apparmor.
- aa-namei.c can be with apparmor patch

The offending commit that changes the VFS API is c9b68678c51d435e824214926d41e1ab5e9f7b99 in Jaunty. This commit shouldn't have unconditionally changed the VFS API.

Amit Kucheria (amitk) on 2009-03-17
Changed in linux (Ubuntu):
importance: Undecided → Medium
milestone: none → ubuntu-9.04-beta
Peter Cordes (peter-cordes) wrote :

When you're cleaning up the #ifs, make sure you test with
all combinations of CONFIG_VSERVER and apparmor. Bug #327337 is that aufs doesn't build when neither of those are included. (the calls don't match the prototypes.)

On Thu, Mar 19, 2009 at 12:49 AM, Peter Cordes <email address hidden> wrote:
> When you're cleaning up the #ifs, make sure you test with
> all combinations of CONFIG_VSERVER and apparmor.  Bug #327337 is that aufs doesn't build when neither of those are included.  (the calls don't match the prototypes.)
>

Unfortunately, Brad, who is working on this bug mentioned that there
are several places where the kernel is tightly coupled to the Apparmor
VFS changes. This will require changes to unionfs, nfs and some other
components. This is due to the way AA changes have been made to the
Ubuntu kernel. The VFS changes to all the filesystems should've been
#ifdef'ed, but aren't.

I'll let him comment on the details.

Brad Figg (brad-figg) wrote :

If we are to take the AUFS code as it is now in the Ubuntu kernel tree and try to get it to compile we would need to ifdef the AppArmor changes that were made to the VFS layer. If those changes are made, AUFS will build for imx51 (AA disabled). However, UnionFS will no longer build for the imx51 or any other flavour that has AA disabled because UnionFS uses the new VFS APIs. Also, ixp4xx will not build because it has NFS configured and NFS is using the new APIs and the ixp4xx has AA disabled.

A potentially better alternative is to get AUFS to build using the new APIs.

Amit Kucheria (amitk) wrote :

On Thu, Mar 19, 2009 at 4:05 PM, Brad Figg <email address hidden> wrote:
> If we are to take the AUFS code as it is now in the Ubuntu kernel tree
> and try to get it to compile we would need to ifdef the AppArmor changes
> that were made to the VFS layer. If those changes are made, AUFS will

It is definitely a lesson learned for KK. We should split out the AA
patch into smaller bits and make sure that the kernel builds just fine
without AA.

Brad Figg (brad-figg) wrote :

Turns out that SECURITYFS was not configured into the kernel and this is what was leading to the oops. A change is being made to the Kconfig for AA so that when AA is configured, SECURITYFS is as well.

Brad Figg (brad-figg) on 2009-03-25
Changed in linux:
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :
Download full text (3.5 KiB)

This bug was fixed in the package linux - 2.6.28-11.38

---------------
linux (2.6.28-11.38) jaunty; urgency=low

  [ Brad Figg ]

  * When AppArmor is configured, securityfs must be as well.
    - LP: #344370
  * ARM: Enable AA with SECURITYFS for imx51
    - LP: #344370

  [ Bryan Wu ]

  * Add 3 missing files to prerm remove file list
    - LP: #345623

  [ Daniel T Chen ]

  * SAUCE: (drop after 2.6.28) Don't trust hw-ptr blindly
    - LP: #330814
  * SAUCE: (drop after 2.6.28) Apply further pcm_lib updates for hw_ptr
    - LP: #330814

  [ Ike Panhc ]

  * Copy header files for various kernel media driver
    - LP: #322732

  [ Tim Gardner ]

  * Revert "Fix the VFP handling on the Feroceon CPU"
    Only applied to mv78xx0 ARM flavour.
  * Enabled drivers/staging/at76_usb
    - LP: #152626

  [ <email address hidden> ]

  * SAUCE: ipw2200: Enable LED by default
    - LP: #21367
  * SAUCE: wistron_btns: support Prestigio Wifi RF kill button over suspend
    - LP: #346586

  [ Upstream Kernel Changes ]

  * Build fix for __early_pfn_to_nid() undefined link error
  * Fix misreporting of #cores as #hyperthreads for Q9550
  * eventfd: remove fput() call from possible IRQ context
  * S390: __div64_31 broken for CONFIG_MARCH_G5
  * ALSA: Fix vunmap and free order in snd_free_sgbuf_pages()
  * ALSA: mixart, fix lock imbalance
  * ALSA: pcm_oss, fix locking typo
  * ALSA: hda - Fix DMA mask for ATI controllers
  * ALSA: hda - Workaround for buggy DMA position on ATI controllers
  * ALSA: opl3sa2 - Fix NULL dereference when suspending snd_opl3sa2
  * nfsd: nfsd should drop CAP_MKNOD for non-root
  * NFSD: provide encode routine for OP_OPENATTR
  * dm ioctl: validate name length when renaming
  * dm io: respect BIO_MAX_PAGES limit
  * dm crypt: fix kcryptd_async_done parameter
  * dm crypt: wait for endio to complete before destruction
  * ata_piix: add workaround for Samsung DB-P70
  * V4L/DVB (10218): cx23885: Fix Oops for mixed install of analog and
    digital only cards
  * thinkpad-acpi: fix module autoloading for older models
  * Add '-fwrapv' to gcc CFLAGS
  * Move cc-option to below arch-specific setup
  * USB: storage: Unusual USB device Prolific 2507 variation added
  * USB: Add Vendor/Product ID for new CDMA U727 to option driver
  * USB: option.c: add ZTE 622 modem device
  * USB: Add device id for Option GTM380 to option driver
  * USB: Option: let cdc-acm handle Sony Ericsson F3507g / Dell 5530
  * USB: Updated unusual-devs entry for USB mass storage on Nokia 6233
  * USB: unusual_devs: Add support for GI 0431 SD-Card interface
  * USB: serial: add FTDI USB/Serial converter devices
  * USB: serial: ftdi: enable UART detection on gnICE JTAG adaptors
    blacklist interface0
  * USB: serial: new cp2101 device id
  * USB: usbtmc: fix stupid bug in open()
  * USB: usbtmc: add protocol 1 support
  * USB: usbfs: keep async URBs until the device file is closed
  * USB: EHCI: expedite unlinks when the root hub is suspended
  * USB: EHCI: Fix isochronous URB leak
  * powerpc: Remove extra semicolon in fsl_soc.c
  * menu: fix embedded menu snafu
  * Linux 2.6.28.9
  * Add '-fwrapv' to gcc CFLAGS
    - LP: #348015
  * Move cc-option to below arch-s...

Read more...

Changed in linux:
status: Fix Committed → Fix Released
tags: added: iso-testing
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Bug attachments