[apparmor] getattr handled incorrectly in 2.6.35-6.7

Bug #599450 reported by Marc Deslauriers on 2010-06-28
This bug affects 19 people
Affects: linux (Ubuntu)
Importance: High
Assigned to: John Johansen

Affects: Maverick
Importance: High
Assigned to: John Johansen

Bug Description

Maverick kernel 2.6.35-6.7 incorrectly handles getattr. Kernel 2.6.35-5.6 worked fine.

Here are some example logs:

Jun 28 09:22:35 mdlinux kernel: [ 40.273454] type=1400 audit(1277731355.186:28): operation="getattr" pid=2210 parent=2209 profile="/usr/sbin/cupsd" name="/lib/" pid=2210 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 28 09:22:35 mdlinux kernel: [ 40.273476] type=1400 audit(1277731355.186:29): operation="getattr" pid=2210 parent=2209 profile="/usr/sbin/cupsd" name="/usr/lib/" pid=2210 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 28 09:22:42 mdlinux kernel: [ 40.798130] type=1400 audit(1277731362.002:30): operation="getattr" pid=2210 parent=2209 profile="/usr/sbin/cupsd" name="/usr/Brother/Printer/hl4040cdn/cupswrapper/brlpdwrapper_hl4040cdn" pid=2210 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 28 09:22:42 mdlinux kernel: [ 40.825958] type=1400 audit(1277731362.032:31): operation="getattr" pid=2210 parent=2209 profile="/usr/sbin/cupsd" name="/usr/Brother/Printer/hl4040cdn/cupswrapper/brlpdwrapper_hl4040cdn" pid=2210 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 28 10:22:10 mdlinux kernel: [ 42.642866] type=1400 audit(1277734930.559:28): operation="getattr" pid=2159 parent=2157 profile="/usr/sbin/cupsd" name="/lib/" pid=2159 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 28 10:22:10 mdlinux kernel: [ 42.642889] type=1400 audit(1277734930.559:29): operation="getattr" pid=2159 parent=2157 profile="/usr/sbin/cupsd" name="/usr/lib/" pid=2159 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 28 10:22:11 mdlinux kernel: [ 43.359155] type=1400 audit(1277734931.269:30): operation="getattr" pid=2159 parent=2157 profile="/usr/sbin/cupsd" name="/usr/Brother/Printer/hl4040cdn/cupswrapper/brlpdwrapper_hl4040cdn" pid=2159 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 28 10:22:11 mdlinux kernel: [ 43.359841] type=1400 audit(1277734931.269:31): operation="getattr" pid=2159 parent=2157 profile="/usr/sbin/cupsd" name="/usr/Brother/Printer/hl4040cdn/cupswrapper/brlpdwrapper_hl4040cdn" pid=2159 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 28 10:25:55 mdlinux kernel: [ 36.520703] type=1400 audit(1277735155.443:28): operation="getattr" pid=2102 parent=2101 profile="/usr/sbin/cupsd" name="/lib/" pid=2102 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 28 10:25:55 mdlinux kernel: [ 36.520728] type=1400 audit(1277735155.443:29): operation="getattr" pid=2102 parent=2101 profile="/usr/sbin/cupsd" name="/usr/lib/" pid=2102 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 28 10:25:56 mdlinux kernel: [ 37.337014] type=1400 audit(1277735156.253:30): operation="getattr" pid=2102 parent=2101 profile="/usr/sbin/cupsd" name="/usr/Brother/Printer/hl4040cdn/cupswrapper/brlpdwrapper_hl4040cdn" pid=2102 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 28 10:25:56 mdlinux kernel: [ 37.337714] type=1400 audit(1277735156.253:31): operation="getattr" pid=2102 parent=2101 profile="/usr/sbin/cupsd" name="/usr/Brother/Printer/hl4040cdn/cupswrapper/brlpdwrapper_hl4040cdn" pid=2102 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Changed in linux (Ubuntu):
assignee: nobody → John Johansen (jjohansen)
importance: Undecided → High
tags: added: iso-testing

Martin Pitt (pitti) wrote :

This breaks cups, MySQL and presumably other software. I added it to the release notes for alpha-2, but this should be fixed by alpha-3. Thanks!

Changed in linux (Ubuntu Maverick):
milestone: none → maverick-alpha-3
tags: added: regression-potential

Chris Cheney (ccheney) wrote :

This also breaks starting instances on UEC.

Christopher (soft-kristal) wrote :

Could this also affect gscan2pdf? Files are saving as the current date, rather than the one typed when saving a file. If I'm not mistaken, this bug happened around the same time as evince wouldn't open certain folders and sub-folders.

papukaija (papukaija) on 2010-07-04
tags: added: maverick

Serge Hallyn (serge-hallyn) wrote :

As a workaround to use libvirt in the meantime, you can disable the
libvirt profile temporarily by doing:

 cd /etc/apparmor.d/disable
 ln -s /etc/apparmor.d/usr.sbin.libvirtd

and rebooting to reload the profile. Please do this only until the
kernel is fixed.

Christopher (soft-kristal) wrote :

Today's Evince update has solved the saving to certain folders problem. I also noticed that after the update there were duplicate bookmarks, some appearing as normal folders and the others grayish. I removed the latter and the others are working well now with Evince.

Thierry Carrez (ttx) wrote :

Looks like this is breaking dhcp3 too, see bug 604845

Jasper Frumau (jfrumau) wrote :

I think this bug affects MySQL as well:

$ cat /var/log/syslog | grep mysql
Jul 20 01:54:08 ubuntu kernel: [ 6086.630194] type=1400 audit(1279616048.377:20): operation="profile_replace" pid=2610 name="/usr/sbin/mysqld" pid=2610 comm="apparmor_parser"
Jul 20 01:54:08 ubuntu init: mysql post-start process (2615) terminated with status 2
Jul 20 01:54:08 ubuntu kernel: [ 6086.923361] type=1400 audit(1279616048.665:21): operation="getattr" pid=2614 parent=1 profile="/usr/sbin/mysqld" name="/usr/" pid=2614 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 20 01:54:08 ubuntu kernel: [ 6086.923386] type=1400 audit(1279616048.665:22): operation="getattr" pid=2614 parent=1 profile="/usr/sbin/mysqld" name="/var/" pid=2614 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I run Maverick Meerkat:
jasper@ubuntu:/etc$ cat lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=10.10
DISTRIB_CODENAME=maverick
DISTRIB_DESCRIPTION="Ubuntu maverick (development branch)"

And MySQL will not startup on reboot anymore.
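
Added example, not part of the original report: a small triage script for the denial signature shown in the bug description and in the MySQL comment above (operation="getattr" with denied_mask="r"), grouping the affected paths by confined profile. The function names are illustrative; the sample lines are copied from this report.

```python
import re
from collections import defaultdict

# Log lines copied from this report: cupsd and mysqld denials, plus two
# lines that are not denials (profile_replace, init) and must be skipped.
SAMPLE = """\
Jun 28 09:22:35 mdlinux kernel: [ 40.273454] type=1400 audit(1277731355.186:28): operation="getattr" pid=2210 parent=2209 profile="/usr/sbin/cupsd" name="/lib/" pid=2210 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 28 09:22:42 mdlinux kernel: [ 40.798130] type=1400 audit(1277731362.002:30): operation="getattr" pid=2210 parent=2209 profile="/usr/sbin/cupsd" name="/usr/Brother/Printer/hl4040cdn/cupswrapper/brlpdwrapper_hl4040cdn" pid=2210 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 28 09:22:42 mdlinux kernel: [ 40.825958] type=1400 audit(1277731362.032:31): operation="getattr" pid=2210 parent=2209 profile="/usr/sbin/cupsd" name="/usr/Brother/Printer/hl4040cdn/cupswrapper/brlpdwrapper_hl4040cdn" pid=2210 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 20 01:54:08 ubuntu kernel: [ 6086.630194] type=1400 audit(1279616048.377:20): operation="profile_replace" pid=2610 name="/usr/sbin/mysqld" pid=2610 comm="apparmor_parser"
Jul 20 01:54:08 ubuntu init: mysql post-start process (2615) terminated with status 2
Jul 20 01:54:08 ubuntu kernel: [ 6086.923361] type=1400 audit(1279616048.665:21): operation="getattr" pid=2614 parent=1 profile="/usr/sbin/mysqld" name="/usr/" pid=2614 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 20 01:54:08 ubuntu kernel: [ 6086.923386] type=1400 audit(1279616048.665:22): operation="getattr" pid=2614 parent=1 profile="/usr/sbin/mysqld" name="/var/" pid=2614 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')      # key="value" or key=value
AUDIT_ID = re.compile(r'audit\((\d+\.\d+):(\d+)\)')   # audit(epoch:serial)

def parse_event(line):
    """Return the fields of a type=1400 (AppArmor) audit line, or None."""
    fields = {key: quoted if quoted else bare
              for key, quoted, bare in FIELD.findall(line)}
    stamp = AUDIT_ID.search(line)
    if fields.get("type") != "1400" or stamp is None:
        return None
    fields["epoch"] = float(stamp.group(1))
    fields["serial"] = int(stamp.group(2))
    return fields

def getattr_denials(text):
    """Map profile -> sorted paths where a getattr needing 'r' was denied."""
    hits = defaultdict(set)
    for line in text.splitlines():
        ev = parse_event(line)
        if ev and ev.get("operation") == "getattr" \
                and "r" in ev.get("denied_mask", ""):
            hits[ev["profile"]].add(ev["name"])   # set collapses repeats
    return {profile: sorted(paths) for profile, paths in hits.items()}

if __name__ == "__main__":
    for profile, paths in getattr_denials(SAMPLE).items():
        print(profile)
        for path in paths:
            print("    " + path)
```
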

John Johansen (jjohansen) wrote :

I have placed test kernels with the fix at

kernel.ubuntu.com/~jj/linux-image-2.6.35-12-generic_2.6.35-12.17_i386.deb
kernel.ubuntu.com/~jj/linux-image-2.6.35-12-generic_2.6.35-12.17~jj_amd64.deb

Changed in linux (Ubuntu Maverick):
status: New → Fix Committed

Chad Waters (chad) wrote :

I'm still experiencing the libvirt issue with
linux-image-2.6.35-12-server_2.6.35-12.17_amd64.deb

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/engine.py", line 814, in run_domain
    vm.startup()
  File "/usr/share/virt-manager/virtManager/domain.py", line 1286, in startup
    self._backend.create()
  File "/usr/lib/python2.6/dist-packages/libvirt.py", line 333, in create
    if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirtError: internal error Process exited while reading console log output: libvir: Security Labeling error : internal error error calling aa_change_profile()

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.35-13.18

---------------
linux (2.6.35-13.18) maverick; urgency=low

  [ Andy Whitcroft ]

  * SAUCE: (no-up) Modularize vesafb -- fix initialisation
  * SAUCE: add tracing for user initiated readahead requests
  * SAUCE: vt -- maintain bootloader screen mode and content until vt
    switch
  * SAUCE: vt -- allow grub to request automatic vt_handoff
  * SAUCE: fbcon -- fix race between open and removal of framebuffers
  * SAUCE: drm -- stop early access to drm devices

  [ Bryan Wu ]

  * CONFIG: compile in OTG driver and Transceiver driver
    - LP: #566645
  * remove OTG modules from modules list file

  [ John Johansen ]

  * SAUCE: AppArmor: -- sync to AppArmor mainline 2010-07-27
    - LP: #581525, #599450
  * SAUCE: AppArmor: -- sync to AppArmor mainline 2010-07-29
  * SAUCE: AppArmor 2.4 compatibility patch
  * SAUCE: AppArmor: Allow dfa backward compatibility with broken userspace
  * SAUCE: fix pv-ops for legacy Xen
  * SAUCE: blkfront: default to sd devices
  * [Config] Build in drivers required for Xen pv-ops

  [ Leann Ogasawara ]

  * Revert "[Upstream] i915: Use the correct mask to detect i830 aperture
    size."

  [ Lee Jones ]

  * SAUCE: ARM: OMAP: Add macros for comparing silicon revision
    - LP: #608095
  * SAUCE: OMAP: DSS2: check for both cpu type and revision, rather than
    just revision
    - LP: #608095
  * SAUCE: OMAP: DSS2: enable hsclk in dsi_pll_init for OMAP36XX
    - LP: #608095
  * SAUCE: ARM: OMAP: Beagle: support twl gpio differences on xM
    - LP: #608095

  [ Upstream Kernel Changes ]

  * agp/intel: Use the correct mask to detect i830 aperture size.
    - LP: #597075
 -- Leann Ogasawara <email address hidden> Fri, 30 Jul 2010 15:46:59 -0700

Changed in linux (Ubuntu Maverick):
status: Fix Committed → Fix Released

igi (igor-cali) wrote :

Cups is still not working in Maverick Beta

Marc Deslauriers (mdeslaur) wrote :

@igi: please open a new bug for your issue
