2016-10-12 02:44:05
Tyler Hicks
description
Running tcpdump inside of a LXD container results in tcpdump immediately segfaulting due to an AppArmor denial preventing /usr/sbin/tcpdump from being mapped.
tyhicks@host:~$ lxc exec yakkety bash
root@yakkety:~# tcpdump -i eth0
Segmentation fault
This AppArmor denial can be seen in the logs:
audit: type=1400 audit(1476204029.500:186): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-yakkety_<var-lib-lxd>" profile="/usr/sbin/tcpdump" name="/usr/sbin/tcpdump" pid=16746 comm="tcpdump" requested_mask="m" denied_mask="m" fsuid=296608 ouid=296608
This is caused by the following upstream kernel change:
commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46
Date: Mon Aug 22 16:41:46 2016 -0700
binfmt_elf: switch to new creds when switching to new mm
[Impact]
Running tcpdump inside of a Yakkety LXD container, with a Yakkety host, results in tcpdump immediately segfaulting due to an AppArmor denial preventing /usr/sbin/tcpdump from being mapped.
This change in behavior is caused by the following upstream kernel change:
commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46
Date: Mon Aug 22 16:41:46 2016 -0700
binfmt_elf: switch to new creds when switching to new mm
[Test Case]
tyhicks@host:~$ lxc launch ubuntu-daily:devel yakkety
tyhicks@host:~$ lxc exec yakkety bash
root@yakkety:~# apt-get update && apt-get dist-upgrade -y
...
root@yakkety:~# tcpdump -i eth0
Segmentation fault
The logs will contain the following AppArmor denial:
audit: type=1400 audit(1476204029.500:186): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-yakkety_<var-lib-lxd>" profile="/usr/sbin/tcpdump" name="/usr/sbin/tcpdump" pid=16746 comm="tcpdump" requested_mask="m" denied_mask="m" fsuid=296608 ouid=296608
The bug fix can be verified by tcpdump working as intended (capturing network traffic) with no AppArmor denial for mapping the /usr/sbin/tcpdump file.
[Regression Potential]
* Low. The fix simply adds an additional file permission to the tcpdump AppArmor profile. The only regression potential comes from tcpdump being built in yakkety for the first time. However, a build log comparison shows that there are no compiler flag changes or any other unexpected churn in the build log.
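A way to spot this class of denial in audit logs, as an added example that is not part of the bug report: it flags DENIED file_mmap events in which a confined process was refused mapping its own executable (exactly what the kernel change above exposes for profiles lacking an "m" rule on their binary) and produces the profile rule that grants the missing permission. The sample log lines are constructed here (the first is the denial quoted above), and the rule form assumes profiles named by executable path, as the tcpdump profile is.

```python
import re
from typing import Dict, List, Tuple

# key=value fields of an AppArmor audit line; values may be double-quoted or bare.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample log: line 1 is the denial from the bug report; lines 2 and 3
# are made up to exercise the filter (a library mapping, and a complain-mode event).
SAMPLE_LOG = """\
audit: type=1400 audit(1476204029.500:186): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-yakkety_<var-lib-lxd>" profile="/usr/sbin/tcpdump" name="/usr/sbin/tcpdump" pid=16746 comm="tcpdump" requested_mask="m" denied_mask="m" fsuid=296608 ouid=296608
audit: type=1400 audit(1476204030.001:187): apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/tcpdump" name="/lib/x86_64-linux-gnu/libpcap.so.0.8" pid=16746 comm="tcpdump" requested_mask="m" denied_mask="m" fsuid=296608 ouid=296608
audit: type=1400 audit(1476204031.250:188): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/tcpdump" name="/usr/sbin/tcpdump" pid=16750 comm="tcpdump" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
"""


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split one AppArmor audit line into its key=value fields."""
    # re.findall yields '' for the unmatched alternative, so pick whichever is set.
    return {key: quoted or bare for key, quoted, bare in _KV_RE.findall(line)}


def self_mmap_denials(log: str) -> List[Tuple[str, str]]:
    """Return (profile, rule) pairs for every enforced file_mmap denial where the
    denied path is the profile's own executable.  The rule is the line that would
    have to be added to the profile to grant the 'm' (mmap) permission."""
    hits: List[Tuple[str, str]] = []
    for line in log.splitlines():
        ev = parse_audit_line(line)
        if ev.get("apparmor") != "DENIED" or ev.get("operation") != "file_mmap":
            continue
        if "m" not in ev.get("denied_mask", ""):
            continue
        # Heuristic: with path-named profiles, name == profile means the process
        # could not map its own binary after exec.
        if ev.get("name") != ev.get("profile"):
            continue
        hit = (ev["profile"], f'{ev["name"]} m,')
        if hit not in hits:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for profile, rule in self_mmap_denials(SAMPLE_LOG):
        print(f"{profile}: add '{rule}' to its AppArmor profile")
```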
[Other Info]
* Other tcpdump AppArmor denials, related to accessing the D-Bus system bus and/or the systemd-resolved D-Bus API, will be seen in the logs until a fix for bug #1598759 is in place. Those denials are documented in the following comment:
- https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1598759/comments/14