Activity log for bug #1632399

Date Who What changed Old value New value Message
2016-10-11 16:41:52 Tyler Hicks bug added bug
2016-10-12 02:44:05 Tyler Hicks description

Old value:

Running tcpdump inside of a LXD container results in tcpdump immediately segfaulting due to an AppArmor denial preventing /usr/sbin/tcpdump from being mapped.

  tyhicks@host:~$ lxc exec yakkety bash
  root@yakkety:~# tcpdump -i eth0
  Segmentation fault

This AppArmor denial can be seen in the logs:

  audit: type=1400 audit(1476204029.500:186): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-yakkety_<var-lib-lxd>" profile="/usr/sbin/tcpdump" name="/usr/sbin/tcpdump" pid=16746 comm="tcpdump" requested_mask="m" denied_mask="m" fsuid=296608 ouid=296608

This is caused by the following upstream kernel change:

  commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46
  Date: Mon Aug 22 16:41:46 2016 -0700

      binfmt_elf: switch to new creds when switching to new mm

New value:

[Impact]

Running tcpdump inside of a Yakkety LXD container, with a Yakkety host, results in tcpdump immediately segfaulting due to an AppArmor denial preventing /usr/sbin/tcpdump from being mapped.

This change in behavior is caused by the following upstream kernel change:

  commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46
  Date: Mon Aug 22 16:41:46 2016 -0700

      binfmt_elf: switch to new creds when switching to new mm

[Test Case]

  tyhicks@host:~$ lxc launch ubuntu-daily:devel yakkety
  tyhicks@host:~$ lxc exec yakkety bash
  root@yakkety:~# apt-get update && apt-get dist-upgrade -y
  ...
  root@yakkety:~# tcpdump -i eth0
  Segmentation fault

The logs will contain the following AppArmor denial:

  audit: type=1400 audit(1476204029.500:186): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-yakkety_<var-lib-lxd>" profile="/usr/sbin/tcpdump" name="/usr/sbin/tcpdump" pid=16746 comm="tcpdump" requested_mask="m" denied_mask="m" fsuid=296608 ouid=296608

The bug fix can be verified by tcpdump working as intended (capturing network traffic) with no AppArmor denial for mapping the /usr/sbin/tcpdump file.

[Regression Potential]

 * Low. The fix is simply adding an additional file permission in the tcpdump AppArmor profile. The only regression potential comes from tcpdump being built in yakkety for the first time. However, a build log comparison shows that there are no compiler flag changes or any other unexpected churn in the build log.

[Other Info]

 * Other tcpdump AppArmor denials, related to accessing the D-Bus system bus and/or the systemd-resolved D-Bus API, will be seen in the logs until a fix for bug #1598759 is in place. Those denials are documented in the following comment:
   - https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1598759/comments/14

2016-10-13 06:23:29 Martin Pitt nominated for series Ubuntu Yakkety
2016-10-13 06:23:29 Martin Pitt bug task added tcpdump (Ubuntu Yakkety)
2016-10-13 06:23:40 Martin Pitt tcpdump (Ubuntu Yakkety): status In Progress Fix Committed
2016-10-13 06:23:41 Martin Pitt bug added subscriber Ubuntu Stable Release Updates Team
2016-10-13 06:23:46 Martin Pitt bug added subscriber SRU Verification
2016-10-13 06:23:52 Martin Pitt tags verification-needed
2016-10-13 17:02:31 Tyler Hicks tags verification-needed verification-done
2016-10-20 06:11:20 Launchpad Janitor tcpdump (Ubuntu): status Fix Committed Fix Released
2016-10-20 19:49:00 Martin Pitt removed subscriber Ubuntu Stable Release Updates Team
2016-10-20 19:50:33 Launchpad Janitor tcpdump (Ubuntu Yakkety): status Fix Committed Fix Released