AppArmor confinement change in 4.8 and newer kernels causes segfault inside LXD containers
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tcpdump (Ubuntu) | Fix Released | High | Tyler Hicks |
Yakkety | Fix Released | High | Tyler Hicks |
Bug Description
[Impact]
Running tcpdump inside of a Yakkety LXD container, with a Yakkety host, results in tcpdump immediately segfaulting due to an AppArmor denial preventing /usr/sbin/tcpdump from being mapped.
This change in behavior is caused by the following upstream kernel change:
commit 9f834ec18defc36
Date: Mon Aug 22 16:41:46 2016 -0700
binfmt_elf: switch to new creds when switching to new mm
[Test Case]
tyhicks@host:~$ lxc launch ubuntu-daily:devel yakkety
tyhicks@host:~$ lxc exec yakkety bash
root@yakkety:~# apt-get update && apt-get dist-upgrade -y
...
root@yakkety:~# tcpdump -i eth0
Segmentation fault
The logs will contain the following AppArmor denial:
audit: type=1400 audit(147620402
The bug fix can be verified by tcpdump working as intended (capturing network traffic) with no AppArmor denial for mapping the /usr/sbin/tcpdump file.
[Regression Potential]
* Low. The fix simply adds one additional file permission to the tcpdump AppArmor profile. The only regression potential comes from tcpdump being built in yakkety for the first time. However, a build log comparison shows no compiler flag changes or any other unexpected churn in the build log.
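An added example, not code from the bug report or the tcpdump package: a small Python helper that parses an AppArmor DENIED audit line of the kind the test case produces, derives the profile rule that would grant the denied mask, and checks whether a profile excerpt already grants it. The audit line and both profile excerpts are constructed samples (the page's own audit line is truncated and the real profile text is not on the page).

```python
import re
from typing import Dict, Optional

# Constructed sample of the file_mmap denial this report describes; the page's own
# audit line is truncated, so the timestamp, serial number and pid here are made up.
SAMPLE_DENIAL = (
    'audit: type=1400 audit(1476204020.123:45): apparmor="DENIED" '
    'operation="file_mmap" profile="/usr/sbin/tcpdump" name="/usr/sbin/tcpdump" '
    'pid=1234 comm="tcpdump" requested_mask="m" denied_mask="m" fsuid=0 ouid=0'
)

# Hypothetical profile excerpts; the second adds the mapping permission on the binary.
PROFILE_BEFORE = """/usr/sbin/tcpdump {
  capability net_raw,
  network raw,
  /usr/sbin/tcpdump r,
}"""
PROFILE_AFTER = PROFILE_BEFORE.replace("/usr/sbin/tcpdump r,", "/usr/sbin/tcpdump rm,")

_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_RULE_RE = re.compile(r"^\s*(/\S*)\s+([a-zA-Z]+),\s*$", re.MULTILINE)


def parse_apparmor_denial(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of a type=1400 AppArmor DENIED line, else None."""
    if "type=1400" not in line:
        return None
    fields = {k: quoted or bare for k, quoted, bare in _KV_RE.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None


def suggested_rule(denial: Dict[str, str]) -> Optional[str]:
    """For a file_mmap denial, the profile rule granting exactly the denied mask."""
    if denial.get("operation") != "file_mmap":
        return None
    return f'{denial["name"]} {denial["denied_mask"]},'


def profile_grants(profile_text: str, path: str, mask: str) -> bool:
    """True if a literal-path file rule in the profile covers every letter of mask.
    Globbed paths and abstractions are not expanded; enough for this report's case."""
    return any(rule_path == path and set(mask) <= set(perms)
               for rule_path, perms in _RULE_RE.findall(profile_text))


if __name__ == "__main__":
    denial = parse_apparmor_denial(SAMPLE_DENIAL)
    print("missing rule:", suggested_rule(denial))
    print("patched profile grants it:", profile_grants(PROFILE_AFTER, denial["name"], denial["denied_mask"]))
```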
[Other Info]
* Other tcpdump AppArmor denials, related to accessing the D-Bus system bus and/or the systemd-resolved D-Bus API, will be seen in the logs until a fix for bug #1598759 is in place. Those denials are documented in the following comment:
- https:/
Hello Tyler, or anyone else affected,
Accepted tcpdump into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/tcpdump/4.7.4-1ubuntu1.16.10.1 in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.
Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!