2012-09-28 21:36:41 |
Ted Gould |
bug |
|
|
added bug |
2012-09-28 21:37:39 |
Ted Gould |
bug |
|
|
added subscriber Ubuntu Security Team |
2012-09-28 22:26:57 |
Till Kamppeter |
cups (Ubuntu): assignee |
|
Martin Pitt (pitti) |
|
2012-10-01 06:05:54 |
Martin Pitt |
cups (Ubuntu): assignee |
Martin Pitt (pitti) |
Jamie Strandboge (jdstrand) |
|
2012-10-01 06:06:17 |
Martin Pitt |
summary |
CUPS failes to install with apparmor exception |
fails to install when kernel does not provide block_suspend capability |
|
2012-10-01 13:23:33 |
Jamie Strandboge |
cups (Ubuntu): status |
New |
Incomplete |
|
2012-10-12 06:42:23 |
RussianNeuroMancer |
bug |
|
|
added subscriber RussianNeuroMancer |
2012-10-12 18:43:14 |
Jamie Strandboge |
cups (Ubuntu): status |
Incomplete |
Confirmed |
|
2012-10-12 18:58:24 |
Jamie Strandboge |
affects |
cups (Ubuntu) |
upstart (Ubuntu) |
|
2012-10-12 18:58:24 |
Jamie Strandboge |
upstart (Ubuntu): importance |
Undecided |
High |
|
2012-10-12 18:58:24 |
Jamie Strandboge |
upstart (Ubuntu): status |
Confirmed |
In Progress |
|
2012-10-12 18:58:24 |
Jamie Strandboge |
upstart (Ubuntu): milestone |
|
ubuntu-12.10 |
|
2012-10-12 18:58:40 |
Jamie Strandboge |
tags |
|
apparmor |
|
2012-10-12 19:00:34 |
Jamie Strandboge |
attachment added |
|
upstart_1.5-0ubuntu9.debdiff https://bugs.launchpad.net/ubuntu/+source/upstart/+bug/1058356/+attachment/3396539/+files/upstart_1.5-0ubuntu9.debdiff |
|
2012-10-12 19:27:38 |
Jamie Strandboge |
upstart (Ubuntu): status |
In Progress |
Fix Committed |
|
2012-10-12 19:27:40 |
Steve Langasek |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2012-10-12 19:27:42 |
Steve Langasek |
bug |
|
|
added subscriber SRU Verification |
2012-10-12 19:27:49 |
Steve Langasek |
tags |
apparmor |
apparmor verification-needed |
|
2012-10-12 19:28:02 |
Jamie Strandboge |
upstart (Ubuntu): milestone |
ubuntu-12.10 |
quantal-updates |
|
2012-10-12 19:28:10 |
Jamie Strandboge |
nominated for series |
|
Ubuntu Quantal |
|
2012-10-12 19:28:10 |
Jamie Strandboge |
bug task added |
|
upstart (Ubuntu Quantal) |
|
2012-10-12 19:48:46 |
Jamie Strandboge |
description |
On our Jenkins builds we're getting a failure to install the cups package. This seems to be because the apparmor profile looks for suspend capability but the virtualized builders do not have it. Here seems to be the relevant log:
AppArmor parser error for /etc/apparmor.d/usr.sbin.cupsd in /etc/apparmor.d/usr.sbin.cupsd at line 24: Invalid capability block_suspend.
start: Job failed to start
invoke-rc.d: initscript cups, action "start" failed.
dpkg: error processing cups (--configure):
subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
cups
E: Sub-process /usr/bin/dpkg returned an error code (1)
Full log: https://jenkins.qa.ubuntu.com/job/indicator-session-ci/label=quantal/16/console |
[IMPACT]
* Users upgrading from 12.04 LTS to 12.10 will encounter upgrade errors because
apparmor_parser fails to load new policy on an old kernel. Specifically, the
block_suspend capability is new in the 12.10 kernel and does not exist in the
12.04 LTS kernel. On upgrade, the cups upstart job calls
/lib/init/apparmor-profile-load from upstart, which in turn calls apparmor_parser.
apparmor_parser will exit with error on upgrades causing the upstart job to fail
no restart, which is performed during the upgrade.
[TESTCASE]
* One can either
- perform an upgrade from 12.04 to 12.10, or
- obtain the apparmor profile from the 12.10 cups package[1], copy it to
/etc/apparmor.d/usr.sbin.cupsd and then perform 'sudo restart cups'. If the
bug is not fixed, you will see 'restart: Job failed to restart'. If it is
fixed, you will see 'cups start/running, process ####' (note, if cups is not
already running you will need to do 'sudo start cups' instead of 'restart').
[1]http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/quantal/cups/quantal/view/head:/debian/local/apparmor-profile
[Regression Potential]
* The regression potential is extremely low. The only change is adding '|| exit 0' to a
shell script.
[Other Info]
* This has been discussed with the security team, the release team and foundations and
we all agree this is the best fix at this time.
Previous report:
On our Jenkins builds we're getting a failure to install the cups package. This seems to be because the apparmor profile looks for suspend capability but the virtualized builders do not have it. Here seems to be the relevant log:
AppArmor parser error for /etc/apparmor.d/usr.sbin.cupsd in /etc/apparmor.d/usr.sbin.cupsd at line 24: Invalid capability block_suspend.
start: Job failed to start
invoke-rc.d: initscript cups, action "start" failed.
dpkg: error processing cups (--configure):
subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
cups
E: Sub-process /usr/bin/dpkg returned an error code (1)
Full log: https://jenkins.qa.ubuntu.com/job/indicator-session-ci/label=quantal/16/console |
|
2012-10-12 20:01:34 |
Jamie Strandboge |
description |
[IMPACT]
* Users upgrading from 12.04 LTS to 12.10 will encounter upgrade errors because
apparmor_parser fails to load new policy on an old kernel. Specifically, the
block_suspend capability is new in the 12.10 kernel and does not exist in the
12.04 LTS kernel. On upgrade, the cups upstart job calls
/lib/init/apparmor-profile-load from upstart, which in turn calls apparmor_parser.
apparmor_parser will exit with error on upgrades causing the upstart job to fail
no restart, which is performed during the upgrade.
[TESTCASE]
* One can either
- perform an upgrade from 12.04 to 12.10, or
- obtain the apparmor profile from the 12.10 cups package[1], copy it to
/etc/apparmor.d/usr.sbin.cupsd and then perform 'sudo restart cups'. If the
bug is not fixed, you will see 'restart: Job failed to restart'. If it is
fixed, you will see 'cups start/running, process ####' (note, if cups is not
already running you will need to do 'sudo start cups' instead of 'restart').
[1]http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/quantal/cups/quantal/view/head:/debian/local/apparmor-profile
[Regression Potential]
* The regression potential is extremely low. The only change is adding '|| exit 0' to a
shell script.
[Other Info]
* This has been discussed with the security team, the release team and foundations and
we all agree this is the best fix at this time.
Previous report:
On our Jenkins builds we're getting a failure to install the cups package. This seems to be because the apparmor profile looks for suspend capability but the virtualized builders do not have it. Here seems to be the relevant log:
AppArmor parser error for /etc/apparmor.d/usr.sbin.cupsd in /etc/apparmor.d/usr.sbin.cupsd at line 24: Invalid capability block_suspend.
start: Job failed to start
invoke-rc.d: initscript cups, action "start" failed.
dpkg: error processing cups (--configure):
subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
cups
E: Sub-process /usr/bin/dpkg returned an error code (1)
Full log: https://jenkins.qa.ubuntu.com/job/indicator-session-ci/label=quantal/16/console |
[IMPACT]
* Users upgrading from 12.04 LTS to 12.10 will encounter upgrade errors because
apparmor_parser fails to load new policy on an old kernel. Specifically, the
block_suspend capability is new in the 12.10 kernel and does not exist in the
12.04 LTS kernel. On upgrade, the cups upstart job calls
/lib/init/apparmor-profile-load from upstart, which in turn calls apparmor_parser.
apparmor_parser will exit with error on upgrades causing the upstart job to fail
no restart, which is performed during the upgrade.
[TESTCASE]
* One can either
- perform an upgrade from 12.04 to 12.10, or
- obtain the apparmor profile from the 12.10 cups package[1], copy it to
/etc/apparmor.d/usr.sbin.cupsd and then perform 'sudo restart cups'. If the
bug is not fixed, you will see 'restart: Job failed to restart'. If it is
fixed, you will see 'cups start/running, process ####' (note, if cups is not
already running you will need to do 'sudo start cups' instead of 'restart').
[1]http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/quantal/cups/quantal/view/head:/debian/local/apparmor-profile
[Regression Potential]
* The regression potential is extremely low. The only change is adding '|| exit 0' to a
shell script.
[Other Info]
* This has been discussed with the security team, the release team and foundations and
we all agree this is the best fix at this time.
* On upgrades, upstart is unpacked very early (much earlier than cups), so the new
/lib/init/apparmor-profile-load should be in place when cups is restarted
Previous report:
On our Jenkins builds we're getting a failure to install the cups package. This seems to be because the apparmor profile looks for suspend capability but the virtualized builders do not have it. Here seems to be the relevant log:
AppArmor parser error for /etc/apparmor.d/usr.sbin.cupsd in /etc/apparmor.d/usr.sbin.cupsd at line 24: Invalid capability block_suspend.
start: Job failed to start
invoke-rc.d: initscript cups, action "start" failed.
dpkg: error processing cups (--configure):
subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
cups
E: Sub-process /usr/bin/dpkg returned an error code (1)
Full log: https://jenkins.qa.ubuntu.com/job/indicator-session-ci/label=quantal/16/console |
|
2012-10-12 20:36:45 |
Jamie Strandboge |
description |
[IMPACT]
* Users upgrading from 12.04 LTS to 12.10 will encounter upgrade errors because
apparmor_parser fails to load new policy on an old kernel. Specifically, the
block_suspend capability is new in the 12.10 kernel and does not exist in the
12.04 LTS kernel. On upgrade, the cups upstart job calls
/lib/init/apparmor-profile-load from upstart, which in turn calls apparmor_parser.
apparmor_parser will exit with error on upgrades causing the upstart job to fail
no restart, which is performed during the upgrade.
[TESTCASE]
* One can either
- perform an upgrade from 12.04 to 12.10, or
- obtain the apparmor profile from the 12.10 cups package[1], copy it to
/etc/apparmor.d/usr.sbin.cupsd and then perform 'sudo restart cups'. If the
bug is not fixed, you will see 'restart: Job failed to restart'. If it is
fixed, you will see 'cups start/running, process ####' (note, if cups is not
already running you will need to do 'sudo start cups' instead of 'restart').
[1]http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/quantal/cups/quantal/view/head:/debian/local/apparmor-profile
[Regression Potential]
* The regression potential is extremely low. The only change is adding '|| exit 0' to a
shell script.
[Other Info]
* This has been discussed with the security team, the release team and foundations and
we all agree this is the best fix at this time.
* On upgrades, upstart is unpacked very early (much earlier than cups), so the new
/lib/init/apparmor-profile-load should be in place when cups is restarted
Previous report:
On our Jenkins builds we're getting a failure to install the cups package. This seems to be because the apparmor profile looks for suspend capability but the virtualized builders do not have it. Here seems to be the relevant log:
AppArmor parser error for /etc/apparmor.d/usr.sbin.cupsd in /etc/apparmor.d/usr.sbin.cupsd at line 24: Invalid capability block_suspend.
start: Job failed to start
invoke-rc.d: initscript cups, action "start" failed.
dpkg: error processing cups (--configure):
subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
cups
E: Sub-process /usr/bin/dpkg returned an error code (1)
Full log: https://jenkins.qa.ubuntu.com/job/indicator-session-ci/label=quantal/16/console |
[IMPACT]
* Some users upgrading from 12.04 LTS to 12.10 have encountered upgrade errors because
apparmor_parser fails to load new policy on an old kernel. Specifically, the
block_suspend capability is new in the 12.10 kernel and does not exist in the
12.04 LTS kernel. On upgrade, the cups upstart job calls
/lib/init/apparmor-profile-load from upstart, which in turn calls apparmor_parser.
apparmor_parser can exit with error on upgrades causing the upstart job to fail.
[TESTCASE]
* Regular upgrades using do-release-upgrade or update-manager don't seem to be affected,
so it is best to:
- obtain the apparmor profile from the 12.10 cups package[1], copy it to
/etc/apparmor.d/usr.sbin.cupsd and then perform 'sudo stop cups ; sudo start cups'.
If the bug is not fixed, you will see 'start: Job failed to start'. If it is
fixed, you will see 'cups start/running, process ####'.
[1]http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/quantal/cups/quantal/view/head:/debian/local/apparmor-profile
[Regression Potential]
* The regression potential is extremely low. The only change is adding '|| exit 0' to a
shell script.
[Other Info]
* This has been discussed with the security team, the release team and foundations and
we all agree this is the best fix at this time.
* On upgrades, upstart is unpacked very early (much earlier than cups), so the new
/lib/init/apparmor-profile-load should be in place when cups is restarted
Previous report:
On our Jenkins builds we're getting a failure to install the cups package. This seems to be because the apparmor profile looks for suspend capability but the virtualized builders do not have it. Here seems to be the relevant log:
AppArmor parser error for /etc/apparmor.d/usr.sbin.cupsd in /etc/apparmor.d/usr.sbin.cupsd at line 24: Invalid capability block_suspend.
start: Job failed to start
invoke-rc.d: initscript cups, action "start" failed.
dpkg: error processing cups (--configure):
subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
cups
E: Sub-process /usr/bin/dpkg returned an error code (1)
Full log: https://jenkins.qa.ubuntu.com/job/indicator-session-ci/label=quantal/16/console |
|
2012-10-12 20:38:18 |
Jamie Strandboge |
upstart (Ubuntu Quantal): importance |
High |
Medium |
|
2012-10-12 20:52:40 |
Jamie Strandboge |
description |
[IMPACT]
* Some users upgrading from 12.04 LTS to 12.10 have encountered upgrade errors because
apparmor_parser fails to load new policy on an old kernel. Specifically, the
block_suspend capability is new in the 12.10 kernel and does not exist in the
12.04 LTS kernel. On upgrade, the cups upstart job calls
/lib/init/apparmor-profile-load from upstart, which in turn calls apparmor_parser.
apparmor_parser can exit with error on upgrades causing the upstart job to fail.
[TESTCASE]
* Regular upgrades using do-release-upgrade or update-manager don't seem to be affected,
so it is best to:
- obtain the apparmor profile from the 12.10 cups package[1], copy it to
/etc/apparmor.d/usr.sbin.cupsd and then perform 'sudo stop cups ; sudo start cups'.
If the bug is not fixed, you will see 'start: Job failed to start'. If it is
fixed, you will see 'cups start/running, process ####'.
[1]http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/quantal/cups/quantal/view/head:/debian/local/apparmor-profile
[Regression Potential]
* The regression potential is extremely low. The only change is adding '|| exit 0' to a
shell script.
[Other Info]
* This has been discussed with the security team, the release team and foundations and
we all agree this is the best fix at this time.
* On upgrades, upstart is unpacked very early (much earlier than cups), so the new
/lib/init/apparmor-profile-load should be in place when cups is restarted
Previous report:
On our Jenkins builds we're getting a failure to install the cups package. This seems to be because the apparmor profile looks for suspend capability but the virtualized builders do not have it. Here seems to be the relevant log:
AppArmor parser error for /etc/apparmor.d/usr.sbin.cupsd in /etc/apparmor.d/usr.sbin.cupsd at line 24: Invalid capability block_suspend.
start: Job failed to start
invoke-rc.d: initscript cups, action "start" failed.
dpkg: error processing cups (--configure):
subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
cups
E: Sub-process /usr/bin/dpkg returned an error code (1)
Full log: https://jenkins.qa.ubuntu.com/job/indicator-session-ci/label=quantal/16/console |
[IMPACT]
* Some users upgrading from 12.04 LTS to 12.10 have encountered upgrade errors because
apparmor_parser fails to load new policy on an old kernel. Specifically, the
block_suspend capability is new in the 12.10 kernel and does not exist in the
12.04 LTS kernel. On upgrade, the cups upstart job calls
/lib/init/apparmor-profile-load from upstart, which in turn calls apparmor_parser.
apparmor_parser can exit with error on upgrades causing the upstart job to fail.
[TESTCASE]
* Regular upgrades using do-release-upgrade or update-manager don't seem to be affected,
so it is best to:
- obtain the apparmor profile from the 12.10 cups package[1], copy it to
/etc/apparmor.d/usr.sbin.cupsd and then perform 'sudo stop cups ; sudo start cups'.
If the bug is not fixed, you will see 'start: Job failed to start'. If it is
fixed, you will see 'cups start/running, process ####'.
[1]http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/quantal/cups/quantal/view/head:/debian/local/apparmor-profile
[Regression Potential]
* The regression potential is extremely low. The only change is adding '|| exit 0' to a
shell script.
[Other Info]
* This has been discussed with the security team, the release team and foundations and
we all agree this is the best fix at this time.
* On upgrades, upstart is unpacked very early (much earlier than cups), so the new
/lib/init/apparmor-profile-load should be in place before the upstart job is used
* apparmor_parser failure will not remove the old profile when it faces this error
condition, so the program will not go unconfined
Previous report:
On our Jenkins builds we're getting a failure to install the cups package. This seems to be because the apparmor profile looks for suspend capability but the virtualized builders do not have it. Here seems to be the relevant log:
AppArmor parser error for /etc/apparmor.d/usr.sbin.cupsd in /etc/apparmor.d/usr.sbin.cupsd at line 24: Invalid capability block_suspend.
start: Job failed to start
invoke-rc.d: initscript cups, action "start" failed.
dpkg: error processing cups (--configure):
subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
cups
E: Sub-process /usr/bin/dpkg returned an error code (1)
Full log: https://jenkins.qa.ubuntu.com/job/indicator-session-ci/label=quantal/16/console |
|
2012-10-15 09:45:34 |
Launchpad Janitor |
upstart (Ubuntu Quantal): status |
Fix Committed |
Fix Released |
|
2012-10-22 19:50:55 |
Kees Cook |
bug task added |
|
cups (Ubuntu) |
|
2014-05-29 00:14:42 |
Mathew Hodson |
tags |
apparmor verification-needed |
apparmor quantal |
|
2014-12-05 04:58:16 |
Rolf Leggewie |
cups (Ubuntu Quantal): status |
New |
Won't Fix |
|
2014-12-05 06:58:45 |
RussianNeuroMancer |
removed subscriber RussianNeuroMancer |
|
|
|
2015-08-19 04:46:09 |
Mathew Hodson |
cups (Ubuntu): status |
New |
Invalid |
|
2015-08-19 04:46:14 |
Mathew Hodson |
cups (Ubuntu Quantal): status |
Won't Fix |
Invalid |
|
2015-08-19 04:52:33 |
Mathew Hodson |
description |
[IMPACT]
* Some users upgrading from 12.04 LTS to 12.10 have encountered upgrade errors because
apparmor_parser fails to load new policy on an old kernel. Specifically, the
block_suspend capability is new in the 12.10 kernel and does not exist in the
12.04 LTS kernel. On upgrade, the cups upstart job calls
/lib/init/apparmor-profile-load from upstart, which in turn calls apparmor_parser.
apparmor_parser can exit with error on upgrades causing the upstart job to fail.
[TESTCASE]
* Regular upgrades using do-release-upgrade or update-manager don't seem to be affected,
so it is best to:
- obtain the apparmor profile from the 12.10 cups package[1], copy it to
/etc/apparmor.d/usr.sbin.cupsd and then perform 'sudo stop cups ; sudo start cups'.
If the bug is not fixed, you will see 'start: Job failed to start'. If it is
fixed, you will see 'cups start/running, process ####'.
[1]http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/quantal/cups/quantal/view/head:/debian/local/apparmor-profile
[Regression Potential]
* The regression potential is extremely low. The only change is adding '|| exit 0' to a
shell script.
[Other Info]
* This has been discussed with the security team, the release team and foundations and
we all agree this is the best fix at this time.
* On upgrades, upstart is unpacked very early (much earlier than cups), so the new
/lib/init/apparmor-profile-load should be in place before the upstart job is used
* apparmor_parser failure will not remove the old profile when it faces this error
condition, so the program will not go unconfined
Previous report:
On our Jenkins builds we're getting a failure to install the cups package. This seems to be because the apparmor profile looks for suspend capability but the virtualized builders do not have it. Here seems to be the relevant log:
AppArmor parser error for /etc/apparmor.d/usr.sbin.cupsd in /etc/apparmor.d/usr.sbin.cupsd at line 24: Invalid capability block_suspend.
start: Job failed to start
invoke-rc.d: initscript cups, action "start" failed.
dpkg: error processing cups (--configure):
subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
cups
E: Sub-process /usr/bin/dpkg returned an error code (1)
Full log: https://jenkins.qa.ubuntu.com/job/indicator-session-ci/label=quantal/16/console |
[Impact]
* Some users upgrading from 12.04 LTS to 12.10 have encountered upgrade
errors because apparmor_parser fails to load new policy on an old kernel.
Specifically, the block_suspend capability is new in the 12.10 kernel and
does not exist in the 12.04 LTS kernel.
* On upgrade, the cups upstart job calls /lib/init/apparmor-profile-load
from upstart, which in turn calls apparmor_parser. apparmor_parser can
exit with error on upgrades causing the upstart job to fail.
[Test Case]
* Regular upgrades using do-release-upgrade or update-manager don't seem to
be affected, so it is best to:
* Obtain the apparmor profile from the 12.10 cups package[1], copy it to
/etc/apparmor.d/usr.sbin.cupsd and then perform 'sudo stop cups ; sudo
start cups'.
* If the bug is not fixed, you will see 'start: Job failed to start'. If it
is fixed, you will see 'cups start/running, process ####'.
[1]http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/quantal/cups/quantal /view/head:/debian/local/apparmor-profile
[Regression Potential]
* The regression potential is extremely low. The only change is adding '||
exit 0' to a shell script.
[Other Info]
* This has been discussed with the security team, the release team and
foundations and we all agree this is the best fix at this time.
* On upgrades, upstart is unpacked very early (much earlier than cups), so
the new /lib/init/apparmor-profile-load should be in place before the
upstart job is used
* apparmor_parser failure will not remove the old profile when it faces this
error condition, so the program will not go unconfined
On our Jenkins builds we're getting a failure to install the cups package. This seems to be because the apparmor profile looks for suspend capability but the virtualized builders do not have it. Here seems to be the relevant log:
AppArmor parser error for /etc/apparmor.d/usr.sbin.cupsd in /etc/apparmor.d/usr.sbin.cupsd at line 24: Invalid capability block_suspend.
start: Job failed to start
invoke-rc.d: initscript cups, action "start" failed.
dpkg: error processing cups (--configure):
subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
cups
E: Sub-process /usr/bin/dpkg returned an error code (1)
Full log: https://jenkins.qa.ubuntu.com/job/indicator-session-ci/label=quantal/16/console |
|
2015-08-19 04:53:38 |
Mathew Hodson |
summary |
fails to install when kernel does not provide block_suspend capability |
cups fails to install when kernel does not provide block_suspend capability |
|
2015-08-19 04:56:14 |
Mathew Hodson |
description |
[Impact]
* Some users upgrading from 12.04 LTS to 12.10 have encountered upgrade
errors because apparmor_parser fails to load new policy on an old kernel.
Specifically, the block_suspend capability is new in the 12.10 kernel and
does not exist in the 12.04 LTS kernel.
* On upgrade, the cups upstart job calls /lib/init/apparmor-profile-load
from upstart, which in turn calls apparmor_parser. apparmor_parser can
exit with error on upgrades causing the upstart job to fail.
[Test Case]
* Regular upgrades using do-release-upgrade or update-manager don't seem to
be affected, so it is best to:
* Obtain the apparmor profile from the 12.10 cups package[1], copy it to
/etc/apparmor.d/usr.sbin.cupsd and then perform 'sudo stop cups ; sudo
start cups'.
* If the bug is not fixed, you will see 'start: Job failed to start'. If it
is fixed, you will see 'cups start/running, process ####'.
[1]http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/quantal/cups/quantal /view/head:/debian/local/apparmor-profile
[Regression Potential]
* The regression potential is extremely low. The only change is adding '||
exit 0' to a shell script.
[Other Info]
* This has been discussed with the security team, the release team and
foundations and we all agree this is the best fix at this time.
* On upgrades, upstart is unpacked very early (much earlier than cups), so
the new /lib/init/apparmor-profile-load should be in place before the
upstart job is used
* apparmor_parser failure will not remove the old profile when it faces this
error condition, so the program will not go unconfined
On our Jenkins builds we're getting a failure to install the cups package. This seems to be because the apparmor profile looks for suspend capability but the virtualized builders do not have it. Here seems to be the relevant log:
AppArmor parser error for /etc/apparmor.d/usr.sbin.cupsd in /etc/apparmor.d/usr.sbin.cupsd at line 24: Invalid capability block_suspend.
start: Job failed to start
invoke-rc.d: initscript cups, action "start" failed.
dpkg: error processing cups (--configure):
subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
cups
E: Sub-process /usr/bin/dpkg returned an error code (1)
Full log: https://jenkins.qa.ubuntu.com/job/indicator-session-ci/label=quantal/16/console |
[Impact]
* Some users upgrading from 12.04 LTS to 12.10 have encountered upgrade
errors because apparmor_parser fails to load new policy on an old kernel.
Specifically, the block_suspend capability is new in the 12.10 kernel and
does not exist in the 12.04 LTS kernel.
* On upgrade, the cups upstart job calls /lib/init/apparmor-profile-load
from upstart, which in turn calls apparmor_parser. apparmor_parser can
exit with error on upgrades causing the upstart job to fail.
[Test Case]
* Regular upgrades using do-release-upgrade or update-manager don't seem to
be affected, so it is best to:
* Obtain the apparmor profile from the 12.10 cups package[1], copy it to
/etc/apparmor.d/usr.sbin.cupsd and then perform 'sudo stop cups ; sudo
start cups'.
* If the bug is not fixed, you will see 'start: Job failed to start'. If it
is fixed, you will see 'cups start/running, process ####'.
[1]http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/quantal/cups/quantal/view/head:/debian/local/apparmor-profile
[Regression Potential]
* The regression potential is extremely low. The only change is adding '||
exit 0' to a shell script.
[Other Info]
* This has been discussed with the security team, the release team and
foundations and we all agree this is the best fix at this time.
* On upgrades, upstart is unpacked very early (much earlier than cups), so
the new /lib/init/apparmor-profile-load should be in place before the
upstart job is used
* apparmor_parser failure will not remove the old profile when it faces this
error condition, so the program will not go unconfined
On our Jenkins builds we're getting a failure to install the cups package. This seems to be because the apparmor profile looks for suspend capability but the virtualized builders do not have it. Here seems to be the relevant log:
AppArmor parser error for /etc/apparmor.d/usr.sbin.cupsd in /etc/apparmor.d/usr.sbin.cupsd at line 24: Invalid capability block_suspend.
start: Job failed to start
invoke-rc.d: initscript cups, action "start" failed.
dpkg: error processing cups (--configure):
subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
cups
E: Sub-process /usr/bin/dpkg returned an error code (1)
Full log: https://jenkins.qa.ubuntu.com/job/indicator-session-ci/label=quantal/16/console |
|