[apparmor] getattr handled incorrectly in 2.6.35-6.7

Bug #599450 reported by Marc Deslauriers
This bug affects 19 people
Affects          Importance  Assigned to
linux (Ubuntu)   High        John Johansen
Maverick         High        John Johansen

Bug Description

Maverick kernel 2.6.35-6.7 incorrectly handles getattr. Kernel 2.6.35-5.6 worked fine.

Here are some example logs:

Jun 28 09:22:35 mdlinux kernel: [ 40.273454] type=1400 audit(1277731355.186:28): operation="getattr" pid=2210 parent=2209 profile="/usr/sbin/cupsd" name="/lib/" pid=2210 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 28 09:22:35 mdlinux kernel: [ 40.273476] type=1400 audit(1277731355.186:29): operation="getattr" pid=2210 parent=2209 profile="/usr/sbin/cupsd" name="/usr/lib/" pid=2210 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 28 09:22:42 mdlinux kernel: [ 40.798130] type=1400 audit(1277731362.002:30): operation="getattr" pid=2210 parent=2209 profile="/usr/sbin/cupsd" name="/usr/Brother/Printer/hl4040cdn/cupswrapper/brlpdwrapper_hl4040cdn" pid=2210 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 28 09:22:42 mdlinux kernel: [ 40.825958] type=1400 audit(1277731362.032:31): operation="getattr" pid=2210 parent=2209 profile="/usr/sbin/cupsd" name="/usr/Brother/Printer/hl4040cdn/cupswrapper/brlpdwrapper_hl4040cdn" pid=2210 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 28 10:22:10 mdlinux kernel: [ 42.642866] type=1400 audit(1277734930.559:28): operation="getattr" pid=2159 parent=2157 profile="/usr/sbin/cupsd" name="/lib/" pid=2159 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 28 10:22:10 mdlinux kernel: [ 42.642889] type=1400 audit(1277734930.559:29): operation="getattr" pid=2159 parent=2157 profile="/usr/sbin/cupsd" name="/usr/lib/" pid=2159 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 28 10:22:11 mdlinux kernel: [ 43.359155] type=1400 audit(1277734931.269:30): operation="getattr" pid=2159 parent=2157 profile="/usr/sbin/cupsd" name="/usr/Brother/Printer/hl4040cdn/cupswrapper/brlpdwrapper_hl4040cdn" pid=2159 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 28 10:22:11 mdlinux kernel: [ 43.359841] type=1400 audit(1277734931.269:31): operation="getattr" pid=2159 parent=2157 profile="/usr/sbin/cupsd" name="/usr/Brother/Printer/hl4040cdn/cupswrapper/brlpdwrapper_hl4040cdn" pid=2159 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 28 10:25:55 mdlinux kernel: [ 36.520703] type=1400 audit(1277735155.443:28): operation="getattr" pid=2102 parent=2101 profile="/usr/sbin/cupsd" name="/lib/" pid=2102 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 28 10:25:55 mdlinux kernel: [ 36.520728] type=1400 audit(1277735155.443:29): operation="getattr" pid=2102 parent=2101 profile="/usr/sbin/cupsd" name="/usr/lib/" pid=2102 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 28 10:25:56 mdlinux kernel: [ 37.337014] type=1400 audit(1277735156.253:30): operation="getattr" pid=2102 parent=2101 profile="/usr/sbin/cupsd" name="/usr/Brother/Printer/hl4040cdn/cupswrapper/brlpdwrapper_hl4040cdn" pid=2102 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 28 10:25:56 mdlinux kernel: [ 37.337714] type=1400 audit(1277735156.253:31): operation="getattr" pid=2102 parent=2101 profile="/usr/sbin/cupsd" name="/usr/Brother/Printer/hl4040cdn/cupswrapper/brlpdwrapper_hl4040cdn" pid=2102 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
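
Added example, not part of the original report or of any project's code: a small triage script for `type=1400` records in the format quoted above, grouping denials by profile, operation, and path. The function names and the sample lines are constructed for illustration; records without a `denied_mask` field (such as `profile_replace`) are treated as status events rather than denials.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same format as the records in this report.
SAMPLE = """\
Jun 28 09:22:35 host kernel: [ 40.273454] type=1400 audit(1277731355.186:28): operation="getattr" pid=2210 parent=2209 profile="/usr/sbin/cupsd" name="/lib/" pid=2210 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 28 10:22:10 host kernel: [ 42.642866] type=1400 audit(1277734930.559:28): operation="getattr" pid=2159 parent=2157 profile="/usr/sbin/cupsd" name="/lib/" pid=2159 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 20 01:54:08 host kernel: [ 6086.630194] type=1400 audit(1279616048.377:20): operation="profile_replace" pid=2610 name="/usr/sbin/mysqld" pid=2610 comm="apparmor_parser"
Jul 20 01:54:08 host init: mysql post-start process (2615) terminated with status 2
Jul 20 01:54:08 host kernel: [ 6086.923361] type=1400 audit(1279616048.665:21): operation="getattr" pid=2614 parent=1 profile="/usr/sbin/mysqld" name="/usr/" pid=2614 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

HEADER = re.compile(r'type=1400 audit\((\d+\.\d+):(\d+)\):')
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

def parse_record(line):
    """Return a dict for an AppArmor audit line, or None for any other line."""
    m = HEADER.search(line)
    if not m:
        return None
    rec = {"time": float(m.group(1)), "serial": int(m.group(2))}
    # Keys that repeat (pid appears twice in this format) keep the last value.
    for key, quoted, bare in FIELD.findall(line[m.end():]):
        rec[key] = quoted or bare
    return rec

def summarize_denials(text):
    """Count denials per (profile, operation, name, denied_mask)."""
    counts = defaultdict(int)
    for line in text.splitlines():
        rec = parse_record(line)
        # No denied_mask means a status event (e.g. profile_replace), not a denial.
        if rec is None or "denied_mask" not in rec:
            continue
        key = (rec["profile"], rec["operation"], rec["name"], rec["denied_mask"])
        counts[key] += 1
    return dict(counts)

def profiles_denied(text, operation="getattr"):
    """Sorted list of profiles with at least one denial for the given operation."""
    return sorted({k[0] for k in summarize_denials(text) if k[1] == operation})

if __name__ == "__main__":
    for key, n in sorted(summarize_denials(SAMPLE).items()):
        print(n, *key)
```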

Changed in linux (Ubuntu):
assignee: nobody → John Johansen (jjohansen)
importance: Undecided → High
tags: added: iso-testing
Martin Pitt (pitti) wrote :

This breaks cups, MySQL and presumably other software. I added it to the release notes for alpha-2, but this should be fixed by alpha-3. Thanks!

Changed in linux (Ubuntu Maverick):
milestone: none → maverick-alpha-3
tags: added: regression-potential
Chris Cheney (ccheney) wrote :

This also breaks starting instances on UEC.

Christopher (soft-kristal) wrote :

Could this also affect gscan2pdf? Files are saving as the current date, rather than the one typed when saving a file. If I'm not mistaken, this bug happened around the same time as evince wouldn't open certain folders and sub-folders.

papukaija (papukaija)
tags: added: maverick
Serge Hallyn (serge-hallyn) wrote :

As a workaround to use libvirt in the meantime, you can disable the
libvirt profile temporarily by doing:

 cd /etc/apparmor.d/disable
 ln -s /etc/apparmor.d/usr.sbin.libvirtd

and rebooting to reload the profile. Please do this only until the
kernel is fixed.

Christopher (soft-kristal) wrote :

Today's Evince update has solved the saving to certain folders problem. I also noticed that after the update there were duplicate bookmarks, some appearing as normal folders and the others grayish. I removed the latter and the others are working well now with Evince.

Thierry Carrez (ttx) wrote :

Looks like this is breaking dhcp3 too, see bug 604845

Jasper Frumau (jfrumau) wrote :

I think this bug affects MySQL as well:

$ cat /var/log/syslog | grep mysql
Jul 20 01:54:08 ubuntu kernel: [ 6086.630194] type=1400 audit(1279616048.377:20): operation="profile_replace" pid=2610 name="/usr/sbin/mysqld" pid=2610 comm="apparmor_parser"
Jul 20 01:54:08 ubuntu init: mysql post-start process (2615) terminated with status 2
Jul 20 01:54:08 ubuntu kernel: [ 6086.923361] type=1400 audit(1279616048.665:21): operation="getattr" pid=2614 parent=1 profile="/usr/sbin/mysqld" name="/usr/" pid=2614 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 20 01:54:08 ubuntu kernel: [ 6086.923386] type=1400 audit(1279616048.665:22): operation="getattr" pid=2614 parent=1 profile="/usr/sbin/mysqld" name="/var/" pid=2614 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I run Maverick Meerkat:
jasper@ubuntu:/etc$ cat lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=10.10
DISTRIB_CODENAME=maverick
DISTRIB_DESCRIPTION="Ubuntu maverick (development branch)"

And MySQL will not startup on reboot anymore.

John Johansen (jjohansen) wrote :

I have placed test kernels with the fix at

kernel.ubuntu.com/~jj/linux-image-2.6.35-12-generic_2.6.35-12.17_i386.deb
kernel.ubutnu.com/~jj/linux-image-2.6.35-12-generic_2.6.35-12.17~jj_amd64.deb

Changed in linux (Ubuntu Maverick):
status: New → Fix Committed
Chad Waters (chad) wrote :

I'm still experiencing the libvirt issue with
linux-image-2.6.35-12-server_2.6.35-12.17_amd64.deb

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/engine.py", line 814, in run_domain
    vm.startup()
  File "/usr/share/virt-manager/virtManager/domain.py", line 1286, in startup
    self._backend.create()
  File "/usr/lib/python2.6/dist-packages/libvirt.py", line 333, in create
    if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirtError: internal error Process exited while reading console log output: libvir: Security Labeling error : internal error error calling aa_change_profile()

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.35-13.18

---------------
linux (2.6.35-13.18) maverick; urgency=low

  [ Andy Whitcroft ]

  * SAUCE: (no-up) Modularize vesafb -- fix initialisation
  * SAUCE: add tracing for user initiated readahead requests
  * SAUCE: vt -- maintain bootloader screen mode and content until vt
    switch
  * SAUCE: vt -- allow grub to request automatic vt_handoff
  * SAUCE: fbcon -- fix race between open and removal of framebuffers
  * SAUCE: drm -- stop early access to drm devices

  [ Bryan Wu ]

  * CONFIG: compile in OTG driver and Transceiver driver
    - LP: #566645
  * remove OTG modules from modules list file

  [ John Johansen ]

  * SAUCE: AppArmor: -- sync to AppArmor mainline 2010-07-27
    - LP: #581525, #599450
  * SAUCE: AppArmor: -- sync to AppArmor mainline 2010-07-29
  * SAUCE: AppArmor 2.4 compatibility patch
  * SAUCE: AppArmor: Allow dfa backward compatibility with broken userspace
  * SAUCE: fix pv-ops for legacy Xen
  * SAUCE: blkfront: default to sd devices
  * [Config] Build in drivers required for Xen pv-ops

  [ Leann Ogasawara ]

  * Revert "[Upstream] i915: Use the correct mask to detect i830 aperture
    size."

  [ Lee Jones ]

  * SAUCE: ARM: OMAP: Add macros for comparing silicon revision
    - LP: #608095
  * SAUCE: OMAP: DSS2: check for both cpu type and revision, rather than
    just revision
    - LP: #608095
  * SAUCE: OMAP: DSS2: enable hsclk in dsi_pll_init for OMAP36XX
    - LP: #608095
  * SAUCE: ARM: OMAP: Beagle: support twl gpio differences on xM
    - LP: #608095

  [ Upstream Kernel Changes ]

  * agp/intel: Use the correct mask to detect i830 aperture size.
    - LP: #597075
 -- Leann Ogasawara <email address hidden> Fri, 30 Jul 2010 15:46:59 -0700

Changed in linux (Ubuntu Maverick):
status: Fix Committed → Fix Released
igi (igor-cali) wrote :

Cups is still not working in Maverick Beta

Marc Deslauriers (mdeslaur) wrote :

@igi: please open a new bug for your issue
