lxc container with postfix, permission denied on mailq

Bug #1446906 reported by Norberto Bensa
This bug affects 6 people
Affects             Status        Importance  Assigned to   Milestone
linux (Ubuntu)      Fix Released  Medium      Tim Gardner
  Vivid             Fix Released  Undecided   Tim Gardner
  Wily              Fix Released  Undecided   Tim Gardner
  Xenial            Fix Released  Medium      Tim Gardner
lxc (Ubuntu)        Invalid       Medium      Unassigned
  Xenial            Invalid       Medium      Unassigned

Bug Description

[Impact]

 * Users may encounter situations where applications confined by AppArmor hit
   EACCES failures when attempting to operate on AF_UNIX stream sockets.

 * These failures typically occur when a confined application attempts to
   read from an AF_UNIX stream socket whose other end has already been
   closed.

 * AppArmor mistakenly denies these socket operations because the socket
   shutdown leaves the sun_path unavailable to AppArmor's path-based
   mediation once the socket has been shut down.

[Test Case]

 The expected test case is:

 $ sudo apt-get install postfix # installing in 'local only' config is fine
 $ cat > bug-profile << EOF
 profile bug-profile flags=(attach_disconnected) {
   network,
   file,
 }
 EOF
 $ sudo apparmor_parser -r bug-profile
 $ aa-exec -p bug-profile -- mailq
 Mail queue is empty

 A failed test case will see the mailq command exit with an error:

 $ aa-exec -p bug-profile -- mailq
 postqueue: warning: close: Permission denied

 and these denials will be found in the syslog:

 Jan 25 16:56:29 sec-vivid-amd64 kernel: [ 241.096168] audit: type=1400 audit(1453762589.727:29): apparmor="DENIED" operation="file_perm" profile="bug-profile" name="public/showq" pid=4923 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
 Jan 25 16:56:29 sec-vivid-amd64 kernel: [ 241.096175] audit: type=1400 audit(1453762589.727:30): apparmor="DENIED" operation="file_perm" profile="bug-profile" name="public/showq" pid=4923 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
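 The mailq test above only shows the symptom; the syscall sequence behind it is the one the strace later in this thread records (connect succeeds, poll reports POLLIN|POLLHUP, read fails with EACCES). The following C program is an added example, not part of the bug report or of the kernel fix: it plays both postfix's master (server) and postqueue (client) in one process, closes the server end before the client reads, and classifies what read() returns. Unconfined, or on a fixed kernel under a confining profile such as bug-profile, it reports an orderly EOF; under a confining profile on an affected kernel it would report the EACCES denial. The socket path under /tmp and the helper names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Outcome of one probe of the client end of an AF_UNIX stream socket. */
struct probe_result {
    short revents;  /* what poll() reported before the read */
    ssize_t nread;  /* return value of read() */
    int err;        /* errno after a failed read(), 0 otherwise */
};

/* Bind and listen on `path`, connect a client, accept, close the accepted
 * (server) end, then poll and read on the client end: the same sequence the
 * strace of postqueue shows.  Returns 0 when the probe ran and `res` is
 * filled in, -1 (errno set) when socket setup itself failed. */
int probe_read_after_peer_close(const char *path, struct probe_result *res)
{
    struct sockaddr_un addr;
    struct pollfd pfd;
    char buf[4096];
    int srv = -1, cli = -1, acc = -1, rc = -1, n;

    memset(res, 0, sizeof *res);
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    if (strlen(path) >= sizeof addr.sun_path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    strcpy(addr.sun_path, path);

    if ((srv = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        goto out;
    unlink(path);                 /* drop a stale socket from an earlier run */
    if (bind(srv, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(srv, 1) < 0)
        goto out;
    if ((cli = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        goto out;
    if (connect(cli, (struct sockaddr *)&addr, sizeof addr) < 0)
        goto out;
    if ((acc = accept(srv, NULL, NULL)) < 0)
        goto out;

    /* The server side goes away before the client reads: the state in which
     * AppArmor lost the sun_path and denied postqueue's read(). */
    close(acc);
    acc = -1;

    pfd.fd = cli;
    pfd.events = POLLIN;
    n = poll(&pfd, 1, 3000);
    if (n < 0)
        goto out;
    res->revents = pfd.revents;
    if (n == 0) {                 /* nothing to read: never block in read() */
        res->nread = -1;
        res->err = ETIMEDOUT;
        rc = 0;
        goto out;
    }
    errno = 0;
    res->nread = read(cli, buf, sizeof buf);
    res->err = res->nread < 0 ? errno : 0;
    rc = 0;
out:
    if (acc >= 0) close(acc);
    if (cli >= 0) close(cli);
    if (srv >= 0) close(srv);
    unlink(path);
    return rc;
}

/* 1: correct behaviour, an orderly EOF (read() == 0);
 * 0: the denial this bug describes (read() == -1 with errno EACCES);
 * -1: anything else. */
int classify(ssize_t nread, int err)
{
    if (nread == 0)
        return 1;
    if (nread < 0 && err == EACCES)
        return 0;
    return -1;
}

/* Run the probe on a per-process path under /tmp (an assumption of this
 * example) and return classify()'s verdict, or -2 if setup failed. */
int probe_default_path(void)
{
    struct probe_result res;
    char path[64];

    snprintf(path, sizeof path, "/tmp/lp1446906-probe.%ld", (long)getpid());
    if (probe_read_after_peer_close(path, &res) < 0)
        return -2;
    return classify(res.nread, res.err);
}

int main(void)
{
    int verdict = probe_default_path();
    printf("%s\n", verdict == 1 ? "read() returned EOF: mediation OK" :
                   verdict == 0 ? "read() failed with EACCES: denial seen" :
                                  "probe inconclusive");
    return verdict == 1 ? 0 : 1;
}
```

 Running it under the profile from the test case (aa-exec -p bug-profile -- ./probe) reproduces the condition without installing postfix; the audit lines to look for in syslog are the same file_perm denials shown above, with the probe's own comm and socket name.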

[Regression Potential]

 * The changes are local to the path-based AF_UNIX stream socket mediation code
   so that limits the regression potential to some degree.

 * John Johansen authored the patch and I reviewed it. It is small and there
   are no obvious areas of concern to me regarding potential regressions.

[Other Info]

 * None at this time

[Original bug report]

Hello,

on three Vivid hosts, all of them up-to-date, I have the problem described here:

https://bugs.launchpad.net/ubuntu/utopic/+source/linux/+bug/1390223

That bug report shows the problem was fixed, but it is not (at least not on current Vivid).

ii linux-image-generic 3.19.0.15.14 amd64 Generic Linux kernel image
ii lxc 1.1.2-0ubuntu3 amd64 Linux Containers userspace tools
ii apparmor 2.9.1-0ubuntu9 amd64 User-space parser utility for AppArmor

Reproducible with:

$ sudo lxc-create -n test -t ubuntu
$ sudo lxc-start -n test

(inside container)

$ sudo apt-get install postfix
$ mailq
postqueue: warning: close: Permission denied

dmesg shows:
[82140.386109] audit: type=1400 audit(1429661150.086:17067): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=27742 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
---
ApportVersion: 2.17.2-0ubuntu1
Architecture: amd64
AudioDevicesInUse:
 USER PID ACCESS COMMAND
 /dev/snd/controlC0: zoolook 1913 F.... pulseaudio
CurrentDesktop: Unity
DistroRelease: Ubuntu 15.04
HibernationDevice: RESUME=UUID=aa25401d-0553-43dc-b7c8-c530fe245fb6
InstallationDate: Installed on 2015-02-27 (53 days ago)
InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1)
MachineType: LENOVO 20150
Package: linux (not installed)
ProcFB: 0 inteldrmfb
ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-3.19.0-15-generic root=/dev/mapper/ubuntu--vg-root ro cgroup_enable=memory swapaccount=1 quiet splash vt.handoff=7
ProcVersionSignature: Ubuntu 3.19.0-15.15-generic 3.19.3
RelatedPackageVersions:
 linux-restricted-modules-3.19.0-15-generic N/A
 linux-backports-modules-3.19.0-15-generic N/A
 linux-firmware 1.143
Tags: vivid
Uname: Linux 3.19.0-15-generic x86_64
UpgradeStatus: Upgraded to vivid on 2015-03-29 (24 days ago)
UserGroups: adm docker libvirtd lpadmin sambashare sudo
_MarkForUpload: True
dmi.bios.date: 12/19/2012
dmi.bios.vendor: LENOVO
dmi.bios.version: 5ECN95WW(V9.00)
dmi.board.asset.tag: No Asset Tag
dmi.board.name: INVALID
dmi.board.vendor: LENOVO
dmi.board.version: 31900004WIN8 STD SGL
dmi.chassis.asset.tag: No Asset Tag
dmi.chassis.type: 10
dmi.chassis.vendor: LENOVO
dmi.chassis.version: Lenovo G580
dmi.modalias: dmi:bvnLENOVO:bvr5ECN95WW(V9.00):bd12/19/2012:svnLENOVO:pn20150:pvrLenovoG580:rvnLENOVO:rnINVALID:rvr31900004WIN8STDSGL:cvnLENOVO:ct10:cvrLenovoG580:
dmi.product.name: 20150
dmi.product.version: Lenovo G580
dmi.sys.vendor: LENOVO

Revision history for this message
Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1446906

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Revision history for this message
Norberto Bensa (nbensa) wrote : AlsaInfo.txt

apport information

tags: added: apport-collected vivid
description: updated
Revision history for this message
Norberto Bensa (nbensa) wrote : CRDA.txt

apport information

Revision history for this message
Norberto Bensa (nbensa) wrote : CurrentDmesg.txt

apport information

Revision history for this message
Norberto Bensa (nbensa) wrote : IwConfig.txt

apport information

Revision history for this message
Norberto Bensa (nbensa) wrote : JournalErrors.txt

apport information

Revision history for this message
Norberto Bensa (nbensa) wrote : Lspci.txt

apport information

Revision history for this message
Norberto Bensa (nbensa) wrote : Lsusb.txt

apport information

Revision history for this message
Norberto Bensa (nbensa) wrote : ProcCpuinfo.txt

apport information

Revision history for this message
Norberto Bensa (nbensa) wrote : ProcEnviron.txt

apport information

Revision history for this message
Norberto Bensa (nbensa) wrote : ProcInterrupts.txt

apport information

Revision history for this message
Norberto Bensa (nbensa) wrote : ProcModules.txt

apport information

Revision history for this message
Norberto Bensa (nbensa) wrote : PulseList.txt

apport information

Revision history for this message
Norberto Bensa (nbensa) wrote : RfKill.txt

apport information

Revision history for this message
Norberto Bensa (nbensa) wrote : UdevDb.txt

apport information

Revision history for this message
Norberto Bensa (nbensa) wrote : UdevLog.txt

apport information

Revision history for this message
Norberto Bensa (nbensa) wrote : WifiSyslog.txt

apport information

Revision history for this message
Norberto Bensa (nbensa) wrote :

Hi Brad. Totally unrelated to this bug, but I find it really weird (not to say abusive) that Canonical needs to collect all these files, some of them with apparent serial numbers, and show this information in a public system. It would be nice if apport-collect were changed/enhanced to:

1 - filter serial numbers (hard, I know)
2 - let me choose what I want to upload

Now, going back to the bug. Please note that it was filed against a package named "linux". I didn't want this. I chose "I don't know" but Launchpad rejected the bug report three times.

Thanks

Changed in linux (Ubuntu):
importance: Undecided → Medium
Revision history for this message
Norberto Bensa (nbensa) wrote :

Q: What's status incomplete? Thanks

affects: linux (Ubuntu) → lxc (Ubuntu)
Changed in lxc (Ubuntu):
status: Incomplete → Confirmed
Revision history for this message
Wolfgang Bumiller (wbumiller) wrote :

This is not actually a container problem but an apparmor3 problem. You can reproduce it by using aa-exec on the host (with any profile), starting with commit b3c3d641f1de (UBUNTU: SAUCE: (no-up) apparmor: Sync to apparmor3 - RC1 snapshot) of the wily kernel: see https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/wily/log/security/apparmor
Also, if I change my postfix service files on my host to use aa-exec so they're even in the same profile and then run mailq with aa-exec, or even just socat on that socket, the connect() will succeed and the read() will fail with EACCES.
We also managed to hit the case described in 1390223 where executing mailq in a loop will *sometimes* succeed (though I could not reproduce this myself on my host machine).
We do have a server where it fails in only *some* containers (the only significant difference between them is that one set is 32 bit and one is 64 bit, but I couldn't reproduce that by simply running 32 bit postfix binaries on the host, so the differences might go beyond that).

Here's an example session with the wily kernel and postfix on a host modified to spawn with aa-exec:

# ps aux |grep postfix
root 556 0.0 0.5 108108 5124 ? Ss 10:21 0:00 /usr/lib/postfix/bin/master -w
postfix 557 0.0 0.6 110176 6868 ? S 10:21 0:00 pickup -l -t unix -u
postfix 558 0.0 0.6 110224 6768 ? S 10:21 0:00 qmgr -l -t unix -u
postfix 560 0.0 0.6 110176 6808 ? S 10:21 0:00 showq -t unix -u
# aa-status |grep -A5 'processes are in enforce mode.'
4 processes are in enforce mode.
   lxc-container-default (556)
   lxc-container-default (557)
   lxc-container-default (558)
   lxc-container-default (560)
0 processes are in complain mode.
# lsof -n |grep showq
master 556 root 61u unix 0xffff88003c99e000 0t0 12486 public/showq type=STREAM
# aa-exec -p lxc-container-default -- mailq
postqueue: warning: close: Permission denied
# aa-exec -p lxc-container-default -- socat UNIX:/var/spool/postfix/public/showq -
2015/11/03 10:23:48 socat[597] E read(5, 0x2103a00, 8192): Permission denied
# strace -f -- aa-exec -p lxc-container-default -- mailq
(...)
socket(PF_LOCAL, SOCK_STREAM, 0) = 4
fcntl(4, F_GETFL) = 0x2 (flags O_RDWR)
fcntl(4, F_SETFL, O_RDWR) = 0
connect(4, {sa_family=AF_LOCAL, sun_path="public/showq"}, 110) = 0
poll([{fd=4, events=POLLIN}], 1, 3600000) = 1 ([{fd=4, revents=POLLIN|POLLHUP}])
read(4, 0x5606d5407f00, 4096) = -1 EACCES (Permission denied)

log:
Nov 03 10:25:08 akern audit[643]: AVC apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=643 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 03 10:25:08 akern audit[643]: AVC apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=643 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 03 10:25:08 akern audit[643]: SYSCALL arch=c000003e syscall=0 success=no exit=-13 a0=4 a1=55bdbc538f00 a2=1000 a3=3dc items=0 ppid...


Revision history for this message
Wolfgang Bumiller (wbumiller) wrote :

So I ran postfix's master process under strace to see what it does and didn't find anything out of the ordinary; however, this way the read() succeeded 15 out of 20 times, with only 5 EACCES. The strace output of postfix's master is the same in both cases.
So maybe this helps with reproducing the issue.

Revision history for this message
John Johansen (jjohansen) wrote :

The issue is that the path is disconnected from the namespace. Currently the only way to deal with this is by using the attach_disconnected flag in the profile, and then placing rules for the attached files into the profile,

eg.

profile lxc-container-default flags=(attach_disconnected) {

   public/showq r,

   ...

}

Revision history for this message
Christian Boltz (cboltz) wrote :

nearly correct - the rule needs to be

    /public/showq r,

(note the leading "/")

Revision history for this message
John Johansen (jjohansen) wrote :

yes, sorry I'm not sure why I missed adding the leading /

Revision history for this message
John Johansen (jjohansen) wrote :

Alright, so this is not the disconnected path issue I thought it was, I am looking into it more.

Revision history for this message
John Johansen (jjohansen) wrote :

Alright, this is failing the way it is because it is a race on the socket being shutdown. If the mediate_deleted flag was removed from the profile, an additional info flag would show up in the DENIED message.

info="Failed name lookup - deleted entry"

I am still looking into how best to fix this.

Revision history for this message
John Johansen (jjohansen) wrote :

Making this bug NOT a duplicate of Bug 1390223, which will be for just the bad unix_fs macro fix that has already been committed. This one will track the deleted entry/socket shutdown revalidation issue.

Revision history for this message
John Johansen (jjohansen) wrote :

Please try the test kernels at

http://people.canonical.com/~jj/lp1446906/

Revision history for this message
Anton Statutov (astatutov) wrote :

I encountered this problem too on Ubuntu 15.04 running the 3.19.0-39 kernel. I fixed it by turning off the AppArmor profile for the LXC container by adding "lxc.aa_profile = unconfined" to the container's config. In my case the increased security risk is acceptable, but it's desirable to fix it the right way. Is there any information on which kernel version it will be fixed in, and when these updates will be available in the standard Ubuntu repositories?

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

@astatutov,

Could you please test the kernels posted in comment #28?

@jjohansen, confused, why is this bug not marked as affecting linux? Is there a reason?

Revision history for this message
John Johansen (jjohansen) wrote :

Kernels with version 3 of the fix can be found at
   http://people.canonical.com/~jj/lp1446906/

please test and leave feedback as to whether this fixes the issue

Revision history for this message
Anton Statutov (astatutov) wrote :

@jjohansen, I've tested your build and can confirm it fixes the issue.

root@host:~# uname -a
Linux host 3.19.0-31-generic #36+lp1446906v3 SMP Fri Dec 18 08:37:50 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

root@lxc:~# mailq
Mail queue is empty

Tyler Hicks (tyhicks)
description: updated
Tim Gardner (timg-tpi)
Changed in linux (Ubuntu Vivid):
assignee: nobody → Tim Gardner (timg-tpi)
status: New → In Progress
Changed in linux (Ubuntu Wily):
assignee: nobody → Tim Gardner (timg-tpi)
status: New → In Progress
Changed in linux (Ubuntu Xenial):
assignee: nobody → Tim Gardner (timg-tpi)
status: New → Fix Committed
penalvch (penalvch)
Changed in linux (Ubuntu Xenial):
importance: Undecided → Medium
Tim Gardner (timg-tpi)
Changed in linux (Ubuntu Vivid):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Wily):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-2.16

---------------
linux (4.4.0-2.16) xenial; urgency=low

  [ Andy Whitcroft ]

  * Release Tracking Bug
    - LP: #1539090
  * SAUCE: hv: hv_set_ifconfig -- convert to python3
    - LP: #1506521
  * SAUCE: dm: introduce a target_ioctl op to allow target specific ioctls
    - LP: #1538618

  [ Colin Ian King ]

  * SAUCE: ACPI / tables: Add acpi_force_32bit_fadt_addr option to force 32
    bit FADT addresses (LP: #1529381)
    - LP: #1529381

  [ John Johansen ]

  * SAUCE: (no-up): apparmor: fix for failed mediation of socket that is
    being shutdown
    - LP: #1446906

  [ Mahesh Salgaonkar ]

  * SAUCE: Powernv: Remove the usage of PACAR1 from opal wrappers
    - LP: #1537881
  * SAUCE: powerpc/book3s: Fix TB corruption in guest exit path on HMI
    interrupt.
    - LP: #1537881
  * SAUCE: KVM: PPC: Book3S HV: Fix soft lockups in KVM on HMI for time
    base errors
    - LP: #1537881

  [ Paolo Pisati ]

  * SAUCE: arm64: errata: Add -mpc-relative-literal-loads to erratum
    #843419 build flags
    - LP: #1533009
  * [Config] MFD_TPS65217=y && REGULATOR_TPS65217=y
  * [Config] disable ARCH_ZX (ZTE ZX Soc)

  [ Tim Gardner ]

  * Revert "SAUCE: (noup) cxlflash: a couple off by one bugs"
  * SAUCE: (no-up) Update bnx2x firmware to 7.12.30.0
    - LP: #1536719
  * SAUCE: drop obsolete bnx2x firmware
  * SAUCE: i40e: Silence 'may be used uninitialized' warnings
    - LP: #1536474
  * [Config] CONFIG_ZONE_DMA=y for amd64 lowlatency
    - LP: #1534647
  * [Config] Add pvpanic to virtual flavour
    - LP: #1537923
  * [Config] CONFIG_INTEL_PUNIT_IPC=m, CONFIG_INTEL_TELEMETRY=m
    - LP: #1520457

  [ Upstream Kernel Changes ]

  * i40evf: fix compiler warning of unused variable
    - LP: #1536474
  * intel: i40e: fix confused code
    - LP: #1536474
  * i40e/i40evf: remove unused tunnel parameter
    - LP: #1536474
  * i40e: Change BUG_ON to WARN_ON in service event complete
    - LP: #1536474
  * i40e: remove BUG_ON from feature string building
    - LP: #1536474
  * i40e: remove BUG_ON from FCoE setup
    - LP: #1536474
  * i40e: Workaround fix for mss < 256 issue
    - LP: #1536474
  * i40e/i40evf: Add a stat to track how many times we have to do a force
    WB
    - LP: #1536474
  * i40e: Move the saving of old link info from handle_link_event to
    link_event
    - LP: #1536474
  * i40e/i40evf: Add comment to #endif
    - LP: #1536474
  * i40e/i40evf: clean up error messages
    - LP: #1536474
  * i40evf: handle many MAC filters correctly
    - LP: #1536474
  * i40e: return the number of enabled queues for ETHTOOL_GRXRINGS
    - LP: #1536474
  * i40e: rework the functions to configure RSS with similar parameters
    - LP: #1536474
  * i40e: create a generic configure rss function
    - LP: #1536474
  * i40e: Bump version to 1.4.2
    - LP: #1536474
  * i40e: add new fields to store user configuration
    - LP: #1536474
  * i40e: rename rss_size to alloc_rss_size in i40e_pf
    - LP: #1536474
  * i40e/i40evf: Fix RS bit update in Tx path and disable force WB
    workaround
    - LP: #1536474
  * i40e/i40evf: prefetch skb data on transmit
    - LP: #1536474
  * i40evf: rename VF adapter s...

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-vivid' to 'verification-done-vivid'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-vivid
tags: added: verification-needed-wily
Revision history for this message
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-wily' to 'verification-done-wily'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.2.0-30.35

---------------
linux (4.2.0-30.35) wily; urgency=low

  [ Seth Forshee ]

  * SAUCE: cred: Add clone_cred() interface
    - LP: #1531747, #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Use mounter's credentials instead of selectively
    raising caps
    - LP: #1531747, #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.*
    xattrs
    - LP: #1531747, #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Be more careful about copying up sxid files
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Propogate nosuid from lower and upper mounts
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576

linux (4.2.0-29.34) wily; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1543167

  [ Brad Figg ]

  * Revert "SAUCE: apparmor: fix sleep from invalid context"
    - LP: #1542049

  [ Upstream Kernel Changes ]

  * Revert "af_unix: Revert 'lock_interruptible' in stream receive code"
    - LP: #1540731

linux (4.2.0-28.33) wily; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1540634

  [ Brad Figg ]

  * CONFIG: CONFIG_DEBUG_UART_BCM63XX is not set

  [ J. R. Okajima ]

  * SAUCE: ubuntu: aufs: tiny, extract a new func xino_fwrite_wkq()
    - LP: #1533043
  * SAUCE: ubuntu: aufs: for 4.3, XINO handles EINTR from the dying process
    - LP: #1533043

  [ John Johansen ]

  * SAUCE: (no-up): apparmor: fix for failed mediation of socket that is
    being shutdown
    - LP: #1446906
  * SAUCE: apparmor: fix sleep from invalid context
    - LP: #1539349

  [ Tim Gardner ]

  * [Config] Add pvpanic to virtual flavour
    - LP: #1537923

  [ Upstream Kernel Changes ]

  * Revert "ACPI / LPSS: allow to use specific PM domain during ->probe()"
    - LP: #1540532
  * tools: Add a "make all" rule
    - LP: #1536370
  * vf610_adc: Fix internal temperature calculation
    - LP: #1536370
  * iio: lpc32xx_adc: fix warnings caused by enabling unprepared clock
    - LP: #1536370
  * iio:ad5064: Make sure ad5064_i2c_write() returns 0 on success
    - LP: #1536370
  * iio: ad5064: Fix ad5629/ad5669 shift
    - LP: #1536370
  * iio:ad7793: Fix ad7785 product ID
    - LP: #1536370
  * iio: adc: vf610_adc: Fix division by zero error
    - LP: #1536370
  * mmc: mmc: Improve reliability of mmc_select_hs200()
    - LP: #1536370
  * mmc: mmc: Fix HS setting in mmc_select_hs400()
    - LP: #1536370
  * mmc: mmc: Move mmc_switch_status()
    - LP: #1536370
  * mmc: mmc: Improve reliability of mmc_select_hs400()
    - LP: #1536370
  * crypto: qat - don't use userspace pointer
    - LP: #1536370
  * iio: si7020: Swap data byte order
    - LP: #1536370
  * iio: adc: xilinx: Fix VREFN scale
    - LP: #1536370
  * ipmi: Start the timer and thread on internal msgs
    - LP: #1536370
  * drm/i915: quirk backlight present on Macbook 4, 1
    - LP: #1536370
  * drm/i915: get runtime PM reference around GEM set_caching IOCTL
    - LP: #1536370
  * drm/radeon: Disable uncacheable CPU mappings of GTT with RV6xx
    - LP: #1536370
  *...

Changed in linux (Ubuntu Wily):
status: Fix Committed → Fix Released
Changed in linux (Ubuntu Vivid):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.19.0-51.57

---------------
linux (3.19.0-51.57) vivid; urgency=low

  [ Seth Forshee ]

  * SAUCE: cred: Add clone_cred() interface
    - LP: #1531747, #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Use mounter's credentials instead of selectively
    raising caps
    - LP: #1531747, #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.*
    xattrs
    - LP: #1531747, #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Be more careful about copying up sxid files
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Propogate nosuid from lower and upper mounts
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576

linux (3.19.0-50.56) vivid; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1540576

  [ J. R. Okajima ]

  * SAUCE: ubuntu: aufs: tiny, extract a new func xino_fwrite_wkq()
    - LP: #1533043
  * SAUCE: ubuntu: aufs: for 4.3, XINO handles EINTR from the dying process
    - LP: #1533043

  [ John Johansen ]

  * SAUCE: (no-up): apparmor: fix for failed mediation of socket that is
    being shutdown
    - LP: #1446906

  [ Upstream Kernel Changes ]

  * drivers/base/memory.c: fix kernel warning during memory hotplug on
    ppc64
    - LP: #1463654
  * sched/wait: Fix signal handling in bit wait helpers
    - LP: #1537859
  * sched/wait: Fix the signal handling fix
    - LP: #1537859
  * ARC: Fix silly typo in MAINTAINERS file
    - LP: #1537859
  * ip6mr: call del_timer_sync() in ip6mr_free_table()
    - LP: #1537859
  * gre6: allow to update all parameters via rtnl
    - LP: #1537859
  * atl1c: Improve driver not to do order 4 GFP_ATOMIC allocation
    - LP: #1537859
  * sctp: use the same clock as if sock source timestamps were on
    - LP: #1537859
  * sctp: update the netstamp_needed counter when copying sockets
    - LP: #1537859
  * sctp: also copy sk_tsflags when copying the socket
    - LP: #1537859
  * net: qca_spi: fix transmit queue timeout handling
    - LP: #1537859
  * ipv6: sctp: clone options to avoid use after free
    - LP: #1537859
  * net: add validation for the socket syscall protocol argument
    - LP: #1537859
  * sh_eth: fix kernel oops in skb_put()
    - LP: #1537859
  * net: fix IP early demux races
    - LP: #1537859
  * vlan: Fix untag operations of stacked vlans with REORDER_HEADER off
    - LP: #1537859
  * skbuff: Fix offset error in skb_reorder_vlan_header
    - LP: #1537859
  * pptp: verify sockaddr_len in pptp_bind() and pptp_connect()
    - LP: #1537859
  * bluetooth: Validate socket address length in sco_sock_bind().
    - LP: #1537859
  * fou: clean up socket with kfree_rcu
    - LP: #1537859
  * af_unix: Revert 'lock_interruptible' in stream receive code
    - LP: #1537859
  * KEYS: Fix race between read and revoke
    - LP: #1537859
  * tools: Add a "make all" rule
    - LP: #1537859
  * efi: Disable interrupts around EFI calls, not in the epilog/prolog
    calls
    - LP: #1537859
  * fuse: break infinite loop in fuse_fill_write_pages()
    - LP: #1537859
  * usb: gadget: pxa2...

Changed in linux (Ubuntu Vivid):
status: Fix Committed → Fix Released
Changed in lxc (Ubuntu Xenial):
status: Confirmed → Invalid
no longer affects: lxc (Ubuntu Vivid)
no longer affects: lxc (Ubuntu Wily)