This bug was fixed in the package linux - 4.8.0-11.12

---------------
linux (4.8.0-11.12) yakkety; urgency=low

  * change_hat is logging failures during expected hat probing (LP: #1615893)
    - SAUCE: apparmor: Fix auditing behavior for change_hat probing

  * deleted files outside of the namespace are not being treated as
    disconnected (LP: #1615892)
    - SAUCE: apparmor: deleted dentries can be disconnected

  * stacking to unconfined in a child namespace confuses mediation
    (LP: #1615890)
    - SAUCE: apparmor: special case unconfined when determining the mode

  * apparmor module parameters can be changed after the policy is locked
    (LP: #1615895)
    - SAUCE: apparmor: fix: parameters can be changed after policy is locked

  * AppArmor profile reloading causes an intermittent kernel BUG (LP:
    #1579135)
    - SAUCE: apparmor: fix vec_unique for vectors larger than 8

  * label vec reductions can result in reference labels instead of direct
    access to labels (LP: #1615889)
    - SAUCE: apparmor: reduction of vec to single entry is just that entry

  * profiles from different namespaces can block other namespaces from being
    able to load a profile (LP: #1615887)
    - SAUCE: apparmor: profiles in one ns can affect mediation in another ns

  * The label build for onexec when stacking is wrong (LP: #1615881)
    - SAUCE: apparmor: Fix label build for onexec stacking.

  * The inherit check for new to old label comparison for domain transitions
    is wrong (LP: #1615880)
    - SAUCE: apparmor: Fix new to old label comparison for domain transitions

  * warning stack trace while playing with apparmor namespaces (LP: #1593874)
    - SAUCE: apparmor: fix stack trace when removing namespace with profiles

  * __label_update proxy comparison test is wrong (LP: #1615878)
    - SAUCE: apparmor: Fix __label_update proxy comparison test

  * reading /sys/kernel/security/apparmor/profiles requires CAP_MAC_ADMIN
    (LP: #1560583)
    - SAUCE: apparmor: Allow ns_root processes to open profiles file
    - SAUCE: apparmor: Consult sysctl when reading profiles in a user ns

  * policy namespace stacking (LP: #1379535)
    - SAUCE: (no-up) apparmor: rebase of apparmor3.5-beta1 snapshot for 4.8
    - SAUCE: add a sysctl to enable unprivileged user ns AppArmor policy loading

  * Miscellaneous Ubuntu changes
    - [Debian] Dynamically determine linux udebs package name
    - [Debian] d-i -- fix dtb handling in new kernel-wedge form
    - SAUCE: apparmor: Fix FTBFS due to bad include path
    - SAUCE: apparmor: add data query support
    - [Config] Set CONFIG_SECURITY_APPARMOR_UNCONFINED_INIT=y

  * Miscellaneous upstream changes
    - fixup backout policy view capable for forward port
    - apparmor: fix: Rework the iter loop for label_update
    - apparmor: add more assertions for updates/merges to help catch errors
    - apparmor: Make pivot root transitions work with stacking
    - apparmor: convert delegating deleted files to mediate deleted files
    - apparmor: add missing parens. not a bug fix but highly recommended
    - apparmor: add a stack_version file to allow detection of bug fixes
    - apparmor: push path lookup into mediation loop
    - apparmor: default to allowing unprivileged userns policy
    - apparmor: fix: permissions test to view and manage policy
    - apparmor: Add Basic ns cross check condition for ipc

 -- Leann Ogasawara <leann.ogasaw...@canonical.com>  Sat, 17 Sep 2016 10:03:16 -0700

** Changed in: linux (Ubuntu)
       Status: Expired => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1593874

Title:
  warning stack trace while playing with apparmor namespaces

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Released

Bug description:
  I'm not sure what exactly I was doing when this happened, but
  something fairly basic (creating containers, adding/removing
  profiles). Let me know if you need more than the trace and I can try
  and figure out how to reproduce.

  Jun 17 20:20:06 dev kernel: [13314.032676] ------------[ cut here ]------------
  Jun 17 20:20:06 dev kernel: [13314.032689] WARNING: CPU: 3 PID: 8964 at /build/linux-oXTOqc/linux-4.4.0/security/apparmor/label.c:82 __aa_proxy_redirect+0xff/0x130()
  Jun 17 20:20:06 dev kernel: [13314.032692] AppArmor WARN __aa_proxy_redirect: ((!!queued_write_can_lock(&(&(&(((((&((orig)->vec[0])))[(((orig)->size)) - 1])->ns))->labels)->lock)->raw_lock))):
  Jun 17 20:20:06 dev kernel: [13314.032693] Modules linked in: binfmt_misc veth xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack xt_tcpudp bridge stp llc iptable_filter ip_tables x_tables isofs zfs(PO) zunicode(PO) zcommon(PO) znvpair(PO) spl(O) zavl(PO) ppdev kvm_intel kvm joydev serio_raw irqbypass parport_pc parport ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear psmouse floppy
  Jun 17 20:20:06 dev kernel: [13314.032751] CPU: 3 PID: 8964 Comm: lxd Tainted: P        W  O    4.4.0-24-generic #43-Ubuntu
  Jun 17 20:20:06 dev kernel: [13314.032753] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
  Jun 17 20:20:06 dev kernel: [13314.032756]  0000000000000286 00000000dc104ca4 ffff880044db3d18 ffffffff813eab23
  Jun 17 20:20:06 dev kernel: [13314.032760]  ffff880044db3d60 ffffffff81cec7f0 ffff880044db3d50 ffffffff810810d2
  Jun 17 20:20:06 dev kernel: [13314.032763]  ffff880047f04360 ffff88007a08d360 ffff88004a551b00 ffff88004a551b38
  Jun 17 20:20:06 dev kernel: [13314.032766] Call Trace:
  Jun 17 20:20:06 dev kernel: [13314.032773]  [<ffffffff813eab23>] dump_stack+0x63/0x90
  Jun 17 20:20:06 dev kernel: [13314.032777]  [<ffffffff810810d2>] warn_slowpath_common+0x82/0xc0
  Jun 17 20:20:06 dev kernel: [13314.032780]  [<ffffffff8108116c>] warn_slowpath_fmt+0x5c/0x80
  Jun 17 20:20:06 dev kernel: [13314.032784]  [<ffffffff81380292>] ? __list_remove_profile+0x62/0xe0
  Jun 17 20:20:06 dev kernel: [13314.032788]  [<ffffffff8138abcf>] __aa_proxy_redirect+0xff/0x130
  Jun 17 20:20:06 dev kernel: [13314.032792]  [<ffffffff81395dc6>] destroy_ns+0x86/0xa0
  Jun 17 20:20:06 dev kernel: [13314.032794]  [<ffffffff81395d0f>] __aa_remove_ns+0x2f/0x60
  Jun 17 20:20:06 dev kernel: [13314.032798]  [<ffffffff81382a63>] aa_remove_profiles+0x193/0x270
  Jun 17 20:20:06 dev kernel: [13314.032800]  [<ffffffff81379721>] ? __aa_kvmalloc+0x41/0x60
  Jun 17 20:20:06 dev kernel: [13314.032803]  [<ffffffff8137724e>] profile_remove+0x9e/0x1f0
  Jun 17 20:20:06 dev kernel: [13314.032808]  [<ffffffff8120c468>] __vfs_write+0x18/0x40
  Jun 17 20:20:06 dev kernel: [13314.032811]  [<ffffffff8120cdf9>] vfs_write+0xa9/0x1a0
  Jun 17 20:20:06 dev kernel: [13314.032814]  [<ffffffff8120bd8f>] ? do_sys_open+0x1bf/0x2a0
  Jun 17 20:20:06 dev kernel: [13314.032818]  [<ffffffff8120dab5>] SyS_write+0x55/0xc0
  Jun 17 20:20:06 dev kernel: [13314.032823]  [<ffffffff81825bf2>] entry_SYSCALL_64_fastpath+0x16/0x71
  Jun 17 20:20:06 dev kernel: [13314.032826] ---[ end trace 2eb06377c45f3d4c ]---
