This bug was fixed in the package linux - 4.8.0-11.12
---------------
linux (4.8.0-11.12) yakkety; urgency=low
* change_hat is logging failures during expected hat probing (LP: #1615893)
- SAUCE: apparmor: Fix auditing behavior for change_hat probing
* deleted files outside of the namespace are not being treated as
disconnected
(LP: #1615892)
- SAUCE: apparmor: deleted dentries can be disconnected
* stacking to unconfined in a child namespace confuses mediation
(LP: #1615890)
- SAUCE: apparmor: special case unconfined when determining the mode
* apparmor module parameters can be changed after the policy is locked
(LP: #1615895)
- SAUCE: apparmor: fix: parameters can be changed after policy is locked
* AppArmor profile reloading causes an intermittent kernel BUG (LP:
#1579135)
- SAUCE: apparmor: fix vec_unique for vectors larger than 8
* label vec reductions can result in reference labels instead of direct
access
to labels (LP: #1615889)
- SAUCE: apparmor: reduction of vec to single entry is just that entry
* profiles from different namespaces can block other namespaces from being
able to load a profile (LP: #1615887)
- SAUCE: apparmor: profiles in one ns can affect mediation in another ns
* The label build for onexec when stacking is wrong (LP: #1615881)
- SAUCE: apparmor: Fix label build for onexec stacking.
* The inherit check for new to old label comparison for domain transitions
is
wrong (LP: #1615880)
- SAUCE: apparmor: Fix new to old label comparison for domain transitions
* warning stack trace while playing with apparmor namespaces (LP: #1593874)
- SAUCE: apparmor: fix stack trace when removing namespace with profiles
* __label_update proxy comparison test is wrong (LP: #1615878)
- SAUCE: apparmor: Fix __label_update proxy comparison test
* reading /sys/kernel/security/apparmor/profiles requires CAP_MAC_ADMIN
(LP: #1560583)
- SAUCE: apparmor: Allow ns_root processes to open profiles file
- SAUCE: apparmor: Consult sysctl when reading profiles in a user ns
* policy namespace stacking (LP: #1379535)
- SAUCE: (no-up) apparmor: rebase of apparmor3.5-beta1 snapshot for 4.8
- SAUCE: add a sysctl to enable unprivileged user ns AppArmor policy loading
* Miscellaneous Ubuntu changes
- [Debian] Dynamically determine linux udebs package name
- [Debian] d-i -- fix dtb handling in new kernel-wedge form
- SAUCE: apparmor: Fix FTBFS due to bad include path
- SAUCE: apparmor: add data query support
- [Config] Set CONFIG_SECURITY_APPARMOR_UNCONFINED_INIT=y
* Miscellaneous upstream changes
- fixup backout policy view capable for forward port
- apparmor: fix: Rework the iter loop for label_update
- apparmor: add more assertions for updates/merges to help catch errors
- apparmor: Make pivot root transitions work with stacking
- apparmor: convert delegating deleted files to mediate deleted files
- apparmor: add missing parens. not a bug fix but highly recommended
- apparmor: add a stack_version file to allow detection of bug fixes
- apparmor: push path lookup into mediation loop
- apparmor: default to allowing unprivileged userns policy
- apparmor: fix: permissions test to view and manage policy
- apparmor: Add Basic ns cross check condition for ipc
-- Leann Ogasawara <leann.ogasaw...@canonical.com> Sat, 17 Sep 2016
10:03:16 -0700
** Changed in: linux (Ubuntu)
Status: Expired => Fix Released
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1593874
Title:
warning stack trace while playing with apparmor namespaces
Status in linux package in Ubuntu:
Fix Released
Status in linux source package in Xenial:
Fix Released
Bug description:
I'm not sure what exactly I was doing when this happened, but
something fairly basic (creating containers, adding/removing
profiles). Let me know if you need more than the trace and I can try
and figure out how to reproduce.
Jun 17 20:20:06 dev kernel: [13314.032676] ------------[ cut here
]------------
Jun 17 20:20:06 dev kernel: [13314.032689] WARNING: CPU: 3 PID: 8964 at
/build/linux-oXTOqc/linux-4.4.0/security/apparmor/label.c:82
__aa_proxy_redirect+0xff/0x130()
Jun 17 20:20:06 dev kernel: [13314.032692] AppArmor WARN __aa_proxy_redirect:
((!!queued_write_can_lock(&(&(&(((((&((orig)->vec[0])))[(((orig)->size)) -
1])->ns))->labels)->lock)->raw_lock))):
Jun 17 20:20:06 dev kernel: [13314.032693] Modules linked in: binfmt_misc
veth xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4
iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack
xt_tcpudp bridge stp llc iptable_filter ip_tables x_tables isofs zfs(PO)
zunicode(PO) zcommon(PO) znvpair(PO) spl(O) zavl(PO) ppdev kvm_intel kvm joydev
serio_raw irqbypass parport_pc parport ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad
ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4
btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx
xor raid6_pq libcrc32c raid1 raid0 multipath linear psmouse floppy
Jun 17 20:20:06 dev kernel: [13314.032751] CPU: 3 PID: 8964 Comm: lxd
Tainted: P W O 4.4.0-24-generic #43-Ubuntu
Jun 17 20:20:06 dev kernel: [13314.032753] Hardware name: QEMU Standard PC
(i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
Jun 17 20:20:06 dev kernel: [13314.032756] 0000000000000286 00000000dc104ca4
ffff880044db3d18 ffffffff813eab23
Jun 17 20:20:06 dev kernel: [13314.032760] ffff880044db3d60 ffffffff81cec7f0
ffff880044db3d50 ffffffff810810d2
Jun 17 20:20:06 dev kernel: [13314.032763] ffff880047f04360 ffff88007a08d360
ffff88004a551b00 ffff88004a551b38
Jun 17 20:20:06 dev kernel: [13314.032766] Call Trace:
Jun 17 20:20:06 dev kernel: [13314.032773] [<ffffffff813eab23>]
dump_stack+0x63/0x90
Jun 17 20:20:06 dev kernel: [13314.032777] [<ffffffff810810d2>]
warn_slowpath_common+0x82/0xc0
Jun 17 20:20:06 dev kernel: [13314.032780] [<ffffffff8108116c>]
warn_slowpath_fmt+0x5c/0x80
Jun 17 20:20:06 dev kernel: [13314.032784] [<ffffffff81380292>] ?
__list_remove_profile+0x62/0xe0
Jun 17 20:20:06 dev kernel: [13314.032788] [<ffffffff8138abcf>]
__aa_proxy_redirect+0xff/0x130
Jun 17 20:20:06 dev kernel: [13314.032792] [<ffffffff81395dc6>]
destroy_ns+0x86/0xa0
Jun 17 20:20:06 dev kernel: [13314.032794] [<ffffffff81395d0f>]
__aa_remove_ns+0x2f/0x60
Jun 17 20:20:06 dev kernel: [13314.032798] [<ffffffff81382a63>]
aa_remove_profiles+0x193/0x270
Jun 17 20:20:06 dev kernel: [13314.032800] [<ffffffff81379721>] ?
__aa_kvmalloc+0x41/0x60
Jun 17 20:20:06 dev kernel: [13314.032803] [<ffffffff8137724e>]
profile_remove+0x9e/0x1f0
Jun 17 20:20:06 dev kernel: [13314.032808] [<ffffffff8120c468>]
__vfs_write+0x18/0x40
Jun 17 20:20:06 dev kernel: [13314.032811] [<ffffffff8120cdf9>]
vfs_write+0xa9/0x1a0
Jun 17 20:20:06 dev kernel: [13314.032814] [<ffffffff8120bd8f>] ?
do_sys_open+0x1bf/0x2a0
Jun 17 20:20:06 dev kernel: [13314.032818] [<ffffffff8120dab5>]
SyS_write+0x55/0xc0
Jun 17 20:20:06 dev kernel: [13314.032823] [<ffffffff81825bf2>]
entry_SYSCALL_64_fastpath+0x16/0x71
Jun 17 20:20:06 dev kernel: [13314.032826] ---[ end trace 2eb06377c45f3d4c
]---
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1593874/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
