Host:
$ uname -a
Linux sec-xenial-amd64 4.4.0-77-generic #98-Ubuntu SMP Wed Apr 26 08:34:02 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

$ apparmor_parser -V
AppArmor parser version 2.10.95
Copyright (C) 1999-2008 Novell Inc.
Copyright 2009-2012 Canonical Ltd.


Container:
root@xen:~# uname -a
Linux xen 4.4.0-77-generic #98-Ubuntu SMP Wed Apr 26 08:34:02 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

root@xen:~# apparmor_parser -V
AppArmor parser version 2.10.95
Copyright (C) 1999-2008 Novell Inc.
Copyright 2009-2012 Canonical Ltd.

Note, the reproducer is:

1. apt-get install lxd
2. sg lxd
3. lxc launch ubuntu:16.04 xen
4. lxc exec xen -- apt update
5. lxc exec xen -- apt dist-upgrade -y
6. lxc exec xen -- /bin/bash and edit /etc/apparmor.d/abstractions/base to have:
     /run/systemd/journal/stdout rw,
7. lxc exec xen -- apt install cups -y

and get the denial. If I add to /etc/apparmor.d/usr.sbin.cups-browsed in
the container:

  /usr/sbin/cups-browsed r,

then I can (after reloading the profile):

$ lxc exec xen -- /bin/bash
root@xen:~# service cups-browsed stop
root@xen:~# service cups-browsed start
root@xen:~# systemctl status cups-browsed
● cups-browsed.service - Make remote CUPS printers available locally
   Loaded: loaded (/lib/systemd/system/cups-browsed.service; enabled; vendor preset:
   Active: active (running) since Thu 2017-05-04 20:06:50 UTC; 10s ago
 Main PID: 11697 (cups-browsed)
    Tasks: 3
   Memory: 2.5M
      CPU: 17ms
   CGroup: /system.slice/cups-browsed.service
           └─11697 /usr/sbin/cups-browsed

May 04 20:06:50 xen systemd[1]: Started Make remote CUPS printers available locally.

https://bugs.launchpad.net/bugs/1655982

Title:
  cups-browsed fails to start in containers after apparmor stacking
  backport to xenial

Status in apparmor package in Ubuntu:
  New

Bug description:
  The SRU of apparmor stacking for the Ubuntu 16.04 LTS kernel causes a
  regression in cups-browsed (shipped by cups) which now fails to start
  and gets respawned in a loop by systemd until it completely gives up.

  To reproduce:
   - lxc launch ubuntu:16.04 xen
   - lxc exec xen -- apt update
   - lxc exec xen -- apt dist-upgrade -y
   - lxc exec xen -- apt install cups -y

  You'll get:

  root@xen:~# systemctl status cups-browsed
  ● cups-browsed.service - Make remote CUPS printers available locally
     Loaded: loaded (/lib/systemd/system/cups-browsed.service; enabled; vendor preset: enabled)
     Active: failed (Result: signal) since Thu 2017-01-12 14:09:38 UTC; 8min ago
   Main PID: 7725 (code=killed, signal=SEGV)

  Jan 12 14:09:38 xen systemd[1]: Started Make remote CUPS printers available locally.
  Jan 12 14:09:38 xen systemd[1]: cups-browsed.service: Main process exited, code=killed, status=11/SEGV
  Jan 12 14:09:38 xen systemd[1]: cups-browsed.service: Unit entered failed state.
  Jan 12 14:09:38 xen systemd[1]: cups-browsed.service: Failed with result 'signal'.


  And in dmesg (in a loop):
  [95217.312576] audit: type=1400 audit(1484230171.171:1004): apparmor="STATUS" operation="profile_load" label="lxd-xen_</var/lib/lxd>//&:lxd-xen_<var-lib-lxd>://unconfined" name="/usr/lib/cups/backend/cups-pdf" pid=16941 comm="apparmor_parser"
  [95217.313011] audit: type=1400 audit(1484230171.171:1005): apparmor="STATUS" operation="profile_load" label="lxd-xen_</var/lib/lxd>//&:lxd-xen_<var-lib-lxd>://unconfined" name="/usr/sbin/cupsd" pid=16941 comm="apparmor_parser"
  [95217.313202] audit: type=1400 audit(1484230171.171:1006): apparmor="STATUS" operation="profile_load" label="lxd-xen_</var/lib/lxd>//&:lxd-xen_<var-lib-lxd>://unconfined" name="/usr/sbin/cupsd//third_party" pid=16941 comm="apparmor_parser"
  [95218.126005] audit: type=1400 audit(1484230171.983:1007): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-xen_<var-lib-lxd>" profile="/usr/sbin/cupsd" name="/run/systemd/journal/stdout" pid=17074 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=100000 ouid=100000
  [95218.126018] audit: type=1400 audit(1484230171.983:1008): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-xen_<var-lib-lxd>" profile="/usr/sbin/cupsd" name="/run/systemd/journal/stdout" pid=17074 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=100000 ouid=100000
  [95222.686493] audit: type=1400 audit(1484230176.542:1009): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-xen_<var-lib-lxd>" profile="/usr/sbin/cupsd" name="/run/systemd/journal/stdout" pid=17553 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=100000 ouid=100000
  [95222.686624] audit: type=1400 audit(1484230176.542:1010): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-xen_<var-lib-lxd>" profile="/usr/sbin/cupsd" name="/run/systemd/journal/stdout" pid=17553 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=100000 ouid=100000
  [95224.324494] audit: type=1400 audit(1484230178.182:1011): apparmor="STATUS" operation="profile_load" label="lxd-xen_</var/lib/lxd>//&:lxd-xen_<var-lib-lxd>://unconfined" name="/usr/sbin/cups-browsed" pid=17681 comm="apparmor_parser"
  [95224.610016] audit: type=1400 audit(1484230178.466:1012): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-xen_<var-lib-lxd>" profile="/usr/sbin/cups-browsed" name="/run/systemd/journal/stdout" pid=17765 comm="cups-browsed" requested_mask="wr" denied_mask="wr" fsuid=100000 ouid=100000
  [95224.610029] audit: type=1400 audit(1484230178.466:1013): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-xen_<var-lib-lxd>" profile="/usr/sbin/cups-browsed" name="/run/systemd/journal/stdout" pid=17765 comm="cups-browsed" requested_mask="wr" denied_mask="wr" fsuid=100000 ouid=100000
  [95224.610046] audit: type=1400 audit(1484230178.466:1014): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-xen_<var-lib-lxd>" profile="/usr/sbin/cups-browsed" name="/usr/sbin/cups-browsed" pid=17765 comm="cups-browsed" requested_mask="rm" denied_mask="rm" fsuid=100000 ouid=100000
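As an added example (not from this bug report or the apparmor project), a small Python triage helper that parses `type=1400` audit records like the ones above, groups the `DENIED` events by namespace, profile and path, and merges the denied masks into one candidate file rule per path, which is what the comment above did by hand for `/usr/sbin/cups-browsed`. The sample records are constructed copies of lines in this report; `parse_audit`, `suggest_rules` and the mask merging are my simplification of what aa-logprof does, not its code.

```python
import re
from collections import defaultdict

# Constructed sample: copies of audit records quoted in this bug report.
SAMPLE = """\
[95218.126005] audit: type=1400 audit(1484230171.983:1007): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-xen_<var-lib-lxd>" profile="/usr/sbin/cupsd" name="/run/systemd/journal/stdout" pid=17074 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=100000 ouid=100000
[95224.324494] audit: type=1400 audit(1484230178.182:1011): apparmor="STATUS" operation="profile_load" label="lxd-xen_</var/lib/lxd>//&:lxd-xen_<var-lib-lxd>://unconfined" name="/usr/sbin/cups-browsed" pid=17681 comm="apparmor_parser"
[95224.610016] audit: type=1400 audit(1484230178.466:1012): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-xen_<var-lib-lxd>" profile="/usr/sbin/cups-browsed" name="/run/systemd/journal/stdout" pid=17765 comm="cups-browsed" requested_mask="wr" denied_mask="wr" fsuid=100000 ouid=100000
[95224.610046] audit: type=1400 audit(1484230178.466:1014): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-xen_<var-lib-lxd>" profile="/usr/sbin/cups-browsed" name="/usr/sbin/cups-browsed" pid=17765 comm="cups-browsed" requested_mask="rm" denied_mask="rm" fsuid=100000 ouid=100000
"""

# key=value pairs; values are either double-quoted (may contain spaces/slashes) or bare.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
MASK_ORDER = "rwmklx"  # the order AppArmor itself prints file permissions in


def parse_audit(line):
    """Turn one type=1400 audit record into a dict of field -> value."""
    return {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}


def suggest_rules(log_text):
    """Group DENIED events by (namespace, profile, path) and merge every denied_mask
    seen for that path into one candidate file rule, keyed by (namespace, profile).
    Simplified aa-logprof behaviour: it knows nothing about abstractions or globbing."""
    wanted = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_audit(line)
        if ev.get("apparmor") != "DENIED" or "denied_mask" not in ev:
            continue  # STATUS/profile_load records carry no permission to grant
        # With stacking the namespace matters: the rule belongs in the profile
        # loaded inside that namespace (the container), not in the host's copy.
        key = (ev.get("namespace", "root"), ev["profile"], ev["name"])
        wanted[key].update(ev["denied_mask"])
    rules = defaultdict(list)
    for (ns, profile, path), perms in wanted.items():
        mask = "".join(p for p in MASK_ORDER if p in perms)
        rules[(ns, profile)].append(f"  {path} {mask},")
    return dict(rules)


if __name__ == "__main__":
    for (ns, profile), lines in suggest_rules(SAMPLE).items():
        print(f"# namespace {ns}, profile {profile}")
        print("\n".join(lines))
```

For the `file_mmap` denial the merged mask is `rm`; the comment above found that `r,` alone was enough in practice, so treat the output as a starting point to review, not as rules to apply blindly.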
