[Bug 1061195] New: kernel-default-4.14-rc2 with apparmor enabled breaks dnsmasq and others cannot create AF_UNIX sockets
http://bugzilla.opensuse.org/show_bug.cgi?id=1061195

Bug ID: 1061195
Summary: kernel-default-4.14-rc2 with apparmor enabled breaks dnsmasq and others cannot create AF_UNIX sockets
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
Assignee: suse-beta@cboltz.de
Reporter: vbabka@suse.com
QA Contact: qa-bugs@suse.de
CC: jeffm@suse.com, max@suse.com, msuchanek@suse.com
Found By: ---
Blocker: ---

After upgrade to kernel-default-4.14-rc2 from kernel:HEAD, dnsmasq failed to start:

dnsmasq.service: Main process exited, code=exited, status=3/NOTIMPLEMENTED

Running it manually:

dnsmasq: cannot open log permission denied: permission denied

strace showed that each attempt at socket(AF_UNIX...) returns EACCES. Interestingly, things worked with 4.14-rc1. During the reboots I also noticed some error messages from nscd that could not open unix sockets.

Running git log on 4.14-rc2 and grepping for socket, I noticed commit 651e28c5537a ("apparmor: add base infastructure for socket mediation"), which made me suspect apparmor. Indeed, after disabling apparmor, things work again on 4.14-rc2.

So I understand that apparmor learned to restrict more things, and the current rules are not prepared for that?

-- You are receiving this mail because: You are on the CC list for the bug.
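The reporter diagnosed the failure from strace output: socket(AF_UNIX, ...) returning EACCES, which ordinary file permissions cannot cause, points at LSM (here AppArmor) mediation rather than at dnsmasq itself. The following probe is an added example, not code from the bug report or from the dnsmasq or AppArmor projects; it assumes Linux and a C compiler, and the classification labels are its own. It tries to create the socket types the report mentions and prints the errno each attempt returns, so an administrator can confirm on a given kernel and profile whether AF_UNIX socket creation is being denied before digging into profile rules.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Try to create one socket of the given domain and type.
 * Returns 0 on success or the errno value socket(2) set on failure.
 * Added diagnostic helper (assumed name), not from the bug report. */
int probe_socket(int domain, int type) {
    int fd = socket(domain, type, 0);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Map an errno from socket(2) to a coarse diagnosis. EACCES on socket
 * creation is what an LSM denial looks like (the reporter's strace case);
 * EPERM is what a missing capability (e.g. for raw sockets) looks like;
 * EAFNOSUPPORT / EPROTONOSUPPORT mean the kernel simply lacks the family
 * or protocol and AppArmor is not involved. Labels are this example's own. */
const char *classify(int err) {
    if (err == 0)
        return "ok";
    if (err == EACCES)
        return "denied-by-lsm";
    if (err == EPERM)
        return "denied-missing-capability";
    if (err == EAFNOSUPPORT || err == EPROTONOSUPPORT)
        return "unsupported";
    return "other";
}

int main(void) {
    /* Constructed probe list: the AF_UNIX types dnsmasq and nscd need,
     * plus an AF_INET control that the 4.14-rc2 change did not affect. */
    struct { const char *name; int domain; int type; } probes[] = {
        {"AF_UNIX/SOCK_STREAM", AF_UNIX, SOCK_STREAM},
        {"AF_UNIX/SOCK_DGRAM",  AF_UNIX, SOCK_DGRAM},
        {"AF_INET/SOCK_STREAM", AF_INET, SOCK_STREAM},
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int err = probe_socket(probes[i].domain, probes[i].type);
        printf("%-22s %-26s %s\n", probes[i].name, classify(err),
               err ? strerror(err) : "");
    }
    return 0;
}
```

Run it from inside the confined program's context (for example via `aa-exec` with the dnsmasq profile, or as the service user under the same profile) to reproduce the denial; run it unconfined to confirm the kernel itself supports the socket families. A `denied-by-lsm` result alongside a matching `DENIED` line in the audit log is the signal that the profile or its abstractions need network rules for the newly mediated socket operations, which is the fix the thread converges on.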
--- Comment #1 from Christian Boltz
--- Comment #3 from Jeff Mahoney
--- Comment #4 from Christian Boltz
--- Comment #5 from Michal Kubeček

> Do you have any ETA when 4.14 will enter Tumbleweed?

A new kernel version is usually submitted shortly after the upstream release, which in the case of 4.14 is most likely going to be in 5 or 6 weeks (we are at rc3 now, and the last RC tends to be rc7 or rc8). After that, it depends on how many issues are found (and how serious). So I would say you can take 5 weeks for granted, but it might be a bit more.
--- Comment #8 from Doug Smythies

> We can't be the only ones seeing this issue.

I am seeing issues, not exactly the same, with Ubuntu. My test Ubuntu 16.04.3 server fails to start mysql and libvirtd due to many apparmor "DENIED" errors. My Ubuntu 17.10 development desktop VM fails to acquire an IP address due to dhclient apparmor "DENIED" errors. The problems came up between kernels 4.14-rc1 and 4.14-rc2, and via kernel bisection were isolated to commit 651e28c5537abb39076d3949fb7618536f1d242e - apparmor: add base infastructure for socket mediation.

I found this thread: https://lkml.org/lkml/2017/10/3/2, which pointed me here. The thread debates whether this is a kernel regression or not. In my opinion it is a kernel regression. I have passed my information along to the author of the commit.

Jeff wrote:

> We've carried the network mediation patches for a while. They landed upstream in -rc2, which must've been in a slightly different form.

I'm told that Ubuntu has carried them for a while also. And yes, there are significant differences between Ubuntu kernel 4.13.0.12 and what ended up in mainline kernel 4.14-rc2.
--- Comment #9 from Christian Boltz

> I found this thread: https://lkml.org/lkml/2017/10/3/2, which pointed me here. The thread debates whether this is a kernel regression or not. In my opinion it is a kernel regression. I have passed my information along to the author of the commit.

I somewhat understand why you (as a user) call this a regression ;-) - but I'd call adding support for new rule types (which weren't mediated before and therefore always allowed) a feature, and it was expected that we'll need to add some rules to the abstractions to avoid user-visible breakage.

That's why I'm currently using a 4.14 rc kernel - basically I'm eating my own dogfood to avoid trouble for everybody else ;-) The first SR is already on its way to Tumbleweed, weeks before kernel 4.14 is expected there. And I'm also in contact with the libvirt maintainer to make sure the libvirtd profile gets updated (bug 1060860).

I've seen in the lkml discussion that you are using the latest kernel (I'd guess from Kernel:HEAD) on Leap. While this isn't officially supported, I'll see if I can include the updated abstractions with the next maintenance update. Until then, feel free to apply the patch from SR 531184 manually.
--- Comment #10 from Jeff Mahoney
--- Comment #11 from Christian Boltz
--- Comment #13 from Christian Boltz