[Bug 1061195] New: kernel-default-4.14-rc2 with apparmor enabled breaks dnsmasq and others cannot create AF_UNIX sockets - openSUSE Bugs - openSUSE Mailing Lists

newer
[Bug 1057900] New: traceroute...

[Bug 1061195] New: kernel-default-4.14-rc2 with apparmor enabled breaks dnsmasq and others cannot create AF_UNIX sockets

older
[Bug 1065582] tor: 0.3.1.8,...

bugzilla_noreply＠novell.com

30 Sep 2017 30 Sep '17

19:00

http://bugzilla.opensuse.org/show_bug.cgi?id=1061195 Bug ID: 1061195 Summary: kernel-default-4.14-rc2 with apparmor enabled breaks dnsmasq and others cannot create AF_UNIX sockets Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: AppArmor Assignee: suse-beta@cboltz.de Reporter: vbabka@suse.com QA Contact: qa-bugs@suse.de CC: jeffm@suse.com, max@suse.com, msuchanek@suse.com Found By: --- Blocker: --- After upgrade to kernel-default-4.14-rc2 from kernel:HEAD, dnsmasq failed to start: dnsmasq.service: Main process exited, code=exited, status=3/NOTIMPLEMENTED running manually: dnsmasq: cannot open log permission denied: permission denied strace showed that each attempt for socket(AF_UNIX...) returns EACCES Interestingly, things worked with 4.14-rc1. During the reboots I also noticed some error messages from nscd that could not open unix sockets. Running git log on 4.14-rc2 grepping for socket, I noticed commit 651e28c5537a ("apparmor: add base infastructure for socket mediation") which made me suspect apparmor. Indeed, after disabling apparmor, things work again on 4.14-rc2. So I understand that apparmor learned to restrict more things, and current rules are not prepared for that? -- You are receiving this mail because: You are on the CC list for the bug.

Attachments:

attachment.htm (text/html — 3.1 KB)

Reply

Sign in to reply online Use email software

Show replies by date

bugzilla_noreply＠novell.com

1 Oct 1 Oct

14:56

New subject: [Bug 1061195] kernel-default-4.14-rc2 with apparmor enabled breaks dnsmasq and others cannot create AF_UNIX sockets

http://bugzilla.opensuse.org/show_bug.cgi?id=1061195 http://bugzilla.opensuse.org/show_bug.cgi?id=1061195#c1 --- Comment #1 from Christian Boltz --- Can you please check your /var/log/audit/audit.log (or syslog or journal or dmesg, depending on your log configuration) and attach the AppArmor-related messages? -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

2 Oct 2 Oct

14:40

New subject: [Bug 1061195] kernel-default-4.14-rc2 with apparmor enabled breaks dnsmasq and others cannot create AF_UNIX sockets

http://bugzilla.opensuse.org/show_bug.cgi?id=1061195 http://bugzilla.opensuse.org/show_bug.cgi?id=1061195#c3 --- Comment #3 from Jeff Mahoney --- We've carried the network mediation patches for a while. They landed upstream in -rc2, which must've been in a slightly different form. Hopefully it should be as simple as refreshing our userspace tools to get the updated profiles. We can't be the only ones seeing this issue. -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

14:40

New subject: [Bug 1061195] kernel-default-4.14-rc2 with apparmor enabled breaks dnsmasq and others cannot create AF_UNIX sockets

http://bugzilla.opensuse.org/show_bug.cgi?id=1061195 Jeff Mahoney changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |rgoldwyn@suse.com -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

22:40

New subject: [Bug 1061195] kernel-default-4.14-rc2 with apparmor enabled breaks dnsmasq and others cannot create AF_UNIX sockets

http://bugzilla.opensuse.org/show_bug.cgi?id=1061195 http://bugzilla.opensuse.org/show_bug.cgi?id=1061195#c4 --- Comment #4 from Christian Boltz --- I updated to Kernel:HEAD today, and had an interesting evening in #apparmor ;-) Regarding the now upstreamed network patch, let me just quote John: <‎jjohansen‎>‎ cboltz: ah yes, the upstreamed version fixes a couple holes in the old patch suse carried One of these "holes" were unix events, which explains the denials you noticed (and that I also see now after installing 4.14rc2). The final solution will be to add some "unix" rules - but that's hard at the moment because 4.14 doesn't log all details needed for unix rules. Instead, I'll add a temporary patch for abstractions/nameservice that adds network unix dgram, network unix stream, (including a TODO note to replace it as soon as support for unix rules was upstreamed, probably 4.15). These rules are broader than needed, but should avoid user-visible breakage - and at least with 4.14, unix rules would get downgraded to network unix anyway ;-) Do you have any ETA when 4.14 will enter Tumbleweed? I want to have the updated abstractions/nameservice in place before 4.14 enters Tumbleweed, otherwise *lots of* things will break. To give you an impression what "lots of" means - I had to adjust 40 profiles on my laptop ;-) -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

3 Oct 3 Oct

06:54

New subject: [Bug 1061195] kernel-default-4.14-rc2 with apparmor enabled breaks dnsmasq and others cannot create AF_UNIX sockets

http://bugzilla.opensuse.org/show_bug.cgi?id=1061195 http://bugzilla.opensuse.org/show_bug.cgi?id=1061195#c5 Michal Kubeček changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |mkubecek@suse.com --- Comment #5 from Michal Kubeček --- (In reply to Christian Boltz from comment #4)

Do you have any ETA when 4.14 will enter Tumbleweed?

New kernel version is usually submitted shortly after upstream release which in case of 4.14 is most likely going to be in 5 or 6 weeks (we are at rc3 now and last RC tends to be rc7 or rc8). After that, it depends on how many issues are found (and how serious). So I would say you can take 5 weeks for granted but it might be a bit more. -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

7 Oct 7 Oct

16:24

New subject: [Bug 1061195] kernel-default-4.14-rc2 with apparmor enabled breaks dnsmasq and others cannot create AF_UNIX sockets

http://bugzilla.opensuse.org/show_bug.cgi?id=1061195 http://bugzilla.opensuse.org/show_bug.cgi?id=1061195#c8 Doug Smythies changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dsmythies@telus.net --- Comment #8 from Doug Smythies --- Jeff wrote:

We can't be the only ones seeing this issue.

I am seeing issues, not exactly the same, with Ubuntu. My test Ubuntu 16.04.3 server fails to start mysql and libvirtd due to many apparmor "DENIED" errors. My Ubuntu 17.10 development desktop VM fails to acquire an IP address due to dhclient apparmor "DENIED" errors. The problems came up between kernels 4.14-rc1 and 4.14-rc2, and via kernel bisection was isolated to commit 651e28c5537abb39076d3949fb7618536f1d242e - apparmor: add base infastructure for socket mediation. I found this thread: https://lkml.org/lkml/2017/10/3/2 , which pointed me here. The thread debates if this is a kernel regression or not. In my opinion it is a kernel regression. I have passed my information along to the author of the commit. Jeff wrote:

We've carried the network mediation patches for a while. They landed upstream in -rc2, which must've been in a slightly different form.

I'm told that Ubuntu has carried them for awhile also. And yes, there are significant differences between Ubuntu kernel 4.13.0.12 and what ended up in mainline kernel 4.14-rc2. -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

17:47

New subject: [Bug 1061195] kernel-default-4.14-rc2 with apparmor enabled breaks dnsmasq and others cannot create AF_UNIX sockets

http://bugzilla.opensuse.org/show_bug.cgi?id=1061195 http://bugzilla.opensuse.org/show_bug.cgi?id=1061195#c9 --- Comment #9 from Christian Boltz --- (In reply to Doug Smythies from comment #8)

I found this thread: https://lkml.org/lkml/2017/10/3/2 , which pointed me here. The thread debates if this is a kernel regression or not. In my opinion it is a kernel regression. I have passed my information along to the author of the commit.

I somewhat understand why you (as a user) call this a regression ;-) - but I'd call adding support for new rule types (which weren't mediated before and therefore always allowed) a feature, and it was expected that we'll need to add some rules to the abstractions to avoid user-visible breakage. That's why I'm currently using a 4.14 rc kernel - basically I'm eating my own dogfood to avoid trouble for everybody else ;-) The first SR is already on its way to Tumbleweed, weeks before kernel 4.14 is expected there. And I'm also in contact with the libvirt maintainer to make sure the libvirtd profile gets updated (bug 1060860). I've seen in the lkml discussion that you are using the latest kernel (I'd guess from Kernel:HEAD) on Leap. While this isn't officially supported, I'll see if I can include the updated abstractions with the next maintenance update. Until then, feel free to apply the patch from SR 531184 manually. -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

22:33

New subject: [Bug 1061195] kernel-default-4.14-rc2 with apparmor enabled breaks dnsmasq and others cannot create AF_UNIX sockets

http://bugzilla.opensuse.org/show_bug.cgi?id=1061195 http://bugzilla.opensuse.org/show_bug.cgi?id=1061195#c10 --- Comment #10 from Jeff Mahoney --- Thanks for your effort on this, Christian. I agree that users running an -rc kernel need to be prepared to deal with issues like this. That's not to say I don't appreciate users doing exactly that and reporting bugs in the process. I view this as a profile compatibility issue and one that, as you say, will be fixed before 4.14 hits TW as a real kernel update. -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

20 Oct 20 Oct

20:49

New subject: [Bug 1061195] kernel-default-4.14-rc2 with apparmor enabled breaks dnsmasq and others cannot create AF_UNIX sockets

http://bugzilla.opensuse.org/show_bug.cgi?id=1061195 http://bugzilla.opensuse.org/show_bug.cgi?id=1061195#c11 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |IN_PROGRESS --- Comment #11 from Christian Boltz --- It turned out that the added "network unix dgram/stream" rules is not really needed. Let me explain ;.-) In theory apparmor_parser should downgrade the "unix" rules in abstractions/base to "network unix" rules (when using Kernel < 4.15), which allows more than "network unix dgram/stream". In practise this rule downgrade was broken in apparmor_parser, and will be fixed in AppArmor 2.11.1, 2.10.3 and 2.9.5. I'll keep the patch adding "network unix dram/stream" to abstractions/nameservice in the Tumbleweed package just to be double sure - but already test locally with 2.11.1 and these rules removed. I'll submit 2.11.1 to Tumbleweed as soon as the currently pending SR 534597 gets accepted. For Leap, I'll prepare 2.10.3 update packages over the weekend which include the fixed apparmor_parser, and since Leap usually doesn't run with Kernel 4.14 (unless someone uses the KOTD repo), the safety net shouldn't be needed there. I'll add a pointer to 2.10.3 packages as soon as they are ready, so Leap+KOTD users can test them. -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

29 Oct 29 Oct

16:11

New subject: [Bug 1061195] kernel-default-4.14-rc2 with apparmor enabled breaks dnsmasq and others cannot create AF_UNIX sockets

http://bugzilla.opensuse.org/show_bug.cgi?id=1061195 http://bugzilla.opensuse.org/show_bug.cgi?id=1061195#c13 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- Status|IN_PROGRESS |RESOLVED Resolution|--- |FIXED --- Comment #13 from Christian Boltz --- The updated package reached Tumbleweed today. I also submitted an update for Leap 42.2 and 42.3 - SR 537428 -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

2379

Age (days ago)

2408

Last active (days ago)

Download

10 comments

1 participants

tags

participants (1)

bugzilla_noreply＠novell.com