[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq

2016-04-12 Thread Serge Hallyn
** Changed in: lxc (Ubuntu Xenial)
   Status: Confirmed => Invalid

** No longer affects: lxc (Ubuntu Vivid)

** No longer affects: lxc (Ubuntu Wily)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1446906

Title:
  lxc container with postfix, permission denied on mailq

Status in linux package in Ubuntu:
  Fix Released
Status in lxc package in Ubuntu:
  Invalid
Status in linux source package in Vivid:
  Fix Released
Status in linux source package in Wily:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in lxc source package in Xenial:
  Invalid

Bug description:
  [Impact]

   * Users may encounter situations where they use applications, confined by
     AppArmor, that hit EACCES failures when attempting to operate on AF_UNIX
     stream sockets.

   * These failures typically occur when the confined application attempts to
     read from an AF_UNIX stream socket when the other end of the socket has
     already been closed.

   * AppArmor is mistakenly denying the socket operations because the socket
     shutdown operation makes the sun_path no longer available for AppArmor
     mediation after the socket is shut down.

  [Test Case]

   The expected test case is:

   $ sudo apt-get install postfix # installing in 'local only' config is fine
   $ cat > bug-profile << EOF
   profile bug-profile flags=(attach_disconnected) {
     network,
     file,
   }
   EOF
   $ sudo apparmor_parser -r bug-profile
   $ aa-exec -p bug-profile -- mailq
   Mail queue is empty

   A failed test case will see the mailq command exit with an error:

   $ aa-exec -p bug-profile -- mailq
   postqueue: warning: close: Permission denied

   and these denials will be found in the syslog:

   Jan 25 16:56:29 sec-vivid-amd64 kernel: [  241.096168] audit: type=1400 audit(1453762589.727:29): apparmor="DENIED" operation="file_perm" profile="bug-profile" name="public/showq" pid=4923 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
   Jan 25 16:56:29 sec-vivid-amd64 kernel: [  241.096175] audit: type=1400 audit(1453762589.727:30): apparmor="DENIED" operation="file_perm" profile="bug-profile" name="public/showq" pid=4923 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

  [Regression Potential]

   * The changes are local to the path-based AF_UNIX stream socket mediation
     code so that limits the regression potential to some degree.

   * John Johansen authored the patch and I reviewed it. It is small and there
     are no obvious areas of concern to me regarding potential regressions.

  [Other Info]

   * None at this time

  [Original bug report]

  Hello,

  On three Vivid hosts, all of them up-to-date, I have the problem
  described here:

  https://bugs.launchpad.net/ubuntu/utopic/+source/linux/+bug/1390223

  That bug report shows the problem was fixed, but it is not (at least
  on current Vivid)

  ii  linux-image-generic  3.19.0.15.14    amd64  Generic Linux kernel image
  ii  lxc                  1.1.2-0ubuntu3  amd64  Linux Containers userspace tools
  ii  apparmor             2.9.1-0ubuntu9  amd64  User-space parser utility for AppArmor

  Reproducible with:

  $ sudo lxc-create -n test -t ubuntu
  $ sudo lxc-start -n test

  (inside container)

  $ sudo apt-get install postfix
  $ mailq
  postqueue: warning: close: Permission denied

  dmesg shows:
  [82140.386109] audit: type=1400 audit(1429661150.086:17067): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=27742 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  ---
  ApportVersion: 2.17.2-0ubuntu1
  Architecture: amd64
  AudioDevicesInUse:
   USERPID ACCESS COMMAND
   /dev/snd/controlC0:  zoolook1913 F pulseaudio
  CurrentDesktop: Unity
  DistroRelease: Ubuntu 15.04
  HibernationDevice: RESUME=UUID=aa25401d-0553-43dc-b7c8-c530fe245fb6
  InstallationDate: Installed on 2015-02-27 (53 days ago)
  InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1)
  MachineType: LENOVO 20150
  Package: linux (not installed)
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-3.19.0-15-generic root=/dev/mapper/ubuntu--vg-root ro cgroup_enable=memory swapaccount=1 quiet splash vt.handoff=7
  ProcVersionSignature: Ubuntu 3.19.0-15.15-generic 3.19.3
  RelatedPackageVersions:
   linux-restricted-modules-3.19.0-15-generic N/A
   linux-backports-modules-3.19.0-15-generic  N/A
   linux-firmware 1.143
  Tags:  vivid
  Uname: Linux 3.19.0-15-generic x86_64
  UpgradeStatus: Upgraded to vivid on 2015-03-29 (24 days ago)
  UserGroups: adm docker libvirtd lpadmin sambashare sudo
  _MarkForUpload: True
  dmi.bios.date: 12/19/2012
  dmi.bios.vendor: LENOVO
  dmi.bios.version: 5ECN95WW(V9.00)
  dmi.board.asset.tag: No Asset 
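
The socket sequence described under [Impact], as an added probe that is not part of the bug report or of the kernel patch: a client reads from a path-bound AF_UNIX stream socket after the peer has shut down and closed. The relative name public/showq is taken from the audit lines; the temporary directory, payload and function names are assumptions of this example, and the report does not confirm that an affected kernel denies exactly these calls.

```python
#!/usr/bin/env python3
"""Added probe (not from the bug report): read an AF_UNIX stream socket
after the peer has shut down and closed its end."""
import errno
import os
import socket
import sys
import tempfile

# Relative socket name copied from name="public/showq" in the audit lines.
SOCK_DIR, SOCK_NAME = "public", "showq"
PAYLOAD = b"Mail queue is empty\n"  # constructed sample payload


def _step(steps, label, func, *args):
    """Run one client-side call; record (label, None) or (label, errno name)."""
    try:
        value = func(*args)
    except OSError as exc:
        steps.append((label, errno.errorcode.get(exc.errno, str(exc.errno))))
        return None
    steps.append((label, None))
    return value


def probe_read_after_peer_close(payload=PAYLOAD):
    """Return {'steps': [...], 'data': bytes, 'eof': bool} for the client side."""
    steps, data, eof = [], None, False
    old_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as spool:
        os.chdir(spool)  # bind by relative path, as the audit lines show
        server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            os.mkdir(SOCK_DIR)
            path = os.path.join(SOCK_DIR, SOCK_NAME)
            server.settimeout(5)
            client.settimeout(5)
            server.bind(path)
            server.listen(1)
            _step(steps, "connect", client.connect, path)
            if steps[-1][1] is None:
                conn, _ = server.accept()
                conn.sendall(payload)
                # The peer goes away first; the client reads afterwards.
                conn.shutdown(socket.SHUT_RDWR)
                conn.close()
                server.close()
                data = _step(steps, "recv", client.recv, 4096)
                eof = _step(steps, "recv-eof", client.recv, 4096) == b""
            _step(steps, "close", client.close)
        finally:
            server.close()
            client.close()
            os.chdir(old_cwd)
    return {"steps": steps, "data": data, "eof": eof}


def denied_steps(result):
    """Names of client-side calls that failed with EACCES."""
    return [label for label, err in result["steps"] if err == "EACCES"]


if __name__ == "__main__":
    outcome = probe_read_after_peer_close()
    for label, err in outcome["steps"]:
        print(f"{label:9s} {'ok' if err is None else err}")
    sys.exit(1 if denied_steps(outcome) else 0)
```

Saved under a hypothetical name such as probe.py and started with `aa-exec -p bug-profile -- python3 probe.py`, it exits non-zero if any client-side call returns EACCES.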

[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq

2016-02-24 Thread Launchpad Bug Tracker
** Branch linked: lp:~ubuntu-branches/ubuntu/trusty/linux-lts-wily/trusty-proposed

Status in linux package in Ubuntu:
  Fix Released
Status in lxc package in Ubuntu:
  Confirmed
Status in linux source package in Vivid:
  Fix Released
Status in lxc source package in Vivid:
  New
Status in linux source package in Wily:
  Fix Released
Status in lxc source package in Wily:
  New
Status in linux source package in Xenial:
  Fix Released
Status in lxc source package in Xenial:
  Confirmed

[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq

2016-02-24 Thread Launchpad Bug Tracker
** Branch linked: lp:ubuntu/trusty-proposed/linux-lts-vivid

[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq

2016-02-22 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 3.19.0-51.57

---
linux (3.19.0-51.57) vivid; urgency=low

  [ Seth Forshee ]

  * SAUCE: cred: Add clone_cred() interface
- LP: #1531747, #1534961, #1535150
- CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Use mounter's credentials instead of selectively
raising caps
- LP: #1531747, #1534961, #1535150
- CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.*
xattrs
- LP: #1531747, #1534961, #1535150
- CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Be more careful about copying up sxid files
- LP: #1534961, #1535150
- CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Propogate nosuid from lower and upper mounts
- LP: #1534961, #1535150
- CVE-2016-1575 CVE-2016-1576

linux (3.19.0-50.56) vivid; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
- LP: #1540576

  [ J. R. Okajima ]

  * SAUCE: ubuntu: aufs: tiny, extract a new func xino_fwrite_wkq()
- LP: #1533043
  * SAUCE: ubuntu: aufs: for 4.3, XINO handles EINTR from the dying process
- LP: #1533043

  [ John Johansen ]

  * SAUCE: (no-up): apparmor: fix for failed mediation of socket that is
being shutdown
- LP: #1446906

  [ Upstream Kernel Changes ]

  * drivers/base/memory.c: fix kernel warning during memory hotplug on
ppc64
- LP: #1463654
  * sched/wait: Fix signal handling in bit wait helpers
- LP: #1537859
  * sched/wait: Fix the signal handling fix
- LP: #1537859
  * ARC: Fix silly typo in MAINTAINERS file
- LP: #1537859
  * ip6mr: call del_timer_sync() in ip6mr_free_table()
- LP: #1537859
  * gre6: allow to update all parameters via rtnl
- LP: #1537859
  * atl1c: Improve driver not to do order 4 GFP_ATOMIC allocation
- LP: #1537859
  * sctp: use the same clock as if sock source timestamps were on
- LP: #1537859
  * sctp: update the netstamp_needed counter when copying sockets
- LP: #1537859
  * sctp: also copy sk_tsflags when copying the socket
- LP: #1537859
  * net: qca_spi: fix transmit queue timeout handling
- LP: #1537859
  * ipv6: sctp: clone options to avoid use after free
- LP: #1537859
  * net: add validation for the socket syscall protocol argument
- LP: #1537859
  * sh_eth: fix kernel oops in skb_put()
- LP: #1537859
  * net: fix IP early demux races
- LP: #1537859
  * vlan: Fix untag operations of stacked vlans with REORDER_HEADER off
- LP: #1537859
  * skbuff: Fix offset error in skb_reorder_vlan_header
- LP: #1537859
  * pptp: verify sockaddr_len in pptp_bind() and pptp_connect()
- LP: #1537859
  * bluetooth: Validate socket address length in sco_sock_bind().
- LP: #1537859
  * fou: clean up socket with kfree_rcu
- LP: #1537859
  * af_unix: Revert 'lock_interruptible' in stream receive code
- LP: #1537859
  * KEYS: Fix race between read and revoke
- LP: #1537859
  * tools: Add a "make all" rule
- LP: #1537859
  * efi: Disable interrupts around EFI calls, not in the epilog/prolog
calls
- LP: #1537859
  * fuse: break infinite loop in fuse_fill_write_pages()
- LP: #1537859
  * usb: gadget: pxa27x: fix suspend callback
- LP: #1537859
  * iio: fix some warning messages
- LP: #1537859
  * USB: cp210x: Remove CP2110 ID from compatibility list
- LP: #1537859
  * USB: cdc_acm: Ignore Infineon Flash Loader utility
- LP: #1537859
  * ext4: Fix handling of extended tv_sec
- LP: #1537859
  * jbd2: Fix unreclaimed pages after truncate in data=journal mode
- LP: #1537859
  * drm/ttm: Fixed a read/write lock imbalance
- LP: #1537859
  * i2c: mv64xxx: The n clockdiv factor is 0 based on sunxi SoCs
- LP: #1537859
  * AHCI: Fix softreset failed issue of Port Multiplier
- LP: #1537859
  * sata_sil: disable trim
- LP: #1537859
  * usb-storage: Fix scsi-sd failure "Invalid field in cdb" for USB adapter
JMicron
- LP: #1537859
  * staging: lustre: echo_copy.._lsm() dereferences userland pointers
directly
- LP: #1537859
  * irqchip/versatile-fpga: Fix PCI IRQ mapping on Versatile PB
- LP: #1537859
  * usb: core : hub: Fix BOS 'NULL pointer' kernel panic
- LP: #1537859
  * USB: whci-hcd: add check for dma mapping error
- LP: #1537859
  * usb: Use the USB_SS_MULT() macro to decode burst multiplier for log
message
- LP: #1537859
  * xen/events/fifo: Consume unprocessed events when a CPU dies
- LP: #1537859
  * dm btree: fix leak of bufio-backed block in btree_split_sibling error
path
- LP: #1537859
  * ARM: 8465/1: mm: keep reserved ASIDs in sync with mm after multiple
rollovers
- LP: #1537859
  * perf: Fix PERF_EVENT_IOC_PERIOD deadlock
- LP: #1537859
  * usb: xhci: fix config fail of FS hub behind a HS hub with MTT
- LP: #1537859
  * ALSA: rme96: Fix unexpected volume reset after rate changes
- LP: #1537859
  * net: mvpp2: fix missing DMA region unmap in egress processing
  

[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq

2016-02-22 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.2.0-30.35

---
linux (4.2.0-30.35) wily; urgency=low

  [ Seth Forshee ]

  * SAUCE: cred: Add clone_cred() interface
- LP: #1531747, #1534961, #1535150
- CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Use mounter's credentials instead of selectively
raising caps
- LP: #1531747, #1534961, #1535150
- CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.*
xattrs
- LP: #1531747, #1534961, #1535150
- CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Be more careful about copying up sxid files
- LP: #1534961, #1535150
- CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Propogate nosuid from lower and upper mounts
- LP: #1534961, #1535150
- CVE-2016-1575 CVE-2016-1576

linux (4.2.0-29.34) wily; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
- LP: #1543167

  [ Brad Figg ]

  * Revert "SAUCE: apparmor: fix sleep from invalid context"
- LP: #1542049

  [ Upstream Kernel Changes ]

  * Revert "af_unix: Revert 'lock_interruptible' in stream receive code"
- LP: #1540731

linux (4.2.0-28.33) wily; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
- LP: #1540634

  [ Brad Figg ]

  * CONFIG: CONFIG_DEBUG_UART_BCM63XX is not set

  [ J. R. Okajima ]

  * SAUCE: ubuntu: aufs: tiny, extract a new func xino_fwrite_wkq()
- LP: #1533043
  * SAUCE: ubuntu: aufs: for 4.3, XINO handles EINTR from the dying process
- LP: #1533043

  [ John Johansen ]

  * SAUCE: (no-up): apparmor: fix for failed mediation of socket that is
being shutdown
- LP: #1446906
  * SAUCE: apparmor: fix sleep from invalid context
- LP: #1539349

  [ Tim Gardner ]

  * [Config] Add pvpanic to virtual flavour
- LP: #1537923

  [ Upstream Kernel Changes ]

  * Revert "ACPI / LPSS: allow to use specific PM domain during ->probe()"
- LP: #1540532
  * tools: Add a "make all" rule
- LP: #1536370
  * vf610_adc: Fix internal temperature calculation
- LP: #1536370
  * iio: lpc32xx_adc: fix warnings caused by enabling unprepared clock
- LP: #1536370
  * iio:ad5064: Make sure ad5064_i2c_write() returns 0 on success
- LP: #1536370
  * iio: ad5064: Fix ad5629/ad5669 shift
- LP: #1536370
  * iio:ad7793: Fix ad7785 product ID
- LP: #1536370
  * iio: adc: vf610_adc: Fix division by zero error
- LP: #1536370
  * mmc: mmc: Improve reliability of mmc_select_hs200()
- LP: #1536370
  * mmc: mmc: Fix HS setting in mmc_select_hs400()
- LP: #1536370
  * mmc: mmc: Move mmc_switch_status()
- LP: #1536370
  * mmc: mmc: Improve reliability of mmc_select_hs400()
- LP: #1536370
  * crypto: qat - don't use userspace pointer
- LP: #1536370
  * iio: si7020: Swap data byte order
- LP: #1536370
  * iio: adc: xilinx: Fix VREFN scale
- LP: #1536370
  * ipmi: Start the timer and thread on internal msgs
- LP: #1536370
  * drm/i915: quirk backlight present on Macbook 4, 1
- LP: #1536370
  * drm/i915: get runtime PM reference around GEM set_caching IOCTL
- LP: #1536370
  * drm/radeon: Disable uncacheable CPU mappings of GTT with RV6xx
- LP: #1536370
  * drm/radeon: unconditionally set sysfs_initialized
- LP: #1536370
  * drm/amdgpu: Fix default page access routing
- LP: #1536370
  * USB: qcserial: Fix support for HP lt4112 LTE/HSPA+ Gobi 4G Modem
- LP: #1536370
  * ext2, ext4: warn when mounting with dax enabled
- LP: #1536370
  * arm64: mm: use correct mapping granularity under DEBUG_RODATA
- LP: #1536370
  * drm/i915: Don't clobber the addfb2 ioctl params
- LP: #1536370
  * arm64: kernel: pause/unpause function graph tracer in cpu_suspend()
- LP: #1536370
  * usb: chipidea: debug: disable usb irq while role switch
- LP: #1536370
  * xhci: Fix a race in usb2 LPM resume, blocking U3 for usb2 devices
- LP: #1536370
  * fat: fix fake_offset handling on error path
- LP: #1536370
  * kernel/signal.c: unexport sigsuspend()
- LP: #1536370
  * parisc: Drop unused MADV_xxxK_PAGES flags from asm/mman.h
- LP: #1536370
  * mmc: remove bondage between REQ_META and reliable write
- LP: #1536370
  * stmmac: avoid ipq806x constant overflow warning
- LP: #1536370
  * perf symbols: Fix dso lookup by long name and missing buildids
- LP: #1536370
  * net/mlx4_core: Avoid returning success in case of an error flow
- LP: #1536370
  * mtd: nand: fix shutdown/reboot for multi-chip systems
- LP: #1536370
  * FS-Cache: Add missing initialization of ret in cachefiles_write_page()
- LP: #1536370
  * ipvlan: fix leak in ipvlan_rcv_frame
- LP: #1536370
  * ipvlan: fix use after free of skb
- LP: #1536370
  * macvlan: fix leak in macvlan_handle_frame
- LP: #1536370
  * ALSA: hda - Fix noise on Dell Latitude E6440
- LP: #1536370
  * dm thin: restore requested 'error_if_no_space' setting on OODS to WRITE
transition
- LP: #1536370
  * ALSA: hda - Add 

  * ipvlan: fix use after free of skb
- LP: #1536370
  * macvlan: fix leak in macvlan_handle_frame
- LP: #1536370
  * ALSA: hda - Fix noise on Dell Latitude E6440
- LP: #1536370
  * dm thin: restore requested 'error_if_no_space' setting on OODS to WRITE
transition
- LP: #1536370
  * ALSA: hda - Add 

[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq

2016-02-05 Thread Brad Figg
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-vivid' to 'verification-done-vivid'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on
how to enable and use -proposed. Thank you!


** Tags added: verification-needed-vivid

** Tags added: verification-needed-wily

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1446906

Title:
  lxc container with postfix, permission denied on mailq

Status in linux package in Ubuntu:
  Fix Released
Status in lxc package in Ubuntu:
  Confirmed
Status in linux source package in Vivid:
  Fix Committed
Status in lxc source package in Vivid:
  New
Status in linux source package in Wily:
  Fix Committed
Status in lxc source package in Wily:
  New
Status in linux source package in Xenial:
  Fix Released
Status in lxc source package in Xenial:
  Confirmed

Bug description:
  [Impact]

   * Users may encounter situations where they use applications, confined by
     AppArmor, that hit EACCES failures when attempting to operate on AF_UNIX
     stream sockets.

   * These failures typically occur when the confined application attempts to
     read from an AF_UNIX stream socket when the other end of the socket has
     already been closed.

   * AppArmor is mistakenly denying the socket operations due to the socket
     shutdown operation making the sun_path no longer available for
     AppArmor mediation after the socket is shut down.

  [Test Case]

   The expected test case is:

   $ sudo apt-get install postfix # installing in 'local only' config is fine
   $ cat > bug-profile << EOF
   profile bug-profile flags=(attach_disconnected) {
     network,
     file,
   }
   EOF
   $ sudo apparmor_parser -r bug-profile
   $ aa-exec -p bug-profile -- mailq
   Mail queue is empty

   A failed test case will see the mailq command exit with an error:

   $ aa-exec -p bug-profile -- mailq
   postqueue: warning: close: Permission denied

   and these denials will be found in the syslog:

   Jan 25 16:56:29 sec-vivid-amd64 kernel: [  241.096168] audit: type=1400 audit(1453762589.727:29): apparmor="DENIED" operation="file_perm" profile="bug-profile" name="public/showq" pid=4923 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
   Jan 25 16:56:29 sec-vivid-amd64 kernel: [  241.096175] audit: type=1400 audit(1453762589.727:30): apparmor="DENIED" operation="file_perm" profile="bug-profile" name="public/showq" pid=4923 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

  [Regression Potential]

   * The changes are local to the path-based AF_UNIX stream socket mediation
     code so that limits the regression potential to some degree.

   * John Johansen authored the patch and I reviewed it. It is small and there
     are no obvious areas of concern to me regarding potential regressions.

  [Other Info]

   * None at this time

  [Original bug report]

  Hello,

  On three Vivid hosts, all of them up-to-date, I have the problem
  described here:

  https://bugs.launchpad.net/ubuntu/utopic/+source/linux/+bug/1390223

  That bug report shows the problem was fixed, but it is not (at least
  on current Vivid).

  ii  linux-image-generic 3.19.0.15.14   amd64  Generic Linux kernel image
  ii  lxc                 1.1.2-0ubuntu3 amd64  Linux Containers userspace tools
  ii  apparmor            2.9.1-0ubuntu9 amd64  User-space parser utility for AppArmor

  Reproducible with:

  $ sudo lxc-create -n test -t ubuntu
  $ sudo lxc-start -n test

  (inside container)

  $ sudo apt-get install postfix
  $ mailq
  postqueue: warning: close: Permission denied

  dmesg shows:
  [82140.386109] audit: type=1400 audit(1429661150.086:17067): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=27742 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  ---
  ApportVersion: 2.17.2-0ubuntu1
  Architecture: amd64
  AudioDevicesInUse:
   USERPID ACCESS COMMAND
   /dev/snd/controlC0:  zoolook1913 F pulseaudio
  CurrentDesktop: Unity
  DistroRelease: Ubuntu 15.04
  HibernationDevice: RESUME=UUID=aa25401d-0553-43dc-b7c8-c530fe245fb6
  InstallationDate: Installed on 2015-02-27 (53 days ago)
  InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1)
  MachineType: LENOVO 20150
  Package: linux (not installed)
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-3.19.0-15-generic root=/dev/mapper/ubuntu--vg-root ro cgroup_enable=memory swapaccount=1 quiet splash vt.handoff=7
  ProcVersionSignature: Ubuntu 
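
An added triage example, not code from the bug report or from AppArmor: it parses the AppArmor denial records quoted in this thread and separates the pattern this bug produces (operation="file_perm" on a name with no leading "/", such as "public/showq") from ordinary profile denials. Treating a relative name as the marker is an assumption drawn from the samples in this thread; the function names and the last sample line are constructed.

```python
import re
from collections import Counter

# Kernel log lines. The first three are the denials quoted in this bug report,
# re-joined onto one line each; the fourth is constructed here as a control.
SAMPLE_LOG = "\n".join([
    'Jan 25 16:56:29 sec-vivid-amd64 kernel: [  241.096168] audit: type=1400 '
    'audit(1453762589.727:29): apparmor="DENIED" operation="file_perm" '
    'profile="bug-profile" name="public/showq" pid=4923 comm="postqueue" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'Jan 25 16:56:29 sec-vivid-amd64 kernel: [  241.096175] audit: type=1400 '
    'audit(1453762589.727:30): apparmor="DENIED" operation="file_perm" '
    'profile="bug-profile" name="public/showq" pid=4923 comm="postqueue" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    '[82140.386109] audit: type=1400 audit(1429661150.086:17067): '
    'apparmor="DENIED" operation="file_perm" profile="lxc-container-default" '
    'name="public/showq" pid=27742 comm="postqueue" requested_mask="r" '
    'denied_mask="r" fsuid=1000 ouid=0',
    # Constructed control: an ordinary denial on an absolute path.
    '[82141.000000] audit: type=1400 audit(1429661151.000:17068): '
    'apparmor="DENIED" operation="open" profile="lxc-container-default" '
    'name="/etc/shadow" pid=27750 comm="cat" requested_mask="r" '
    'denied_mask="r" fsuid=1000 ouid=0',
])

# audit(<epoch seconds>:<serial>): followed by key=value pairs.
AUDIT_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\):\s*(.*)')
# Values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denials(text):
    """Return one dict per distinct AppArmor DENIED record in the log text."""
    events, seen = [], set()
    for line in text.splitlines():
        match = AUDIT_RE.search(line)
        if match is None:
            continue
        fields = {k: (quoted or bare)
                  for k, quoted, bare in FIELD_RE.findall(match.group(3))}
        if fields.get("apparmor") != "DENIED":
            continue
        record_id = (match.group(1), match.group(2))
        if record_id in seen:
            # Same record captured twice, e.g. from syslog and from dmesg.
            continue
        seen.add(record_id)
        fields["timestamp"] = float(match.group(1))
        fields["serial"] = int(match.group(2))
        events.append(fields)
    return events


def classify(event):
    """Label a denial by whether it matches the pattern shown in this bug.

    Heuristic (assumption, see lead-in): a file_perm denial whose name is not
    an absolute path means the object could not be resolved to a full path,
    so adding a path rule to the profile is unlikely to help.
    """
    name = event.get("name", "")
    if event.get("operation") == "file_perm" and name and not name.startswith("/"):
        return "disconnected-path"
    return "profile-rule"


def summarize(events):
    """Count denials per (profile, comm, name, label)."""
    return Counter(
        (e.get("profile"), e.get("comm"), e.get("name"), classify(e))
        for e in events
    )


if __name__ == "__main__":
    for key, count in summarize(parse_denials(SAMPLE_LOG)).items():
        print(count, *key)
```

Records labelled "disconnected-path" are the ones to check against the kernel version before touching the profile.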

[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq

2016-02-05 Thread Brad Figg
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-wily' to 'verification-done-wily'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on
how to enable and use -proposed. Thank you!

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1446906

Title:
  lxc container with postfix, permission denied on mailq

Status in linux package in Ubuntu:
  Fix Released
Status in lxc package in Ubuntu:
  Confirmed
Status in linux source package in Vivid:
  Fix Committed
Status in lxc source package in Vivid:
  New
Status in linux source package in Wily:
  Fix Committed
Status in lxc source package in Wily:
  New
Status in linux source package in Xenial:
  Fix Released
Status in lxc source package in Xenial:
  Confirmed

[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq

2016-02-01 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.4.0-2.16

---
linux (4.4.0-2.16) xenial; urgency=low

  [ Andy Whitcroft ]

  * Release Tracking Bug
- LP: #1539090
  * SAUCE: hv: hv_set_ifconfig -- convert to python3
- LP: #1506521
  * SAUCE: dm: introduce a target_ioctl op to allow target specific ioctls
- LP: #1538618

  [ Colin Ian King ]

  * SAUCE: ACPI / tables: Add acpi_force_32bit_fadt_addr option to force 32
bit FADT addresses (LP: #1529381)
- LP: #1529381

  [ John Johansen ]

  * SAUCE: (no-up): apparmor: fix for failed mediation of socket that is
being shutdown
- LP: #1446906

  [ Mahesh Salgaonkar ]

  * SAUCE: Powernv: Remove the usage of PACAR1 from opal wrappers
- LP: #1537881
  * SAUCE: powerpc/book3s: Fix TB corruption in guest exit path on HMI
interrupt.
- LP: #1537881
  * SAUCE: KVM: PPC: Book3S HV: Fix soft lockups in KVM on HMI for time
base errors
- LP: #1537881

  [ Paolo Pisati ]

  * SAUCE: arm64: errata: Add -mpc-relative-literal-loads to erratum
#843419 build flags
- LP: #1533009
  * [Config] MFD_TPS65217=y && REGULATOR_TPS65217=y
  * [Config] disable ARCH_ZX (ZTE ZX Soc)

  [ Tim Gardner ]

  * Revert "SAUCE: (noup) cxlflash: a couple off by one bugs"
  * SAUCE: (no-up) Update bnx2x firmware to 7.12.30.0
- LP: #1536719
  * SAUCE: drop obsolete bnx2x firmware
  * SAUCE: i40e: Silence 'may be used uninitialized' warnings
- LP: #1536474
  * [Config] CONFIG_ZONE_DMA=y for amd64 lowlatency
- LP: #1534647
  * [Config] Add pvpanic to virtual flavour
- LP: #1537923
  * [Config] CONFIG_INTEL_PUNIT_IPC=m, CONFIG_INTEL_TELEMETRY=m
- LP: #1520457

  [ Upstream Kernel Changes ]

  * i40evf: fix compiler warning of unused variable
- LP: #1536474
  * intel: i40e: fix confused code
- LP: #1536474
  * i40e/i40evf: remove unused tunnel parameter
- LP: #1536474
  * i40e: Change BUG_ON to WARN_ON in service event complete
- LP: #1536474
  * i40e: remove BUG_ON from feature string building
- LP: #1536474
  * i40e: remove BUG_ON from FCoE setup
- LP: #1536474
  * i40e: Workaround fix for mss < 256 issue
- LP: #1536474
  * i40e/i40evf: Add a stat to track how many times we have to do a force
WB
- LP: #1536474
  * i40e: Move the saving of old link info from handle_link_event to
link_event
- LP: #1536474
  * i40e/i40evf: Add comment to #endif
- LP: #1536474
  * i40e/i40evf: clean up error messages
- LP: #1536474
  * i40evf: handle many MAC filters correctly
- LP: #1536474
  * i40e: return the number of enabled queues for ETHTOOL_GRXRINGS
- LP: #1536474
  * i40e: rework the functions to configure RSS with similar parameters
- LP: #1536474
  * i40e: create a generic configure rss function
- LP: #1536474
  * i40e: Bump version to 1.4.2
- LP: #1536474
  * i40e: add new fields to store user configuration
- LP: #1536474
  * i40e: rename rss_size to alloc_rss_size in i40e_pf
- LP: #1536474
  * i40e/i40evf: Fix RS bit update in Tx path and disable force WB
workaround
- LP: #1536474
  * i40e/i40evf: prefetch skb data on transmit
- LP: #1536474
  * i40evf: rename VF adapter specific RSS function
- LP: #1536474
  * i40evf: create a generic config RSS function
- LP: #1536474
  * i40evf: create a generic get RSS function
- LP: #1536474
  * i40evf: add new fields to store user configuration of RSS
- LP: #1536474
  * i40e: Update error messaging
- LP: #1536474
  * i40e: fix confusing message
- LP: #1536474
  * i40e: make error message more useful
- LP: #1536474
  * i40evf: quoth the VF driver, Nevermore
- LP: #1536474
  * i40evf: allocate queue vectors dynamically
- LP: #1536474
  * i40evf: allocate ring structs dynamically
- LP: #1536474
  * i40e/i40evf: Bump i40e version to 1.4.4 and i40evf to 1.4.1
- LP: #1536474
  * i40e: fix: do not sleep in netdev_ops
- LP: #1536474
  * i40e: remove unused argument
- LP: #1536474
  * i40evf: increase max number of queues
- LP: #1536474
  * i40evf: set real num queues
- LP: #1536474
  * i40evf: remove duplicate string
- LP: #1536474
  * i40e: Detection and recovery of TX queue hung logic moved to
service_task from tx_timeout
- LP: #1536474
  * i40e: Fix memory leaks, sideband filter programming
- LP: #1536474
  * i40evf: don't use atomic allocation
- LP: #1536474
  * i40e: propagate properly
- LP: #1536474
  * i40evf: use correct types
- LP: #1536474
  * i40e: use priv flags to control packet split
- LP: #1536474
  * i40e: Remove separate functions gathering XOFF Rx stats
- LP: #1536474
  * i40e: fix whitespace
- LP: #1536474
  * i40e/i40evf: use logical operator
- LP: #1536474
  * i40e/i40evf: Bump version to 1.4.7 for i40e and 1.4.3 for i40evf
- LP: #1536474
  * i40e: trivial fixes
- LP: #1536474
  * i40e: Fix i40e_print_features() VEB mode output
- LP: #1536474
  * i40e: chomp the 

[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq

2016-01-26 Thread Tim Gardner
** Changed in: linux (Ubuntu Vivid)
   Status: In Progress => Fix Committed

** Changed in: linux (Ubuntu Wily)
   Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1446906

Title:
  lxc container with postfix, permission denied on mailq

Status in linux package in Ubuntu:
  Fix Committed
Status in lxc package in Ubuntu:
  Confirmed
Status in linux source package in Vivid:
  Fix Committed
Status in lxc source package in Vivid:
  New
Status in linux source package in Wily:
  Fix Committed
Status in lxc source package in Wily:
  New
Status in linux source package in Xenial:
  Fix Committed
Status in lxc source package in Xenial:
  Confirmed

[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq

2016-01-25 Thread Christopher M. Penalver
** Changed in: linux (Ubuntu Xenial)
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1446906

Title:
  lxc container with postfix, permission denied on mailq

Status in linux package in Ubuntu:
  Fix Committed
Status in lxc package in Ubuntu:
  Confirmed
Status in linux source package in Vivid:
  In Progress
Status in lxc source package in Vivid:
  New
Status in linux source package in Wily:
  In Progress
Status in lxc source package in Wily:
  New
Status in linux source package in Xenial:
  Fix Committed
Status in lxc source package in Xenial:
  Confirmed

[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq

2016-01-25 Thread Tyler Hicks
** Description changed:

+ [Impact]
+ 
+  * Users may encounter situations where they use applications, confined by
+AppArmor, that hit EACESS failures when attempting to operate on AF_UNIX
+stream sockets.
+ 
+  * These failures typically occur when the confined applications attempts to
+read from an AF_UNIX stream socket when the other end of the socket has
+already been closed.
+ 
+  * AppArmor is mistakenly denying the socket operations due to the socket
+shutdown operation making the sun_path no longer being available for
+AppArmor mediation after the socket is shutdown.
+ 
+ [Test Case]
+ 
+  The expected test case is:
+ 
+  $ sudo apt-get install postfix # installing in 'local only' config is fine
+  $ cat > bug-profile << EOF
+  profile bug-profile flags=(attach_disconnected) {
+network,
+file,
+  }
+  EOF
+  $ sudo apparmor_parser -r bug.profile 
+  $ aa-exec -p bug-profile -- mailq
+  Mail queue is empty
+ 
+  A failed test case will see the mailq command exit with an error:
+ 
+  $ aa-exec -p bug-profile -- mailq
+  postqueue: warning: close: Permission denied
+ 
+  and these denials will be found in the syslog:
+ 
+  Jan 25 16:56:29 sec-vivid-amd64 kernel: [  241.096168] audit: type=1400 
audit(1453762589.727:29): apparmor="DENIED" operation="file_perm" 
profile="bug-profile" name="public/showq" pid=4923 comm="postqueue" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
+  Jan 25 16:56:29 sec-vivid-amd64 kernel: [  241.096175] audit: type=1400 
audit(1453762589.727:30): apparmor="DENIED" operation="file_perm" 
profile="bug-profile" name="public/showq" pid=4923 comm="postqueue" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
+ 
+ [Regression Potential]
+ 
+  * The changes are local to the path-based AF_UNIX stream socket mediation 
code
+so that limits the regression potential to some degree.
+ 
+  * John Johansen authored the patch and I reviewed it. It is small and there's
+no obvious areas of concern to me regarding potential regressions.
+ 
+ [Other Info]
+ 
+  * None at this time
+ 
+ [Original bug report]
+ 
  Hello,
  
  on three Vivid host, all of them up-to-date, I have the problem
  described here:
  
  https://bugs.launchpad.net/ubuntu/utopic/+source/linux/+bug/1390223
  
  That bug report shows the problem was fixed, but it is not (at least on
  current Vivid)
  
- 
  ii  linux-image-generic 3.19.0.15.14   amd64  Generic Linux kernel 
image
  ii  lxc 1.1.2-0ubuntu3 amd64  Linux Containers 
userspace tools
  ii  apparmor2.9.1-0ubuntu9 amd64  User-space parser 
utility for AppArmor
- 
  
  Reproducible with:
  
  $ sudo lxc-create -n test -t ubuntu
  $ sudo lxc-start -n test
  
  (inside container)
  
  $ sudo apt-get install postfix
  $ mailq
  postqueue: warning: close: Permission denied
  
- 
  dmesg shows:
  [82140.386109] audit: type=1400 audit(1429661150.086:17067): 
apparmor="DENIED" operation="file_perm" profile="lxc-container-default" 
name="public/showq" pid=27742 comm="postqueue" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=0
- --- 
+ ---
  ApportVersion: 2.17.2-0ubuntu1
  Architecture: amd64
  AudioDevicesInUse:
-  USERPID ACCESS COMMAND
-  /dev/snd/controlC0:  zoolook1913 F pulseaudio
+  USERPID ACCESS COMMAND
+  /dev/snd/controlC0:  zoolook1913 F pulseaudio
  CurrentDesktop: Unity
  DistroRelease: Ubuntu 15.04
  HibernationDevice: RESUME=UUID=aa25401d-0553-43dc-b7c8-c530fe245fb6
  InstallationDate: Installed on 2015-02-27 (53 days ago)
  InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 
(20150218.1)
  MachineType: LENOVO 20150
  Package: linux (not installed)
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-3.19.0-15-generic 
root=/dev/mapper/ubuntu--vg-root ro cgroup_enable=memory swapaccount=1 quiet 
splash vt.handoff=7
  ProcVersionSignature: Ubuntu 3.19.0-15.15-generic 3.19.3
  RelatedPackageVersions:
-  linux-restricted-modules-3.19.0-15-generic N/A
-  linux-backports-modules-3.19.0-15-generic  N/A
-  linux-firmware 1.143
+  linux-restricted-modules-3.19.0-15-generic N/A
+  linux-backports-modules-3.19.0-15-generic  N/A
+  linux-firmware 1.143
  Tags:  vivid
  Uname: Linux 3.19.0-15-generic x86_64
  UpgradeStatus: Upgraded to vivid on 2015-03-29 (24 days ago)
  UserGroups: adm docker libvirtd lpadmin sambashare sudo
  _MarkForUpload: True
  dmi.bios.date: 12/19/2012
  dmi.bios.vendor: LENOVO
  dmi.bios.version: 5ECN95WW(V9.00)
  dmi.board.asset.tag: No Asset Tag
  dmi.board.name: INVALID
  dmi.board.vendor: LENOVO
  dmi.board.version: 3194WIN8 STD SGL
  dmi.chassis.asset.tag: No Asset Tag
  dmi.chassis.type: 10
  dmi.chassis.vendor: LENOVO
  dmi.chassis.version: Lenovo G580
  dmi.modalias: 
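
Review bot: In the added [Test Case] lines the profile is written with 'cat > bug-profile << EOF' but loaded with 'sudo apparmor_parser -r bug.profile', so the steps as written load a file that was never created; use the same file name in both commands. The added [Impact] text also spells the errno as 'EACESS'; the constant is EACCES, and using the real spelling makes the description searchable. The -/+ pairs under AudioDevicesInUse and RelatedPackageVersions appear to change only whitespace and could be dropped from the description change.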

[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq

2016-01-25 Thread Tim Gardner
** Also affects: linux (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: lxc (Ubuntu Xenial)
   Importance: Medium
   Status: Confirmed

** Also affects: linux (Ubuntu Vivid)
   Importance: Undecided
   Status: New

** Also affects: lxc (Ubuntu Vivid)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Wily)
   Importance: Undecided
   Status: New

** Also affects: lxc (Ubuntu Wily)
   Importance: Undecided
   Status: New

** Changed in: linux (Ubuntu Vivid)
   Status: New => In Progress

** Changed in: linux (Ubuntu Vivid)
 Assignee: (unassigned) => Tim Gardner (timg-tpi)

** Changed in: linux (Ubuntu Wily)
   Status: New => In Progress

** Changed in: linux (Ubuntu Wily)
 Assignee: (unassigned) => Tim Gardner (timg-tpi)

** Changed in: linux (Ubuntu Xenial)
   Status: New => Fix Committed

** Changed in: linux (Ubuntu Xenial)
 Assignee: (unassigned) => Tim Gardner (timg-tpi)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1446906

Title:
  lxc container with postfix, permission denied on mailq

Status in linux package in Ubuntu:
  Fix Committed
Status in lxc package in Ubuntu:
  Confirmed
Status in linux source package in Vivid:
  In Progress
Status in lxc source package in Vivid:
  New
Status in linux source package in Wily:
  In Progress
Status in lxc source package in Wily:
  New
Status in linux source package in Xenial:
  Fix Committed
Status in lxc source package in Xenial:
  Confirmed


[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq

2015-12-20 Thread Anton Statutov
@jjohansen, I've tested your build and can confirm it fixes the issue.

root@host:~# uname -a
Linux host 3.19.0-31-generic #36+lp1446906v3 SMP Fri Dec 18 08:37:50 UTC 2015 
x86_64 x86_64 x86_64 GNU/Linux

root@lxc:~# mailq
Mail queue is empty

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1446906

Title:
  lxc container with postfix, permission denied on mailq

Status in lxc package in Ubuntu:
  Confirmed



[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq

2015-12-18 Thread John Johansen
Kernels with version 3 of the fix can be found at
   http://people.canonical.com/~jj/lp1446906/

please test and leave feedback as to whether this fixes the issue

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1446906

Title:
  lxc container with postfix, permission denied on mailq

Status in lxc package in Ubuntu:
  Confirmed



[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq

2015-12-08 Thread Anton Statutov
I encountered this problem too on Ubuntu 15.04 running the 3.19.0-39 kernel.
Fixed it by turning off the apparmor profile for the LXC container by adding
"lxc.aa_profile = unconfined" to the container's config. In my case the
increased security risk is acceptable, but it's desirable to fix it the
right way. Is there any information on which kernel version it will be
fixed in and when these updates will be available in the standard Ubuntu
repositories?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1446906

Title:
  lxc container with postfix, permission denied on mailq

Status in lxc package in Ubuntu:
  Confirmed



[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq

2015-12-08 Thread Serge Hallyn
@astatutov,

Could you please test the kernels posted in comment #28?

@jjohansen, confused, why is this bug not marked as affecting linux?  Is
there a reason?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1446906

Title:
  lxc container with postfix, permission denied on mailq

Status in lxc package in Ubuntu:
  Confirmed



[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq

2015-11-26 Thread John Johansen
Please try the test kernels at

http://people.canonical.com/~jj/lp1446906/

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1446906

Title:
  lxc container with postfix, permission denied on mailq

Status in lxc package in Ubuntu:
  Confirmed



[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq

2015-11-19 Thread John Johansen
Making this bug NOT a duplicate of Bug 1390223, which will be for just
the bad unix_fs macro fix that has already been committed. This one will
track the deleted entry/socket shutdown revalidation issue.


** This bug is no longer a duplicate of bug 1390223
   Apparmor related regression on access to unix sockets on a candidate 3.16 backport kernel

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1446906

Title:
  lxc container with postfix, permission denied on mailq

Status in lxc package in Ubuntu:
  Confirmed



[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq

2015-11-18 Thread John Johansen
*** This bug is a duplicate of bug 1390223 ***
https://bugs.launchpad.net/bugs/1390223

Alright, so this is not the disconnected path issue I thought it was, I
am looking into it more.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1446906

Title:
  lxc container with postfix, permission denied on mailq

Status in lxc package in Ubuntu:
  Confirmed



[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq

2015-11-18 Thread John Johansen
*** This bug is a duplicate of bug 1390223 ***
https://bugs.launchpad.net/bugs/1390223

Alright, this is failing the way it is because it is a race on the
socket being shut down.  If the mediate_deleted flag was removed from the
profile, an additional info flag would show up in the DENIED message.

info="Failed name lookup - deleted entry"

I am still looking into how to best fix it.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1446906

Title:
  lxc container with postfix, permission denied on mailq

Status in lxc package in Ubuntu:
  Confirmed

Bug description:
  Hello,

  on three Vivid host, all of them up-to-date, I have the problem
  described here:

  https://bugs.launchpad.net/ubuntu/utopic/+source/linux/+bug/1390223

  That bug report shows the problem was fixed, but it is not (at least
  on current Vivid)

  
  ii  linux-image-generic 3.19.0.15.14   amd64  Generic Linux kernel 
image
  ii  lxc 1.1.2-0ubuntu3 amd64  Linux Containers 
userspace tools
  ii  apparmor2.9.1-0ubuntu9 amd64  User-space parser 
utility for AppArmor

  
  Reproducible with:

  $ sudo lxc-create -n test -t ubuntu
  $ sudo lxc-start -n test

  (inside container)

  $ sudo apt-get install postfix
  $ mailq
  postqueue: warning: close: Permission denied

  
  dmesg shows:
  [82140.386109] audit: type=1400 audit(1429661150.086:17067): 
apparmor="DENIED" operation="file_perm" profile="lxc-container-default" 
name="public/showq" pid=27742 comm="postqueue" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=0
  --- 
  ApportVersion: 2.17.2-0ubuntu1
  Architecture: amd64
  AudioDevicesInUse:
   USERPID ACCESS COMMAND
   /dev/snd/controlC0:  zoolook1913 F pulseaudio
  CurrentDesktop: Unity
  DistroRelease: Ubuntu 15.04
  HibernationDevice: RESUME=UUID=aa25401d-0553-43dc-b7c8-c530fe245fb6
  InstallationDate: Installed on 2015-02-27 (53 days ago)
  InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 
(20150218.1)
  MachineType: LENOVO 20150
  Package: linux (not installed)
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-3.19.0-15-generic 
root=/dev/mapper/ubuntu--vg-root ro cgroup_enable=memory swapaccount=1 quiet 
splash vt.handoff=7
  ProcVersionSignature: Ubuntu 3.19.0-15.15-generic 3.19.3
  RelatedPackageVersions:
   linux-restricted-modules-3.19.0-15-generic N/A
   linux-backports-modules-3.19.0-15-generic  N/A
   linux-firmware 1.143
  Tags:  vivid
  Uname: Linux 3.19.0-15-generic x86_64
  UpgradeStatus: Upgraded to vivid on 2015-03-29 (24 days ago)
  UserGroups: adm docker libvirtd lpadmin sambashare sudo
  _MarkForUpload: True
  dmi.bios.date: 12/19/2012
  dmi.bios.vendor: LENOVO
  dmi.bios.version: 5ECN95WW(V9.00)
  dmi.board.asset.tag: No Asset Tag
  dmi.board.name: INVALID
  dmi.board.vendor: LENOVO
  dmi.board.version: 3194WIN8 STD SGL
  dmi.chassis.asset.tag: No Asset Tag
  dmi.chassis.type: 10
  dmi.chassis.vendor: LENOVO
  dmi.chassis.version: Lenovo G580
  dmi.modalias: 
dmi:bvnLENOVO:bvr5ECN95WW(V9.00):bd12/19/2012:svnLENOVO:pn20150:pvrLenovoG580:rvnLENOVO:rnINVALID:rvr3194WIN8STDSGL:cvnLENOVO:ct10:cvrLenovoG580:
  dmi.product.name: 20150
  dmi.product.version: Lenovo G580
  dmi.sys.vendor: LENOVO

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1446906/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
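
The denial records quoted in this thread can be triaged mechanically. The following is an added example, not code from the bug report or from AppArmor: it parses AppArmor DENIED audit records, separates the ones whose name= is not anchored at "/" (the case discussed here) or that carry the "deleted entry" info string, and prints a rule in the leading-"/" form given in the thread. The function names, the classification labels and the sample lines marked as constructed are assumptions made for this example.

```python
import re
from collections import Counter

# key="value" or key=value pairs, as they appear in kernel audit records.
_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

SAMPLE_LOG = [
    # dmesg line from the bug description
    '[82140.386109] audit: type=1400 audit(1429661150.086:17067): apparmor="DENIED" '
    'operation="file_perm" profile="lxc-container-default" name="public/showq" '
    'pid=27742 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    # the same record with the quotes stripped, as some copies in the archive show it
    '[82140.386109] audit: type=1400 audit(1429661150.086:17067): apparmor=DENIED '
    'operation=file_perm profile=lxc-container-default name=public/showq '
    'pid=27742 comm=postqueue requested_mask=r denied_mask=r fsuid=1000 ouid=0',
    # constructed: the record with the info= string quoted in the thread
    'audit: type=1400 audit(0.000:1): apparmor="DENIED" operation="file_perm" '
    'info="Failed name lookup - deleted entry" profile="lxc-container-default" '
    'name="public/showq" pid=1 comm="postqueue" requested_mask="r" denied_mask="r"',
    # constructed: an ordinary denial on an absolute path
    'audit: type=1400 audit(0.000:2): apparmor="DENIED" operation="open" '
    'profile="lxc-container-default" name="/var/spool/postfix/pid/master.pid" '
    'pid=2 comm="cat" requested_mask="r" denied_mask="r"',
    # syslog line from the thread that is not an audit record
    'Nov 03 10:25:08 akern postfix/postqueue[643]: warning: close: Permission denied',
]


def parse_denial(line):
    """Return the record's fields as a dict, or None if it is not an AppArmor denial."""
    fields = {}
    for key, quoted, bare in _PAIR.findall(line):
        fields[key] = bare if bare else quoted
    if fields.get("apparmor") != "DENIED":
        return None
    return fields


def classify(rec):
    """Label a denial (labels are this example's own, not AppArmor terms)."""
    if "deleted entry" in rec.get("info", ""):
        return "deleted"          # name lookup failed on a deleted entry
    name = rec.get("name", "")
    if name and not name.startswith("/"):
        return "relative-name"    # name not anchored at "/", as in this bug
    return "ordinary"


def candidate_rule(rec):
    """Rule in the form given in the thread: leading "/" plus the denied mask.

    Only meaningful inside a profile declared with flags=(attach_disconnected).
    """
    name = rec["name"]
    if not name.startswith("/"):
        name = "/" + name
    return f"{name} {rec['denied_mask']},"


def triage(lines):
    """Count denials per (profile, comm, name, kind), skipping unrelated lines."""
    counts = Counter()
    for line in lines:
        rec = parse_denial(line)
        if rec is None:
            continue
        key = (rec.get("profile", "?"), rec.get("comm", "?"),
               rec.get("name", ""), classify(rec))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (profile, comm, name, kind), n in triage(SAMPLE_LOG).items():
        print(f"{n}x profile={profile} comm={comm} name={name} kind={kind}")
    first = parse_denial(SAMPLE_LOG[0])
    print("candidate rule:", candidate_rule(first))
```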


[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq

2015-11-18 Thread John Johansen
*** This bug is a duplicate of bug 1390223 ***
https://bugs.launchpad.net/bugs/1390223

yes, sorry I'm not sure why I missed adding the leading /



[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq

2015-11-17 Thread Christian Boltz
*** This bug is a duplicate of bug 1390223 ***
https://bugs.launchpad.net/bugs/1390223

nearly correct - the rule needs to be

/public/showq r,

(note the leading "/")



[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq

2015-11-17 Thread John Johansen
*** This bug is a duplicate of bug 1390223 ***
https://bugs.launchpad.net/bugs/1390223

The issue is that the path is disconnected from the namespace. Currently
the only way to deal with this is by using the attach_disconnect flag in
the profile, and then place rules for the attached files into the
profile

eg.

profile lxc-container-default flags=(attach_disconnected) {
  
   public/showq r,

   ...

}



[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq

2015-11-03 Thread Wolfgang
*** This bug is a duplicate of bug 1390223 ***
https://bugs.launchpad.net/bugs/1390223

This is not actually a container problem but an apparmor3 problem. You
can reproduce it by using aa-exec on the host (with any profile)
starting with commit b3c3d641f1de (UBUNTU: SAUCE: (no-up) apparmor: Sync
to apparmor3 - RC1 snapshot) of the wily kernel: see
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/wily/log/security/apparmor

Also if I change my postfix service files on my host to use aa-exec so
they're even in the same profile and then run mailq with aa-exec, or
even just socat on that socket, the connect() will succeed, the read()
will EACCES.

We also managed to hit the case described in 1390223 where executing
mailq in a loop will *sometimes* succeed (though I could not myself
reproduce this on my host machine.)

We do have a server where it fails in only *some* containers (the only
significant difference between them is that one set is 32 bit and one is
64 bit, but I couldn't reproduce that by simply running 32 bit postfix
binaries on the host, so the differences might go beyond that).

Here's an example session with the wily kernel and postfix on a host
modified to spawn with aa-exec:

# ps aux |grep postfix
root       556  0.0  0.5 108108  5124 ?        Ss   10:21   0:00 /usr/lib/postfix/bin/master -w
postfix    557  0.0  0.6 110176  6868 ?        S    10:21   0:00 pickup -l -t unix -u
postfix    558  0.0  0.6 110224  6768 ?        S    10:21   0:00 qmgr -l -t unix -u
postfix    560  0.0  0.6 110176  6808 ?        S    10:21   0:00 showq -t unix -u
# aa-status  |grep -A5 'processes are in enforce mode.'
4 processes are in enforce mode.
   lxc-container-default (556)
   lxc-container-default (557)
   lxc-container-default (558)
   lxc-container-default (560)
0 processes are in complain mode.
# lsof -n |grep showq
master    556 root   61u unix 0x88003c99e000  0t0   12486 public/showq type=STREAM
# aa-exec -p lxc-container-default -- mailq
postqueue: warning: close: Permission denied
# aa-exec -p lxc-container-default -- socat UNIX:/var/spool/postfix/public/showq -
2015/11/03 10:23:48 socat[597] E read(5, 0x2103a00, 8192): Permission denied
# strace -f -- aa-exec -p lxc-container-default -- mailq
(...)
socket(PF_LOCAL, SOCK_STREAM, 0)        = 4
fcntl(4, F_GETFL)                       = 0x2 (flags O_RDWR)
fcntl(4, F_SETFL, O_RDWR)               = 0
connect(4, {sa_family=AF_LOCAL, sun_path="public/showq"}, 110) = 0
poll([{fd=4, events=POLLIN}], 1, 360) = 1 ([{fd=4, revents=POLLIN|POLLHUP}])
read(4, 0x5606d5407f00, 4096)           = -1 EACCES (Permission denied)


log:
Nov 03 10:25:08 akern audit[643]: AVC apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=643 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 03 10:25:08 akern audit[643]: AVC apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=643 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 03 10:25:08 akern audit[643]: SYSCALL arch=c03e syscall=0 success=no exit=-13 a0=4 a1=55bdbc538f00 a2=1000 a3=3dc items=0 ppid=433 pid=643 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=75 sgid=75 fsgid=75 tty=pts3 ses=3 comm="postqueue" exe="/usr/bin/postqueue" key=(null)
Nov 03 10:25:08 akern audit: PROCTITLE proctitle=706F73747175657565002D70
Nov 03 10:25:08 akern postfix/postqueue[643]: warning: close: Permission denied


[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq

2015-11-03 Thread Wolfgang
*** This bug is a duplicate of bug 1390223 ***
https://bugs.launchpad.net/bugs/1390223

So I ran postfix' master process with strace to see what it does, didn't find 
anything out of the ordinary, however, this way the read() succeeded 15 out of 
20 times, only 5 EACCES. The strace output of postfix' master is the same in 
both cases.
So maybe this helps with reproducing the issue.



[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq

2015-04-23 Thread Joseph Salisbury
*** This bug is a duplicate of bug 1390223 ***
https://bugs.launchpad.net/bugs/1390223

** Changed in: lxc (Ubuntu)
   Status: Incomplete => Confirmed

** This bug has been marked a duplicate of bug 1390223
   Apparmor related regression on access to unix sockets on a candidate 3.16 backport kernel



[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq

2015-04-22 Thread zoolook
Q: What's status incomplete? Thanks

** Package changed: linux (Ubuntu) => lxc (Ubuntu)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1446906

Title:
  lxc container with postfix, permission denied on mailq

Status in lxc package in Ubuntu:
  Incomplete
