[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq
** Changed in: lxc (Ubuntu Xenial)
       Status: Confirmed => Invalid

** No longer affects: lxc (Ubuntu Vivid)

** No longer affects: lxc (Ubuntu Wily)

--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1446906

Title:
  lxc container with postfix, permission denied on mailq

Status in linux package in Ubuntu:
  Fix Released
Status in lxc package in Ubuntu:
  Invalid
Status in linux source package in Vivid:
  Fix Released
Status in linux source package in Wily:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in lxc source package in Xenial:
  Invalid

Bug description:
  [Impact]

   * Users may encounter situations where they use applications, confined
     by AppArmor, that hit EACCES failures when attempting to operate on
     AF_UNIX stream sockets.

   * These failures typically occur when the confined application attempts
     to read from an AF_UNIX stream socket when the other end of the socket
     has already been closed.

   * AppArmor is mistakenly denying the socket operations due to the socket
     shutdown operation making the sun_path no longer available for
     AppArmor mediation after the socket is shut down.

  [Test Case]

  The expected test case is:

  $ sudo apt-get install postfix # installing in 'local only' config is fine
  $ cat > bug-profile << EOF
  profile bug-profile flags=(attach_disconnected) {
    network,
    file,
  }
  EOF
  $ sudo apparmor_parser -r bug-profile
  $ aa-exec -p bug-profile -- mailq
  Mail queue is empty

  A failed test case will see the mailq command exit with an error:

  $ aa-exec -p bug-profile -- mailq
  postqueue: warning: close: Permission denied

  and these denials will be found in the syslog:

  Jan 25 16:56:29 sec-vivid-amd64 kernel: [ 241.096168] audit: type=1400 audit(1453762589.727:29): apparmor="DENIED" operation="file_perm" profile="bug-profile" name="public/showq" pid=4923 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Jan 25 16:56:29 sec-vivid-amd64 kernel: [ 241.096175] audit: type=1400 audit(1453762589.727:30): apparmor="DENIED" operation="file_perm" profile="bug-profile" name="public/showq" pid=4923 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

  [Regression Potential]

   * The changes are local to the path-based AF_UNIX stream socket mediation
     code, so that limits the regression potential to some degree.

   * John Johansen authored the patch and I reviewed it. It is small and
     there are no obvious areas of concern to me regarding potential
     regressions.

  [Other Info]

   * None at this time

  [Original bug report]

  Hello, on three Vivid hosts, all of them up-to-date, I have the problem
  described here:

  https://bugs.launchpad.net/ubuntu/utopic/+source/linux/+bug/1390223

  That bug report shows the problem was fixed, but it is not (at least
  on current Vivid).

  ii  linux-image-generic  3.19.0.15.14    amd64  Generic Linux kernel image
  ii  lxc                  1.1.2-0ubuntu3  amd64  Linux Containers userspace tools
  ii  apparmor             2.9.1-0ubuntu9  amd64  User-space parser utility for AppArmor

  Reproducible with:

  $ sudo lxc-create -n test -t ubuntu
  $ sudo lxc-start -n test

  (inside container)
  $ sudo apt-get install postfix
  $ mailq
  postqueue: warning: close: Permission denied

  dmesg shows:

  [82140.386109] audit: type=1400 audit(1429661150.086:17067): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=27742 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

  ---
  ApportVersion: 2.17.2-0ubuntu1
  Architecture: amd64
  AudioDevicesInUse:
   USER PID ACCESS COMMAND
   /dev/snd/controlC0: zoolook 1913 F pulseaudio
  CurrentDesktop: Unity
  DistroRelease: Ubuntu 15.04
  HibernationDevice: RESUME=UUID=aa25401d-0553-43dc-b7c8-c530fe245fb6
  InstallationDate: Installed on 2015-02-27 (53 days ago)
  InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1)
  MachineType: LENOVO 20150
  Package: linux (not installed)
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-3.19.0-15-generic root=/dev/mapper/ubuntu--vg-root ro cgroup_enable=memory swapaccount=1 quiet splash vt.handoff=7
  ProcVersionSignature: Ubuntu 3.19.0-15.15-generic 3.19.3
  RelatedPackageVersions:
   linux-restricted-modules-3.19.0-15-generic N/A
   linux-backports-modules-3.19.0-15-generic N/A
   linux-firmware 1.143
  Tags: vivid
  Uname: Linux 3.19.0-15-generic x86_64
  UpgradeStatus: Upgraded to vivid on 2015-03-29 (24 days ago)
  UserGroups: adm docker libvirtd lpadmin sambashare sudo
  _MarkForUpload: True
  dmi.bios.date: 12/19/2012
  dmi.bios.vendor: LENOVO
  dmi.bios.version: 5ECN95WW(V9.00)
  dmi.board.asset.tag: No Asset
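
The denials quoted in the bug description above can be picked out of a kernel log mechanically. The following is an added example, not part of the original bug mail or of any Ubuntu tooling: it parses AppArmor audit records and counts those shaped like the ones in this report. The function names are hypothetical, and the match rule (operation="file_perm" with a name that has no leading "/") is an assumption drawn only from the log lines on this page, not a definitive signature of the kernel bug.

```python
import re
from collections import Counter

# Lines 1-3 are the denials quoted in the bug report (syslog and dmesg forms).
# Line 4 is constructed for contrast: an ordinary absolute-path file denial.
SAMPLE_LOG = """\
Jan 25 16:56:29 sec-vivid-amd64 kernel: [ 241.096168] audit: type=1400 audit(1453762589.727:29): apparmor="DENIED" operation="file_perm" profile="bug-profile" name="public/showq" pid=4923 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 25 16:56:29 sec-vivid-amd64 kernel: [ 241.096175] audit: type=1400 audit(1453762589.727:30): apparmor="DENIED" operation="file_perm" profile="bug-profile" name="public/showq" pid=4923 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[82140.386109] audit: type=1400 audit(1429661150.086:17067): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=27742 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 25 16:57:02 sec-vivid-amd64 kernel: [ 274.512300] audit: type=1400 audit(1453762622.143:31): apparmor="DENIED" operation="open" profile="example-profile" name="/var/log/mail.log" pid=4950 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# Header of a kernel AppArmor audit record: type 1400, then "timestamp:serial".
AUDIT_RE = re.compile(
    r'audit: type=1400 audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)'
)
# key="quoted value" or key=bare_value pairs in the record body.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the fields of an AppArmor DENIED record, or None for other lines."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    fields = {k: (q if q else u) for k, q, u in FIELD_RE.findall(m.group("body"))}
    if fields.get("apparmor") != "DENIED":
        return None
    # The (timestamp, serial) pair identifies one audit event, so the same
    # event seen in both syslog and dmesg is only counted once.
    fields["event_id"] = (m.group("ts"), int(m.group("serial")))
    return fields


def looks_like_bug_1446906(rec):
    """Assumed heuristic: file_perm denial on a name that is not an absolute path."""
    name = rec.get("name", "")
    return rec.get("operation") == "file_perm" and bool(name) and not name.startswith("/")


def summarize(log_text):
    """Count matching denials per (profile, comm, name), de-duplicated by event."""
    seen = set()
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec is None or rec["event_id"] in seen:
            continue
        seen.add(rec["event_id"])
        if looks_like_bug_1446906(rec):
            hits[(rec.get("profile"), rec.get("comm"), rec["name"])] += 1
    return hits


if __name__ == "__main__":
    for (profile, comm, name), count in summarize(SAMPLE_LOG).items():
        print(f"{count} denial(s): profile={profile} comm={comm} name={name}")
```

Matches on a kernel older than the fixed versions named in the later messages of this thread (3.19.0-51.57 for Vivid, 4.2.0-30.35 for Wily) point at the kernel rather than at the profile.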
[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq
** Branch linked: lp:~ubuntu-branches/ubuntu/trusty/linux-lts-wily/trusty-proposed

Status in linux package in Ubuntu:
  Fix Released
Status in lxc package in Ubuntu:
  Confirmed
Status in linux source package in Vivid:
  Fix Released
Status in lxc source package in Vivid:
  New
Status in linux source package in Wily:
  Fix Released
Status in lxc source package in Wily:
  New
Status in linux source package in Xenial:
  Fix Released
Status in lxc source package in Xenial:
  Confirmed
[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq
** Branch linked: lp:ubuntu/trusty-proposed/linux-lts-vivid
[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq
This bug was fixed in the package linux - 3.19.0-51.57

---------------
linux (3.19.0-51.57) vivid; urgency=low

  [ Seth Forshee ]

  * SAUCE: cred: Add clone_cred() interface
    - LP: #1531747, #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Use mounter's credentials instead of selectively raising caps
    - LP: #1531747, #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs
    - LP: #1531747, #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Be more careful about copying up sxid files
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Propogate nosuid from lower and upper mounts
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576

linux (3.19.0-50.56) vivid; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1540576

  [ J. R. Okajima ]

  * SAUCE: ubuntu: aufs: tiny, extract a new func xino_fwrite_wkq()
    - LP: #1533043
  * SAUCE: ubuntu: aufs: for 4.3, XINO handles EINTR from the dying process
    - LP: #1533043

  [ John Johansen ]

  * SAUCE: (no-up): apparmor: fix for failed mediation of socket that is being shutdown
    - LP: #1446906

  [ Upstream Kernel Changes ]

  * drivers/base/memory.c: fix kernel warning during memory hotplug on ppc64
    - LP: #1463654
  * sched/wait: Fix signal handling in bit wait helpers
    - LP: #1537859
  * sched/wait: Fix the signal handling fix
    - LP: #1537859
  * ARC: Fix silly typo in MAINTAINERS file
    - LP: #1537859
  * ip6mr: call del_timer_sync() in ip6mr_free_table()
    - LP: #1537859
  * gre6: allow to update all parameters via rtnl
    - LP: #1537859
  * atl1c: Improve driver not to do order 4 GFP_ATOMIC allocation
    - LP: #1537859
  * sctp: use the same clock as if sock source timestamps were on
    - LP: #1537859
  * sctp: update the netstamp_needed counter when copying sockets
    - LP: #1537859
  * sctp: also copy sk_tsflags when copying the socket
    - LP: #1537859
  * net: qca_spi: fix transmit queue timeout handling
    - LP: #1537859
  * ipv6: sctp: clone options to avoid use after free
    - LP: #1537859
  * net: add validation for the socket syscall protocol argument
    - LP: #1537859
  * sh_eth: fix kernel oops in skb_put()
    - LP: #1537859
  * net: fix IP early demux races
    - LP: #1537859
  * vlan: Fix untag operations of stacked vlans with REORDER_HEADER off
    - LP: #1537859
  * skbuff: Fix offset error in skb_reorder_vlan_header
    - LP: #1537859
  * pptp: verify sockaddr_len in pptp_bind() and pptp_connect()
    - LP: #1537859
  * bluetooth: Validate socket address length in sco_sock_bind().
    - LP: #1537859
  * fou: clean up socket with kfree_rcu
    - LP: #1537859
  * af_unix: Revert 'lock_interruptible' in stream receive code
    - LP: #1537859
  * KEYS: Fix race between read and revoke
    - LP: #1537859
  * tools: Add a "make all" rule
    - LP: #1537859
  * efi: Disable interrupts around EFI calls, not in the epilog/prolog calls
    - LP: #1537859
  * fuse: break infinite loop in fuse_fill_write_pages()
    - LP: #1537859
  * usb: gadget: pxa27x: fix suspend callback
    - LP: #1537859
  * iio: fix some warning messages
    - LP: #1537859
  * USB: cp210x: Remove CP2110 ID from compatibility list
    - LP: #1537859
  * USB: cdc_acm: Ignore Infineon Flash Loader utility
    - LP: #1537859
  * ext4: Fix handling of extended tv_sec
    - LP: #1537859
  * jbd2: Fix unreclaimed pages after truncate in data=journal mode
    - LP: #1537859
  * drm/ttm: Fixed a read/write lock imbalance
    - LP: #1537859
  * i2c: mv64xxx: The n clockdiv factor is 0 based on sunxi SoCs
    - LP: #1537859
  * AHCI: Fix softreset failed issue of Port Multiplier
    - LP: #1537859
  * sata_sil: disable trim
    - LP: #1537859
  * usb-storage: Fix scsi-sd failure "Invalid field in cdb" for USB adapter JMicron
    - LP: #1537859
  * staging: lustre: echo_copy.._lsm() dereferences userland pointers directly
    - LP: #1537859
  * irqchip/versatile-fpga: Fix PCI IRQ mapping on Versatile PB
    - LP: #1537859
  * usb: core : hub: Fix BOS 'NULL pointer' kernel panic
    - LP: #1537859
  * USB: whci-hcd: add check for dma mapping error
    - LP: #1537859
  * usb: Use the USB_SS_MULT() macro to decode burst multiplier for log message
    - LP: #1537859
  * xen/events/fifo: Consume unprocessed events when a CPU dies
    - LP: #1537859
  * dm btree: fix leak of bufio-backed block in btree_split_sibling error path
    - LP: #1537859
  * ARM: 8465/1: mm: keep reserved ASIDs in sync with mm after multiple rollovers
    - LP: #1537859
  * perf: Fix PERF_EVENT_IOC_PERIOD deadlock
    - LP: #1537859
  * usb: xhci: fix config fail of FS hub behind a HS hub with MTT
    - LP: #1537859
  * ALSA: rme96: Fix unexpected volume reset after rate changes
    - LP: #1537859
  * net: mvpp2: fix missing DMA region unmap in egress processing
[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq
This bug was fixed in the package linux - 4.2.0-30.35

---------------
linux (4.2.0-30.35) wily; urgency=low

  [ Seth Forshee ]

  * SAUCE: cred: Add clone_cred() interface
    - LP: #1531747, #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Use mounter's credentials instead of selectively raising caps
    - LP: #1531747, #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs
    - LP: #1531747, #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Be more careful about copying up sxid files
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Propogate nosuid from lower and upper mounts
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576

linux (4.2.0-29.34) wily; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1543167

  [ Brad Figg ]

  * Revert "SAUCE: apparmor: fix sleep from invalid context"
    - LP: #1542049

  [ Upstream Kernel Changes ]

  * Revert "af_unix: Revert 'lock_interruptible' in stream receive code"
    - LP: #1540731

linux (4.2.0-28.33) wily; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1540634

  [ Brad Figg ]

  * CONFIG: CONFIG_DEBUG_UART_BCM63XX is not set

  [ J. R. Okajima ]

  * SAUCE: ubuntu: aufs: tiny, extract a new func xino_fwrite_wkq()
    - LP: #1533043
  * SAUCE: ubuntu: aufs: for 4.3, XINO handles EINTR from the dying process
    - LP: #1533043

  [ John Johansen ]

  * SAUCE: (no-up): apparmor: fix for failed mediation of socket that is being shutdown
    - LP: #1446906
  * SAUCE: apparmor: fix sleep from invalid context
    - LP: #1539349

  [ Tim Gardner ]

  * [Config] Add pvpanic to virtual flavour
    - LP: #1537923

  [ Upstream Kernel Changes ]

  * Revert "ACPI / LPSS: allow to use specific PM domain during ->probe()"
    - LP: #1540532
  * tools: Add a "make all" rule
    - LP: #1536370
  * vf610_adc: Fix internal temperature calculation
    - LP: #1536370
  * iio: lpc32xx_adc: fix warnings caused by enabling unprepared clock
    - LP: #1536370
  * iio:ad5064: Make sure ad5064_i2c_write() returns 0 on success
    - LP: #1536370
  * iio: ad5064: Fix ad5629/ad5669 shift
    - LP: #1536370
  * iio:ad7793: Fix ad7785 product ID
    - LP: #1536370
  * iio: adc: vf610_adc: Fix division by zero error
    - LP: #1536370
  * mmc: mmc: Improve reliability of mmc_select_hs200()
    - LP: #1536370
  * mmc: mmc: Fix HS setting in mmc_select_hs400()
    - LP: #1536370
  * mmc: mmc: Move mmc_switch_status()
    - LP: #1536370
  * mmc: mmc: Improve reliability of mmc_select_hs400()
    - LP: #1536370
  * crypto: qat - don't use userspace pointer
    - LP: #1536370
  * iio: si7020: Swap data byte order
    - LP: #1536370
  * iio: adc: xilinx: Fix VREFN scale
    - LP: #1536370
  * ipmi: Start the timer and thread on internal msgs
    - LP: #1536370
  * drm/i915: quirk backlight present on Macbook 4, 1
    - LP: #1536370
  * drm/i915: get runtime PM reference around GEM set_caching IOCTL
    - LP: #1536370
  * drm/radeon: Disable uncacheable CPU mappings of GTT with RV6xx
    - LP: #1536370
  * drm/radeon: unconditionally set sysfs_initialized
    - LP: #1536370
  * drm/amdgpu: Fix default page access routing
    - LP: #1536370
  * USB: qcserial: Fix support for HP lt4112 LTE/HSPA+ Gobi 4G Modem
    - LP: #1536370
  * ext2, ext4: warn when mounting with dax enabled
    - LP: #1536370
  * arm64: mm: use correct mapping granularity under DEBUG_RODATA
    - LP: #1536370
  * drm/i915: Don't clobber the addfb2 ioctl params
    - LP: #1536370
  * arm64: kernel: pause/unpause function graph tracer in cpu_suspend()
    - LP: #1536370
  * usb: chipidea: debug: disable usb irq while role switch
    - LP: #1536370
  * xhci: Fix a race in usb2 LPM resume, blocking U3 for usb2 devices
    - LP: #1536370
  * fat: fix fake_offset handling on error path
    - LP: #1536370
  * kernel/signal.c: unexport sigsuspend()
    - LP: #1536370
  * parisc: Drop unused MADV_xxxK_PAGES flags from asm/mman.h
    - LP: #1536370
  * mmc: remove bondage between REQ_META and reliable write
    - LP: #1536370
  * stmmac: avoid ipq806x constant overflow warning
    - LP: #1536370
  * perf symbols: Fix dso lookup by long name and missing buildids
    - LP: #1536370
  * net/mlx4_core: Avoid returning success in case of an error flow
    - LP: #1536370
  * mtd: nand: fix shutdown/reboot for multi-chip systems
    - LP: #1536370
  * FS-Cache: Add missing initialization of ret in cachefiles_write_page()
    - LP: #1536370
  * ipvlan: fix leak in ipvlan_rcv_frame
    - LP: #1536370
  * ipvlan: fix use after free of skb
    - LP: #1536370
  * macvlan: fix leak in macvlan_handle_frame
    - LP: #1536370
  * ALSA: hda - Fix noise on Dell Latitude E6440
    - LP: #1536370
  * dm thin: restore requested 'error_if_no_space' setting on OODS to WRITE transition
    - LP: #1536370
  * ALSA: hda - Add
[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-vivid' to 'verification-done-vivid'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

** Tags added: verification-needed-vivid

** Tags added: verification-needed-wily

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1446906

Title:
  lxc container with postfix, permission denied on mailq

Status in linux package in Ubuntu: Fix Released
Status in lxc package in Ubuntu: Confirmed
Status in linux source package in Vivid: Fix Committed
Status in lxc source package in Vivid: New
Status in linux source package in Wily: Fix Committed
Status in lxc source package in Wily: New
Status in linux source package in Xenial: Fix Released
Status in lxc source package in Xenial: Confirmed

Bug description:
  [Impact]

   * Users may encounter situations where they use applications, confined by AppArmor, that hit EACCES failures when attempting to operate on AF_UNIX stream sockets.

   * These failures typically occur when the confined application attempts to read from an AF_UNIX stream socket when the other end of the socket has already been closed.

   * AppArmor is mistakenly denying the socket operations due to the socket shutdown operation making the sun_path no longer available for AppArmor mediation after the socket is shut down.

  [Test Case]

  The expected test case is:

  $ sudo apt-get install postfix # installing in 'local only' config is fine
  $ cat > bug-profile << EOF
  profile bug-profile flags=(attach_disconnected) {
    network,
    file,
  }
  EOF
  $ sudo apparmor_parser -r bug-profile
  $ aa-exec -p bug-profile -- mailq
  Mail queue is empty

  A failed test case will see the mailq command exit with an error:

  $ aa-exec -p bug-profile -- mailq
  postqueue: warning: close: Permission denied

  and these denials will be found in the syslog:

  Jan 25 16:56:29 sec-vivid-amd64 kernel: [ 241.096168] audit: type=1400 audit(1453762589.727:29): apparmor="DENIED" operation="file_perm" profile="bug-profile" name="public/showq" pid=4923 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Jan 25 16:56:29 sec-vivid-amd64 kernel: [ 241.096175] audit: type=1400 audit(1453762589.727:30): apparmor="DENIED" operation="file_perm" profile="bug-profile" name="public/showq" pid=4923 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

  [Regression Potential]

   * The changes are local to the path-based AF_UNIX stream socket mediation code so that limits the regression potential to some degree.

   * John Johansen authored the patch and I reviewed it. It is small and there are no obvious areas of concern to me regarding potential regressions.

  [Other Info]

   * None at this time

  [Original bug report]

  Hello, on three Vivid hosts, all of them up-to-date, I have the problem described here:

  https://bugs.launchpad.net/ubuntu/utopic/+source/linux/+bug/1390223

  That bug report shows the problem was fixed, but it is not (at least on current Vivid)

  ii linux-image-generic 3.19.0.15.14 amd64 Generic Linux kernel image
  ii lxc 1.1.2-0ubuntu3 amd64 Linux Containers userspace tools
  ii apparmor 2.9.1-0ubuntu9 amd64 User-space parser utility for AppArmor

  Reproducible with:

  $ sudo lxc-create -n test -t ubuntu
  $ sudo lxc-start -n test

  (inside container)
  $ sudo apt-get install postfix
  $ mailq
  postqueue: warning: close: Permission denied

  dmesg shows:

  [82140.386109] audit: type=1400 audit(1429661150.086:17067): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=27742 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

  ---
  ApportVersion: 2.17.2-0ubuntu1
  Architecture: amd64
  AudioDevicesInUse:
   USERPID ACCESS COMMAND
   /dev/snd/controlC0: zoolook1913 F pulseaudio
  CurrentDesktop: Unity
  DistroRelease: Ubuntu 15.04
  HibernationDevice: RESUME=UUID=aa25401d-0553-43dc-b7c8-c530fe245fb6
  InstallationDate: Installed on 2015-02-27 (53 days ago)
  InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1)
  MachineType: LENOVO 20150
  Package: linux (not installed)
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-3.19.0-15-generic root=/dev/mapper/ubuntu--vg-root ro cgroup_enable=memory swapaccount=1 quiet splash vt.handoff=7
  ProcVersionSignature: Ubuntu
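The sequence from [Impact], reduced to a stand-alone check (an added example, not code from the bug report or from the AppArmor patch): a client reads a path-based AF_UNIX stream socket after the peer has closed, and the result records whether any call failed with EACCES. The socket name and helper names are made up here; run it under `aa-exec -p bug-profile --` as in [Test Case] to compare kernels.

```python
"""Constructed check: read a path-based AF_UNIX stream socket after the peer closed."""
import errno
import os
import socket
import tempfile
import threading


def _serve_once(listener, payload):
    """Accept one client, send the payload, then close the connection."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(payload)


def read_after_peer_close(payload=b"Mail queue is empty\n"):
    """Return the data the client read and, if a call failed, its errno name."""
    result = {"data": b"", "error": None, "failed_call": None}
    with tempfile.TemporaryDirectory(prefix="aa-unix-") as workdir:
        # Hypothetical socket name; it only echoes the public/showq name in the logs.
        path = os.path.join(workdir, "showq")
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as listener:
            listener.bind(path)
            listener.listen(1)
            server = threading.Thread(
                target=_serve_once, args=(listener, payload), daemon=True
            )
            server.start()
            client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            step = "connect"
            try:
                client.connect(path)
                # Wait for the server side to finish, so the peer end is
                # already closed before the first read is issued.
                server.join()
                step = "read"
                while True:
                    chunk = client.recv(4096)
                    if not chunk:  # EOF: the normal result once the peer is gone
                        break
                    result["data"] += chunk
                step = "close"
                client.close()
            except OSError as exc:
                result["error"] = errno.errorcode.get(exc.errno, str(exc.errno))
                result["failed_call"] = step
            finally:
                client.close()  # no-op if the socket is already closed
    return result


def verdict(result):
    """Classify one run of read_after_peer_close()."""
    if result["error"] is None:
        return "ok"
    if result["error"] == "EACCES":
        return "denied at %s: same errno as the report" % result["failed_call"]
    return "failed at %s with %s" % (result["failed_call"], result["error"])


if __name__ == "__main__":
    print(verdict(read_after_peer_close()))
```

A run that prints a denial should be paired with the kernel log: the report's symptom is an apparmor="DENIED" operation="file_perm" record for the same pid.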
[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-wily' to 'verification-done-wily'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

Status in linux package in Ubuntu: Fix Released
Status in lxc package in Ubuntu: Confirmed
Status in linux source package in Vivid: Fix Committed
Status in lxc source package in Vivid: New
Status in linux source package in Wily: Fix Committed
Status in lxc source package in Wily: New
Status in linux source package in Xenial: Fix Released
Status in lxc source package in Xenial: Confirmed
[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq
This bug was fixed in the package linux - 4.4.0-2.16

---
linux (4.4.0-2.16) xenial; urgency=low

  [ Andy Whitcroft ]
  * Release Tracking Bug - LP: #1539090
  * SAUCE: hv: hv_set_ifconfig -- convert to python3 - LP: #1506521
  * SAUCE: dm: introduce a target_ioctl op to allow target specific ioctls - LP: #1538618

  [ Colin Ian King ]
  * SAUCE: ACPI / tables: Add acpi_force_32bit_fadt_addr option to force 32 bit FADT addresses (LP: #1529381) - LP: #1529381

  [ John Johansen ]
  * SAUCE: (no-up): apparmor: fix for failed mediation of socket that is being shutdown - LP: #1446906

  [ Mahesh Salgaonkar ]
  * SAUCE: Powernv: Remove the usage of PACAR1 from opal wrappers - LP: #1537881
  * SAUCE: powerpc/book3s: Fix TB corruption in guest exit path on HMI interrupt. - LP: #1537881
  * SAUCE: KVM: PPC: Book3S HV: Fix soft lockups in KVM on HMI for time base errors - LP: #1537881

  [ Paolo Pisati ]
  * SAUCE: arm64: errata: Add -mpc-relative-literal-loads to erratum #843419 build flags - LP: #1533009
  * [Config] MFD_TPS65217=y && REGULATOR_TPS65217=y
  * [Config] disable ARCH_ZX (ZTE ZX Soc)

  [ Tim Gardner ]
  * Revert "SAUCE: (noup) cxlflash: a couple off by one bugs"
  * SAUCE: (no-up) Update bnx2x firmware to 7.12.30.0 - LP: #1536719
  * SAUCE: drop obsolete bnx2x firmware
  * SAUCE: i40e: Silence 'may be used uninitialized' warnings - LP: #1536474
  * [Config] CONFIG_ZONE_DMA=y for amd64 lowlatency - LP: #1534647
  * [Config] Add pvpanic to virtual flavour - LP: #1537923
  * [Config] CONFIG_INTEL_PUNIT_IPC=m, CONFIG_INTEL_TELEMETRY=m - LP: #1520457

  [ Upstream Kernel Changes ]
  * i40evf: fix compiler warning of unused variable - LP: #1536474
  * intel: i40e: fix confused code - LP: #1536474
  * i40e/i40evf: remove unused tunnel parameter - LP: #1536474
  * i40e: Change BUG_ON to WARN_ON in service event complete - LP: #1536474
  * i40e: remove BUG_ON from feature string building - LP: #1536474
  * i40e: remove BUG_ON from FCoE setup - LP: #1536474
  * i40e: Workaround fix for mss < 256 issue - LP: #1536474
  * i40e/i40evf: Add a stat to track how many times we have to do a force WB - LP: #1536474
  * i40e: Move the saving of old link info from handle_link_event to link_event - LP: #1536474
  * i40e/i40evf: Add comment to #endif - LP: #1536474
  * i40e/i40evf: clean up error messages - LP: #1536474
  * i40evf: handle many MAC filters correctly - LP: #1536474
  * i40e: return the number of enabled queues for ETHTOOL_GRXRINGS - LP: #1536474
  * i40e: rework the functions to configure RSS with similar parameters - LP: #1536474
  * i40e: create a generic configure rss function - LP: #1536474
  * i40e: Bump version to 1.4.2 - LP: #1536474
  * i40e: add new fields to store user configuration - LP: #1536474
  * i40e: rename rss_size to alloc_rss_size in i40e_pf - LP: #1536474
  * i40e/i40evf: Fix RS bit update in Tx path and disable force WB workaround - LP: #1536474
  * i40e/i40evf: prefetch skb data on transmit - LP: #1536474
  * i40evf: rename VF adapter specific RSS function - LP: #1536474
  * i40evf: create a generic config RSS function - LP: #1536474
  * i40evf: create a generic get RSS function - LP: #1536474
  * i40evf: add new fields to store user configuration of RSS - LP: #1536474
  * i40e: Update error messaging - LP: #1536474
  * i40e: fix confusing message - LP: #1536474
  * i40e: make error message more useful - LP: #1536474
  * i40evf: quoth the VF driver, Nevermore - LP: #1536474
  * i40evf: allocate queue vectors dynamically - LP: #1536474
  * i40evf: allocate ring structs dynamically - LP: #1536474
  * i40e/i40evf: Bump i40e version to 1.4.4 and i40evf to 1.4.1 - LP: #1536474
  * i40e: fix: do not sleep in netdev_ops - LP: #1536474
  * i40e: remove unused argument - LP: #1536474
  * i40evf: increase max number of queues - LP: #1536474
  * i40evf: set real num queues - LP: #1536474
  * i40evf: remove duplicate string - LP: #1536474
  * i40e: Detection and recovery of TX queue hung logic moved to service_task from tx_timeout - LP: #1536474
  * i40e: Fix memory leaks, sideband filter programming - LP: #1536474
  * i40evf: don't use atomic allocation - LP: #1536474
  * i40e: propagate properly - LP: #1536474
  * i40evf: use correct types - LP: #1536474
  * i40e: use priv flags to control packet split - LP: #1536474
  * i40e: Remove separate functions gathering XOFF Rx stats - LP: #1536474
  * i40e: fix whitespace - LP: #1536474
  * i40e/i40evf: use logical operator - LP: #1536474
  * i40e/i40evf: Bump version to 1.4.7 for i40e and 1.4.3 for i40evf - LP: #1536474
  * i40e: trivial fixes - LP: #1536474
  * i40e: Fix i40e_print_features() VEB mode output - LP: #1536474
  * i40e: chomp the
[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq
** Changed in: linux (Ubuntu Vivid)
       Status: In Progress => Fix Committed

** Changed in: linux (Ubuntu Wily)
       Status: In Progress => Fix Committed

Status in linux package in Ubuntu: Fix Committed
Status in lxc package in Ubuntu: Confirmed
Status in linux source package in Vivid: Fix Committed
Status in lxc source package in Vivid: New
Status in linux source package in Wily: Fix Committed
Status in lxc source package in Wily: New
Status in linux source package in Xenial: Fix Committed
Status in lxc source package in Xenial: Confirmed
[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq
** Changed in: linux (Ubuntu Xenial)
   Importance: Undecided => Medium

Status in linux package in Ubuntu: Fix Committed
Status in lxc package in Ubuntu: Confirmed
Status in linux source package in Vivid: In Progress
Status in lxc source package in Vivid: New
Status in linux source package in Wily: In Progress
Status in lxc source package in Wily: New
Status in linux source package in Xenial: Fix Committed
Status in lxc source package in Xenial: Confirmed
[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq
** Description changed: + [Impact] + + * Users may encounter situations where they use applications, confined by +AppArmor, that hit EACESS failures when attempting to operate on AF_UNIX +stream sockets. + + * These failures typically occur when the confined applications attempts to +read from an AF_UNIX stream socket when the other end of the socket has +already been closed. + + * AppArmor is mistakenly denying the socket operations due to the socket +shutdown operation making the sun_path no longer being available for +AppArmor mediation after the socket is shutdown. + + [Test Case] + + The expected test case is: + + $ sudo apt-get install postfix # installing in 'local only' config is fine + $ cat > bug-profile << EOF + profile bug-profile flags=(attach_disconnected) { +network, +file, + } + EOF + $ sudo apparmor_parser -r bug.profile + $ aa-exec -p bug-profile -- mailq + Mail queue is empty + + A failed test case will see the mailq command exit with an error: + + $ aa-exec -p bug-profile -- mailq + postqueue: warning: close: Permission denied + + and these denials will be found in the syslog: + + Jan 25 16:56:29 sec-vivid-amd64 kernel: [ 241.096168] audit: type=1400 audit(1453762589.727:29): apparmor="DENIED" operation="file_perm" profile="bug-profile" name="public/showq" pid=4923 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 + Jan 25 16:56:29 sec-vivid-amd64 kernel: [ 241.096175] audit: type=1400 audit(1453762589.727:30): apparmor="DENIED" operation="file_perm" profile="bug-profile" name="public/showq" pid=4923 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 + + [Regression Potential] + + * The changes are local to the path-based AF_UNIX stream socket mediation code +so that limits the regression potential to some degree. + + * John Johansen authored the patch and I reviewed it. It is small and there's +no obvious areas of concern to me regarding potential regressions. 
+ + [Other Info] + + * None at this time + + [Original bug report] + Hello, on three Vivid host, all of them up-to-date, I have the problem described here: https://bugs.launchpad.net/ubuntu/utopic/+source/linux/+bug/1390223 That bug report shows the problem was fixed, but it is not (at least on current Vivid) - ii linux-image-generic 3.19.0.15.14 amd64 Generic Linux kernel image ii lxc 1.1.2-0ubuntu3 amd64 Linux Containers userspace tools ii apparmor2.9.1-0ubuntu9 amd64 User-space parser utility for AppArmor - Reproducible with: $ sudo lxc-create -n test -t ubuntu $ sudo lxc-start -n test (inside container) $ sudo apt-get install postfix $ mailq postqueue: warning: close: Permission denied - dmesg shows: [82140.386109] audit: type=1400 audit(1429661150.086:17067): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=27742 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 - --- + --- ApportVersion: 2.17.2-0ubuntu1 Architecture: amd64 AudioDevicesInUse: - USERPID ACCESS COMMAND - /dev/snd/controlC0: zoolook1913 F pulseaudio + USERPID ACCESS COMMAND + /dev/snd/controlC0: zoolook1913 F pulseaudio CurrentDesktop: Unity DistroRelease: Ubuntu 15.04 HibernationDevice: RESUME=UUID=aa25401d-0553-43dc-b7c8-c530fe245fb6 InstallationDate: Installed on 2015-02-27 (53 days ago) InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1) MachineType: LENOVO 20150 Package: linux (not installed) ProcFB: 0 inteldrmfb ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-3.19.0-15-generic root=/dev/mapper/ubuntu--vg-root ro cgroup_enable=memory swapaccount=1 quiet splash vt.handoff=7 ProcVersionSignature: Ubuntu 3.19.0-15.15-generic 3.19.3 RelatedPackageVersions: - linux-restricted-modules-3.19.0-15-generic N/A - linux-backports-modules-3.19.0-15-generic N/A - linux-firmware 1.143 + linux-restricted-modules-3.19.0-15-generic N/A + linux-backports-modules-3.19.0-15-generic N/A + linux-firmware 1.143 Tags: vivid Uname: 
Linux 3.19.0-15-generic x86_64 UpgradeStatus: Upgraded to vivid on 2015-03-29 (24 days ago) UserGroups: adm docker libvirtd lpadmin sambashare sudo _MarkForUpload: True dmi.bios.date: 12/19/2012 dmi.bios.vendor: LENOVO dmi.bios.version: 5ECN95WW(V9.00) dmi.board.asset.tag: No Asset Tag dmi.board.name: INVALID dmi.board.vendor: LENOVO dmi.board.version: 3194WIN8 STD SGL dmi.chassis.asset.tag: No Asset Tag dmi.chassis.type: 10 dmi.chassis.vendor: LENOVO dmi.chassis.version: Lenovo G580 dmi.modalias:
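Review bot: In the added [Test Case] steps, the heredoc writes the profile to bug-profile, but the next command loads it with apparmor_parser -r bug.profile, a file the steps never create, so the test case fails at the load step when followed as written; use one filename in both commands. In the added [Impact] text the errno is spelled EACESS; the constant is EACCES, and the misspelling makes the description harder to find by search. The rest of the change is whitespace-only churn in the Apport fields (AudioDevicesInUse, RelatedPackageVersions), which could be left out of the description edit.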
[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq
** Also affects: linux (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: lxc (Ubuntu Xenial)
   Importance: Medium
       Status: Confirmed

** Also affects: linux (Ubuntu Vivid)
   Importance: Undecided
       Status: New

** Also affects: lxc (Ubuntu Vivid)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Wily)
   Importance: Undecided
       Status: New

** Also affects: lxc (Ubuntu Wily)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu Vivid)
       Status: New => In Progress

** Changed in: linux (Ubuntu Vivid)
     Assignee: (unassigned) => Tim Gardner (timg-tpi)

** Changed in: linux (Ubuntu Wily)
       Status: New => In Progress

** Changed in: linux (Ubuntu Wily)
     Assignee: (unassigned) => Tim Gardner (timg-tpi)

** Changed in: linux (Ubuntu Xenial)
       Status: New => Fix Committed

** Changed in: linux (Ubuntu Xenial)
     Assignee: (unassigned) => Tim Gardner (timg-tpi)

Status in linux package in Ubuntu: Fix Committed
Status in lxc package in Ubuntu: Confirmed
Status in linux source package in Vivid: In Progress
Status in lxc source package in Vivid: New
Status in linux source package in Wily: In Progress
Status in lxc source package in Wily: New
Status in linux source package in Xenial: Fix Committed
Status in lxc source package in Xenial: Confirmed
[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq
@jjohansen, I've tested your build and can confirm it fixes the issue.

  root@host:~# uname -a
  Linux host 3.19.0-31-generic #36+lp1446906v3 SMP Fri Dec 18 08:37:50 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

  root@lxc:~# mailq
  Mail queue is empty

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1446906

Title:
  lxc container with postfix, permission denied on mailq

Status in lxc package in Ubuntu:
  Confirmed

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1446906/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq
Kernels with version 3 of the fix can be found at

http://people.canonical.com/~jj/lp1446906/

please test and leave feedback as to whether this fixes the issue
[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq
I encountered this problem too on Ubuntu 15.04 running the 3.19.0-39 kernel. Fixed it by turning off the apparmor profile for the LXC container by adding "lxc.aa_profile = unconfined" to the container's config. In my case the increased security risk is acceptable, but it's desirable to fix it the right way.

Is there any information in what kernel version it will be fixed and when these updates will be available in the standard Ubuntu repositories?
[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq
@astatutov, Could you please test the kernels posted in comment #28?

@jjohansen, confused, why is this bug not marked as affecting linux? Is there a reason?
[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq
Please try the test kernels at

http://people.canonical.com/~jj/lp1446906/
[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq
Making this bug NOT a duplicate of Bug 1390223, which will be for just the bad unix_fs macro fix that has already been committed. This one will track the deleted entry/socket shutdown revalidation issue.

** This bug is no longer a duplicate of bug 1390223
   Apparmor related regression on access to unix sockets on a candidate 3.16 backport kernel
[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq
*** This bug is a duplicate of bug 1390223 ***
    https://bugs.launchpad.net/bugs/1390223

Alright, so this is not the disconnected path issue I thought it was, I am looking into it more.
[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq
Alright, this is failing the way it is because it is a race on the socket being shutdown. If the mediate_deleted flag was removed from the profile, an additional info flag would show up in the DENIED message.

  info="Failed name lookup - deleted entry"

I am still looking into how to best fix
[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq
yes, sorry I'm not sure why I missed adding the leading /
[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq
nearly correct - the rule needs to be

  /public/showq r,

(note the leading "/")
[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq
*** This bug is a duplicate of bug 1390223 ***
    https://bugs.launchpad.net/bugs/1390223

The issue is that the path is disconnected from the namespace. Currently the only way to deal with this is by using the attach_disconnect flag in the profile, and then place rules for the attached files into the profile

eg.

  profile lxc-container-default flags=(attach_disconnected) {
    public/showq r,
    ...
  }
[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq
*** This bug is a duplicate of bug 1390223 ***
    https://bugs.launchpad.net/bugs/1390223

This is not actually a container problem but an apparmor3 problem. You can reproduce it by using aa-exec on the host (with any profile) starting with commit b3c3d641f1de (UBUNTU: SAUCE: (no-up) apparmor: Sync to apparmor3 - RC1 snapshot) of the wily kernel: see
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/wily/log/security/apparmor

Also if I change my postfix service files on my host to use aa-exec so they're even in the same profile and then run mailq with aa-exec, or even just socat on that socket, the connect() will succeed, the read() will EACCES.

We also managed to hit the case described in 1390223 where executing mailq in a loop will *sometimes* succeed (though I could not myself reproduce this on my host machine.) We do have a server where it fails in only *some* containers (the only significant difference between them is that one set is 32 bit and one is 64 bit, but I couldn't reproduce that by simply running 32 bit postfix binaries on the host, so the differences might go beyond that).

Here's an example session with the wily kernel and postfix on a host modified to spawn with aa-exec:

# ps aux |grep postfix
root       556  0.0  0.5 108108  5124 ?        Ss   10:21   0:00 /usr/lib/postfix/bin/master -w
postfix    557  0.0  0.6 110176  6868 ?        S    10:21   0:00 pickup -l -t unix -u
postfix    558  0.0  0.6 110224  6768 ?        S    10:21   0:00 qmgr -l -t unix -u
postfix    560  0.0  0.6 110176  6808 ?        S    10:21   0:00 showq -t unix -u

# aa-status |grep -A5 'processes are in enforce mode.'
4 processes are in enforce mode.
   lxc-container-default (556)
   lxc-container-default (557)
   lxc-container-default (558)
   lxc-container-default (560)
0 processes are in complain mode.

# lsof -n |grep showq
master 556 root 61u unix 0x88003c99e000 0t0 12486 public/showq type=STREAM

# aa-exec -p lxc-container-default -- mailq
postqueue: warning: close: Permission denied

# aa-exec -p lxc-container-default -- socat UNIX:/var/spool/postfix/public/showq -
2015/11/03 10:23:48 socat[597] E read(5, 0x2103a00, 8192): Permission denied

# strace -f -- aa-exec -p lxc-container-default -- mailq
(...)
socket(PF_LOCAL, SOCK_STREAM, 0) = 4
fcntl(4, F_GETFL) = 0x2 (flags O_RDWR)
fcntl(4, F_SETFL, O_RDWR) = 0
connect(4, {sa_family=AF_LOCAL, sun_path="public/showq"}, 110) = 0
poll([{fd=4, events=POLLIN}], 1, 360) = 1 ([{fd=4, revents=POLLIN|POLLHUP}])
read(4, 0x5606d5407f00, 4096) = -1 EACCES (Permission denied)

log:
Nov 03 10:25:08 akern audit[643]: AVC apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=643 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 03 10:25:08 akern audit[643]: AVC apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=643 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 03 10:25:08 akern audit[643]: SYSCALL arch=c03e syscall=0 success=no exit=-13 a0=4 a1=55bdbc538f00 a2=1000 a3=3dc items=0 ppid=433 pid=643 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=75 sgid=75 fsgid=75 tty=pts3 ses=3 comm="postqueue" exe="/usr/bin/postqueue" key=(null)
Nov 03 10:25:08 akern audit: PROCTITLE proctitle=706F73747175657565002D70
Nov 03 10:25:08 akern postfix/postqueue[643]: warning: close: Permission denied
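The denials quoted in this thread appear in three shapes (dmesg, journald "AVC" records, and an archive copy with the quotes stripped), and all log name="public/showq" without a leading "/". The following is an added example, not part of any message in the thread and not AppArmor tooling: it groups such denials and marks relative names as disconnected paths. The function names are hypothetical, the "no leading slash means disconnected" rule is a heuristic taken from the diagnosis in this thread, and the sample log is built from lines quoted here plus one constructed absolute-path denial.

```python
import re
from collections import Counter

# Sample input: denial lines quoted in this thread (dmesg form, journald "AVC"
# form logged twice, and an archive copy with the quotes stripped), plus one
# constructed absolute-path denial and a non-audit line for contrast.
SAMPLE_LOG = """\
[82140.386109] audit: type=1400 audit(1429661150.086:17067): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=27742 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 03 10:25:08 akern audit[643]: AVC apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=643 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 03 10:25:08 akern audit[643]: AVC apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=643 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[82140.386109] audit: type=1400 audit(1429661150.086:17067): apparmor=DENIED operation=file_perm profile=lxc-container-default name=public/showq pid=27742 comm=postqueue requested_mask=r denied_mask=r fsuid=1000 ouid=0
Nov 03 10:25:09 akern audit[700]: AVC apparmor="DENIED" operation="open" profile="lxc-container-default" name="/srv/example/data.txt" pid=700 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 03 10:25:08 akern postfix/postqueue[643]: warning: close: Permission denied
"""

# key=value pairs; values are either double-quoted or a bare token.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the audit fields of an AppArmor DENIED record, or None."""
    fields = {}
    for match in FIELD.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields if fields.get("apparmor") == "DENIED" else None


def is_disconnected(denial):
    """Heuristic (assumption): a logged name without a leading "/" could not
    be resolved from the namespace root, i.e. a disconnected path."""
    name = denial.get("name", "")
    return bool(name) and not name.startswith("/")


def summarise(log_text):
    """Count denials per (profile, operation, name, comm, mask, disconnected)."""
    counts = Counter()
    for line in log_text.splitlines():
        denial = parse_denial(line)
        if denial is None:
            continue
        key = (denial.get("profile"), denial.get("operation"), denial.get("name"),
               denial.get("comm"), denial.get("denied_mask"), is_disconnected(denial))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (profile, op, name, comm, mask, disc), n in summarise(SAMPLE_LOG).most_common():
        kind = "disconnected path" if disc else "resolved path"
        print(f"{n}x {profile}: {comm} {op} {name!r} mask={mask} [{kind}]")
```

A group flagged as a disconnected path on a socket that connect() already reached is worth checking against the kernel fix status of bug 1390223 before any profile rule is widened.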
[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq
*** This bug is a duplicate of bug 1390223 ***
    https://bugs.launchpad.net/bugs/1390223

So I ran postfix' master process with strace to see what it does, didn't find anything out of the ordinary, however, this way the read() succeeded 15 out of 20 times, only 5 EACCES. The strace output of postfix' master is the same in both cases. So maybe this helps with reproducing the issue.
[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq
*** This bug is a duplicate of bug 1390223 ***
    https://bugs.launchpad.net/bugs/1390223

** Changed in: lxc (Ubuntu)
       Status: Incomplete => Confirmed

** This bug has been marked a duplicate of bug 1390223
   Apparmor related regression on access to unix sockets on a candidate 3.16 backport kernel
[Touch-packages] [Bug 1446906] Re: lxc container with postfix, permission denied on mailq
Q: What's status incomplete?

Thanks

** Package changed: linux (Ubuntu) => lxc (Ubuntu)