** Description changed:

- Running tcpdump inside of a LXD container results in tcpdump immediately
- segfaulting due to an AppArmor denial preventing /usr/sbin/tcpdump from
- being mapped.
+ [Impact]
+ Running tcpdump inside of a Yakkety LXD container, with a Yakkety host,
+ results in tcpdump immediately segfaulting due to an AppArmor denial
+ preventing /usr/sbin/tcpdump from being mapped.
+ 
+ This change in behavior is caused by the following upstream kernel
+ change:
+ 
+ commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46
+ Date:   Mon Aug 22 16:41:46 2016 -0700
+ 
+     binfmt_elf: switch to new creds when switching to new mm
+ 
+ [Test Case]
+ 
+ tyhicks@host:~$ lxc launch ubuntu-daily:devel yakkety
  tyhicks@host:~$ lxc exec yakkety bash
+ root@yakkety:~# apt-get update && apt-get dist-upgrade -y
+ ...
  root@yakkety:~# tcpdump -i eth0
  Segmentation fault
  
- This AppArmor denial can be seen in the logs:
+ The logs will contain the following AppArmor denial:
  
  audit: type=1400 audit(1476204029.500:186): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-yakkety_<var-lib-lxd>" profile="/usr/sbin/tcpdump" name="/usr/sbin/tcpdump" pid=16746 comm="tcpdump" requested_mask="m" denied_mask="m" fsuid=296608 ouid=296608
  
- This is caused by the following upstream kernel change:
+ The bug fix can be verified by tcpdump working as intended (capturing
+ network traffic) with no AppArmor denial for mapping the
+ /usr/sbin/tcpdump file.
  
- commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46
- Date:   Mon Aug 22 16:41:46 2016 -0700
+ [Regression Potential]
  
- binfmt_elf: switch to new creds when switching to new mm
+ * Low. The fix is simply adding an additional file permission in the
+ tcpdump AppArmor profile. The only regression potential comes from
+ tcpdump being built in yakkety for the first time. However, a build log
+ comparison shows that there are no compiler flag changes or any other
+ unexpected churn in the build log.
+ 
+ [Other Info]
+ 
+ * Other tcpdump AppArmor denials, related to accessing the D-Bus system
+ bus and/or the systemd-resolved D-Bus API, will be seen in the logs
+ until a fix for bug #1598759 is in place. Those denials are documented
+ in the following comment:
+ 
+ - https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1598759/comments/14
-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1632399

Title:
  AppArmor confinement change in 4.8 and newer kernels causes segfault
  inside LXD containers

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tcpdump/+bug/1632399/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
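As an added example, not part of the bug report above nor of the tcpdump or AppArmor packages, the following Python script parses AppArmor audit lines of the kind quoted in the Test Case. It keeps only `apparmor="DENIED"` events, recovers the LXD container name from the nested policy `namespace` field, and turns a plain file denial into the minimal profile rule that would allow it (for the quoted line, `/usr/sbin/tcpdump m,`, the kind of file permission the Regression Potential section describes). Exec denials and D-Bus denials (the ones the Other Info section points to bug #1598759 for) are deliberately skipped, since those need hand-written rules. The second log line in the sample and every function name are constructed for this example.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample log. Line 1 is the denial quoted in the bug report.
# Line 2 is a made-up complain-mode ("ALLOWED") entry a denial filter must skip.
SAMPLE_LOG = """\
audit: type=1400 audit(1476204029.500:186): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-yakkety_<var-lib-lxd>" profile="/usr/sbin/tcpdump" name="/usr/sbin/tcpdump" pid=16746 comm="tcpdump" requested_mask="m" denied_mask="m" fsuid=296608 ouid=296608
audit: type=1400 audit(1476204030.100:187): apparmor="ALLOWED" operation="open" profile="/usr/sbin/tcpdump" name="/etc/ld.so.cache" pid=16746 comm="tcpdump" requested_mask="r" denied_mask="r" fsuid=296608 ouid=0
"""

# key=value pairs; the value is either double-quoted or a bare token.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# File permission letters in the order the AppArmor policy language lists them.
_PERM_ORDER = "rwalkm"


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split one audit line into a dict of its key=value fields."""
    return {key: (quoted or bare) for key, quoted, bare in _KV.findall(line)}


def denials(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Keep only AppArmor (type=1400) events whose status is DENIED."""
    events = []
    for line in lines:
        ev = parse_audit_line(line)
        if ev.get("type") == "1400" and ev.get("apparmor") == "DENIED":
            events.append(ev)
    return events


def container_name(event: Dict[str, str]) -> Optional[str]:
    """Return the LXD container name encoded in the policy namespace, or None.

    LXD confines each container in a child namespace of the host's "root"
    namespace, named "lxd-<container>_<storage path>" (see the quoted denial).
    """
    ns = event.get("namespace", "")
    if "//" not in ns:
        return None
    leaf = ns.rsplit("//", 1)[1]
    return leaf.split("_", 1)[0]


def suggest_file_rule(event: Dict[str, str]) -> Optional[str]:
    """Derive the minimal file rule that would allow a plain file denial.

    Returns None for anything that is not a file denial (D-Bus and network
    events carry "bus"/"family" fields) and for exec denials, which need a
    deliberate transition choice (ix/px/ux) rather than an automatic rule.
    """
    if "name" not in event or "bus" in event or "family" in event:
        return None
    mask = set(event.get("denied_mask", ""))
    if not mask or "x" in mask:
        return None
    # create/delete style masks are satisfied by write permission
    mask = {"w" if letter in "cd" else letter for letter in mask}
    perms = "".join(p for p in _PERM_ORDER if p in mask)
    if not perms:
        return None
    return f'{event["name"]} {perms},'


def report(lines: Iterable[str]) -> List[Dict[str, Optional[str]]]:
    """Summarise every denial: container, profile, operation, suggested rule."""
    return [
        {
            "container": container_name(ev),
            "profile": ev.get("profile"),
            "operation": ev.get("operation"),
            "rule": suggest_file_rule(ev),
        }
        for ev in denials(lines)
    ]


if __name__ == "__main__":
    for row in report(SAMPLE_LOG.splitlines()):
        print(row)
```

Run against a real journal (`journalctl -k | grep apparmor=` or the audit log) the suggested rules are a starting point for review, not something to append to a profile blindly: a rule derived from a denial grants exactly what the confined program tried to do, so each one should be checked against what the program legitimately needs.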