apparmor: checkpoint_restore capability missing with 5.10

Bug #1908417 reported by Andrea Righi
Affects | Status | Importance | Assigned to | Milestone
AppArmor | New | Undecided | Unassigned |

Bug Description

Running apparmor's autopkgtest on the latest 5.10 kernel shows the following error:

autopkgtest [10:55:41]: test test-installed: [-----------------------
Running tests in /tmp/tmp.SG9iRdceka/binutils
cc -g -O2 -pipe -Wall -Wsign-compare -Wmissing-field-initializers -Wformat -Wformat-security -Wunused-parameter -Wimplicit-fallthrough -DPACKAGE=\"aa-binutils\" -DLOCALEDIR=\"/usr/share/locale\" -o aa-enabled aa_enabled.c -Wl,-Bstatic -lapparmor -Wl,-Bdynamic -lpthread
cc -g -O2 -pipe -Wall -Wsign-compare -Wmissing-field-initializers -Wformat -Wformat-security -Wunused-parameter -Wimplicit-fallthrough -DPACKAGE=\"aa-binutils\" -DLOCALEDIR=\"/usr/share/locale\" -o aa-exec aa_exec.c -Wl,-Bstatic -lapparmor -Wl,-Bdynamic -lpthread
cc -g -O2 -pipe -Wall -Wsign-compare -Wmissing-field-initializers -Wformat -Wformat-security -Wunused-parameter -Wimplicit-fallthrough -DPACKAGE=\"aa-binutils\" -DLOCALEDIR=\"/usr/share/locale\" -o aa-features-abi aa_features_abi.c -Wl,-Bstatic -lapparmor -Wl,-Bdynamic -lpthread
cc -g -O2 -pipe -Wall -Wsign-compare -Wmissing-field-initializers -Wformat -Wformat-security -Wunused-parameter -Wimplicit-fallthrough -DPACKAGE=\"aa-binutils\" -DLOCALEDIR=\"/usr/share/locale\" -c -o cJSON.o cJSON.c
cc -g -O2 -pipe -Wall -Wsign-compare -Wmissing-field-initializers -Wformat -Wformat-security -Wunused-parameter -Wimplicit-fallthrough -DPACKAGE=\"aa-binutils\" -DLOCALEDIR=\"/usr/share/locale\" -o aa-status aa_status.c -Wl,-Bstatic -lapparmor -Wl,-Bdynamic -lpthread cJSON.o
no tests atm
Running tests in /tmp/tmp.SG9iRdceka/parser
g++ -g -O2 -pipe -D_GNU_SOURCE -Wall -Wall -Wsign-compare -Wmissing-field-initializers -Wformat -Wformat-security -Wunused-parameter -Wimplicit-fallthrough -std=gnu++0x -DHAVE_REALLOCARRAY=1 -DPACKAGE=\"apparmor-parser\" -DLOCALEDIR=\"/usr/share/locale\" -c -o parser_common.o parser_common.c
g++ -g -O2 -pipe -D_GNU_SOURCE -Wall -Wall -Wsign-compare -Wmissing-field-initializers -Wformat -Wformat-security -Wunused-parameter -Wimplicit-fallthrough -std=gnu++0x -DHAVE_REALLOCARRAY=1 -DPACKAGE=\"apparmor-parser\" -DLOCALEDIR=\"/usr/share/locale\" -c -o parser_include.o parser_include.c
g++ -g -O2 -pipe -D_GNU_SOURCE -Wall -Wall -Wsign-compare -Wmissing-field-initializers -Wformat -Wformat-security -Wunused-parameter -Wimplicit-fallthrough -std=gnu++0x -DHAVE_REALLOCARRAY=1 -DPACKAGE=\"apparmor-parser\" -DLOCALEDIR=\"/usr/share/locale\" -c -o parser_interface.o parser_interface.c
bison -d --define=parse.error=verbose -o parser_yacc.c parser_yacc.y
flex -B -v --noyy_top_state -oparser_lex.c parser_lex.l
parser_lex.l:716: undeclared start condition RLIMIT_MODEINCLUDE
flex version 2.6.4 usage statistics:
  scanner options: -svB8 -Cem -oparser_lex.c
  1195/2000 NFA states
  511/1000 DFA states (5205 words)
  82 rules
  Compressed tables always back-up
  22/40 start conditions
  622 epsilon states, 453 double epsilon states
  133/200 character classes needed 4635/4750 words of storage, 0 reused
  21262 state/nextstate pairs created
  2231/19031 unique/duplicate transitions
  623/1000 base-def entries created
  4120/6000 (peak 8283) nxt-chk entries created
  2240/7500 (peak 6272) template nxt-chk entries created
  352 empty table entries
  128 protos created
  112 templates created, 282 uses
  56/256 equivalence classes created
  20/256 meta-equivalence classes created
  0 (49 saved) hash collisions, 1765 DFAs equal
  22 sets of reallocations needed
  9798 total table entries needed
g++ -g -O2 -pipe -D_GNU_SOURCE -Wall -Wall -Wsign-compare -Wmissing-field-initializers -Wformat -Wformat-security -Wunused-parameter -Wimplicit-fallthrough -std=gnu++0x -DHAVE_REALLOCARRAY=1 -DPACKAGE=\"apparmor-parser\" -DLOCALEDIR=\"/usr/share/locale\" -c -o parser_lex.o parser_lex.c
g++ -g -O2 -pipe -D_GNU_SOURCE -Wall -Wall -Wsign-compare -Wmissing-field-initializers -Wformat -Wformat-security -Wunused-parameter -Wimplicit-fallthrough -std=gnu++0x -DHAVE_REALLOCARRAY=1 -DPACKAGE=\"apparmor-parser\" -DLOCALEDIR=\"/usr/share/locale\" -c -o parser_main.o parser_main.c
../common/list_capabilities.sh | LC_ALL=C sed -n -e "s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE\},\\n/pg" > generated_cap_names.h
+{"checkpoint_restore", CAP_CHECKPOINT_RESTORE, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
Error: new capabilities detected please update base_cap_names.h with values from generated_cap_names.h

Adding the following line to base_cap_names.h seems to fix the problem:

 {"checkpoint_restore", CAP_CHECKPOINT_RESTORE, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
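
The failing check above compares the capabilities defined by the kernel headers with the rows of base_cap_names.h. The following is an added example, not AppArmor's own scripts: the header and table contents are constructed samples, and matching on the CAP_ symbol instead of diffing whole rows is an assumption of this example.

```shell
#!/bin/sh
# Added example: find capabilities defined by kernel headers but absent from
# the parser's table. All inputs below are constructed samples.

# CAP_* names that have a plain numeric value; macros such as CAP_LAST_CAP or
# CAP_TO_INDEX(x) are skipped because they are not capabilities themselves.
header_caps() {
    awk '$1 == "#define" && $2 ~ /^CAP_[A-Z0-9_]+$/ && $3 ~ /^[0-9]+$/ { print $2 }' "$1"
}

# CAP_* symbol (second field) of each row in a base_cap_names.h-style table.
table_caps() {
    sed -n 's/^[[:space:]]*{"[a-z0-9_]*",[[:space:]]*\(CAP_[A-Z0-9_]*\),.*/\1/p' "$1"
}

# Print a table row, in the format shown in the report, for every capability
# in header file $1 that the table file $2 lacks.
missing_rows() {
    known=$(mktemp) || return 1
    table_caps "$2" > "$known"
    header_caps "$1" | grep -vxF -f "$known" | LC_ALL=C sort | while read -r cap; do
        name=$(printf '%s' "${cap#CAP_}" | tr '[:upper:]' '[:lower:]')
        printf '{"%s", %s, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},\n' "$name" "$cap"
    done
    rm -f "$known"
}

# Constructed header (as a 5.10-era capability.h would define) and a table
# that predates CAP_CHECKPOINT_RESTORE.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/capability.h" <<'EOF'
#define CAP_CHOWN            0
#define CAP_PERFMON          38
#define CAP_BPF              39
#define CAP_CHECKPOINT_RESTORE 40
#define CAP_LAST_CAP         CAP_CHECKPOINT_RESTORE
#define CAP_TO_INDEX(x)      ((x) >> 5)
EOF
    cat > "$dir/base_cap_names.h" <<'EOF'
{"chown", CAP_CHOWN, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
{"perfmon", CAP_PERFMON, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
{"bpf", CAP_BPF, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
EOF
    missing_rows "$dir/capability.h" "$dir/base_cap_names.h"
    rm -rf "$dir"
}

demo
```
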

Andrea Righi (arighi) wrote :

The attached debdiff seems to fix the autopkgtest error on 5.10.

John Johansen (jjohansen) wrote :

Note that the apparmor 3.0.1 release also includes a similar fix: https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.1. So we should decide if we are pulling in that release or just want to cherry-pick fixes.
