Upgrade from 2.8.0-0ubuntu38 to 2.8.95~2430-0ubuntu2 breaks LXC containers
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apparmor (Ubuntu) | Fix Released | Critical | Tyler Hicks |
Bug Description
I've been getting a few issues on a bunch of machines over the past few days, mostly unprivileged LXC containers reporting mount failures at boot time, leading to them failing miserably.
The failures in question are:
[ 1084.404894] type=1400 audit(139561706
[ 1084.405042] type=1400 audit(139561706
[ 1084.406013] type=1400 audit(139561706
[ 1084.406127] type=1400 audit(139561706
Those happen when running under our usual, unmodified lxc-container-
root@vorash:~# grep tmpfs /etc/apparmor.
# allow tmpfs mounts everywhere
mount fstype=tmpfs,
Downgrading to 2.8.0-0ubuntu38 and reloading apparmor appears to resolve the issue, so this appears to be a parser bug rather than one of our usual kernel regressions...
Changed in apparmor (Ubuntu): assignee: nobody → Tyler Hicks (tyhicks)
This bug was fixed in the package apparmor - 2.8.95~2430-0ubuntu3
---------------
apparmor (2.8.95~2430-0ubuntu3) trusty; urgency=medium

  [ Jamie Strandboge ]
  * debian/lib/apparmor/functions: properly calculate number of profiles in
    /var/lib/apparmor/profiles (LP: #1295816)
  * autostart aa-notify via /etc/xdg/autostart instead of /etc/X11/Xsession.d
    (LP: #1288241)
    - remove debian/notify/90apparmor-notify
    - add debian/notify/apparmor-notify.desktop
    - debian/apparmor-notify.install: adjust for the above
    - add debian/apparmor-notify.maintscript to remove 90apparmor-notify
  * debian/notify/notify.conf: use_group should be set to "sudo" instead of
    "admin" (LP: #1009666)

  [ Tyler Hicks ]
  * debian/patches/initialize-mount-flags.patch: Initialize the variables
    containing mount rule flags to zero. Otherwise, the parser may set
    unexpected bits in the mount flags field for rules that do not specify
    mount flags. The uninitialized mount flag variables may have caused
    unexpected AppArmor denials during mount mediation. (LP: #1296459)
  * debian/patches/fix-typo-in-dbus_write.patch: Fix a bug in the
    apparmor/aa.py module that caused the utilities in the apparmor-utils
    package to write out network rules instead of dbus rules
  * debian/patches/limited-mount-rule-support.patch: Fix a bug in the
    apparmor/aa.py module that caused the utilities in the apparmor-utils
    package to traceback when encountering a mount rule (LP: #1294825)
  * debian/patches/bare-capability-rule-support.patch: Fix a bug in the
    apparmor/aa.py module that caused the utilities in the apparmor-utils
    package to traceback when encountering a bare capability rule
    (LP: #1294819)
  * debian/patches/check-config-for-sysctl.patch,
    debian/patches/increase-swap-size.patch: Fix bugs in the regression test
    suite that caused errors when running on ppc64el
  * debian/patches/test-v6-policy.patch,
    debian/patches/test-mount-mediation.patch: Improve the regression tests
    by increasing the mount rule test coverage

 -- Tyler Hicks <email address hidden>  Thu, 27 Mar 2014 14:12:29 -0500
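
A triage check for the symptom in this report, added here as an example and not taken from the bug report or from AppArmor's own code: it lists mount denials for file system types that a bare `mount fstype=...,` rule in the loaded profile already allows, which points at the parser rather than at a policy gap. The log lines and the profile name `example-container` are constructed; the rule text is the one quoted in the bug description.

```python
import re

# Constructed sample kernel log lines (the lines in the report are truncated).
SAMPLE_LOG = '''\
[ 100.000001] type=1400 audit(1400000000.001:10): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="example-container" name="/run/" pid=4001 comm="mount" fstype="tmpfs" srcname="tmpfs" flags="rw, nosuid, nodev"
[ 100.000002] type=1400 audit(1400000000.002:11): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="example-container" name="/mnt/data/" pid=4002 comm="mount" fstype="ext4" srcname="/dev/sdb1" flags="rw"
[ 100.000003] type=1400 audit(1400000000.003:12): apparmor="ALLOWED" operation="open" profile="example-container" name="/etc/hosts" pid=4003 comm="cat"
[ 100.000004] type=1400 audit(1400000000.004:13): apparmor="DENIED" operation="mount" error=-13 profile="other-profile" name="/tmp/" pid=4004 comm="mount" fstype="tmpfs" srcname="none" flags="rw"
'''

# Rule text as quoted in the bug description.
PROFILE_RULES = '''\
# allow tmpfs mounts everywhere
mount fstype=tmpfs,
'''

# key=value pairs; values are either double-quoted or a run of non-spaces.
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_audit(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    return {k: (q if raw.startswith('"') else raw)
            for k, raw, q in KV.findall(line)}


def policy_fstypes(profile_text):
    """File system types allowed by bare 'mount fstype=X,' rules
    (rules with no options, source or mount point restrictions)."""
    return set(re.findall(r'^\s*mount\s+fstype=(\w+)\s*,\s*$',
                          profile_text, re.M))


def contradicting_denials(log_text, profile_name, profile_text):
    """Mount denials under profile_name that a bare fstype rule allows."""
    allowed = policy_fstypes(profile_text)
    hits = []
    for line in log_text.splitlines():
        f = parse_audit(line)
        if (f.get("apparmor") == "DENIED" and f.get("operation") == "mount"
                and f.get("profile") == profile_name
                and f.get("fstype") in allowed):
            hits.append((f["name"], f["fstype"], f.get("flags", "")))
    return hits


if __name__ == "__main__":
    for hit in contradicting_denials(SAMPLE_LOG, "example-container", PROFILE_RULES):
        print("denied despite policy:", hit)
```
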