This bug was fixed in the package linux - 4.8.0-40.43
---------------
linux (4.8.0-40.43) yakkety; urgency=low
* linux: 4.8.0-40.43 -proposed tracker (LP: #1667066)
[ Andy Whitcroft ]
* NFS client : permission denied when trying to access subshare, since kernel
4.4.0-31 (LP: #1649292)
- fs: Better permission checking for submounts
* shaking screen (LP: #1651981)
- drm/radeon: drop verde dpm quirks
* [0bda:0328] Card reader failed after S3 (LP: #1664809)
- usb: hub: Wait for connection to be reestablished after port reset
* linux-lts-xenial 4.4.0-63.84~14.04.2 ADT test failure with linux-lts-xenial
4.4.0-63.84~14.04.2 (LP: #1664912)
- SAUCE: apparmor: fix link auditing failure due to, uninitialized var
* In Ubuntu 17.04 : after reboot getting message in console like Unable to
open file: /etc/keys/x509_ima.der (-2) (LP: #1656908)
- SAUCE: ima: Downgrade error to warning
* 16.04.2: Extra patches for POWER9 (LP: #1664564)
- powerpc/mm: Fix no execute fault handling on pre-POWER5
- powerpc/mm: Fix spurrious segfaults on radix with autonuma
* ibmvscsis: Add SGL LIMIT (LP: #1662551)
- ibmvscsis: Add SGL limit
* [Hyper-V] Bug fixes for storvsc (tagged queuing, error conditions)
(LP: #1663687)
- scsi: storvsc: Enable tracking of queue depth
- scsi: storvsc: Remove the restriction on max segment size
- scsi: storvsc: Enable multi-queue support
- scsi: storvsc: use tagged SRB requests if supported by the device
- scsi: storvsc: properly handle SRB_ERROR when sense message is present
- scsi: storvsc: properly set residual data length on errors
* Ubuntu16.10-KVM:Big configuration with multiple guests running SRIOV VFs
caused KVM host hung and all KVM guests down. (LP: #1651248)
- KVM: PPC: Book 3S: XICS cleanup: remove XICS_RM_REJECT
- KVM: PPC: Book 3S: XICS: correct the real mode ICP rejecting counter
- KVM: PPC: Book 3S: XICS: Fix potential issue with duplicate IRQ resends
- KVM: PPC: Book 3S: XICS: Implement ICS P/Q states
- KVM: PPC: Book 3S: XICS: Don't lock twice when checking for resend
* ISST-LTE:pNV: ppc64_cpu command is hung w HDs, SSDs and NVMe (LP: #1662666)
- blk-mq: Avoid memory reclaim when remapping queues
- blk-mq: Fix failed allocation path when mapping queues
- blk-mq: Always schedule hctx->next_cpu
* systemd-udevd hung in blk_mq_freeze_queue_wait testing unpartitioned NVMe
drive (LP: #1662673)
- percpu-refcount: fix reference leak during percpu-atomic transition
* [Yakkety SRU] Enable KEXEC support in ARM64 kernel (LP: #1662554)
- [Config] Enable KEXEC support in ARM64.
* [Hyper-V] Fix ring buffer handling to avoid host throttling (LP: #1661430)
- Drivers: hv: vmbus: On write cleanup the logic to interrupt the host
- Drivers: hv: vmbus: On the read path cleanup the logic to interrupt the
host
- Drivers: hv: vmbus: finally fix hv_need_to_signal_on_read()
* brd module compiled as built-in (LP: #1593293)
- CONFIG_BLK_DEV_RAM=m
* regession tests failing after stackprofile test is run (LP: #1661030)
- SAUCE: fix regression with domain change in complain mode
* Permission denied and inconsistent behavior in complain mode with 'ip netns
list' command (LP: #1648903)
- SAUCE: fix regression with domain change in complain mode
* flock not mediated by 'k' (LP: #1658219)
- SAUCE: apparmor: flock mediation is not being enforced on cache check
* unexpected errno=13 and disconnected path when trying to open /proc/1/ns/mnt
from a unshared mount namespace (LP: #1656121)
- SAUCE: apparmor: null profiles should inherit parent control flags
* apparmor refcount leak of profile namespace when removing profiles
(LP: #1660849)
- SAUCE: apparmor: fix ns ref count link when removing profiles from policy
* tor in lxd: apparmor="DENIED" operation="change_onexec"
namespace="root//CONTAINERNAME_<var-lib-lxd>" profile="unconfined"
name="system_tor" (LP: #1648143)
- SAUCE: apparmor: Fix no_new_privs blocking change_onexec when using
stacked
namespaces
* apparmor_parser hangs indefinitely when called by multiple threads
(LP: #1645037)
- SAUCE: apparmor: fix lock ordering for mkdir
* apparmor leaking securityfs pin count (LP: #1660846)
- SAUCE: apparmor: fix leak on securityfs pin count
* apparmor reference count leak when securityfs_setup_d_inode\ () fails
(LP: #1660845)
- SAUCE: apparmor: fix reference count leak when securityfs_setup_d_inode()
fails
* apparmor not checking error if security_pin_fs() fails (LP: #1660842)
- SAUCE: apparmor: fix not handling error case when securityfs_pin_fs()
fails
* apparmor oops in bind_mnt when dev_path lookup fails (LP: #1660840)
- SAUCE: apparmor: fix oops in bind_mnt when dev_path lookup fails
* apparmor auditing denied access of special apparmor .null fi\ le
(LP: #1660836)
- SAUCE: apparmor: Don't audit denied access of special apparmor .null file
* apparmor label leak when new label is unused (LP: #1660834)
- SAUCE: apparmor: fix label leak when new label is unused
* apparmor reference count bug in label_merge_insert() (LP: #1660833)
- SAUCE: apparmor: fix reference count bug in label_merge_insert()
* apparmor's raw_data file in securityfs is sometimes truncated (LP: #1638996)
- SAUCE: apparmor: fix replacement race in reading rawdata
* unix domain socket cross permission check failing with nested namespaces
(LP: #1660832)
- SAUCE: apparmor: fix cross ns perm of unix domain sockets
* Enable CONFIG_NET_DROP_MONITOR=m in Ubuntu Kernel (LP: #1660634)
- [Config] CONFIG_NET_DROP_MONITOR=m
* Linux kernel 4.8 hangs at boot up (LP: #1659340)
- SAUCE: x86/efi: Always map first physical page into EFI pagetables
* s390/kconfig: CONFIG_NUMA without CONFIG_NUMA_EMU does not make any sense on
s390x (LP: #1557690)
- [Config] CONFIG_NUMA_BALANCING=y
- [Config] CONFIG_NUMA=y, CONFIG_NUMA_EMU=y for s390x
-- Thadeu Lima de Souza Cascardo <casca...@canonical.com> Wed, 22 Feb
2017 15:03:35 -0300
** Changed in: linux (Ubuntu Yakkety)
Status: Fix Committed => Fix Released
** Changed in: linux (Ubuntu Xenial)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1648143
Title:
tor in lxd: apparmor="DENIED" operation="change_onexec"
namespace="root//CONTAINERNAME_<var-lib-lxd>" profile="unconfined"
name="system_tor"
Status in apparmor package in Ubuntu:
Confirmed
Status in linux package in Ubuntu:
Incomplete
Status in tor package in Ubuntu:
New
Status in apparmor source package in Xenial:
New
Status in linux source package in Xenial:
Fix Released
Status in tor source package in Xenial:
New
Status in apparmor source package in Yakkety:
New
Status in linux source package in Yakkety:
Fix Released
Status in tor source package in Yakkety:
New
Bug description:
Environment:
----------------
Distribution: ubuntu
Distribution version: 16.10
lxc info:
apiextensions:
storage_zfs_remove_snapshots
container_host_shutdown_timeout
container_syscall_filtering
auth_pki
container_last_used_at
etag
patch
usb_devices
https_allowed_credentials
image_compression_algorithm
directory_manipulation
container_cpu_time
storage_zfs_use_refquota
storage_lvm_mount_options
network
profile_usedby
container_push
apistatus: stable
apiversion: "1.0"
auth: trusted
environment:
addresses:
163.172.48.149:8443
172.20.10.1:8443
172.20.11.1:8443
172.20.12.1:8443
172.20.22.1:8443
172.20.21.1:8443
10.8.0.1:8443
architectures:
x86_64
i686
certificate: |
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
certificatefingerprint:
3048baa9f20d316f60a6c602452b58409a6d9e2c3218897e8de7c7c72af0179b
driver: lxc
driverversion: 2.0.5
kernel: Linux
kernelarchitecture: x86_64
kernelversion: 4.8.0-27-generic
server: lxd
serverpid: 32694
serverversion: 2.4.1
storage: btrfs
storageversion: 4.7.3
config:
core.https_address: '[::]:8443'
core.trust_password: true
Container: ubuntu 16.10
Issue description
------------------
tor can't start in a non privileged container
Logs from the container:
-------------------------
Dec 7 15:03:00 anonymous tor[302]: Configuration was valid
Dec 7 15:03:00 anonymous systemd[303]: tor@default.service: Failed at step
APPARMOR spawning /usr/bin/tor: No such file or directory
Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Main process
exited, code=exited, status=231/APPARMOR
Dec 7 15:03:00 anonymous systemd[1]: Failed to start Anonymizing overlay
network for TCP.
Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Unit entered failed
state.
Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Failed with result
'exit-code'.
Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Service hold-off
time over, scheduling restart.
Dec 7 15:03:00 anonymous systemd[1]: Stopped Anonymizing overlay network for
TCP.
Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Failed to reset
devices.list: Operation not permitted
Dec 7 15:03:00 anonymous systemd[1]: Failed to set devices.allow on
/system.slice/system-tor.slice/tor@default.service: Operation not permitted
Dec 7 15:03:00 anonymous systemd[1]: message repeated 6 times: [ Failed to
set devices.allow on /system.slice/system-tor.slice/tor@default.service:
Operation not permitted]
Dec 7 15:03:00 anonymous systemd[1]: Couldn't stat device
/run/systemd/inaccessible/chr
Dec 7 15:03:00 anonymous systemd[1]: Couldn't stat device
/run/systemd/inaccessible/blk
Dec 7 15:03:00 anonymous systemd[1]: Failed to set devices.allow on
/system.slice/system-tor.slice/tor@default.service: Operation not permitted
Logs from the host
--------------------
audit: type=1400 audit(1481119378.856:6950): apparmor="DENIED"
operation="change_onexec" info="label not found" error=-2
namespace="root//lxd-anonymous_" profile="unconfined" name="system_tor"
pid=12164 comm="(tor)"
Steps to reproduce
---------------------
install ubuntu container 16.10 on a ubuntu 16.10 host
install tor in the container
Launch tor
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1648143/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
