This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1838627

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

** Changed in: linux (Ubuntu)
       Status: New => Incomplete

** Tags added: xenial

https://bugs.launchpad.net/bugs/1838627

Title:
  AppArmor onexec transition causes WARN kernel stack trace

Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Xenial:
  Confirmed

Bug description:
  microk8s has reported an issue with the Xenial kernel where apparmor causes the following kernel stack trace due to an apparmor AA_BUG condition being triggered.

  [ 225.236085] ------------[ cut here ]------------
  [ 225.236104] WARNING: CPU: 1 PID: 13726 at /build/linux-aUWTNP/linux-4.4.0/security/apparmor/file.c:136 aa_audit_file+0x16e/0x180()
  [ 225.236109] AppArmor WARN aa_audit_file: ((!(&sa)->apparmor_audit_data->request)):
  [ 225.236113] Modules linked in:
  [ 225.236118] btrfs xor raid6_pq ufs qnx4 hfsplus hfs minix ntfs msdos jfs xfs veth xt_nat xt_mark xt_comment ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs libcrc32c ctr ccm ipt_MASQUERADE nf_nat_masquerade_ipv4 nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo iptable_nat nf_nat_ipv4 br_netfilter bridge stp llc pci_stub vboxpci(OE) vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) bnep aufs overlay binfmt_misc drbg ansi_cprng dm_crypt snd_hda_codec_hdmi arc4 eeepc_wmi asus_wmi sparse_keymap nvidia_uvm(POE) mxm_wmi joydev input_leds btusb btrtl btbcm btintel bluetooth snd_usb_audio snd_usbmidi_lib snd_hda_intel snd_hda_codec intel_rapl x86_pkg_temp_thermal snd_hda_core intel_powerclamp snd_hwdep coretemp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_ens1371 snd_ac97_codec gameport ac97_bus
  [ 225.236305] snd_seq_midi aesni_intel snd_pcm snd_seq_midi_event aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd snd_rawmidi snd_seq iwlmvm snd_seq_device serio_raw snd_timer mac80211 snd soundcore iwlwifi cfg80211 mei_me mei shpchp 8250_fintek wmi acpi_pad mac_hid ip6t_REJECT nf_reject_ipv6 nf_log_ipv6 xt_hl ip6t_rt nf_conntrack_ipv6 nf_defrag_ipv6 ipt_REJECT nf_reject_ipv4 nf_log_ipv4 nf_log_common xt_LOG xt_recent xt_limit xt_tcpudp xt_addrtype nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack ip6table_filter ip6_tables nf_conntrack_netbios_ns nf_conntrack_broadcast nf_nat_ftp nf_nat nf_conntrack_ftp nf_conntrack parport_pc iptable_filter ip_tables ppdev x_tables lp parport autofs4 hid_generic usbhid hid nvidia_drm(POE) nvidia_modeset(POE) nvidia(POE) i915_bpo psmouse e1000e intel_ips ptp i2c_algo_bit
  [ 225.236420] pps_core drm_kms_helper nvme syscopyarea sysfillrect sysimgblt fb_sys_fops ahci drm libahci video fjes
  [ 225.236446] CPU: 1 PID: 13726 Comm: runc:[2:INIT] Tainted: P W OE 4.4.0-154-generic #181-Ubuntu
  [ 225.236451] Hardware name: System manufacturer System Product Name/PRIME H270-PRO, BIOS 0323 01/04/2017
  [ 225.236456] 0000000000000286 fa217f3573a84520 ffff88033ade39d0 ffffffff8140b481
  [ 225.236464] ffff88033ade3a18 ffffffff81d03018 ffff88033ade3a08 ffffffff81085432
  [ 225.236477] ffff88035cb2f000 ffff88033ade3b6c ffff88033bcb8b88 ffff88033ade3d88
  [ 225.236484] Call Trace:
  [ 225.236498] [<ffffffff8140b481>] dump_stack+0x63/0x82
  [ 225.236509] [<ffffffff81085432>] warn_slowpath_common+0x82/0xc0
  [ 225.236518] [<ffffffff810854cc>] warn_slowpath_fmt+0x5c/0x80
  [ 225.236527] [<ffffffff81397ebc>] ? label_match.constprop.9+0x3dc/0x6c0
  [ 225.236536] [<ffffffff813a696e>] aa_audit_file+0x16e/0x180
  [ 225.236544] [<ffffffff813982dd>] profile_onexec+0x13d/0x3d0
  [ 225.236554] [<ffffffff8139a33e>] handle_onexec+0x10e/0x10d0
  [ 225.236562] [<ffffffff81242957>] ? vfs_getxattr_alloc+0x67/0x100
  [ 225.236571] [<ffffffff81355395>] ? cap_inode_getsecurity+0x95/0x220
  [ 225.236581] [<ffffffff8135965d>] ? security_inode_getsecurity+0x5d/0x70
  [ 225.236589] [<ffffffff8139b417>] apparmor_bprm_set_creds+0x117/0xa60
  [ 225.236596] [<ffffffff81242a8e>] ? vfs_getxattr+0x9e/0xb0
  [ 225.236608] [<ffffffffc1439712>] ? ovl_getxattr+0x52/0xb0 [overlay]
  [ 225.236617] [<ffffffff8135619d>] ? get_vfs_caps_from_disk+0x7d/0x180
  [ 225.236624] [<ffffffff81356343>] ? cap_bprm_set_creds+0xa3/0x5f0
  [ 225.236633] [<ffffffff81358909>] security_bprm_set_creds+0x39/0x50
  [ 225.236642] [<ffffffff812229d5>] prepare_binprm+0x85/0x190
  [ 225.236651] [<ffffffff812240f4>] do_execveat_common.isra.31+0x4b4/0x770
  [ 225.236661] [<ffffffff8122460a>] SyS_execve+0x3a/0x50
  [ 225.236671] [<ffffffff81863f15>] stub_execve+0x5/0x5
  [ 225.236678] [<ffffffff81863b9b>] ? entry_SYSCALL_64_fastpath+0x22/0xcb
  [ 225.236684] ---[ end trace 6b2beaa85ae31c29 ]---

  This is caused when the change_onexec API is used and permitted by the profile but the task has the NO_NEW_PRIVS flag set, causing the domain transition specified in the change_onexec request to fail.
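
A triage sketch for the trace in this report, added here and not part of the bug report or of any Ubuntu kernel tooling: it scans dmesg-style text for WARN blocks and marks those whose reliable call-trace frames include both aa_audit_file and profile_onexec, the path shown above. The sample input is excerpted from the report's trace plus one constructed line; the function name and result fields are assumptions.

```python
import re

# Excerpt of the trace in this report (module list and raw stack words omitted).
SAMPLE = """\
[ 225.236085] ------------[ cut here ]------------
[ 225.236104] WARNING: CPU: 1 PID: 13726 at /build/linux-aUWTNP/linux-4.4.0/security/apparmor/file.c:136 aa_audit_file+0x16e/0x180()
[ 225.236109] AppArmor WARN aa_audit_file: ((!(&sa)->apparmor_audit_data->request)):
[ 225.236446] CPU: 1 PID: 13726 Comm: runc:[2:INIT] Tainted: P W OE 4.4.0-154-generic #181-Ubuntu
[ 225.236527] [<ffffffff81397ebc>] ? label_match.constprop.9+0x3dc/0x6c0
[ 225.236536] [<ffffffff813a696e>] aa_audit_file+0x16e/0x180
[ 225.236544] [<ffffffff813982dd>] profile_onexec+0x13d/0x3d0
[ 225.236554] [<ffffffff8139a33e>] handle_onexec+0x10e/0x10d0
[ 225.236589] [<ffffffff8139b417>] apparmor_bprm_set_creds+0x117/0xa60
[ 225.236661] [<ffffffff8122460a>] SyS_execve+0x3a/0x50
[ 225.236684] ---[ end trace 6b2beaa85ae31c29 ]---
[ 300.000000] audit: unrelated line (constructed)
"""

STAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")                    # dmesg timestamp
FRAME = re.compile(r"\[<[0-9a-f]+>\]\s+(\?\s+)?(\w[\w.]*)\+0x")  # call-trace frame
WHERE = re.compile(r"WARNING: CPU: \d+ PID: (\d+) at (\S+) ")
COMM = re.compile(r"Comm: (\S+) .*? (\d+\.\d+\.\d+-\S+) #")


def find_onexec_warns(log_text):
    """Return one dict per WARN block; 'onexec' marks the path in this report."""
    hits, cur = [], None
    for raw in log_text.splitlines():
        line = STAMP.sub("", raw)
        if "[ cut here ]" in line:
            cur = {"pid": None, "site": None, "comm": None, "kernel": None, "frames": []}
        elif cur is None:
            continue  # outside any WARN block
        elif "end trace" in line:
            frames = cur["frames"]
            cur["onexec"] = "aa_audit_file" in frames and "profile_onexec" in frames
            hits.append(cur)
            cur = None
        elif (m := WHERE.search(line)):
            cur["pid"], cur["site"] = int(m.group(1)), m.group(2)
        elif (m := COMM.search(line)):
            cur["comm"], cur["kernel"] = m.group(1), m.group(2)
        elif (m := FRAME.search(line)) and not m.group(1):
            cur["frames"].append(m.group(2))  # '?' frames are unreliable; skip them
    return hits
```

The `comm` and `kernel` fields identify which workload and kernel build hit the WARN, which is what the apport request in this notification is trying to collect.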