Public bug reported:

Running tcpdump inside of an LXD container results in tcpdump immediately segfaulting due to an AppArmor denial preventing /usr/sbin/tcpdump from being mapped.

tyhicks@host:~$ lxc exec yakkety bash
root@yakkety:~# tcpdump -i eth0
Segmentation fault

This AppArmor denial can be seen in the logs:

audit: type=1400 audit(1476204029.500:186): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-yakkety_<var-lib-lxd>" profile="/usr/sbin/tcpdump" name="/usr/sbin/tcpdump" pid=16746 comm="tcpdump" requested_mask="m" denied_mask="m" fsuid=296608 ouid=296608

This is caused by the following upstream kernel change:

commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46
Date:   Mon Aug 22 16:41:46 2016 -0700

    binfmt_elf: switch to new creds when switching to new mm

** Affects: tcpdump (Ubuntu)
     Importance: High
     Assignee: Tyler Hicks (tyhicks)
         Status: In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1632399

Title:
  AppArmor confinement change in 4.8 and newer kernels causes segfault inside LXD containers

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tcpdump/+bug/1632399/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
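The denial above has a recognisable shape: a confined process is refused an mmap (mask "m") of the very file its profile is attached to, inside an LXD-created AppArmor namespace. The following triage helper is an added example, not code from the bug report or from the tcpdump or LXD projects. It parses AppArmor audit records of the kind quoted and flags "self-mmap" denials so they can be separated from ordinary policy denials. The first sample line is the record from the report; the remaining lines are constructed. It assumes, as in this log, that the profile name is the binary's path (a named profile with a different attach path would need a mapping table).

```python
import re

# Matches key="quoted value" or key=bare_value pairs in an AppArmor audit record.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Sample log: line 0 is the denial quoted in the bug report; lines 1-3 are
# constructed to show records the detector must NOT flag.
SAMPLE_LOG = [
    'audit: type=1400 audit(1476204029.500:186): apparmor="DENIED" operation="file_mmap" '
    'namespace="root//lxd-yakkety_<var-lib-lxd>" profile="/usr/sbin/tcpdump" '
    'name="/usr/sbin/tcpdump" pid=16746 comm="tcpdump" requested_mask="m" '
    'denied_mask="m" fsuid=296608 ouid=296608',
    # constructed: a denial of a different file (ordinary policy denial, not self-mmap)
    'audit: type=1400 audit(1476204030.100:187): apparmor="DENIED" operation="open" '
    'namespace="root//lxd-yakkety_<var-lib-lxd>" profile="/usr/sbin/tcpdump" '
    'name="/etc/hosts.deny" pid=16750 comm="tcpdump" requested_mask="r" '
    'denied_mask="r" fsuid=296608 ouid=0',
    # constructed: a non-denial AppArmor status record
    'audit: type=1400 audit(1476204031.000:188): apparmor="STATUS" '
    'operation="profile_load" profile="unconfined" name="/usr/sbin/tcpdump" '
    'pid=1 comm="apparmor_parser"',
    # constructed: unrelated kernel message
    'kernel: eth0: link up',
]


def parse_apparmor_audit(line):
    """Parse one AppArmor audit line into a dict of fields; None if it is not one."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in _KV_RE.finditer(line):
        key = m.group(1)
        # group 3 is the quoted form, group 4 the bare form
        value = m.group(3) if m.group(3) is not None else m.group(4)
        fields[key] = value
    return fields


def is_self_mmap_denial(fields):
    """True when a confined binary was denied mapping its own executable (mask 'm').

    Assumption: the profile name equals the binary path, as in the quoted record.
    """
    return (
        fields.get('apparmor') == 'DENIED'
        and fields.get('operation') == 'file_mmap'
        and 'm' in fields.get('denied_mask', '')
        and fields.get('name') == fields.get('profile')
    )


def find_self_mmap_denials(lines):
    """Return a summary dict for every self-mmap denial found in the given log lines."""
    hits = []
    for line in lines:
        fields = parse_apparmor_audit(line)
        if fields and is_self_mmap_denial(fields):
            hits.append({
                'profile': fields['profile'],
                # the root namespace is implicit when no namespace= field is present
                'namespace': fields.get('namespace', 'root'),
                'pid': fields.get('pid'),
                'comm': fields.get('comm'),
            })
    return hits


if __name__ == '__main__':
    for hit in find_self_mmap_denials(SAMPLE_LOG):
        print('self-mmap denial: profile=%(profile)s ns=%(namespace)s '
              'pid=%(pid)s comm=%(comm)s' % hit)
```

Run over the samples it reports exactly one hit, the tcpdump record, with its LXD namespace; the "open" denial and the status record are left alone. The namespace field is what distinguishes a container-side policy problem from a host-side one, so it is worth carrying into whatever alert or ticket the helper feeds.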