Ubuntu
linux package

  1. Xenial (16.04)
  2. Bug #1844186
  3. Comment #0

Comment 0 for bug 1844186

Revision history for this message
Simon Déziel (sdeziel) wrote : [regression] NoNewPrivileges breaks Apparmor

Description:

Host: Bionic 64 bit with GA kernel (4.15)
Container: Bionic 64 bit

The container runs a binary (/usr/sbin/nsd) locked by an Apparmor profile. The systemd service is configured with NoNewPrivileges=yes.

  # systemctl show nsd | grep ^NoNew
  NoNewPrivileges=yes

This setup worked fine with 4.15.0-58-generic and before but stopped working with the 4.15.0-60-generic update. When running the bogus kernel, starting the nsd service fails and the following is logged in the host's dmesg:

audit: type=1400 audit(1568387834.381:73): apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="lxd-ns0_</var/snap/lxd/common/lxd>" name="/usr/sbin/nsd" pid=8568 comm="(nsd)" requested_mask="x" denied_mask="x" fsuid=1065536 ouid=1065536 target="lxd-ns0_</var/snap/lxd/common/lxd>//&:lxd-ns0_<var-snap-lxd-common-lxd>:/usr/sbin/nsd"
audit: type=1400 audit(1568387834.381:74): apparmor="DENIED" operation="exec" info="no new privs" error=-1 namespace="root//lxd-ns0_<var-snap-lxd-common-lxd>" profile="unconfined" name="/usr/sbin/nsd" pid=8568 comm="(nsd)" requested_mask="x" denied_mask="x" fsuid=1065536 ouid=1065536 target="/usr/sbin/nsd"

Disabling the Apparmor profile OR setting NoNewPrivileges=no in the container makes it work again.

I check with a couple of kernels:

4.15.0-52-generic works
4.15.0-58-generic works
4.15.0-60-generic is broken

The 5.0 HWE kernel has always been broken it seems:

5.0.0-15-generic is broken
5.0.0-17-generic is broken
5.0.0-20-generic is broken
5.0.0-23-generic is broken
5.0.0-25-generic is broken
5.0.0-27-generic is broken

Additional information:

# lsb_release -rd
Description: Ubuntu 18.04.3 LTS
Release: 18.04

# apt-cache policy nsd
nsd:
  Installed: 4.1.26-1ubuntu0.18.04.1~ppa2
  Candidate: 4.1.26-1ubuntu0.18.04.1~ppa2
  Version table:
 *** 4.1.26-1ubuntu0.18.04.1~ppa2 500
        500 http://ppa.launchpad.net/sdeziel.info/infra/ubuntu bionic/main amd64 Packages
        100 /var/lib/dpkg/status
     4.1.17-1build1 500
        500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages

nsd comes from a custom backport this should be irrelevant.
nsd's custom Apparmor profile: https://paste.ubuntu.com/p/BB3ZYzH8WQ/

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: linux-image-4.15.0-60-generic 4.15.0-60.67
ProcVersionSignature: Ubuntu 5.0.0-27.28~18.04.1-generic 5.0.21
Uname: Linux 5.0.0-27-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
AlsaDevices:
 total 0
 crw-rw---- 1 root audio 116, 1 Sep 16 18:02 seq
 crw-rw---- 1 root audio 116, 33 Sep 16 18:02 timer
AplayDevices: Error: [Errno 2] No such file or directory: 'aplay': 'aplay'
ApportVersion: 2.20.9-0ubuntu7.7
Architecture: amd64
ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord': 'arecord'
AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
CRDA: Error: command ['iw', 'reg', 'get'] failed with exit code 1: nl80211 not found.
Date: Mon Sep 16 18:14:02 2019
InstallationDate: Installed on 2019-08-22 (24 days ago)
InstallationMedia: Ubuntu-Server 18.04.3 LTS "Bionic Beaver" - Release amd64 (20190805)
IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig': 'iwconfig'
MachineType: Dell Inc. Inspiron 530s
PciMultimedia:

ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
 TERM=xterm-256color
 PATH=(custom, no user)
ProcFB: 0 inteldrmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.0.0-27-generic root=UUID=7c11931f-ee1e-4d07-bc03-d167b9c39ef0 ro apt-setup/restricted=false apt-setup/multiverse=false kaslr nmi_watchdog=0 nr_cpus=2 pti=on vsyscall=none
RelatedPackageVersions:
 linux-restricted-modules-5.0.0-27-generic N/A
 linux-backports-modules-5.0.0-27-generic N/A
 linux-firmware 1.173.9
RfKill: Error: [Errno 2] No such file or directory: 'rfkill': 'rfkill'
SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 02/24/2009
dmi.bios.vendor: Dell Inc.
dmi.bios.version: 1.0.18
dmi.board.name: 0RY007
dmi.board.vendor: Dell Inc.
dmi.chassis.type: 3
dmi.chassis.vendor: Dell Inc.
dmi.chassis.version: OEM
dmi.modalias: dmi:bvnDellInc.:bvr1.0.18:bd02/24/2009:svnDellInc.:pnInspiron530s:pvr:rvnDellInc.:rn0RY007:rvr:cvnDellInc.:ct3:cvrOEM:
dmi.product.name: Inspiron 530s
dmi.sys.vendor: Dell Inc.