[regression] NoNewPrivileges incompatible with Apparmor

This change was made by a bot.

Apparently this seems to be introduced by bug 1839037,
which is related to nnp and the only mention to it in
the changelog of linux 4.15.0-60.67 [1] if read right.

[1] https://launchpad.net/ubuntu/+source/linux/4.15.0-60.67

Yes, that's also what I suspected. I haven't been able to catch John Johansen on IRC to discuss with him about it.

The LSMs respecting the nnp flag was actually mandated by Linus. So yes it breaks apparmor.

Kernel 3.5: Tasks that have nnp block apparmor policy transitions except for unconfined, as transitions in that case always result in reduced permissions.

Kernel 4.13: Loosened these restrictions around stacking. That is a transition adding a new element to a stack was allowed as that is guarenteed to always reduce permissions. Ubuntu had this in Xenial (4.4) kernels.

Kernel 4.17: AppArmor began tracking under what label nnp was set and using that for profile transition tests. This improved the 4.13 stacking test making containers capable of transitioning policy in the container as long as the host policy wasn't transitioned.

To do more apparmor has to be able to override nnp. Selinux has managed to add an nnp override permission and get it upstream, we are looking to do the same with apparmor but I have no time line as to when it will land.

I should add that bug 1839037 is a bug in the subset test introduced in kernel 4.13 (and earlier Ubuntu 4.4 Xenial kernels). Some subsets will properly transition some won't it all depends on what is in the stack being transitioned. The patch fixes it so the all transitions combinations pass correctly. The patch actual allows more transitions under nnp than when it is not applied. The bug does not exist in the 4.17 or later kernel version.

The 5.0 HWE kernel never had the bug addressed in bug 1839037, and did not receive the patch.

The DENY messages above indicate that this is a case of a cross policy namespace check, I am investigating if cross namespace checks are broken.

In the above regression we have

lxd-ns0_</var/snap/lxd/common/lxd>//&:root//lxd-ns0_<var-snap-lxd-common-lxd>://unconfined

transitioning to

lxd-ns0_</var/snap/lxd/common/lxd>//&:lxd-ns0_<var-snap-lxd-common-lxd>:/usr/sbin/nsd//&:root//lxd-ns0_<var-snap-lxd-common-lxd>:///usr/sbin/nsd

this is not a strict subset of profiles, however the unconfined exception needs to be taken into account when nnp is set.

There is a bug in the subset test, so that the unconfined exception is not being handled correctly. This affects all kernels, though to different degrees.

kernels before the patch for bug 1839037 have this bug, but because of where the unconfined exception is tested (at the profile transition) it happens to work in this case. Other cases can be contrived where the transition will fail.

Reverting the patch in bug 1839037 will fix the regression for this particular case.

I am testing a fix for this that won't require reverting the patch. I will put up a test kernel if it passes.

Thanks for working on this. I'll be happy to test whatever you come up with on Xenial/Bionic (4.4, 4.15 and 5.0 kernels) machines.

There are some test kernels at
https://people.canonical.com/~jj/lp1844186/

Tests results on Bionic:

Bionic/4.15:

$ uname -a
Linux c2d.mgmt.sdeziel.info 4.15.0-64-generic #73+lp1844186 SMP Thu Sep 26 15:17:27 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

*result*: works!

Bionic/5.0:

$ uname -a
Linux c2d.mgmt.sdeziel.info 5.0.0-8-generic #9+lp1844186 SMP Thu Sep 26 15:03:30 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

*result*: doesn't work/couldn't test properly. That kernel doesn't let me load an Apparmor policy in the container:

root@ns0:~# aa-status
apparmor module is loaded.
You do not have enough privilege to read the profile set.

Maybe it's just too old or the kernel isn't compatible with the Apparmor version from Bionic? The binary/service starts fine with NoNewPrivileges=yes but there is no Apparmor policy loaded in the container, only in the host.

Tests results on Xenial:

Xenial/4.4:

# uname -a | sed 's/lxd01\.[^ ]\+/lxd01/'
Linux lxd01 4.4.0-164-generic #192+lp1844186 SMP Thu Sep 26 15:17:42 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

*result*: works

Xenial/4.15:

# uname -a | sed 's/lxd01\.[^ ]\+/lxd01/'
Linux lxd01 4.15.0-64-generic #73+lp1844186 SMP Thu Sep 26 15:17:27 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

*result*: works

okay, thanks for testing. I'll submit the patch for 4.4 and 4.15 kernels and look into why the 5.0 kernel is blocking policy loads

I was surprised to get such an old 5.0 (5.0.0-8 was released in Mar 2019) kernel while all the others were very current. I'm sure you have you reasons but I'd want to be sure it was not a simple mistake :)

ha, its by mistake. I fetched the new kernel but missed doing the rebase. I'll get a new 5.0 up asap

updated to the 5.0.0-29 kernel

Bionic/5.0:

$ uname -a
Linux c2d.mgmt.sdeziel.info 5.0.0-29-generic #31+lp1844186 SMP Sat Sep 28 18:11:18 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

*result*: doesn't work

Same behavior as with the official/unpatched 5.0.0-29 (and 5.0.0-30) kernel, either NNP or Apparmor needs to be disabled otherwise:

audit: type=1400 audit(1569799739.869:70): apparmor="DENIED" operation="exec" info="no new privs" error=-1 namespace="root//lxd-ns0_<var-snap-lxd-common-lxd>" profile="unconfined" name="/usr/sbin/nsd" pid=2754 comm="(nsd)" requested_mask="x" denied_mask="x" fsuid=1065536 ouid=1065536 target="/usr/sbin/nsd"

I found your 5.0.0-29 *v2* kernel and gave it a try and I'm happy to report that you've fixed the problem!

Bionic/5.0 v2:

$ uname -a
Linux c2d.mgmt.sdeziel.info 5.0.0-29-generic #31+v2lp1844186 SMP Wed Oct 2 18:47:25 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

*result*: works

sorry it appears I added the comments about the v2 patch to the wrong bug

thanks for testing. I will get the request sent out to the kt.

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-disco' to 'verification-done-disco'. If the problem still exists, change the tag 'verification-needed-disco' to 'verification-failed-disco'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

I pulled the various .deb packages from https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/ppa/+build/17945283 and installed them on my Bionic host.

$ uname -a
Linux c2d.mgmt.sdeziel.info 5.0.0-33-generic #35-Ubuntu SMP Tue Oct 22 01:48:40 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

With that kernel it works so marking as verified for Disco.

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-eoan' to 'verification-done-eoan'. If the problem still exists, change the tag 'verification-needed-eoan' to 'verification-failed-eoan'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

I pulled the various .deb packages from https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/ppa/+build/17953251/+files/ and installed them on my Bionic host.

$ uname -a
Linux c2d.mgmt.sdeziel.info 5.3.0-20-generic #21-Ubuntu SMP Wed Oct 23 16:20:37 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

With that kernel it works so marking as verified for Eoan.

@jjohansen, I see that you've included the fix in most of the kernels currently in -proposed, thanks for that! Although, I'm not seeing those for 4.4 and 4.15 and I'd like to make sure they don't fall through the cracks ;)

All autopkgtests for the newly accepted linux-gcp-5.3 (5.3.0-1008.9~18.04.1) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

linux-gcp-5.3/unknown (amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#linux-gcp-5.3

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

This bug was fixed in the package linux - 5.3.0-22.24

---------------
linux (5.3.0-22.24) eoan; urgency=medium

  * [REGRESSION] md/raid0: cannot assemble multi-zone RAID0 with default_layout
    setting (LP: #1849682)
    - Revert "md/raid0: avoid RAID0 data corruption due to layout confusion."

  * refcount underflow and type confusion in shiftfs (LP: #1850867) // CVE-2019-15793
    - SAUCE: shiftfs: Correct id translation for lower fs operations
    - SAUCE: shiftfs: prevent type confusion
    - SAUCE: shiftfs: Fix refcount underflow in btrfs ioctl handling

  * CVE-2018-12207
    - kvm: x86, powerpc: do not allow clearing largepages debugfs entry
    - SAUCE: KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging is
      active
    - SAUCE: x86: Add ITLB_MULTIHIT bug infrastructure
    - SAUCE: kvm: mmu: ITLB_MULTIHIT mitigation
    - SAUCE: kvm: Add helper function for creating VM worker threads
    - SAUCE: kvm: x86: mmu: Recovery of shattered NX large pages
    - SAUCE: cpu/speculation: Uninline and export CPU mitigations helpers
    - SAUCE: kvm: x86: mmu: Apply global mitigations knob to ITLB_MULTIHIT

  * CVE-2019-11135
    - x86/msr: Add the IA32_TSX_CTRL MSR
    - x86/cpu: Add a helper function x86_read_arch_cap_msr()
    - x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default
    - x86/speculation/taa: Add mitigation for TSX Async Abort
    - x86/speculation/taa: Add sysfs reporting for TSX Async Abort
    - kvm/x86: Export MDS_NO=0 to guests when TSX is enabled
    - x86/tsx: Add "auto" option to the tsx= cmdline parameter
    - x86/speculation/taa: Add documentation for TSX Async Abort
    - x86/tsx: Add config options to set tsx=on|off|auto
    - [Config] Disable TSX by default when possible

  * CVE-2019-0154
    - SAUCE: drm/i915: Lower RM timeout to avoid DSI hard hangs
    - SAUCE: drm/i915/gen8+: Add RC6 CTX corruption WA

  * CVE-2019-0155
    - SAUCE: drm/i915: Rename gen7 cmdparser tables
    - SAUCE: drm/i915: Disable Secure Batches for gen6+
    - SAUCE: drm/i915: Remove Master tables from cmdparser
    - SAUCE: drm/i915: Add support for mandatory cmdparsing
    - SAUCE: drm/i915: Support ro ppgtt mapped cmdparser shadow buffers
    - SAUCE: drm/i915: Allow parsing of unsized batches
    - SAUCE: drm/i915: Add gen9 BCS cmdparsing
    - SAUCE: drm/i915/cmdparser: Use explicit goto for error paths
    - SAUCE: drm/i915/cmdparser: Add support for backward jumps
    - SAUCE: drm/i915/cmdparser: Ignore Length operands during command matching

linux (5.3.0-21.22) eoan; urgency=medium

  * eoan/linux: 5.3.0-21.22 -proposed tracker (LP: #1850486)

  * Fix signing of staging modules in eoan (LP: #1850234)
    - [Packaging] Leave unsigned modules unsigned after adding .gnu_debuglink

linux (5.3.0-20.21) eoan; urgency=medium

  * eoan/linux: 5.3.0-20.21 -proposed tracker (LP: #1849064)

  * eoan: alsa/sof: Enable SOF_HDA link and codec (LP: #1848490)
    - [Config] Enable SOF_HDA link and codec

  * Eoan update: 5.3.7 upstream stable release (LP: #1848750)
    - panic: ensure preemption is disabled during panic()
    - [Config] updateconfigs for USB_RIO500
    - USB: rio500: Remove Rio 500 kernel driver
   ...

This bug was fixed in the package linux - 5.0.0-35.38

---------------
linux (5.0.0-35.38) disco; urgency=medium

  * [REGRESSION] md/raid0: cannot assemble multi-zone RAID0 with default_layout
    setting (LP: #1849682)
    - SAUCE: Fix revert "md/raid0: avoid RAID0 data corruption due to layout
      confusion."

  * refcount underflow and type confusion in shiftfs (LP: #1850867) // CVE-2019-15793
    - SAUCE: shiftfs: Correct id translation for lower fs operations
    - SAUCE: shiftfs: prevent type confusion
    - SAUCE: shiftfs: Fix refcount underflow in btrfs ioctl handling

  * CVE-2018-12207
    - kvm: Convert kvm_lock to a mutex
    - kvm: x86: Do not release the page inside mmu_set_spte()
    - KVM: x86: make FNAME(fetch) and __direct_map more similar
    - KVM: x86: remove now unneeded hugepage gfn adjustment
    - KVM: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON
    - KVM: x86: add tracepoints around __direct_map and FNAME(fetch)
    - kvm: x86, powerpc: do not allow clearing largepages debugfs entry
    - SAUCE: KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging is
      active
    - SAUCE: x86: Add ITLB_MULTIHIT bug infrastructure
    - SAUCE: kvm: mmu: ITLB_MULTIHIT mitigation
    - SAUCE: kvm: Add helper function for creating VM worker threads
    - SAUCE: kvm: x86: mmu: Recovery of shattered NX large pages
    - SAUCE: cpu/speculation: Uninline and export CPU mitigations helpers
    - SAUCE: kvm: x86: mmu: Apply global mitigations knob to ITLB_MULTIHIT

  * CVE-2019-11135
    - KVM: x86: use Intel speculation bugs and features as derived in generic x86
      code
    - x86/msr: Add the IA32_TSX_CTRL MSR
    - x86/cpu: Add a helper function x86_read_arch_cap_msr()
    - x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default
    - x86/speculation/taa: Add mitigation for TSX Async Abort
    - x86/speculation/taa: Add sysfs reporting for TSX Async Abort
    - kvm/x86: Export MDS_NO=0 to guests when TSX is enabled
    - x86/tsx: Add "auto" option to the tsx= cmdline parameter
    - x86/speculation/taa: Add documentation for TSX Async Abort
    - x86/tsx: Add config options to set tsx=on|off|auto
    - SAUCE: x86/speculation/taa: Call tsx_init()
    - [Config] Disable TSX by default when possible

  * CVE-2019-0154
    - SAUCE: drm/i915: Lower RM timeout to avoid DSI hard hangs
    - SAUCE: drm/i915/gen8+: Add RC6 CTX corruption WA

  * CVE-2019-0155
    - SAUCE: drm/i915: Rename gen7 cmdparser tables
    - SAUCE: drm/i915: Disable Secure Batches for gen6+
    - SAUCE: drm/i915: Remove Master tables from cmdparser
    - SAUCE: drm/i915: Add support for mandatory cmdparsing
    - SAUCE: drm/i915: Support ro ppgtt mapped cmdparser shadow buffers
    - SAUCE: drm/i915: Allow parsing of unsized batches
    - SAUCE: drm/i915: Add gen9 BCS cmdparsing
    - SAUCE: drm/i915/cmdparser: Use explicit goto for error paths
    - SAUCE: drm/i915/cmdparser: Add support for backward jumps
    - SAUCE: drm/i915/cmdparser: Ignore Length operands during command matching

linux (5.0.0-34.36) disco; urgency=medium

  * disco/linux: <version to be filled> -proposed tracker (LP: #1850574)

  * [REGRESSION] md/raid0: cannot as...

I don't see the patch queued up in Xenial/Bionic for the 4.4.0-170.199 and 4.15.0-72.81 kernels. If I can do anything to help those land (like test more versions), please let me know.

Thank you!
Simon

Based on a suggestion from sarnold in #ubuntu-kernel, I re-ran the tests of the 4.15, 5.0 and 5.3 kernels in combination with a snap (lxd's snap specifically) and found no problem.

This bug was fixed in the package linux - 5.3.0-24.26

---------------
linux (5.3.0-24.26) eoan; urgency=medium

  * eoan/linux: 5.3.0-24.26 -proposed tracker (LP: #1852232)

  * Eoan update: 5.3.9 upstream stable release (LP: #1851550)
    - io_uring: fix up O_NONBLOCK handling for sockets
    - dm snapshot: introduce account_start_copy() and account_end_copy()
    - dm snapshot: rework COW throttling to fix deadlock
    - Btrfs: fix inode cache block reserve leak on failure to allocate data space
    - btrfs: qgroup: Always free PREALLOC META reserve in
      btrfs_delalloc_release_extents()
    - iio: adc: meson_saradc: Fix memory allocation order
    - iio: fix center temperature of bmc150-accel-core
    - libsubcmd: Make _FORTIFY_SOURCE defines dependent on the feature
    - perf tests: Avoid raising SEGV using an obvious NULL dereference
    - perf map: Fix overlapped map handling
    - perf script brstackinsn: Fix recovery from LBR/binary mismatch
    - perf jevents: Fix period for Intel fixed counters
    - perf tools: Propagate get_cpuid() error
    - perf annotate: Propagate perf_env__arch() error
    - perf annotate: Fix the signedness of failure returns
    - perf annotate: Propagate the symbol__annotate() error return
    - perf annotate: Fix arch specific ->init() failure errors
    - perf annotate: Return appropriate error code for allocation failures
    - perf annotate: Don't return -1 for error when doing BPF disassembly
    - staging: rtl8188eu: fix null dereference when kzalloc fails
    - RDMA/siw: Fix serialization issue in write_space()
    - RDMA/hfi1: Prevent memory leak in sdma_init
    - RDMA/iw_cxgb4: fix SRQ access from dump_qp()
    - RDMA/iwcm: Fix a lock inversion issue
    - HID: hyperv: Use in-place iterator API in the channel callback
    - kselftest: exclude failed TARGETS from runlist
    - selftests/kselftest/runner.sh: Add 45 second timeout per test
    - nfs: Fix nfsi->nrequests count error on nfs_inode_remove_request
    - arm64: cpufeature: Effectively expose FRINT capability to userspace
    - arm64: Fix incorrect irqflag restore for priority masking for compat
    - arm64: ftrace: Ensure synchronisation in PLT setup for Neoverse-N1 #1542419
    - tty: serial: owl: Fix the link time qualifier of 'owl_uart_exit()'
    - tty: serial: rda: Fix the link time qualifier of 'rda_uart_exit()'
    - serial/sifive: select SERIAL_EARLYCON
    - tty: n_hdlc: fix build on SPARC
    - misc: fastrpc: prevent memory leak in fastrpc_dma_buf_attach
    - RDMA/core: Fix an error handling path in 'res_get_common_doit()'
    - RDMA/cm: Fix memory leak in cm_add/remove_one
    - RDMA/nldev: Reshuffle the code to avoid need to rebind QP in error path
    - RDMA/mlx5: Do not allow rereg of a ODP MR
    - RDMA/mlx5: Order num_pending_prefetch properly with synchronize_srcu
    - RDMA/mlx5: Add missing synchronize_srcu() for MW cases
    - gpio: max77620: Use correct unit for debounce times
    - fs: cifs: mute -Wunused-const-variable message
    - arm64: vdso32: Fix broken compat vDSO build warnings
    - arm64: vdso32: Detect binutils support for dmb ishld
    - serial: mctrl_gpio: Check for NULL pointer
    - serial: 8250_...