[Bug 1199933] Re: apparmor parser in precise does not support block_suspend capability (needed for backported kernels)
Jeffery von Ronne
1199933 at bugs.launchpad.net
Wed Jul 10 20:17:40 UTC 2013
Yes. I think it is fair to characterize this as the inverse of 1058356.
Basically, if one uses precise with a backported kernel, one gets an
implicit "deny capability block_suspend" that can't be changed in all
apparmor profiles, because the tools and profiles do not know about
block_suspend.
I'm not sure that cups really needs block_suspend, but it affects
anything apparmored using precise tools and a raring kernel. I actually
first saw this after using aa-genprof on crashplan, which suggested
adding a "capability block_suspend" line, but after adding it, the
profile wouldn't load. (I'm not sure why crashplan needs to
block_suspend either, though.)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to upstart in Ubuntu.
https://bugs.launchpad.net/bugs/1199933
Title:
apparmor parser in precise does not support block_suspend capability
(needed for backported kernels)
Status in “upstart” package in Ubuntu:
Fix Released
Status in “upstart” source package in Precise:
Incomplete
Status in “upstart” source package in Saucy:
Fix Released
Bug description:
When running an up-to-date precise system with a linux-image-generic-lts-raring HWE kernel (linux 3.8),
the precise version of apparmor will deny all attempts of apparmored apps to call the block_suspend system call:
For example:
type=AVC msg=audit(XXXXXXXXXX.XXX:XXXXX): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/cupsd" pid=1040 comm="cupsd" pid=1040 comm="cupsd" capability=36 capname="block_suspend"
But it is also impossible to add block_suspend to the apparmor profiles, because the AppArmor parser does not know about it:
Setting /usr/sbin/cupsd to enforce mode.
Warning from stdin (line 1): /sbin/apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
AppArmor parser error, in stdin line 24: Invalid capability block_suspend.
This seems to make it impossible to have apparmor not deny block
suspend when using an LTS HWE kernel.
This seems to be related to bug #1052098.
ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: apparmor 2.7.102-0ubuntu3.7
ProcVersionSignature: Ubuntu 3.8.0-25.37~precise1-generic 3.8.13
Uname: Linux 3.8.0-25-generic x86_64
ApportVersion: 2.0.1-0ubuntu17.3
Architecture: amd64
Date: Wed Jul 10 12:48:24 2013
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120425)
KernLog: Jul 10 12:34:08 gumdrop kernel: [580960.424225] SGI XFS with ACLs, security attributes, realtime, large block/inode numbers, no debug enabled
MarkForUpload: True
ProcEnviron:
TERM=xterm
PATH=(custom, no user)
LANG=en_US.UTF-8
SHELL=/bin/bash
ProcKernelCmdline: BOOT_IMAGE=/@/boot/vmlinuz-3.8.0-25-generic root=UUID=981723af-1da9-455d-b776-3a1e8885efde ro rootflags=subvol=@
SourcePackage: apparmor
UpgradeStatus: No upgrade log present (probably fresh install)
audit.log: Error: [Errno 13] Permission denied: '/var/log/audit/audit.log'
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/upstart/+bug/1199933/+subscriptions
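An added triage helper, not part of the bug report or of AppArmor's own tooling: it parses audit records in the format quoted in the description and flags capability denials whose name the installed parser cannot accept, so a precise system on an HWE kernel can see which denials no profile edit will lift. The sample log lines and the list of capability names a 2.7-era parser accepts are constructed assumptions.

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed sample audit lines (not from a real system). The first mirrors the
# cupsd record in the bug report; the third is a file denial the filter ignores.
SAMPLE_LOG = [
    'type=AVC msg=audit(1373460000.123:4567): apparmor="DENIED" operation="capable" '
    'parent=1 profile="/usr/sbin/cupsd" pid=1040 comm="cupsd" capability=36 capname="block_suspend"',
    'type=AVC msg=audit(1373460001.456:4568): apparmor="DENIED" operation="capable" '
    'parent=1 profile="/usr/sbin/ntpd" pid=2231 comm="ntpd" capability=10 capname="net_bind_service"',
    'type=AVC msg=audit(1373460002.789:4569): apparmor="DENIED" operation="open" '
    'parent=1 profile="/usr/sbin/cupsd" name="/etc/shadow" pid=1040 comm="cupsd" requested_mask="r"',
]

# Assumption: the names a 2.7-era apparmor_parser accepts, i.e. Linux capabilities
# 0..35 (up to wake_alarm). block_suspend (36, Linux 3.5+) is absent, as reported.
PRECISE_PARSER_CAPS: Set[str] = set("""
    chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap
    linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock
    ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin
    sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
    audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm
""".split())

# One key=value token; the value is either double-quoted or a bare word.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_avc(line: str) -> Dict[str, str]:
    """Split one AppArmor audit record into its key=value fields."""
    fields: Dict[str, str] = {}
    for key, quoted, bare in _KV_RE.findall(line):
        fields[key] = bare or quoted   # exactly one of the two groups matched
    return fields

def capability_denials(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Keep only records that are AppArmor denials of a capability check."""
    recs = (parse_avc(line) for line in lines)
    return [r for r in recs
            if r.get("apparmor") == "DENIED" and r.get("operation") == "capable"]

def unexpressible_denials(lines: Iterable[str], known_caps: Set[str]) -> List[Dict[str, str]]:
    """Capability denials no profile rule can lift because the parser does not know the name."""
    return [r for r in capability_denials(lines) if r.get("capname") not in known_caps]

if __name__ == "__main__":
    for r in unexpressible_denials(SAMPLE_LOG, PRECISE_PARSER_CAPS):
        print(f'{r["profile"]}: capability {r["capability"]} ({r["capname"]}) cannot be '
              'granted by this parser; a newer apparmor userspace is needed')
```

On a real host, feed it lines from /var/log/audit/audit.log or kern.log and replace the constructed capability set with the names your installed apparmor_parser actually accepts.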