After discussing with Field, snapd, kernel and the security team, this will break existing Ubuntu Core devices that use the 4.4 kernel and the network-manager snap in the default channel (per reporter, the 1.10 channel is unaffected). Therefore, the 4.4 kernels snaps that include this change (ie, 4.4.0-160.188 based) must not be promoted to stable at this time.
The snapd team is investigating an idea to gate the kernel snap refresh on snapd 2.41 (ie, that has the updated policy) and should know more tomorrow. If it works, we'll coordinate with the kernel team for any necessary changes. While this change may still be suitable for the Ubuntu archive, I'm marking it as verification-failed-xenial for now to ensure that automated processes don't promote 4.4.0-160.188 to stable without coordination. ** Tags removed: verification-done-xenial ** Tags added: verification-failed-xenial -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1658219 Title: flock not mediated by 'k' Status in AppArmor: In Progress Status in linux package in Ubuntu: Fix Released Status in linux source package in Xenial: Fix Committed Status in linux source package in Yakkety: Won't Fix Bug description: $ cat ./apparmor.profile #include <tunables/global> profile test { #include <abstractions/base> /bin/bash ixr, /dev/pts/* rw, /usr/bin/flock ixr, # Not blocked: # aa-exec -p test -- flock -w 1 /tmp/test.lock -c true /tmp/test.lock rw, } $ sudo apparmor_parser -r ./apparmor.profile $ aa-exec -p test -- flock -w 1 /tmp/test.lock -c true && echo yes yes $ ls -l /tmp/test.lock -rw-rw-r-- 1 jamie jamie 0 Jan 20 15:57 /tmp/test.lock The flock command uses flock(LOCK_EX) and I expected it to be blocked due to the lack of 'k'. apparmor userspace 2.10.95-0ubuntu2.5 (xenial) and 4.9.0-12.13-generic kernel on amd64. To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1658219/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
