Currently there isn't a good way to set the flags on a profile without
editing the local copy. There is an overlay mechanism coming, but it has
not landed yet. There is also another mechanism for dealing with
disconnected object coming. But until these extensions land there is a
way to do local pro
conditionally dependent rule, such
that when a specific file is allowed the matching pattern is
automatically allowed.
** Affects: apparmor (Ubuntu)
Importance: Undecided
Assignee: John Johansen (jjohansen)
Status: New
** Affects: linux (Ubuntu)
Importance: Undecided
Importance: Undecided
Status: New
** Affects: apparmor (Ubuntu Noble)
Importance: Undecided
Status: New
** Affects: linux (Ubuntu Noble)
Importance: Undecided
Assignee: John Johansen (jjohansen)
Status: New
** Also affects: linux (Ubuntu)
Looking into it. This appears to be an issue with the parent missing
when trying to create the child in aafs.
** Changed in: linux (Ubuntu Noble)
Status: New => Confirmed
** Changed in: linux (Ubuntu)
Status: New => Confirmed
** Changed in: ubuntu-realtime
Status: New => Con
This is likely a dup of
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2061851
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-lowlatency in Ubuntu.
https://bugs.launchpad.net/bugs/2061869
Title:
Snaps unable to connect to n
the kernel team is already rolling kernels with the fix for 2061851 but
it is also building in https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-devel ppa
--
*** This bug is a duplicate of bug 2046844 ***
https://bugs.launchpad.net/bugs/2046844
I will add here as well that we have an update of the firefox profile
coming that supports the /opt/firefox/firefox location used as the
default install for the firefox downloaded directly from mozilla.org
*** This bug is a duplicate of bug 2046844 ***
https://bugs.launchpad.net/bugs/2046844
Hi cipricus,
can you specify how and where your firefox was installed? We are trying
to support multiple variations, including downloading directly from
mozilla if it is installed to the standard location.
** Changed in: linux (Ubuntu Focal)
Status: New => Invalid
--
https://bugs.launchpad.net/bugs/2045384
Title:
AppArmor patch for mq-posix interface is missing in ja
1. Yes. The backport was for 5.15 jammy kernels including HWE
derivatives. The user space SRU was done in bug
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1994146
which included Focal. The intent being Focal will only support mqueue if
it is using an HWE kernel.
2. Yes that makes s
responding to @intrigeri (sorry this got lost somehow).
tldr: yes we are basically on the same page.
AppArmor does not fit into the 1400 range formats; every one of our
messages has some custom fields. Some of them could be
reformatted/reworked to share more, but we would still need custom
field
AppArmor does mediation post symlink resolution. Using symlinks to move
a file's or directory's location means the profile for the application
needs to be updated. That is why you see the failure when using symlinks
to move those folders; those applications have not been given access to
the location y
** Tags removed: verification-needed-mantic-linux
** Tags added: verification-done-mantic-linux
--
https://bugs.launchpad.net/bugs/2040250
Title:
apparmor notification files
Notifications now work as expected, not triggering the verification
failure
** Tags removed: kernel-spammed-mantic-linux-v2 verification-needed-mantic-linux
** Tags added: verification-done-mantic-linux
--
Tested: the sysctl values can now be read by a non-root user.
** Tags removed: verification-needed-mantic-linux
** Tags added: verification-done-mantic-linux
--
No longer oopses in regression test.
** Tags removed: verification-needed-mantic-linux
** Tags added: verification-done-mantic-linux
--
https://bugs.launchpad.net/bugs/20402
Tested and the assert is now gone.
** Tags removed: verification-needed-mantic-linux
** Tags added: verification-done-mantic-linux
--
https://bugs.launchpad.net/bugs/2040192
Public bug reported:
apparmor notifications on the 6.5 kernel are failing verification
between the header size and the returned size.
When strings are appended to the notification the header size should
be updated to reflect the correct size. While the size is also
d
** Also affects: linux (Ubuntu Mantic)
Importance: Undecided
Status: New
--
https://bugs.launchpad.net/bugs/2040245
Title:
apparmor oops when racing to retrieve a n
Public bug reported:
When there is a race to receive a notification, the failing tasks
oops when erroring
[ 196.140988] BUG: kernel NULL po
Public bug reported:
lxc and lxd currently need to determine if the apparmor restrictions
on unprivileged user namespaces are being enforced, so that apparmor
restrictions won't break lxc/d, and they won't clutter the logs
by doing something like
Public bug reported:
A reply to a prompt request that denies all permissions requested will throw
the following warning, because the auditing code does not expect the request
field to be empty when generating the audit message.
Sep 27 22:48:14 ubuntu-mantic snapd[59
Fix for the ptrace issue
** Patch added:
"0001-UBUNTU-SAUCE-no-up-apparmor-disable-1ea37b26d720-UBU.patch"
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2038567/+attachment/5707461/+files/0001-UBUNTU-SAUCE-no-up-apparmor-disable-1ea37b26d720-UBU.patch
--
Thanks John,
it has been confirmed that
1ea37b26d720 UBUNTU: SAUCE: apparmor4.0.0 [73/76]: userns - allow
restricting unprivileged change_profile
is causing the issue. It has a sysctl to disable its behavior, but the sysctl
can't be defaulted to off in the kernel. So to disable the sysctl, eith
To test if 1ea37b26d720 UBUNTU: SAUCE: apparmor4.0.0 [73/76]: userns -
allow restricting unprivileged change_profile is the cause of the ptrace
denials, you can disable it using
sudo bash -c "echo 0 > /proc/sys/kernel/apparmor_restrict_unprivileged_unconfined"
--
Oct 05 21:25:27 novel-ram kernel: audit: type=1400
audit(1696541127.240:6185): apparmor="DENIED" operation="ptrace"
class="ptrace" profile="lxd-current-iguana_"
pid=12702 comm="systemctl" requested_mask="read" denied_mask="read"
peer="lxd-current-iguana_//&unconfined"
indicates 1ea37b26d720 UBUNTU
apparmor side there are 2 immediate suspects.
1. kernel
0191e8433f76 UBUNTU: SAUCE: apparmor4.0.0: apparmor: Fix regression in mount
mediation
2. userspace mount work to fix the mount CVE
https://bugs.launchpad.net/apparmor/+bug/1597017
https://gitlab.com/apparmor/apparmor/-/merge_requests/10
This should be fixed by upstream commit
ec6851ae0ab4 apparmor: fix: kzalloc perms tables for shared dfas
--
https://bugs.launchpad.net/bugs/2024599
Title:
linux-image-5.15.0
** Changed in: apparmor
Status: New => Fix Committed
--
https://bugs.launchpad.net/bugs/2016908
Title:
udev fails to make prctl() syscall with apparmor=0 (as used by m
prctl behavior was changed by
c2350a7eca5c UBUNTU: SAUCE: Stacking v38: LSM: Specify which LSM to
display
it introduces a short circuit to protect against 2 new lsm prctl
commands being invoked without a major lsm, and unfortunately makes the
mistake that using lsm_slot == 0 means there are no LS
Specially crafted tests that can reliably trigger this issue will be
added to the test suite.
--
https://bugs.launchpad.net/bugs/2017903
Title:
LSM stacking and AppArmor for
The fix for the getattr issue in comment #26-#39 has now landed in
upstream 6.2 and will be part of the final release.
--
https://bugs.launchpad.net/bugs/1991691
Title:
cannot cha
This is popping up more and looks to be a regression in apparmor. I
don't have a fix yet
--
https://bugs.launchpad.net/bugs/1991691
Title:
cannot change mount namespace
Philip so possibly snapd will need to add some new rules. This isn't a
case of missing on older kernels but the new kernel requiring something
more/new. I need to investigate the why more. There are three potential
options I see
1. this is a regression in apparmor, around the handling of getattr.
So yes those look to be the culprit.
To the snap-update.ns.slack profile you will need to add the rule
r @{run}/user/@{uid}/doc/,
you can do this to the generated profile (it will get thrown away when
it gets regenerated but should be sufficient to test). The profiles are
stored in
/var/lib/sn
we do have several apparmor denials in there but none of them are
directly related to namespace creation. I have pasted them below just to
make sure they don't disappear when the pastebin is reaped. It is
possible that one of these denials is blocking the creation of a
namespace if it's calling a fu
Is there a message in the kernel ring buffer (dmesg) or kernel audit
log?
--
https://bugs.launchpad.net/bugs/1991691
Title:
cannot change mount namespace
Status in Linux:
The apparmor patch in this bug is not in the upstream kernel because the
userns mediation code it is patching is not in the upstream kernel. If
it is failing with the mainline kernel ppa it will be for a different reason.
--
** Changed in: apparmor (Ubuntu)
Status: Confirmed => Fix Released
** Changed in: linux (Ubuntu)
Status: Incomplete => Fix Released
--
https://bugs.launchpad.net/
Note: this bug report has two parts to it.
1. Snap issue: mkdir failing covered by bug 1951210 and fixed in
https://github.com/snapcore/snapd/pull/12127
2. apparmor module issue in the kernel, covered by patch in #18
** Changed in: linux (Ubuntu)
Assignee: (unassigned) => John Johan
The following patch fixes the issue for me.
** Patch added: "kernel patch to apparmor"
https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1991691/+attachment/5623421/+files/0001-UBUNTU-SAUCE-apparmor-Fix-getattr-mediation-causing-.patch
--
This is not related to the change in lp1990064. If it was you would see
log messages similar to
apparmor="DENIED" operation="userns_create" class="namespace" info="User
namespace creation restricted" error=-13 profile="unconfined" pid=21323
comm="steamwebhelper" requested="userns_create" denied="u
So re: issue/132 that code path has always been enabled. How we have
worked around it is by implicitly adding the GETATTR perm to the
mapping.
There were significant changes around permission lookup and mapping but
not around how/where the check is done, so I assume it is in the mapping
code thoug
There is an apparmor userspace update in flight as well; can you confirm
your apparmor version by adding the output of
dpkg -l apparmor
--
https://bugs.launchpad.net/bugs/199169
So in short yes, we are talking about blocking this; however it's not as bad as
that makes it sound. There is the immediate technical side, and the
reason we must do that, and then there is the longer term practical use
side.
So the technical short answer is yes that will be blocked at least
without additional
It will affect both. The exact effect will depend on how things are set
up. Unconfined privileged processes will still have access to create
user namespaces as they see fit. The processes within the user namespace
will be subject to similar restrictions.
There is still room for refinement of the m
In short unprivileged user namespaces are a vector for exploit chains, as
they expose interfaces that otherwise would not be available.
4 out of 5 exploit chains in pwn2own 2022 used unprivileged user
namespaces. They were also used in 2021, 2020, ... Yes the actual
vulnerabilities were in other interf
Not a regression, or at least an intended regression (ie. it is doing
exactly what is intended). This is exactly what has been talked about
for 6+ months. unprivileged user_namespaces are going away, but instead
of the big system level sysctl we can allow them on a per application
basis.
The only
Indeed https://bugs.launchpad.net/apparmor/+bug/1384746/comments/2
should be tracked elsewhere. It really should be split out into two
separate tracking issues.
1. either generating the feature file from the kernel on build. To track
this I have opened https://gitlab.com/apparmor/apparmor/-/issues/2
This is indeed upstream, and works as far as it goes. There are
currently issues when crossing system namespace boundaries but those are
being treated as separate issues. The stacking itself works; policy when
crossing ns boundaries has to be aware of it and be more relaxed than we
would like.
--
** Changed in: linux (Ubuntu)
Status: In Progress => Fix Released
--
https://bugs.launchpad.net/bugs/1898280
Title:
Please unrevert the apparmor audit rule filtering f
We didn't pick this up automatically because its Fixes tag is for when
ptrace rules landed upstream. But Ubuntu was carrying ptrace rules prior
to this
--
https://bugs.launchpad
We need to pick the upstream fix
338d0be437ef apparmor: fix ptrace read check
and we should probably pick
1f8266ff5884 (fix-setuid) apparmor: don't try to replace stale label in
ptrace access check
to avoid other problems.
--
** Also affects: linux (Ubuntu Xenial)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Disco)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Eoan)
Importance: Undecided
Status: Confirmed
** Also affects: linux (Ubuntu Bionic)
sorry it appears I added the comments about the v2 patch to the wrong
bug
thanks for testing. I will get the request sent out to the kt.
--
https://bugs.launchpad.net/bugs/1844
updated to the 5.0.0-29 kernel
--
https://bugs.launchpad.net/bugs/1844186
Title:
[regression] NoNewPrivileges incompatible with Apparmor
Status in linux package in Ubuntu:
ha, it's by mistake. I fetched the new kernel but missed doing the
rebase. I'll get a new 5.0 up asap
--
https://bugs.launchpad.net/bugs/1844186
Title:
[regression] NoNewPrivi
okay, thanks for testing. I'll submit the patch for 4.4 and 4.15 kernels
and look into why the 5.0 kernel is blocking policy loads
--
https://bugs.launchpad.net/bugs/1844186
There are some test kernels at
https://people.canonical.com/~jj/lp1844186/
--
https://bugs.launchpad.net/bugs/1844186
Title:
[regression] NoNewPrivileges incompatible with Ap
I am testing a fix for this that won't require reverting the patch. I
will put up a test kernel if it passes.
--
https://bugs.launchpad.net/bugs/1844186
Title:
[regression] N
In the above regression we have
lxd-ns0_//&:root//lxd-ns0_://unconfined
transitioning to
lxd-ns0_//&:lxd-ns0_:/usr/sbin/nsd//&:root//lxd-ns0_:///usr/sbin/nsd
this is not a strict subset of profiles, however the unconfined
exception needs to be taken into account when nnp is set.
There is a bug
I should add that bug 1839037 is a bug in the subset test introduced in
kernel 4.13 (and earlier Ubuntu 4.4 Xenial kernels). Some subsets will
properly transition, some won't; it all depends on what is in the stack
being transitioned. The patch fixes it so that all transition
combinations pass correc
The LSMs respecting the nnp flag was actually mandated by Linus. So yes
it breaks apparmor.
Kernel 3.5: Tasks that have nnp block apparmor policy transitions except
for unconfined, as transitions in that case always result in reduced
permissions.
Kernel 4.13: Loosened these restrictions around st
This might be in the compiler
The feature file you are pinning supports v8 socket mediation. The user
space however does not. The ubuntu kernel supports v7 and v8 socket
mediation, but the user space only supports v7. I need to dig into this
more but it looks like the user space compiler is generat
** Changed in: linux (Ubuntu)
Assignee: (unassigned) => John Johansen (jjohansen)
--
https://bugs.launchpad.net/bugs/1842459
Title:
apparmor abi-feature pinning
Can you please attach the features file you are setting in
/etc/apparmor/apparmor.conf
--
https://bugs.launchpad.net/bugs/1842459
Title:
apparmor abi-feature pinning not work
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial
--
https://bugs.launchpad.net/bugs/1838627
Title:
AppArmor onexec transition causes WARN k
** Tags added: verification-done-xenial
--
https://bugs.launchpad.net/bugs/1839037
Title:
Stacked onexec transitions fail when under NO NEW PRIVS restrictions
Status in linu
** Tags removed: verification-needed-bionic verification-needed-xenial
** Tags added: verification-done-bionic
--
https://bugs.launchpad.net/bugs/1839037
Title:
Stacked onexe
*** This bug is a duplicate of bug 1658219 ***
https://bugs.launchpad.net/bugs/1658219
** Information type changed from Private Security to Public Security
--
https://bugs.
Public bug reported:
running the apparmor nnp regression tests results in the following
failure
Error: transition failed. Test 'NNP (stack onexec - NNP)' was expected
to 'pass'. Reason for failure 'FAIL - execv: Operation not permitted'
with a log message of
[ 1169.863302] audit: type=1400 audi
** Changed in: linux (Ubuntu Xenial)
Status: Triaged => Confirmed
--
https://bugs.launchpad.net/bugs/1658219
Title:
flock not mediated by 'k'
Status in AppArmor:
Fix selected and backported from a larger patch that originally landed
in Zesty and subsequently landed in upstream.
** Patch added:
"0001-UBUNTU-SAUCE-apparmor-fix-audit-failures-when-perfor.patch"
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1838627/+attachment/5280320/+files/0001-
The patch has been tested against a reproducer and fixes the issue.
--
https://bugs.launchpad.net/bugs/1838627
Title:
AppArmor onexec transition causes WARN kernel stack trac
Importance: Undecided
Assignee: John Johansen (jjohansen)
Status: Confirmed
** Tags: xenial
** Also affects: linux (Ubuntu Xenial)
Importance: Undecided
Status: New
** Changed in: linux (Ubuntu Xenial)
Assignee: (unassigned) => John Johansen (jjohansen
It is fixed to the degree it can be fixed until upstream agrees on
changes in the LSM layer.
The apparmor devs certainly can do the work of proposing new hooks, etc
that are necessary but it hasn't been the highest priority item. I will
note that this is a high priority item, just that others have
There was an attempt to revive this Dec. 6, 2017
https://lists.ubuntu.com/archives/apparmor/2017-December/011370.html
upstream there is belief in using generic audit message types. The
problem is that apparmor, selinux and smack messages differ, so they
aren't so common.
This is going to have
In 4.20 we landed some of the infrastructure to support this.
Specifically secmark support was landed which provides the
infrastructure needed for apparmor labels to interact with iptables and
iptables to interact with apparmor.
This isn't something generally available for use yet as it
infrastruc
No disagreement that this is a high priority item. There is some work
around fine grained mediation happening but I am unsure when it will
land.
The problem is that this is not the only high priority item that needs
to be addressed. Changing priority of these items can certainly be
discussed again
** Tags added: verification-done-bionic
--
https://bugs.launchpad.net/bugs/1780227
Title:
locking sockets broken due to missing AppArmor socket mediation
patches
Status in
** Tags removed: verification-needed-bionic verification-needed-xenial
** Tags added: verification-done-xenial
--
https://bugs.launchpad.net/bugs/1780227
Title:
locking socke
I have placed ubuntu test kernels for xenial and bionic in
http://people.canonical.com/~jj/lp1780227/
the patch is attached
** Patch added:
"0001-UBUNTU-SAUCE-apparmor-fix-apparmor-mediating-locking.patch"
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1780227/+attachment/5168755/+
Sadly we ran into two separate issues.
1. the kernel mapping of the permission won't allow the lock perm to be
carried through on all kernels.
I have a patch for it now, but pita
2. the release process needed some updating to uhm work with the move to
git and gitlab as hosting.
So with the abo
I will try to get the point releases out today.
--
https://bugs.launchpad.net/bugs/1780227
Title:
locking sockets broken due to missing AppArmor socket mediation
patches
You are correct that the kernel reports a supported abi, and currently
the abi does not export that it is supporting link mediation for
sockets. However the kernel is currently enforcing link mediation on
sockets and there are reasons to want to continue to do so.
The plan would be to let the pars
Okay, so let's split this between upstream and ubuntu kernels
previous upstream kernels did not have socket mediation and could NOT
have generated the denial message being seen.
Jul 04 15:11:11 host audit[28404]: AVC apparmor="DENIED" operation="file_lock"
profile="lxc-container-default-cgns" pi
The 4.17 patch set did not have any changes that should affect this. I
will have to investigate what is going on further. At this time DO NOT
backport the 4.17 patchset.
--
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial
--
https://bugs.launchpad.net/bugs/1758471
Title:
apparmor: fix bad __initdata tagging on,
No logs needed as its a build warning
** Changed in: linux (Ubuntu)
Status: Incomplete => Confirmed
--
https://bugs.launchpad.net/bugs/1758471
Title:
apparmor: fix b
This only affects Xenial.
** Changed in: linux (Ubuntu Xenial)
Status: New => Confirmed
** Changed in: linux (Ubuntu Xenial)
Assignee: (unassigned) => John Johansen (jjohansen)
--
Status: Incomplete
** Affects: linux (Ubuntu Xenial)
Importance: Undecided
Assignee: John Johansen (jjohansen)
Status: Confirmed
** Also affects: linux (Ubuntu Xenial)
Importance: Undecided
Status: New
--
There are no changes to apparmor in that range, but that does cover the
kaiser changes. Since there were no apparmor changes and the kaiser changes
affect the kernel/userspace memory interaction, my guess is that something is
triggering in the copy_from_user when policy is loaded.
--
Maybe, but we would need more information to say for sure.
There have been no changes in apparmor between the reported working
20180109 and 20180126.
The warning
> "Warning failed to create cache: usr.sbin.sssd" before the instance
just means that apparmor was not able to cache the binary policy that
Klaus,
agreed logs are not needed, thanks for the confirmation. The comment in
#1 is generated by a bot so don't worry about it.
--
https://bugs.launchpad.net/bugs/1737005
The Ubuntu mainline kernel build unfortunately currently does not have
apparmor set as the default LSM. This is due to some config changes done
when adding the LSM stacking patches (Ubuntu tries to keep the configs
as close as possible). Addressing this is wip and should land with the
next revision
Yes, the split parser has been an issue for a long time. There has been a
plan to make the flex/yacc/C parser code available as a lib for the
other tools but it's one of those things that never gets resources
allocated.
The short term fix for this is probably a backport of a newer version of
the pyt
yep thanks, fixed and pushed
** Changed in: linux (Ubuntu)
Status: Confirmed => Fix Released
--
https://bugs.launchpad.net/bugs/1720660
Title:
linux 4.13.0-13.14 ADT
Marking it Fix Released. Please re-open if you find you still have
issues.
** Changed in: linux (Ubuntu)
Status: Fix Committed => Fix Released
--
https://bugs.launchpad
Fixed in
commit 393d5cca6af1070709f2baaf291d16e27fbea366
Author: John Johansen
Date: Thu Oct 5 13:50:51 2017 -0700
Fix test-kernel-security.py when LSM stacking based kernel is used.
In the LSM stacking kernel DEFAULT_SECURITY_APPARMOR is not set instead
sort of. The code was broken into patches and upstreamed piecemeal, so
the tighter restrictions when a given patch went in made sense. They also
better reflect some of the internal permissions that were being
enforced, ie. while profiles was you needed cap mac admin to actually
see it. It looks