Thanks. That confirms it is not the complain leak.
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2098730
Title:
Kernel 6.8.0 memory leak
Status in linux package in Ubuntu:
Confirmed
** Changed in: linux (Ubuntu)
Status: Confirmed => Fix Released
https://bugs.launchpad.net/bugs/1508737
Title:
unix domain socket bind causes kernel audit NULL poin
** Changed in: apparmor (Ubuntu)
Status: Confirmed => Invalid
** Changed in: apparmor (Ubuntu Xenial)
Status: Confirmed => Invalid
** Changed in: apparmor (Ubuntu Yakkety)
Status: Confirmed => Invalid
** Changed in: apparmor (Ubuntu Zesty)
Status: Confirmed => Invalid
I have found and fixed a leak in the prompt notification interface. It however
does not account for this.
There is also a circular reference count with complain mode profiles, but it is
not clear if that is the situation encountered here.
The messages in syslog could indicate that there are some
** Changed in: linux (Ubuntu)
Assignee: Roger Knecht (rogerknecht) => John Johansen (jjohansen)
** Changed in: linux (Ubuntu Noble)
Assignee: Roger Knecht (rogerknecht) => John Johansen (jjohansen)
** Changed in: linux (Ubuntu Oracular)
Assignee: Roger Knecht (rogerknecht) =
@mfuk: the generic 6.8.12 kernel doesn't have the ubuntu patch diff, and
that is likely why you are not seeing this issue with that kernel
https://bugs.launchpad.net/bugs/209
this looks like at a minimum the apparmor profile needs to be updated.
This needs to be done before any other kernel work. Adding an apparmor
task
lsblk trace shows
openat(AT_FDCWD, "/sys/block/sr0/hidden", O_RDONLY|O_CLOEXEC) = -1 EACCES
(Permission denied)
openat(AT_FDCWD, "/sys/block/sr0/dev
** Also affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
** Changed in: linux (Ubuntu)
Status: New => In Progress
** Changed in: apparmor (Ubuntu)
Status: New => In Progress
** Changed in: linux (Ubuntu)
Assignee: (unassigned) => John Johansen (
Public bug reported:
When snapd crashes or restarts it closes its connection to the kernel
and the listener state, and all existing notifications are lost.
This is a problem for snapd as it means prompt information is lost,
causing failures for the user, and a need to re-prompt the user. The
user
focal apparmor userspace.
The partial mqueue mediation in Focal's kernel has caused some issues,
and the full patchset including the fix for this may need to be SRUed
kernel side.
** Changed in: apparmor
Assignee: (unassigned) => John Johansen (jjohansen)
** Changed in: apparmor
This has been traced to the compatibility patches in the kernel, and
will need a kernel fix.
** Changed in: linux (Ubuntu Plucky)
Assignee: (unassigned) => John Johansen (jjohansen)
^^^
AssertionError: 1 != 0 : Got exit code 0, expected 1
** Affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
** Affects: linux (Ubuntu)
Importance: Undecided
Assignee: John Johansen (jjohansen)
Status: New
** Affects: apparmor (Ubuntu Plucky)
Imp
Currently there isn't a good way to set the flags on a profile without
editing the local copy. There is an overlay mechanism coming, but it has
not landed yet. There is also another mechanism for dealing with
disconnected object coming. But until these extensions land there is a
way to do local pro
conditionally dependent rule, such
that when a specific file is allowed the matching pattern is
automatically allowed.
** Affects: apparmor (Ubuntu)
Importance: Undecided
Assignee: John Johansen (jjohansen)
Status: New
** Affects: linux (Ubuntu)
Importance: Undecided
Assignee
)
Importance: Undecided
Status: New
** Affects: apparmor (Ubuntu Noble)
Importance: Undecided
Status: New
** Affects: linux (Ubuntu Noble)
Importance: Undecided
Assignee: John Johansen (jjohansen)
Status: New
** Also affects: linux (Ubuntu)
Importance
Looking into it. This appears to be an issue with the parent missing
when trying to create the child in aafs.
** Changed in: linux (Ubuntu Noble)
Status: New => Confirmed
** Changed in: linux (Ubuntu)
Status: New => Confirmed
** Changed in: ubuntu-realtime
Status: New => Con
This is likely a dup of
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2061851
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-lowlatency in Ubuntu.
https://bugs.launchpad.net/bugs/2061869
Title:
Snaps unable to connect to n
the kernel team is already rolling kernels with the fix for 2061851 but
it is also building in https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-devel ppa
*** This bug is a duplicate of bug 2046844 ***
https://bugs.launchpad.net/bugs/2046844
I will add here as well that we have an update of the firefox profile
coming that supports the /opt/firefox/firefox location used as the
default install for the firefox downloaded directly from mozilla.org
*** This bug is a duplicate of bug 2046844 ***
https://bugs.launchpad.net/bugs/2046844
Hi cipricus,
can you specify how and where your firefox was installed? We are trying
to support multiple variations including downloading directly from
mozilla if it is installed to the standard location.
** Changed in: linux (Ubuntu Focal)
Status: New => Invalid
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-hwe in Ubuntu.
https://bugs.launchpad.net/bugs/2045384
Title:
AppArmor patch for mq-posix interface is missing in ja
1. Yes. The backport was for 5.15 jammy kernels including HWE
derivatives. The user space SRU was done in bug
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1994146
which included Focal. The intent being Focal will only support mqueue if
it is using an HWE kernel.
2. Yes that makes s
responding to @intrigeri (sorry this got lost somehow).
tldr: yes we are basically on the same page.
AppArmor does not fit into the 1400 range formats, every one of our
messages has some custom fields. Some of them could be
reformatted/reworked to share more, but we would still need custom
field
AppArmor does mediation post symlink resolution. Using symlinks to move
a file's or directory's location means the profile for the application
needs to be updated. That is why you see the failure when using symlinks
to move those folders; those applications have not been given access to
the location y
** Tags removed: verification-needed-mantic-linux
** Tags added: verification-done-mantic-linux
https://bugs.launchpad.net/bugs/2040250
Title:
apparmor notification files
Notifications now work as expected, not triggering the verification
failure
** Tags removed: kernel-spammed-mantic-linux-v2 verification-needed-mantic-linux
** Tags added: verification-done-mantic-linux
Tested: the sysctl values can now be read by a non-root user.
** Tags removed: verification-needed-mantic-linux
** Tags added: verification-done-mantic-linux
https://bugs.l
No longer oopses in regression test.
** Tags removed: verification-needed-mantic-linux
** Tags added: verification-done-mantic-linux
https://bugs.launchpad.net/bugs/20402
Tested and the assert is now gone.
** Tags removed: verification-needed-mantic-linux
** Tags added: verification-done-mantic-linux
https://bugs.launchpad.net/bugs/2040192
T
Public bug reported:
apparmor notifications on the 6.5 kernel are failing verification
between the header size and the returned size.
When strings are appended to the notification the header size should
be updated to reflect the correct size. While the size is also
d
** Also affects: linux (Ubuntu Mantic)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/2040245
Title:
apparmor oops when racing to retrieve a n
Public bug reported:
When there is a race to receive a notification, the failing tasks
oops when erroring
[ 196.140988] BUG: kernel NULL po
Public bug reported:
lxc and lxd currently need to determine if the apparmor restrictions
on unprivileged user namespaces are being enforced, so that apparmor
restrictions won't break lxc/d, and they won't clutter the logs
by doing something like
Public bug reported:
A reply to a prompt request that denies all permissions requested will throw
the following warning, because the auditing code does not expect the request
field to be empty when generating the audit message.
Sep 27 22:48:14 ubuntu-mantic snapd[59
Fix for the ptrace issue
** Patch added:
"0001-UBUNTU-SAUCE-no-up-apparmor-disable-1ea37b26d720-UBU.patch"
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2038567/+attachment/5707461/+files/0001-UBUNTU-SAUCE-no-up-apparmor-disable-1ea37b26d720-UBU.patch
Thanks John,
it has been confirmed that
1ea37b26d720 UBUNTU: SAUCE: apparmor4.0.0 [73/76]: userns - allow
restricting unprivileged change_profile
is causing the issue. It has a sysctl to disable its behavior, but the sysctl
can't be defaulted to off in the kernel. So to disable the sysctl, eith
To test if 1ea37b26d720 UBUNTU: SAUCE: apparmor4.0.0 [73/76]: userns -
allow restricting unprivileged change_profile is the cause of the ptrace
denials, you can disable it using
sudo bash -c "echo 0 > /proc/sys/kernel/apparmor_restrict_unprivileged_unconfined"
Oct 05 21:25:27 novel-ram kernel: audit: type=1400
audit(1696541127.240:6185): apparmor="DENIED" operation="ptrace"
class="ptrace" profile="lxd-current-iguana_"
pid=12702 comm="systemctl" requested_mask="read" denied_mask="read"
peer="lxd-current-iguana_//&unconfined"
indicates 1ea37b26d720 UBUNTU
apparmor side there are 2 immediate suspects.
1. kernel
0191e8433f76 UBUNTU: SAUCE: apparmor4.0.0: apparmor: Fix regression in mount
mediation
2. userspace mount work to fix the mount CVE
https://bugs.launchpad.net/apparmor/+bug/1597017
https://gitlab.com/apparmor/apparmor/-/merge_requests/10
This should be fixed by upstream commit
ec6851ae0ab4 apparmor: fix: kzalloc perms tables for shared dfas
https://bugs.launchpad.net/bugs/2024599
Title:
linux-image-5.15.0
** Changed in: apparmor
Status: New => Fix Committed
https://bugs.launchpad.net/bugs/2016908
Title:
udev fails to make prctl() syscall with apparmor=0 (as used by m
prctl behavior was changed by
c2350a7eca5c UBUNTU: SAUCE: Stacking v38: LSM: Specify which LSM to
display
it introduces a short circuit to protect against 2 new lsm prctl
commands being invoked without a major lsm, and unfortunately makes the
mistake that using lsm_slot == 0 means there are no LS
Specially crafted tests that can reliably trigger this issue will be
added to the test suite.
https://bugs.launchpad.net/bugs/2017903
Title:
LSM stacking and AppArmor for
The fix for the getattr issue in comments #26-#39 has now landed in
upstream 6.2 and will be part of the final release.
https://bugs.launchpad.net/bugs/1991691
Title:
cannot cha
This is popping up more and looks to be a regression in apparmor. I
don't have a fix yet
https://bugs.launchpad.net/bugs/1991691
Title:
cannot change mount namespace
Stat
Philip so possibly snapd will need to add some new rules. This isn't a
case of missing on older kernels but the new kernel requiring something
more/new. I need to investigate the why more. There are three potential
options I see
1. this is a regression in apparmor, around the handling of getattr.
So yes those look to be the culprit.
To the snap-update.ns.slack profile you will need to add the rule
r @{run}/user/@{uid}/doc/,
you can do this to the generated profile (it will get thrown away when
it gets regenerated but should be sufficient to test). The profiles are
stored in
/var/lib/sn
we do have several apparmor denials in there but none of them are
directly related to namespace creation. I have pasted them below just to
make sure they don't disappear when the pastebin is reaped. It is
possible that one of these denials is blocking the creation of a
namespace if it's calling a fu
Is there a message in the kernel ring buffer (dmesg) or kernel audit
log?
https://bugs.launchpad.net/bugs/1991691
Title:
cannot change mount namespace
Status in Linux:
The apparmor patch in this bug is not in the upstream kernel because the
userns mediation code it is patching is not in the upstream kernel. If
it is failing with the mainline kernel ppa it will be for a different reason.
** Changed in: apparmor (Ubuntu)
Status: Confirmed => Fix Released
** Changed in: linux (Ubuntu)
Status: Incomplete => Fix Released
https://bugs.launchpad.net/
Note: this bug report has two parts to it.
1. Snap issue: mkdir failing covered by bug 1951210 and fixed in
https://github.com/snapcore/snapd/pull/12127
2. apparmor module issue in the kernel, covered by patch in #18
** Changed in: linux (Ubuntu)
Assignee: (unassigned) => John Johan
The following patch fixes the issue for me.
** Patch added: "kernel patch to apparmor"
https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1991691/+attachment/5623421/+files/0001-UBUNTU-SAUCE-apparmor-Fix-getattr-mediation-causing-.patch
This is not related to the change in lp1990064. If it was you would see
log messages similar to
apparmor="DENIED" operation="userns_create" class="namespace" info="User
namespace creation restricted" error=-13 profile="unconfined" pid=21323
comm="steamwebhelper" requested="userns_create" denied="u
So re: issue/132 that code path has always been enabled. How we have
worked around it is by implicitly adding the GETATTR perm to the
mapping.
There were significant changes around permission lookup and mapping but
not around how/where the check is done, so I assume it is in the mapping
code thoug
There is an apparmor userspace update in flight as well; can you confirm
your apparmor version by adding the output of
dpkg -l apparmor
https://bugs.launchpad.net/bugs/199169
So in short yes we are talking about blocking this, however it's not as
bad as that makes it sound. There is the immediate technical side, and
the reason we must do that, and then there is the longer term practical
use side.
So the technical short answer is yes that will be blocked at least
without additional
It will affect both. The exact effect will depend on how things are set
up. Unconfined privileged processes will still have access to create
user namespaces as they see fit. The processes within the user namespace
will be subject to similar restrictions.
There is still room for refinement of the m
In short unprivileged user namespaces are a vector for exploit chains, as
they expose interfaces that otherwise would not be available.
4 out of 5 exploit chains in pwn2own 2022 used unprivileged user
namespaces. They were also used in 2021, 2020, ... Yes the actual
vulnerabilities were in other interf
Not a regression, or at least an intended regression (ie. it is doing
exactly what is intended). This is exactly what has been talked about
for 6+ months. unprivileged user_namespaces are going away, but instead
of the big system level sysctl we can allow them on a per application
basis.
The only
Indeed https://bugs.launchpad.net/apparmor/+bug/1384746/comments/2
should be tracked elsewhere. It really should be split out into two
separate tracking issues.
1. either generating the feature file from the kernel on build. To track
this I have opened https://gitlab.com/apparmor/apparmor/-/issues/2
This is indeed upstream, and works as far as it goes. There are
currently issues when crossing system namespace boundaries but those are
being treated as separate issues. The stacking itself works; policy when
crossing ns boundaries has to be aware of it and be more relaxed than we
would like.
** Changed in: linux (Ubuntu)
Status: In Progress => Fix Released
https://bugs.launchpad.net/bugs/1898280
Title:
Please unrevert the apparmor audit rule filtering f
We didn't pick this up automatically because its fixes tag is for when
ptrace rules landed upstream. But ubuntu was carrying ptrace rules prior
to this
https://bugs.launchpad
We need to pick the upstream fix
338d0be437ef apparmor: fix ptrace read check
and we should probably pick
1f8266ff5884 (fix-setuid) apparmor: don't try to replace stale label in
ptrace access check
to avoid other problems.
** Also affects: linux (Ubuntu Xenial)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Disco)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Eoan)
Importance: Undecided
Status: Confirmed
** Also affects: linux (Ubuntu Bionic)
Im
sorry it appears I added the comments about the v2 patch to the wrong
bug
thanks for testing. I will get the request sent out to the kt.
https://bugs.launchpad.net/bugs/1844
updated to the 5.0.0-29 kernel
https://bugs.launchpad.net/bugs/1844186
Title:
[regression] NoNewPrivileges incompatible with Apparmor
Status in linux package in Ubuntu:
ha, it's by mistake. I fetched the new kernel but missed doing the
rebase. I'll get a new 5.0 up asap
https://bugs.launchpad.net/bugs/1844186
Title:
[regression] NoNewPrivi
okay, thanks for testing. I'll submit the patch for 4.4 and 4.15 kernels
and look into why the 5.0 kernel is blocking policy loads
https://bugs.launchpad.net/bugs/1844186
Ti
There are some test kernels at
https://people.canonical.com/~jj/lp1844186/
https://bugs.launchpad.net/bugs/1844186
Title:
[regression] NoNewPrivileges incompatible with Ap
I am testing a fix for this that won't require reverting the patch. I
will put up a test kernel if it passes.
https://bugs.launchpad.net/bugs/1844186
Title:
[regression] N
In the above regression we have
lxd-ns0_//&:root//lxd-ns0_://unconfined
transitioning to
lxd-ns0_//&:lxd-ns0_:/usr/sbin/nsd//&:root//lxd-ns0_:///usr/sbin/nsd
this is not a strict subset of profiles, however the unconfined
exception needs to be taken into account when nnp is set.
There is a bug
I should add that bug 1839037 is a bug in the subset test introduced in
kernel 4.13 (and earlier Ubuntu 4.4 Xenial kernels). Some subsets will
properly transition, some won't; it all depends on what is in the stack
being transitioned. The patch fixes it so that all transition
combinations pass correc
The LSMs respecting the nnp flag was actually mandated by Linus. So yes
it breaks apparmor.
Kernel 3.5: Tasks that have nnp block apparmor policy transitions except
for unconfined, as transitions in that case always result in reduced
permissions.
Kernel 4.13: Loosened these restrictions around st
This might be in the compiler
The feature file you are pinning supports v8 socket mediation. The user
space however does not. The ubuntu kernel supports v7 and v8 socket
mediation, but the user space only supports v7. I need to dig into this
more but it looks like the user space compiler is generat
** Changed in: linux (Ubuntu)
Assignee: (unassigned) => John Johansen (jjohansen)
https://bugs.launchpad.net/bugs/1842459
Title:
apparmor abi-feature pinning
Can you please attach the features file you are setting in
/etc/apparmor/apparmor.conf
https://bugs.launchpad.net/bugs/1842459
Title:
apparmor abi-feature pinning not work
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial
https://bugs.launchpad.net/bugs/1838627
Title:
AppArmor onexec transition causes WARN k
** Tags added: verification-done-xenial
https://bugs.launchpad.net/bugs/1839037
Title:
Stacked onexec transitions fail when under NO NEW PRIVS restrictions
Status in linu
** Tags removed: verification-needed-bionic verification-needed-xenial
** Tags added: verification-done-bionic
https://bugs.launchpad.net/bugs/1839037
Title:
Stacked onexe
*** This bug is a duplicate of bug 1658219 ***
https://bugs.launchpad.net/bugs/1658219
** Information type changed from Private Security to Public Security
https://bugs.
Public bug reported:
running the apparmor nnp regression tests results in the following
failure
Error: transition failed. Test 'NNP (stack onexec - NNP)' was expected
to 'pass'. Reason for failure 'FAIL - execv: Operation not permitted'
with a log message of
[ 1169.863302] audit: type=1400 audi
** Changed in: linux (Ubuntu Xenial)
Status: Triaged => Confirmed
https://bugs.launchpad.net/bugs/1658219
Title:
flock not mediated by 'k'
Status in AppArmor:
In
Fix selected and backported from a larger patch that originally landed
in Zesty and subsequently landed in upstream.
** Patch added:
"0001-UBUNTU-SAUCE-apparmor-fix-audit-failures-when-perfor.patch"
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1838627/+attachment/5280320/+files/0001-
The patch has been tested against a reproducer and fixes the issue.
https://bugs.launchpad.net/bugs/1838627
Title:
AppArmor onexec transition causes WARN kernel stack trac
ntu Xenial)
Importance: Undecided
Assignee: John Johansen (jjohansen)
Status: Confirmed
** Tags: xenial
** Also affects: linux (Ubuntu Xenial)
Importance: Undecided
Status: New
** Changed in: linux (Ubuntu Xenial)
Assignee: (unassigned) => John Johansen (jjohansen
It is fixed to the degree it can be fixed until upstream agrees on
changes in the LSM layer.
The apparmor devs certainly can do the work of proposing new hooks, etc
that are necessary but it hasn't been the highest priority item. I will
note that this is a high priority item, just that others have
There was an attempt to revive this Dec. 6, 2017
https://lists.ubuntu.com/archives/apparmor/2017-December/011370.html
upstream there is belief in using generic audit message types. The
problem is that apparmor, selinux and smack messages differ, so they
aren't so common.
This is going to have
In 4.20 we landed some of the infrastructure to support this.
Specifically secmark support was landed which provides the
infrastructure needed for apparmor labels to interact with iptables and
iptables to interact with apparmor.
This isn't something generally available for use yet as it
infrastruc
No disagreement that this is a high priority item. There is some work
around fine grained mediation happening but I am unsure when it will
land.
The problem is that this is not the only high priority item that needs
to be addressed. Changing priority of these items can certainly be
discussed again
** Tags added: verification-done-bionic
https://bugs.launchpad.net/bugs/1780227
Title:
locking sockets broken due to missing AppArmor socket mediation
patches
Status in
** Tags removed: verification-needed-bionic verification-needed-xenial
** Tags added: verification-done-xenial
https://bugs.launchpad.net/bugs/1780227
Title:
locking socke
I have placed ubuntu test kernels for xenial and bionic in
http://people.canonical.com/~jj/lp1780227/
the patch is attached
** Patch added:
"0001-UBUNTU-SAUCE-apparmor-fix-apparmor-mediating-locking.patch"
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1780227/+attachment/5168755/+
Sadly we ran into two separate issues.
1. the kernel mapping of the permission won't allow the lock perm to be
carried through on all kernels.
I have a patch for it now, but pita
2. the release process needed some updating to uhm work with the move to
git and gitlab as hosting.
So with the abo
I will try to get the point releases out today.
https://bugs.launchpad.net/bugs/1780227
Title:
locking sockets broken due to missing AppArmor socket mediation
patches
S
You are correct that the kernel reports a supported abi, and currently
the abi does not export that it is supporting link mediation for
sockets. However the kernel is currently enforcing link mediation on
sockets and there are reasons to want to continue to do so.
The plan would be to let the pars
Okay, so let's split this between upstream and ubuntu kernels
previous upstream kernels did not have socket mediation and could NOT
have generated the denial message being seen.
Jul 04 15:11:11 host audit[28404]: AVC apparmor="DENIED" operation="file_lock"
profile="lxc-container-default-cgns" pi
The 4.17 patch set did not have any changes that should affect this. I
will have to investigate what is going on further. At this time DO NOT
backport the 4.17 patchset.
http
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial
https://bugs.launchpad.net/bugs/1758471
Title:
apparmor: fix bad __initdata tagging on,