Denying
/proc/1095210/task/1095213/comm
prevents the task from introspecting (reading), and changing (write) the
command text associated with the task. In this case it would appear one
thread is attempting to change the comm of another thread in the process
(this is generally allowed), see man 5
Okay adding the suggested rule
works for me. So it would seem dhclient is treating denied access to comm as a
fatal error.
Interestingly I also had it throw a rejection for capability sys_module
[ 1645.480546] audit: type=1400 audit(1616847221.859:73):
apparmor="DENIED" operation="capable" pro
To further elaborate on why dhclient is accessing the comm
$ pstree -at 3395
dhclient ens3
├─{isc-socket}
├─{isc-timer}
└─{isc-worker}
where 3395 is the process. It has 3 additional threads and it is
providing functional names for them.
--
You received this bug notification because yo
@tubastuff that is definitely not the same problem, please see
https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1918410
https://bugs.launchpad.net/bugs/1413232
Title:
[systemd]
Merge upstream https://gitlab.com/apparmor/apparmor/-/merge_requests/730
it will be part of the next apparmor point releases
https://bugs.launchpad.net/bugs/1918410
Title:
isc-dhcp-cl
unfortunately the kernel actually uses ptrace_access_check for more than
just ptrace, and the LSM (and hence apparmor) is not given context as to
where the check is coming from. The current full list that can trigger
an apparmor ptrace check is below. We can discard any that are not using
a variant
@paelzer per the proposed fix in #7 you can stick my sign-off on it.
Signed-off-by: John Johansen
https://bugs.launchpad.net/bugs/1872175
Title:
gpsd unable to open chrony PPS
** Changed in: apparmor (Ubuntu)
Status: New => Confirmed
** Changed in: apparmor (Ubuntu)
Importance: Undecided => Wishlist
https://bugs.launchpad.net/bugs/1878333
Title:
A
Daniel,
Currently it is expected that manually deleting a profile also requires manual
profile removal from the kernel, using an of
- aa-remove-unknown
- apparmor_parser -R
- sudo bash -c "echo -n '' >
/sys/kernel/security/apparmor/.remove"
However this does indeed currently leave behind the c
Daniel,
Right the profile should be removed on reboot, or service restart,
having stale cache files loaded is a huge problem.
It is the auto-cleanup of old cache files when a profile is manually
deleted/renamed that is a wishlist item.
With this clarification I am moving this from wishlist back
/etc/init.d/apparmor stop cannot and should not invoke aa-teardown. Such
a stop mechanism was the source of many problems and the reason stop was
switched to a no-op in /etc/init.d/apparmor and teardown was added.
Unfortunately systemd implements restart as stop followed by start. This
is a very poor fi
@Seth, is this new for those kernels? This is the first I have heard of
it.
And just to double check these failures were all on groovy?
https://bugs.launchpad.net/bugs/1887542
Title:
@seth-arnold: yeah another autopackage test failure but that one is
definitely a different issue.
https://bugs.launchpad.net/bugs/1887542
Title:
apparmor 2.13.3-7ubuntu6 ADT test failu
It is fixed to the degree it can be fixed until upstream agrees on
changes in the LSM layer.
The apparmor devs certainly can do the work of proposing new hooks, etc
that are necessary but it hasn't been the highest priority item. I will
note that this is a high priority item, just that others have
Can you please provide the Ubuntu version
In a terminal
lsb_release -a
perhaps even better
uname -a
attach the appropriate logs?
/var/log/syslog
or possibly
/var/log/messages
your dbus conf, everything in
/etc/dbus-1/
So
[ 7152.173377] audit: type=1400 audit(1560925171.038:439):
apparmor="DENIED" operation="file_r50-221da1d95974" pid=18422 comm
="qemu-system-x86" family="unix" sock_type="stream" protocol=0 "
is really bothering me. This should not be possible.
operation="file_r50-221da1d95974" does NOT exist,
Sadly yes. AppArmor currently doesn't do audit message deduping, leaving
it entirely to the audit infrastructure. Which means denial messages can
fill the logs.
There is current work to fix this by providing a dedup cache that will
hopefully land in 4.20
** Changed in: apparmor (Ubuntu)
Impor
It's being caused by the gnome system-monitor snap. Its author is missing
some permissions required to use it properly on your system. It looks
like the system monitor is running and it keeps polling the file causing
this denial.
The apparmor rule to fix this is
/run/mount/utab r,
You coul
Public bug reported:
No more I can't see what was wrong!
ProblemType: Package
DistroRelease: Ubuntu 18.04
Package: samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.2
ProcVersionSignature: Ubuntu 4.15.0-29.31-generic 4.15.18
Uname: Linux 4.15.0-29-generic x86_64
NonfreeKernelModules: kpatch_livepatch_Ubuntu_4_1
An explanation for Seth's change:
AppArmor will nest and stack within a container environment, but it
relies on the container environment to setup the correct namespacing.
From the look of this, this is a policy issue where the apparmor policy
is not being setup correctly. In this case the polic
Profile state should never crash apparmor.
The userspace no matter it state should never be able to crash the
kernel. Profiles go through a verification process before the kernel
will make them available.
The "half" configured state may mean that not all apparmor profiles are
loaded, or that some
can you please test with a kernel that is Ubuntu-4.4.0-37.56 or later
https://bugs.launchpad.net/bugs/1615144
Title:
BUG: unable to handle kernel NULL pointer dereference
** Tags removed: verification-needed-bionic verification-needed-xenial
** Tags added: verification-done-xenial
https://bugs.launchpad.net/bugs/1780227
Title:
locking sockets broken due
** Tags added: verification-done-bionic
https://bugs.launchpad.net/bugs/1780227
Title:
locking sockets broken due to missing AppArmor socket mediation
patches
I will try to get the point releases out today.
https://bugs.launchpad.net/bugs/1780227
Title:
locking sockets broken due to missing AppArmor socket mediation
patches
Sadly we ran into two separate issues.
1. the kernel mapping of the permission won't allow the lock perm to be
carried through on all kernels.
I have a patch for it now, but pita
2. the release process needed some updating to uhm work with the move to
git and gitlab as hosting.
So with the abo
I have placed ubuntu test kernels for xenial and bionic in
http://people.canonical.com/~jj/lp1780227/
the patch is attached
** Patch added:
"0001-UBUNTU-SAUCE-apparmor-fix-apparmor-mediating-locking.patch"
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1780227/+attachment/5168755/+
The 4.17 patch set did not have any changes that should affect this. I
will have to investigate what is going on further. At this time DO NOT
backport the 4.17 patchset.
Okay, so let's split this between upstream and ubuntu kernels
previous upstream kernels did not have socket mediation and could NOT
have generated the denial message being seen.
Jul 04 15:11:11 host audit[28404]: AVC apparmor="DENIED" operation="file_lock"
profile="lxc-container-default-cgns" pi
You are correct that the kernel reports a supported abi, and currently
the abi does not export that it is supporting link mediation for
sockets. However the kernel is currently enforcing link mediation on
sockets and there are reasons to want to continue to do so.
The plan would be to let the pars
Every release that supports prlimit is at least partially affected.
However the xenial, yakkety, zesty releases that have support stacking
code compound the issue.
I'll look into the ppc64el build, I'm sure it's possible it's just one that
I have never done a test kernel for so I will have to learn t
It's true there are a few issues with apparmor profiles being loaded as
part of a stack when namespacing is involved. However this does not
appear to be one of them.
However the application may be behaving slightly differently resulting
in the profile needing to be extended. Can you please attach yo
Hey Christian,
thanks for the profiles, I haven't had a chance to dig into them yet,
but after a quick first pass they look as expected.
so very interesting. First up apparmor has always done mediation post
symlink resolution, this is not new with stacking. What is new with
stacking is we are now
Thanks Stéphane,
@Christian, it looks like adding a rule
/dev/pts/ptmx rw,
to the profile is necessary for now.
https://bugs.launchpad.net/bugs/1684481
Title:
KVM guest execution s
I have done some light testing on this, trying to develop a non-snap-based
test to verify it. The test is nowhere near as reliable as the
snappy test. I haven't been able to trigger the bug on the new kernel
yet, with the caveat that it could just be the test. I am inclined to
declare this verifi
** Changed in: linux (Ubuntu Xenial)
Assignee: (unassigned) => John Johansen (jjohansen)
** Changed in: linux (Ubuntu Yakkety)
Assignee: (unassigned) => John Johansen (jjohansen)
** Changed in: linux (Ubuntu Zesty)
Assignee: (unassigned) => John Johansen (jjohansen)
** C
This occurs in a stacked policy situation, where a system
policy is being applied but within the container namespace, the policy
is unconfined.
The special casing for unconfined with no-new-privs is not properly
detecting this case. I will have a test kernel with a fix for this issue
earl
There is a bug in the /etc/apparmor.d/abstractions/libvirt-qemu file on
line 183
/sys/devices/system/cpu/cpu*/online r
is missing the trailing ,
it should be
/sys/devices/system/cpu/cpu*/online r,
this prevents libvirt from loading the vm profile. Unfortunately it does
not report the err
Note, if we are running the right kernel, there is no reason that we
couldn't have a trusty containers load profiles.
https://bugs.launchpad.net/bugs/1686612
Title:
Stacked profiles fa
@Jamie may be right in his guesses but there is not enough information
here to be sure. The stacking work exists in the Xenial, Yakkety, and
Zesty kernels. But the patch Jamie is referring to only exists in the
Zesty kernel (it did exist in Xenial and Yakkety until reverted).
Please attach the out
Okay, this kernel does NOT contain the caching fix. So it is not the
cause of the issue.
https://bugs.launchpad.net/bugs/1655982
Title:
cups-browsed fails to start in containers after
So the first kernel tried may have had the flock mediation patch. It was in
4.4.0-67.88
Reverted in
4.4.0-70.91
which would help explain the switch in denial from
file_mmap rm
to
file_mprotect r
I am unsure why the request for mprotect is showing up. At this point we
need to start str
The peer="---" is likely due to bug 1660832, which has been fixed in the
latest set of kernels that should be rolling out this week.
https://bugs.launchpad.net/bugs/1666748
Title:
Appa
You can try the set of kernel in
http://people.canonical.com/~jj/linux+jj/
https://bugs.launchpad.net/bugs/1666748
Title:
Apparmor problem inside a lxd container
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial
https://bugs.launchpad.net/bugs/1615893
Title:
change_hat is logging failures during expected hat pr
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial
https://bugs.launchpad.net/bugs/1579135
Title:
AppArmor profile reloading causes an intermittent ker
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial
https://bugs.launchpad.net/bugs/1615890
Title:
stacking to unconfined in a child namespace confuses
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial
https://bugs.launchpad.net/bugs/1615895
Title:
apparmor module parameters can be changed after the p
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial
https://bugs.launchpad.net/bugs/1615887
Title:
profiles from different namespaces can block other na
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial
https://bugs.launchpad.net/bugs/1615892
Title:
deleted files outside of the namespace are not being
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial
https://bugs.launchpad.net/bugs/1615889
Title:
label vec reductions can result in reference labels i
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial
https://bugs.launchpad.net/bugs/1615880
Title:
The inherit check for new to old label comparison for
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial
https://bugs.launchpad.net/bugs/1615878
Title:
__label_update proxy comparison test is wrong
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial
https://bugs.launchpad.net/bugs/1615881
Title:
The label build for onexec when stacking is wrong
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial
https://bugs.launchpad.net/bugs/1593874
Title:
warning stack trace while playing with apparmor names
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial
https://bugs.launchpad.net/bugs/1615882
Title:
dfa is missing a bounds check which can cause an oops
*** This bug is a security vulnerability ***
Public security bug reported:
An issue was discovered in the size of the stack guard page on Linux,
specifically a 4k stack guard page is not sufficiently large and can be
jumped over
Break-Fix: 320b2b8de12698082609ebbc1a17165727f4c893 -
** Affects:
CVE-2017-1000364
** Also affects: linux (Ubuntu Artful)
Importance: Undecided
Status: New
** Also affects: linux-ti-omap4 (Ubuntu Artful)
Importance: Undecided
Status: New
** Also affects: linux-raspi2 (Ubuntu Artful)
Importance: Undecided
Status: New
** Also affec
Looks good
** Changed in: kernel-sru-workflow/security-signoff
Status: In Progress => Fix Released
https://bugs.launchpad.net/bugs/1696352
Title:
linux: 3.13.0-120.167 -propose
Looks good
** Changed in: kernel-sru-workflow/security-signoff
Status: In Progress => Fix Released
https://bugs.launchpad.net/bugs/1696357
Title:
linux: 4.4.0-80.101 -proposed
looks good
** Changed in: kernel-sru-workflow/security-signoff
Status: In Progress => Fix Released
https://bugs.launchpad.net/bugs/1696358
Title:
linux-lts-xenial: 4.4.0-80.101
Looks good
** Changed in: kernel-sru-workflow/security-signoff
Status: In Progress => Fix Released
https://bugs.launchpad.net/bugs/1696359
Title:
linux-raspi2: 4.4.0-1058.65 -p
Looks good
** Changed in: kernel-sru-workflow/security-signoff
Status: In Progress => Fix Released
https://bugs.launchpad.net/bugs/1696362
Title:
linux-aws: 4.4.0-1019.28 -prop
Looks good
** Changed in: kernel-sru-workflow/security-signoff
Status: In Progress => Fix Released
https://bugs.launchpad.net/bugs/1696360
Title:
linux-snapdragon: 4.4.0-1060.6
Looks good
https://bugs.launchpad.net/bugs/1696362
Title:
linux-aws: 4.4.0-1019.28 -proposed tracker
Looks good
** Changed in: kernel-sru-workflow/security-signoff
Status: In Progress => Fix Released
https://bugs.launchpad.net/bugs/1696363
Title:
linux-gke: 4.4.0-1015.15 -prop
Looks good
** Changed in: kernel-sru-workflow/security-signoff
Status: In Progress => Fix Released
https://bugs.launchpad.net/bugs/1696364
Title:
linux-joule: 4.4.0-1002.7 -pro
Looks good
** Changed in: kernel-sru-workflow/security-signoff
Status: In Progress => Fix Released
https://bugs.launchpad.net/bugs/1696365
Title:
linux: 4.8.0-55.58 -proposed t
Looks good
** Changed in: kernel-sru-workflow/security-signoff
Status: In Progress => Fix Released
https://bugs.launchpad.net/bugs/1696366
Title:
linux-hwe: 4.8.0-55.58~16.04.1
Looks good
** Changed in: kernel-sru-workflow/security-signoff
Status: In Progress => Fix Released
https://bugs.launchpad.net/bugs/1696367
Title:
linux-raspi2: 4.8.0-1039.42 -p
Looks good
** Changed in: kernel-sru-workflow/security-signoff
Status: In Progress => Fix Released
https://bugs.launchpad.net/bugs/1696372
Title:
linux-raspi2: 4.10.0-1007.9 -p
Looks good
** Changed in: kernel-sru-workflow/security-signoff
Status: In Progress => Fix Released
https://bugs.launchpad.net/bugs/1696369
Title:
linux: 4.10.0-23.25 -proposed
Looks good
https://bugs.launchpad.net/bugs/1696372
Title:
linux-raspi2: 4.10.0-1007.9 -proposed tracker
yes something like this should work. However 600 will not be the correct
check, as in some cases the owner may differ, especially in the
virtualized case because vfs doesn't let us virtualize the file's owner.
Currently this file isn't virtualized to the policy namespace, and that
is why the rest
The message type certainly could be added. However it is not the only way
this separation can be achieved.
The label in particular should be able to be used without tying it to a
specific service. Admittedly this is somewhat limited atm.
1. the label name on a service does not have to match its exe
There are actually a couple of ways to add it, and still keep userspace
compatibility. Kernel side we are actually often checking partial
matches, and due is a permission but AA_CONTINUE to indicate that if
permissions aren't satisfied to continue the match.
This could be emulated in userspace a c
I think performance, and flexibility wise, the best solution would be to
move mediation entirely to userspace.
Use the key/value store to provide flexibility on what match ordering to
use, userspace policy caching so we don't have to round trip the kernel
except when the policy is invalidated by a
@Simmon,
You are right, that will require extending what is supported in the
mediation, beyond even landing support for #2. It will take a bit of
work, but we can definitely do it. My preferred solution is more work
than the quickest/easiest solution, as it requires landing a few things
that haven
This is caused by a change made upstream in the 4.11 kernel, which
forbids writing the buffer size parameter after boot. The change to boot
time preallocated work buffers made this parameter useless, but 4.11
only partially merged that work, making writing the buffer size an
attack vector on the ke
Klaus,
agreed logs are not needed, thanks for the confirmation. The comment in
#1 is generated by a bot so don't worry about it.
https://bugs.launchpad.net/bugs/1737005
Title:
Mainlin
Fixed in
commit 393d5cca6af1070709f2baaf291d16e27fbea366
Author: John Johansen
Date: Thu Oct 5 13:50:51 2017 -0700
Fix test-kernel-security.py when LSM stacking based kernel is used.
In the LSM stacking kernel DEFAULT_SECURITY_APPARMOR is not set instead
Marking it Fix Released. Please re-open if you find you still have
issues.
** Changed in: linux (Ubuntu)
Status: Fix Committed => Fix Released
yep thanks, fixed and pushed
** Changed in: linux (Ubuntu)
Status: Confirmed => Fix Released
https://bugs.launchpad.net/bugs/1720660
Title:
linux 4.13.0-13.14 ADT test failure
I have not had time to chase this one enough to answer it, yet. It is
high on the priority list but it seems that list is growing faster than
I can service it lately.
In general I can say ubuntu does have both rules as there are some in
the includes. And there is of course the unconfined exception
signal is actually in 4.13 as well
https://bugs.launchpad.net/bugs/1719471
Title:
ptrace doesnt't trigger/work as expected
sort of. The code was broken into patches and upstreamed piecemeal, so
the tighter restrictions when a given patch went in made sense. They also
better reflect some of the internal permissions that were being
enforced, i.e. while profiles was you needed cap mac admin to actual
see it. It looks
On 09/25/2017 12:16 PM, Vincas Dargis wrote:
> I can provide merge request, and I would like to suggest simplifying
> that ever-growing expression.
>
> Couldn't it be just [0-9]*? Are there possibility that `/proc` will have
well it could but, its not as tight as I would like, ideally we could giv
Public bug reported:
I get a message saying "no boot device available".
Cannot find either of the files you mentioned on the computer.
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: ubiquity 2.21.63.4
ProcVersionSignature: Ubuntu 4.10.0-28.32~16.04.2-generic 4.10.17
Uname: Linux 4.10.0-28-
Yes, the split parser has been an issue for a long time. There has been a
plan to make the flex/yacc/C parser code available as a lib for the
other tools but its one of those things that never gets resources
allocated.
The short term fix for this is probably a backport of a newer version of
the pyt
Public bug reported:
LXD containers on an artful or bionic host with aa namespaces, should be
able to load the lxc policies. However /lib/apparmor/profile-load skips
that part when running in a container.
aa-status shows 0 policies
/lib/apparmor/profile-load is failing due to
is_container_with_i
Maybe but we would need more information to say for sure.
There have been no changes in apparmor between the reported working
20180109 and 20180126.
The warning
> "Warning failed to create cache: usr.sbin.sssd" before the instance
just means that apparmor was not able to cache the binary policy that
There are no changes to apparmor in that range, but that does cover the
kaiser changes. Since there were no apparmor changes and kaiser changes
the kernel userspace memory interaction my guess is that something is
triggering in the copy_from_user when policy is loaded.
I can certainly understand this being a show stopper and needing to stop
fiddling with it.
There are a few more things you can try before going through all the
work of reverting or switching your system. First restarting cups is
loading the apparmor profile (sorry I was unaware it was doing this)
aa-status is part of the apparmor package
aa-disabled is part of the apparmor-utils package
the package split is done to reduce the install footprint to a minimum
for base installs, iso images etc.
The failure of the apparmor_parser -R is odd, perhaps the profile had
been already removed by a pr
** Changed in: linux-ec2 (Ubuntu Lucid)
Status: New => Fix Committed
** Changed in: linux (Ubuntu Lucid)
Status: New => Fix Committed
** Description changed:
Off-by-one error in the get_prng_bytes function in crypto/ansi_cprng.c
in the Linux kernel through 3.11.4 makes it easie
** Changed in: linux (Ubuntu Trusty)
Status: New => Invalid
https://bugs.launchpad.net/bugs/1248700
Title:
CVE-2013-4348
** Changed in: linux-ec2 (Ubuntu Lucid)
Status: New => Fix Committed
** Changed in: linux (Ubuntu Lucid)
Status: New => Fix Committed
*** This bug is a security vulnerability ***
Public security bug reported:
The udp6_ufo_fragment function in net/ipv6/udp_offload.c in the Linux
kernel through 3.12, when UDP Fragmentation Offload (UFO) is enabled,
does not properly perform a certain size comparison before inserting a
fragment he
CVE-2013-4563
** Also affects: linux (Ubuntu Trusty)
Importance: Undecided
Status: New
** Also affects: linux-fsl-imx51 (Ubuntu Trusty)
Importance: Undecided
Status: New
** Also affects: linux-mvl-dove (Ubuntu Trusty)
Importance: Undecided
Status: New
** Also affec
*** This bug is a security vulnerability ***
Public security bug reported:
Buffer overflow in the __nfs4_get_acl_uncached function in
fs/nfs/nfs4proc.c in the Linux kernel before 3.7.2 allows local users to
cause a denial of service (memory corruption and system crash) or
possibly have unspecifie