@Doug, not a kernel regression and not an incompatible kernel change either. The kernel does support the older abi; however, the compiled policy being sent to the kernel is for the new abi that the kernel is now advertising as being supported.
The kernel advertises its supported feature set and abis through the /sys/kernel/security/apparmor/features directory. The userspace side of things can choose to take advantage of the current kernel feature set/abi or to pin its supported feature set by setting the features file. This is not being done on Ubuntu, so the newest version of kernel features is always being supported; generally the userspace has been ahead of kernel features, so it is more than willing to compile for them. What is odd is that Ubuntu carries profiles with fine grained unix socket rules and these should be downgraded to the basic socket rules that the 4.13 kernel supports.

--
https://bugs.launchpad.net/bugs/1721278

Title:
  apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

Status in apparmor package in Ubuntu: Confirmed
Status in apparmor source package in Xenial: Confirmed
Status in apparmor source package in Zesty: Confirmed
Status in apparmor source package in Artful: Confirmed

Bug description:
  With Ubuntu 16.04.3 LTS (Xenial Xerus), and apparmor 2.10.95-0ubuntu2.7, in the system log each second the error message below is printed.

```
[…]
[Mi Okt 4 16:57:52 2017] audit: type=1400 audit(1507129072.882:554): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
[Mi Okt 4 16:57:53 2017] audit: type=1400 audit(1507129073.886:555): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
[Mi Okt 4 16:57:54 2017] audit: type=1400 audit(1507129074.886:556): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
[Mi Okt 4 16:57:55 2017] audit: type=1400 audit(1507129075.886:557): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
[…]
```
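The denials in the excerpt above repeat about once per second for a single profile and socket type. As an added example (not part of the original report and not AppArmor's own tooling), this Python script parses such audit lines and groups denials by profile, operation, family and socket type so a recurring denial stands out; the function names are illustrative.

```python
import re
from collections import defaultdict

# Sample input: the four audit lines from the bug description above.
SAMPLE = '''\
[Mi Okt 4 16:57:52 2017] audit: type=1400 audit(1507129072.882:554): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
[Mi Okt 4 16:57:53 2017] audit: type=1400 audit(1507129073.886:555): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
[Mi Okt 4 16:57:54 2017] audit: type=1400 audit(1507129074.886:556): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
[Mi Okt 4 16:57:55 2017] audit: type=1400 audit(1507129075.886:557): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
'''

# audit(<epoch seconds>.<ms>:<serial>): key=value key="quoted value" ...
AUDIT_RE = re.compile(r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Return a dict of audit fields, or None if the line is not an AppArmor record."""
    m = AUDIT_RE.search(line)
    if not m or 'apparmor=' not in m.group('body'):
        return None
    # Quoted values lose their quotes; unquoted values are kept as written.
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('body'))}
    rec['ts'] = float(m.group('ts'))
    rec['serial'] = int(m.group('serial'))
    return rec


def summarize(lines):
    """Group DENIED records and report count and mean interval per group."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec.get('apparmor') == 'DENIED':
            key = (rec.get('profile'), rec.get('operation'),
                   rec.get('family'), rec.get('sock_type'))
            groups[key].append(rec['ts'])
    out = {}
    for key, stamps in groups.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean_gap = round(sum(gaps) / len(gaps), 3) if gaps else None
        out[key] = {'count': len(stamps), 'mean_gap_s': mean_gap}
    return out


if __name__ == '__main__':
    for key, stats in summarize(SAMPLE.splitlines()).items():
        print(key, stats)
```

A group with a high count and a steady interval near one second, as here, points to a service retrying an operation the loaded policy denies rather than to a one-off event.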