> Not quite sure now if apparmor upstream is found in launchpad[1] or gitlab[2].
The code moved from bzr to gitlab recently. Bug tracking and translations are still handled on launchpad.

> I would go with that versioning approach instead:
>
> apparmor | 2.11.0-2ubuntu17.1 | artful
> apparmor | 2.11.0-2ubuntu19 | bionic

2.11.0? I'd seriously recommend to upgrade to 2.11.1 which has quite some bugfixes, see
https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.11.1

Note that the 7 digit pid patch was backported to the 2.11 branch after the 2.11.1 release, so you'll still need to apply this patch on top.

For bionic, you might even want to use 2.12.

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1717714

Title:
  @{pid} variable broken on systems with pid_max more than 6 digits

Status in AppArmor:
  Fix Committed
Status in AppArmor 2.11 series:
  Fix Committed
Status in apparmor package in Ubuntu:
  Confirmed
Status in apparmor source package in Trusty:
  New
Status in apparmor source package in Xenial:
  New
Status in apparmor source package in Zesty:
  New
Status in apparmor source package in Artful:
  New
Status in apparmor source package in Bionic:
  Confirmed

Bug description:
  [Impact]
  If the PID is larger than 6 digits, apparmor denies the process. This fix is committed but not released, so all supported versions are affected.

  [Test Case]
  1. Make the pid go over 6 digits (I used the touch command to do it).
  2. snap install canonical-livepatch (just picked this pkg).
  You can see the denied msg as in the original description.

  [Regression]
  This fix changes the regex only; I don't think there is a severe regression. Also, if there is a regression, we can revert manually temporarily. Denied services need to be restarted after fixing this.
  [Others]

  * Upstream commit:
    https://gitlab.com/apparmor/apparmor/commit/630cb2a981cdc731847e8fdaafc45bcd337fe747

  * commit 630cb2a981cdc731847e8fdaafc45bcd337fe747
    Author: Vincas Dargis <vin...@gmail.com>
    Date:   Sat Sep 30 15:28:15 2017 +0300

        Allow seven digit pid

  * Affecting releases : TXZAB

  --------------------------------------------------------------------------
  $ git describe --contains 630cb2a9
  v2.11.95~5^2

  $ rmadison apparmor
  apparmor | 2.8.95~2430-0ubuntu5        | trusty
  apparmor | 2.10.95-0ubuntu2.6~14.04.1  | trusty-security
  apparmor | 2.10.95-0ubuntu2.6~14.04.1  | trusty-updates
  apparmor | 2.10.95-0ubuntu2            | xenial
  apparmor | 2.10.95-0ubuntu2.6          | xenial-security
  apparmor | 2.10.95-0ubuntu2.7          | xenial-updates
  apparmor | 2.11.0-2ubuntu4             | zesty
  apparmor | 2.11.0-2ubuntu17            | artful
  apparmor | 2.11.0-2ubuntu18            | bionic

  $ rmadison -u debian apparmor
  apparmor | 2.11.1-4 | unstable
  --------------------------------------------------------------------------

  * Revision :
    http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3722

  [Original Description]

  If your kernel.pid_max sysctl is set higher than the default, say at 7 digits, the @{pid} variable no longer matches all pids, causing some breakage in any profile using it.

  @{pid} is defined in /etc/apparmor.d/tunables:

  @{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}

  It only covers up to 6 digits.
  This Ubuntu 17.04 system has:

  kernel.pid_max = 4194303

  And is showing

  type=1400 audit(1505588857.828:792): apparmor="DENIED" operation="open" profile="libvirt-55e9e12c-e6dc-4f56-a547-8514cf7d9bf3" name="/proc/2168180/task/2769256/comm" pid=2168180 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111

  Which should be matched by

  @{PROC}/sys/vm/overcommit_memory r,

  in /etc/apparmor.d/abstractions/libvirt-qemu

  I'm seeing similar failures on 16.04 (2.10.95-0ubuntu2.7), 17.04 (2.11.0-2ubuntu4) and 17.10 (2.11.0-2ubuntu17)

  I am aware this is a non-default configuration, but I think this should work.
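The following is an added example, not code from the bug report or from the AppArmor project. It reproduces the failure mode described above offline: the pre-fix @{pid} definition quoted from /etc/apparmor.d/tunables is translated into a regular expression, the DENIED line from the report is checked against it, and the same check is repeated against a definition with one extra 7-digit alternative. That 7-digit definition is an assumption standing in for what the "Allow seven digit pid" commit ships; the translation handles only the subset of AppArmor syntax that @{pid} uses (brace alternation and bracket character classes), not AppArmor's full globbing. It also generalizes slightly beyond the report by computing, from any kernel.pid_max, how many digits a @{pid} definition has to cover.

```python
import re

# @{pid} exactly as the bug report quotes it from /etc/apparmor.d/tunables
# before the fix: alternatives for 1..6 digit PIDs only.
PID_TUNABLE_OLD = (
    "@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],"
    "[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}"
)


def pid_tunable(max_digits):
    """Build an @{pid} definition covering 1..max_digits digit PIDs, in the
    same brace-alternation syntax the tunables file uses."""
    alternatives = ["[1-9]" + "[0-9]" * (n - 1) for n in range(1, max_digits + 1)]
    return "@{pid}={" + ",".join(alternatives) + "}"


# Assumption: the fix appends a single 7-digit alternative, so pid_tunable(7)
# stands in for the fixed tunables file here.
PID_TUNABLE_FIXED = pid_tunable(7)


def tunable_regex(definition):
    """Translate '@{name}={alt1,alt2,...}' into a regex for one path component.
    Only the syntax @{pid} actually uses (brace alternation, bracket character
    classes) is handled; AppArmor's real glob language is richer than this."""
    _, _, value = definition.partition("=")
    if not (value.startswith("{") and value.endswith("}")):
        raise ValueError("expected a brace alternation: %r" % definition)
    return re.compile("(?:" + "|".join(value[1:-1].split(",")) + ")")


def pid_matches(definition, pid):
    """True if the whole PID string is matched by the @{pid} definition."""
    return tunable_regex(definition).fullmatch(str(pid)) is not None


def digits_needed(pid_max):
    """Digits @{pid} must cover for a given kernel.pid_max. The kernel hands
    out PIDs strictly below pid_max, so the largest possible PID is pid_max - 1."""
    return len(str(pid_max - 1))


# Constructed sample: the DENIED line from the bug report, i.e. what you would
# grep out of dmesg or audit.log on an affected host.
SAMPLE_DENIED = (
    'type=1400 audit(1505588857.828:792): apparmor="DENIED" operation="open" '
    'profile="libvirt-55e9e12c-e6dc-4f56-a547-8514cf7d9bf3" '
    'name="/proc/2168180/task/2769256/comm" pid=2168180 comm="qemu-system-x86" '
    'requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111'
)

_DENIED_RE = re.compile(r'apparmor="DENIED".*?\bname="(?P<name>[^"]*)"')


def unmatched_pids(audit_line, definition):
    """Numeric path components of a DENIED line's name= that the @{pid}
    definition fails to match (the task id component is numeric as well).
    A non-empty result means the denial is this pid_max bug, not a missing rule."""
    m = _DENIED_RE.search(audit_line)
    if m is None:
        return []
    numeric = [p for p in m.group("name").split("/") if p.isdigit()]
    return [p for p in numeric if not pid_matches(definition, p)]


if __name__ == "__main__":
    print("pid_max 4194303 needs", digits_needed(4194303), "digit(s)")
    print("old tunable misses:  ", unmatched_pids(SAMPLE_DENIED, PID_TUNABLE_OLD))
    print("fixed tunable misses:", unmatched_pids(SAMPLE_DENIED, PID_TUNABLE_FIXED))
```

To use this on a real host, compare `digits_needed()` for the value of `sysctl kernel.pid_max` with the number of alternatives in the installed tunables file; if the file falls short, the denials in the log will show 7-digit components under /proc that no rule can match, regardless of how correct the profile is. After updating the tunable, the profiles have to be reloaded and, as the test case above notes, the denied services restarted before the fix takes effect.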