Sadly we ran into two separate issues.

1. The kernel mapping of the permission won't allow the lock perm to be carried through on all kernels. I have a patch for it now, but pita.
2. The release process needed some updating to uhm work with the move to git and gitlab as hosting.

So with the above issues I have come up with an alternative kernel patch that just ignores the lock perm for now. I don't like it, but it will get the fix out faster, and the original reasoning to do a userspace fix is faulty, so going with only a kernel fix is better. I am going to split off the userspace lock perm and the needed kernel mapping fix to a separate bug, and we will keep this one for the kernel solution that ignores lock permission requests on non-fs-based unix sockets.

--
https://bugs.launchpad.net/bugs/1780227

Title:
  locking sockets broken due to missing AppArmor socket mediation patches

Status in apparmor package in Ubuntu:
  Triaged
Status in linux package in Ubuntu:
  Invalid
Status in apparmor source package in Xenial:
  Triaged
Status in linux source package in Xenial:
  Invalid
Status in apparmor source package in Bionic:
  Triaged
Status in linux source package in Bionic:
  Invalid

Bug description:
  Hey,

  Newer systemd makes use of locks placed on AF_UNIX sockets created with the socketpair() syscall to synchronize various bits and pieces when isolating services. On kernels prior to 4.18 that do not have the AppArmor socket mediation patchset backported, this will cause the locks to be denied with EACCES. This causes systemd to be broken in LXC and LXD containers that do not run unconfined, which is a pretty big deal. We have seen various bug reports related to this. See for example [1] and [2].

  If feasible it would be excellent if we could backport the socket mediation patchset to all LTS kernels. Afaict, this should be 4.4 and 4.15. This will unbreak a whole range of use-cases.

  The socket mediation patchset is available here:
  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4

  [1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779
  [2]: https://github.com/systemd/systemd/issues/9493

  Thanks!
  Christian
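A minimal probe for the condition this report describes, added here as an example and not code from the report, from systemd or from the AppArmor project: it creates an AF_UNIX socket pair with socketpair() and attempts to lock one end, then reports whether the kernel granted or refused the lock. The use of flock() is an assumption, since the report only says "locks placed on AF_UNIX sockets"; run it inside the confined container to see whether the EACCES denial from the report applies.

```c
/* Added example (not from the bug report): probe whether a lock on a
 * non-fs-based AF_UNIX socket is granted or refused by the running kernel.
 * flock() is an assumption about the locking call; the report only
 * states that systemd locks sockets created with socketpair(). */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/file.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns 0 when the lock is granted, otherwise the errno of the failure.
 * The report describes EACCES on kernels lacking the socket mediation
 * patches when the caller runs under a confining AppArmor profile. */
int probe_socketpair_lock(void)
{
    int fds[2];
    int result = 0;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, fds) < 0)
        return errno;

    /* Non-blocking exclusive lock: nobody else holds it, so a failure here
     * comes from the kernel or LSM refusing the lock, not from contention. */
    if (flock(fds[0], LOCK_EX | LOCK_NB) < 0)
        result = errno;
    else
        flock(fds[0], LOCK_UN);

    close(fds[0]);
    close(fds[1]);
    return result;
}

/* Maps the probe result to a verdict a container operator can act on. */
const char *describe_probe(int err)
{
    if (err == 0)
        return "lock granted: socket lock not denied on this kernel";
    if (err == EACCES || err == EPERM)
        return "lock denied by policy: matches the missing-mediation symptom";
    return "lock failed for an unrelated reason";
}

int main(void)
{
    int err = probe_socketpair_lock();
    printf("flock on socketpair: %s (%s)\n", describe_probe(err),
           err ? strerror(err) : "ok");
    return err == 0 ? 0 : 1;
}
```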