Public bug reported:

Hey,
Newer systemd makes use of locks placed on AF_UNIX sockets created with
the socketpair() syscall to synchronize various bits and pieces when
isolating services. On kernels prior to 4.18 that do not have the
AppArmor socket mediation patchset backported, this will cause the locks
to be denied with EACCES. This causes systemd to be broken in LXC and LXD
containers that do not run unconfined, which is a pretty big deal. We
have seen various bug reports related to this. See for example [1] and
[2].

If feasible it would be excellent if we could backport the socket
mediation patchset to all LTS kernels. Afaict, this should be 4.4 and
4.15. This will unbreak a whole range of use-cases.

The socket mediation patchset is available here:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4


[1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779
[2]: https://github.com/systemd/systemd/issues/9493

Thanks!
Christian

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1780227

Title:
  locking sockets broken due to missing AppArmor socket mediation
  patches

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1780227/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
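Editor's note: the following probe is an added example and is not code from the bug report, from systemd, or from the kernel patchset. It reproduces the pattern the report describes, taking a lock on one end of an AF_UNIX socketpair(), so that an operator can tell inside a container whether the failure is the AppArmor lock denial (EACCES) or something else. Both lock flavours that pass through the LSM file_lock hook are tried (BSD flock() and POSIX fcntl(F_SETLK)); which one systemd uses internally is not stated on this page and is not claimed here. It assumes Linux with glibc and reads the task's AppArmor label from /proc/self/attr/current, which is "unconfined" when confinement cannot be the cause.

```c
/* apparmor_socket_lock_probe.c  (constructed example, not from the report)
 *
 * Take a lock on one end of an AF_UNIX socketpair(). On an AppArmor-confined
 * task whose kernel lacks the socket mediation patchset, the lock is rejected
 * with EACCES; unconfined, or on a patched kernel, it succeeds.
 *
 * Build and run:  cc -Wall -o probe apparmor_socket_lock_probe.c && ./probe
 * Exit status is 1 when either lock flavour was denied with EACCES.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/file.h>
#include <sys/socket.h>
#include <unistd.h>

enum lock_kind { KIND_FLOCK, KIND_FCNTL };

/* Try the lock on fds[0]. Returns 0 on success, +errno if the lock call
 * failed, and -errno if socketpair() itself failed (a setup problem, which
 * must not be confused with a denial). */
int probe_socketpair_lock(enum lock_kind kind)
{
    int fds[2], rc, saved = 0;

    if (socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, fds) < 0)
        return -errno;

    if (kind == KIND_FLOCK) {
        rc = flock(fds[0], LOCK_EX | LOCK_NB);
    } else {
        /* whole-file exclusive POSIX record lock, non-blocking */
        struct flock fl = { .l_type = F_WRLCK, .l_whence = SEEK_SET,
                            .l_start = 0, .l_len = 0 };
        rc = fcntl(fds[0], F_SETLK, &fl);
    }
    if (rc < 0)
        saved = errno;

    close(fds[0]);
    close(fds[1]);
    return saved;
}

/* Map a probe result onto the verdict an operator wants to see. */
const char *probe_verdict(int result)
{
    if (result == 0)
        return "lock succeeded";
    if (result == EACCES)
        return "lock denied with EACCES (LSM mediation; socket mediation patchset missing?)";
    if (result < 0)
        return "socketpair() failed; could not test";
    return "lock failed for another reason";
}

/* Copy the task's AppArmor label (e.g. "unconfined" or a profile name) into
 * buf without the trailing newline. Returns the number of bytes stored; a
 * missing attribute yields the placeholder "(unavailable)". */
size_t apparmor_label(char *buf, size_t len)
{
    FILE *f = fopen("/proc/self/attr/current", "r");
    if (!f) {
        snprintf(buf, len, "(unavailable)");
        return strlen(buf);
    }
    size_t n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    if (n > 0 && buf[n - 1] == '\n')
        buf[--n] = '\0';
    return n;
}

int main(void)
{
    char label[256];
    int r_flock = probe_socketpair_lock(KIND_FLOCK);
    int r_fcntl = probe_socketpair_lock(KIND_FCNTL);

    apparmor_label(label, sizeof label);
    printf("AppArmor label      : %s\n", label);
    printf("flock(LOCK_EX)      : %s [%s]\n", probe_verdict(r_flock),
           r_flock ? strerror(r_flock < 0 ? -r_flock : r_flock) : "ok");
    printf("fcntl(F_SETLK,WRLCK): %s [%s]\n", probe_verdict(r_fcntl),
           r_fcntl ? strerror(r_fcntl < 0 ? -r_fcntl : r_fcntl) : "ok");

    return (r_flock == EACCES || r_fcntl == EACCES) ? 1 : 0;
}
```

Run it once on the host (expected: unconfined, both locks succeed) and once inside the confined LXC/LXD container on the affected kernel; an EACCES verdict there together with a non-"unconfined" label, and a matching `apparmor="DENIED" operation="file_lock"` line in the kernel log, is the signature this report is about, distinct from a missing capability or a read-only filesystem.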
