This bug was fixed in the package linux-manta - 3.4.0-6.29
---------------
linux-manta (3.4.0-6.29) utopic; urgency=low
  [ John Johansen ]
  * SAUCE: (no-up) apparmor: Sync to apparmor3 - RC1 snapshot
    - LP: #1362199
  [ Tim Gardner ]
  * Revert "SAUCE: (no-up) apparmor: Sync to apparmor 3 - alpha 6
    snapshot"
  [ Tyler Hicks ]
  * Revert "SAUCE: (no-up) apparmor: fix disconnected bind mnts
    reconnection"
  * Revert "SAUCE: (no-up) apparmor fix: remove unused cxt var for
    unix_sendmsg"
  * Revert "SAUCE: (no-up) apparmor: use custom write_is_locked macro"
  * Revert "SAUCE: (no-up) apparmor: fix bug that constantly spam the
    console"
  * Revert "SAUCE: (no-up) apparmor: fix apparmor refcount bug in
    apparmor_kill"
  * Revert "SAUCE: (no-up) apparmor: fix refcount bug in apparmor
    pivotroot"
  * Revert "SAUCE: (no-up) apparmor: fix apparmor spams log with warning
    message"
 -- Tim Gardner <[email protected]>  Fri, 19 Sep 2014 10:35:55 -0600
** Branch linked: lp:ubuntu/utopic-proposed/linux-flo
** Changed in: linux-flo (Ubuntu)
       Status: Fix Committed => Fix Released
--
https://bugs.launchpad.net/bugs/1362199
Title:
  [FFe] apparmor abstract, anonymous and netlink socket mediation
Status in “apparmor” package in Ubuntu:
  Fix Released
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  Fix Released
Status in “isc-dhcp” package in Ubuntu:
  Fix Released
Status in “libvirt” package in Ubuntu:
  Fix Released
Status in “lightdm” package in Ubuntu:
  Fix Released
Status in “linux” package in Ubuntu:
  Fix Released
Status in “linux-flo” package in Ubuntu:
  Fix Released
Status in “linux-goldfish” package in Ubuntu:
  Fix Released
Status in “linux-mako” package in Ubuntu:
  Fix Released
Status in “linux-manta” package in Ubuntu:
  Fix Released
Status in “rsyslog” package in Ubuntu:
  Fix Released
Status in “tlsdate” package in Ubuntu:
  Fix Released
Bug description:
Background: kernel and apparmor userspace updates to support abstract,
anonymous and fine-grained netlink socket mediation. These packages
are listed in one bug because they are related, but the FFes may be
granted and the uploads may happen at different times.
= apparmor userspace =
Summary:
This feature freeze exception is requested for abstract, anonymous and
fine-grained netlink socket for apparmor userspace. When used with a compatible
kernel, 'unix' and 'network netlink' rules are supported. When used without a
compatible apparmor userspace (eg, on a trusty system with an utopic backport
kernel), abstract, anonymous and fine-grained netlink socket mediation is not
enforced (ie, you can use this userspace with an old kernel without any issues).
Testing:
* 14.10 system with current kernels lacking abstract, anonymous and
  fine-grained netlink socket mediation (non-Touch):
  * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: DONE
    (exploratory manual testing, lxc, libvirt, etc)
* 14.10 system kernel capable of supporting abstract, anonymous and
  fine-grained netlink socket mediation (non-Touch):
  * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS
    (includes test-apparmor.py, exploratory manual testing, lxc, libvirt, etc)
  * Verify everything in
    https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles: DONE
    (except juju since it doesn't have policy itself)
Justification:
This feature is required to support comprehensive application confinement on
Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest
isolation which is fundamental to Ubuntu on Server/Cloud. This feature also
adds a welcome improvement to administrators wishing to further protect their
systems.
Extra information:
While the apparmor userspace and kernel changes to support abstract,
anonymous and fine-grained netlink socket can happen at different times, the
apparmor userspace upload must correspond with uploads for packages that ship
AppArmor policy that require updates (eg, libvirt, lightdm, etc). The packages
outlined in https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles
have been tested to either work without modification to the policy or updated
and tested to work with updated policy. Common rules will be added to the
apparmor base abstraction such that most packages shipping apparmor policy will
not require updating. These updates will be prepared, tested and published en
masse via a silo ppa.
= linux =
Summary:
This feature freeze exception is requested for abstract, anonymous and
fine-grained netlink socket via apparmor in the kernel. When used with a
compatible apparmor userspace, 'unix' and 'network netlink' rules are
supported. When used without a compatible apparmor userspace (eg, on a trusty
system with an utopic backport kernel), abstract, anonymous and fine-grained
netlink socket mediation is not enforced (ie, you can use this kernel with an
old userspace without any issues).
Testing:
* 14.04 system with backported kernel: TODO
  * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
  * exploratory manual testing: TODO (networking, aa-enforce with firefox,
    firefox works, apparmor blocks access, etc)
  * aa-status: TODO
  * lxc: TODO (containers can be created, started, shutdown)
  * libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT
    passes all tests)
* 14.10 system (non-Touch) with updated kernel:
  * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS
    (includes click-apparmor, apparmor-easyprof-ubuntu, exploratory manual
    testing, etc)
* 14.10 system (Touch) with updated kernel:
  * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS
    (includes click-apparmor, apparmor-easyprof-ubuntu, exploratory manual
    testing, etc)
Justification:
This feature is required to support comprehensive application confinement on
Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest
isolation which is fundamental to Ubuntu on Server/Cloud. This feature also
adds a welcome improvement to administrators wishing to further protect their
systems.