This bug was fixed in the package linux - 4.8.0-11.12

---------------
linux (4.8.0-11.12) yakkety; urgency=low

  * change_hat is logging failures during expected hat probing (LP: #1615893)
    - SAUCE: apparmor: Fix auditing behavior for change_hat probing

  * deleted files outside of the namespace are not being treated as
    disconnected (LP: #1615892)
    - SAUCE: apparmor: deleted dentries can be disconnected

  * stacking to unconfined in a child namespace confuses mediation
    (LP: #1615890)
    - SAUCE: apparmor: special case unconfined when determining the mode

  * apparmor module parameters can be changed after the policy is locked
    (LP: #1615895)
    - SAUCE: apparmor: fix: parameters can be changed after policy is locked

  * AppArmor profile reloading causes an intermittent kernel BUG (LP: #1579135)
    - SAUCE: apparmor: fix vec_unique for vectors larger than 8

  * label vec reductions can result in reference labels instead of direct
    access to labels (LP: #1615889)
    - SAUCE: apparmor: reduction of vec to single entry is just that entry

  * profiles from different namespaces can block other namespaces from being
    able to load a profile (LP: #1615887)
    - SAUCE: apparmor: profiles in one ns can affect mediation in another ns

  * The label build for onexec when stacking is wrong (LP: #1615881)
    - SAUCE: apparmor: Fix label build for onexec stacking.

  * The inherit check for new to old label comparison for domain transitions
    is wrong (LP: #1615880)
    - SAUCE: apparmor: Fix new to old label comparison for domain transitions

  * warning stack trace while playing with apparmor namespaces (LP: #1593874)
    - SAUCE: apparmor: fix stack trace when removing namespace with profiles

  * __label_update proxy comparison test is wrong (LP: #1615878)
    - SAUCE: apparmor: Fix __label_update proxy comparison test

  * reading /sys/kernel/security/apparmor/profiles requires CAP_MAC_ADMIN
    (LP: #1560583)
    - SAUCE: apparmor: Allow ns_root processes to open profiles file
    - SAUCE: apparmor: Consult sysctl when reading profiles in a user ns

  * policy namespace stacking (LP: #1379535)
    - SAUCE: (no-up) apparmor: rebase of apparmor3.5-beta1 snapshot for 4.8
    - SAUCE: add a sysctl to enable unprivileged user ns AppArmor policy loading

  * Miscellaneous Ubuntu changes
    - [Debian] Dynamically determine linux udebs package name
    - [Debian] d-i -- fix dtb handling in new kernel-wedge form
    - SAUCE: apparmor: Fix FTBFS due to bad include path
    - SAUCE: apparmor: add data query support
    - [Config] Set CONFIG_SECURITY_APPARMOR_UNCONFINED_INIT=y

  * Miscellaneous upstream changes
    - fixup backout policy view capable for forward port
    - apparmor: fix: Rework the iter loop for label_update
    - apparmor: add more assertions for updates/merges to help catch errors
    - apparmor: Make pivot root transitions work with stacking
    - apparmor: convert delegating deleted files to mediate deleted files
    - apparmor: add missing parens. not a bug fix but highly recommended
    - apparmor: add a stack_version file to allow detection of bug fixes
    - apparmor: push path lookup into mediation loop
    - apparmor: default to allowing unprivileged userns policy
    - apparmor: fix: permissions test to view and manage policy
    - apparmor: Add Basic ns cross check condition for ipc

 -- Leann Ogasawara <leann.ogasaw...@canonical.com>  Sat, 17 Sep 2016 10:03:16 -0700

** Changed in: linux (Ubuntu Yakkety)
       Status: Incomplete => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1615890

Title:
  stacking to unconfined in a child namespace confuses mediation

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Released

Bug description:
  When viewing a stack involving unconfined from across a ns boundary
  the mode is reported as mixed.

  Eg.

  lxc-container-default//&:lxdns1://unconfined (mixed)

  This is because the unconfined profile is in the special unconfined
  mode, which will result in a (mixed) mode for any stack with profiles
  in enforcing or complain mode.

  This can however lead to confusion as to what mode is being used, as
  mixed is also used for enforcing stacked with complain, and this can
  also currently mess up mediation of trusted helpers like dbus.

  Since unconfined doesn't affect the stack just special case it.
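  The following is an added, stand-alone model of the mode reduction described
  above; it is not the kernel's or the Ubuntu SAUCE patch's code. The mode enum,
  the struct layout and the sample stack are constructed for illustration, and
  the model assumes a stack consisting only of unconfined entries reports as
  unconfined.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of profile modes; the real kernel enum differs. */
enum mode { ENFORCE, COMPLAIN, UNCONFINED };
static const char *mode_names[] = { "enforce", "complain", "unconfined" };

struct profile {
    const char *name;   /* "ns://profile" as printed in the bug report */
    enum mode mode;
};

/* Pre-fix behaviour: any difference in mode across the stack is reported as
 * "mixed", so enforce stacked with unconfined shows as (mixed). */
const char *stack_mode_buggy(const struct profile *stack, size_t n)
{
    int mode = -1;
    for (size_t i = 0; i < n; i++) {
        if (mode == -1)
            mode = stack[i].mode;
        else if (mode != (int)stack[i].mode)
            return "mixed";
    }
    return mode == -1 ? "unconfined" : mode_names[mode];
}

/* Fixed behaviour (LP: #1615890): unconfined does not mediate, so it is
 * skipped when deciding the stack's mode; only mediating profiles count. */
const char *stack_mode_fixed(const struct profile *stack, size_t n)
{
    int mode = -1;
    for (size_t i = 0; i < n; i++) {
        if (stack[i].mode == UNCONFINED)
            continue;           /* the special case the SAUCE patch adds */
        if (mode == -1)
            mode = stack[i].mode;
        else if (mode != (int)stack[i].mode)
            return "mixed";
    }
    return mode == -1 ? "unconfined" : mode_names[mode];
}

int main(void)
{
    /* Constructed stack modelled on the report's example. */
    const struct profile stack[] = {
        { "lxc-container-default", ENFORCE },
        { "lxdns1://unconfined", UNCONFINED },
    };
    printf("lxc-container-default//&:lxdns1://unconfined: (%s) -> (%s)\n",
           stack_mode_buggy(stack, 2), stack_mode_fixed(stack, 2));
    return 0;
}
```

  Enforce stacked with complain still reports (mixed) in the fixed version, which is the distinction the report says the old output blurred.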

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1615890/+subscriptions
