I encountered this issue on xenial after updating to Azure's 4.15 kernel
for testing. We started encountering an apparmor deny which doesn't
happen on the latest 4.4 kernel. I had missed setting the k flag for a
policy, and everything worked on the new kernel once we fixed the

Given that this bug leads to incorrect enforcement of policy does it
make sense to release a fix for xenial?


  flock not mediated by 'k'

Status in AppArmor:
  In Progress
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
Status in linux source package in Yakkety:
  Won't Fix

Bug description:
  $ cat ./apparmor.profile 
  #include <tunables/global>

  profile test {
    #include <abstractions/base>

    /bin/bash ixr,
    /dev/pts/* rw,
    /usr/bin/flock ixr,
    # Not blocked:
    # aa-exec -p test -- flock -w 1 /tmp/test.lock -c true
    /tmp/test.lock rw,
  }

  $ sudo apparmor_parser -r ./apparmor.profile

  $ aa-exec -p test -- flock -w 1 /tmp/test.lock -c true && echo yes

  $ ls -l /tmp/test.lock 
  -rw-rw-r-- 1 jamie jamie 0 Jan 20 15:57 /tmp/test.lock

  The flock command uses flock(LOCK_EX) and I expected it to be blocked
  due to the lack of 'k'.

  apparmor userspace 2.10.95-0ubuntu2.5 (xenial) and 4.9.0-12.13-generic
  kernel on amd64.
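
An added example (not part of the bug report or of AppArmor's tooling): once a kernel enforces 'k', profiles that omit it start producing denials like the one described above, and this script extracts the affected profile and path pairs from kernel log text. The log lines are constructed samples and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample kernel log lines (not taken from the bug report).
sample_log() {
cat <<'EOF'
kernel: audit: type=1400 audit(1484928131.123:45): apparmor="DENIED" operation="file_lock" profile="test" name="/tmp/test.lock" pid=4242 comm="flock" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
kernel: audit: type=1400 audit(1484928140.456:46): apparmor="DENIED" operation="file_lock" profile="test" name="/tmp/test.lock" pid=4250 comm="flock" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
kernel: audit: type=1400 audit(1484928150.789:47): apparmor="DENIED" operation="open" profile="test" name="/etc/shadow" pid=4260 comm="bash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: audit: type=1400 audit(1484928160.012:48): apparmor="DENIED" operation="file_lock" profile="backup" name="/var/lib/app/db.lock" pid=4270 comm="python3" requested_mask="wk" denied_mask="k" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1484928170.345:49): apparmor="ALLOWED" operation="file_lock" profile="devel" name="/tmp/x.lock" pid=4280 comm="flock" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
EOF
}

# Read log text on stdin and print "profile path" once for every pair that
# had a lock ('k') request denied. Only enforced denials are reported;
# complain-mode (ALLOWED) lines and non-lock denials are skipped.
# Limitation: names the kernel hex-encodes (unquoted) are not decoded.
lock_denials() {
  awk '
    # Return the quoted value of key="..." on the current line, or "".
    function val(key,    re) {
      re = " " key "=\"[^\"]*\""
      if (!match($0, re)) return ""
      return substr($0, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    }
    # File permission masks are single letters; require k among them.
    /apparmor="DENIED"/ && /denied_mask="[rwalmxcd]*k[rwalmxcd]*"/ {
      p = val("profile"); n = val("name")
      if (p != "" && n != "") print p, n
    }
  ' | sort -u
}

# With file arguments, scan those logs; otherwise run on the sample lines.
if [ "$#" -gt 0 ]; then
  cat -- "$@" | lock_denials
else
  sample_log | lock_denials
fi
```

Each reported pair points at a file rule in that profile that needs 'k' added (for example `rwk`) before moving to a kernel that mediates locks.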
