[Kernel-packages] [Bug 1755563] Re: dangling symlinks to loaded apparmor policy

2018-04-23 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.15.0-19.20

---
linux (4.15.0-19.20) bionic; urgency=medium

  * linux: 4.15.0-19.20 -proposed tracker (LP: #1766021)

  * Kernel 4.15.0-15 breaks Dell PowerEdge 12th Gen servers (LP: #1765232)
    - Revert "blk-mq: simplify queue mapping & schedule with each possisble CPU"
    - Revert "genirq/affinity: assign vectors to all possible CPUs"

linux (4.15.0-18.19) bionic; urgency=medium

  * linux: 4.15.0-18.19 -proposed tracker (LP: #1765490)

  * [regression] Ubuntu 18.04:[4.15.0-17-generic #18] KVM Guest Kernel:
    meltdown: rfi/fallback displacement flush not enabled bydefault (kvm)
    (LP: #1765429)
    - powerpc/pseries: Fix clearing of security feature flags

  * signing: only install a signed kernel (LP: #1764794)
    - [Packaging] update to Debian like control scripts
    - [Packaging] switch to triggers for postinst.d postrm.d handling
    - [Packaging] signing -- switch to raw-signing tarballs
    - [Packaging] signing -- switch to linux-image as signed when available
    - [Config] signing -- enable Opal signing for ppc64el
    - [Packaging] printenv -- add signing options

  * [18.04 FEAT] Sign POWER host/NV kernels (LP: #1696154)
    - [Packaging] signing -- add support for signing Opal kernel binaries

  * Please cherrypick s390 unwind fix (LP: #1765083)
    - s390/compat: fix setup_frame32

  * Ubuntu 18.04 installer does not detect any IPR based HDD/RAID array [S822L]
    [ipr] (LP: #1751813)
    - d-i: move ipr to storage-core-modules on ppc64el

  * drivers/gpu/drm/bridge/adv7511/adv7511.ko missing (LP: #1764816)
    - SAUCE: (no-up) rename the adv7511 drm driver to adv7511_drm

  * Miscellaneous Ubuntu changes
    - [Packaging] Add linux-oem to rebuild test blacklist.

linux (4.15.0-17.18) bionic; urgency=medium

  * linux: 4.15.0-17.18 -proposed tracker (LP: #1764498)

  * Eventual OOM with profile reloads (LP: #1750594)
    - SAUCE: apparmor: fix memory leak when duplicate profile load

linux (4.15.0-16.17) bionic; urgency=medium

  * linux: 4.15.0-16.17 -proposed tracker (LP: #1763785)

  * [18.04] [bug] CFL-S(CNP)/CNL GPIO testing failed (LP: #1757346)
    - [Config]: Set CONFIG_PINCTRL_CANNONLAKE=y

  * [Ubuntu 18.04] USB Type-C test failed on GLK (LP: #1758797)
    - SAUCE: usb: typec: ucsi: Increase command completion timeout value

  * Fix trying to "push" an already active pool VP (LP: #1763386)
    - SAUCE: powerpc/xive: Fix trying to "push" an already active pool VP

  * hisi_sas: Revert and replace SAUCE patches w/ upstream (LP: #1762824)
    - Revert "UBUNTU: SAUCE: scsi: hisi_sas: export device table of v3 hw to
      userspace"
    - Revert "UBUNTU: SAUCE: scsi: hisi_sas: config for hip08 ES"
    - scsi: hisi_sas: modify some register config for hip08
    - scsi: hisi_sas: add v3 hw MODULE_DEVICE_TABLE()

  * Realtek card reader - RTS5243 [VEN_10EC_5260] (LP: #1737673)
    - misc: rtsx: Move Realtek Card Reader Driver to misc
    - updateconfigs for Realtek Card Reader Driver
    - misc: rtsx: Add support for RTS5260
    - misc: rtsx: Fix symbol clashes

  * Mellanox [mlx5] [bionic] UBSAN: Undefined behaviour in
    ./include/linux/net_dim.h (LP: #1763269)
    - net/mlx5e: Fix int overflow

  * apparmor bug fixes for bionic (LP: #1763427)
    - apparmor: fix logging of the existence test for signals
    - apparmor: make signal label match work when matching stacked labels
    - apparmor: audit unknown signal numbers
    - apparmor: fix memory leak on buffer on error exit path
    - apparmor: fix mediation of prlimit

  * dangling symlinks to loaded apparmor policy (LP: #1755563) // apparmor bug
    fixes for bionic (LP: #1763427)
    - apparmor: fix dangling symlinks to policy rawdata after replacement

  * [OPAL] Assert fail:
    core/mem_region.c:447:lock_held_by_me(>free_list_lock)
    (LP: #1762913)
    - powerpc/watchdog: remove arch_trigger_cpumask_backtrace

  * [LTC Test] Ubuntu 18.04: tm_trap_test failed on P8 compat mode guest
    (LP: #1762928)
    - powerpc/tm: Fix endianness flip on trap

  * Add support for RT5660 codec based sound cards on Baytrail (LP: #1657674)
    - SAUCE: (no-up) ASoC: Intel: Support machine driver for RT5660 on Baytrail
    - SAUCE: (no-up) ASoC: rt5660: Add ACPI support
    - SAUCE: (no-up): ASoC: Intel: bytcr-rt5660: Add MCLK, quirks
    - [Config] CONFIG_SND_SOC_INTEL_BYTCR_RT5660_MACH=m, CONFIG_SND_SOC_RT5660=m

  * /dev/ipmi enumeration flaky on Cavium Sabre nodes (LP: #1762812)
    - i2c: xlp9xx: return ENXIO on slave address NACK
    - i2c: xlp9xx: Handle transactions with I2C_M_RECV_LEN properly
    - i2c: xlp9xx: Check for Bus state before every transfer
    - i2c: xlp9xx: Handle NACK on DATA properly

  * [18.04 FEAT] Add kvm_stat from kernel tree (LP: #1734130)
    - tools/kvm_stat: simplify the sortkey function
    - tools/kvm_stat: use a namedtuple for storing the values
    - tools/kvm_stat: use a more pythonic way to iterate over dictionaries
    - tools/kvm_stat: 

[Kernel-packages] [Bug 1755563] Re: dangling symlinks to loaded apparmor policy

2018-04-13 Thread Thadeu Lima de Souza Cascardo
** Changed in: linux (Ubuntu Bionic)
   Status: Confirmed => Fix Committed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1755563

Title:
  dangling symlinks to loaded apparmor policy

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Artful:
  Confirmed
Status in linux source package in Bionic:
  Fix Committed

Bug description:
  On my artful system running 4.13.0-36-generic I noticed that there are
  dangling symlinks for "raw_data", "raw_sha1" and "raw_abi" files in
  the sysfs path containing loaded apparmor profiles.

  Sample of profiles that had dangling symlinks:

  /sys/kernel/security/apparmor/policy/profiles/snap.core.hook.configure.35/raw_data
  /sys/kernel/security/apparmor/policy/profiles/snap.core.hook.configure.35/raw_abi
  /sys/kernel/security/apparmor/policy/profiles/snap.core.hook.configure.35/raw_sha1

  The following command can be used to find such files:

  find /sys/kernel/security/apparmor/policy/profiles -type l -exec sh -c "file -b {} | grep -q ^broken" \; -print

  The issue was observed on xenial (4.4 kernel), artful (4.13) and
  bionic (4.15).

  I'm reporting this because according to the apparmor developer it
  seems "racy" and should not happen.

   zyga-ubuntu: no, there shouldn't be a way to remove profiles wrong, there is the potential for a race of sorts because the symlink doesn't have the same hard reference, but that isn't something you should be seeing
   zyga-ubuntu: the raw_data file should not be going away as long as that profile directory exists

  It is likely that this problem occurs when snapd generates profiles
  for refreshed snaps or removes profiles for removed snaps but I was
  not able to determine that yet.

  I updated my bionic system and noticed a non-snap-related dangling symlink
  when the libreoffice package was updated:
  /sys/kernel/security/apparmor/policy/profiles/libreoffice-senddoc.17/raw_data

  ProblemType: Bug
  DistroRelease: Ubuntu 17.10
  Package: linux-image-4.13.0-36-generic 4.13.0-36.40
  ProcVersionSignature: Ubuntu 4.13.0-36.40-generic 4.13.13
  Uname: Linux 4.13.0-36-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl zcommon znvpair
  ApportVersion: 2.20.7-0ubuntu3.7
  Architecture: amd64
  AudioDevicesInUse:
   USER PID ACCESS COMMAND
   /dev/snd/controlC0:  zyga   2431 F pulseaudio
  CurrentDesktop: ubuntu:GNOME
  Date: Tue Mar 13 19:04:50 2018
  InstallationDate: Installed on 2018-02-02 (39 days ago)
  InstallationMedia: Ubuntu 17.10 "Artful Aardvark" - Release amd64 (20180105.1)
  MachineType: VMware, Inc. VMware Virtual Platform
  ProcFB: 0 svgadrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.13.0-36-generic root=UUID=7e995ac2-1858-40bd-8f15-1f291f0c365e ro find_preseed=/preseed.cfg auto noprompt priority=critical locale=en_US quiet
  RelatedPackageVersions:
   linux-restricted-modules-4.13.0-36-generic N/A
   linux-backports-modules-4.13.0-36-generic  N/A
   linux-firmware 1.169.3
  RfKill:
   0: hci0: Bluetooth
    Soft blocked: no
    Hard blocked: no
  SourcePackage: linux
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 05/19/2017
  dmi.bios.vendor: Phoenix Technologies LTD
  dmi.bios.version: 6.00
  dmi.board.name: 440BX Desktop Reference Platform
  dmi.board.vendor: Intel Corporation
  dmi.board.version: None
  dmi.chassis.asset.tag: No Asset Tag
  dmi.chassis.type: 1
  dmi.chassis.vendor: No Enclosure
  dmi.chassis.version: N/A
  dmi.modalias: dmi:bvnPhoenixTechnologiesLTD:bvr6.00:bd05/19/2017:svnVMware,Inc.:pnVMwareVirtualPlatform:pvrNone:rvnIntelCorporation:rn440BXDesktopReferencePlatform:rvrNone:cvnNoEnclosure:ct1:cvrN/A:
  dmi.product.name: VMware Virtual Platform
  dmi.product.version: None
  dmi.sys.vendor: VMware, Inc.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1755563/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
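
A variant of the check quoted in the bug description, as an added example that is not part of the original thread: it limits the search to the three link names the report mentions, passes each path to `sh` as an argument instead of substituting `{}` into the command string, and prints the stale target. The function names and the sample tree (including its `raw_data/<n>` layout and the `demo.healthy.1` profile) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): list dangling raw_* links under an
# AppArmor policy tree. POLICY_ROOT defaults to the securityfs path in the report.
POLICY_ROOT=${POLICY_ROOT:-/sys/kernel/security/apparmor/policy/profiles}

# dangling_rawdata_links ROOT
# Prints "<profile-dir><TAB><link-name><TAB><link-target>" for every raw_data,
# raw_sha1 or raw_abi symlink whose target no longer exists.
# Returns 2 if ROOT is not a directory.
dangling_rawdata_links() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    find "$root" -type l \
        \( -name raw_data -o -name raw_sha1 -o -name raw_abi \) \
        -exec sh -c '
            for link in "$@"; do
                # -e follows the link, so it fails only when the target is gone.
                if [ ! -e "$link" ]; then
                    dir=$(dirname "$link")
                    printf "%s\t%s\t%s\n" "$(basename "$dir")" \
                        "$(basename "$link")" "$(readlink "$link")"
                fi
            done' sh {} + | sort
}

# affected_profiles ROOT
# Unique profile directory names that have at least one dangling link.
affected_profiles() {
    dangling_rawdata_links "$1" | cut -f1 | sort -u
}

# make_demo_tree
# Builds a CONSTRUCTED sample tree (hypothetical layout) and prints its path:
# one profile whose links resolve, one whose raw data directory is missing.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/raw_data/7" "$d/profiles/demo.healthy.1" \
             "$d/profiles/snap.core.hook.configure.35"
    for f in raw_data sha1 abi; do : > "$d/raw_data/7/$f"; done
    for pair in raw_data:raw_data raw_sha1:sha1 raw_abi:abi; do
        link=${pair%%:*}; file=${pair#*:}
        ln -s "../../raw_data/7/$file" "$d/profiles/demo.healthy.1/$link"
        ln -s "../../raw_data/3/$file" \
              "$d/profiles/snap.core.hook.configure.35/$link"
    done
    echo "$d"
}

# Scan the live policy tree when it is present on this host.
if [ -d "$POLICY_ROOT" ]; then
    dangling_rawdata_links "$POLICY_ROOT"
fi
```

Running it from a timer before and after profile reloads gives a simple regression check for kernels that should carry the fix.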


[Kernel-packages] [Bug 1755563] Re: dangling symlinks to loaded apparmor policy

2018-03-21 Thread Zygmunt Krynicki
I've been testing the patch from jj and I cannot see the issue after 24
hours of intense apparmor activity. +1 from me.



[Kernel-packages] [Bug 1755563] Re: dangling symlinks to loaded apparmor policy

2018-03-13 Thread Zygmunt Krynicki
** Description changed:

  On my artful system running 4.13.0-36-generic I noticed that there are
  dangling symlinks for "raw_data", "raw_sha1" and "raw_abi" files in the
  sysfs path containing loaded apparmor profiles.
  
  Sample of profiles that had dangling symlinks:
  
  
/sys/kernel/security/apparmor/policy/profiles/snap.core.hook.configure.35/raw_data
  
/sys/kernel/security/apparmor/policy/profiles/snap.core.hook.configure.35/raw_abi
  
/sys/kernel/security/apparmor/policy/profiles/snap.core.hook.configure.35/raw_sha1
  
  The following command can be used to find such files:
  
  find /sys/kernel/security/apparmor/policy/profiles -type l -exec sh -c
  "file -b {} | grep -q ^broken" \; -print
  
- It seems that neither xenial (4.4 kernel) nor bionic (4.15 kernel) is
- affected though I didn't perform an extensive investigation.
- 
- EDIT: This is inaccurate, bionic is affected as well. See below.
+ The issue was observed on xenial (4.4 kernel), artful (4.13) and bionic
+ (4.15).
  
  I'm reporting this because according to the apaprmor developer it seems
  "racy" and should not happen.
  
   zyga-ubuntu: no, there shouldn't be a way to remove profiles 
wrong, there is the potential for a race of sorts because the symlink doesn't 
have the same hard reference, but that isn't something you should be seeing
   zyga-ubuntu: the raw_data file should not be going away as long 
as that profile directory exists
  
  It is likely that this problem occurs when snapd generates profiles for
  refreshed snaps or removes profiles for removed snaps but I was not able
  to determine that yet.
  
  I updated my bionic system and noticed non-snap-related dangling symlink when 
the libreoffice package was updated:
  /sys/kernel/security/apparmor/policy/profiles/libreoffice-senddoc.17/raw_data
- 
  
  ProblemType: Bug
  DistroRelease: Ubuntu 17.10
  Package: linux-image-4.13.0-36-generic 4.13.0-36.40
  ProcVersionSignature: Ubuntu 4.13.0-36.40-generic 4.13.13
  Uname: Linux 4.13.0-36-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl zcommon znvpair
  ApportVersion: 2.20.7-0ubuntu3.7
  Architecture: amd64
  AudioDevicesInUse:
   USERPID ACCESS COMMAND
   /dev/snd/controlC0:  zyga   2431 F pulseaudio
  CurrentDesktop: ubuntu:GNOME
  Date: Tue Mar 13 19:04:50 2018
  InstallationDate: Installed on 2018-02-02 (39 days ago)
  InstallationMedia: Ubuntu 17.10 "Artful Aardvark" - Release amd64 (20180105.1)
  MachineType: VMware, Inc. VMware Virtual Platform
  ProcFB: 0 svgadrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.13.0-36-generic 
root=UUID=7e995ac2-1858-40bd-8f15-1f291f0c365e ro find_preseed=/preseed.cfg 
auto noprompt priority=critical locale=en_US quiet
  RelatedPackageVersions:
   linux-restricted-modules-4.13.0-36-generic N/A
   linux-backports-modules-4.13.0-36-generic  N/A
   linux-firmware 1.169.3
  RfKill:
   0: hci0: Bluetooth
    Soft blocked: no
    Hard blocked: no
  SourcePackage: linux
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 05/19/2017
  dmi.bios.vendor: Phoenix Technologies LTD
  dmi.bios.version: 6.00
  dmi.board.name: 440BX Desktop Reference Platform
  dmi.board.vendor: Intel Corporation
  dmi.board.version: None
  dmi.chassis.asset.tag: No Asset Tag
  dmi.chassis.type: 1
  dmi.chassis.vendor: No Enclosure
  dmi.chassis.version: N/A
  dmi.modalias: 
dmi:bvnPhoenixTechnologiesLTD:bvr6.00:bd05/19/2017:svnVMware,Inc.:pnVMwareVirtualPlatform:pvrNone:rvnIntelCorporation:rn440BXDesktopReferencePlatform:rvrNone:cvnNoEnclosure:ct1:cvrN/A:
  dmi.product.name: VMware Virtual Platform
  dmi.product.version: None
  dmi.sys.vendor: VMware, Inc.


[Kernel-packages] [Bug 1755563] Re: dangling symlinks to loaded apparmor policy

2018-03-13 Thread Joseph Salisbury
** Tags added: kernel-da-key

** Changed in: linux (Ubuntu)
   Importance: Undecided => Medium

** Also affects: linux (Ubuntu Bionic)
   Importance: Medium
   Status: Confirmed

** Also affects: linux (Ubuntu Artful)
   Importance: Undecided
   Status: New

** Changed in: linux (Ubuntu Artful)
   Status: New => Confirmed

** Changed in: linux (Ubuntu Artful)
   Importance: Undecided => Medium


[Kernel-packages] [Bug 1755563] Re: dangling symlinks to loaded apparmor policy

2018-03-13 Thread Zygmunt Krynicki
** Description changed:

  On my artful system running 4.13.0-36-generic I noticed that there are
  dangling symlinks for "raw_data", "raw_sha1" and "raw_abi" files in the
  sysfs path containing loaded apparmor profiles.
  
  Sample of profiles that had dangling symlinks:
  
  
/sys/kernel/security/apparmor/policy/profiles/snap.core.hook.configure.35/raw_data
  
/sys/kernel/security/apparmor/policy/profiles/snap.core.hook.configure.35/raw_abi
  
/sys/kernel/security/apparmor/policy/profiles/snap.core.hook.configure.35/raw_sha1
  
  The following command can be used to find such files:
  
  find /sys/kernel/security/apparmor/policy/profiles -type l -exec sh -c
  "file -b {} | grep -q ^broken" \; -print
  
  It seems that neither xenial (4.4 kernel) nor bionic (4.15 kernel) is
  affected though I didn't perform an extensive investigation.
  
+ EDIT: This is inaccurate, bionic is affected as well. See below.
+ 
  I'm reporting this because according to the apaprmor developer it seems
  "racy" and should not happen.
  
   zyga-ubuntu: no, there shouldn't be a way to remove profiles 
wrong, there is the potential for a race of sorts because the symlink doesn't 
have the same hard reference, but that isn't something you should be seeing
   zyga-ubuntu: the raw_data file should not be going away as long 
as that profile directory exists
  
  It is likely that this problem occurs when snapd generates profiles for
  refreshed snaps or removes profiles for removed snaps but I was not able
  to determine that yet.
  
+ I updated my bionic system and noticed non-snap-related dangling symlink when 
the libreoffice package was updated:
+ /sys/kernel/security/apparmor/policy/profiles/libreoffice-senddoc.17/raw_data
+ 
+ 
  ProblemType: Bug
  DistroRelease: Ubuntu 17.10
  Package: linux-image-4.13.0-36-generic 4.13.0-36.40
  ProcVersionSignature: Ubuntu 4.13.0-36.40-generic 4.13.13
  Uname: Linux 4.13.0-36-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl zcommon znvpair
  ApportVersion: 2.20.7-0ubuntu3.7
  Architecture: amd64
  AudioDevicesInUse:
-  USERPID ACCESS COMMAND
-  /dev/snd/controlC0:  zyga   2431 F pulseaudio
+  USERPID ACCESS COMMAND
+  /dev/snd/controlC0:  zyga   2431 F pulseaudio
  CurrentDesktop: ubuntu:GNOME
  Date: Tue Mar 13 19:04:50 2018
  InstallationDate: Installed on 2018-02-02 (39 days ago)
  InstallationMedia: Ubuntu 17.10 "Artful Aardvark" - Release amd64 (20180105.1)
  MachineType: VMware, Inc. VMware Virtual Platform
  ProcFB: 0 svgadrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.13.0-36-generic 
root=UUID=7e995ac2-1858-40bd-8f15-1f291f0c365e ro find_preseed=/preseed.cfg 
auto noprompt priority=critical locale=en_US quiet
  RelatedPackageVersions:
-  linux-restricted-modules-4.13.0-36-generic N/A
-  linux-backports-modules-4.13.0-36-generic  N/A
-  linux-firmware 1.169.3
+  linux-restricted-modules-4.13.0-36-generic N/A
+  linux-backports-modules-4.13.0-36-generic  N/A
+  linux-firmware 1.169.3
  RfKill:
-  0: hci0: Bluetooth
-   Soft blocked: no
-   Hard blocked: no
+  0: hci0: Bluetooth
+   Soft blocked: no
+   Hard blocked: no
  SourcePackage: linux
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 05/19/2017
  dmi.bios.vendor: Phoenix Technologies LTD
  dmi.bios.version: 6.00
  dmi.board.name: 440BX Desktop Reference Platform
  dmi.board.vendor: Intel Corporation
  dmi.board.version: None
  dmi.chassis.asset.tag: No Asset Tag
  dmi.chassis.type: 1
  dmi.chassis.vendor: No Enclosure
  dmi.chassis.version: N/A
  dmi.modalias: 
dmi:bvnPhoenixTechnologiesLTD:bvr6.00:bd05/19/2017:svnVMware,Inc.:pnVMwareVirtualPlatform:pvrNone:rvnIntelCorporation:rn440BXDesktopReferencePlatform:rvrNone:cvnNoEnclosure:ct1:cvrN/A:
  dmi.product.name: VMware Virtual Platform
  dmi.product.version: None
  dmi.sys.vendor: VMware, Inc.
