[Touch-packages] [Bug 2032602] Re: [FFe] apparmor-4.0.0-alpha2 for unprivileged user namespace restrictions in mantic
This bug is awaiting verification that the linux- aws-6.5/6.5.0-1008.8~22.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux- aws-6.5' to 'verification-done-jammy-linux-aws-6.5'. If the problem still exists, change the tag 'verification-needed-jammy-linux-aws-6.5' to 'verification-failed-jammy-linux-aws-6.5'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags added: kernel-spammed-jammy-linux-aws-6.5-v2 verification-needed-jammy-linux-aws-6.5 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/2032602 Title: [FFe] apparmor-4.0.0-alpha2 for unprivileged user namespace restrictions in mantic Status in apparmor package in Ubuntu: Fix Released Bug description: As per the spec documented at https://discourse.ubuntu.com/t/spec- unprivileged-user-namespace-restrictions-via-apparmor-in- ubuntu-23-10/37626 the Security team is enhancing AppArmor to allow the use of unprivileged user namespaces to be restricted to only those packages which require this. This change requires changes in both AppArmor within the kernel, as well as the apparmor package in the Ubuntu archive to ensure it supports the new syntax required. This has been extensively tested via the AppArmor regression test script in the QA Regression Testing repo: https://git.launchpad.net/qa-regression-testing/tree/scripts/test- apparmor.py This script runs various tests against the installed apparmor package, as well as building and running the various upstream regression and other test suites against this installed package: - https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads - https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads - https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads - https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads The package can be found in https://launchpad.net/~alexmurray/+archive/ubuntu/apparmor-4.0.0-alpha2-for- mantic-take2 This includes build logs etc (e.g. for amd64 this is found at https://launchpad.net/~alexmurray/+archive/ubuntu/apparmor-4.0.0-alpha2-for- mantic-take2/+build/26530996) Note there is no ChangeLog file in upstream apparmor so instead I am attaching the git history between the current version of apparmor in mantic (3.0.8) and 4.0.0-alpha2. Also note that this new version of apparmor does not actually enable the user namespaces restriction yet - that is planned for a future upload (and hence a future FFe) - however, it lays all the groundwork to enable this, once sufficient testing and integration has been done across the rest of the Ubuntu archive and package ecosystem. As such, there is no risk of regression at this time due to that change - and the extensive regression testing also supports this conclusion as well. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2032602/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2032602] Re: [FFe] apparmor-4.0.0-alpha2 for unprivileged user namespace restrictions in mantic
This bug is awaiting verification that the linux- azure-6.5/6.5.0-1007.7~22.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux- azure-6.5' to 'verification-done-jammy-linux-azure-6.5'. If the problem still exists, change the tag 'verification-needed-jammy-linux-azure-6.5' to 'verification-failed-jammy-linux-azure-6.5'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags added: kernel-spammed-jammy-linux-azure-6.5-v2 verification-needed-jammy-linux-azure-6.5 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/2032602 Title: [FFe] apparmor-4.0.0-alpha2 for unprivileged user namespace restrictions in mantic Status in apparmor package in Ubuntu: Fix Released Bug description: As per the spec documented at https://discourse.ubuntu.com/t/spec- unprivileged-user-namespace-restrictions-via-apparmor-in- ubuntu-23-10/37626 the Security team is enhancing AppArmor to allow the use of unprivileged user namespaces to be restricted to only those packages which require this. This change requires changes in both AppArmor within the kernel, as well as the apparmor package in the Ubuntu archive to ensure it supports the new syntax required. This has been extensively tested via the AppArmor regression test script in the QA Regression Testing repo: https://git.launchpad.net/qa-regression-testing/tree/scripts/test- apparmor.py This script runs various tests against the installed apparmor package, as well as building and running the various upstream regression and other test suites against this installed package: - https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads - https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads - https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads - https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads The package can be found in https://launchpad.net/~alexmurray/+archive/ubuntu/apparmor-4.0.0-alpha2-for- mantic-take2 This includes build logs etc (e.g. for amd64 this is found at https://launchpad.net/~alexmurray/+archive/ubuntu/apparmor-4.0.0-alpha2-for- mantic-take2/+build/26530996) Note there is no ChangeLog file in upstream apparmor so instead I am attaching the git history between the current version of apparmor in mantic (3.0.8) and 4.0.0-alpha2. Also note that this new version of apparmor does not actually enable the user namespaces restriction yet - that is planned for a future upload (and hence a future FFe) - however, it lays all the groundwork to enable this, once sufficient testing and integration has been done across the rest of the Ubuntu archive and package ecosystem. As such, there is no risk of regression at this time due to that change - and the extensive regression testing also supports this conclusion as well. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2032602/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2032602] Re: [FFe] apparmor-4.0.0-alpha2 for unprivileged user namespace restrictions in mantic
This bug was fixed in the package apparmor - 4.0.0~alpha2-0ubuntu2 --- apparmor (4.0.0~alpha2-0ubuntu2) mantic; urgency=medium * Fix invalid JSON output from aa-status --json via upstream patch (LP: #2032994) - d/p/u/binutils-aa_status.c-quiet-verbose-outputs-when-json.patch -- Alex Murray Fri, 25 Aug 2023 09:48:24 +0930 ** Changed in: apparmor (Ubuntu) Status: Triaged => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/2032602 Title: [FFe] apparmor-4.0.0-alpha2 for unprivileged user namespace restrictions in mantic Status in apparmor package in Ubuntu: Fix Released Bug description: As per the spec documented at https://discourse.ubuntu.com/t/spec- unprivileged-user-namespace-restrictions-via-apparmor-in- ubuntu-23-10/37626 the Security team is enhancing AppArmor to allow the use of unprivileged user namespaces to be restricted to only those packages which require this. This change requires changes in both AppArmor within the kernel, as well as the apparmor package in the Ubuntu archive to ensure it supports the new syntax required. This has been extensively tested via the AppArmor regression test script in the QA Regression Testing repo: https://git.launchpad.net/qa-regression-testing/tree/scripts/test- apparmor.py This script runs various tests against the installed apparmor package, as well as building and running the various upstream regression and other test suites against this installed package: - https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads - https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads - https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads - https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads The package can be found in https://launchpad.net/~alexmurray/+archive/ubuntu/apparmor-4.0.0-alpha2-for- mantic-take2 This includes build logs etc (e.g. for amd64 this is found at https://launchpad.net/~alexmurray/+archive/ubuntu/apparmor-4.0.0-alpha2-for- mantic-take2/+build/26530996) Note there is no ChangeLog file in upstream apparmor so instead I am attaching the git history between the current version of apparmor in mantic (3.0.8) and 4.0.0-alpha2. Also note that this new version of apparmor does not actually enable the user namespaces restriction yet - that is planned for a future upload (and hence a future FFe) - however, it lays all the groundwork to enable this, once sufficient testing and integration has been done across the rest of the Ubuntu archive and package ecosystem. As such, there is no risk of regression at this time due to that change - and the extensive regression testing also supports this conclusion as well. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2032602/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
