[Bug 1713103] Re: snapd 2.27.3+17.10 ADT test failure with linux 4.13.0-6.7
This bug was fixed in the package linux - 4.13.0-11.12

---
linux (4.13.0-11.12) artful; urgency=low

  * linux: 4.13.0-11.12 -proposed tracker (LP: #1716699)

  * kernel panic -not syncing: Fatal exception: panic_on_oops (LP: #1708399)
    - s390/mm: fix local TLB flushing vs. detach of an mm address space
    - s390/mm: fix race on mm->context.flush_mm

  * CVE-2017-1000251
    - Bluetooth: Properly check L2CAP config option output buffer length

 -- Seth Forshee  Tue, 12 Sep 2017 10:18:38 -0500

** Changed in: linux (Ubuntu)
   Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-1000251

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1713103

Title:
  snapd 2.27.3+17.10 ADT test failure with linux 4.13.0-6.7

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1713103/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1713103] Re: snapd 2.27.3+17.10 ADT test failure with linux 4.13.0-6.7
** Changed in: linux (Ubuntu)
   Status: Triaged => Fix Committed
[Bug 1713103] Re: snapd 2.27.3+17.10 ADT test failure with linux 4.13.0-6.7
Sort of. The code was broken into patches and upstreamed piecemeal, so the tighter restrictions when a given patch went in made sense. They also better reflect some of the internal permissions that were being enforced, i.e. while profiles was you needed cap mac admin to actually see it. It looks like opening some of those back up dropped off the todo queue.
[Bug 1713103] Re: snapd 2.27.3+17.10 ADT test failure with linux 4.13.0-6.7
@jjohansen are the more restrictive file permissions intentional? I see quite a few apparmorfs permissions changes between xenial and upstream:

-static struct aa_fs_entry aa_fs_entry_apparmor[] = { - AA_FS_FILE_FOPS(".access", 0666, _fs_access), - AA_FS_FILE_FOPS(".stacked", 0666, _fs_stacked), - AA_FS_FILE_FOPS(".ns_stacked", 0666, _fs_ns_stacked), - AA_FS_FILE_FOPS(".ns_level", 0666, _fs_ns_level), - AA_FS_FILE_FOPS(".ns_name", 0666, _fs_ns_name), - AA_FS_FILE_FOPS("profiles", 0444, _fs_profiles_fops), - AA_FS_DIR("features", aa_fs_entry_features), +static struct aa_sfs_entry aa_sfs_entry_apparmor[] = { + AA_SFS_FILE_FOPS(".access", 0640, _sfs_access), + AA_SFS_FILE_FOPS(".stacked", 0444, _ns_stacked_fops), + AA_SFS_FILE_FOPS(".ns_stacked", 0444, _ns_nsstacked_fops), + AA_SFS_FILE_FOPS(".ns_level", 0666, _ns_level_fops), + AA_SFS_FILE_FOPS(".ns_name", 0640, _ns_name_fops), + AA_SFS_FILE_FOPS("profiles", 0440, _sfs_profiles_fops), + AA_SFS_DIR("features", aa_sfs_entry_features), { } };
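Review bot: ".ns_level" stays at 0666 on the "+" side while ".stacked" and ".ns_stacked" in the same table drop from 0666 to 0444, so the table is no longer consistent about which entries are world-writable; either tighten ".ns_level" to match or add a comment saying why it has to remain 0666. The ".access" entry going from 0666 to 0640 also removes every permission bit for users outside the owner and group, which changes who can open the file at all; each mode in this table should carry a short comment naming the intended callers, and ".access" should keep 0666 if unprivileged callers are meant to use it.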
[Bug 1713103] Re: snapd 2.27.3+17.10 ADT test failure with linux 4.13.0-6.7
The apparmorfs kernel query interface file has more restrictive file permissions in the upstream kernel versus what we've had in the Ubuntu sauce patches.

In Artful (Ubuntu 4.11.0-13.19-generic 4.11.12):

  $ ls -al /sys/kernel/security/apparmor/.access
  -rw-rw-rw- 1 root root 0 Aug 15 17:38 /sys/kernel/security/apparmor/.access

In linux-next (4.13.0-rc6-next-20170824):

  $ ls -al /sys/kernel/security/apparmor/.access
  -rw-r- 1 root root 0 Aug 24 21:26 /sys/kernel/security/apparmor/.access

This means that the D-Bus session bus cannot perform AppArmor policy queries because it can't open the .access file.

** Package changed: snapd (Ubuntu) => linux (Ubuntu)

** Changed in: linux (Ubuntu)
   Importance: Undecided => High

** Changed in: linux (Ubuntu)
   Status: New => Triaged

** Changed in: linux (Ubuntu)
   Assignee: (unassigned) => John Johansen (jjohansen)
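The permission change described in the message above can be checked mechanically. The script below is an added example, not code from the bug thread or from the kernel: it compares the six file modes from the two tables quoted in this thread and lists the entries that lost access for users outside the owner and group. The function names, and the assumption that an unprivileged caller needs both read and write on the query file, are the example's own.

```shell
#!/bin/sh
# Added example. Modes are the file entries of the aa_fs_entry_apparmor
# (old) and aa_sfs_entry_apparmor (new) tables quoted in this thread.
OLD_MODES='.access 0666
.stacked 0666
.ns_stacked 0666
.ns_level 0666
.ns_name 0666
profiles 0444'
NEW_MODES='.access 0640
.stacked 0444
.ns_stacked 0444
.ns_level 0666
.ns_name 0640
profiles 0440'

# Assumption: a caller that is neither owner nor in the group needs both
# read and write on the file to use it as a query interface.
unprivileged_can_query() {
    [ $(( 0$1 & 06 )) -eq 6 ]
}

# Print each entry whose "other" permission bits were reduced.
# lost is a bitmask: 4 = read removed, 2 = write removed, 6 = both.
lost_other_access() {
    printf '%s\n' "$1" | while read -r name old; do
        new=$(printf '%s\n' "$2" | awk -v n="$name" '$1 == n { print $2 }')
        [ -n "$new" ] || continue
        lost=$(( (0$old & 07) & ~(0$new & 07) & 07 ))
        if [ "$lost" -ne 0 ]; then
            printf '%s %s->%s lost=%d\n' "$name" "$old" "$new" "$lost"
        fi
    done
}

# Hypothetical helper: the same test against the running kernel.
check_live() {
    f=/sys/kernel/security/apparmor/.access
    [ -e "$f" ] || { echo "$f not present"; return 0; }
    mode=$(stat -c %a "$f")
    if unprivileged_can_query "$mode"; then echo "$f $mode: open to all users"
    else echo "$f $mode: owner/group only"; fi
}

lost_other_access "$OLD_MODES" "$NEW_MODES"
check_live
```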
[Bug 1713103] Re: snapd 2.27.3+17.10 ADT test failure with linux 4.13.0-6.7
+ su -l -c 'test-snapd-upower-observe-consumer.upower --dump' test
(upower:19791): UPower-WARNING **: Cannot connect to upowerd: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Failed to query AppArmor policy: Permission denied
[Bug 1713103] Re: snapd 2.27.3+17.10 ADT test failure with linux 4.13.0-6.7
+ su -l -c test-snapd-system-observe-consumer.dbus-introspect test
Traceback (most recent call last):
  File "/snap/test-snapd-system-observe-consumer/6/bin/dbus-introspect", line 10, in
    sys.exit(run())
  File "/snap/test-snapd-system-observe-consumer/6/bin/dbus-introspect", line 6, in run
    obj = dbus.SystemBus().get_object("org.freedesktop.hostname1", "/org/freedesktop/hostname1")
  File "/snap/test-snapd-system-observe-consumer/6/usr/lib/python3/dist-packages/dbus/_dbus.py", line 194, in __new__
    private=private)
  File "/snap/test-snapd-system-observe-consumer/6/usr/lib/python3/dist-packages/dbus/_dbus.py", line 100, in __new__
    bus = BusConnection.__new__(subclass, bus_type, mainloop=mainloop)
  File "/snap/test-snapd-system-observe-consumer/6/usr/lib/python3/dist-packages/dbus/bus.py", line 122, in __new__
    bus = cls._new_for_bus(address_or_type, mainloop=mainloop)
dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: Failed to query AppArmor policy: Permission denied
[Bug 1713103] Re: snapd 2.27.3+17.10 ADT test failure with linux 4.13.0-6.7
+ CONNECTED_PATTERN=':avahi-observe +generic-consumer'
+ DISCONNECTED_PATTERN='^\- +generic-consumer:avahi-observe'
+ avahi_dbus_call='dbus-send --system --print-reply --dest=org.freedesktop.Avahi / org.freedesktop.Avahi.Server.GetHostName'
+ echo 'Then the plug is disconnected by default'
Then the plug is disconnected by default
+ MATCH '^\- +generic-consumer:avahi-observe'
+ snap interfaces
++ snap debug confinement
+ '[' strict = strict ']'
+ echo 'And the snap is not able to access avahi provided info'
And the snap is not able to access avahi provided info
+ generic-consumer.cmd dbus-send --system --print-reply --dest=org.freedesktop.Avahi / org.freedesktop.Avahi.Server.GetHostName
+ MATCH org.freedesktop.DBus.Error.AccessDenied
+ cat avahi.error
error: pattern not found, got:
Failed to open connection to "system" message bus: Failed to query AppArmor policy: Permission denied
[Bug 1713103] Re: snapd 2.27.3+17.10 ADT test failure with linux 4.13.0-6.7
+ su -l -c shutdown-introspection-consumer test
Failed to open connection to "system" message bus: Failed to query AppArmor policy: Permission denied