Thanks for clearing that up, Seth!
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1298611
Title:
[FFe] apparmor signal and ptrace mediation
Status in apparmor package in Ubuntu:
Fix
Ken,
The ptrace mediation in 12.04 LTS is very rudimentary; if you add
capability sys_ptrace, to a profile then processes running in that
profile are allowed to trace any process the discretionary access
controls allow. The fine-grained permissions introduced in 14.04 LTS
require both the new
Did these changes end up in Precise? I see no sensible way to tell
AppArmor to allow a ptrace. The parser is totally confused by this.
The debdiff attached for apparmor looks good, aside from missing some
Breaks: on the old versions of the packages that need to go in at the
same time (because their policies will cease to be sufficient once
ptrace/signal mediation support lands). Jamie has pushed the added
Breaks; once they're
** Branch linked: lp:ubuntu/trusty-proposed/apparmor-easyprof-ubuntu
This bug was fixed in the package lightdm - 1.9.14-0ubuntu2
---
lightdm (1.9.14-0ubuntu2) trusty; urgency=medium
* debian/patches/06_guest_signal_and_ptrace_aa_rules.patch: Grant
permission for guest session processes to signal and ptrace each
other (LP: #1298611)
*
This bug was fixed in the package libvirt - 1.2.2-0ubuntu9
---
libvirt (1.2.2-0ubuntu9) trusty; urgency=medium
[ Jamie Strandboge ]
* updates for AppArmor signals and ptrace mediation (LP: #1298611)
- debian/apparmor/libvirt-qemu: allow guests to receive signals from and
This bug was fixed in the package apparmor - 2.8.95~2430-0ubuntu5
---
apparmor (2.8.95~2430-0ubuntu5) trusty; urgency=medium
* debian/control: add versioned Breaks to apparmor for lxc, libvirt-bin,
lightdm and apparmor-easyprof-ubuntu
apparmor (2.8.95~2430-0ubuntu4) trusty;
This bug was fixed in the package apparmor-easyprof-ubuntu - 1.1.14
---
apparmor-easyprof-ubuntu (1.1.14) trusty; urgency=medium
* 1.1/webview: update for ptrace and signal mediation (LP: #1298611)
* debian/control: Depends on apparmor = 2.8.95~2430-0ubuntu4
-- Jamie Strandboge
This bug was fixed in the package lxc - 1.0.2-0ubuntu2
---
lxc (1.0.2-0ubuntu2) trusty; urgency=medium
* updates for AppArmor signal and ptrace mediation (LP: #1298611)
- debian/patches/apparmor-signal-ptrace.patch: add signal and ptrace rules
to
Here is a debdiff for lxc. It is tested on trusty. To ease backporting,
I updated debian/rules to strip out the signal and ptrace rules for
Ubuntu releases earlier than 14.04 (using the same method as for
stripping out dbus for earlier than 13.10), but could not test earlier
releases because
** Description changed:
Background: kernel and apparmor userspace updates to support signal and
ptrace mediation. These packages are listed in one bug because they are
related, but the FFes may be granted and the uploads may happen at
different times.
= linux =
Summary:
This
The LXC change looks good, it's in line with what I was planning to push
upstream. Feel free to upload that directly to the archive and I'll do a
similar upstream change right around the same time so our PPA users
don't break, then shortly after that will tag 1.0.3 and get that into
trusty so we
The apparmor-easyprof-ubuntu change is not strictly needed in this
upload since it is primarily used for Touch and the Touch kernels don't
yet have the updated patchset. However, it could affect people testing
click packages on the desktop and it is a change we need to make anyway.
** Also
** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-0055
** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-0131
** Patch added: apparmor-easyprof-ubuntu_1.1.14.debdiff
https://bugs.launchpad.net/ubuntu/+source/apparmor-easyprof-ubuntu/+bug/1298611/+attachment/4064055/+files/apparmor-easyprof-ubuntu_1.1.14.debdiff
Here's the lightdm debdiff to allow the guest session to start with
AppArmor signal and ptrace mediation. It is tested on Trusty amd64.
** Patch added: lightdm_1.9.14-0ubuntu2.debdiff
Here's an updated libvirt debdiff. I rebased Jamie's debdiff on top of
the libvirt that was uploaded to the archive yesterday.
** Patch added: libvirt_1.2.2-0ubuntu9.debdiff
Here's the apparmor debdiff. The testing performed is described in the
bug description. Let me know if there are any questions.
** Patch added: apparmor_2.8.95~2430-0ubuntu4.debdiff
** Changed in: apparmor (Ubuntu)
Status: In Progress => Fix Committed
** Changed in: apparmor-easyprof-ubuntu (Ubuntu)
Status: In Progress => Fix Committed
** Changed in: libvirt (Ubuntu)
Status: In Progress => Fix Committed
** Changed in: lightdm (Ubuntu)
Status: In
FYI, retested all the packages in the PPA on desktop/server for TestPlan
with and without the kernel that supports signal/ptrace mediation and
everything passes (barring expected test-libvirt.py errors unrelated to
apparmor).
** Changed in: apparmor (Ubuntu)
Status: Fix Committed => New
** Changed in: apparmor-easyprof-ubuntu (Ubuntu)
Status: Fix Committed => New
** Changed in: libvirt (Ubuntu)
Status: Fix Committed => New
** Changed in: lightdm (Ubuntu)
Status: Fix Committed => New
**
This bug was fixed in the package linux - 3.13.0-21.43
---
linux (3.13.0-21.43) trusty; urgency=low
[ Andy Whitcroft ]
* SAUCE: kvm: BIOS disabled kvm support should be a warning
- LP: #1300247
* SAUCE: nouveau: missing outputs should be warnings
- LP: #1300244
[
I've added tasks for lightdm and lxc. The lightdm guest session
abstraction needs to be updated for signal and ptrace mediation and I'm
currently working on that. In previous IRC discussions, stgraber
mentioned that he had a handle on what was needed for the lxc policy so
I've assigned him but I
Note: I only did rudimentary testing: create, ls, start, shutdown,
destroy.
Stéphane, all that is needed is to add the following to
abstractions/lxc/container-base and abstractions/lxc/start-container:
signal,
ptrace,
Obviously, confinement could be more interesting, but like with dbus we
should err on the side of caution and just let these through. Adding
this
Adding libvirt task for if the apparmor and linux tasks are accepted.
Debdiff should be applied at same time as apparmor upload.
** Description changed:
Background: kernel and apparmor userspace updates to support signal and
ptrace mediation. These packages are listed in one bug because they
** Changed in: linux (Ubuntu)
Status: Confirmed => Fix Committed
Approving the kernel side of this. Please re-test against the -21
kernel when it spits out of the buildds.
Adam, thanks for the review and we will test that kernel. FYI, if by
some chance the userspace bits aren't granted the FFe, the kernel bits
are safe to keep in trusty.
** Changed in: linux (Ubuntu)
Status: Incomplete => Confirmed
** Description changed:
= linux =
This feature freeze exception is requested for signal and ptrace mediation
via apparmor in the kernel. When used with a compatible apparmor userspace,
signals and ptrace rules are supported. When used without a compatible apparmor
userspace (eg, on a
** Description changed:
+ Background: kernel and apparmor userspace updates to support signal and
+ ptrace mediation. These packages are listed in one bug because they are
+ related, but the FFes may be granted and the uploads may happen at
+ different times.
+
= linux =
+ Summary:
This
** Changed in: linux (Ubuntu)
Status: Incomplete => New
** Description changed:
Background: kernel and apparmor userspace updates to support signal and
ptrace mediation. These packages are listed in one bug because they are
related, but the FFes may be granted and the uploads may
** Changed in: linux (Ubuntu)
Status: Incomplete => New
** Tags removed: bot-stop-nagging
** Tags added: kernel-bot-stop-nagging
** Changed in: linux (Ubuntu)
Status: Incomplete => New