[Kernel-packages] [Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches
** Tags added: cscc -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1780227 Title: locking sockets broken due to missing AppArmor socket mediation patches Status in apparmor package in Ubuntu: Invalid Status in linux package in Ubuntu: Fix Released Status in apparmor source package in Xenial: Invalid Status in linux source package in Xenial: Fix Released Status in apparmor source package in Bionic: Invalid Status in linux source package in Bionic: Fix Released Bug description: Hey, Newer systemd makes use of locks placed on AF_UNIX sockets created with the socketpair() syscall to synchronize various bits and pieces when isolating services. On kernels prior to 4.18 that do not have backported the AppArmor socket mediation patchset this will cause the locks to be denied with EACCESS. This causes systemd to be broken in LXC and LXD containers that do not run unconfined which is a pretty big deal. We have seen various bug reports related to this. See for example [1] and [2]. If feasible it would be excellent if we could backport the socket mediation patchset to all LTS kernels. Afaict, this should be 4.4 and 4.15. This will unbreak a whole range of use-cases. The socket mediation patchset is available here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4 [1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779 [2]: https://github.com/systemd/systemd/issues/9493 Thanks! Christian To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1780227/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches
Thanks John for having that already fixed. I wanted to let everybody subscribed here know that as of today Cosmic has the new systemd 239. That said people (like me) who reboot rarely and still have a kernel before that will from now on see this when booting a cosmic container: # systemctl status systemd-resolved ● systemd-resolved.service - Network Name Resolution Loaded: loaded (/lib/systemd/system/systemd-resolved.service; enabled; vendor preset: enabled) Active: failed (Result: exit-code) since Wed 2018-08-29 10:39:04 UTC; 10min ago And obviously name resolution in there is broken due to that. I hope people will find bug 1789627 and not debug too long on their own to eventually get here. -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1780227 Title: locking sockets broken due to missing AppArmor socket mediation patches Status in apparmor package in Ubuntu: Invalid Status in linux package in Ubuntu: Fix Released Status in apparmor source package in Xenial: Invalid Status in linux source package in Xenial: Fix Released Status in apparmor source package in Bionic: Invalid Status in linux source package in Bionic: Fix Released Bug description: Hey, Newer systemd makes use of locks placed on AF_UNIX sockets created with the socketpair() syscall to synchronize various bits and pieces when isolating services. On kernels prior to 4.18 that do not have backported the AppArmor socket mediation patchset this will cause the locks to be denied with EACCESS. This causes systemd to be broken in LXC and LXD containers that do not run unconfined which is a pretty big deal. We have seen various bug reports related to this. See for example [1] and [2]. If feasible it would be excellent if we could backport the socket mediation patchset to all LTS kernels. Afaict, this should be 4.4 and 4.15. This will unbreak a whole range of use-cases. The socket mediation patchset is available here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4 [1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779 [2]: https://github.com/systemd/systemd/issues/9493 Thanks! Christian To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1780227/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches
This bug was fixed in the package linux - 4.4.0-134.160 --- linux (4.4.0-134.160) xenial; urgency=medium * linux: 4.4.0-134.160 -proposed tracker (LP: #1787177) * locking sockets broken due to missing AppArmor socket mediation patches (LP: #1780227) - UBUNTU SAUCE: apparmor: fix apparmor mediating locking non-fs, unix sockets * Backport namespaced fscaps to xenial 4.4 (LP: #1778286) - Introduce v3 namespaced file capabilities - commoncap: move assignment of fs_ns to avoid null pointer dereference - capabilities: fix buffer overread on very short xattr - commoncap: Handle memory allocation failure. * Xenial update to 4.4.140 stable release (LP: #1784409) - usb: cdc_acm: Add quirk for Uniden UBC125 scanner - USB: serial: cp210x: add CESINEL device ids - USB: serial: cp210x: add Silicon Labs IDs for Windows Update - n_tty: Fix stall at n_tty_receive_char_special(). - staging: android: ion: Return an ERR_PTR in ion_map_kernel - n_tty: Access echo_* variables carefully. - x86/boot: Fix early command-line parsing when matching at end - ath10k: fix rfc1042 header retrieval in QCA4019 with eth decap mode - i2c: rcar: fix resume by always initializing registers before transfer - ipv4: Fix error return value in fib_convert_metrics() - kprobes/x86: Do not modify singlestep buffer while resuming - nvme-pci: initialize queue memory before interrupts - netfilter: nf_tables: use WARN_ON_ONCE instead of BUG_ON in nft_do_chain() - ARM: dts: imx6q: Use correct SDMA script for SPI5 core - ubi: fastmap: Correctly handle interrupted erasures in EBA - mm: hugetlb: yield when prepping struct pages - tracing: Fix missing return symbol in function_graph output - scsi: sg: mitigate read/write abuse - s390: Correct register corruption in critical section cleanup - drbd: fix access after free - cifs: Fix infinite loop when using hard mount option - jbd2: don't mark block as modified if the handle is out of credits - ext4: make sure bitmaps and the inode table don't overlap with bg descriptors - ext4: always check block group bounds in ext4_init_block_bitmap() - ext4: only look at the bg_flags field if it is valid - ext4: verify the depth of extent tree in ext4_find_extent() - ext4: include the illegal physical block in the bad map ext4_error msg - ext4: clear i_data in ext4_inode_info when removing inline data - ext4: add more inode number paranoia checks - ext4: add more mount time checks of the superblock - ext4: check superblock mapped prior to committing - HID: i2c-hid: Fix "incomplete report" noise - HID: hiddev: fix potential Spectre v1 - HID: debug: check length before copy_to_user() - x86/mce: Detect local MCEs properly - x86/mce: Fix incorrect "Machine check from unknown source" message - media: cx25840: Use subdev host data for PLL override - mm, page_alloc: do not break __GFP_THISNODE by zonelist reset - dm bufio: avoid sleeping while holding the dm_bufio lock - dm bufio: drop the lock when doing GFP_NOIO allocation - mtd: rawnand: mxc: set spare area size register explicitly - dm bufio: don't take the lock in dm_bufio_shrink_count - mtd: cfi_cmdset_0002: Change definition naming to retry write operation - mtd: cfi_cmdset_0002: Change erase functions to retry for error - mtd: cfi_cmdset_0002: Change erase functions to check chip good only - netfilter: nf_log: don't hold nf_log_mutex during user access - staging: comedi: quatech_daqp_cs: fix no-op loop daqp_ao_insn_write() - Linux 4.4.140 * Xenial update to 4.4.139 stable release (LP: #1784382) - xfrm6: avoid potential infinite loop in _decode_session6() - netfilter: ebtables: handle string from userspace with care - ipvs: fix buffer overflow with sync daemon and service - atm: zatm: fix memcmp casting - net: qmi_wwan: Add Netgear Aircard 779S - net/sonic: Use dma_mapping_error() - Revert "Btrfs: fix scrub to repair raid6 corruption" - tcp: do not overshoot window_clamp in tcp_rcv_space_adjust() - Btrfs: make raid6 rebuild retry more - usb: musb: fix remote wakeup racing with suspend - bonding: re-evaluate force_primary when the primary slave name changes - tcp: verify the checksum of the first data segment in a new connection - ext4: update mtime in ext4_punch_hole even if no blocks are released - ext4: fix fencepost error in check for inode count overflow during resize - driver core: Don't ignore class_dir_create_and_add() failure. - btrfs: scrub: Don't use inode pages for device replace - ALSA: hda - Handle kzalloc() failure in snd_hda_attach_pcm_stream() - ALSA: hda: add dock and led support for HP EliteBook 830 G5 - ALSA: hda: add dock and led support for HP ProBook 640 G4 - cpufreq: Fix new policy initialization during limits updates via
[Kernel-packages] [Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches
This bug was fixed in the package linux - 4.15.0-33.36 --- linux (4.15.0-33.36) bionic; urgency=medium * linux: 4.15.0-33.36 -proposed tracker (LP: #1787149) * RTNL assertion failure on ipvlan (LP: #1776927) - ipvlan: drop ipv6 dependency - ipvlan: use per device spinlock to protect addrs list updates - SAUCE: fix warning from "ipvlan: drop ipv6 dependency" * ubuntu_bpf_jit test failed on Bionic s390x systems (LP: #1753941) - test_bpf: flag tests that cannot be jited on s390 * HDMI/DP audio can't work on the laptop of Dell Latitude 5495 (LP: #1782689) - drm/nouveau: fix nouveau_dsm_get_client_id()'s return type - drm/radeon: fix radeon_atpx_get_client_id()'s return type - drm/amdgpu: fix amdgpu_atpx_get_client_id()'s return type - platform/x86: apple-gmux: fix gmux_get_client_id()'s return type - ALSA: hda: use PCI_BASE_CLASS_DISPLAY to replace PCI_CLASS_DISPLAY_VGA - vga_switcheroo: set audio client id according to bound GPU id * locking sockets broken due to missing AppArmor socket mediation patches (LP: #1780227) - UBUNTU SAUCE: apparmor: fix apparmor mediating locking non-fs, unix sockets * Update2 for ocxl driver (LP: #1781436) - ocxl: Fix page fault handler in case of fault on dying process * netns: unable to follow an interface that moves to another netns (LP: #1774225) - net: core: Expose number of link up/down transitions - dev: always advertise the new nsid when the netns iface changes - dev: advertise the new ifindex when the netns iface changes * [Bionic] Disk IO hangs when using BFQ as io scheduler (LP: #1780066) - block, bfq: fix occurrences of request finish method's old name - block, bfq: remove batches of confusing ifdefs - block, bfq: add requeue-request hook * HP ProBook 455 G5 needs mute-led-gpio fixup (LP: #1781763) - ALSA: hda: add mute led support for HP ProBook 455 G5 * [Bionic] bug fixes to improve stability of the ThunderX2 i2c driver (LP: #1781476) - i2c: xlp9xx: Fix issue seen when updating receive length - i2c: xlp9xx: Make sure the transfer size is not more than I2C_SMBUS_BLOCK_SIZE * x86/kvm: fix LAPIC timer drift when guest uses periodic mode (LP: #1778486) - x86/kvm: fix LAPIC timer drift when guest uses periodic mode * Please include ax88179_178a and r8152 modules in d-i udeb (LP: #1771823) - [Config:] d-i: Add ax88179_178a and r8152 to nic-modules * Nvidia fails after switching its mode (LP: #1778658) - PCI: Restore config space on runtime resume despite being unbound * Kernel error "task zfs:pid blocked for more than 120 seconds" (LP: #1781364) - SAUCE: (noup) zfs to 0.7.5-1ubuntu16.3 * CVE-2018-12232 - PATCH 1/1] socket: close race condition between sock_close() and sockfs_setattr() * CVE-2018-10323 - xfs: set format back to extents if xfs_bmap_extents_to_btree * change front mic location for more lenovo m7/8/9xx machines (LP: #1781316) - ALSA: hda/realtek - Fix the problem of two front mics on more machines - ALSA: hda/realtek - two more lenovo models need fixup of MIC_LOCATION * Cephfs + fscache: unable to handle kernel NULL pointer dereference at IP: jbd2__journal_start+0x22/0x1f0 (LP: #1783246) - ceph: track read contexts in ceph_file_info * Touchpad of ThinkPad P52 failed to work with message "lost sync at byte" (LP: #1779802) - Input: elantech - fix V4 report decoding for module with middle key - Input: elantech - enable middle button of touchpads on ThinkPad P52 * xhci_hcd :00:14.0: Root hub is not suspended (LP: #1779823) - usb: xhci: dbc: Fix lockdep warning - usb: xhci: dbc: Don't decrement runtime PM counter if DBC is not started * CVE-2018-13406 - video: uvesafb: Fix integer overflow in allocation * CVE-2018-10840 - ext4: correctly handle a zero-length xattr with a non-zero e_value_offs * CVE-2018-11412 - ext4: do not allow external inodes for inline data * CVE-2018-10881 - ext4: clear i_data in ext4_inode_info when removing inline data * CVE-2018-12233 - jfs: Fix inconsistency between memory allocation and ea_buf->max_size * CVE-2018-12904 - kvm: nVMX: Enforce cpl=0 for VMX instructions * Error parsing PCC subspaces from PCCT (LP: #1528684) - mailbox: PCC: erroneous error message when parsing ACPI PCCT * CVE-2018-13094 - xfs: don't call xfs_da_shrink_inode with NULL bp * other users' coredumps can be read via setgid directory and killpriv bypass (LP: #1779923) // CVE-2018-13405 - Fix up non-directory creation in SGID directories * Invoking obsolete 'firmware_install' target breaks snap build (LP: #1782166) - snapcraft.yaml: stop invoking the obsolete (and non-existing) 'firmware_install' target * snapcraft.yaml: missing ubuntu-retpoline-extract-one script breaks the build (LP: #1782116) - snapcraft.yaml: copy
[Kernel-packages] [Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches
This bug was fixed in the package linux - 4.17.0-7.8
---
linux (4.17.0-7.8) cosmic; urgency=medium
* linux: 4.17.0-7.8 -proposed tracker (LP: #1785242)
* Cosmic update to 4.17.12 stable release (LP: #1785211)
- spi: spi-s3c64xx: Fix system resume support
- Input: elan_i2c - add ACPI ID for lenovo ideapad 330
- Input: i8042 - add Lenovo LaVie Z to the i8042 reset list
- Input: elan_i2c - add another ACPI ID for Lenovo Ideapad 330-15AST
- mm: disallow mappings that conflict for devm_memremap_pages()
- kvm, mm: account shadow page tables to kmemcg
- delayacct: fix crash in delayacct_blkio_end() after delayacct init failure
- tracing: Fix double free of event_trigger_data
- tracing: Fix possible double free in event_enable_trigger_func()
- kthread, tracing: Don't expose half-written comm when creating kthreads
- tracing/kprobes: Fix trace_probe flags on enable_trace_kprobe() failure
- tracing: Quiet gcc warning about maybe unused link variable
- arm64: fix vmemmap BUILD_BUG_ON() triggering on !vmemmap setups
- drm/i915/glk: Add Quirk for GLK NUC HDMI port issues.
- mlxsw: spectrum_switchdev: Fix port_vlan refcounting
- kcov: ensure irq code sees a valid area
- mm: check for SIGKILL inside dup_mmap() loop
- drm/amd/powerplay: Set higher SCLK frequency than dpm7 in OD (v2)
- xen/netfront: raise max number of slots in xennet_get_responses()
- hv_netvsc: fix network namespace issues with VF support
- skip LAYOUTRETURN if layout is invalid
- ixgbe: Fix setting of TC configuration for macvlan case
- ALSA: emu10k1: add error handling for snd_ctl_add
- ALSA: fm801: add error handling for snd_ctl_add
- NFSv4.1: Fix the client behaviour on NFS4ERR_SEQ_FALSE_RETRY
- nfsd: fix error handling in nfs4_set_delegation()
- nfsd: fix potential use-after-free in nfsd4_decode_getdeviceinfo
- vfio: platform: Fix reset module leak in error path
- vfio/mdev: Check globally for duplicate devices
- vfio/type1: Fix task tracking for QEMU vCPU hotplug
- kernel/hung_task.c: show all hung tasks before panic
- mem_cgroup: make sure moving_account, move_lock_task and stat_cpu in the
same cacheline
- mm: /proc/pid/pagemap: hide swap entries from unprivileged users
- mm: vmalloc: avoid racy handling of debugobjects in vunmap
- mm/slub.c: add __printf verification to slab_err()
- rtc: ensure rtc_set_alarm fails when alarms are not supported
- rxrpc: Fix terminal retransmission connection ID to include the channel
- perf tools: Fix pmu events parsing rule
- netfilter: ipset: forbid family for hash:mac sets
- netfilter: ipset: List timing out entries with "timeout 1" instead of zero
- irqchip/ls-scfg-msi: Map MSIs in the iommu
- watchdog: da9063: Fix updating timeout value
- media: arch: sh: migor: Fix TW9910 PDN gpio
- printk: drop in_nmi check from printk_safe_flush_on_panic()
- bpf, arm32: fix inconsistent naming about emit_a32_lsr_{r64,i64}
- ceph: fix alignment of rasize
- ceph: fix use-after-free in ceph_statfs()
- e1000e: Ignore TSYNCRXCTL when getting I219 clock attributes
- infiniband: fix a possible use-after-free bug
- powerpc/lib: Adjust .balign inside string functions for PPC32
- powerpc/64s: Add barrier_nospec
- powerpc/eeh: Fix use-after-release of EEH driver
- hvc_opal: don't set tb_ticks_per_usec in udbg_init_opal_common()
- powerpc/64s: Fix compiler store ordering to SLB shadow area
- clk-si544: Properly round requested frequency to nearest match
- clk: ingenic: jz4770: Modify C1CLK clock to disable CPU clock stop on idle
- RDMA/mad: Convert BUG_ONs to error flows
- lightnvm: fix partial read error path
- lightnvm: proper error handling for pblk_bio_add_pages
- lightnvm: pblk: warn in case of corrupted write buffer
- netfilter: nf_tables: check msg_type before nft_trans_set(trans)
- pnfs: Don't release the sequence slot until we've processed layoutget on
open
- NFS: Fix up nfs_post_op_update_inode() to force ctime updates
- disable loading f2fs module on PAGE_SIZE > 4KB
- f2fs: fix error path of move_data_page
- f2fs: don't drop dentry pages after fs shutdown
- f2fs: fix to don't trigger writeback during recovery
- f2fs: fix to wait page writeback during revoking atomic write
- f2fs: Fix deadlock in shutdown ioctl
- f2fs: fix missing clear FI_NO_PREALLOC in some error case
- f2fs: fix to detect failure of dquot_initialize
- f2fs: fix race in between GC and atomic open
- block, bfq: remove wrong lock in bfq_requests_merged
- usbip: usbip_detach: Fix memory, udev context and udev leak
- usbip: dynamically allocate idev by nports found in sysfs
- perf/x86/intel/uncore: Correct fixed counter index check in generic code
- perf/x86/intel/uncore: Correct fixed counter index check for NHM
-
[Kernel-packages] [Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches
** Tags added: verification-done-bionic -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1780227 Title: locking sockets broken due to missing AppArmor socket mediation patches Status in apparmor package in Ubuntu: Invalid Status in linux package in Ubuntu: Fix Committed Status in apparmor source package in Xenial: Invalid Status in linux source package in Xenial: Fix Committed Status in apparmor source package in Bionic: Invalid Status in linux source package in Bionic: Fix Committed Bug description: Hey, Newer systemd makes use of locks placed on AF_UNIX sockets created with the socketpair() syscall to synchronize various bits and pieces when isolating services. On kernels prior to 4.18 that do not have backported the AppArmor socket mediation patchset this will cause the locks to be denied with EACCESS. This causes systemd to be broken in LXC and LXD containers that do not run unconfined which is a pretty big deal. We have seen various bug reports related to this. See for example [1] and [2]. If feasible it would be excellent if we could backport the socket mediation patchset to all LTS kernels. Afaict, this should be 4.4 and 4.15. This will unbreak a whole range of use-cases. The socket mediation patchset is available here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4 [1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779 [2]: https://github.com/systemd/systemd/issues/9493 Thanks! Christian To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1780227/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches
** Tags removed: verification-needed-bionic verification-needed-xenial ** Tags added: verification-done-xenial -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1780227 Title: locking sockets broken due to missing AppArmor socket mediation patches Status in apparmor package in Ubuntu: Invalid Status in linux package in Ubuntu: Fix Committed Status in apparmor source package in Xenial: Invalid Status in linux source package in Xenial: Fix Committed Status in apparmor source package in Bionic: Invalid Status in linux source package in Bionic: Fix Committed Bug description: Hey, Newer systemd makes use of locks placed on AF_UNIX sockets created with the socketpair() syscall to synchronize various bits and pieces when isolating services. On kernels prior to 4.18 that do not have backported the AppArmor socket mediation patchset this will cause the locks to be denied with EACCESS. This causes systemd to be broken in LXC and LXD containers that do not run unconfined which is a pretty big deal. We have seen various bug reports related to this. See for example [1] and [2]. If feasible it would be excellent if we could backport the socket mediation patchset to all LTS kernels. Afaict, this should be 4.4 and 4.15. This will unbreak a whole range of use-cases. The socket mediation patchset is available here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4 [1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779 [2]: https://github.com/systemd/systemd/issues/9493 Thanks! Christian To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1780227/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed- bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed- bionic'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags added: verification-needed-bionic -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1780227 Title: locking sockets broken due to missing AppArmor socket mediation patches Status in apparmor package in Ubuntu: Invalid Status in linux package in Ubuntu: Fix Committed Status in apparmor source package in Xenial: Invalid Status in linux source package in Xenial: Fix Committed Status in apparmor source package in Bionic: Invalid Status in linux source package in Bionic: Fix Committed Bug description: Hey, Newer systemd makes use of locks placed on AF_UNIX sockets created with the socketpair() syscall to synchronize various bits and pieces when isolating services. On kernels prior to 4.18 that do not have backported the AppArmor socket mediation patchset this will cause the locks to be denied with EACCESS. This causes systemd to be broken in LXC and LXD containers that do not run unconfined which is a pretty big deal. We have seen various bug reports related to this. See for example [1] and [2]. If feasible it would be excellent if we could backport the socket mediation patchset to all LTS kernels. Afaict, this should be 4.4 and 4.15. This will unbreak a whole range of use-cases. The socket mediation patchset is available here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4 [1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779 [2]: https://github.com/systemd/systemd/issues/9493 Thanks! Christian To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1780227/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed- xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed- xenial'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags added: verification-needed-xenial -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1780227 Title: locking sockets broken due to missing AppArmor socket mediation patches Status in apparmor package in Ubuntu: Invalid Status in linux package in Ubuntu: Fix Committed Status in apparmor source package in Xenial: Invalid Status in linux source package in Xenial: Fix Committed Status in apparmor source package in Bionic: Invalid Status in linux source package in Bionic: Fix Committed Bug description: Hey, Newer systemd makes use of locks placed on AF_UNIX sockets created with the socketpair() syscall to synchronize various bits and pieces when isolating services. On kernels prior to 4.18 that do not have backported the AppArmor socket mediation patchset this will cause the locks to be denied with EACCESS. This causes systemd to be broken in LXC and LXD containers that do not run unconfined which is a pretty big deal. We have seen various bug reports related to this. See for example [1] and [2]. If feasible it would be excellent if we could backport the socket mediation patchset to all LTS kernels. Afaict, this should be 4.4 and 4.15. This will unbreak a whole range of use-cases. The socket mediation patchset is available here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4 [1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779 [2]: https://github.com/systemd/systemd/issues/9493 Thanks! Christian To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1780227/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches
** Changed in: linux (Ubuntu) Status: Triaged => Fix Committed -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1780227 Title: locking sockets broken due to missing AppArmor socket mediation patches Status in apparmor package in Ubuntu: Invalid Status in linux package in Ubuntu: Fix Committed Status in apparmor source package in Xenial: Invalid Status in linux source package in Xenial: Fix Committed Status in apparmor source package in Bionic: Invalid Status in linux source package in Bionic: Fix Committed Bug description: Hey, Newer systemd makes use of locks placed on AF_UNIX sockets created with the socketpair() syscall to synchronize various bits and pieces when isolating services. On kernels prior to 4.18 that do not have backported the AppArmor socket mediation patchset this will cause the locks to be denied with EACCESS. This causes systemd to be broken in LXC and LXD containers that do not run unconfined which is a pretty big deal. We have seen various bug reports related to this. See for example [1] and [2]. If feasible it would be excellent if we could backport the socket mediation patchset to all LTS kernels. Afaict, this should be 4.4 and 4.15. This will unbreak a whole range of use-cases. The socket mediation patchset is available here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4 [1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779 [2]: https://github.com/systemd/systemd/issues/9493 Thanks! Christian To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1780227/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches
** Changed in: linux (Ubuntu Xenial) Status: Triaged => Fix Committed ** Changed in: linux (Ubuntu Bionic) Status: Triaged => Fix Committed -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1780227 Title: locking sockets broken due to missing AppArmor socket mediation patches Status in apparmor package in Ubuntu: Invalid Status in linux package in Ubuntu: Triaged Status in apparmor source package in Xenial: Invalid Status in linux source package in Xenial: Fix Committed Status in apparmor source package in Bionic: Invalid Status in linux source package in Bionic: Fix Committed Bug description: Hey, Newer systemd makes use of locks placed on AF_UNIX sockets created with the socketpair() syscall to synchronize various bits and pieces when isolating services. On kernels prior to 4.18 that do not have backported the AppArmor socket mediation patchset this will cause the locks to be denied with EACCESS. This causes systemd to be broken in LXC and LXD containers that do not run unconfined which is a pretty big deal. We have seen various bug reports related to this. See for example [1] and [2]. If feasible it would be excellent if we could backport the socket mediation patchset to all LTS kernels. Afaict, this should be 4.4 and 4.15. This will unbreak a whole range of use-cases. The socket mediation patchset is available here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4 [1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779 [2]: https://github.com/systemd/systemd/issues/9493 Thanks! Christian To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1780227/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches
I tested on two systems, one clean xenial and one clean bionic, both running the current stable LXD snap with latest ArchLinux and Debian containers. On both of them, upgrading to the kernels provided by John fixed the file_lock denials and made the containers boot again. So as far as I'm concerned, we're good to start pushing this to Ubuntu kernels. -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1780227 Title: locking sockets broken due to missing AppArmor socket mediation patches Status in apparmor package in Ubuntu: Invalid Status in linux package in Ubuntu: Triaged Status in apparmor source package in Xenial: Invalid Status in linux source package in Xenial: Triaged Status in apparmor source package in Bionic: Invalid Status in linux source package in Bionic: Triaged Bug description: Hey, Newer systemd makes use of locks placed on AF_UNIX sockets created with the socketpair() syscall to synchronize various bits and pieces when isolating services. On kernels prior to 4.18 that do not have backported the AppArmor socket mediation patchset this will cause the locks to be denied with EACCESS. This causes systemd to be broken in LXC and LXD containers that do not run unconfined which is a pretty big deal. We have seen various bug reports related to this. See for example [1] and [2]. If feasible it would be excellent if we could backport the socket mediation patchset to all LTS kernels. Afaict, this should be 4.4 and 4.15. This will unbreak a whole range of use-cases. The socket mediation patchset is available here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4 [1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779 [2]: https://github.com/systemd/systemd/issues/9493 Thanks! Christian To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1780227/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches
Can confirm that the patch seems to work on 4.15. No "denied" "file_lock" log-spam when starting ArchLinux containers anymore, and they seem to be behaving as expected again. -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1780227 Title: locking sockets broken due to missing AppArmor socket mediation patches Status in apparmor package in Ubuntu: Invalid Status in linux package in Ubuntu: Triaged Status in apparmor source package in Xenial: Invalid Status in linux source package in Xenial: Triaged Status in apparmor source package in Bionic: Invalid Status in linux source package in Bionic: Triaged Bug description: Hey, Newer systemd makes use of locks placed on AF_UNIX sockets created with the socketpair() syscall to synchronize various bits and pieces when isolating services. On kernels prior to 4.18 that do not have backported the AppArmor socket mediation patchset this will cause the locks to be denied with EACCESS. This causes systemd to be broken in LXC and LXD containers that do not run unconfined which is a pretty big deal. We have seen various bug reports related to this. See for example [1] and [2]. If feasible it would be excellent if we could backport the socket mediation patchset to all LTS kernels. Afaict, this should be 4.4 and 4.15. This will unbreak a whole range of use-cases. The socket mediation patchset is available here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4 [1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779 [2]: https://github.com/systemd/systemd/issues/9493 Thanks! Christian To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1780227/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches
v4.15 kernel works for me, as proposed. Would a similar thing be needed in the v4.17 kernel that is in cosmic- proposed? -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1780227 Title: locking sockets broken due to missing AppArmor socket mediation patches Status in apparmor package in Ubuntu: Invalid Status in linux package in Ubuntu: Triaged Status in apparmor source package in Xenial: Invalid Status in linux source package in Xenial: Triaged Status in apparmor source package in Bionic: Invalid Status in linux source package in Bionic: Triaged Bug description: Hey, Newer systemd makes use of locks placed on AF_UNIX sockets created with the socketpair() syscall to synchronize various bits and pieces when isolating services. On kernels prior to 4.18 that do not have backported the AppArmor socket mediation patchset this will cause the locks to be denied with EACCESS. This causes systemd to be broken in LXC and LXD containers that do not run unconfined which is a pretty big deal. We have seen various bug reports related to this. See for example [1] and [2]. If feasible it would be excellent if we could backport the socket mediation patchset to all LTS kernels. Afaict, this should be 4.4 and 4.15. This will unbreak a whole range of use-cases. The socket mediation patchset is available here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4 [1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779 [2]: https://github.com/systemd/systemd/issues/9493 Thanks! Christian To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1780227/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches
** Tags added: patch -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1780227 Title: locking sockets broken due to missing AppArmor socket mediation patches Status in apparmor package in Ubuntu: Invalid Status in linux package in Ubuntu: Triaged Status in apparmor source package in Xenial: Invalid Status in linux source package in Xenial: Triaged Status in apparmor source package in Bionic: Invalid Status in linux source package in Bionic: Triaged Bug description: Hey, Newer systemd makes use of locks placed on AF_UNIX sockets created with the socketpair() syscall to synchronize various bits and pieces when isolating services. On kernels prior to 4.18 that do not have backported the AppArmor socket mediation patchset this will cause the locks to be denied with EACCESS. This causes systemd to be broken in LXC and LXD containers that do not run unconfined which is a pretty big deal. We have seen various bug reports related to this. See for example [1] and [2]. If feasible it would be excellent if we could backport the socket mediation patchset to all LTS kernels. Afaict, this should be 4.4 and 4.15. This will unbreak a whole range of use-cases. The socket mediation patchset is available here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4 [1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779 [2]: https://github.com/systemd/systemd/issues/9493 Thanks! Christian To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1780227/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches
I have placed ubuntu test kernels for xenial and bionic in http://people.canonical.com/~jj/lp1780227/ the patch is attached ** Patch added: "0001-UBUNTU-SAUCE-apparmor-fix-apparmor-mediating-locking.patch" https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1780227/+attachment/5168755/+files/0001-UBUNTU-SAUCE-apparmor-fix-apparmor-mediating-locking.patch -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1780227 Title: locking sockets broken due to missing AppArmor socket mediation patches Status in apparmor package in Ubuntu: Invalid Status in linux package in Ubuntu: Triaged Status in apparmor source package in Xenial: Invalid Status in linux source package in Xenial: Triaged Status in apparmor source package in Bionic: Invalid Status in linux source package in Bionic: Triaged Bug description: Hey, Newer systemd makes use of locks placed on AF_UNIX sockets created with the socketpair() syscall to synchronize various bits and pieces when isolating services. On kernels prior to 4.18 that do not have backported the AppArmor socket mediation patchset this will cause the locks to be denied with EACCESS. This causes systemd to be broken in LXC and LXD containers that do not run unconfined which is a pretty big deal. We have seen various bug reports related to this. See for example [1] and [2]. If feasible it would be excellent if we could backport the socket mediation patchset to all LTS kernels. Afaict, this should be 4.4 and 4.15. This will unbreak a whole range of use-cases. The socket mediation patchset is available here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4 [1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779 [2]: https://github.com/systemd/systemd/issues/9493 Thanks! Christian To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1780227/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches
On Fri, Jul 27, 2018, 21:21 Stéphane Graber wrote: > Ok, thanks for the update. I've now updated the bug once again to move > all the tasks over to the kernel. Can you attach the kernel patch here > when you can, I'm sure some of the subscribers may want to test this > ahead of the Ubuntu kernel fixes :) > Might make sense to cc Lennart as he has a stake in this too. :) > ** Changed in: linux (Ubuntu) >Importance: Undecided => Critical > > ** Changed in: linux (Ubuntu Xenial) >Importance: Undecided => Critical > > ** Changed in: linux (Ubuntu Bionic) >Importance: Undecided => Critical > > ** Changed in: linux (Ubuntu) >Status: Invalid => Triaged > > ** Changed in: linux (Ubuntu Xenial) >Status: Invalid => Triaged > > ** Changed in: linux (Ubuntu Bionic) >Status: Invalid => Triaged > > ** Changed in: apparmor (Ubuntu) >Status: Triaged => Invalid > > ** Changed in: apparmor (Ubuntu Xenial) >Status: Triaged => Invalid > > ** Changed in: apparmor (Ubuntu Bionic) >Status: Triaged => Invalid > > ** Changed in: apparmor (Ubuntu) > Assignee: John Johansen (jjohansen) => (unassigned) > > ** Changed in: apparmor (Ubuntu Xenial) > Assignee: John Johansen (jjohansen) => (unassigned) > > ** Changed in: apparmor (Ubuntu Bionic) > Assignee: John Johansen (jjohansen) => (unassigned) > > ** Changed in: linux (Ubuntu) > Assignee: (unassigned) => John Johansen (jjohansen) > > ** Changed in: linux (Ubuntu Xenial) > Assignee: (unassigned) => John Johansen (jjohansen) > > ** Changed in: linux (Ubuntu Bionic) > Assignee: (unassigned) => John Johansen (jjohansen) > > -- > You received this bug notification because you are subscribed to the bug > report. > https://bugs.launchpad.net/bugs/1780227 > > Title: > locking sockets broken due to missing AppArmor socket mediation > patches > > Status in apparmor package in Ubuntu: > Invalid > Status in linux package in Ubuntu: > Triaged > Status in apparmor source package in Xenial: > Invalid > Status in linux source package in Xenial: > Triaged > Status in apparmor source package in Bionic: > Invalid > Status in linux source package in Bionic: > Triaged > > Bug description: > Hey, > > Newer systemd makes use of locks placed on AF_UNIX sockets created > with the socketpair() syscall to synchronize various bits and pieces > when isolating services. On kernels prior to 4.18 that do not have > backported the AppArmor socket mediation patchset this will cause the > locks to be denied with EACCESS. This causes systemd to be broken in > LXC and LXD containers that do not run unconfined which is a pretty > big deal. We have seen various bug reports related to this. See for > example [1] and [2]. > > If feasible it would be excellent if we could backport the socket > mediation patchset to all LTS kernels. Afaict, this should be 4.4 and > 4.15. This will unbreak a whole range of use-cases. > > The socket mediation patchset is available here: > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4 > > > [1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779 > [2]: https://github.com/systemd/systemd/issues/9493 > > Thanks! > Christian > > To manage notifications about this bug go to: > > https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1780227/+subscriptions > ** Bug watch added: github.com/systemd/systemd/issues #9493 https://github.com/systemd/systemd/issues/9493 -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1780227 Title: locking sockets broken due to missing AppArmor socket mediation patches Status in apparmor package in Ubuntu: Invalid Status in linux package in Ubuntu: Triaged Status in apparmor source package in Xenial: Invalid Status in linux source package in Xenial: Triaged Status in apparmor source package in Bionic: Invalid Status in linux source package in Bionic: Triaged Bug description: Hey, Newer systemd makes use of locks placed on AF_UNIX sockets created with the socketpair() syscall to synchronize various bits and pieces when isolating services. On kernels prior to 4.18 that do not have backported the AppArmor socket mediation patchset this will cause the locks to be denied with EACCESS. This causes systemd to be broken in LXC and LXD containers that do not run unconfined which is a pretty big deal. We have seen various bug reports related to this. See for example [1] and [2]. If feasible it would be excellent if we could backport the socket mediation patchset to all LTS kernels. Afaict, this should be 4.4 and 4.15. This will unbreak a whole range of use-cases. The socket mediation patchset is available here:
[Kernel-packages] [Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches
Ok, thanks for the update. I've now updated the bug once again to move all the tasks over to the kernel. Can you attach the kernel patch here when you can, I'm sure some of the subscribers may want to test this ahead of the Ubuntu kernel fixes :) ** Changed in: linux (Ubuntu) Importance: Undecided => Critical ** Changed in: linux (Ubuntu Xenial) Importance: Undecided => Critical ** Changed in: linux (Ubuntu Bionic) Importance: Undecided => Critical ** Changed in: linux (Ubuntu) Status: Invalid => Triaged ** Changed in: linux (Ubuntu Xenial) Status: Invalid => Triaged ** Changed in: linux (Ubuntu Bionic) Status: Invalid => Triaged ** Changed in: apparmor (Ubuntu) Status: Triaged => Invalid ** Changed in: apparmor (Ubuntu Xenial) Status: Triaged => Invalid ** Changed in: apparmor (Ubuntu Bionic) Status: Triaged => Invalid ** Changed in: apparmor (Ubuntu) Assignee: John Johansen (jjohansen) => (unassigned) ** Changed in: apparmor (Ubuntu Xenial) Assignee: John Johansen (jjohansen) => (unassigned) ** Changed in: apparmor (Ubuntu Bionic) Assignee: John Johansen (jjohansen) => (unassigned) ** Changed in: linux (Ubuntu) Assignee: (unassigned) => John Johansen (jjohansen) ** Changed in: linux (Ubuntu Xenial) Assignee: (unassigned) => John Johansen (jjohansen) ** Changed in: linux (Ubuntu Bionic) Assignee: (unassigned) => John Johansen (jjohansen) -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1780227 Title: locking sockets broken due to missing AppArmor socket mediation patches Status in apparmor package in Ubuntu: Invalid Status in linux package in Ubuntu: Triaged Status in apparmor source package in Xenial: Invalid Status in linux source package in Xenial: Triaged Status in apparmor source package in Bionic: Invalid Status in linux source package in Bionic: Triaged Bug description: Hey, Newer systemd makes use of locks placed on AF_UNIX sockets created with the socketpair() syscall to synchronize various bits and pieces when isolating services. On kernels prior to 4.18 that do not have backported the AppArmor socket mediation patchset this will cause the locks to be denied with EACCESS. This causes systemd to be broken in LXC and LXD containers that do not run unconfined which is a pretty big deal. We have seen various bug reports related to this. See for example [1] and [2]. If feasible it would be excellent if we could backport the socket mediation patchset to all LTS kernels. Afaict, this should be 4.4 and 4.15. This will unbreak a whole range of use-cases. The socket mediation patchset is available here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4 [1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779 [2]: https://github.com/systemd/systemd/issues/9493 Thanks! Christian To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1780227/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches
Sadly we ran into two separate issues. 1. the kernel mapping of the permission won't allow the lock perm to be carried through on all kernels. I have a patch for it now, but pita 2. the release process needed some updating to uhm work with the move to git and gitlab as hosting. So with the above issues I have come up with an alternative kernel patch that just ignores the lock perm for now. I don't like it but it will get the fix out faster, and the original reasoning to do a userspace fix is faulty so going with only a kernel fix is better. I am going to split off the userspace lock perm and the needed kernel mapping fix to a separate bug and we will keep this one for the kernel solution that ignores lock permission requests on none fs based unix socakets. -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1780227 Title: locking sockets broken due to missing AppArmor socket mediation patches Status in apparmor package in Ubuntu: Triaged Status in linux package in Ubuntu: Invalid Status in apparmor source package in Xenial: Triaged Status in linux source package in Xenial: Invalid Status in apparmor source package in Bionic: Triaged Status in linux source package in Bionic: Invalid Bug description: Hey, Newer systemd makes use of locks placed on AF_UNIX sockets created with the socketpair() syscall to synchronize various bits and pieces when isolating services. On kernels prior to 4.18 that do not have backported the AppArmor socket mediation patchset this will cause the locks to be denied with EACCESS. This causes systemd to be broken in LXC and LXD containers that do not run unconfined which is a pretty big deal. We have seen various bug reports related to this. See for example [1] and [2]. If feasible it would be excellent if we could backport the socket mediation patchset to all LTS kernels. Afaict, this should be 4.4 and 4.15. This will unbreak a whole range of use-cases. The socket mediation patchset is available here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4 [1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779 [2]: https://github.com/systemd/systemd/issues/9493 Thanks! Christian To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1780227/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches
@John any update on the point releases? -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1780227 Title: locking sockets broken due to missing AppArmor socket mediation patches Status in apparmor package in Ubuntu: Triaged Status in linux package in Ubuntu: Invalid Status in apparmor source package in Xenial: Triaged Status in linux source package in Xenial: Invalid Status in apparmor source package in Bionic: Triaged Status in linux source package in Bionic: Invalid Bug description: Hey, Newer systemd makes use of locks placed on AF_UNIX sockets created with the socketpair() syscall to synchronize various bits and pieces when isolating services. On kernels prior to 4.18 that do not have backported the AppArmor socket mediation patchset this will cause the locks to be denied with EACCESS. This causes systemd to be broken in LXC and LXD containers that do not run unconfined which is a pretty big deal. We have seen various bug reports related to this. See for example [1] and [2]. If feasible it would be excellent if we could backport the socket mediation patchset to all LTS kernels. Afaict, this should be 4.4 and 4.15. This will unbreak a whole range of use-cases. The socket mediation patchset is available here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4 [1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779 [2]: https://github.com/systemd/systemd/issues/9493 Thanks! Christian To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1780227/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches
I will try to get the point releases out today. -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1780227 Title: locking sockets broken due to missing AppArmor socket mediation patches Status in apparmor package in Ubuntu: Triaged Status in linux package in Ubuntu: Invalid Status in apparmor source package in Xenial: Triaged Status in linux source package in Xenial: Invalid Status in apparmor source package in Bionic: Triaged Status in linux source package in Bionic: Invalid Bug description: Hey, Newer systemd makes use of locks placed on AF_UNIX sockets created with the socketpair() syscall to synchronize various bits and pieces when isolating services. On kernels prior to 4.18 that do not have backported the AppArmor socket mediation patchset this will cause the locks to be denied with EACCESS. This causes systemd to be broken in LXC and LXD containers that do not run unconfined which is a pretty big deal. We have seen various bug reports related to this. See for example [1] and [2]. If feasible it would be excellent if we could backport the socket mediation patchset to all LTS kernels. Afaict, this should be 4.4 and 4.15. This will unbreak a whole range of use-cases. The socket mediation patchset is available here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4 [1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779 [2]: https://github.com/systemd/systemd/issues/9493 Thanks! Christian To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1780227/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches
Blocking launching (in useful ways) Debian testing & sid containers on Ubuntu as well. ** Tags removed: block-proposed -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1780227 Title: locking sockets broken due to missing AppArmor socket mediation patches Status in apparmor package in Ubuntu: Triaged Status in linux package in Ubuntu: Invalid Status in apparmor source package in Xenial: Triaged Status in linux source package in Xenial: Invalid Status in apparmor source package in Bionic: Triaged Status in linux source package in Bionic: Invalid Bug description: Hey, Newer systemd makes use of locks placed on AF_UNIX sockets created with the socketpair() syscall to synchronize various bits and pieces when isolating services. On kernels prior to 4.18 that do not have backported the AppArmor socket mediation patchset this will cause the locks to be denied with EACCESS. This causes systemd to be broken in LXC and LXD containers that do not run unconfined which is a pretty big deal. We have seen various bug reports related to this. See for example [1] and [2]. If feasible it would be excellent if we could backport the socket mediation patchset to all LTS kernels. Afaict, this should be 4.4 and 4.15. This will unbreak a whole range of use-cases. The socket mediation patchset is available here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4 [1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779 [2]: https://github.com/systemd/systemd/issues/9493 Thanks! Christian To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1780227/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches
Per discussion above: - Closing the kernel tasks - Raising priority on apparmor tasks to Critical (to match what kernel had) - Assigning to jjohansen as the AppArmor maintainer As we care about xenial, bionic and cosmic, we need point releases (or cherry-pick) for: - AppArmor 2.10 (2.10.95 in xenial) - AppArmor 2.12 (2.12 in bionic and cosmic) John: Any ETA for those two point releases or pointer to a commit which we could SRU on its own? For now our focus is obviously on getting this resolved in Ubuntu as soon as possible, since it's breaking a number of systemd services that are now (18.04) shipping with more confinement than in the past. The same issue is also currently preventing us from starting newer Fedora and Arch containers on Ubuntu. Our standard response so far has been to tell users to turn off AppArmor for those containers, but it's obviously not an answer we like to give (I'm sure you'll agree). ** Changed in: linux (Ubuntu) Status: Triaged => Invalid ** Changed in: linux (Ubuntu Xenial) Status: Triaged => Invalid ** Changed in: linux (Ubuntu Bionic) Status: Triaged => Invalid ** Changed in: apparmor (Ubuntu) Status: New => Triaged ** Changed in: apparmor (Ubuntu Xenial) Status: New => Triaged ** Changed in: apparmor (Ubuntu Bionic) Status: New => Triaged ** Changed in: apparmor (Ubuntu) Importance: Undecided => Critical ** Changed in: apparmor (Ubuntu Xenial) Importance: Undecided => Critical ** Changed in: apparmor (Ubuntu Bionic) Importance: Undecided => Critical ** Changed in: linux (Ubuntu) Importance: Critical => Undecided ** Changed in: linux (Ubuntu Xenial) Importance: High => Undecided ** Changed in: linux (Ubuntu Bionic) Importance: High => Undecided ** Changed in: apparmor (Ubuntu) Assignee: (unassigned) => John Johansen (jjohansen) ** Changed in: apparmor (Ubuntu Xenial) Assignee: (unassigned) => John Johansen (jjohansen) ** Changed in: apparmor (Ubuntu Bionic) Assignee: (unassigned) => John Johansen (jjohansen) -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1780227 Title: locking sockets broken due to missing AppArmor socket mediation patches Status in apparmor package in Ubuntu: Triaged Status in linux package in Ubuntu: Invalid Status in apparmor source package in Xenial: Triaged Status in linux source package in Xenial: Invalid Status in apparmor source package in Bionic: Triaged Status in linux source package in Bionic: Invalid Bug description: Hey, Newer systemd makes use of locks placed on AF_UNIX sockets created with the socketpair() syscall to synchronize various bits and pieces when isolating services. On kernels prior to 4.18 that do not have backported the AppArmor socket mediation patchset this will cause the locks to be denied with EACCESS. This causes systemd to be broken in LXC and LXD containers that do not run unconfined which is a pretty big deal. We have seen various bug reports related to this. See for example [1] and [2]. If feasible it would be excellent if we could backport the socket mediation patchset to all LTS kernels. Afaict, this should be 4.4 and 4.15. This will unbreak a whole range of use-cases. The socket mediation patchset is available here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4 [1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779 [2]: https://github.com/systemd/systemd/issues/9493 Thanks! Christian To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1780227/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches
In preparation for an SRU, here is a minimal C testcase provided by
Wolfgang Bumiller:
```
/*
# apparmor_parser -r /etc/apparmor.d/bug-profile
# (tested without the flags here as well btw.)
profile bug-profile flags=(attach_disconnected,mediate_deleted) {
network,
file,
unix,
}
# gcc this.c
# ./a.out
lock = 2 (Success)
# aa-exec -p bug-profile ./a.out
lock = 2 (Permission denied)
kernel: audit: type=1400 audit(1530774919.510:93): apparmor="DENIED"
operation="file_lock" profile="bug-profile" pid=21788 comm="a.out"
family="unix" sock_type="dgram" protocol=0 addr=none
*/
#include
#include
#include
#include
#include
#include
int
main(int argc, char **argv)
{
int sp[2];
if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sp) != 0) {
perror("socketpair");
exit(1);
}
int rc = flock(sp[0], LOCK_EX);
printf("lock = %i (%m)\n");
close(sp[0]);
close(sp[1]);
return 0;
}
```
Another very easy way to reproduce the issue is to run "hostnamectl
status" inside a container which will hang as the systemd unit (socket
activated) will fail to trigger.
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1780227
Title:
locking sockets broken due to missing AppArmor socket mediation
patches
Status in apparmor package in Ubuntu:
Triaged
Status in linux package in Ubuntu:
Invalid
Status in apparmor source package in Xenial:
Triaged
Status in linux source package in Xenial:
Invalid
Status in apparmor source package in Bionic:
Triaged
Status in linux source package in Bionic:
Invalid
Bug description:
Hey,
Newer systemd makes use of locks placed on AF_UNIX sockets created
with the socketpair() syscall to synchronize various bits and pieces
when isolating services. On kernels prior to 4.18 that do not have
backported the AppArmor socket mediation patchset this will cause the
locks to be denied with EACCESS. This causes systemd to be broken in
LXC and LXD containers that do not run unconfined which is a pretty
big deal. We have seen various bug reports related to this. See for
example [1] and [2].
If feasible it would be excellent if we could backport the socket
mediation patchset to all LTS kernels. Afaict, this should be 4.4 and
4.15. This will unbreak a whole range of use-cases.
The socket mediation patchset is available here:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4
[1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779
[2]: https://github.com/systemd/systemd/issues/9493
Thanks!
Christian
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1780227/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches
** Tags added: block-proposed -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1780227 Title: locking sockets broken due to missing AppArmor socket mediation patches Status in apparmor package in Ubuntu: New Status in linux package in Ubuntu: Triaged Status in apparmor source package in Xenial: New Status in linux source package in Xenial: Triaged Status in apparmor source package in Bionic: New Status in linux source package in Bionic: Triaged Bug description: Hey, Newer systemd makes use of locks placed on AF_UNIX sockets created with the socketpair() syscall to synchronize various bits and pieces when isolating services. On kernels prior to 4.18 that do not have backported the AppArmor socket mediation patchset this will cause the locks to be denied with EACCESS. This causes systemd to be broken in LXC and LXD containers that do not run unconfined which is a pretty big deal. We have seen various bug reports related to this. See for example [1] and [2]. If feasible it would be excellent if we could backport the socket mediation patchset to all LTS kernels. Afaict, this should be 4.4 and 4.15. This will unbreak a whole range of use-cases. The socket mediation patchset is available here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4 [1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779 [2]: https://github.com/systemd/systemd/issues/9493 Thanks! Christian To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1780227/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches
Ah, I need 2.12.1 apparmor as well, which is not in the archive yet. -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1780227 Title: locking sockets broken due to missing AppArmor socket mediation patches Status in apparmor package in Ubuntu: New Status in linux package in Ubuntu: Triaged Status in apparmor source package in Xenial: New Status in linux source package in Xenial: Triaged Status in apparmor source package in Bionic: New Status in linux source package in Bionic: Triaged Bug description: Hey, Newer systemd makes use of locks placed on AF_UNIX sockets created with the socketpair() syscall to synchronize various bits and pieces when isolating services. On kernels prior to 4.18 that do not have backported the AppArmor socket mediation patchset this will cause the locks to be denied with EACCESS. This causes systemd to be broken in LXC and LXD containers that do not run unconfined which is a pretty big deal. We have seen various bug reports related to this. See for example [1] and [2]. If feasible it would be excellent if we could backport the socket mediation patchset to all LTS kernels. Afaict, this should be 4.4 and 4.15. This will unbreak a whole range of use-cases. The socket mediation patchset is available here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4 [1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779 [2]: https://github.com/systemd/systemd/issues/9493 Thanks! Christian To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1780227/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches
I still observe this bug in Cosmic with v4.17.0-5 kernel from cosmic- proposed. -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1780227 Title: locking sockets broken due to missing AppArmor socket mediation patches Status in apparmor package in Ubuntu: New Status in linux package in Ubuntu: Triaged Status in apparmor source package in Xenial: New Status in linux source package in Xenial: Triaged Status in apparmor source package in Bionic: New Status in linux source package in Bionic: Triaged Bug description: Hey, Newer systemd makes use of locks placed on AF_UNIX sockets created with the socketpair() syscall to synchronize various bits and pieces when isolating services. On kernels prior to 4.18 that do not have backported the AppArmor socket mediation patchset this will cause the locks to be denied with EACCESS. This causes systemd to be broken in LXC and LXD containers that do not run unconfined which is a pretty big deal. We have seen various bug reports related to this. See for example [1] and [2]. If feasible it would be excellent if we could backport the socket mediation patchset to all LTS kernels. Afaict, this should be 4.4 and 4.15. This will unbreak a whole range of use-cases. The socket mediation patchset is available here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4 [1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779 [2]: https://github.com/systemd/systemd/issues/9493 Thanks! Christian To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1780227/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches
** Changed in: linux (Ubuntu) Importance: High => Critical ** Also affects: apparmor (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1780227 Title: locking sockets broken due to missing AppArmor socket mediation patches Status in apparmor package in Ubuntu: New Status in linux package in Ubuntu: Triaged Status in apparmor source package in Xenial: New Status in linux source package in Xenial: Triaged Status in apparmor source package in Bionic: New Status in linux source package in Bionic: Triaged Bug description: Hey, Newer systemd makes use of locks placed on AF_UNIX sockets created with the socketpair() syscall to synchronize various bits and pieces when isolating services. On kernels prior to 4.18 that do not have backported the AppArmor socket mediation patchset this will cause the locks to be denied with EACCESS. This causes systemd to be broken in LXC and LXD containers that do not run unconfined which is a pretty big deal. We have seen various bug reports related to this. See for example [1] and [2]. If feasible it would be excellent if we could backport the socket mediation patchset to all LTS kernels. Afaict, this should be 4.4 and 4.15. This will unbreak a whole range of use-cases. The socket mediation patchset is available here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4 [1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779 [2]: https://github.com/systemd/systemd/issues/9493 Thanks! Christian To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1780227/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches
You are correct that the kernel reports a supported abi, and currently the abi does not export that it is supporting link mediation for sockets. However the kernel is currently enforcing link mediation on sockets and there are reasons to want to continue to do so. The plan would be to let the parser know that existing kernel abis have a quirk where they are not correctly advertising the abi. The parser would then correctly generate policy for both old and new kernels. The patch would be rolled out in upstream apparmor point releases 2.10.4, 2.11.2, 2.12.1, and 2.13.1, as well as being dropped into supported ubuntu releases. Suse and Debian will pickup the bug fixes from upstream, they are fairly good about picking up point release bug fixes. Updating the userspace probably provides us the widest roll out of the fix possible. -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1780227 Title: locking sockets broken due to missing AppArmor socket mediation patches Status in linux package in Ubuntu: Triaged Status in linux source package in Xenial: Triaged Status in linux source package in Bionic: Triaged Bug description: Hey, Newer systemd makes use of locks placed on AF_UNIX sockets created with the socketpair() syscall to synchronize various bits and pieces when isolating services. On kernels prior to 4.18 that do not have backported the AppArmor socket mediation patchset this will cause the locks to be denied with EACCESS. This causes systemd to be broken in LXC and LXD containers that do not run unconfined which is a pretty big deal. We have seen various bug reports related to this. See for example [1] and [2]. If feasible it would be excellent if we could backport the socket mediation patchset to all LTS kernels. Afaict, this should be 4.4 and 4.15. This will unbreak a whole range of use-cases. The socket mediation patchset is available here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4 [1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779 [2]: https://github.com/systemd/systemd/issues/9493 Thanks! Christian To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1780227/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches
I suppose that would that be an ubuntu-specific patch for apparmor userspace? I'm assuming the ABI tells userspace which features are supported, unless this particular feature can be tested for some other way? Would the patched userspace know not to use these features under this ABI in a future 4.18+ kernel or a non-Ubuntu pre-4.17 kernel? I'm just a bit worried about the upgrade path here. -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1780227 Title: locking sockets broken due to missing AppArmor socket mediation patches Status in linux package in Ubuntu: Triaged Status in linux source package in Xenial: Triaged Status in linux source package in Bionic: Triaged Bug description: Hey, Newer systemd makes use of locks placed on AF_UNIX sockets created with the socketpair() syscall to synchronize various bits and pieces when isolating services. On kernels prior to 4.18 that do not have backported the AppArmor socket mediation patchset this will cause the locks to be denied with EACCESS. This causes systemd to be broken in LXC and LXD containers that do not run unconfined which is a pretty big deal. We have seen various bug reports related to this. See for example [1] and [2]. If feasible it would be excellent if we could backport the socket mediation patchset to all LTS kernels. Afaict, this should be 4.4 and 4.15. This will unbreak a whole range of use-cases. The socket mediation patchset is available here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4 [1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779 [2]: https://github.com/systemd/systemd/issues/9493 Thanks! Christian To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1780227/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches
Okay, so lets split this between upstream and ubuntu kernels previous upstream kernels did not have socket mediation and could NOT have generated the denial message being seen. Jul 04 15:11:11 host audit[28404]: AVC apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=28404 comm="(true)" family="unix" sock_type="dgram" protocol=0 addr=none 4.17 has socket mediation code but there is no released userspace that supports it. It requires apparmor 3 dev, so in all existing userspaces the 4.17 socket mediation is not being enforced. The ubuntu kernels Xenial and Bionic carry a variant of the socket mediation patch that is in 4.17 but with a different abi. The ubuntu 4.17 kernel carries a compatibility patch and will have the Bionic and Xenial behavior under current 2.x apparmor userspaces. The correct solution looks to be patching the current 2.x userspace to support locking on abstract and anonymous sockets -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1780227 Title: locking sockets broken due to missing AppArmor socket mediation patches Status in linux package in Ubuntu: Triaged Status in linux source package in Xenial: Triaged Status in linux source package in Bionic: Triaged Bug description: Hey, Newer systemd makes use of locks placed on AF_UNIX sockets created with the socketpair() syscall to synchronize various bits and pieces when isolating services. On kernels prior to 4.18 that do not have backported the AppArmor socket mediation patchset this will cause the locks to be denied with EACCESS. This causes systemd to be broken in LXC and LXD containers that do not run unconfined which is a pretty big deal. We have seen various bug reports related to this. See for example [1] and [2]. If feasible it would be excellent if we could backport the socket mediation patchset to all LTS kernels. Afaict, this should be 4.4 and 4.15. This will unbreak a whole range of use-cases. The socket mediation patchset is available here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4 [1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779 [2]: https://github.com/systemd/systemd/issues/9493 Thanks! Christian To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1780227/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
Re: [Kernel-packages] [Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches
On Thu, Jul 05, 2018 at 04:16:20PM -, John Johansen wrote: > The 4.17 patch set did not have any changes that should affect this. I > will have to investigate what is going on further. At this time DO NOT > backport the 4.17 patchset. Thanks John. Sorry for jumping the gun then. What is weird though is that this bug is present in prior kernels and gone with 4.17 and there's a bunch of socket related codepaths that would explain the changed behavior. In any case, thanks for helping! -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1780227 Title: locking sockets broken due to missing AppArmor socket mediation patches Status in linux package in Ubuntu: Triaged Status in linux source package in Xenial: Triaged Status in linux source package in Bionic: Triaged Bug description: Hey, Newer systemd makes use of locks placed on AF_UNIX sockets created with the socketpair() syscall to synchronize various bits and pieces when isolating services. On kernels prior to 4.18 that do not have backported the AppArmor socket mediation patchset this will cause the locks to be denied with EACCESS. This causes systemd to be broken in LXC and LXD containers that do not run unconfined which is a pretty big deal. We have seen various bug reports related to this. See for example [1] and [2]. If feasible it would be excellent if we could backport the socket mediation patchset to all LTS kernels. Afaict, this should be 4.4 and 4.15. This will unbreak a whole range of use-cases. The socket mediation patchset is available here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4 [1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779 [2]: https://github.com/systemd/systemd/issues/9493 Thanks! Christian To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1780227/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches
The 4.17 patch set did not have any changes that should affect this. I will have to investigate what is going on further. At this time DO NOT backport the 4.17 patchset. -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1780227 Title: locking sockets broken due to missing AppArmor socket mediation patches Status in linux package in Ubuntu: Triaged Status in linux source package in Xenial: Triaged Status in linux source package in Bionic: Triaged Bug description: Hey, Newer systemd makes use of locks placed on AF_UNIX sockets created with the socketpair() syscall to synchronize various bits and pieces when isolating services. On kernels prior to 4.18 that do not have backported the AppArmor socket mediation patchset this will cause the locks to be denied with EACCESS. This causes systemd to be broken in LXC and LXD containers that do not run unconfined which is a pretty big deal. We have seen various bug reports related to this. See for example [1] and [2]. If feasible it would be excellent if we could backport the socket mediation patchset to all LTS kernels. Afaict, this should be 4.4 and 4.15. This will unbreak a whole range of use-cases. The socket mediation patchset is available here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4 [1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779 [2]: https://github.com/systemd/systemd/issues/9493 Thanks! Christian To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1780227/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches
** Changed in: linux (Ubuntu) Status: Confirmed => Triaged ** Also affects: linux (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Bionic) Importance: Undecided Status: New ** Changed in: linux (Ubuntu Xenial) Status: New => Triaged ** Changed in: linux (Ubuntu Bionic) Status: New => Triaged ** Changed in: linux (Ubuntu Xenial) Importance: Undecided => High ** Changed in: linux (Ubuntu Bionic) Importance: Undecided => High ** Tags added: bionic kernel-da-key xenial -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1780227 Title: locking sockets broken due to missing AppArmor socket mediation patches Status in linux package in Ubuntu: Triaged Status in linux source package in Xenial: Triaged Status in linux source package in Bionic: Triaged Bug description: Hey, Newer systemd makes use of locks placed on AF_UNIX sockets created with the socketpair() syscall to synchronize various bits and pieces when isolating services. On kernels prior to 4.18 that do not have backported the AppArmor socket mediation patchset this will cause the locks to be denied with EACCESS. This causes systemd to be broken in LXC and LXD containers that do not run unconfined which is a pretty big deal. We have seen various bug reports related to this. See for example [1] and [2]. If feasible it would be excellent if we could backport the socket mediation patchset to all LTS kernels. Afaict, this should be 4.4 and 4.15. This will unbreak a whole range of use-cases. The socket mediation patchset is available here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4 [1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779 [2]: https://github.com/systemd/systemd/issues/9493 Thanks! Christian To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1780227/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches
** Changed in: linux (Ubuntu) Status: Incomplete => Confirmed ** Changed in: linux (Ubuntu) Importance: Undecided => High -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1780227 Title: locking sockets broken due to missing AppArmor socket mediation patches Status in linux package in Ubuntu: Confirmed Bug description: Hey, Newer systemd makes use of locks placed on AF_UNIX sockets created with the socketpair() syscall to synchronize various bits and pieces when isolating services. On kernels prior to 4.18 that do not have backported the AppArmor socket mediation patchset this will cause the locks to be denied with EACCESS. This causes systemd to be broken in LXC and LXD containers that do not run unconfined which is a pretty big deal. We have seen various bug reports related to this. See for example [1] and [2]. If feasible it would be excellent if we could backport the socket mediation patchset to all LTS kernels. Afaict, this should be 4.4 and 4.15. This will unbreak a whole range of use-cases. The socket mediation patchset is available here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4 [1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779 [2]: https://github.com/systemd/systemd/issues/9493 Thanks! Christian To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1780227/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
