[Kernel-packages] [Bug 1615887] Re: profiles from different namespaces can block other namespaces from being able to load a profile

2016-10-13 Thread Christian Boltz
** Tags added: aa-kernel

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1615887

Title:
  profiles from different namespaces can block other namespaces from
  being able to load a profile

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Released

Bug description:
  If ns1 has a profile A in it. It can cause loading a profile with the
  name A into ns2, and if it does succeed can result in compound labels
  crossing namespaces resulting in mediation not from one ns being
  applied to another.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1615887/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp


[Kernel-packages] [Bug 1615887] Re: profiles from different namespaces can block other namespaces from being able to load a profile

2016-09-20 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.8.0-11.12

---
linux (4.8.0-11.12) yakkety; urgency=low

  * change_hat is logging failures during expected hat probing (LP: #1615893)
    - SAUCE: apparmor: Fix auditing behavior for change_hat probing

  * deleted files outside of the namespace are not being treated as
    disconnected (LP: #1615892)
    - SAUCE: apparmor: deleted dentries can be disconnected

  * stacking to unconfined in a child namespace confuses mediation
    (LP: #1615890)
    - SAUCE: apparmor: special case unconfined when determining the mode

  * apparmor module parameters can be changed after the policy is locked
    (LP: #1615895)
    - SAUCE: apparmor: fix: parameters can be changed after policy is locked

  * AppArmor profile reloading causes an intermittent kernel BUG
    (LP: #1579135)
    - SAUCE: apparmor: fix vec_unique for vectors larger than 8

  * label vec reductions can result in reference labels instead of direct
    access to labels (LP: #1615889)
    - SAUCE: apparmor: reduction of vec to single entry is just that entry

  * profiles from different namespaces can block other namespaces from being
    able to load a profile (LP: #1615887)
    - SAUCE: apparmor: profiles in one ns can affect mediation in another ns

  * The label build for onexec when stacking is wrong (LP: #1615881)
    - SAUCE: apparmor: Fix label build for onexec stacking.

  * The inherit check for new to old label comparison for domain transitions
    is wrong (LP: #1615880)
    - SAUCE: apparmor: Fix new to old label comparison for domain transitions

  * warning stack trace while playing with apparmor namespaces (LP: #1593874)
    - SAUCE: apparmor: fix stack trace when removing namespace with profiles

  * __label_update proxy comparison test is wrong (LP: #1615878)
    - SAUCE: apparmor: Fix __label_update proxy comparison test

  * reading /sys/kernel/security/apparmor/profiles requires CAP_MAC_ADMIN
    (LP: #1560583)
    - SAUCE: apparmor: Allow ns_root processes to open profiles file
    - SAUCE: apparmor: Consult sysctl when reading profiles in a user ns

  * policy namespace stacking (LP: #1379535)
    - SAUCE: (no-up) apparmor: rebase of apparmor3.5-beta1 snapshot for 4.8
    - SAUCE: add a sysctl to enable unprivileged user ns AppArmor policy loading

  * Miscellaneous Ubuntu changes
    - [Debian] Dynamically determine linux udebs package name
    - [Debian] d-i -- fix dtb handling in new kernel-wedge form
    - SAUCE: apparmor: Fix FTBFS due to bad include path
    - SAUCE: apparmor: add data query support
    - [Config] Set CONFIG_SECURITY_APPARMOR_UNCONFINED_INIT=y

  * Miscellaneous upstream changes
    - fixup backout policy view capable for forward port
    - apparmor: fix: Rework the iter loop for label_update
    - apparmor: add more assertions for updates/merges to help catch errors
    - apparmor: Make pivot root transitions work with stacking
    - apparmor: convert delegating deleted files to mediate deleted files
    - apparmor: add missing parens. not a bug fix but highly recommended
    - apparmor: add a stack_version file to allow detection of bug fixes
    - apparmor: push path lookup into mediation loop
    - apparmor: default to allowing unprivileged userns policy
    - apparmor: fix: permissions test to view and manage policy
    - apparmor: Add Basic ns cross check condition for ipc

 -- Leann Ogasawara  Sat, 17 Sep 2016 10:03:16 -0700

** Changed in: linux (Ubuntu Yakkety)
   Status: Incomplete => Fix Released



[Kernel-packages] [Bug 1615887] Re: profiles from different namespaces can block other namespaces from being able to load a profile

2016-09-19 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.4.0-38.57

---
linux (4.4.0-38.57) xenial; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1620658

  * CIFS client: access problems after updating to kernel 4.4.0-29-generic
    (LP: #1612135)
    - Revert "UBUNTU: SAUCE: (namespace) Bypass sget() capability check for nfs"
    - fs: Call d_automount with the filesystems creds

  * apt-key add fails in overlayfs (LP: #1618572)
    - SAUCE: overlayfs: fix regression in whiteout detection

linux (4.4.0-37.56) xenial; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1618040

  * [Feature] Instruction decoder support for new SKX instructions- AVX512
    (LP: #1591655)
    - x86/insn: perf tools: Fix vcvtph2ps instruction decoding
    - x86/insn: Add AVX-512 support to the instruction decoder
    - perf tools: Add AVX-512 support to the instruction decoder used by Intel PT
    - perf tools: Add AVX-512 instructions to the new instructions test

  * [Ubuntu 16.04] FCoE Lun not visible in OS with inbox driver - Issue with
    ioremap() call on 32bit kernel (LP: #1608652)
    - lpfc: Correct issue with ioremap() call on 32bit kernel

  * [Feature] turbostat support for Skylake-SP server (LP: #1591802)
    - tools/power turbostat: decode more CPUID fields
    - tools/power turbostat: CPUID(0x16) leaf shows base, max, and bus frequency
    - tools/power turbostat: decode HWP registers
    - tools/power turbostat: Decode MSR_MISC_PWR_MGMT
    - tools/power turbostat: allow sub-sec intervals
    - tools/power turbostat: Intel Xeon x200: fix erroneous bclk value
    - tools/power turbostat: Intel Xeon x200: fix turbo-ratio decoding
    - tools/power turbostat: re-name "%Busy" field to "Busy%"
    - tools/power turbostat: add --out option for saving output in a file
    - tools/power turbostat: fix compiler warnings
    - tools/power turbostat: make fewer systems calls
    - tools/power turbostat: show IRQs per CPU
    - tools/power turbostat: show GFXMHz
    - tools/power turbostat: show GFX%rc6
    - tools/power turbostat: detect and work around syscall jitter
    - tools/power turbostat: indicate SMX and SGX support
    - tools/power turbostat: call __cpuid() instead of __get_cpuid()
    - tools/power turbostat: correct output for MSR_NHM_SNB_PKG_CST_CFG_CTL dump
    - tools/power turbostat: bugfix: TDP MSRs print bits fixing
    - tools/power turbostat: SGX state should print only if --debug
    - tools/power turbostat: print IRTL MSRs
    - tools/power turbostat: initial BXT support
    - tools/power turbostat: decode BXT TSC frequency via CPUID
    - tools/power turbostat: initial SKX support

  * [BYT] display hotplug doesn't work on console (LP: #1616894)
    - drm/i915/vlv: Make intel_crt_reset() per-encoder
    - drm/i915/vlv: Reset the ADPA in vlv_display_power_well_init()
    - drm/i915/vlv: Disable HPD in valleyview_crt_detect_hotplug()
    - drm/i915: Enable polling when we don't have hpd

  * [Feature]intel_idle enabling on Broxton-P (LP: #1520446)
    - intel_idle: add BXT support

  * [Feature] EDAC: Update driver for SKX-SP (LP: #1591815)
    - [Config] CONFIG_EDAC_SKX=m
    - EDAC, skx_edac: Add EDAC driver for Skylake

  * [Feature] KBL: Sandy Peak(3168) WiFi/BT support (LP: #1591648)
    - Bluetooth: Add support for Intel Bluetooth device 3168 [8087:0aa7]

  * MacBookPro11,4 fails to poweroff or suspend (LP: #1587714)
    - SAUCE: PCI: Workaround to enable poweroff on Mac Pro 11

  * Support Edge Gateway's Bluetooth LED (LP: #1512999)
    - SAUCE: Bluetooth: Support for LED on Edge Gateways
    - SAUCE: Bluetooth: Use host bridge subsystem IDs to identify Edge Gateways

  * Please add support for alps touchpad. (LP: #1616813)
    - [Config] CONFIG_HID_ALPS=m
    - HID: add Alps I2C HID Touchpad-Stick support
    - HID: alps: struct u1_dev *priv is internal to the driver
    - HID: alps: pass correct sizes to hid_hw_raw_request()
    - HID: alps: match alps devices in core
    - HID: alps: a few cleanups

  * DINO2M - System hangs with a black screen during s4 stress test
    (LP: #1616781)
    - x86/power/64: Fix kernel text mapping corruption during image restoration

  * Xenial update to v4.4.17 stable release (LP: #1611833)
    - USB: OHCI: Don't mark EDs as ED_OPER if scheduling fails
    - x86/quirks: Apply nvidia_bugs quirk only on root bus
    - x86/quirks: Reintroduce scanning of secondary buses
    - x86/quirks: Add early quirk to reset Apple AirPort card
    - dmaengine: at_xdmac: align descriptors on 64 bits
    - dmaengine: at_xdmac: fix residue corruption
    - dmaengine: at_xdmac: double FIFO flush needed to compute residue
    - mm, sl[au]b: add __GFP_ATOMIC to the GFP reclaim mask
    - mm, compaction: abort free scanner if split fails
    - fs/nilfs2: fix potential underflow in call to crc32_le
    - mm, compaction: prevent VM_BUG_ON when terminating freeing scanner
    - mm, meminit: always return a valid node from early_pfn_to_nid

[Kernel-packages] [Bug 1615887] Re: profiles from different namespaces can block other namespaces from being able to load a profile

2016-09-09 Thread John Johansen
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  Incomplete



[Kernel-packages] [Bug 1615887] Re: profiles from different namespaces can block other namespaces from being able to load a profile

2016-09-06 Thread Tim Gardner
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-xenial' to 'verification-done-xenial'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on
how to enable and use -proposed. Thank you!


** Tags added: verification-needed-xenial



[Kernel-packages] [Bug 1615887] Re: profiles from different namespaces can block other namespaces from being able to load a profile

2016-08-23 Thread John Johansen
** Also affects: linux (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: linux (Ubuntu Xenial)
   Status: New => Fix Committed
