[Kernel-packages] [Bug 1755563] Re: dangling symlinks to loaded apparmor policy
This bug was fixed in the package linux - 4.15.0-19.20

---
linux (4.15.0-19.20) bionic; urgency=medium

  * linux: 4.15.0-19.20 -proposed tracker (LP: #1766021)

  * Kernel 4.15.0-15 breaks Dell PowerEdge 12th Gen servers (LP: #1765232)
    - Revert "blk-mq: simplify queue mapping & schedule with each possisble CPU"
    - Revert "genirq/affinity: assign vectors to all possible CPUs"

linux (4.15.0-18.19) bionic; urgency=medium

  * linux: 4.15.0-18.19 -proposed tracker (LP: #1765490)

  * [regression] Ubuntu 18.04:[4.15.0-17-generic #18] KVM Guest Kernel:
    meltdown: rfi/fallback displacement flush not enabled bydefault (kvm)
    (LP: #1765429)
    - powerpc/pseries: Fix clearing of security feature flags

  * signing: only install a signed kernel (LP: #1764794)
    - [Packaging] update to Debian like control scripts
    - [Packaging] switch to triggers for postinst.d postrm.d handling
    - [Packaging] signing -- switch to raw-signing tarballs
    - [Packaging] signing -- switch to linux-image as signed when available
    - [Config] signing -- enable Opal signing for ppc64el
    - [Packaging] printenv -- add signing options

  * [18.04 FEAT] Sign POWER host/NV kernels (LP: #1696154)
    - [Packaging] signing -- add support for signing Opal kernel binaries

  * Please cherrypick s390 unwind fix (LP: #1765083)
    - s390/compat: fix setup_frame32

  * Ubuntu 18.04 installer does not detect any IPR based HDD/RAID array [S822L]
    [ipr] (LP: #1751813)
    - d-i: move ipr to storage-core-modules on ppc64el

  * drivers/gpu/drm/bridge/adv7511/adv7511.ko missing (LP: #1764816)
    - SAUCE: (no-up) rename the adv7511 drm driver to adv7511_drm

  * Miscellaneous Ubuntu changes
    - [Packaging] Add linux-oem to rebuild test blacklist.

linux (4.15.0-17.18) bionic; urgency=medium

  * linux: 4.15.0-17.18 -proposed tracker (LP: #1764498)

  * Eventual OOM with profile reloads (LP: #1750594)
    - SAUCE: apparmor: fix memory leak when duplicate profile load

linux (4.15.0-16.17) bionic; urgency=medium

  * linux: 4.15.0-16.17 -proposed tracker (LP: #1763785)

  * [18.04] [bug] CFL-S(CNP)/CNL GPIO testing failed (LP: #1757346)
    - [Config]: Set CONFIG_PINCTRL_CANNONLAKE=y

  * [Ubuntu 18.04] USB Type-C test failed on GLK (LP: #1758797)
    - SAUCE: usb: typec: ucsi: Increase command completion timeout value

  * Fix trying to "push" an already active pool VP (LP: #1763386)
    - SAUCE: powerpc/xive: Fix trying to "push" an already active pool VP

  * hisi_sas: Revert and replace SAUCE patches w/ upstream (LP: #1762824)
    - Revert "UBUNTU: SAUCE: scsi: hisi_sas: export device table of v3 hw to
      userspace"
    - Revert "UBUNTU: SAUCE: scsi: hisi_sas: config for hip08 ES"
    - scsi: hisi_sas: modify some register config for hip08
    - scsi: hisi_sas: add v3 hw MODULE_DEVICE_TABLE()

  * Realtek card reader - RTS5243 [VEN_10EC&DEV_5260] (LP: #1737673)
    - misc: rtsx: Move Realtek Card Reader Driver to misc
    - updateconfigs for Realtek Card Reader Driver
    - misc: rtsx: Add support for RTS5260
    - misc: rtsx: Fix symbol clashes

  * Mellanox [mlx5] [bionic] UBSAN: Undefined behaviour in
    ./include/linux/net_dim.h (LP: #1763269)
    - net/mlx5e: Fix int overflow

  * apparmor bug fixes for bionic (LP: #1763427)
    - apparmor: fix logging of the existence test for signals
    - apparmor: make signal label match work when matching stacked labels
    - apparmor: audit unknown signal numbers
    - apparmor: fix memory leak on buffer on error exit path
    - apparmor: fix mediation of prlimit

  * dangling symlinks to loaded apparmor policy (LP: #1755563) // apparmor bug
    fixes for bionic (LP: #1763427)
    - apparmor: fix dangling symlinks to policy rawdata after replacement

  * [OPAL] Assert fail:
    core/mem_region.c:447:lock_held_by_me(&region->free_list_lock)
    (LP: #1762913)
    - powerpc/watchdog: remove arch_trigger_cpumask_backtrace

  * [LTC Test] Ubuntu 18.04: tm_trap_test failed on P8 compat mode guest
    (LP: #1762928)
    - powerpc/tm: Fix endianness flip on trap

  * Add support for RT5660 codec based sound cards on Baytrail (LP: #1657674)
    - SAUCE: (no-up) ASoC: Intel: Support machine driver for RT5660 on Baytrail
    - SAUCE: (no-up) ASoC: rt5660: Add ACPI support
    - SAUCE: (no-up): ASoC: Intel: bytcr-rt5660: Add MCLK, quirks
    - [Config] CONFIG_SND_SOC_INTEL_BYTCR_RT5660_MACH=m,
      CONFIG_SND_SOC_RT5660=m

  * /dev/ipmi enumeration flaky on Cavium Sabre nodes (LP: #1762812)
    - i2c: xlp9xx: return ENXIO on slave address NACK
    - i2c: xlp9xx: Handle transactions with I2C_M_RECV_LEN properly
    - i2c: xlp9xx: Check for Bus state before every transfer
    - i2c: xlp9xx: Handle NACK on DATA properly

  * [18.04 FEAT] Add kvm_stat from kernel tree (LP: #1734130)
    - tools/kvm_stat: simplify the sortkey function
    - tools/kvm_stat: use a namedtuple for storing the values
    - tools/kvm_stat: use a more pythonic way to iterate over dictionaries
    - tools/kv
[Kernel-packages] [Bug 1755563] Re: dangling symlinks to loaded apparmor policy
** Changed in: linux (Ubuntu Bionic)
       Status: Confirmed => Fix Committed

--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1755563

Title:
  dangling symlinks to loaded apparmor policy

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Artful:
  Confirmed
Status in linux source package in Bionic:
  Fix Committed

Bug description:
  On my artful system running 4.13.0-36-generic I noticed that there are
  dangling symlinks for "raw_data", "raw_sha1" and "raw_abi" files in
  the sysfs path containing loaded apparmor profiles.

  Sample of profiles that had dangling symlinks:

  /sys/kernel/security/apparmor/policy/profiles/snap.core.hook.configure.35/raw_data
  /sys/kernel/security/apparmor/policy/profiles/snap.core.hook.configure.35/raw_abi
  /sys/kernel/security/apparmor/policy/profiles/snap.core.hook.configure.35/raw_sha1

  The following command can be used to find such files:

  find /sys/kernel/security/apparmor/policy/profiles -type l -exec sh -c "file -b {} | grep -q ^broken" \; -print

  The issue was observed on xenial (4.4 kernel), artful (4.13) and
  bionic (4.15).

  I'm reporting this because according to the apparmor developer it
  seems "racy" and should not happen.

   zyga-ubuntu: no, there shouldn't be a way to remove profiles wrong,
  there is the potential for a race of sorts because the symlink doesn't
  have the same hard reference, but that isn't something you should be
  seeing
   zyga-ubuntu: the raw_data file should not be going away as long as
  that profile directory exists

  It is likely that this problem occurs when snapd generates profiles
  for refreshed snaps or removes profiles for removed snaps but I was
  not able to determine that yet.

  I updated my bionic system and noticed a non-snap-related dangling
  symlink when the libreoffice package was updated:

  /sys/kernel/security/apparmor/policy/profiles/libreoffice-senddoc.17/raw_data

  ProblemType: Bug
  DistroRelease: Ubuntu 17.10
  Package: linux-image-4.13.0-36-generic 4.13.0-36.40
  ProcVersionSignature: Ubuntu 4.13.0-36.40-generic 4.13.13
  Uname: Linux 4.13.0-36-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl zcommon znvpair
  ApportVersion: 2.20.7-0ubuntu3.7
  Architecture: amd64
  AudioDevicesInUse:
   USER PID ACCESS COMMAND
   /dev/snd/controlC0: zyga 2431 F pulseaudio
  CurrentDesktop: ubuntu:GNOME
  Date: Tue Mar 13 19:04:50 2018
  InstallationDate: Installed on 2018-02-02 (39 days ago)
  InstallationMedia: Ubuntu 17.10 "Artful Aardvark" - Release amd64 (20180105.1)
  MachineType: VMware, Inc. VMware Virtual Platform
  ProcFB: 0 svgadrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.13.0-36-generic root=UUID=7e995ac2-1858-40bd-8f15-1f291f0c365e ro find_preseed=/preseed.cfg auto noprompt priority=critical locale=en_US quiet
  RelatedPackageVersions:
   linux-restricted-modules-4.13.0-36-generic N/A
   linux-backports-modules-4.13.0-36-generic N/A
   linux-firmware 1.169.3
  RfKill:
   0: hci0: Bluetooth
    Soft blocked: no
    Hard blocked: no
  SourcePackage: linux
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 05/19/2017
  dmi.bios.vendor: Phoenix Technologies LTD
  dmi.bios.version: 6.00
  dmi.board.name: 440BX Desktop Reference Platform
  dmi.board.vendor: Intel Corporation
  dmi.board.version: None
  dmi.chassis.asset.tag: No Asset Tag
  dmi.chassis.type: 1
  dmi.chassis.vendor: No Enclosure
  dmi.chassis.version: N/A
  dmi.modalias: dmi:bvnPhoenixTechnologiesLTD:bvr6.00:bd05/19/2017:svnVMware,Inc.:pnVMwareVirtualPlatform:pvrNone:rvnIntelCorporation:rn440BXDesktopReferencePlatform:rvrNone:cvnNoEnclosure:ct1:cvrN/A:
  dmi.product.name: VMware Virtual Platform
  dmi.product.version: None
  dmi.sys.vendor: VMware, Inc.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1755563/+subscriptions

--
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
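
The check from the bug description, as an added example that is not part of the original thread or of any Ubuntu tooling: it lists each dangling symlink with its stale target and counts them per profile directory, passing path names to the inner shell as arguments instead of splicing {} into the command string. The function names and the sample tree (example.ok.1, example.stale.2 and their link targets) are constructed for illustration.

```sh
#!/bin/sh
# Added example: report dangling symlinks in an apparmorfs-style profiles tree.
# Function names and the sample tree below are assumptions for illustration.

# Path quoted in the bug description; override it to scan another tree.
APPARMOR_PROFILES=${APPARMOR_PROFILES:-/sys/kernel/security/apparmor/policy/profiles}

# find_dangling ROOT
# Prints "<link> -> <target>" for each symlink under ROOT whose target does
# not resolve. Run as root on a live system: a target that is merely
# unreadable also fails the -e test and would be reported as dangling.
find_dangling() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    find "$root" -type l -exec sh -c '
        for link do
            if [ ! -e "$link" ]; then
                printf "%s -> %s\n" "$link" "$(readlink "$link")"
            fi
        done' sh {} +
}

# dangling_by_profile ROOT
# Prints "<count> <profile-dir>" for every directory holding dangling links,
# which shows at a glance whether raw_data, raw_abi and raw_sha1 broke together.
dangling_by_profile() {
    find_dangling "$1" | sed 's| -> .*$||' | while IFS= read -r link; do
        dirname "$link"
    done | sort | uniq -c | sed 's/^ *//'
}

# make_sample_tree DIR
# Builds a constructed tree: one profile whose raw_data link resolves and one
# whose three raw_* links point at a directory that does not exist.
make_sample_tree() {
    base=$1
    mkdir -p "$base/policy/raw_data/1" \
             "$base/policy/profiles/example.ok.1" \
             "$base/policy/profiles/example.stale.2"
    : > "$base/policy/raw_data/1/raw_data"
    ln -s ../../raw_data/1/raw_data "$base/policy/profiles/example.ok.1/raw_data"
    for f in raw_data raw_abi raw_sha1; do
        ln -s "../../raw_data/2/$f" "$base/policy/profiles/example.stale.2/$f"
    done
}
```

On a live system, call `find_dangling "$APPARMOR_PROFILES"` as root.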
[Kernel-packages] [Bug 1755563] Re: dangling symlinks to loaded apparmor policy
I've been testing the patch from jj and I cannot see the issue after 24 hours of intense apparmor activity. +1 from me.

Status in linux package in Ubuntu: Confirmed
Status in linux source package in Artful: Confirmed
Status in linux source package in Bionic: Confirmed
[Kernel-packages] [Bug 1755563] Re: dangling symlinks to loaded apparmor policy
** Description changed: On my artful system running 4.13.0-36-generic I noticed that there are dangling symlinks for "raw_data", "raw_sha1" and "raw_abi" files in the sysfs path containing loaded apparmor profiles. Sample of profiles that had dangling symlinks: /sys/kernel/security/apparmor/policy/profiles/snap.core.hook.configure.35/raw_data /sys/kernel/security/apparmor/policy/profiles/snap.core.hook.configure.35/raw_abi /sys/kernel/security/apparmor/policy/profiles/snap.core.hook.configure.35/raw_sha1 The following command can be used to find such files: find /sys/kernel/security/apparmor/policy/profiles -type l -exec sh -c "file -b {} | grep -q ^broken" \; -print - It seems that neither xenial (4.4 kernel) nor bionic (4.15 kernel) is - affected though I didn't perform an extensive investigation. - - EDIT: This is inaccurate, bionic is affected as well. See below. + The issue was observed on xenial (4.4 kernel), artful (4.13) and bionic + (4.15). I'm reporting this because according to the apaprmor developer it seems "racy" and should not happen. zyga-ubuntu: no, there shouldn't be a way to remove profiles wrong, there is the potential for a race of sorts because the symlink doesn't have the same hard reference, but that isn't something you should be seeing zyga-ubuntu: the raw_data file should not be going away as long as that profile directory exists It is likely that this problem occurs when snapd generates profiles for refreshed snaps or removes profiles for removed snaps but I was not able to determine that yet. 
I updated my bionic system and noticed non-snap-related dangling symlink when the libreoffice package was updated: /sys/kernel/security/apparmor/policy/profiles/libreoffice-senddoc.17/raw_data - ProblemType: Bug DistroRelease: Ubuntu 17.10 Package: linux-image-4.13.0-36-generic 4.13.0-36.40 ProcVersionSignature: Ubuntu 4.13.0-36.40-generic 4.13.13 Uname: Linux 4.13.0-36-generic x86_64 NonfreeKernelModules: zfs zunicode zavl zcommon znvpair ApportVersion: 2.20.7-0ubuntu3.7 Architecture: amd64 AudioDevicesInUse: USERPID ACCESS COMMAND /dev/snd/controlC0: zyga 2431 F pulseaudio CurrentDesktop: ubuntu:GNOME Date: Tue Mar 13 19:04:50 2018 InstallationDate: Installed on 2018-02-02 (39 days ago) InstallationMedia: Ubuntu 17.10 "Artful Aardvark" - Release amd64 (20180105.1) MachineType: VMware, Inc. VMware Virtual Platform ProcFB: 0 svgadrmfb ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.13.0-36-generic root=UUID=7e995ac2-1858-40bd-8f15-1f291f0c365e ro find_preseed=/preseed.cfg auto noprompt priority=critical locale=en_US quiet RelatedPackageVersions: linux-restricted-modules-4.13.0-36-generic N/A linux-backports-modules-4.13.0-36-generic N/A linux-firmware 1.169.3 RfKill: 0: hci0: Bluetooth Soft blocked: no Hard blocked: no SourcePackage: linux UpgradeStatus: No upgrade log present (probably fresh install) dmi.bios.date: 05/19/2017 dmi.bios.vendor: Phoenix Technologies LTD dmi.bios.version: 6.00 dmi.board.name: 440BX Desktop Reference Platform dmi.board.vendor: Intel Corporation dmi.board.version: None dmi.chassis.asset.tag: No Asset Tag dmi.chassis.type: 1 dmi.chassis.vendor: No Enclosure dmi.chassis.version: N/A dmi.modalias: dmi:bvnPhoenixTechnologiesLTD:bvr6.00:bd05/19/2017:svnVMware,Inc.:pnVMwareVirtualPlatform:pvrNone:rvnIntelCorporation:rn440BXDesktopReferencePlatform:rvrNone:cvnNoEnclosure:ct1:cvrN/A: dmi.product.name: VMware Virtual Platform dmi.product.version: None dmi.sys.vendor: VMware, Inc. 
Status in linux package in Ubuntu: Confirmed
Status in linux source package in Artful: Confirmed
Status in linux source package in Bionic: Confirmed
[Kernel-packages] [Bug 1755563] Re: dangling symlinks to loaded apparmor policy
** Tags added: kernel-da-key

** Changed in: linux (Ubuntu)
   Importance: Undecided => Medium

** Also affects: linux (Ubuntu Bionic)
   Importance: Medium
       Status: Confirmed

** Also affects: linux (Ubuntu Artful)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu Artful)
       Status: New => Confirmed

** Changed in: linux (Ubuntu Artful)
   Importance: Undecided => Medium

Status in linux package in Ubuntu: Confirmed
Status in linux source package in Artful: Confirmed
Status in linux source package in Bionic: Confirmed
[Kernel-packages] [Bug 1755563] Re: dangling symlinks to loaded apparmor policy
** Description changed: On my artful system running 4.13.0-36-generic I noticed that there are dangling symlinks for "raw_data", "raw_sha1" and "raw_abi" files in the sysfs path containing loaded apparmor profiles. Sample of profiles that had dangling symlinks: /sys/kernel/security/apparmor/policy/profiles/snap.core.hook.configure.35/raw_data /sys/kernel/security/apparmor/policy/profiles/snap.core.hook.configure.35/raw_abi /sys/kernel/security/apparmor/policy/profiles/snap.core.hook.configure.35/raw_sha1 The following command can be used to find such files: find /sys/kernel/security/apparmor/policy/profiles -type l -exec sh -c "file -b {} | grep -q ^broken" \; -print It seems that neither xenial (4.4 kernel) nor bionic (4.15 kernel) is affected though I didn't perform an extensive investigation. + EDIT: This is inaccurate, bionic is affected as well. See below. + I'm reporting this because according to the apaprmor developer it seems "racy" and should not happen. zyga-ubuntu: no, there shouldn't be a way to remove profiles wrong, there is the potential for a race of sorts because the symlink doesn't have the same hard reference, but that isn't something you should be seeing zyga-ubuntu: the raw_data file should not be going away as long as that profile directory exists It is likely that this problem occurs when snapd generates profiles for refreshed snaps or removes profiles for removed snaps but I was not able to determine that yet. 
+ I updated my bionic system and noticed non-snap-related dangling symlink when the libreoffice package was updated: + /sys/kernel/security/apparmor/policy/profiles/libreoffice-senddoc.17/raw_data + + ProblemType: Bug DistroRelease: Ubuntu 17.10 Package: linux-image-4.13.0-36-generic 4.13.0-36.40 ProcVersionSignature: Ubuntu 4.13.0-36.40-generic 4.13.13 Uname: Linux 4.13.0-36-generic x86_64 NonfreeKernelModules: zfs zunicode zavl zcommon znvpair ApportVersion: 2.20.7-0ubuntu3.7 Architecture: amd64 AudioDevicesInUse: - USERPID ACCESS COMMAND - /dev/snd/controlC0: zyga 2431 F pulseaudio + USERPID ACCESS COMMAND + /dev/snd/controlC0: zyga 2431 F pulseaudio CurrentDesktop: ubuntu:GNOME Date: Tue Mar 13 19:04:50 2018 InstallationDate: Installed on 2018-02-02 (39 days ago) InstallationMedia: Ubuntu 17.10 "Artful Aardvark" - Release amd64 (20180105.1) MachineType: VMware, Inc. VMware Virtual Platform ProcFB: 0 svgadrmfb ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.13.0-36-generic root=UUID=7e995ac2-1858-40bd-8f15-1f291f0c365e ro find_preseed=/preseed.cfg auto noprompt priority=critical locale=en_US quiet RelatedPackageVersions: - linux-restricted-modules-4.13.0-36-generic N/A - linux-backports-modules-4.13.0-36-generic N/A - linux-firmware 1.169.3 + linux-restricted-modules-4.13.0-36-generic N/A + linux-backports-modules-4.13.0-36-generic N/A + linux-firmware 1.169.3 RfKill: - 0: hci0: Bluetooth - Soft blocked: no - Hard blocked: no + 0: hci0: Bluetooth + Soft blocked: no + Hard blocked: no SourcePackage: linux UpgradeStatus: No upgrade log present (probably fresh install) dmi.bios.date: 05/19/2017 dmi.bios.vendor: Phoenix Technologies LTD dmi.bios.version: 6.00 dmi.board.name: 440BX Desktop Reference Platform dmi.board.vendor: Intel Corporation dmi.board.version: None dmi.chassis.asset.tag: No Asset Tag dmi.chassis.type: 1 dmi.chassis.vendor: No Enclosure dmi.chassis.version: N/A dmi.modalias: 
dmi:bvnPhoenixTechnologiesLTD:bvr6.00:bd05/19/2017:svnVMware,Inc.:pnVMwareVirtualPlatform:pvrNone:rvnIntelCorporation:rn440BXDesktopReferencePlatform:rvrNone:cvnNoEnclosure:ct1:cvrN/A: dmi.product.name: VMware Virtual Platform dmi.product.version: None dmi.sys.vendor: VMware, Inc.
Status in linux package in Ubuntu: Confirmed