*** This bug is a duplicate of bug 1728120 ***
https://bugs.launchpad.net/bugs/1728120
** This bug has been marked a duplicate of bug 1728120
apparmor_parser is missing fix for rule down grades
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages,
Yes, that stings but wasn't unexpected. It will take a while to get
features going back upstream, but in the long term this will actually
benefit apparmor, as it is forcing the development of fine-grained
policy versioning, which has been needed for years but never a top priority.
--
> The kernel patch causing the issue has been reverted. So 4.14-rc7
> should work as pre 4.14-rc2
Great! (Modulo Linus' commit message…)
--
** Changed in: apparmor (Ubuntu)
Status: Confirmed => Invalid
** Changed in: apparmor (Ubuntu Xenial)
Status: Confirmed => Invalid
** Changed in: apparmor (Ubuntu Zesty)
Status: Confirmed => Invalid
** Changed in: apparmor (Ubuntu Artful)
Status: Confirmed => Invalid
Okay, thank you everyone for your feedback.
The kernel patch causing the issue has been reverted. So 4.14-rc7 should
work as pre 4.14-rc2
This bug has become a dumping ground for multiple issues so I am going
to create new bugs to track the issues individually and close this bug
down. Please see th
@John: O.K., I think this excerpt from kern.log is what you might be
looking for.
** Attachment added: "kern.log.txt"
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1721278/+attachment/4995556/+files/kern.log.txt
--
@Doug,
can you attach your breakage?
--
https://bugs.launchpad.net/bugs/1721278
Title:
apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed"
Further to my comment #32: That setup then breaks lots of stuff if I
subsequently boot a normal default kernel (i.e. 4.4.0-96-generic). I'm
going back to just booting with apparmor disabled.
--
I integrated the PPA, but under Ubuntu 16.04.3 LTS no updates are
available. The package *apparmor* 2.10.95-0ubuntu2.7 is installed.
```
$ sudo add-apt-repository ppa:apparmor-dev/apparmor-devel
$ sudo apt-get update
```
--
@Paul,
sorry no. At least not unless you are doing some very specific pinning
of the kernel features abi as I suggested as a solution in #19.
You will need the userspace fix in the ppa until ubuntu can land an SRU
of either patch r3700 or a full SRU of the current maintenance releases.
With the u
Dear Christian,
On 24.10.2017 at 19:14, Christian Boltz wrote:
>> ... apparmor="DENIED" operation="create" ... family="unix"
> sock_type="stream"
>
> With the pinned-down feature set, you probably "lost" support for unix
> rules.
Sorry, I have no clue about the internals. I just use what’s shi
> ... apparmor="DENIED" operation="create" ... family="unix"
> sock_type="stream"
With the pinned-down feature set, you probably "lost" support for unix
rules.
In theory, apparmor_parser will downgrade those rules to "network unix,"
- but in practice a bug in apparmor_parser prevented it. This bug w
@John, thank you for the patch, but maybe I misunderstood it. Applying
that patch to Linus’ master branch, should fix the regression, right? No
user space change needed, correct?
```
$ git log --oneline -2
4a4a4a7 apparmor: fix regression in network mediation when using feature pinning
6cff0a1 Mer
```
@John: That patch works great, thanks.
On kernel 4.14-rc6 + patch, I re-did the stuff from my comment #22,
which in turn was implementing one of the methods from your comment #19.
This time it worked.
--
The attachment "Fix regression in network mediation" seems to be a
patch. If it isn't, please remove the "patch" flag from the attachment,
remove the "patch" tag, and if you are a member of the ~ubuntu-
reviewers, unsubscribe the team.
[This is an automated message performed by a Launchpad user o
Dear John,
On 10/24/17 12:55, John Johansen wrote:
> On 10/24/2017 02:32 AM, Paul Menzel wrote:
>> I’d really like to try the Linux kernel fix. Can I get it from
>> somewhere?
>>
> commit 8baea25455c08173713fdbceac99309192518ffb
> Author: John Johansen
> Date: Mon Oct 23 08:51:24 2017 -0700
>
Several people have asked for the patch
** Patch added: "Fix regression in network mediation"
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1721278/+attachment/4990797/+files/0001-apparmor-fix-regression-in-network-mediation-when-us.patch
--
On 10/24/2017 02:32 AM, Paul Menzel wrote:
> I’d really like to try the Linux kernel fix. Can I get it from
> somewhere?
>
commit 8baea25455c08173713fdbceac99309192518ffb
Author: John Johansen
Date: Mon Oct 23 08:51:24 2017 -0700
apparmor: fix regression in network mediation when using fea
I’d really like to try the Linux kernel fix. Can I get it from
somewhere?
--
Alright userspace packages with the parser fix are available in
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-devel
zesty is still building.
So to recap which solutions are needed where.
ubuntu kernel + apparmor 2.11.X - no patches needed
upstream 4.14-rc6 or earlier - policy p
Rocko: thanks for the patch, just so people know this is a work around
patch which adjusts policy instead of fixing the bug in the parser.
--
@Doug,
thanks for testing. I've managed to track down a bug in the kernel; I'll
try to get a fix merged before 4.14 final.
I also have apparmor userspace fixes building in the apparmor ppa and
will post those up for further testing once they are done.
--
If it helps anyone, I've got 4.14-rc5 and apparmor working. I've posted
a patch at the duplicate bug
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1724450.
--
@John:
I tried your suggestion on my main 16.04.3 test server. I edited
/etc/apparmor/parser.conf, keeping an "original copy" first.
And used "the hand edited features 4.14 feature file attached".
It made things worse, as in addition to mysql and libvirt not starting,
now the network doesn't sta
Yes. Ideally we would grab the upstream maintenance releases with the
patches in them. But upstream hasn't had time to release them yet. It
should happen this week
--
John,
It sounds like we should backport r3700 to all Ubuntu releases?
--
This bug is annoying in that there isn't a single switch to toggle to
work around it. You can pin the feature file but getting the feature
file you want requires some editing, or booting into a 4.13 upstream
kernel (at which point you lose the other features landed in 4.14).
To pin the features f
John wrote:
> Ubuntu's parser is missing upstream commit r3700, resulting in this failure.
Is there any boot option that would allow Ubuntu mainline kernels to work?
For my own work, and as mentioned in comment #3, I am compiling with "#
CONFIG_SECURITY_APPARMOR is not set".
--
Ubuntu's parser is missing upstream commit r3700, resulting in this
failure.
--
Here you go. This is from a kernel built on 4.14-rc4 right after boot
where dhclient is failing.
** Attachment added: "sbin.dhclient"
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1721278/+attachment/4974238/+files/sbin.dhclient
--
Could someone who is having this issue also attach a profile cache file
for the profile that is failing? So I can verify what your local
compiles are doing.
you can grab the binary cache file out of
/etc/apparmor.d/cache/sbin.dhclient
or compile it with
apparmor_parser -o output_file /etc/app
@Doug,
I forgot to mention this in my above explanation: the reason you see this
with 4.14-rc2 and not 4.14-rc1 is that there was a problem with the
security tree merge, and Linus ended up pulling the security changes in
between rc1 and rc2.
--
err make that 4.14 not 4.13 in my above explanation
--
@Doug,
not a kernel regression and not an incompatible kernel change either.
The kernel does support the older abi, however the compiled policy being
sent to the kernel is for the new abi that the kernel is now advertising
as being supported.
The kernel advertises its supported feature set and ab
As of 4.13 the upstream kernel does support basic socket mediation which
does include unix sockets. This denial is not due to fine grained unix
socket mediation.
--
> This isn't really an *Ubuntu* issue per se as we've never claimed to
> support apparmor profiles with non-Ubuntu kernels.
So I think the problem is that kernel team maintains a PPA of mainline
kernels and often will ask users to check stuff with mainline kernel
when there are bugs that come up. Th
And FWIW the /sbin/dhclient and /usr/lib/NetworkManager/nm-dhcp-helper
errors are also family="unix" denying create operations.
--
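As an added illustration (not code from the bug report or from the AppArmor project), the script below parses kernel audit lines in the apparmor="DENIED" format quoted throughout this thread and counts, per profile, exactly the class of event this comment and the bug title describe: operation="create" on a family="unix" socket. The sample lines are constructed to match that field layout; the hostname, timestamps and PIDs in them are placeholders, not excerpts from any reporter's kern.log.

```python
"""Group AppArmor DENIED audit lines from kern.log by profile and socket family.

Added example, not code from the bug report. The sample lines are
constructed to match the field layout quoted in the thread; hostname,
timestamps and PIDs are placeholders, not real log excerpts.
"""
import re
from collections import Counter

# Constructed sample: three unix-socket create denials (the symptom the thread
# describes), one file-open denial and one inet denial that must be ignored,
# and one non-apparmor line that the parser must skip.
SAMPLE_KERN_LOG = """\
Oct  6 21:16:01 host kernel: [   12.345678] audit: type=1400 audit(1507320961.123:40): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=1123 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
Oct  6 21:16:02 host kernel: [   13.001122] audit: type=1400 audit(1507320962.456:41): apparmor="DENIED" operation="create" profile="/sbin/dhclient" pid=1201 comm="dhclient" family="unix" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
Oct  6 21:16:02 host kernel: [   13.002233] audit: type=1400 audit(1507320962.789:42): apparmor="DENIED" operation="create" profile="/usr/lib/NetworkManager/nm-dhcp-helper" pid=1202 comm="nm-dhcp-helper" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
Oct  6 21:16:03 host kernel: [   14.000000] audit: type=1400 audit(1507320963.000:43): apparmor="DENIED" operation="open" profile="/usr/sbin/cups-browsed" name="/etc/cups/cups-browsed.conf" pid=1123 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct  6 21:16:03 host kernel: [   14.100000] audit: type=1400 audit(1507320963.100:44): apparmor="DENIED" operation="create" profile="/sbin/dhclient" pid=1201 comm="dhclient" family="inet" sock_type="dgram" protocol=17 requested_mask="create" denied_mask="create"
Oct  6 21:16:04 host kernel: NetworkManager: starting
"""

# key="quoted value" or key=bareword, as the apparmor audit code emits them
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_line(line):
    """Return the key/value fields of one apparmor audit line as a dict,
    or None when the line carries no apparmor="..." marker."""
    if 'apparmor="' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in _FIELD.findall(line)}


def denial_summary(lines):
    """Count DENIED events keyed by (profile, operation, family, sock_type).
    Non-socket denials (file opens etc.) keep None for family/sock_type so
    they are still visible in the summary."""
    counts = Counter()
    for line in lines:
        fields = parse_apparmor_line(line)
        if not fields or fields.get("apparmor") != "DENIED":
            continue
        counts[(fields.get("profile"), fields.get("operation"),
                fields.get("family"), fields.get("sock_type"))] += 1
    return dict(counts)


def unix_create_denials(lines):
    """Per-profile count of the denial class the thread is about:
    operation="create" on a family="unix" socket. Everything else is ignored."""
    per_profile = Counter()
    for (profile, op, family, _sock_type), n in denial_summary(lines).items():
        if op == "create" and family == "unix":
            per_profile[profile] += n
    return dict(per_profile)


if __name__ == "__main__":
    for profile, n in sorted(unix_create_denials(SAMPLE_KERN_LOG.splitlines()).items()):
        print(f"{n:3d}  {profile}")
```

Run against a real kern.log with `unix_create_denials(open("/var/log/kern.log").readlines())`; a set of unrelated profiles (cups-browsed, dhclient, nm-dhcp-helper, libvirtd, mysql) all failing only on family="unix" create is the signature of a policy/kernel feature mismatch rather than of profiles that are individually wrong, which is the distinction the thread draws.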
This isn't really an *Ubuntu* issue per se as we've never claimed to
support apparmor profiles with non-Ubuntu kernels. I do think it is
interesting that there are 'unix' denials on a kernel that isn't
supposed to support unix rules.
John, can you comment on this?
--
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: apparmor (Ubuntu Zesty)
Status: New => Confirmed
--
> I've found that it's more than just cups that blows up; some networking
> related items (DHCP client, network manager IIRC) also explode.
yes, and libvirtd and mysql.
I was not aware of "teardown". I'll try it when I get a chance.
--
I've personally confirmed this with both artful and xenial userspace with
4.14-rc4.
A temporary solution other than compiling without apparmor is to do
teardown/stop
# /etc/init.d/apparmor teardown
# /etc/init.d/apparmor stop
--
I've found that it's more than just cups that blows up; some networking
related items (DHCP client, network manager IIRC) also explode.
** Summary changed:
- apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed"
+ apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/
Paul wrote:
> I am using Linux 4.14-rc3+.
O.K. that is/was really important information.
While I have been calling this a kernel regression, it might be that a
great number of apparmor profiles need to be updated to accommodate the
new security stuff that was introduced in kernel 4.14-rc2 (it mi
Dear Doug,
Thank you for your reply.
On 10/06/17 21:16, Doug Smythies wrote:
> Which kernel are you using?
I am using Linux 4.14-rc3+.
> On my development 17.10 Desktop, I get the same as you but only for mainline
> kernels 4.14-rc2 and 4.14-rc3. Earlier kernels, including mainline 4.14-rc1 >
Which kernel are you using?
On my development 17.10 Desktop, I get the same as you but only for mainline
kernels 4.14-rc2 and 4.14-rc3. Earlier kernels, including mainline 4.14-rc1,
seem to be fine with respect to this issue.
--