It is fixed to the degree it can be fixed until upstream agrees on
changes in the LSM layer.
The apparmor devs certainly can do the work of proposing new hooks, etc
that are necessary but it hasn't been the highest priority item. I will
note that this is a high priority item, just that others
There was an attempt to revive this Dec. 6, 2017
https://lists.ubuntu.com/archives/apparmor/2017-December/011370.html
Upstream there is belief in using generic audit message types. The
problem is that apparmor, selinux and smack messages differ, so they
aren't so common.
This is going to have
Marked this public security for now so it is on the security team radar
and it can be reviewed by them.
** Information type changed from Public to Public Security
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in
In 4.20 we landed some of the infrastructure to support this.
Specifically secmark support was landed which provides the
infrastructure needed for apparmor labels to interact with iptables and
iptables to interact with apparmor.
This isn't something generally available for use yet as it
No disagreement that this is a high priority item. There is some work
around fine grained mediation happening but I am unsure when it will
land.
The problem is that this is not the only high priority item that needs
to be addressed. Changing priority of these items can certainly be
discussed
It's being caused by the gnome system-monitor snap. Its author is missing
some permissions required to use it properly on your system. It looks
like the system monitor is running and it keeps polling the file causing
this denial.
The apparmor rule to fix this is
/run/mount/utab r,
You
Sadly yes. AppArmor currently doesn't do audit message deduping, leaving
it entirely to the audit infrastructure. Which means denial messages can
fill the logs.
There is current work to fix this by providing a dedup cache that will
hopefully land in 4.20
** Changed in: apparmor (Ubuntu)
** Tags added: verification-done-bionic
https://bugs.launchpad.net/bugs/1780227
Title:
locking sockets broken due to missing AppArmor socket mediation
** Tags removed: verification-needed-bionic verification-needed-xenial
** Tags added: verification-done-xenial
https://bugs.launchpad.net/bugs/1780227
I have placed ubuntu test kernels for xenial and bionic in
http://people.canonical.com/~jj/lp1780227/
the patch is attached
** Patch added:
"0001-UBUNTU-SAUCE-apparmor-fix-apparmor-mediating-locking.patch"
Sadly we ran into two separate issues.
1. the kernel mapping of the permission won't allow the lock perm to be
carried through on all kernels.
I have a patch for it now, but pita
2. the release process needed some updating to uhm work with the move to
git and gitlab as hosting.
So with the
I will try to get the point releases out today.
https://bugs.launchpad.net/bugs/1780227
Title:
locking sockets broken due to missing AppArmor socket
can you please test with a kernel that is Ubuntu-4.4.0-37.56 or later
https://bugs.launchpad.net/bugs/1615144
Title:
BUG: unable to handle kernel NULL
Profile state should never crash apparmor.
The userspace, no matter its state, should never be able to crash the
kernel. Profiles go through a verification process before the kernel
will make them available.
The "half" configured state may mean that not all apparmor profiles are
loaded, or that
So I have been looking at this again, and have found a couple issues.
1. Where prlimit is concerned, AppArmor adds an additional restriction on
when cap sys_resource is required. The CAP_SYS_RESOURCE capability is
required if the target process's label does not match that of the
caller.
Hence why
Public bug reported:
LXD containers on an artful or bionic host with aa namespaces, should be
able to load the lxc policies. However /lib/apparmor/profile-load skips
that part when running in a container.
aa-status shows 0 policies
/lib/apparmor/profile-load is failing due to
Yes, the split parser has been an issue for a long time. There has been a
plan to make the flex/yacc/C parser code available as a lib for the
other tools but it's one of those things that never gets resources
allocated.
The short term fix for this is probably a backport of a newer version of
the
Yes, that stings but wasn't unexpected. It will take a while to get
features going back upstream but in the long term this will actually
benefit apparmor, as it is forcing the development of fine grained
policy versioning which has been needed for years but never a top priority.
** Changed in: apparmor (Ubuntu)
Status: Confirmed => Invalid
** Changed in: apparmor (Ubuntu Xenial)
Status: Confirmed => Invalid
** Changed in: apparmor (Ubuntu Zesty)
Status: Confirmed => Invalid
** Changed in: apparmor (Ubuntu Artful)
Status: Confirmed => Invalid
Okay thank you everyone for your feedback.
The kernel patch causing the issue has been reverted. So 4.14-rc7 should
work as pre 4.14-rc2
This bug has become a dumping ground for multiple issues so I am going
to create new bugs to track the issues individually and close this bug
down. Please see
Public bug reported:
Currently allows pinning a single feature abi or running in a developer
mode where the full abi available of the current kernel is enforced.
However this can result in breaking applications in undesirable ways.
If an application is shipped with its own policy, that policy
Public bug reported:
When a feature abi that does not support network rules is loaded into a
kernel that does, the policy is incorrectly enforced resulting in
network denials.
The kernel should be correctly enforcing the feature abi by not applying
the network mediation that is explicitly not
Public bug reported:
The Ubuntu version of apparmor is missing the fix for rule downgrades
that exist in the current upstream maintenance releases.
This fix is needed to properly handle policy for different kernel abis.
The fix can be obtained either through SRUing the appropriate
maintenance
@Doug,
can you attach your breakage?
https://bugs.launchpad.net/bugs/1721278
Title:
apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed"
@Paul,
sorry no. At least not unless you are doing some very specific pinning
of the kernel features abi as I suggested as a solution in #19.
You will need the userspace fix in the ppa until ubuntu can land an SRU
of either patch r3700 or a full SRU of the current maintenance releases.
With the
Several people have asked for the patch
** Patch added: "Fix regression in network mediation"
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1721278/+attachment/4990797/+files/0001-apparmor-fix-regression-in-network-mediation-when-us.patch
On 10/24/2017 02:32 AM, Paul Menzel wrote:
> I’d really like to try the Linux kernel fix. Can a get it from
> somewhere?
>
commit 8baea25455c08173713fdbceac99309192518ffb
Author: John Johansen <john.johan...@canonical.com>
Date: Mon Oct 23 08:51:24 2017 -0700
apparmor:
Alright userspace packages with the parser fix are available in
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-devel
zesty is still building.
So to recap which solutions are needed where.
ubuntu kernel + apparmor 2.11.X - no patches needed
upstream 4.14-rc6 or earlier - policy
Rocko: thanks for the patch, just so people know this is a work around
patch which adjusts policy instead of fixing the bug in the parser.
@Doug,
thanks for testing, I've managed to track down a bug in the kernel, I'll
try to get a fix merged before 4.14 final,
also I have apparmor userspace fixes building in the apparmor ppa and
will post those up for further test once they are done
** Changed in: apparmor
Status: Fix Committed => Fix Released
** Changed in: apparmor/2.10
Status: Fix Committed => Fix Released
** Changed in: apparmor/2.9
Status: Fix Committed => Fix Released
** Changed in: apparmor
Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/1661766
Title:
aa-genprof crashes on start due to
** Changed in: apparmor/master
Status: Fix Committed => Fix Released
** Changed in: apparmor/2.9
Status: Fix Committed => Fix Released
** Changed in: apparmor/2.11
Status: Fix Committed => Fix Released
** Changed in: apparmor/2.10
Status: Fix Committed => Fix
** Changed in: apparmor/master
Status: Fix Committed => Fix Released
** Changed in: apparmor/2.9
Status: Fix Committed => Fix Released
** Changed in: apparmor/2.11
Status: Fix Committed => Fix Released
** Changed in: apparmor/2.10
Status: Fix Committed => Fix
** Changed in: apparmor
Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/1628286
Title:
[utils] DBus rules
** Changed in: apparmor
Status: Fix Committed => Fix Released
** Changed in: apparmor/2.10
Status: Fix Committed => Fix Released
** Changed in: apparmor/2.9
Status: Fix Committed => Fix Released
** Changed in: apparmor/2.10
Status: Fix Committed => Fix Released
** Changed in: apparmor/2.11
Status: Fix Committed => Fix Released
** Changed in: apparmor/2.9
Status: Fix Committed => Fix Released
Yes. Ideally we would grab the upstream maintenance releases with the
patches in them. But upstream hasn't had time to release them yet. It
should happen this week
This bug is annoying in that there isn't a single switch to toggle to
work around it. You can pin the feature file but getting the feature
file you want requires some editing, or booting into a 4.13 upstream
kernel (at which point you lose the other features landed in 4.14).
To pin the features
Ubuntu's parser is missing upstream commit r3700, resulting in this
failure.
https://bugs.launchpad.net/bugs/1721278
Title:
apparmor="DENIED"
*** This bug is a duplicate of bug 1721278 ***
https://bugs.launchpad.net/bugs/1721278
** This bug has been marked a duplicate of bug 1721278
apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/
4.14-rc2 and later
Could someone who is having this issue also attach a profile cache file
for the profile that is failing? So I can verify what your local
compiles are doing.
you can grab the binary cache file out of
/etc/apparmor.d/cache/sbin.dhclient
or compile it with
apparmor_parser -o output_file
@Doug,
I forgot to mention this in my above explanation: the reason you see this
with 4.14-rc2 and not 4.14-rc1 is that there was a problem with the
security tree merge and Linus ended up pulling the security changes in
between rc1 and rc2.
err make that 4.14 not 4.13 in my above explanation
https://bugs.launchpad.net/bugs/1721278
Title:
apparmor="DENIED" operation="create"
@Doug,
not a kernel regression and not an incompatible kernel change either.
The kernel does support the older abi, however the compiled policy being
sent to the kernel is for the new abi that the kernel is now advertising
as being supported.
The kernel advertises its supported feature set and
As of 4.13 the upstream kernel does support basic socket mediation which
does include unix sockets. This denial is not due to fine grained unix
socket mediation.
I have not had time to chase this one enough to answer it, yet. It is
high on the priority list but it seems that list is growing faster than
I can service it lately.
In general I can say ubuntu does have both rules as there are some in
the includes. And there is of course the unconfined
signal is actually in 4.13 as well
https://bugs.launchpad.net/bugs/1719471
Title:
ptrace doesnt't trigger/work as expected
Status in apparmor package in
On 09/25/2017 12:16 PM, Vincas Dargis wrote:
> I can provide merge request, and I would like to suggest simplifying
> that ever-growing expression.
>
> Couldn't it be just [0-9]*? Are there possibility that `/proc` will have
Well it could, but it's not as tight as I would like, ideally we could
This is caused by an anonymous socket communication channel between
dovecot and anvil. If this problem is not happening in 16.04 (unless you
are using the release kernel) then it will be because of a change to
dovecot, newer versions of apparmor have been SRUed back to 16.04
It's an anonymous socket. The best you can do is
to /usr/sbin/dovecot/anvil add
unix (send, receive) peer=(label=/usr/sbin/dovecot),
to /usr/sbin/dovecot add
unix (send, receive) peer=(label=/usr/sbin/dovecot/anvil),
@Bjoern can you set a couple of apparmor flags and report back what is
reported in the logs?
Specifically as root can you do
echo -n "noquiet" > /sys/module/apparmor/parameters/audit
echo 1 > /sys/module/apparmor/parameters/debug
echo 0 > /proc/sys/kernel/printk_ratelimit
and then restart
There is a xenial test kernel at
http://people.canonical.com/~jj/lp1701297/
I have not had a chance to try it yet. I'll try to get to it in a few
hours after some sleep.
Well that explains it. So we would have seen this issues from release
except for the cloud-init bug.
Now we need to isolate the fix and backport it to the ga kernel.
From an apparmor pov those 2 kernels are almost identical, with the 4.4
kernel picking up a couple of backport patches, that just do some simple
remapping and should not affect behavior.
There are however some external changes that could affect apparmor mediation
binfmt_elf change
On 06/30/2017 07:52 PM, Seth Arnold wrote:
> Hello intrigeri, this one is a bit involved.
>
> As it is systemd's support for AppArmor is to issue a change_profile
> call before executing a unit's executable. This requires the profile to
> already be loaded, which currently means a pre-task that
Andres,
can you be more specific about the kernel version of the hwe kernel you
are seeing this on?
https://bugs.launchpad.net/bugs/1701297
Title:
NTP
parameter in
artful/4.11
Status in apparmor package in Ubuntu:
New
Bug description:
The longpath regression test tries to write to
/sys/module/apparmor/parameters/path_max, but this is read-only in
artful/4.11:
commit cdc8e09e16bb7eb7d23fcbdbe416aa91770fb4d6
Author: John Johansen
@Simmon,
You are right, that will require extending what is supported in the
mediation, beyond even landing support for #2. It will take a bit of
work, but we can definitely do it. My preferred solution is more work
than the quickest/easiest solution, as it requires landing a few things
that
I think performance, and flexibility wise, the best solution would be to
move mediation entirely to userspace.
Use the key/value store to provide flexibility on what match ordering to
use, userspace policy caching so we don't have to round trip the kernel
except when the policy is invalidated by
There are actually a couple of ways to add it, and still keep userspace
compatibility. Kernel side we are actually often checking partial
matches, and due is a permission but AA_CONTINUE to indicate that if
permissions aren't satisfied to continue the match.
This could be emulated in userspace a
The message type certainly could be added. However it is not the only way
this separation can be achieved.
The label in particular should be able to be used without tying it to a
specific service. Admittedly this is somewhat limited atm.
1. the label name on a service does not have to match its
So the first kernel tried may have had the flock mediation patch. It was in
4.4.0-67.88
Reverted in
4.4.0-70.91
which would help explain the switch in denial from
file_mmap rm
to
file_mprotect r
I am unsure why the request for mprotect is showing up. At this point we
need to start
Okay, this kernel does NOT contain the caching fix. So it is not the
cause of the issue.
https://bugs.launchpad.net/bugs/1655982
Title:
cups-browsed fails
@Jamie may be right in his guesses but there is not enough information
here to be sure. The stacking work exists in the Xenial, Yakkety, and
Zesty kernels. But the patch Jamie is referring to only exists in the
Zesty kernel (it did exist in Xenial and Yakkety until reverted).
Please attach the
Note, if we are running the right kernel, there is no reason that we
couldn't have trusty containers load profiles.
https://bugs.launchpad.net/bugs/1686612
There is a bug in the /etc/apparmor.d/abstractions/libvirt-qemu file on
line 183
/sys/devices/system/cpu/cpu*/online r
is missing the trailing ,
it should be
/sys/devices/system/cpu/cpu*/online r,
this prevents libvirt from loading the vm profile. Unfortunately it does
not report the
Thanks Stéphane,
@Christian, it looks like adding a rule
/dev/pts/ptmx rw,
to the profile is necessary for now.
https://bugs.launchpad.net/bugs/1684481
Hey Christian,
thanks for the profiles, I haven't had a chance to dig into them yet,
but after a quick first pass they look as expected.
so very interesting. First up apparmor has always done mediation post
symlink resolution, this is not new with stacking. What is new with
stacking is we are
It's true there are a few issues with apparmor profiles being loaded as
part of a stack when namespacing is involved. However this does not
appear to be one of them.
However the application may be behaving slightly differently resulting
in the profile needing to be extended. Can you please attach
Every release that supports prlimit is at least partially affected.
However the xenial, yakkety, zesty releases that have the stacking support
code compound the issue.
I'll look into the ppc64el build, I'm sure it's possible, it's just one that
I have never done a test kernel for so I will have to learn
I have placed amd64 test kernels at
http://people.canonical.com/~jj/lp1679704/
It fixes the complain issue, which should let you proceed without
removing the profile and I am working on a regression test to add to the
test suite.
The capable request comes from chrome after it has setup a user
namespace. However apparmor can not currently detect the difference
between the system namespace and the user namespace.
Unfortunately the only solution at this time is to allow
capable sys_admin,
in the
please update your kernel, you are running the 4.4.0-21.37
This issue was fixed in Ubuntu 4.4.0-37.56 kernel
https://bugs.launchpad.net/bugs/1678291
For now yes, but I think going forward we are going to want to split the
systemd bits in a subabstraction.
https://bugs.launchpad.net/bugs/1670408
The entire apparmor patch series was reverted regardless of whether the
patch had any link to a regression, or security fix.
The majority of the patches will be reapplied and go through the SRU
cycle again.
** Tags removed: verification-needed-yakkety
** Tags added: verification-done-yakkety
https://bugs.launchpad.net/bugs/1660832
Title:
unix domain socket
Please describe the failure, including the logs so I can analyze. Just
because the container fails to start does not mean that the fix is bad.
There can be other issues that result in the failure.
Specifically this bug is for the denial message seen in comment #5 and
not the denied messages
You can try the set of kernel in
http://people.canonical.com/~jj/linux+jj/
https://bugs.launchpad.net/bugs/1666748
Title:
Apparmor problem inside a lxd
The peer="---" is likely due to bug 1660832, which has been fixed in the
latest set of kernels that should be rolling out this week.
There is a 3rd level of check that can be applied if those sha1sums
don't match.
sys/kernel/security/apparmor/policy/profiles/usr.sbin.libvirtd.*/raw_hash
should be the same as the sha1sum for raw_data
i.e
$ cat sys/kernel/security/apparmor/policy/profiles/usr.sbin.libvirtd.*/raw_hash
James, I can give you access to a custom kernel and library that
provides a fix for the apparmor end if you would like. The issue is that
these are not in the distro yet, and have not been backported to earlier
releases (yet).
These kernels are working for me
https://bugs.launchpad.net/bugs/1661030
Title:
regession tests failing after stackprofile test is run
Status in apparmor
Alright, so I broke complain mode for execs with
UBUNTU: SAUCE: apparmor: Fix no_new_privs blocking change_onexec when using
stacked namespaces
I have a fix and the test kernels are building and will be available in
http://people.canonical.com/~jj/linux+jj/
** Changed in: linux (Ubuntu Xenial)
Status: Incomplete => In Progress
** Changed in: linux (Ubuntu Yakkety)
Status: Incomplete => In Progress
** Changed in: linux (Ubuntu Zesty)
Status: Incomplete => In Progress
** Changed in: apparmor
Status: Triaged => Fix Released
https://bugs.launchpad.net/bugs/1598759
Title:
AppArmor nameservice abstraction doesn't
Public bug reported:
When using nested namespaces policy within the nested namespace is trying
to cross validate with policy outside of the namespace that is not
visible to it. This results in the access being denied and with no way to
add a rule to policy that would
Unless we can get more debug info I am marking this won't fix
** Changed in: lxc (Ubuntu)
Status: New => Won't Fix
No, the chromium and firefox profiles can be fixed. However the current
fixes are not ideal. Basically apparmor currently needs to allow
capability sys_admin and a few other dangerous privileges in the base
profile.
This is not due to the complexity of the sandbox model but because the
linux
We need to make it so it can scan ahead and use summary mode if the
outstanding number of messages is larger than the threshold when it goes
to display the next message.
** Changed in: apparmor
Status: New => Confirmed
https://bugs.launchpad.net/bugs/1658943
Title:
aa-notify blocks desktop with garbage notifications
** Changed in: vidalia (Ubuntu)
Status: Confirmed => Invalid
https://bugs.launchpad.net/bugs/1290107
Title:
Vidalia does not start. AppArmor
** Changed in: apparmor (Ubuntu)
Status: New => Fix Released
** Changed in: apparmor
Status: Fix Committed => Fix Released
** Changed in: linux (Ubuntu Xenial)
Status: New => Invalid
sudo snap refresh
should refresh the kernel snap. However the suspected fix will not be in
any snap kernel, nor can I atm build you a kernel snap to test with.
Okay, that looks like the kernel is working for you and you are now past
the original
[103975.623545] audit: type=1400 audit(1481284511.494:2807):
apparmor="DENIED" operation="change_onexec" info="no new privs" error=-1
namespace="root//lxd-tor_" profile="unconfined"
name="system_tor" pid=18593
Ignore the request to test the upstream kernel, for the moment.
In this case the apparmor code that is in the trace does not exist upstream.
Instead could you test the kernel in
http://people.canonical.com/~jj/lp1648143/
While listed as being for bug 1648143, it contains several fixes
sorry this took longer than expected. I have placed amd64 test kernels at
http://people.canonical.com/~jj/lp1648143/
please let me know if this works for you
The denial messages like
target=B00280F4B00280F
are caused by a kernel bug, in reporting the profile name of the
target of the ptrace.
In general ptrace operations are controlled by both capability and
ptrace rules. This is because within the kernel ptrace calls in to the
capability code,
This occurs in a stacked policy situation, where a system policy is
being applied but within the container namespace, the policy is
unconfined.
The special casing for unconfined with no-new-privs is not properly
detecting this case. I will have a test kernel with a fix for this issue