** Changed in: apparmor (Ubuntu)
Status: Confirmed => Invalid
** No longer affects: apparmor (Ubuntu Xenial)
** No longer affects: apparmor (Ubuntu Yakkety)
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in
This bug was fixed in the package linux - 4.8.0-49.52
---
linux (4.8.0-49.52) yakkety; urgency=low
* linux: 4.8.0-49.52 -proposed tracker (LP: #1684427)
* [Hyper-V] hv: util: move waiting for release to hv_utils_transport itself
(LP: #1682561)
- Drivers: hv: util: move
This bug was fixed in the package linux - 4.4.0-75.96
---
linux (4.4.0-75.96) xenial; urgency=low
* linux: 4.4.0-75.96 -proposed tracker (LP: #1684441)
* [Hyper-V] hv: util: move waiting for release to hv_utils_transport itself
(LP: #1682561)
- Drivers: hv: util: move
** Changed in: linux (Ubuntu Xenial)
Status: Triaged => Fix Committed
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1648143
Title:
tor in lxd: apparmor="DENIED"
The entire apparmor patch series was reverted regardless of whether the
patch had any link to a regression, or security fix.
The majority of the patches will be reapplied and go through the SRU
cycle again.
00:27 smb: is
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1648143/comments/26
correct? Wrong bug?
00:28 yeah, looked odd to me too, I don't see the link between that
security fix and this bug
00:29 Let's reopen for now. If it's wrong, smb can re-close it
perhaps?
** Changed in:
This bug was fixed in the package linux - 4.8.0-45.48
---
linux (4.8.0-45.48) yakkety; urgency=low
* CVE-2017-7184
- xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window
- xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder
-- Stefan Bader
Not fixed because we had to revert the commits due to various
regressions.
** Changed in: linux (Ubuntu Xenial)
Status: Fix Released => Triaged
** Changed in: linux (Ubuntu Yakkety)
Status: Fix Released => Triaged
This bug was fixed in the package linux - 4.8.0-42.45
---
linux (4.8.0-42.45) yakkety; urgency=low
* linux: 4.8.0-42.45 -proposed tracker (LP: #1671176)
* Regression in 4.4.0-65-generic causes very frequent system crashes
(LP: #1669611)
- Revert "UBUNTU: SAUCE: apparmor:
I filed bug 1670408 to track the further issues in tor's AppArmor
profile that stop it from starting on Zesty.
So this particular bug is Invalid for the tor package in Ubuntu, since
the bug was in the kernel and we've verified that with fixes in
proposed. tor still doesn't work on Zesty, but I'll file a separate bug
for that.
** Changed in: tor (Ubuntu)
Status: New => Invalid
** Changed in: tor
Please describe the failure, including the logs so I can analyze. Just
because the container fails to start does not mean that the fix is bad.
There can be other issues that result in the failure.
Specifically this bug is for the denial message seen in comment #5 and
not the denied messages
I tried running tor in a Zesty container on a Zesty VM.
With the current 4.10.0.8.10 it fails as described (tor@default fails to
start). AFAICT, the bug still exists on Zesty.
** Changed in: linux (Ubuntu)
Status: Incomplete => Confirmed
** Changed in: linux (Ubuntu Yakkety)
I tried running tor in a Zesty container on a Yakkety VM.
With 4.8.0.39.50 it fails as described (tor@default fails to start).
With 4.8.0.40.51 (following a reboot) it *still* fails as described.
AFAICT, 4.8.0.40.51 does not fix the problem on Yakkety.
** Tags removed:
I tried running tor in a Zesty container on a Xenial VM.
With 4.4.0.64.68 it fails as described (tor@default fails to start).
With 4.4.0.65.69 (following a reboot) it works correctly.
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial
This bug was fixed in the package linux - 4.4.0-65.86
---
linux (4.4.0-65.86) xenial; urgency=low
* linux: 4.4.0-65.86 -proposed tracker (LP: #1667052)
[ Stefan Bader ]
* Upgrade Redpine RS9113 driver to support AP mode (LP: #1665211)
- SAUCE: Redpine driver to support
This bug was fixed in the package linux - 4.8.0-40.43
---
linux (4.8.0-40.43) yakkety; urgency=low
* linux: 4.8.0-40.43 -proposed tracker (LP: #1667066)
[ Andy Whitcroft ]
* NFS client : permission denied when trying to access subshare, since kernel
4.4.0-31 (LP: #1649292)
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag 'verification-needed-
xenial' to 'verification-done-xenial'. If the problem still exists,
change the tag
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag 'verification-needed-
yakkety' to 'verification-done-yakkety'. If the problem still exists,
change the tag
** Also affects: tor (Ubuntu Yakkety)
Importance: Undecided
Status: New
** Also affects: apparmor (Ubuntu Yakkety)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Yakkety)
Importance: Undecided
Status: New
** Also affects: tor (Ubuntu Xenial)
** Changed in: linux (Ubuntu Yakkety)
Status: New => Fix Committed
** Changed in: linux (Ubuntu Xenial)
Status: New => Fix Committed
** No longer affects: tor (Ubuntu)
** Also affects: tor (Ubuntu)
Importance: Undecided
Status: New
Okay, that looks like the kernel is working for you and you are now past
the original
[103975.623545] audit: type=1400 audit(1481284511.494:2807):
apparmor="DENIED" operation="change_onexec" info="no new privs" error=-1
namespace="root//lxd-tor_" profile="unconfined"
name="system_tor" pid=18593
My /etc/apparmor.d/system_tor:
# Last Modified: Sun Jan 1 21:47:33 2017
#include
# vim:syntax=apparmor
profile system_tor flags=(attach_disconnected) {
#include
/run/systemd/journal/stdout rw,
/usr/bin/tor mr,
owner /var/lib/tor/ r,
owner /var/lib/tor/** wk,
/var/lib/tor/** r,
No problem, it is the holiday season.
I get the following errors on 16.04:
[0.511712] audit: initializing netlink subsys (disabled)
[0.511802] audit: type=2000 audit(1483302109.500:1): initialized
[7.355509] audit: type=1400 audit(1483302117.275:2): apparmor="STATUS"
Sorry this took longer than expected. I have placed amd64 test kernels at
http://people.canonical.com/~jj/lp1648143/
Please let me know if this works for you.
Let me know if you need somebody else to test your kernel.
This occurs in a stacked policy situation, where a system
policy is being applied but within the container namespace, the policy
is unconfined.
The special casing for unconfined with no-new-privs is not properly
detecting this case. I will have a test kernel with a fix for this issue
I have exactly the same issue on 16.04:
[172512.094995] audit: type=1400 audit(1482614869.625:1439):
apparmor="DENIED" operation="change_onexec" info="no new privs" error=-1
namespace="root//lxd-torelay_" profile="unconfined"
name="system_tor" pid=128522 comm="(tor)" target="system_tor"
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: apparmor (Ubuntu)
Status: New => Confirmed
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: tor (Ubuntu)
Status: New => Confirmed
To clarify, the container is missing the minimum requirements of the
apparmor_parser and the apparmor init service.
using
lxc launch images:ubuntu/yakkety torcontainer
to create the container
then installing tor into the container and starting it I can replicate
the error. However this is due to the container not having apparmor
installed. The container is not booting with apparmor or loading the tor
profile.