[Touch-packages] [Bug 1460152] Re: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates)
** Changed in: snappy/15.04 Status: Fix Committed = Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1460152 Title: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates) Status in Snappy: Fix Released Status in Snappy 15.04 series: Fix Released Status in apparmor package in Ubuntu: Fix Released Bug description: The apparmor cache gets confused easily on upgrade. Here is what happens: - boot stable, /etc/apparmor.d/cache/usr.bin.ubuntu-core-launcher is mtime of now because we generate the cache on boot - upgrade to edge, /etc/apparmor.d/usr.bin.ubuntu-core-launcher is updated and has the mtime of T (yesterday) when the file was put into the package - on the next reboot the apparmor_parser compares the mtime of the cache/usr.bin.ubuntu-core-launcher (very very recent) with the mtime of the souce usr.bin.ubuntu-core-launcher (much older) - cache does is *not* re-generate Possible solution: - clear cache on upgrade - make apparmor_parser store mtime of the source file in the header - make apparmor_parser use set the cache file to the mtime of the source file used to generate the cache and re-generate if those get out-of-sync Original description: -- Rick Spencer ran into the situation that he ended up with a snappy image that gave the following error: apparmor=DENIED operation=mkdir profile=/usr/bin/ubuntu-core-launcher name=/tmp/snap.0_pastebinit.mvo_em33Zz/ pid=1092 comm=ubuntu-core-lau requested_mask=c denied_mask=c fsuid=0 ouid=0 Running: $ sudo apparmor_parser --skip-cache -r /etc/apparmor.d/usr.bin.ubuntu-core-launcher fixes it. This strongly indicates that the cache has the old content and did not get re-generated on upgrade or image build. I also managed to reproduce this via: 15.04/stable-15.04/edge The image is here: https://drive.google.com/open?id=0B1sb5ymdUGiLa0tUR0pGV3lzR1kauthuser=0 To manage notifications about this bug go to: https://bugs.launchpad.net/snappy/+bug/1460152/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1460152] Re: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates)
** Changed in: snappy/15.04 Status: Fix Released = Fix Committed ** Changed in: snappy/15.04 Milestone: 15.04.1 = 15.04.2 ** Changed in: snappy Status: Fix Committed = Fix Released ** Changed in: apparmor (Ubuntu) Status: New = Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1460152 Title: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates) Status in Snappy Ubuntu: Fix Released Status in Snappy 15.04 series: Fix Committed Status in apparmor package in Ubuntu: Fix Released Bug description: The apparmor cache gets confused easily on upgrade. Here is what happens: - boot stable, /etc/apparmor.d/cache/usr.bin.ubuntu-core-launcher is mtime of now because we generate the cache on boot - upgrade to edge, /etc/apparmor.d/usr.bin.ubuntu-core-launcher is updated and has the mtime of T (yesterday) when the file was put into the package - on the next reboot the apparmor_parser compares the mtime of the cache/usr.bin.ubuntu-core-launcher (very very recent) with the mtime of the souce usr.bin.ubuntu-core-launcher (much older) - cache does is *not* re-generate Possible solution: - clear cache on upgrade - make apparmor_parser store mtime of the source file in the header - make apparmor_parser use set the cache file to the mtime of the source file used to generate the cache and re-generate if those get out-of-sync Original description: -- Rick Spencer ran into the situation that he ended up with a snappy image that gave the following error: apparmor=DENIED operation=mkdir profile=/usr/bin/ubuntu-core-launcher name=/tmp/snap.0_pastebinit.mvo_em33Zz/ pid=1092 comm=ubuntu-core-lau requested_mask=c denied_mask=c fsuid=0 ouid=0 Running: $ sudo apparmor_parser --skip-cache -r /etc/apparmor.d/usr.bin.ubuntu-core-launcher fixes it. This strongly indicates that the cache has the old content and did not get re-generated on upgrade or image build. I also managed to reproduce this via: 15.04/stable-15.04/edge The image is here: https://drive.google.com/open?id=0B1sb5ymdUGiLa0tUR0pGV3lzR1kauthuser=0 To manage notifications about this bug go to: https://bugs.launchpad.net/snappy/+bug/1460152/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1460152] Re: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates)
** Branch linked: lp:ubuntu/wily-proposed/ubuntu-core-config -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1460152 Title: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates) Status in Snappy Ubuntu: Fix Committed Status in Snappy 15.04 series: Fix Released Status in apparmor package in Ubuntu: New Bug description: The apparmor cache gets confused easily on upgrade. Here is what happens: - boot stable, /etc/apparmor.d/cache/usr.bin.ubuntu-core-launcher is mtime of now because we generate the cache on boot - upgrade to edge, /etc/apparmor.d/usr.bin.ubuntu-core-launcher is updated and has the mtime of T (yesterday) when the file was put into the package - on the next reboot the apparmor_parser compares the mtime of the cache/usr.bin.ubuntu-core-launcher (very very recent) with the mtime of the souce usr.bin.ubuntu-core-launcher (much older) - cache does is *not* re-generate Possible solution: - clear cache on upgrade - make apparmor_parser store mtime of the source file in the header - make apparmor_parser use set the cache file to the mtime of the source file used to generate the cache and re-generate if those get out-of-sync Original description: -- Rick Spencer ran into the situation that he ended up with a snappy image that gave the following error: apparmor=DENIED operation=mkdir profile=/usr/bin/ubuntu-core-launcher name=/tmp/snap.0_pastebinit.mvo_em33Zz/ pid=1092 comm=ubuntu-core-lau requested_mask=c denied_mask=c fsuid=0 ouid=0 Running: $ sudo apparmor_parser --skip-cache -r /etc/apparmor.d/usr.bin.ubuntu-core-launcher fixes it. This strongly indicates that the cache has the old content and did not get re-generated on upgrade or image build. I also managed to reproduce this via: 15.04/stable-15.04/edge The image is here: https://drive.google.com/open?id=0B1sb5ymdUGiLa0tUR0pGV3lzR1kauthuser=0 To manage notifications about this bug go to: https://bugs.launchpad.net/snappy/+bug/1460152/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1460152] Re: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates)
** Changed in: snappy Status: In Progress = Fix Committed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1460152 Title: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates) Status in Snappy Ubuntu: Fix Committed Status in Snappy 15.04 series: Fix Released Status in apparmor package in Ubuntu: New Bug description: The apparmor cache gets confused easily on upgrade. Here is what happens: - boot stable, /etc/apparmor.d/cache/usr.bin.ubuntu-core-launcher is mtime of now because we generate the cache on boot - upgrade to edge, /etc/apparmor.d/usr.bin.ubuntu-core-launcher is updated and has the mtime of T (yesterday) when the file was put into the package - on the next reboot the apparmor_parser compares the mtime of the cache/usr.bin.ubuntu-core-launcher (very very recent) with the mtime of the souce usr.bin.ubuntu-core-launcher (much older) - cache does is *not* re-generate Possible solution: - clear cache on upgrade - make apparmor_parser store mtime of the source file in the header - make apparmor_parser use set the cache file to the mtime of the source file used to generate the cache and re-generate if those get out-of-sync Original description: -- Rick Spencer ran into the situation that he ended up with a snappy image that gave the following error: apparmor=DENIED operation=mkdir profile=/usr/bin/ubuntu-core-launcher name=/tmp/snap.0_pastebinit.mvo_em33Zz/ pid=1092 comm=ubuntu-core-lau requested_mask=c denied_mask=c fsuid=0 ouid=0 Running: $ sudo apparmor_parser --skip-cache -r /etc/apparmor.d/usr.bin.ubuntu-core-launcher fixes it. This strongly indicates that the cache has the old content and did not get re-generated on upgrade or image build. I also managed to reproduce this via: 15.04/stable-15.04/edge The image is here: https://drive.google.com/open?id=0B1sb5ymdUGiLa0tUR0pGV3lzR1kauthuser=0 To manage notifications about this bug go to: https://bugs.launchpad.net/snappy/+bug/1460152/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1460152] Re: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates)
Tentative backport of patch for 2.9 (note it only needs a single patch) ** Patch added: foo.diff https://bugs.launchpad.net/snappy/+bug/1460152/+attachment/4415266/+files/foo.diff -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1460152 Title: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates) Status in Snappy Ubuntu: In Progress Status in Snappy 15.04 series: Fix Released Status in apparmor package in Ubuntu: New Bug description: The apparmor cache gets confused easily on upgrade. Here is what happens: - boot stable, /etc/apparmor.d/cache/usr.bin.ubuntu-core-launcher is mtime of now because we generate the cache on boot - upgrade to edge, /etc/apparmor.d/usr.bin.ubuntu-core-launcher is updated and has the mtime of T (yesterday) when the file was put into the package - on the next reboot the apparmor_parser compares the mtime of the cache/usr.bin.ubuntu-core-launcher (very very recent) with the mtime of the souce usr.bin.ubuntu-core-launcher (much older) - cache does is *not* re-generate Possible solution: - clear cache on upgrade - make apparmor_parser store mtime of the source file in the header - make apparmor_parser use set the cache file to the mtime of the source file used to generate the cache and re-generate if those get out-of-sync Original description: -- Rick Spencer ran into the situation that he ended up with a snappy image that gave the following error: apparmor=DENIED operation=mkdir profile=/usr/bin/ubuntu-core-launcher name=/tmp/snap.0_pastebinit.mvo_em33Zz/ pid=1092 comm=ubuntu-core-lau requested_mask=c denied_mask=c fsuid=0 ouid=0 Running: $ sudo apparmor_parser --skip-cache -r /etc/apparmor.d/usr.bin.ubuntu-core-launcher fixes it. This strongly indicates that the cache has the old content and did not get re-generated on upgrade or image build. I also managed to reproduce this via: 15.04/stable-15.04/edge The image is here: https://drive.google.com/open?id=0B1sb5ymdUGiLa0tUR0pGV3lzR1kauthuser=0 To manage notifications about this bug go to: https://bugs.launchpad.net/snappy/+bug/1460152/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1460152] Re: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates)
sorry, yes. I have been poking at what is the best/minimum backport of this -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1460152 Title: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates) Status in Snappy Ubuntu: In Progress Status in Snappy 15.04 series: Fix Released Status in apparmor package in Ubuntu: New Bug description: The apparmor cache gets confused easily on upgrade. Here is what happens: - boot stable, /etc/apparmor.d/cache/usr.bin.ubuntu-core-launcher is mtime of now because we generate the cache on boot - upgrade to edge, /etc/apparmor.d/usr.bin.ubuntu-core-launcher is updated and has the mtime of T (yesterday) when the file was put into the package - on the next reboot the apparmor_parser compares the mtime of the cache/usr.bin.ubuntu-core-launcher (very very recent) with the mtime of the souce usr.bin.ubuntu-core-launcher (much older) - cache does is *not* re-generate Possible solution: - clear cache on upgrade - make apparmor_parser store mtime of the source file in the header - make apparmor_parser use set the cache file to the mtime of the source file used to generate the cache and re-generate if those get out-of-sync Original description: -- Rick Spencer ran into the situation that he ended up with a snappy image that gave the following error: apparmor=DENIED operation=mkdir profile=/usr/bin/ubuntu-core-launcher name=/tmp/snap.0_pastebinit.mvo_em33Zz/ pid=1092 comm=ubuntu-core-lau requested_mask=c denied_mask=c fsuid=0 ouid=0 Running: $ sudo apparmor_parser --skip-cache -r /etc/apparmor.d/usr.bin.ubuntu-core-launcher fixes it. This strongly indicates that the cache has the old content and did not get re-generated on upgrade or image build. I also managed to reproduce this via: 15.04/stable-15.04/edge The image is here: https://drive.google.com/open?id=0B1sb5ymdUGiLa0tUR0pGV3lzR1kauthuser=0 To manage notifications about this bug go to: https://bugs.launchpad.net/snappy/+bug/1460152/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1460152] Re: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates)
I looked into backporting this, but it seems to be not entirely straightforward as the code layout changed and the changed file are not available in 2.9 it seems. So this needs some work beyond just applying the patch. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1460152 Title: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates) Status in Snappy Ubuntu: In Progress Status in Snappy 15.04 series: Fix Released Status in apparmor package in Ubuntu: New Bug description: The apparmor cache gets confused easily on upgrade. Here is what happens: - boot stable, /etc/apparmor.d/cache/usr.bin.ubuntu-core-launcher is mtime of now because we generate the cache on boot - upgrade to edge, /etc/apparmor.d/usr.bin.ubuntu-core-launcher is updated and has the mtime of T (yesterday) when the file was put into the package - on the next reboot the apparmor_parser compares the mtime of the cache/usr.bin.ubuntu-core-launcher (very very recent) with the mtime of the souce usr.bin.ubuntu-core-launcher (much older) - cache does is *not* re-generate Possible solution: - clear cache on upgrade - make apparmor_parser store mtime of the source file in the header - make apparmor_parser use set the cache file to the mtime of the source file used to generate the cache and re-generate if those get out-of-sync Original description: -- Rick Spencer ran into the situation that he ended up with a snappy image that gave the following error: apparmor=DENIED operation=mkdir profile=/usr/bin/ubuntu-core-launcher name=/tmp/snap.0_pastebinit.mvo_em33Zz/ pid=1092 comm=ubuntu-core-lau requested_mask=c denied_mask=c fsuid=0 ouid=0 Running: $ sudo apparmor_parser --skip-cache -r /etc/apparmor.d/usr.bin.ubuntu-core-launcher fixes it. This strongly indicates that the cache has the old content and did not get re-generated on upgrade or image build. I also managed to reproduce this via: 15.04/stable-15.04/edge The image is here: https://drive.google.com/open?id=0B1sb5ymdUGiLa0tUR0pGV3lzR1kauthuser=0 To manage notifications about this bug go to: https://bugs.launchpad.net/snappy/+bug/1460152/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1460152] Re: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates)
I'm in favour of (1) too but lets wait until the snappy point release is done. I add a trello card so that its not forgotten. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1460152 Title: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates) Status in Snappy Ubuntu: In Progress Status in Snappy 15.04 series: Fix Committed Status in apparmor package in Ubuntu: New Bug description: The apparmor cache gets confused easily on upgrade. Here is what happens: - boot stable, /etc/apparmor.d/cache/usr.bin.ubuntu-core-launcher is mtime of now because we generate the cache on boot - upgrade to edge, /etc/apparmor.d/usr.bin.ubuntu-core-launcher is updated and has the mtime of T (yesterday) when the file was put into the package - on the next reboot the apparmor_parser compares the mtime of the cache/usr.bin.ubuntu-core-launcher (very very recent) with the mtime of the souce usr.bin.ubuntu-core-launcher (much older) - cache does is *not* re-generate Possible solution: - clear cache on upgrade - make apparmor_parser store mtime of the source file in the header - make apparmor_parser use set the cache file to the mtime of the source file used to generate the cache and re-generate if those get out-of-sync Original description: -- Rick Spencer ran into the situation that he ended up with a snappy image that gave the following error: apparmor=DENIED operation=mkdir profile=/usr/bin/ubuntu-core-launcher name=/tmp/snap.0_pastebinit.mvo_em33Zz/ pid=1092 comm=ubuntu-core-lau requested_mask=c denied_mask=c fsuid=0 ouid=0 Running: $ sudo apparmor_parser --skip-cache -r /etc/apparmor.d/usr.bin.ubuntu-core-launcher fixes it. This strongly indicates that the cache has the old content and did not get re-generated on upgrade or image build. I also managed to reproduce this via: 15.04/stable-15.04/edge The image is here: https://drive.google.com/open?id=0B1sb5ymdUGiLa0tUR0pGV3lzR1kauthuser=0 To manage notifications about this bug go to: https://bugs.launchpad.net/snappy/+bug/1460152/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1460152] Re: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates)
** Changed in: snappy/15.04 Status: Fix Committed = Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1460152 Title: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates) Status in Snappy Ubuntu: In Progress Status in Snappy 15.04 series: Fix Released Status in apparmor package in Ubuntu: New Bug description: The apparmor cache gets confused easily on upgrade. Here is what happens: - boot stable, /etc/apparmor.d/cache/usr.bin.ubuntu-core-launcher is mtime of now because we generate the cache on boot - upgrade to edge, /etc/apparmor.d/usr.bin.ubuntu-core-launcher is updated and has the mtime of T (yesterday) when the file was put into the package - on the next reboot the apparmor_parser compares the mtime of the cache/usr.bin.ubuntu-core-launcher (very very recent) with the mtime of the souce usr.bin.ubuntu-core-launcher (much older) - cache does is *not* re-generate Possible solution: - clear cache on upgrade - make apparmor_parser store mtime of the source file in the header - make apparmor_parser use set the cache file to the mtime of the source file used to generate the cache and re-generate if those get out-of-sync Original description: -- Rick Spencer ran into the situation that he ended up with a snappy image that gave the following error: apparmor=DENIED operation=mkdir profile=/usr/bin/ubuntu-core-launcher name=/tmp/snap.0_pastebinit.mvo_em33Zz/ pid=1092 comm=ubuntu-core-lau requested_mask=c denied_mask=c fsuid=0 ouid=0 Running: $ sudo apparmor_parser --skip-cache -r /etc/apparmor.d/usr.bin.ubuntu-core-launcher fixes it. This strongly indicates that the cache has the old content and did not get re-generated on upgrade or image build. I also managed to reproduce this via: 15.04/stable-15.04/edge The image is here: https://drive.google.com/open?id=0B1sb5ymdUGiLa0tUR0pGV3lzR1kauthuser=0 To manage notifications about this bug go to: https://bugs.launchpad.net/snappy/+bug/1460152/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1460152] Re: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates)
Let's land on wily, test and then make push to our PPA (so we can also test it there, and also revert the workaround), we can include this at our next stable release :-) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1460152 Title: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates) Status in Snappy Ubuntu: In Progress Status in Snappy 15.04 series: Fix Released Status in apparmor package in Ubuntu: New Bug description: The apparmor cache gets confused easily on upgrade. Here is what happens: - boot stable, /etc/apparmor.d/cache/usr.bin.ubuntu-core-launcher is mtime of now because we generate the cache on boot - upgrade to edge, /etc/apparmor.d/usr.bin.ubuntu-core-launcher is updated and has the mtime of T (yesterday) when the file was put into the package - on the next reboot the apparmor_parser compares the mtime of the cache/usr.bin.ubuntu-core-launcher (very very recent) with the mtime of the souce usr.bin.ubuntu-core-launcher (much older) - cache does is *not* re-generate Possible solution: - clear cache on upgrade - make apparmor_parser store mtime of the source file in the header - make apparmor_parser use set the cache file to the mtime of the source file used to generate the cache and re-generate if those get out-of-sync Original description: -- Rick Spencer ran into the situation that he ended up with a snappy image that gave the following error: apparmor=DENIED operation=mkdir profile=/usr/bin/ubuntu-core-launcher name=/tmp/snap.0_pastebinit.mvo_em33Zz/ pid=1092 comm=ubuntu-core-lau requested_mask=c denied_mask=c fsuid=0 ouid=0 Running: $ sudo apparmor_parser --skip-cache -r /etc/apparmor.d/usr.bin.ubuntu-core-launcher fixes it. This strongly indicates that the cache has the old content and did not get re-generated on upgrade or image build. I also managed to reproduce this via: 15.04/stable-15.04/edge The image is here: https://drive.google.com/open?id=0B1sb5ymdUGiLa0tUR0pGV3lzR1kauthuser=0 To manage notifications about this bug go to: https://bugs.launchpad.net/snappy/+bug/1460152/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1460152] Re: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates)
This is fine for wily. We'll want to backport this to other releases, but we'll need to be careful wrt 15.04 because touch is about to release their 15.04-based OTA and if we push this to vivid-updates, then it will trigger a policy recompile on touch. As such, I think for now we should either: 1. update the snappy image build ppa with this fix, or 2. push this as SRU to 15.04 and update the stable-phone-updates ppa to have the current apparmor so it doesn't get updated Since only snappy is known to need this right now, I think the former is the way to go unless we get reports that the distro needs this SRU'd to 15.04, at which point we should do '2'. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1460152 Title: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates) Status in Snappy Ubuntu: In Progress Status in Snappy 15.04 series: Fix Committed Status in apparmor package in Ubuntu: New Bug description: The apparmor cache gets confused easily on upgrade. Here is what happens: - boot stable, /etc/apparmor.d/cache/usr.bin.ubuntu-core-launcher is mtime of now because we generate the cache on boot - upgrade to edge, /etc/apparmor.d/usr.bin.ubuntu-core-launcher is updated and has the mtime of T (yesterday) when the file was put into the package - on the next reboot the apparmor_parser compares the mtime of the cache/usr.bin.ubuntu-core-launcher (very very recent) with the mtime of the souce usr.bin.ubuntu-core-launcher (much older) - cache does is *not* re-generate Possible solution: - clear cache on upgrade - make apparmor_parser store mtime of the source file in the header - make apparmor_parser use set the cache file to the mtime of the source file used to generate the cache and re-generate if those get out-of-sync Original description: -- Rick Spencer ran into the situation that he ended up with a snappy image that gave the following error: apparmor=DENIED operation=mkdir profile=/usr/bin/ubuntu-core-launcher name=/tmp/snap.0_pastebinit.mvo_em33Zz/ pid=1092 comm=ubuntu-core-lau requested_mask=c denied_mask=c fsuid=0 ouid=0 Running: $ sudo apparmor_parser --skip-cache -r /etc/apparmor.d/usr.bin.ubuntu-core-launcher fixes it. This strongly indicates that the cache has the old content and did not get re-generated on upgrade or image build. I also managed to reproduce this via: 15.04/stable-15.04/edge The image is here: https://drive.google.com/open?id=0B1sb5ymdUGiLa0tUR0pGV3lzR1kauthuser=0 To manage notifications about this bug go to: https://bugs.launchpad.net/snappy/+bug/1460152/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1460152] Re: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates)
Michael, I have a patch (well two actually), and they just need further review and testing. I also have a partial hashing patch that if needed could be finished in a few hours, and add native hashing (if we go this route we could make the hash selectable, so something fast like lookup3 could be selected for a given platform). ** Patch added: 0001-Use-mtime-instead-of-ctime-for-cache-file.patch https://bugs.launchpad.net/snappy/+bug/1460152/+attachment/4411426/+files/0001-Use-mtime-instead-of-ctime-for-cache-file.patch -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1460152 Title: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates) Status in Snappy Ubuntu: In Progress Status in Snappy 15.04 series: Fix Committed Status in apparmor package in Ubuntu: New Bug description: The apparmor cache gets confused easily on upgrade. Here is what happens: - boot stable, /etc/apparmor.d/cache/usr.bin.ubuntu-core-launcher is mtime of now because we generate the cache on boot - upgrade to edge, /etc/apparmor.d/usr.bin.ubuntu-core-launcher is updated and has the mtime of T (yesterday) when the file was put into the package - on the next reboot the apparmor_parser compares the mtime of the cache/usr.bin.ubuntu-core-launcher (very very recent) with the mtime of the souce usr.bin.ubuntu-core-launcher (much older) - cache does is *not* re-generate Possible solution: - clear cache on upgrade - make apparmor_parser store mtime of the source file in the header - make apparmor_parser use set the cache file to the mtime of the source file used to generate the cache and re-generate if those get out-of-sync Original description: -- Rick Spencer ran into the situation that he ended up with a snappy image that gave the following error: apparmor=DENIED operation=mkdir profile=/usr/bin/ubuntu-core-launcher name=/tmp/snap.0_pastebinit.mvo_em33Zz/ pid=1092 comm=ubuntu-core-lau requested_mask=c denied_mask=c fsuid=0 ouid=0 Running: $ sudo apparmor_parser --skip-cache -r /etc/apparmor.d/usr.bin.ubuntu-core-launcher fixes it. This strongly indicates that the cache has the old content and did not get re-generated on upgrade or image build. I also managed to reproduce this via: 15.04/stable-15.04/edge The image is here: https://drive.google.com/open?id=0B1sb5ymdUGiLa0tUR0pGV3lzR1kauthuser=0 To manage notifications about this bug go to: https://bugs.launchpad.net/snappy/+bug/1460152/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1460152] Re: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates)
@all I just verified that a 15.04/stable - 15.04/edge upgrade works and that the caches are regenerated. So the workaround works. @John I started with the mtime approach in my proof of concept patch. So if you guys are too busy I can try to expand it to cover the includes as well (it does not right now). Great to hear that we are close to nice and clean solution :) @Jamie Thanks for your feedback! I haven't considered the #includes, thats a gap in the patch indeed. ** Changed in: snappy/15.04 Status: In Progress = Fix Committed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1460152 Title: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates) Status in Snappy Ubuntu: In Progress Status in Snappy 15.04 series: Fix Committed Status in apparmor package in Ubuntu: New Bug description: The apparmor cache gets confused easily on upgrade. Here is what happens: - boot stable, /etc/apparmor.d/cache/usr.bin.ubuntu-core-launcher is mtime of now because we generate the cache on boot - upgrade to edge, /etc/apparmor.d/usr.bin.ubuntu-core-launcher is updated and has the mtime of T (yesterday) when the file was put into the package - on the next reboot the apparmor_parser compares the mtime of the cache/usr.bin.ubuntu-core-launcher (very very recent) with the mtime of the souce usr.bin.ubuntu-core-launcher (much older) - cache does is *not* re-generate Possible solution: - clear cache on upgrade - make apparmor_parser store mtime of the source file in the header - make apparmor_parser use set the cache file to the mtime of the source file used to generate the cache and re-generate if those get out-of-sync Original description: -- Rick Spencer ran into the situation that he ended up with a snappy image that gave the following error: apparmor=DENIED operation=mkdir profile=/usr/bin/ubuntu-core-launcher name=/tmp/snap.0_pastebinit.mvo_em33Zz/ pid=1092 comm=ubuntu-core-lau requested_mask=c denied_mask=c fsuid=0 ouid=0 Running: $ sudo apparmor_parser --skip-cache -r /etc/apparmor.d/usr.bin.ubuntu-core-launcher fixes it. This strongly indicates that the cache has the old content and did not get re-generated on upgrade or image build. I also managed to reproduce this via: 15.04/stable-15.04/edge The image is here: https://drive.google.com/open?id=0B1sb5ymdUGiLa0tUR0pGV3lzR1kauthuser=0 To manage notifications about this bug go to: https://bugs.launchpad.net/snappy/+bug/1460152/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1460152] Re: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates)
second patch ** Patch added: 0002-Set-cache-file-tstamp-to-the-mtime-of-most-recent-po.patch https://bugs.launchpad.net/snappy/+bug/1460152/+attachment/4411427/+files/0002-Set-cache-file-tstamp-to-the-mtime-of-most-recent-po.patch -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1460152 Title: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates) Status in Snappy Ubuntu: In Progress Status in Snappy 15.04 series: Fix Committed Status in apparmor package in Ubuntu: New Bug description: The apparmor cache gets confused easily on upgrade. Here is what happens: - boot stable, /etc/apparmor.d/cache/usr.bin.ubuntu-core-launcher is mtime of now because we generate the cache on boot - upgrade to edge, /etc/apparmor.d/usr.bin.ubuntu-core-launcher is updated and has the mtime of T (yesterday) when the file was put into the package - on the next reboot the apparmor_parser compares the mtime of the cache/usr.bin.ubuntu-core-launcher (very very recent) with the mtime of the souce usr.bin.ubuntu-core-launcher (much older) - cache does is *not* re-generate Possible solution: - clear cache on upgrade - make apparmor_parser store mtime of the source file in the header - make apparmor_parser use set the cache file to the mtime of the source file used to generate the cache and re-generate if those get out-of-sync Original description: -- Rick Spencer ran into the situation that he ended up with a snappy image that gave the following error: apparmor=DENIED operation=mkdir profile=/usr/bin/ubuntu-core-launcher name=/tmp/snap.0_pastebinit.mvo_em33Zz/ pid=1092 comm=ubuntu-core-lau requested_mask=c denied_mask=c fsuid=0 ouid=0 Running: $ sudo apparmor_parser --skip-cache -r /etc/apparmor.d/usr.bin.ubuntu-core-launcher fixes it. This strongly indicates that the cache has the old content and did not get re-generated on upgrade or image build. I also managed to reproduce this via: 15.04/stable-15.04/edge The image is here: https://drive.google.com/open?id=0B1sb5ymdUGiLa0tUR0pGV3lzR1kauthuser=0 To manage notifications about this bug go to: https://bugs.launchpad.net/snappy/+bug/1460152/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1460152] Re: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates)
@John Yay! The patches look great, thanks a lot! I leave the decision on hashing vs mtime to you/the security team. For me the mtime approach is good enough (unless I miss some failure case that is relatively easy to trigger, it seems it covers all but the most pathological cases) and it will solve this bug in a nice and clean way. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1460152 Title: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates) Status in Snappy Ubuntu: In Progress Status in Snappy 15.04 series: Fix Committed Status in apparmor package in Ubuntu: New Bug description: The apparmor cache gets confused easily on upgrade. Here is what happens: - boot stable, /etc/apparmor.d/cache/usr.bin.ubuntu-core-launcher is mtime of now because we generate the cache on boot - upgrade to edge, /etc/apparmor.d/usr.bin.ubuntu-core-launcher is updated and has the mtime of T (yesterday) when the file was put into the package - on the next reboot the apparmor_parser compares the mtime of the cache/usr.bin.ubuntu-core-launcher (very very recent) with the mtime of the souce usr.bin.ubuntu-core-launcher (much older) - cache does is *not* re-generate Possible solution: - clear cache on upgrade - make apparmor_parser store mtime of the source file in the header - make apparmor_parser use set the cache file to the mtime of the source file used to generate the cache and re-generate if those get out-of-sync Original description: -- Rick Spencer ran into the situation that he ended up with a snappy image that gave the following error: apparmor=DENIED operation=mkdir profile=/usr/bin/ubuntu-core-launcher name=/tmp/snap.0_pastebinit.mvo_em33Zz/ pid=1092 comm=ubuntu-core-lau requested_mask=c denied_mask=c fsuid=0 ouid=0 Running: $ sudo apparmor_parser --skip-cache -r /etc/apparmor.d/usr.bin.ubuntu-core-launcher fixes it. This strongly indicates that the cache has the old content and did not get re-generated on upgrade or image build. I also managed to reproduce this via: 15.04/stable-15.04/edge The image is here: https://drive.google.com/open?id=0B1sb5ymdUGiLa0tUR0pGV3lzR1kauthuser=0 To manage notifications about this bug go to: https://bugs.launchpad.net/snappy/+bug/1460152/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1460152] Re: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates)
@John Yay! The patches look great, thanks a lot! I leave the decision on hashing vs mtime to you/the security team. For me the mtime approach is good enough (unless I miss some failure case that is relatively easy to trigger, it seems it covers all but the most pathological cases) and it will solve this bug in a nice and clean way. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1460152 Title: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates) Status in Snappy Ubuntu: In Progress Status in Snappy 15.04 series: Fix Committed Status in apparmor package in Ubuntu: New Bug description: The apparmor cache gets confused easily on upgrade. Here is what happens: - boot stable, /etc/apparmor.d/cache/usr.bin.ubuntu-core-launcher is mtime of now because we generate the cache on boot - upgrade to edge, /etc/apparmor.d/usr.bin.ubuntu-core-launcher is updated and has the mtime of T (yesterday) when the file was put into the package - on the next reboot the apparmor_parser compares the mtime of the cache/usr.bin.ubuntu-core-launcher (very very recent) with the mtime of the souce usr.bin.ubuntu-core-launcher (much older) - cache does is *not* re-generate Possible solution: - clear cache on upgrade - make apparmor_parser store mtime of the source file in the header - make apparmor_parser use set the cache file to the mtime of the source file used to generate the cache and re-generate if those get out-of-sync Original description: -- Rick Spencer ran into the situation that he ended up with a snappy image that gave the following error: apparmor=DENIED operation=mkdir profile=/usr/bin/ubuntu-core-launcher name=/tmp/snap.0_pastebinit.mvo_em33Zz/ pid=1092 comm=ubuntu-core-lau requested_mask=c denied_mask=c fsuid=0 ouid=0 Running: $ sudo apparmor_parser --skip-cache -r /etc/apparmor.d/usr.bin.ubuntu-core-launcher fixes it. This strongly indicates that the cache has the old content and did not get re-generated on upgrade or image build. I also managed to reproduce this via: 15.04/stable-15.04/edge The image is here: https://drive.google.com/open?id=0B1sb5ymdUGiLa0tUR0pGV3lzR1kauthuser=0 To manage notifications about this bug go to: https://bugs.launchpad.net/snappy/+bug/1460152/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1460152] Re: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates)
I added a different approach that adds hashes next to the cached files so that we can compare if hash(profile) == hash(cache) and if not re- generate. ** Branch linked: lp:~mvo/ubuntu/vivid/ubuntu-core- config/lp1460152-workaround -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1460152 Title: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates) Status in Snappy Ubuntu: In Progress Status in Snappy 15.04 series: In Progress Status in apparmor package in Ubuntu: New Bug description: The apparmor cache gets confused easily on upgrade. Here is what happens: - boot stable, /etc/apparmor.d/cache/usr.bin.ubuntu-core-launcher is mtime of now because we generate the cache on boot - upgrade to edge, /etc/apparmor.d/usr.bin.ubuntu-core-launcher is updated and has the mtime of T (yesterday) when the file was put into the package - on the next reboot the apparmor_parser compares the mtime of the cache/usr.bin.ubuntu-core-launcher (very very recent) with the mtime of the souce usr.bin.ubuntu-core-launcher (much older) - cache does is *not* re-generate Possible solution: - clear cache on upgrade - make apparmor_parser store mtime of the source file in the header - make apparmor_parser use set the cache file to the mtime of the source file used to generate the cache and re-generate if those get out-of-sync Original description: -- Rick Spencer ran into the situation that he ended up with a snappy image that gave the following error: apparmor=DENIED operation=mkdir profile=/usr/bin/ubuntu-core-launcher name=/tmp/snap.0_pastebinit.mvo_em33Zz/ pid=1092 comm=ubuntu-core-lau requested_mask=c denied_mask=c fsuid=0 ouid=0 Running: $ sudo apparmor_parser --skip-cache -r /etc/apparmor.d/usr.bin.ubuntu-core-launcher fixes it. This strongly indicates that the cache has the old content and did not get re-generated on upgrade or image build. I also managed to reproduce this via: 15.04/stable-15.04/edge The image is here: https://drive.google.com/open?id=0B1sb5ymdUGiLa0tUR0pGV3lzR1kauthuser=0 To manage notifications about this bug go to: https://bugs.launchpad.net/snappy/+bug/1460152/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1460152] Re: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates)
FYI, the hash approach is slow for the normal case since we always have to perform an sum. Furthermore it doesn't take into account #include'd files that might also change (eg, apparmor is updated and has a different base abstraction). For the workaround, I guess it is ok since the slowdown will only be for a couple of profiles but I would have rather seen us unconditionally invalidating the cache when switching from a to b or vice versa. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1460152 Title: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates) Status in Snappy Ubuntu: In Progress Status in Snappy 15.04 series: In Progress Status in apparmor package in Ubuntu: New Bug description: The apparmor cache gets confused easily on upgrade. Here is what happens: - boot stable, /etc/apparmor.d/cache/usr.bin.ubuntu-core-launcher is mtime of now because we generate the cache on boot - upgrade to edge, /etc/apparmor.d/usr.bin.ubuntu-core-launcher is updated and has the mtime of T (yesterday) when the file was put into the package - on the next reboot the apparmor_parser compares the mtime of the cache/usr.bin.ubuntu-core-launcher (very very recent) with the mtime of the souce usr.bin.ubuntu-core-launcher (much older) - cache does is *not* re-generate Possible solution: - clear cache on upgrade - make apparmor_parser store mtime of the source file in the header - make apparmor_parser use set the cache file to the mtime of the source file used to generate the cache and re-generate if those get out-of-sync Original description: -- Rick Spencer ran into the situation that he ended up with a snappy image that gave the following error: apparmor=DENIED operation=mkdir profile=/usr/bin/ubuntu-core-launcher name=/tmp/snap.0_pastebinit.mvo_em33Zz/ pid=1092 comm=ubuntu-core-lau requested_mask=c denied_mask=c fsuid=0 ouid=0 Running: $ sudo apparmor_parser --skip-cache -r /etc/apparmor.d/usr.bin.ubuntu-core-launcher fixes it. This strongly indicates that the cache has the old content and did not get re-generated on upgrade or image build. I also managed to reproduce this via: 15.04/stable-15.04/edge The image is here: https://drive.google.com/open?id=0B1sb5ymdUGiLa0tUR0pGV3lzR1kauthuser=0 To manage notifications about this bug go to: https://bugs.launchpad.net/snappy/+bug/1460152/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1460152] Re: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates)
Yes the apparmor_parser should set the mtime of the cache file to be the most recent mtime timestamp of the set of policy files that resulted in the cache files creation. This is something we have been meaning to do for a long time but just never gotten around to it because there always something more important. I will come up with a patch today -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1460152 Title: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates) Status in Snappy Ubuntu: In Progress Status in Snappy 15.04 series: In Progress Status in apparmor package in Ubuntu: New Bug description: The apparmor cache gets confused easily on upgrade. Here is what happens: - boot stable, /etc/apparmor.d/cache/usr.bin.ubuntu-core-launcher is mtime of now because we generate the cache on boot - upgrade to edge, /etc/apparmor.d/usr.bin.ubuntu-core-launcher is updated and has the mtime of T (yesterday) when the file was put into the package - on the next reboot the apparmor_parser compares the mtime of the cache/usr.bin.ubuntu-core-launcher (very very recent) with the mtime of the souce usr.bin.ubuntu-core-launcher (much older) - cache does is *not* re-generate Possible solution: - clear cache on upgrade - make apparmor_parser store mtime of the source file in the header - make apparmor_parser use set the cache file to the mtime of the source file used to generate the cache and re-generate if those get out-of-sync Original description: -- Rick Spencer ran into the situation that he ended up with a snappy image that gave the following error: apparmor=DENIED operation=mkdir profile=/usr/bin/ubuntu-core-launcher name=/tmp/snap.0_pastebinit.mvo_em33Zz/ pid=1092 comm=ubuntu-core-lau requested_mask=c denied_mask=c fsuid=0 ouid=0 Running: $ sudo apparmor_parser --skip-cache -r /etc/apparmor.d/usr.bin.ubuntu-core-launcher fixes it. This strongly indicates that the cache has the old content and did not get re-generated on upgrade or image build. I also managed to reproduce this via: 15.04/stable-15.04/edge The image is here: https://drive.google.com/open?id=0B1sb5ymdUGiLa0tUR0pGV3lzR1kauthuser=0 To manage notifications about this bug go to: https://bugs.launchpad.net/snappy/+bug/1460152/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1460152] Re: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates)
** Branch linked: lp:~mvo/snappy/snappy-lp1460152-workaround -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1460152 Title: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates) Status in Snappy Ubuntu: In Progress Status in Snappy 15.04 series: In Progress Status in apparmor package in Ubuntu: New Bug description: The apparmor cache gets confused easily on upgrade. Here is what happens: - boot stable, /etc/apparmor.d/cache/usr.bin.ubuntu-core-launcher is mtime of now because we generate the cache on boot - upgrade to edge, /etc/apparmor.d/usr.bin.ubuntu-core-launcher is updated and has the mtime of T (yesterday) when the file was put into the package - on the next reboot the apparmor_parser compares the mtime of the cache/usr.bin.ubuntu-core-launcher (very very recent) with the mtime of the souce usr.bin.ubuntu-core-launcher (much older) - cache does is *not* re-generate Possible solution: - clear cache on upgrade - make apparmor_parser store mtime of the source file in the header - make apparmor_parser use set the cache file to the mtime of the source file used to generate the cache and re-generate if those get out-of-sync Original description: -- Rick Spencer ran into the situation that he ended up with a snappy image that gave the following error: apparmor=DENIED operation=mkdir profile=/usr/bin/ubuntu-core-launcher name=/tmp/snap.0_pastebinit.mvo_em33Zz/ pid=1092 comm=ubuntu-core-lau requested_mask=c denied_mask=c fsuid=0 ouid=0 Running: $ sudo apparmor_parser --skip-cache -r /etc/apparmor.d/usr.bin.ubuntu-core-launcher fixes it. This strongly indicates that the cache has the old content and did not get re-generated on upgrade or image build. I also managed to reproduce this via: 15.04/stable-15.04/edge The image is here: https://drive.google.com/open?id=0B1sb5ymdUGiLa0tUR0pGV3lzR1kauthuser=0 To manage notifications about this bug go to: https://bugs.launchpad.net/snappy/+bug/1460152/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1460152] Re: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates)
This should be fixed with image r76, the cache files are generated on the server now just like touch is doing it. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1460152 Title: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates) Status in Snappy Ubuntu: In Progress Status in Snappy 15.04 series: In Progress Status in apparmor package in Ubuntu: New Bug description: The apparmor cache gets confused easily on upgrade. Here is what happens: - boot stable, /etc/apparmor.d/cache/usr.bin.ubuntu-core-launcher is mtime of now because we generate the cache on boot - upgrade to edge, /etc/apparmor.d/usr.bin.ubuntu-core-launcher is updated and has the mtime of T (yesterday) when the file was put into the package - on the next reboot the apparmor_parser compares the mtime of the cache/usr.bin.ubuntu-core-launcher (very very recent) with the mtime of the souce usr.bin.ubuntu-core-launcher (much older) - cache does is *not* re-generate Possible solution: - clear cache on upgrade - make apparmor_parser store mtime of the source file in the header - make apparmor_parser use set the cache file to the mtime of the source file used to generate the cache and re-generate if those get out-of-sync Original description: -- Rick Spencer ran into the situation that he ended up with a snappy image that gave the following error: apparmor=DENIED operation=mkdir profile=/usr/bin/ubuntu-core-launcher name=/tmp/snap.0_pastebinit.mvo_em33Zz/ pid=1092 comm=ubuntu-core-lau requested_mask=c denied_mask=c fsuid=0 ouid=0 Running: $ sudo apparmor_parser --skip-cache -r /etc/apparmor.d/usr.bin.ubuntu-core-launcher fixes it. This strongly indicates that the cache has the old content and did not get re-generated on upgrade or image build. I also managed to reproduce this via: 15.04/stable-15.04/edge The image is here: https://drive.google.com/open?id=0B1sb5ymdUGiLa0tUR0pGV3lzR1kauthuser=0 To manage notifications about this bug go to: https://bugs.launchpad.net/snappy/+bug/1460152/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1460152] Re: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates)
** Changed in: snappy/15.04 Status: In Progress = Fix Committed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1460152 Title: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates) Status in Snappy Ubuntu: In Progress Status in Snappy 15.04 series: Fix Committed Status in apparmor package in Ubuntu: New Bug description: The apparmor cache gets confused easily on upgrade. Here is what happens: - boot stable, /etc/apparmor.d/cache/usr.bin.ubuntu-core-launcher is mtime of now because we generate the cache on boot - upgrade to edge, /etc/apparmor.d/usr.bin.ubuntu-core-launcher is updated and has the mtime of T (yesterday) when the file was put into the package - on the next reboot the apparmor_parser compares the mtime of the cache/usr.bin.ubuntu-core-launcher (very very recent) with the mtime of the souce usr.bin.ubuntu-core-launcher (much older) - cache does is *not* re-generate Possible solution: - clear cache on upgrade - make apparmor_parser store mtime of the source file in the header - make apparmor_parser use set the cache file to the mtime of the source file used to generate the cache and re-generate if those get out-of-sync Original description: -- Rick Spencer ran into the situation that he ended up with a snappy image that gave the following error: apparmor=DENIED operation=mkdir profile=/usr/bin/ubuntu-core-launcher name=/tmp/snap.0_pastebinit.mvo_em33Zz/ pid=1092 comm=ubuntu-core-lau requested_mask=c denied_mask=c fsuid=0 ouid=0 Running: $ sudo apparmor_parser --skip-cache -r /etc/apparmor.d/usr.bin.ubuntu-core-launcher fixes it. This strongly indicates that the cache has the old content and did not get re-generated on upgrade or image build. I also managed to reproduce this via: 15.04/stable-15.04/edge The image is here: https://drive.google.com/open?id=0B1sb5ymdUGiLa0tUR0pGV3lzR1kauthuser=0 To manage notifications about this bug go to: https://bugs.launchpad.net/snappy/+bug/1460152/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1460152] Re: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates)
I looked into this some more as I was confused why this works on the distro. And it turns out that the dh_apparmor cache re-generates the cache on install time. I would really prefer if apparmor could handle this differently, I attach a (ugly) proof of concept patch with what I have in mind. My idea is to sync the mtime of cache and profile to ensure its always re- generated when they are out-of-sync. Ideally this would be part of the apparmor cache header I think. ** Patch added: proof of concept patch for apparmor parser https://bugs.launchpad.net/snappy/+bug/1460152/+attachment/4409034/+files/lp1460152-apparmor.diff ** Also affects: apparmor (Ubuntu) Importance: Undecided Status: New ** Description changed: The apparmor cache gets confused easily on upgrade. Here is what happens: - boot stable, /etc/apparmor.d/cache/usr.bin.ubuntu-core-launcher is mtime of now because we generate the cache on boot - upgrade to edge, /etc/apparmor.d/usr.bin.ubuntu-core-launcher is updated and has the mtime of T (yesterday) when the file was put into the package - on the next reboot the apparmor_parser compares the mtime of the cache/usr.bin.ubuntu-core-launcher (very very recent) with the mtime of the souce usr.bin.ubuntu-core-launcher (much older) - cache does is *not* re-generate Possible solution: - clear cache on upgrade - - make apparmor_parser use mtime of the source file used to generate the cache + - make apparmor_parser store mtime of the source file in the header + - make apparmor_parser use set the cache file to the mtime of the source file used to generate the cache and re-generate if those get out-of-sync Original description: -- Rick Spencer ran into the situation that he ended up with a snappy image that gave the following error: apparmor=DENIED operation=mkdir profile=/usr/bin/ubuntu-core-launcher name=/tmp/snap.0_pastebinit.mvo_em33Zz/ pid=1092 comm=ubuntu-core-lau requested_mask=c denied_mask=c fsuid=0 ouid=0 Running: $ sudo apparmor_parser --skip-cache -r /etc/apparmor.d/usr.bin.ubuntu-core-launcher fixes it. This strongly indicates that the cache has the old content and did not get re-generated on upgrade or image build. I also managed to reproduce this via: 15.04/stable-15.04/edge The image is here: https://drive.google.com/open?id=0B1sb5ymdUGiLa0tUR0pGV3lzR1kauthuser=0 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1460152 Title: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates) Status in Snappy Ubuntu: In Progress Status in Snappy 15.04 series: In Progress Status in apparmor package in Ubuntu: New Bug description: The apparmor cache gets confused easily on upgrade. Here is what happens: - boot stable, /etc/apparmor.d/cache/usr.bin.ubuntu-core-launcher is mtime of now because we generate the cache on boot - upgrade to edge, /etc/apparmor.d/usr.bin.ubuntu-core-launcher is updated and has the mtime of T (yesterday) when the file was put into the package - on the next reboot the apparmor_parser compares the mtime of the cache/usr.bin.ubuntu-core-launcher (very very recent) with the mtime of the souce usr.bin.ubuntu-core-launcher (much older) - cache does is *not* re-generate Possible solution: - clear cache on upgrade - make apparmor_parser store mtime of the source file in the header - make apparmor_parser use set the cache file to the mtime of the source file used to generate the cache and re-generate if those get out-of-sync Original description: -- Rick Spencer ran into the situation that he ended up with a snappy image that gave the following error: apparmor=DENIED operation=mkdir profile=/usr/bin/ubuntu-core-launcher name=/tmp/snap.0_pastebinit.mvo_em33Zz/ pid=1092 comm=ubuntu-core-lau requested_mask=c denied_mask=c fsuid=0 ouid=0 Running: $ sudo apparmor_parser --skip-cache -r /etc/apparmor.d/usr.bin.ubuntu-core-launcher fixes it. This strongly indicates that the cache has the old content and did not get re-generated on upgrade or image build. I also managed to reproduce this via: 15.04/stable-15.04/edge The image is here: https://drive.google.com/open?id=0B1sb5ymdUGiLa0tUR0pGV3lzR1kauthuser=0 To manage notifications about this bug go to: https://bugs.launchpad.net/snappy/+bug/1460152/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1460152] Re: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates)
Ricardo pointed out that we need to consider the features file (just like touch). ** Changed in: snappy/15.04 Status: Fix Committed = In Progress -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1460152 Title: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates) Status in Snappy Ubuntu: In Progress Status in Snappy 15.04 series: In Progress Status in apparmor package in Ubuntu: New Bug description: The apparmor cache gets confused easily on upgrade. Here is what happens: - boot stable, /etc/apparmor.d/cache/usr.bin.ubuntu-core-launcher is mtime of now because we generate the cache on boot - upgrade to edge, /etc/apparmor.d/usr.bin.ubuntu-core-launcher is updated and has the mtime of T (yesterday) when the file was put into the package - on the next reboot the apparmor_parser compares the mtime of the cache/usr.bin.ubuntu-core-launcher (very very recent) with the mtime of the souce usr.bin.ubuntu-core-launcher (much older) - cache does is *not* re-generate Possible solution: - clear cache on upgrade - make apparmor_parser store mtime of the source file in the header - make apparmor_parser use set the cache file to the mtime of the source file used to generate the cache and re-generate if those get out-of-sync Original description: -- Rick Spencer ran into the situation that he ended up with a snappy image that gave the following error: apparmor=DENIED operation=mkdir profile=/usr/bin/ubuntu-core-launcher name=/tmp/snap.0_pastebinit.mvo_em33Zz/ pid=1092 comm=ubuntu-core-lau requested_mask=c denied_mask=c fsuid=0 ouid=0 Running: $ sudo apparmor_parser --skip-cache -r /etc/apparmor.d/usr.bin.ubuntu-core-launcher fixes it. This strongly indicates that the cache has the old content and did not get re-generated on upgrade or image build. I also managed to reproduce this via: 15.04/stable-15.04/edge The image is here: https://drive.google.com/open?id=0B1sb5ymdUGiLa0tUR0pGV3lzR1kauthuser=0 To manage notifications about this bug go to: https://bugs.launchpad.net/snappy/+bug/1460152/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1460152] Re: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates)
** Tags added: patch -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1460152 Title: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates) Status in Snappy Ubuntu: In Progress Status in Snappy 15.04 series: Fix Committed Status in apparmor package in Ubuntu: New Bug description: The apparmor cache gets confused easily on upgrade. Here is what happens: - boot stable, /etc/apparmor.d/cache/usr.bin.ubuntu-core-launcher is mtime of now because we generate the cache on boot - upgrade to edge, /etc/apparmor.d/usr.bin.ubuntu-core-launcher is updated and has the mtime of T (yesterday) when the file was put into the package - on the next reboot the apparmor_parser compares the mtime of the cache/usr.bin.ubuntu-core-launcher (very very recent) with the mtime of the souce usr.bin.ubuntu-core-launcher (much older) - cache does is *not* re-generate Possible solution: - clear cache on upgrade - make apparmor_parser store mtime of the source file in the header - make apparmor_parser use set the cache file to the mtime of the source file used to generate the cache and re-generate if those get out-of-sync Original description: -- Rick Spencer ran into the situation that he ended up with a snappy image that gave the following error: apparmor=DENIED operation=mkdir profile=/usr/bin/ubuntu-core-launcher name=/tmp/snap.0_pastebinit.mvo_em33Zz/ pid=1092 comm=ubuntu-core-lau requested_mask=c denied_mask=c fsuid=0 ouid=0 Running: $ sudo apparmor_parser --skip-cache -r /etc/apparmor.d/usr.bin.ubuntu-core-launcher fixes it. This strongly indicates that the cache has the old content and did not get re-generated on upgrade or image build. I also managed to reproduce this via: 15.04/stable-15.04/edge The image is here: https://drive.google.com/open?id=0B1sb5ymdUGiLa0tUR0pGV3lzR1kauthuser=0 To manage notifications about this bug go to: https://bugs.launchpad.net/snappy/+bug/1460152/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1460152] Re: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates)
** Changed in: snappy Assignee: (unassigned) = Michael Vogt (mvo) ** Changed in: snappy/15.04 Assignee: (unassigned) = Michael Vogt (mvo) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1460152 Title: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable - 15.04/edge updates) Status in Snappy Ubuntu: In Progress Status in Snappy 15.04 series: In Progress Status in apparmor package in Ubuntu: New Bug description: The apparmor cache gets confused easily on upgrade. Here is what happens: - boot stable, /etc/apparmor.d/cache/usr.bin.ubuntu-core-launcher is mtime of now because we generate the cache on boot - upgrade to edge, /etc/apparmor.d/usr.bin.ubuntu-core-launcher is updated and has the mtime of T (yesterday) when the file was put into the package - on the next reboot the apparmor_parser compares the mtime of the cache/usr.bin.ubuntu-core-launcher (very very recent) with the mtime of the souce usr.bin.ubuntu-core-launcher (much older) - cache does is *not* re-generate Possible solution: - clear cache on upgrade - make apparmor_parser store mtime of the source file in the header - make apparmor_parser use set the cache file to the mtime of the source file used to generate the cache and re-generate if those get out-of-sync Original description: -- Rick Spencer ran into the situation that he ended up with a snappy image that gave the following error: apparmor=DENIED operation=mkdir profile=/usr/bin/ubuntu-core-launcher name=/tmp/snap.0_pastebinit.mvo_em33Zz/ pid=1092 comm=ubuntu-core-lau requested_mask=c denied_mask=c fsuid=0 ouid=0 Running: $ sudo apparmor_parser --skip-cache -r /etc/apparmor.d/usr.bin.ubuntu-core-launcher fixes it. This strongly indicates that the cache has the old content and did not get re-generated on upgrade or image build. I also managed to reproduce this via: 15.04/stable-15.04/edge The image is here: https://drive.google.com/open?id=0B1sb5ymdUGiLa0tUR0pGV3lzR1kauthuser=0 To manage notifications about this bug go to: https://bugs.launchpad.net/snappy/+bug/1460152/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
