Looks good
** Changed in: kernel-sru-workflow/security-signoff
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1696360
Title:
linux-snapdragon:
Looks good
--
https://bugs.launchpad.net/bugs/1696362
Title:
linux-aws: 4.4.0-1019.28 -proposed tracker
To manage notifications about this bug go to:
Looks good
** Changed in: kernel-sru-workflow/security-signoff
Status: In Progress => Fix Released
--
https://bugs.launchpad.net/bugs/1696362
Title:
linux-aws: 4.4.0-1019.28
Looks good
** Changed in: kernel-sru-workflow/security-signoff
Status: In Progress => Fix Released
--
https://bugs.launchpad.net/bugs/1696359
Title:
linux-raspi2: 4.4.0-1058.65
looks good
** Changed in: kernel-sru-workflow/security-signoff
Status: In Progress => Fix Released
--
https://bugs.launchpad.net/bugs/1696358
Title:
linux-lts-xenial:
Looks good
** Changed in: kernel-sru-workflow/security-signoff
Status: In Progress => Fix Released
--
https://bugs.launchpad.net/bugs/1696357
Title:
linux: 4.4.0-80.101
Looks good
** Changed in: kernel-sru-workflow/security-signoff
Status: In Progress => Fix Released
--
https://bugs.launchpad.net/bugs/1696352
Title:
linux: 3.13.0-120.167
CVE-2017-1000364
** Also affects: linux (Ubuntu Artful)
Importance: Undecided
Status: New
** Also affects: linux-ti-omap4 (Ubuntu Artful)
Importance: Undecided
Status: New
** Also affects: linux-raspi2 (Ubuntu Artful)
Importance: Undecided
Status: New
** Also
*** This bug is a security vulnerability ***
Public security bug reported:
An issue was discovered in the size of the stack guard page on Linux,
specifically a 4k stack guard page is not sufficiently large and can be
jumped over
Break-Fix: 320b2b8de12698082609ebbc1a17165727f4c893 -
** Affects:
This is caused by a change made upstream in the 4.11 kernel, which
forbids writing the buffer size parameter after boot. The change to boot
time preallocated work buffers made this parameter useless, but 4.11
only partially merged that work, making writing the buffer size an
attack vector on the
@Simmon,
You are right, that will require extending what is supported in the
mediation, beyond even landing support for #2. It will take a bit of
work, but we can definitely do it. My preferred solution is more work
than the quickest/easiest solution, as it requires landing a few things
that
I think performance, and flexibility wise, the best solution would be to
move mediation entirely to userspace.
Use the key/value store to provide flexibility on what match ordering to
use, userspace policy caching so we don't have to round trip the kernel
except when the policy is invalidated by
There are actually a couple of ways to add it, and still keep userspace
compatibility. Kernel side we are actually often checking partial
matches, and due is a permission but AA_CONTINUE to indicate that if
permissions aren't satisfied to continue the match.
This could be emulated in userspace a
The message type certain could be added. However it is not the only way
this separation can be achieved.
The label in particular should be able to be used without tying it to a
specific service. Admittedly this is somewhat limited atm.
1. the label name on a service does not have to match its
So the first kernel tried may have had the flock mediation patch. It was in
4.4.0-67.88
Reverted in
4.4.0-70.91
which would help explain the switch in denial from
file_mmap rm
to
file_mprotect r
I am unsure why the request for mprotect is showing up. At this point we
need to start
Okay, this kernel does NOT contain the caching fix. So it is not the
cause of the issue.
--
https://bugs.launchpad.net/bugs/1655982
Title:
cups-browsed fails to start in containers after
@Jamie may be right in his guesses but there is not enough information
here to be sure. The stacking work exists in the Xenial, Yakkety, and
Zesty kernels. But the patch Jamie is referring to only exists in the
Zesty kernel (it did exist in Xenial and Yakkety until reverted).
Please attach the
Note, if we are running the right kernel, there is no reason that we
couldn't have trusty containers load profiles.
--
https://bugs.launchpad.net/bugs/1686612
Title:
Stacked profiles
There is a bug in the /etc/apparmor.d/abstractions/libvirt-qemu file on
line 183
/sys/devices/system/cpu/cpu*/online r
is missing the trailing ,
it should be
/sys/devices/system/cpu/cpu*/online r,
this prevents libvirt from loading the vm profile. Unfortunately it does
not report the
Thanks Stéphane,
@Christian, it looks like adding a rule
/dev/pts/ptmx rw,
to the profile is necessary for now.
--
https://bugs.launchpad.net/bugs/1684481
Title:
KVM guest execution
Hey Christian,
thanks for the profiles, I haven't had a chance to dig into them yet,
but after a quick first pass they look as expected.
so very interesting. First up apparmor has always done mediation post
symlink resolution, this is not new with stacking. What is new with
stacking is we are
It's true there are a few issues with apparmor profiles being loaded as
part of a stack when namespacing is involved. However this does not
appear to be one of them.
However the application may be behaving slightly differently resulting
in the profile needed to be extended. Can you please attach
Every release that supports prlimit is at least partially affected.
However the xenial, yakkety, zesty releases that have support stacking
code compound the issue.
I'll look into the ppc64el build, I'm sure it's possible, it's just one that
I have never done a test kernel for so I will have to learn
I have placed amd64 test kernels at
http://people.canonical.com/~jj/lp1679704/
It fixes the complain issue, which should let you proceed without
removing the profile and I am working on a regression test to add to the
test suite.
--
The capable request comes from chrome after it has set up a user
namespace. However apparmor can not currently detect the difference
between the system namespace and the user namespace.
Unfortunately the only solution at this time is to allow
capable sys_admin,
in the
please update your kernel, you are running the 4.4.0-21.37
This issue was fixed in Ubuntu 4.4.0-37.56 kernel
--
https://bugs.launchpad.net/bugs/1678291
Title:
kernel panic while
This is because boot params are processed before apparmor is fully
initialized and policy_view_capable() will oops because the rootns is
not setup.
We should by-pass policy_view_capable() for params being set at boot.
--
Public bug reported:
When an apparmor parameter is set on the grub kernel line it results in
an oops and failure to boot.
eg. setting
apparmor.audit=noquiet
will cause the kernel to fail to boot.
** Affects: linux (Ubuntu)
Importance: Undecided
Status: New
** Affects: linux
Public bug reported:
The apparmor query interface does not make available information about
what is currently supported. Add the base set of information for label
queries through the apparmorfs features subtree.
Note: this will be needed to support user space permission caching used
by trusted
Public bug reported:
User space trusted helpers have no way to detect when policy changes
have been loaded into the kernel. This prevents the applications from
being able to cache permission queries. Currently trusted helpers have
not done caching (wish list feature), however the gsetting proxy
Public bug reported:
gsettings mediation needs to be able to determine if apparmor supports
label data queries. A label data query can be done to test for support
but its failure is indistinguishable from other failures, making it an
unreliable indicator.
Fix by making support of label data
Public bug reported:
When a compound label is used as part of a target namespace the change
profile will result in a bad change
a task confined by profile lxd doing
change_profile(&:ns://foo//)
results in a change_profile to
:ns://foo
and
unconfined
causing the local system profile to
Note: this bug affects more than just lock mediation permissions. It at
a minimum can also affect the mmap executable (m) permission.
Further work is required to resubmit this fix
--
For now yes, but I think going forward we are going to want to split the
systemd bits in a subabstraction.
--
https://bugs.launchpad.net/bugs/1670408
Title:
Missing apparmor rules cause
The entire apparmor patch series was reverted regardless of whether the
patch had any link to a regression, or security fix.
The majority of the patches will be reapplied and go through the SRU
cycle again.
--
Looking through the logs in comment 8 for any indications of restarts,
unloads, I came up with this interesting discrepancy. Basically the
failure is recorded as happening 37s before the profile is loaded.
The load message for the container's profile
Feb 18 14:06:11 elkhart kernel: [ 494.893832]
Note: I did find messages being lost so disabling printk rate limiting
is really important
eg
Feb 18 14:06:56 elkhart kernel: [ 539.725207] audit_printk_skb: 15 callbacks
suppressed
--
it would also be good to get the output of the apparmor profiles file,
before and after a failed run
cat /sys/kernel/security/apparmor/profiles
--
https://bugs.launchpad.net/bugs/1667444
From what I can see in the logs this does not appear to be the issues
Tyler and Stephane have mentioned, however I can't entirely rule that
issue out yet.
The logs in comment 1 do not match up with the error reported in the bug
description, but appear to be the same as from comment 8, however
** Tags removed: verification-needed-xenial verification-needed-yakkety
** Tags added: verification-done-xenial verification-done-yakkety
--
https://bugs.launchpad.net/bugs/1638996
Title:
** Tags removed: verification-needed-yakkety
** Tags added: verification-done-yakkety
--
https://bugs.launchpad.net/bugs/1660832
Title:
unix domain socket cross permission check failing
** Tags removed: verification-needed-xenial verification-needed-yakkety
** Tags added: verification-done-xenial verification-done-yakkety
--
https://bugs.launchpad.net/bugs/1660833
Title:
** Tags removed: verification-needed-xenial verification-needed-yakkety
** Tags added: verification-done-xenial verification-done-yakkety
--
https://bugs.launchpad.net/bugs/1660834
Title:
** Tags removed: verification-needed-xenial verification-needed-yakkety
** Tags added: verification-done-xenial verification-done-yakkety
--
https://bugs.launchpad.net/bugs/1660836
Title:
** Tags removed: verification-needed-xenial verification-needed-yakkety
** Tags added: verification-done-xenial verification-done-yakkety
--
https://bugs.launchpad.net/bugs/1660840
Title:
Please describe the failure, including the logs so I can analyze. Just
because the container fails to start does not mean that the fix is bad.
There can be other issues that result in the failure.
Specifically this bug is for the denial message seen in comment #5 and
not the denied messages
** Tags removed: verification-needed-xenial verification-needed-yakkety
** Tags added: verification-done-xenial verification-done-yakkety
--
https://bugs.launchpad.net/bugs/1660849
Title:
** Tags removed: verification-needed-xenial verification-needed-yakkety
** Tags added: verification-done-xenial verification-done-yakkety
--
https://bugs.launchpad.net/bugs/1656121
Title:
** Tags removed: verification-needed-xenial verification-needed-yakkety
** Tags added: verification-done-xenial verification-done-yakkety
--
https://bugs.launchpad.net/bugs/1664912
Title:
The issue appears to be refcount related, I am still chasing this one
down but for this release we should revert
UBUNTU: SAUCE: apparmor: fix lock ordering for mkdir
UBUNTU: SAUCE: apparmor: fix leak on securityfs pin count
UBUNTU: SAUCE: apparmor: fix reference count leak when
You can try the set of kernel in
http://people.canonical.com/~jj/linux+jj/
--
https://bugs.launchpad.net/bugs/1666748
Title:
Apparmor problem inside a lxd container
The peer="---" is likely due to bug 1660832, which has been fixed in the
latest set of kernels that should be rolling out this week.
--
https://bugs.launchpad.net/bugs/1666748
Title:
A patch has been submitted to the kernel-t...@lists.ubuntu.com mail list
** Changed in: linux (Ubuntu Xenial)
Status: Incomplete => In Progress
** Changed in: linux (Ubuntu Yakkety)
Status: Incomplete => In Progress
** Changed in: linux (Ubuntu Zesty)
Status: Incomplete =>
** Also affects: linux (Ubuntu)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Xenial)
Importance: Undecided
Status: New
** Also affects: linux-lts-xenial (Ubuntu Xenial)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Zesty)
There is a 3rd level of check that can be applied if those sha1sums
don't match.
sys/kernel/security/apparmor/policy/profiles/usr.sbin.libvirtd.*/raw_hash
should be the same as the sha1sum for raw_data
i.e
$ cat sys/kernel/security/apparmor/policy/profiles/usr.sbin.libvirtd.*/raw_hash
James, I can give you access to a custom kernel and library that
provides a fix for the apparmor end if you would like. The issue is that
these are not in the distro yet, and have not been backported to earlier
releases (yet).
--
These kernels are working for me
--
https://bugs.launchpad.net/bugs/1661030
Title:
regression tests failing after stackprofile test is run
Alright, so I broke complain mode for execs with
UBUNTU: SAUCE: apparmor: Fix no_new_privs blocking change_onexec when using
stacked namespaces
I have a fix and the test kernels are building and will be available in
http://people.canonical.com/~jj/linux+jj/
--
** Changed in: linux (Ubuntu Xenial)
Status: Incomplete => In Progress
** Changed in: linux (Ubuntu Yakkety)
Status: Incomplete => In Progress
** Changed in: linux (Ubuntu Zesty)
Status: Incomplete => In Progress
--
** Changed in: linux (Ubuntu Xenial)
Status: Incomplete => In Progress
** Changed in: linux (Ubuntu Yakkety)
Status: Incomplete => In Progress
** Changed in: linux (Ubuntu Zesty)
Status: Incomplete => In Progress
--
** Changed in: linux (Ubuntu Xenial)
Status: Incomplete => In Progress
** Changed in: linux (Ubuntu Yakkety)
Status: Incomplete => In Progress
** Changed in: linux (Ubuntu Zesty)
Status: Incomplete => In Progress
--
** Changed in: linux (Ubuntu Xenial)
Status: Incomplete => In Progress
** Changed in: linux (Ubuntu Yakkety)
Status: Incomplete => In Progress
** Changed in: linux (Ubuntu Zesty)
Status: Incomplete => In Progress
--
** Changed in: linux (Ubuntu Xenial)
Status: Incomplete => In Progress
** Changed in: linux (Ubuntu Yakkety)
Status: Incomplete => In Progress
** Changed in: linux (Ubuntu Zesty)
Status: Incomplete => In Progress
--
** Also affects: linux (Ubuntu Xenial)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Zesty)
Importance: Undecided
Status: Incomplete
** Also affects: linux (Ubuntu Yakkety)
Importance: Undecided
Status: New
** Changed in: linux (Ubuntu Zesty)
** Changed in: linux (Ubuntu Xenial)
Status: Incomplete => In Progress
** Changed in: linux (Ubuntu Yakkety)
Status: Incomplete => In Progress
** Changed in: linux (Ubuntu Zesty)
Status: Incomplete => In Progress
--
** Changed in: linux (Ubuntu Xenial)
Status: Incomplete => In Progress
** Changed in: linux (Ubuntu Yakkety)
Status: Incomplete => In Progress
** Changed in: linux (Ubuntu Zesty)
Status: Incomplete => In Progress
--
I have sent pull requests to the kt mailing list that include the
current ref count leak fixes.
This set however does not fix all the leaks and I am still working on
nailing them down when I can.
--
** Changed in: linux (Ubuntu Xenial)
Status: Incomplete => In Progress
** Changed in: linux (Ubuntu Yakkety)
Status: Incomplete => In Progress
** Changed in: linux (Ubuntu Zesty)
Status: Incomplete => In Progress
--
Public bug reported:
When doing profile removal, the parent ns of the profiles is taken, but
the reference isn't being put, resulting in the ns never being freed
even after it is removed.
** Affects: linux (Ubuntu)
Importance: Undecided
Status: New
** Affects: linux (Ubuntu
Public bug reported:
apparmor is leaking the parent ns ref count, by directly returning the
error
** Affects: linux (Ubuntu)
Importance: Undecided
Status: New
** Affects: linux (Ubuntu Xenial)
Importance: Undecided
Status: New
** Affects: linux (Ubuntu Yakkety)
Public bug reported:
apparmor is leaking pinfs refcount when inode setup fails.
** Affects: linux (Ubuntu)
Importance: Undecided
Status: New
** Affects: linux (Ubuntu Xenial)
Importance: Undecided
Status: New
** Affects: linux (Ubuntu Yakkety)
Importance:
Public bug reported:
The error condition of security_pin_fs() was not being checked which
can result in an oops or use after free, due to the fs pin
count not being incremented.
** Affects: linux (Ubuntu)
Importance: Undecided
Status: New
** Affects: linux (Ubuntu
** Changed in: apparmor
Status: Triaged => Fix Released
--
https://bugs.launchpad.net/bugs/1598759
Title:
AppArmor nameservice abstraction doesn't allow communication with
** Changed in: apparmor
Status: In Progress => Invalid
--
https://bugs.launchpad.net/bugs/1634753
Title:
srcname from mount rule corrupted under load
Public bug reported:
Bind mounts can oops when devname lookup fails because the devname is
uninitialized and used in auditing the denial.
** Affects: linux (Ubuntu)
Importance: Undecided
Status: New
--
Public bug reported:
When an fd is disallowed from being inherited during exec, instead of
closed it is duped to a special apparmor/.null file. This prevents the
fd from being reused by another file in case the application expects
the original file on a given fd
Public bug reported:
When using nested namespaces policy within the nested namespace is trying
to cross validate with policy outside of the namespace that is not
visible to it. This results in the access being denied and with no way to
add a rule to policy that would
Public bug reported:
@new does not have a reference taken locally and should not have its
reference put locally either.
** Affects: linux (Ubuntu)
Importance: Undecided
Status: New
** Affects: linux (Ubuntu Xenial)
Importance: Undecided
Status: New
**
Public bug reported:
When a new label is created, it is created with a proxy in a circular
ref count that is broken by replacement. However if the label is not
used it will never be replaced and the circular ref count will never
be broken resulting in a leak.
Unless we can get more debug info I am marking this won't fix
** Changed in: lxc (Ubuntu)
Status: New => Won't Fix
--
https://bugs.launchpad.net/bugs/1428490
Title:
AppArmor vs
No, the chromium and firefox profiles can be fixed. However the current
fixes are not ideal. Basically apparmor currently needs to allow
capability sys_admin and a few other dangerous privileges in the base
profile.
This is not due to the complexity of the sandbox model but because the
linux
We need to make it so it can scan ahead and use summary mode if the
outstanding number of messages is larger than the threshold when it goes
to display the next message.
--
** Changed in: apparmor
Status: New => Confirmed
--
https://bugs.launchpad.net/bugs/1658943
Title:
aa-notify blocks desktop with garbage notifications
There are definitely, several ref count leaks that can lead to memory
leaking during policy replacement. I haven't been able to trace down
every leak yet, but the kernel in
http://people.canonical.com/~jj/lp1656121/
contains several fixes that should help. I need to finish cleaning up
the series
** Changed in: vidalia (Ubuntu)
Status: Confirmed => Invalid
--
https://bugs.launchpad.net/bugs/1290107
Title:
Vidalia does not start. AppArmor prevents
** Changed in: apparmor (Ubuntu)
Status: New => Fix Released
** Changed in: apparmor
Status: Fix Committed => Fix Released
** Changed in: linux (Ubuntu Xenial)
Status: New => Invalid
--
** Changed in: apparmor
Status: New => Invalid
--
https://bugs.launchpad.net/bugs/1592547
Title:
vmalloc failure leads to null ptr dereference in aa_dfa_next
sudo snap refresh
should refresh the kernel snap. However the suspected fix will not be in
any snap kernel, nor can I atm build you a kernel snap to test with.
--
Okay, that looks like the kernel is working for you and you are now past
the original
[103975.623545] audit: type=1400 audit(1481284511.494:2807):
apparmor="DENIED" operation="change_onexec" info="no new privs" error=-1
namespace="root//lxd-tor_" profile="unconfined"
name="system_tor" pid=18593
Ignore the request to test the upstream kernel, for the moment.
In this case the apparmor code that is in the trace does not exist upstream.
Instead could you test the kernel in
http://people.canonical.com/~jj/lp1648143/
While listed as being for bug 1648143, it contains several fixes
sorry this took longer than expected. I have placed amd64 test kernels at
http://people.canonical.com/~jj/lp1648143/
please let me know if this works for you
--
The denial messages like
target=B00280F4B00280F
are caused by a kernel bug, in reporting the profile name of the
target of the ptrace.
In general ptrace operations are controlled by both capability and
ptrace rules. This is because within the kernel ptrace calls in to the
capability code,
This occurs in a stacked policy situation, where there is a system
policy is being applied but within the container namespace, the policy
is unconfined.
The special casing for unconfined with no-new-privs is not properly
detecting this case. I will have a test kernel with a fix for this issue
To clarify the container is missing the minimum requirements of the
apparmor_parser and the apparmor init service.
--
https://bugs.launchpad.net/bugs/1648143
Title:
tor in lxd:
using
lxc launch images:ubuntu/yakkety torcontainer
to create the container
then installing tor into the container and starting it I can replicate
the error. However this is due to the container not having apparmor
installed. The container is not booting with apparmor or loading the tor
profile.
Christian,
could you please try against my test kernel? It has fixed the issue with
my local reproducer
The packages are in
http://people.canonical.com/~jj/linux+jj/
you can probably get away with just installing linux-
image-4.8.0-30-generic_4.8.0-30.32+lp1645037_amd64.deb but the other
I have fully replicated this with just the apparmor_parser, and bash. It
requires using both the fs based namespace mkdir/rmdir namespace
interface and regular profile replacement/removal at the same time.
--
This should be fixed by adding the rule
dbus rw peer=(name=/run/dbus/system_bus_socket),
to the /usr/sbin/ntpd profile
--
https://bugs.launchpad.net/bugs/1647586
Title:
apparmor errors
I think I may have replicated, in that I got log entries with task
blocked for more than 120 seconds, very similar to the above logs. And
the apparmor_parser could running ps on the system did show several
apparmor_parsers waiting. However it did not crash nor did the
apparmor_parser instances
No, I haven't. I have been using the instructions you provided with no
success. I have started some tests doing lower level direct calls of
replace and reload so that I can have even more concurrency.
--