[Bug 1645037] Re: apparmor_parser hangs indefinitely when called by multiple threads

2016-12-03 Thread John Johansen
How reliable/repeatable is this for you? I have been hammering a machine for multiple days and not been able to trip this once. I have been using the 4.8 ubuntu kernel the ubuntu-lxc/daily and the ubuntu-lxc/stable ppas. Any more info you can provide? -- You received this bug notification

[Bug 1645037] Re: apparmor_parser hangs indefinitely when called by multiple threads

2016-12-01 Thread John Johansen
** Changed in: linux (Ubuntu Xenial) Assignee: (unassigned) => John Johansen (jjohansen) ** Changed in: linux (Ubuntu Yakkety) Assignee: (unassigned) => John Johansen (jjohansen) ** Changed in: linux (Ubuntu Zesty) Assignee: (unassigned) => John Johansen (jjohansen) *

[Bug 1634753] Re: srcname from mount rule corrupted under load

2016-11-28 Thread John Johansen
I have done some light testing on this, trying to develop a non-snap-based test to verify it. The test is nowhere near as reliable as the snappy test. I haven't been able to trigger the bug on the new kernel yet, with the caveat that it could just be the test. I am inclined to declare this

[Bug 1611078] Re: Support snaps inside of lxd containers

2016-11-07 Thread John Johansen
note: that for xenial there are several pieces that must land as different SRUs. Just using the xenial SRU kernel is not sufficient. There is an apparmor userspace SRU that is required, and squashfuse sru ...

[Bug 1637437] Re: linux 3.13.0-101.148 ADT test failure with linux 3.13.0-101.148

2016-11-07 Thread John Johansen
This appears to be a problem with the test ** Changed in: linux (Ubuntu) Status: Confirmed => Invalid ** Also affects: apparmor (Ubuntu) Importance: Undecided Status: New ** Changed in: apparmor (Ubuntu) Status: New => Confirmed

[Bug 1637440] Re: linux 4.4.0-46.67 ADT test failure with linux 4.4.0-46.67

2016-11-07 Thread John Johansen
This appears to be an issue with the test. ** Changed in: linux (Ubuntu) Status: Confirmed => Invalid ** Also affects: apparmor (Ubuntu) Importance: Undecided Status: New ** Changed in: apparmor (Ubuntu) Status: New => Confirmed

[Bug 1639660] Re: apparmor-parse cannot parse profile with stacking //

2016-11-07 Thread John Johansen
Alright I have replicated and there is indeed a problem here. It will work if the first profile starts with a / but fails when it doesn't ** Changed in: apparmor (Ubuntu) Status: New => Confirmed ** Changed in: apparmor (Ubuntu) Assignee: (unassigned) => John Johansen (jjo

[Bug 1639660] Re: apparmor-parse cannot parse profile with stacking //

2016-11-06 Thread John Johansen
Yuqiong Sun, the parser is sensitive to white space. If your profile has white space in the name you will need to use quotes around it /root/test/read px -> "readtest1 //& readtest2", otherwise you will need to remove the white space and specify it as /root/test/read px -> readtest1//,

[Bug 1638996] Re: apparmor's raw_data file in securityfs is sometimes truncated

2016-11-04 Thread John Johansen
I need more information about what else is going on on the system when this triggers: is there profile replacement happening, what kind of load, ... So far I have been unable to trigger this, and the code looks good. ** Changed in: linux (Ubuntu) Status: In Progress => Incomplete

[Bug 1638996] Re: apparmor's raw_data file in securityfs is sometimes truncated

2016-11-04 Thread John Johansen
** Changed in: linux (Ubuntu) Status: Incomplete => Confirmed ** Changed in: linux (Ubuntu) Status: Confirmed => In Progress ** Changed in: linux (Ubuntu) Assignee: (unassigned) => John Johansen (jjohansen)

[Bug 1634753] Re: srcname from mount rule corrupted under load

2016-10-19 Thread John Johansen
** Changed in: linux (Ubuntu Yakkety) Status: Triaged => Invalid ** Also affects: linux (Ubuntu Trusty) Importance: Undecided Status: New ** Changed in: linux (Ubuntu Trusty) Status: New => Triaged ** Also affects: linux (Ubuntu Precise) Importance: Undecided

[Bug 1611078] Re: Support snaps inside of lxd containers

2016-10-14 Thread John Johansen
** Also affects: apparmor (Ubuntu Yakkety) Importance: Critical Assignee: Tyler Hicks (tyhicks) Status: Fix Released ** Also affects: linux (Ubuntu Yakkety) Importance: Critical Assignee: John Johansen (jjohansen) Status: Fix Released ** Also affects: lxd (Ubuntu

[Bug 1630069] Re: Regression tests can not detect binfmt_elf mmpa semantic change

2016-10-05 Thread John Johansen
** Changed in: apparmor Status: New => Fix Committed ** Changed in: linux (Ubuntu Yakkety) Status: Incomplete => In Progress

[Bug 1630354] Re: can not switch workspaces using keyboard short cuts

2016-10-05 Thread John Johansen
I'm not sure what messed up the settings, but there isn't enough of a trail to say if it was the unity update, compiz update or some other random change. So moving to invalid ** Changed in: unity (Ubuntu) Status: New => Invalid

[Bug 1630354] Re: can not switch workspaces using keyboard short cuts

2016-10-04 Thread John Johansen
Got it. It required that I install ccsm and toggle the Desktop Wall setting

[Bug 1630354] [NEW] can not switch workspaces using keyboard short cuts

2016-10-04 Thread John Johansen
Public bug reported: 16.04 - fully updated keyboard short cuts to switch workspaces used to work. After last reboot they don't. Checked in system settings, keyboard short cuts are set. Tried resetting them, no go. Tried alternate keys short cuts, no go. Tried rebooting they still don't work.

[Bug 1630069] [NEW] Regression tests can not detect binfmt_elf mmpa semantic change

2016-10-03 Thread John Johansen
but it results in the test breaking for everyone using upstream releases against pre 4.8 kernels. ** Affects: apparmor Importance: Undecided Assignee: John Johansen (jjohansen) Status: New ** Affects: linux (Ubuntu) Importance: Undecided Assignee: John Johansen (jjohansen

[Bug 1611078] Re: Support snaps inside of lxd containers

2016-09-28 Thread John Johansen
** Also affects: linux (Ubuntu) Importance: Undecided Status: New ** Changed in: linux (Ubuntu) Importance: Undecided => Critical ** Changed in: linux (Ubuntu) Status: New => In Progress ** Changed in: linux (Ubuntu) Assignee: (unassigned) => John Johansen (

[Bug 1628285] Re: apparmor should be allowed to start in containers

2016-09-27 Thread John Johansen
slight revision /sys/kernel/security/apparmor/features/domain/ns_stacked contains yes/no if stacked across policy namespace /sys/kernel/security/apparmor/features/domain/ns_name contains the name of the namespace as long as lxc sets up a detectable namespace ns_name can be used to

[Bug 1626984] Re: kernel BUG at /build/linux-lts-xenial-_hWfOZ/linux-lts-xenial-4.4.0/security/apparmor/include/context.h:69!

2016-09-23 Thread John Johansen
In testing I have not been able to reproduce. But from the oops it looks like either potential memory corruption, or corruption of the cred. The oops reports invalid opcode: [#1] SMP however the piece of code triggering this is used all the time, so the more likely scenario is

[Bug 1615881] Re: The label build for onexec when stacking is wrong

2016-09-09 Thread John Johansen
** Tags removed: verification-needed-xenial ** Tags added: verification-done-xenial

[Bug 1615882] Re: dfa is missing a bounds check which can cause an oops

2016-09-09 Thread John Johansen
** Tags removed: verification-needed-xenial ** Tags added: verification-done-xenial

[Bug 1593874] Re: warning stack trace while playing with apparmor namespaces

2016-09-09 Thread John Johansen
** Tags removed: verification-needed-xenial ** Tags added: verification-done-xenial

[Bug 1615878] Re: __label_update proxy comparison test is wrong

2016-09-09 Thread John Johansen
** Tags removed: verification-needed-xenial ** Tags added: verification-done-xenial

[Bug 1615880] Re: The inherit check for new to old label comparison for domain transitions is wrong

2016-09-09 Thread John Johansen
** Tags removed: verification-needed-xenial ** Tags added: verification-done-xenial

[Bug 1615889] Re: label vec reductions can result in reference labels instead of direct access to labels

2016-09-09 Thread John Johansen
** Tags removed: verification-needed-xenial ** Tags added: verification-done-xenial

[Bug 1615892] Re: deleted files outside of the namespace are not being treated as disconnected

2016-09-09 Thread John Johansen
** Tags removed: verification-needed-xenial ** Tags added: verification-done-xenial

[Bug 1615895] Re: apparmor module parameters can be changed after the policy is locked

2016-09-09 Thread John Johansen
** Tags removed: verification-needed-xenial ** Tags added: verification-done-xenial

[Bug 1615887] Re: profiles from different namespaces can block other namespaces from being able to load a profile

2016-09-09 Thread John Johansen
** Tags removed: verification-needed-xenial ** Tags added: verification-done-xenial

[Bug 1615893] Re: change_hat is logging failures during expected hat probing

2016-09-09 Thread John Johansen
** Tags removed: verification-needed-xenial ** Tags added: verification-done-xenial

[Bug 1579135] Re: AppArmor profile reloading causes an intermittent kernel BUG

2016-09-09 Thread John Johansen
** Tags removed: verification-needed-xenial ** Tags added: verification-done-xenial

[Bug 1615890] Re: stacking to unconfined in a child namespace confuses mediation

2016-09-09 Thread John Johansen
** Tags removed: verification-needed-xenial ** Tags added: verification-done-xenial

[Bug 1615895] Re: apparmor module parameters can be changed after the policy is locked

2016-08-23 Thread John Johansen
** Also affects: linux (Ubuntu) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Yakkety) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Xenial) Importance: Undecided Status: New ** Changed in: linux (Ubuntu Xenial) Status:

[Bug 1609885] Re: exec transitions to profiles with '.' in name don't work

2016-08-23 Thread John Johansen
** Also affects: linux (Ubuntu) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Yakkety) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Xenial) Importance: Undecided Status: New ** Changed in: linux (Ubuntu Xenial) Status:

[Bug 1615887] Re: profiles from different namespaces can block other namespaces from being able to load a profile

2016-08-23 Thread John Johansen
** Also affects: linux (Ubuntu) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Yakkety) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Xenial) Importance: Undecided Status: New ** Changed in: linux (Ubuntu Xenial) Status:

[Bug 1615889] Re: label vec reductions can result in reference labels instead of direct access to labels

2016-08-23 Thread John Johansen
** Also affects: linux (Ubuntu) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Yakkety) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Xenial) Importance: Undecided Status: New ** Changed in: linux (Ubuntu Xenial) Status:

[Bug 1615892] Re: deleted files outside of the namespace are not being treated as disconnected

2016-08-23 Thread John Johansen
** Also affects: linux (Ubuntu) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Yakkety) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Xenial) Importance: Undecided Status: New ** Changed in: linux (Ubuntu Xenial) Status:

[Bug 1615890] Re: stacking to unconfined in a child namespace confuses mediation

2016-08-23 Thread John Johansen
** Also affects: linux (Ubuntu) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Yakkety) Importance: Undecided Status: New ** Changed in: linux (Ubuntu Xenial) Status:

[Bug 1615893] Re: change_hat is logging failures during expected hat probing

2016-08-23 Thread John Johansen
** Also affects: linux (Ubuntu) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Yakkety) Importance: Undecided Status: New ** Changed in: linux (Ubuntu Xenial) Status:

[Bug 1615878] Re: __label_update proxy comparison test is wrong

2016-08-23 Thread John Johansen
** Also affects: linux (Ubuntu) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Yakkety) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Xenial) Importance: Undecided Status: New ** Changed in: linux (Ubuntu Xenial) Status:

[Bug 1615882] Re: dfa is missing a bounds check which can cause an oops

2016-08-23 Thread John Johansen
** Also affects: linux (Ubuntu) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Yakkety) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Xenial) Importance: Undecided Status: New ** Changed in: linux (Ubuntu Xenial) Status:

[Bug 1615880] Re: The inherit check for new to old label comparison for domain transitions is wrong

2016-08-23 Thread John Johansen
** Also affects: linux (Ubuntu) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Yakkety) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Xenial) Importance: Undecided Status: New ** Changed in: linux (Ubuntu Xenial) Status:

[Bug 1615881] Re: The label build for onexec when stacking is wrong

2016-08-23 Thread John Johansen
** Also affects: linux (Ubuntu) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Yakkety) Importance: Undecided Status: New ** Changed in: linux (Ubuntu Xenial) Status:

[Bug 1579135] Re: AppArmor profile reloading causes an intermittent kernel BUG

2016-08-23 Thread John Johansen
) Importance: Critical Assignee: John Johansen (jjohansen) Status: Incomplete ** Also affects: linux (Ubuntu Yakkety) Importance: Undecided Status: New ** Changed in: linux (Ubuntu Xenial) Status: New => Fix Committed ** Changed in: linux (Ubuntu Yakkety) Status:

[Bug 1579135] Re: AppArmor profile reloading causes an intermittent kernel BUG

2016-08-22 Thread John Johansen
I believe I have finally tracked this one down. It only occurs when an fd is shared between 9 or more separate profile domains and one of those profiles is removed. The removal part can happen during the apparmor reload phase, if a profile was renamed which is more likely on touch and snappy.

[Bug 1581990] Re: Profile reload leads to kernel NULL pointer dereference

2016-08-22 Thread John Johansen
*** This bug is a duplicate of bug 1579135 *** https://bugs.launchpad.net/bugs/1579135 Note: there is a new test kernel using +jj61 at http://people.canonical.com/~jj/linux+jj/ This should be the final fix for this issue

[Bug 1579135] Re: kernel BUG on snap disconnect from within a snap

2016-08-17 Thread John Johansen
could you try reproducing with the kernel in http://people.canonical.com/~jj/linux+jj/

[Bug 1581990] Re: Profile reload leads to kernel NULL pointer dereference

2016-08-05 Thread John Johansen
can you try the kernel in http://people.canonical.com/~jj/linux+jj/ yes it is a xenial kernel but it should still work on trusty

[Bug 1594202] Re: apparmor messages everywhere

2016-07-25 Thread John Johansen
The apparmor profile is tailored for the default dovecot install if you have a custom build or have tweaked the configuration the apparmor profile may need to be modified. Can you tell how/where your dovecot came from, apt/snap/custom build Can you please attach your dovecot configs so we can

[Bug 1373070] Re: full fix for disconnected path (paths)

2016-07-25 Thread John Johansen
possibly. There isn't actually enough information in that bug to be sure if it is an actual namespacing issue or it is a separate bug to do with unix domain sockets. Unfortunately the workaround of attach_disconnect is still required to deal with these issues.

[Bug 1378123] Re: unix_socket_abstract.sh triggers an AppArmor WARN

2016-07-01 Thread John Johansen
This should be fixed in Xenial, there is a large patchset (30 or so patches) that can be SRUed to vivid's 3.16 kernel

[Bug 1579135] Re: kernel BUG on snap disconnect from within a snap

2016-06-03 Thread John Johansen
Is the snap removed and then reinstalled? Has this been triggered just by running the snap? When was the kernel rebooted since the snap was installed? Since the snap was removed? ...

[Bug 1581990] Re: Profile reload leads to kernel NULL pointer dereference

2016-06-03 Thread John Johansen
I have been unable to trigger the first bug reported. Can you attach a flattened version of your profile set? apparmor_parser -p your_profile > flattened_profile

[Bug 1579135] Re: kernel BUG on snap disconnect from within a snap

2016-06-03 Thread John Johansen
I have been unable to trigger this bug can you please provide more information?

[Bug 1581990] Re: Profile reload leads to kernel NULL pointer dereference

2016-06-03 Thread John Johansen
I have updated the debug kernel at http://people.canonical.com/~jj/lp1581990/ it adds more debug and fixes the 2nd issue you encountered.

[Bug 1581990] Re: Profile reload leads to kernel NULL pointer dereference

2016-06-01 Thread John Johansen
That sadly was not very helpful, it died in a completely different place and didn't trip any of the additional debug. Would it be possible to try it again?

[Bug 1581990] Re: Profile reload leads to kernel NULL pointer dereference

2016-05-25 Thread John Johansen
I have uploaded a debug kernel to http://people.canonical.com/~jj/lp1581990/ If you could install that and test, hopefully it has enough debug to track this issue down

[Bug 1581990] Re: Profile reload leads to kernel NULL pointer dereference

2016-05-21 Thread John Johansen
Are the oops warnings reliable for you? It appears to be a ref count bug or race and I have not been able to track it down yet. If it is somewhat reliable would you be willing to try a debug kernel to help track the issue down?

[Bug 1579135] Re: kernel BUG on snap disconnect from within a snap

2016-05-19 Thread John Johansen
No, which means it's a race of some kind

[Bug 1446794] Re: parser error with 'deny change_profile'

2016-05-17 Thread John Johansen
The deny modifier has been fixed in the 2.11 parser. However, the audit modifier is not properly supported by the backend permission format and will result in equality.sh failing With the above patch to equality.sh, the failures all involve audit which is being silently dropped in permission

[Bug 1581202] Re: CVE-2016-0758

2016-05-16 Thread John Johansen
** Information type changed from Private Security to Public Security

[Bug 1581201] Re: CVE-2016-3713

2016-05-16 Thread John Johansen
** Information type changed from Private Security to Public Security

[Bug 1581990] Re: Profile reload leads to kernel NULL pointer dereference

2016-05-16 Thread John Johansen
are these custom/modified dovecot profiles? what other profiles are loaded? can you provide the output of aa-status?

[Bug 1581202] [NEW] CVE-2016-0758

2016-05-12 Thread John Johansen
*** This bug is a security vulnerability *** Private security bug reported: Placeholder ** Affects: linux (Ubuntu) Importance: Undecided Status: New ** Affects: linux-raspi2 (Ubuntu) Importance: Undecided Status: New ** Affects: linux-ti-omap4 (Ubuntu)

[Bug 1581201] [NEW] CVE-2016-3713

2016-05-12 Thread John Johansen
*** This bug is a security vulnerability *** Private security bug reported: Placeholder ** Affects: linux (Ubuntu) Importance: Undecided Status: New ** Affects: linux-raspi2 (Ubuntu) Importance: Undecided Status: New ** Affects: linux-ti-omap4 (Ubuntu)

Re: [Bug 1580463] Re: Snap blocks access to system input methods (ibus, fctix, ...)

2016-05-11 Thread John Johansen
On 05/11/2016 11:46 AM, Tyler Hicks wrote: > On 05/11/2016 10:22 AM, Jamie Strandboge wrote: > ... >> >> We then have dbus-session-strict: >> unix (connect, receive, send) >>type=stream >>peer=(addr="@/tmp/dbus-*"), >> >> There is a problem with this policy though; that access is

[Bug 1579135] Re: kernel BUG on snap disconnect from within a snap

2016-05-06 Thread John Johansen
What kernel (full version) did this occur on?

[Bug 1575392] Re: Use force-complain symlinks instead of hard-coded "complain" flags

2016-04-26 Thread John Johansen
To be clear we are not talking about removing support for flags=(complain) from the parser or the language. Just defaulting to using the symlink for aa-complain because of broken packaging systems :P

[Bug 1575392] Re: Use force-complain symlinks instead of hard-coded "complain" flags

2016-04-26 Thread John Johansen
Hrmmm, I thought this was fixed in the parser. Maybe it's only part 1 of a 2-part fix that was done, we will have to check but the cached policy now stores a flag in the header that it was built with complain mode making it possible to detect this condition without having to parse the whole cache

[Bug 1525119] Re: Cannot permit some operations for sssd

2016-04-20 Thread John Johansen
** Changed in: apparmor/2.10 Status: Fix Committed => Fix Released

[Bug 1528139] Re: serialize_profile_from_old_profile() crash if file contains multiple profiles

2016-04-20 Thread John Johansen
** Changed in: apparmor/2.10 Status: Fix Committed => Fix Released

[Bug 1534405] Re: Regression in parser compiling/loading a directory

2016-04-20 Thread John Johansen
** Changed in: apparmor/2.10 Status: Fix Committed => Fix Released

[Bug 1324608] Re: when aa-logprof processed file access rules with mask of "c" the resulting profile doesn't work

2016-04-20 Thread John Johansen
** Changed in: apparmor Status: Fix Committed => Fix Released

[Bug 1540562] Re: aa-genprof crashes in logparser NoneType has no "replace"

2016-04-20 Thread John Johansen
** Changed in: apparmor/2.10 Status: Fix Committed => Fix Released

[Bug 1568485] Re: kernel: audit: type=1400 audit(1460259033.648:34): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13

2016-04-10 Thread John Johansen
It needs to be set in the profile file /etc/apparmor.d/sbin.dhclient apply the following change --- a/sbin.dhclient 2016-02-25 06:32:17.0 -0800 +++ b/sbin.dhclient 2016-04-10 12:41:41.826906424 -0700 @@ -3,7 +3,7 @@ # Author: Jamie Strandboge #include

[Bug 1561330] Re: ps security data column includes AppArmor confinement mode in 16.04

2016-04-06 Thread John Johansen
For the record it is this commit that made the change https://gitlab.com/procps-ng/procps/commit/5da390422d2b58902731655ddd12439126a051da it was previously terminating the string when it hit the space before the mode. Now it is using isprint(outbuf[len]) and space is a printable character.

[Bug 1561330] Re: ps security data column includes AppArmor confinement mode in 16.04

2016-04-06 Thread John Johansen
The apparmor /proc/ interface has always included the mode info, so the change must be in how ps handles the security label

[Bug 1350598] Re: AppArmor policy compile improvements

2016-04-01 Thread John Johansen
@Jamie, I had assumed we would be using --skip-kernel-load. I was just bringing up that policy versioning is not just about having different versions of policy for different kernels but also about dealing with failure cases.

[Bug 1350598] Re: AppArmor policy compile improvements

2016-04-01 Thread John Johansen
Versioned policy is needed on touch if the compile is going to be done before reboot. You do not want to blow away currently enforcing policy and install the new version and then run into a situation where you fail, or don't reboot. So at the very least for the failure case we need to support

[Bug 1373070] Re: full fix for disconnected path (paths)

2016-03-30 Thread John Johansen
Correct. There are actually several ways to get disconnected paths and this specific one is being caused by the new file ns. The proper fix for this is delegating access to the object that would not normally be accessible, however delegation is not available in the current releases of apparmor

[Bug 1458014] Re: audit_printk_skb slowing down boot

2016-03-30 Thread John Johansen
Alessio, so from the boot chart I am not able to say what is causing the delay. What I do see is a large gap in activity for both the cpu and i/o. That gap lines up roughly with the start of pulse audio, but that doesn't necessarily make it the culprit. We then get a large gap of little to no

[Bug 1560583] Re: reading /sys/kernel/security/apparmor/profiles requires CAP_MAC_ADMIN

2016-03-24 Thread John Johansen
Please note, this will require future backport kernels to be patched to maintain this semantic for the LTS release. Upstream kernels and future ubuntu kernels will not retain the broken semantic.

[Bug 1560583] Re: reading /sys/kernel/security/apparmor/profiles requires CAP_MAC_ADMIN

2016-03-24 Thread John Johansen
To clarify "necessary to open up". 1. the old behavior was wrong. It allowed introspection of policy in situation that it should not have. 2. In order to open up the profiles file so that more than the system root could introspect it, DAC restrictions needed to be removed and the permission

[Bug 1560583] Re: reading /sys/kernel/security/apparmor/profiles requires CAP_MAC_ADMIN

2016-03-24 Thread John Johansen
This is not an issue. It is working as designed and is necessary to open up the file for the stacking work. This patch should be reverted immediately as it opens up a policy introspection hole. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to

[Bug 1379535] Re: policy namespace stacking

2016-03-19 Thread John Johansen
** Summary changed: - namespace stacking + policy namespace stacking -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1379535 Title: policy namespace stacking To manage notifications about this bug

[Bug 1379535] Re: policy namespace stacking

2016-03-19 Thread John Johansen
** Description changed: - Tracking bug for supporting stacked namesapaces (ie, different profiles - on host, container, container in a container, etc) + Tracking bug for supporting stacked policy namesapaces (ie, different + profiles on host, container, container in a container, etc) -- You

[Bug 1554002] Re: linux: apparmor kernel test suite failing on 3.19.0-53.59 and later

2016-03-07 Thread John Johansen
** Attachment added: "Log of failure" https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1554002/+attachment/4591441/+files/log.gz -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1554002 Title:

[Bug 1554002] Re: linux: apparmor kernel test suite failing on 3.19.0-53.59 and later

2016-03-07 Thread John Johansen
This is a failure/regression on ppc64el. A full list of all runs including retries is available at http://autopkgtest.ubuntu.com/packages/l/linux/vivid/ppc64el/ -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

[Bug 1350598] Re: AppArmor policy compile improvements

2016-03-02 Thread John Johansen
Yes, kicking off a policy compile as part of an update should be possible. It certainly is for .debs, I am not sure of the exact details for click or snappy. As mentioned above, this compile could even be done as a low priority background task so that the user update wouldn't pick up the cost.

[Bug 1350598] Re: AppArmor policy compile improvements

2016-03-02 Thread John Johansen
Sure we want a good user experience. We need to land the 2.11 version of apparmor which provides several performance improvements. It can be up to about 35% faster. Another potential solution not discussed so far is kicking off a low priority background process. This has its own issues, it

[Bug 1551642] Re: First boot slow after profile change

2016-03-01 Thread John Johansen
*** This bug is a duplicate of bug 1350598 *** https://bugs.launchpad.net/bugs/1350598 The duplicate status is not wrong but the information in that bug is dense. Please read it for a more in-depth answer 1. a simple change does not necessarily cause all policy to be recompiled. Only policy

[Bug 1547373] Re: dmesg is full of apparmor denied messages for ntpd

2016-02-19 Thread John Johansen
*** This bug is a duplicate of bug 1546455 *** https://bugs.launchpad.net/bugs/1546455 ** This bug has been marked a duplicate of bug 1546455 Many instances of 'apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=15139 comm="ntpd" family="unspec" sock_type="dgram"

[Bug 1428490] Re: AppArmor vs unix socket inside LXC containers

2016-02-18 Thread John Johansen
Toby, what distro, release and kernel are you using? And would you be willing to try a custom test kernel? -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to lxc in Ubuntu. https://bugs.launchpad.net/bugs/1428490 Title: AppArmor vs

[Bug 1428490] Re: AppArmor vs unix socket inside LXC containers

2016-02-18 Thread John Johansen
Toby, what distro, release and kernel are you using? And would you be willing to try a custom test kernel? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1428490 Title: AppArmor vs unix socket

[Bug 1534405] Re: Regression in parser compiling/loading a directory

2016-01-14 Thread John Johansen
** Also affects: apparmor (Ubuntu) Importance: Undecided Status: New ** Changed in: apparmor/2.10 Status: New => Fix Committed ** Changed in: apparmor/master Status: New => Fix Committed ** Also affects: apparmor (Ubuntu Wily) Importance: Undecided Status: New

[Bug 1446906] Re: lxc container with postfix, permission denied on mailq

2015-12-18 Thread John Johansen
Kernels with version 3 of the fix can be found at http://people.canonical.com/~jj/lp1446906/ please test and leave feedback as to whether this fixes the issue -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to lxc in Ubuntu.

[Bug 1446906] Re: lxc container with postfix, permission denied on mailq

2015-12-18 Thread John Johansen
Kernels with version 3 of the fix can be found at http://people.canonical.com/~jj/lp1446906/ please test and leave feedback as to whether this fixes the issue -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

[Bug 1527374] Re: privilege escalation on attach through ptrace

2015-12-18 Thread John Johansen
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1527374 Title: privilege escalation on attach through ptrace To manage

[Bug 1527374] Re: privilege escalation on attach through ptrace

2015-12-18 Thread John Johansen
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to lxc in Ubuntu. https://bugs.launchpad.net/bugs/1527374 Title: privilege escalation on attach through ptrace To

[Bug 1446906] Re: lxc container with postfix, permission denied on mailq

2015-11-26 Thread John Johansen
Please try the test kernels at http://people.canonical.com/~jj/lp1446906/ -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1446906 Title: lxc container with postfix, permission denied on mailq To
