[Bug 453579] Re: corruption of large files reported with linux 2.6.31-14.46 on ext4

2009-10-21 Thread John Johansen
Since I haven't reproduced this error yet, I would like to get a better handle on what people are seeing here. Is it file system corruption (errors that show up in fsck), or file corruption where fsck does not report any errors? Also, for files that are corrupted, do they have the correct size and i

[Bug 453579] Re: corruption of large files reported with linux 2.6.31-14.46 on ext4

2009-10-21 Thread John Johansen
I have placed a test kernel with the above patch at http://kernel.ubuntu.com/~jj/linux-image-2.6.31-14-generic_2.6.31-14.48~ext4test1_amd64.deb It would be good to know if this clears up the corruption problems, and/or if the warning and stack trace show up in the logs whether or not the corrup

[Bug 412860] Re: Xorg not responding to input using forwarded X window

2009-08-27 Thread John Johansen
well I have not been able to reproduce. I have been using X forwarding extensively for the last few days, and no problems with input. -- Xorg not responding to input using forwarded X window https://bugs.launchpad.net/bugs/412860 You received this bug notification because you are a member of Ubu

[Bug 410309] Re: [i965GM] Screen goes blank after rotation

2009-08-27 Thread John Johansen
** Attachment added: "regdump of good screen before rotation" http://launchpadlibrarian.net/30917188/regdump_good.txt

[Bug 410309] Re: [i965GM] Screen goes blank after rotation

2009-08-27 Thread John Johansen
** Attachment added: "regdump of black screen after rotation back to normal" http://launchpadlibrarian.net/30917196/regdump_bad.txt

[Bug 410309] Re: [i965GM] Screen goes blank after rotation

2009-08-27 Thread John Johansen
This issue still exists with the latest updates. I have spent some more time playing with this and it only occurs when rotating back to normal orientation. I can rotate between left, right and inverted freely; the screen only goes blank when rotating back to normal. Also in today's t

[Bug 410255] Re: [i965GM] Mouse cursor fails to rotate

2009-08-27 Thread John Johansen
Fix confirmed.

[Bug 477050] Re: Fresh Install of Karmic, Boot ends with Kernel Panic

2009-12-21 Thread John Johansen
Link, was this a clean Karmic 64-bit install that is failing? Also, what happens if you add apparmor=0 to the grub command line?

[Bug 502442] Re: apparmor crashing apache when removing/changing hats

2010-01-04 Thread John Johansen
No, that shouldn't have caused this oops. If the trace is good, it would either be the security context missing, or the profile having a null value. My guess is the latter, as we have had a couple of bugs with that after replacement/removal (though I thought all of those had been fixed).

[Bug 502442] Re: apparmor crashing apache when removing/changing hats

2010-01-04 Thread John Johansen
This may have already been fixed in proposed by commit df0c3fa26fb5214c30f8f40753f99ef40b475451

[Bug 484148] Re: apparmor-profiles freezes Firefox when using Java applets (Sun JRE)

2010-01-12 Thread John Johansen
On my system using the Sun JRE, AppArmor is causing the following 2 rejects: type=APPARMOR_DENIED msg=audit(1263353292.755:25): operation="mkdir" pid=2014 parent=1 profile="/usr/lib/firefox-3.5*/firefox{,*[^s][^h]}" requested_mask="w::" denied_mask="w::" fsuid=1000 ouid=1000 name="/usr/sha

[Bug 484148] Re: apparmor-profiles freezes Firefox when using Java applets (Sun JRE)

2010-01-12 Thread John Johansen
Note, in my above testing I was using a Lucid kernel.

[Bug 367499] Re: BUG: unable to handle kernel NULL pointer dereference at 0000000000000010

2009-11-01 Thread John Johansen
Matt, actually I assumed Ubuntu was the host and that the crash was happening when the VirtualBox VM crashed/faulted in some form when grabbing input from X. I have seen loss of input devices (mouse and/or keyboard) like this under both VirtualBox and VMware.

[Bug 446164] Re: BUG: unable to handle kernel NULL pointer dereference at 00000040 apparmor_bprm_set_creds

2009-11-02 Thread John Johansen
Mike, can you clarify when/how you saw this bug? Were you getting it before installing the dependencies or after? Do you still experience the bug if you run epsxe directly instead of through doing sudo upx -d epsxe? Thanks

[Bug 446164] Re: BUG: unable to handle kernel NULL pointer dereference at 00000040 apparmor_bprm_set_creds

2009-11-02 Thread John Johansen
John, indeed I suspect this is linked with UPX-packed executables, but that still shouldn't be able to oops the kernel. Just to verify what you did: you downloaded the Linux binary distribution from http://www.epsxe.com/download.php, unpacked it and then just tried to run .epsxe, correct?

[Bug 454522] [NEW] livecd slow boot spends several minutes probing dvd /dev/sr0

2009-10-18 Thread John Johansen
Public bug reported: The Karmic Beta1 live image takes a very long time to boot from a USB key. This appears to be due to probing of the DVD drive. This is a regression from the Jaunty livecd image, which boots without problems. Also note that a Karmic image upgraded from a Jaunty install boots

[Bug 454522] Re: livecd slow boot spends several minutes probing dvd /dev/sr0

2009-10-18 Thread John Johansen
** Attachment added: "AlsaDevices.txt" http://launchpadlibrarian.net/33869667/AlsaDevices.txt
** Attachment added: "AplayDevices.txt" http://launchpadlibrarian.net/33869668/AplayDevices.txt
** Attachment added: "ArecordDevices.txt" http://launchpadlibrarian.net/33869669/ArecordDevices.t

[Bug 454529] [NEW] livecd fails to boot with --splash option

2009-10-18 Thread John Johansen
Public bug reported: Binary package hint: usplash The Karmic Beta1 livecd image fails to finish booting if the --splash option is used. It will display the logo and then drop to a console and freeze. The attached logs should contain two boots, the first with --splash, the second without. Pr

[Bug 454529] Re: livecd fails to boot with --splash option

2009-10-18 Thread John Johansen
** Attachment added: "BootDmesg.txt" http://launchpadlibrarian.net/33870132/BootDmesg.txt
** Attachment added: "CurrentDmesg.txt" http://launchpadlibrarian.net/33870133/CurrentDmesg.txt
** Attachment added: "Dependencies.txt" http://launchpadlibrarian.net/33870134/Dependencies.txt
** A

[Bug 446118] Re: BUG: unable to handle kernel paging request at 40f71028

2009-10-19 Thread John Johansen
Kelvinelk, thanks for the information. I haven't been able to chase this down yet, so I have some more questions. Have you encountered this bug again? If so, do you have a reliable way to reproduce? Have you seen it on a more recent kernel?

[Bug 428692] Re: ec2 kernel needs CONFIG_BLK_DEV_LOOP=y and other config changes

2009-10-19 Thread John Johansen
This is the config patch that the test kernels from comment #4 were built from and that is resulting in the CPU lockup seen in comment #7. This config is based off of the virtual config.
** Attachment added: "config.patch" http://launchpadlibrarian.net/33975057/config.patch

[Bug 428692] Re: ec2 kernel needs CONFIG_BLK_DEV_LOOP=y and other config changes

2009-10-19 Thread John Johansen
This is a minimal small config patch that enables only ext4, sound dummy (for VOIP), and block loop. The test kernels for this patch are:
x86-64: kernel aki-13dc3f7a ramdisk ari-15dc3f7c
i386: kernel aki-1ddc3f74 ramdisk ari-1fdc3f76
These kernels don't appear to be having the same issues, but

[Bug 453335] Re: apparmor complains about write access to a readonly file

2009-10-30 Thread John Johansen
** Changed in: linux (Ubuntu)
   Status: Triaged => In Progress
** Changed in: linux (Ubuntu Karmic)
   Status: Triaged => In Progress

[Bug 446164] Re: BUG: unable to handle kernel NULL pointer dereference at 00000040 apparmor_bprm_set_creds

2009-10-31 Thread John Johansen
John, thanks for the test. Unfortunately I haven't managed to get epsxe to run on my test machine. Could you run it again and do an apport-collect -p linux 446164? Thanks

[Bug 1901373] Re: isc-dhcp-server AppArmor Denied on /proc/sys/net/ipv4/ip_local_port_range

2021-05-19 Thread John Johansen
@norm-audrey, as I read it, the proposed fix does not contain a ''' character. It is the single line @{PROC}/sys/net/ipv4/ip_local_port_range r, Do you perhaps also copy the following line, 'lsb_release -rd'? That would indeed result in the reported error. I am not sure how the profile in co

[Bug 1849753] Re: AppArmor profile prohibits classic snap from inheriting file descriptors

2021-06-02 Thread John Johansen
It is changing a section (the file /var/lib/snapd/apparmor/snap-confine/lp1849753) used by the snap apparmor profiles and then reloading apparmor profiles into the kernel. This does a live replacement of policy, so processes that are already confined will gain the new permissions as well as new pr

[Bug 1932342] Re: Feature Request: Rate limit apparmor denial logs

2021-06-17 Thread John Johansen
(Ubuntu)
   Importance: Undecided => Wishlist
** Changed in: apparmor (Ubuntu)
   Assignee: (unassigned) => John Johansen (jjohansen)

[Bug 1932342] Re: Feature Request: Rate limit apparmor denial logs

2021-06-17 Thread John Johansen
While not rate limiting, there is a solution to make the DENIAL messages go away. Adding an explicit denial rule to the profile will tell apparmor this is a known DENIAL that doesn't need to be audited.
deny ptrace read,

[Bug 1660316] Re: apparmor denial of CUPS

2021-04-28 Thread John Johansen
Where/what file are you adding net_admin caps to? I would not expect modifying the cups profile to affect the default media player. Can you look for apparmor="DENIED" messages in your log?

[Bug 1923262] Re: backup /etc/passwd- file should be mode 0600

2021-04-09 Thread John Johansen
The cisecurity guide is wrong. While there is info that could be leveraged, on a modern system the really sensitive information is split out into /etc/shadow (which very much should be only readable by root). The reality is that on a modern system /etc/passwd needs to be world readable (it is t

[Bug 1898280] Re: Please unrevert the apparmor audit rule filtering feature

2020-11-12 Thread John Johansen
** Changed in: linux (Ubuntu)
   Status: In Progress => Fix Released

Re: [apparmor] [Bug 1777070] Re: firefox plugin libwidevinecdm.so crashes due to apparmor denial

2020-11-15 Thread John Johansen
On 10/25/20 5:15 AM, baptx wrote:
> I got it working by adding the 2 lines at the end of the
> /etc/apparmor.d/usr.bin.firefox just before the closing bracket "}".
> Without these lines, I had to use another workaround by disabling
> Apparmor completely on Firefox with a command like "sudo aa-complai

[Bug 1805178] Re: Apparmor should include letsencrypt directory for Slapd

2018-11-29 Thread John Johansen
Marked this public security for now so it is on the security team radar and it can be reviewed by them.
** Information type changed from Public to Public Security

[Bug 1117804] Re: ausearch doesn't show AppArmor denial messages

2018-12-03 Thread John Johansen
There was an attempt to revive this Dec. 6, 2017 https://lists.ubuntu.com/archives/apparmor/2017-December/011370.html Upstream there is belief in using generic audit message types. The problem is that apparmor, selinux and smack messages differ, so they aren't so common. This is going to have

[Bug 796588] Re: Fine-grained network mediation

2018-09-10 Thread John Johansen
No disagreement that this is a high priority item. There is some work around fine grained mediation happening but I am unsure when it will land. The problem is that this is not the only high priority item that needs to be addressed. Changing priority of these items can certainly be discussed again

[Bug 796588] Re: Fine-grained network mediation

2018-11-14 Thread John Johansen
In 4.20 we landed some of the infrastructure to support this. Specifically secmark support was landed which provides the infrastructure needed for apparmor labels to interact with iptables and iptables to interact with apparmor. This isn't something generally available for use yet as it infrastruc

[Bug 1824812] Re: apparmor no more starting in Disco LXD containers

2019-04-15 Thread John Johansen
Perhaps because of bug 1823379, which broke some code's dynamic detection of apparmor being enabled via /sys/module/apparmor/parameters/enabled? The fix is working its way through the queue and is currently in proposed.

[Bug 1824812] Re: apparmor no more starting in Disco LXD containers

2019-04-15 Thread John Johansen
Sorry, no. Ignore comment #10

[Bug 1620635] Re: libapparmor's aa_query_label() always returns allowed = 0 for file rules containing the "owner" conditional

2019-10-20 Thread John Johansen
How is content hub looking up the confinement (label) of the task? Are you using pids, looking through /proc//, using aa_gettaskcon? This will help with creating an interface wrapper for query_label so we can pass the needed information to the kernel.

[Bug 1620635] Re: libapparmor's aa_query_label() always returns allowed = 0 for file rules containing the "owner" conditional

2019-10-20 Thread John Johansen
Alfred, which version of apparmor userspace is Ubuntu Touch using? You can use apparmor_parser -V to find out.

[Bug 1849554] Re: Please move cache files to a different location

2020-01-20 Thread John Johansen
/etc/apparmor.d/cache was chosen a long time ago (pre FHS 1.0) as the default cache location, and at the time, given the constraints, it was the best available location. Upstream apparmor has moved to defaulting the location to /var/cache/apparmor. But Ubuntu has yet to make this move. AppArmor 2

[Bug 1849554] Re: Please move cache files to a different location

2020-01-20 Thread John Johansen
@Jamie, my apologies, I missed that. Indeed I even missed it is fix released.

[Bug 1849753] Re: AppArmor profile prohibits classic snap from inheriting file descriptors

2019-12-13 Thread John Johansen
In response to Jamie's question in #12, the answer is no. Delegation works because it allows a subject with explicit access to an object to delegate that access to another. An important part of delegation is that it is not just delegating the object but inheritance and passing of the object is co

[Bug 1849753] Re: AppArmor profile prohibits classic snap from inheriting file descriptors

2019-12-13 Thread John Johansen
I should note that this only requires object delegation in apparmor, which is a subset of the full delegation work and will land first.

[Bug 1869629] Re: please add /etc/mdns.allow to /etc/apparmor.d/abstractions/mdns

2020-04-01 Thread John Johansen
This is a debdiff for focal applicable to apparmor_2.13.3-7ubuntu2. It is picked from upstream, and has been through upstream build and checks.
** Patch added: "apparmor-mdns-fix.patch" https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1869629/+attachment/5344188/+files/apparmor-mdns-fix

[Bug 1869629] Re: please add /etc/mdns.allow to /etc/apparmor.d/abstractions/mdns

2020-04-01 Thread John Johansen
Not quite, I pulled Rich's patch from here and pushed it through upstream first so we could have an official commit. That way debian can pick it up as well.

[Bug 1865519] Re: apparmor depends on python3

2020-03-02 Thread John Johansen
aa-status needs a major update. It doesn't support several things
- profile stacks
- newer profile modes
- additional profile info available in kernel (revision etc)
- it doesn't deal with namespaces
- can't identify when userspace and kernel policy are out of sync
- doesn't take advan

[Bug 1865450] Re: PermissionError for AppArmor Profiles i.e., SSH

2020-03-02 Thread John Johansen
AppArmor does not currently cache denials except an extremely limited dedup for capabilities. Currently apparmor is relying on the audit subsystem's rate limiting for its logging, which you have rightly noted is insufficient. AppArmor will continue to report a denial for the error until the profile i
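Since the kernel itself does not dedup denials (this message, bug 1865450), the practical way to see what is actually being hit is to aggregate the audit lines yourself, then decide per entry whether it deserves an allow rule or the explicit deny rule suggested in bug 1932342 ("deny ptrace read,"), which stops the kernel logging that denial. The following is an added example, not code from any of these bug threads or from the AppArmor project. It parses both audit-line formats that appear on this page (the newer type=AVC ... apparmor="DENIED" form and the older type=APPARMOR_DENIED form, as in the bug 484148 message), collapses repeats into one entry with a count and time span, and proposes a candidate deny rule for file and ptrace denials. The log lines in SAMPLE_LOG are constructed, not real log data.

```python
"""Aggregate AppArmor denial audit lines and suggest quieting deny rules.

Added example; not code from the bug threads above. It assumes the two
audit-line formats shown on this page: the newer
'type=AVC ... apparmor="DENIED" ...' form and the older
'type=APPARMOR_DENIED ...' form. SAMPLE_LOG is constructed.
"""
import re
import sys

# key=value pairs; a value is either "quoted" or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# msg=audit(<seconds>.<millis>:<serial>)
TS_RE = re.compile(r'audit\((\d+)\.(\d+):\d+\)')

# Constructed sample log (not real log data).
SAMPLE_LOG = """\
type=AVC msg=audit(1583179200.101:301): apparmor="DENIED" operation="open" profile="/usr/sbin/sshd" name="/etc/ssh/sshd_config.d/" pid=1201 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1583179201.102:302): apparmor="DENIED" operation="open" profile="/usr/sbin/sshd" name="/etc/ssh/sshd_config.d/" pid=1202 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1583179202.103:303): apparmor="DENIED" operation="ptrace" profile="/usr/bin/example-tool" pid=1300 comm="example-tool" requested_mask="read" denied_mask="read" peer="unconfined"
type=APPARMOR_DENIED msg=audit(1263353292.755:25): operation="mkdir" pid=2014 parent=1 profile="/usr/lib/firefox-3.5*/firefox{,*[^s][^h]}" requested_mask="w::" denied_mask="w::" fsuid=1000 ouid=1000 name="/usr/share/example/"
type=AVC msg=audit(1583179203.104:304): apparmor="ALLOWED" operation="open" profile="/usr/bin/other" name="/tmp/x" pid=1400 comm="other" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""


def parse_denial(line):
    """Return the fields of an AppArmor denial line, or None for anything else.

    Complain-mode lines (apparmor="ALLOWED") are deliberately skipped: they are
    not denials and a deny rule would not silence them.
    """
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    legacy = fields.get("type") == "APPARMOR_DENIED"
    if not legacy and fields.get("apparmor") != "DENIED":
        return None
    ts = TS_RE.search(line)
    fields["_ts"] = float("%s.%s" % (ts.group(1), ts.group(2))) if ts else None
    return fields


def clean_mask(mask):
    """Keep only the permission letters: older kernels print masks like 'w::'."""
    return "".join(c for c in mask if c.isalpha())


def denial_key(fields):
    """What makes two denials 'the same' for dedup purposes."""
    target = fields.get("name") or fields.get("peer")
    return (fields.get("profile"), fields.get("operation"), target,
            clean_mask(fields.get("denied_mask", "")))


def aggregate(log_text):
    """Collapse repeated denials into one entry each with a count and time span."""
    summary = {}
    for line in log_text.splitlines():
        f = parse_denial(line)
        if f is None:
            continue
        entry = summary.setdefault(denial_key(f),
                                   {"count": 0, "first": f["_ts"], "last": f["_ts"]})
        entry["count"] += 1
        if f["_ts"] is not None:
            entry["last"] = f["_ts"]   # log lines are assumed chronological
    return summary


def suggest_rule(key):
    """Candidate explicit deny rule for a key, or None if not a file/ptrace denial.

    An explicit deny rule is quiet by default, so the kernel stops logging the
    denial. Review the suggestion before adding it to a profile.
    """
    profile, operation, target, mask = key
    if operation == "ptrace" and mask:
        return "deny ptrace %s," % mask
    if target and target.startswith("/") and mask:
        if " " in target:
            target = '"%s"' % target   # paths with spaces must be quoted
        return "deny %s %s," % (target, mask)
    return None


def report(summary):
    """Human-readable lines, most frequent denial first."""
    lines = []
    for key, entry in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        profile, operation, target, mask = key
        lines.append("%5d x %-12s %-40s %-8s in profile %s -> %s"
                     % (entry["count"], operation, target, mask, profile,
                        suggest_rule(key) or "(no rule suggested)"))
    return lines


if __name__ == "__main__":
    # usage: python3 aa_denials.py /var/log/audit/audit.log (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("\n".join(report(aggregate(text))))
```

The count column is the thing the kernel cannot give you: a denial that fires thousands of times is either a missing allow rule or a candidate for an explicit deny, while a one-off is usually left alone. The dedup key deliberately ignores pid and comm so that the same access from many worker processes collapses into one line.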

[Bug 1861408] Re: firefox apparmor messages

2020-03-02 Thread John Johansen
I can not speak to specifics but there are a lot of potential reasons a packager (not firefox specific) might not be updating the profile.
- They don't use the profile / or maybe apparmor. (package maintainership evolves and not everyone who might even be aware of it without digging in)
- The au

[Bug 1378123] Re: unix_socket_abstract.sh triggers an AppArmor WARN

2016-07-01 Thread John Johansen
This should be fixed in Xenial; there is a large patchset (30 or so patches) that can be SRUed to vivid's 3.16 kernel.

[Bug 1701297] Re: NTP reload failure (unable to read library) on overlayfs

2017-06-30 Thread John Johansen
Andres, can you be more specific about the kernel version of the hwe kernel you are seeing this on?

Re: [Bug 1385414] Re: provide systemd compatible cache loading library

2017-07-01 Thread John Johansen
On 06/30/2017 07:52 PM, Seth Arnold wrote: > Hello intrigeri, this one is a bit involved. > > As it is systemd's support for AppArmor is to issue a change_profile > call before executing a unit's executable. This requires the profile to > already be loaded, which currently means a pre-task that ca

[Bug 1737005] Re: Mainline kernel 4.14 does not start apparmor

2017-12-07 Thread John Johansen
The Ubuntu mainline kernel build unfortunately currently does not have apparmor set as the default LSM. This is due to some config changes done when adding the LSM stacking patches (Ubuntu tries to keep the configs as close as possible). Addressing this is wip and should land with the next revision

[Bug 1758471] Re: apparmor: fix bad __initdata tagging on, apparmor_initialized

2018-04-10 Thread John Johansen
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial

[Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2018-04-11 Thread John Johansen
So I have been looking at this again, and have found a couple of issues.
1. Where prlimit is concerned. AppArmor adds an additional restriction on when cap sys_resource is required. The CAP_SYS_RESOURCE capability is required if the target process's label does not match that of the caller. Hence why l

[Bug 1758471] [NEW] apparmor: fix bad __initdata tagging on, apparmor_initialized

2018-03-23 Thread John Johansen
Status: Incomplete
** Affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Assignee: John Johansen (jjohansen)
   Status: Confirmed
** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

[Bug 1758471] Re: apparmor: fix bad __initdata tagging on, apparmor_initialized

2018-03-23 Thread John Johansen
This only affects Xenial.
** Changed in: linux (Ubuntu Xenial)
   Status: New => Confirmed
** Changed in: linux (Ubuntu Xenial)
   Assignee: (unassigned) => John Johansen (jjohansen)

[Bug 1758471] Re: apparmor: fix bad __initdata tagging on, apparmor_initialized

2018-03-23 Thread John Johansen
No logs needed as it's a build warning.
** Changed in: linux (Ubuntu)
   Status: Incomplete => Confirmed

[Bug 1842459] Re: apparmor abi-feature pinning not working with Disco and Eoan kernels

2019-09-03 Thread John Johansen
Can you please attach the features file you are setting in /etc/apparmor/apparmor.conf

[Bug 1842459] Re: apparmor abi-feature pinning not working with Disco and Eoan kernels

2019-09-05 Thread John Johansen
** Changed in: linux (Ubuntu)
   Assignee: (unassigned) => John Johansen (jjohansen)

[Bug 1842459] Re: apparmor abi-feature pinning not working with Disco and Eoan kernels

2019-09-05 Thread John Johansen
This might be in the compiler. The feature file you are pinning supports v8 socket mediation. The user space however does not. The Ubuntu kernel supports v7 and v8 socket mediation, but the user space only supports v7. I need to dig into this more but it looks like the user space compiler is generat

[Bug 1842695] Re: ClamAV AppArmor profiles do not allow OnAccess scanning

2019-09-06 Thread John Johansen
Let me slightly revise what legovini wrote (and apologies to legovini, who was just passing on my less than adequate explanation). It is true that giving cap sys_admin is effectively giving a process root. That doesn't mean we don't do it, but we do it very carefully, and only after review of the

[Bug 1839037] Re: Stacked onexec transitions fail when under NO NEW PRIVS restrictions

2019-08-26 Thread John Johansen
** Tags removed: verification-needed-bionic verification-needed-xenial
** Tags added: verification-done-bionic

[Bug 1839037] Re: Stacked onexec transitions fail when under NO NEW PRIVS restrictions

2019-08-26 Thread John Johansen
** Tags added: verification-done-xenial

[Bug 1838627] Re: AppArmor onexec transition causes WARN kernel stack trace

2019-08-26 Thread John Johansen
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial

[Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-10-02 Thread John Johansen
Sorry, it appears I added the comments about the v2 patch to the wrong bug. Thanks for testing. I will get the request sent out to the kt.

[Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-10-03 Thread John Johansen
** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New
** Also affects: linux (Ubuntu Disco)
   Importance: Undecided
   Status: New
** Also affects: linux (Ubuntu Eoan)
   Importance: Undecided
   Status: Confirmed
** Also affects: linux (Ubuntu Bionic)
   Im

[Bug 1838627] [NEW] AppArmor onexec transition causes WARN kernel stack trace

2019-08-01 Thread John Johansen
ntu Xenial)
   Importance: Undecided
   Assignee: John Johansen (jjohansen)
   Status: Confirmed
** Tags: xenial
** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New
** Changed in: linux (Ubuntu Xenial)
   Assignee: (unassigned) => John Johansen (jjohansen

[Bug 1838627] Re: AppArmor onexec transition causes WARN kernel stack trace

2019-08-01 Thread John Johansen
Fix selected and backported from a larger patch that originally landed in Zesty and subsequently landed in upstream.
** Patch added: "0001-UBUNTU-SAUCE-apparmor-fix-audit-failures-when-perfor.patch" https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1838627/+attachment/5280320/+files/0001-

[Bug 1838627] Re: AppArmor onexec transition causes WARN kernel stack trace

2019-08-01 Thread John Johansen
The patch has been tested against a reproducer and fixes the issue.

[Bug 1658219] Re: flock not mediated by 'k'

2019-08-04 Thread John Johansen
** Changed in: linux (Ubuntu Xenial)
   Status: Triaged => Confirmed

[Bug 1839037] [NEW] Stacked onexec transitions fail when under NO NEW PRIVS restrictions

2019-08-05 Thread John Johansen
Public bug reported: running the apparmor nnp regression tests results in the following failure
Error: transition failed. Test 'NNP (stack onexec - NNP)' was expected to 'pass'. Reason for failure 'FAIL - execv: Operation not permitted'
with a log message of
[ 1169.863302] audit: type=1400 audi

[Bug 1838090] Re: Ubuntu 16.04: read access incorrectly implies 'm' rule

2019-08-12 Thread John Johansen
*** This bug is a duplicate of bug 1658219 *** https://bugs.launchpad.net/bugs/1658219
** Information type changed from Private Security to Public Security

[Bug 1830502] Re: apparmor fails to start with no parser errors

2019-05-25 Thread John Johansen
No, the warnings won't cause apparmor to fail; however, the kernel killing the apparmor_parser will, and that won't report a parse error. The Ubuntu apparmor.service calls the apparmor_parser once for each profile, which means you are getting some profiles loaded but not all of them. Can you chec

[Bug 1830502] Re: apparmor fails to start with no parser errors

2019-05-28 Thread John Johansen
I'm not aware of any way to get the apparmor.service to print out what profile it is working on without actually modifying the service; however, your dmesg does show the reason for the failure. It looks like the apparmor_parser is being killed by the oom killer
[ 5986.338089] [13520] 0 13520 3

[Bug 1830502] Re: apparmor fails to start with no parser errors

2019-05-29 Thread John Johansen
We can get a diff of loaded vs. expected profiles. For a straight list of loaded profile names, you can do
$ sudo cat /sys/kernel/security/apparmor/profiles
/snap/core/6964/usr/lib/snapd/snap-confine (enforce)
/snap/core/6964/usr/lib/snapd/snap-confine//mount-namespace-capture-helper (enfo
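The check John describes here (loaded vs. expected, for the case in this thread where apparmor_parser is OOM-killed part way through and apparmor.service reports no parse error) can be scripted. The following is an added example, not code from the bug thread or from the AppArmor project. It assumes the "<name> (<mode>)" line format of /sys/kernel/security/apparmor/profiles shown above and that "apparmor_parser -N <dir>" prints the names of the profiles declared in a policy directory; the listing in SAMPLE_LOADED and the names in SAMPLE_EXPECTED are constructed. Child profiles and hats ("parent//child") are folded into their parent, because the top-level profile is the unit each apparmor_parser invocation loads.

```python
"""Diff the profiles the kernel has loaded against what the policy directory declares.

Added example; not code from the bug thread. It assumes the
'<name> (<mode>)' format of /sys/kernel/security/apparmor/profiles and
that 'apparmor_parser -N <dir>' prints the profile names found in the
policy files. SAMPLE_LOADED and SAMPLE_EXPECTED are constructed.
"""
import re
import subprocess

PROFILE_LINE_RE = re.compile(r'^(?P<name>.+) \((?P<mode>[a-z]+)\)$')

# Constructed sample of the kernel interface (not a real listing).
SAMPLE_LOADED = """\
/snap/core/6964/usr/lib/snapd/snap-confine (enforce)
/snap/core/6964/usr/lib/snapd/snap-confine//mount-namespace-capture-helper (enforce)
/usr/sbin/cupsd (enforce)
/usr/sbin/cupsd//third_party (enforce)
/usr/bin/man (complain)
"""

# Constructed list of names the policy directory is assumed to declare.
SAMPLE_EXPECTED = ["/snap/core/6964/usr/lib/snapd/snap-confine",
                   "/usr/sbin/cupsd", "/usr/bin/man", "/usr/sbin/ntpd"]


def top_level(name):
    """'parent//child' -> 'parent'; plain names are returned unchanged."""
    return name.split("//", 1)[0]


def parse_loaded(text):
    """Map top-level profile name -> mode from the kernel's profiles listing."""
    loaded = {}
    for line in text.splitlines():
        m = PROFILE_LINE_RE.match(line.strip())
        if not m:
            continue   # blank line or something we do not understand
        loaded.setdefault(top_level(m.group("name")), m.group("mode"))
    return loaded


def missing_profiles(loaded_text, expected_names):
    """Names the policy declares but the kernel does not have loaded (sorted)."""
    loaded = parse_loaded(loaded_text)
    expected = {top_level(n) for n in expected_names}
    return sorted(expected - set(loaded))


def expected_from_parser(policy_dir="/etc/apparmor.d"):
    """Ask apparmor_parser which profile names the policy directory declares."""
    out = subprocess.run(["apparmor_parser", "-N", policy_dir],
                         check=True, capture_output=True, text=True).stdout
    return [n for n in out.splitlines() if n.strip()]


if __name__ == "__main__":
    try:
        loaded_text = open("/sys/kernel/security/apparmor/profiles").read()
        expected = expected_from_parser()
    except (OSError, subprocess.CalledProcessError):
        # not root, no securityfs, or no parser: fall back to the sample data
        loaded_text, expected = SAMPLE_LOADED, SAMPLE_EXPECTED
    for name in missing_profiles(loaded_text, expected):
        print("not loaded:", name)
```

Run it as root after apparmor.service has finished; any name it prints is a profile whose apparmor_parser run died or was never attempted, which is exactly the case the "no parser errors" title of this bug hides.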

[Bug 1830502] Re: apparmor fails to start with no parser errors

2019-05-29 Thread John Johansen
So yes, that does appear to be part of it. I pulled your profile and tested just a compile:
time apparmor_parser -QT -D dfa-stats /tmp/layouts-test-1.txt
Created dfa: states 16780 proto { cache: size=16780 dups=36386 longest=1244 avg=6 }, nnodes { cache: size=16761 dups=36405 longest=1243 avg=5 },

[Bug 1830502] Re: apparmor fails to start with no parser errors

2019-05-29 Thread John Johansen
Once you can get a profile to compile, apparmor can cache the compile for you, so ideally the compile only needs to happen once per kernel. But I completely get that even then, with this profile, that is a problem. Can I keep the profile, and add it to a test suite, to look into reducing the compiler's m

[Bug 1830502] Re: apparmor fails to start with no parser errors

2019-05-29 Thread John Johansen
@Ian - renaming this bug wfm

[Bug 1830502] Re: apparmor uses excessive memory leading to oom kill

2019-05-30 Thread John Johansen
@Sergio: your issue is different. It is being killed during a kernel operation (sys_write) due to a vmalloc failure, where this bug is occurring during a userspace compile. Please open a new bug

[Bug 1849753] Re: AppArmor profile prohibits classic snap from inheriting file descriptors

2019-10-26 Thread John Johansen
This is traditional MAC behavior and is by design. Uncontrolled inheritance is an information leak/security hole. The delegation extension that @jdstrand mentioned is an extension that crosses capability systems with a type enforcement system. Marking this wishlist as it is feature development th

[Bug 1849753] Re: AppArmor profile prohibits classic snap from inheriting file descriptors

2019-10-26 Thread John Johansen
Yes I did, and @jdstrand did explain the situation in #4: "There is a revalidation that happens when node calls itself since it invokes snap run, which invokes snap-confine which causes the revalidation (because it is differently confined)." So there is a security boundary being crossed.

[Bug 1849753] Re: AppArmor profile prohibits classic snap from inheriting file descriptors

2019-10-26 Thread John Johansen
I am not familiar enough with the specifics of how snappy is setting policy to be able to answer your question atm. Whether it is possible will depend on policy. AppArmor mediation is post symlink so the policy would have to allow access to the target binary.

[Bug 1824384] Re: libapparmor not built with -fPIC

2019-09-17 Thread John Johansen
apparmor's library build uses automake and libtool, so the static version of the library is built without -fPIC while the dynamic is built with -fPIC. It is possible to override this.

[Bug 1784499] Re: AppArmor treats regular NFS file access as network op

2019-09-20 Thread John Johansen
zyga, well, patches are welcome ;-)

[Bug 1784499] Re: AppArmor treats regular NFS file access as network op

2019-09-20 Thread John Johansen
With that said, some networking work is being done this cycle and we will try to address this.

[Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-09-23 Thread John Johansen
The LSMs respecting the nnp flag was actually mandated by Linus. So yes, it breaks apparmor.
Kernel 3.5: Tasks that have nnp block apparmor policy transitions except for unconfined, as transitions in that case always result in reduced permissions.
Kernel 4.13: Loosened these restrictions around st

[Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-09-24 Thread John Johansen
I should add that bug 1839037 is a bug in the subset test introduced in kernel 4.13 (and earlier Ubuntu 4.4 Xenial kernels). Some subsets will properly transition, some won't; it all depends on what is in the stack being transitioned. The patch fixes it so that all transition combinations pass correc

[Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-09-24 Thread John Johansen
In the above regression we have lxd-ns0_//&:root//lxd-ns0_://unconfined transitioning to lxd-ns0_//&:lxd-ns0_:/usr/sbin/nsd//&:root//lxd-ns0_:///usr/sbin/nsd. This is not a strict subset of profiles; however, the unconfined exception needs to be taken into account when nnp is set. There is a bug

[Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-09-24 Thread John Johansen
I am testing a fix for this that won't require reverting the patch. I will put up a test kernel if it passes.

[Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-09-26 Thread John Johansen
There are some test kernels at https://people.canonical.com/~jj/lp1844186/

[Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-09-26 Thread John Johansen
okay, thanks for testing. I'll submit the patch for 4.4 and 4.15 kernels and look into why the 5.0 kernel is blocking policy loads

[Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-09-28 Thread John Johansen
ha, it's by mistake. I fetched the new kernel but missed doing the rebase. I'll get a new 5.0 up asap

[Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-09-28 Thread John Johansen
updated to the 5.0.0-29 kernel

[Bug 1899218] Re: Incorrect warning from apparmor_parser on force complained profiles

2020-10-09 Thread John Johansen
This is addressed by upstream https://gitlab.com/apparmor/apparmor/-/merge_requests/649

[Bug 1895967] Re: Apparmor 3.0.0 does not load profiles in containers anymore

2020-09-22 Thread John Johansen
Still chasing this down. The apparmor.systemd file is unchanged from focal. The change is in rc.apparmor.functions, which is a dependency of apparmor.systemd.

[Bug 1890848] Re: 'ptrace trace' needed to readlink() /proc/*/ns/* files on older kernels

2020-08-07 Thread John Johansen
We need to pick the upstream fix 338d0be437ef "apparmor: fix ptrace read check", and we should probably pick 1f8266ff5884 (fix-setuid) "apparmor: don't try to replace stale label in ptrace access check" to avoid other problems.

[Bug 1890848] Re: 'ptrace trace' needed to readlink() /proc/*/ns/* files on older kernels

2020-08-07 Thread John Johansen
We didn't pick this up automatically because its Fixes tag is for when ptrace rules landed upstream. But Ubuntu was carrying ptrace rules prior to this

[Bug 1577948] Re: unmatched entries for apparmor STATUS messages

2020-08-20 Thread John Johansen
To add to Seth's answer: unconfined generally doesn't log; the exceptions are when an unconfined task makes policy changes, and when there is an internal error on profile attachment.

[Bug 1918410] Re: isc-dhcp-client denied by apparmor

2021-03-27 Thread John Johansen
Denying /proc/1095210/task/1095213/comm prevents the task from introspecting (reading) and changing (writing) the command text associated with the task. In this case it would appear one thread is attempting to change the comm of another thread in the process (this is generally allowed), see man 5
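
To make concrete what that denial covers, here is an added example, not code from the bug thread or from isc-dhcp-client: one thread of a Python process renames a sibling thread by writing /proc/self/task/<tid>/comm and then reads the name back. The kernel allows this between threads of the same thread group, so on an unconfined system the write succeeds; under a profile with no rule for that path it is exactly the access the report shows being denied. The thread name used is made up; Linux only, Python 3.8+ for threading.get_native_id().

```python
"""Rename a sibling thread through /proc/self/task/<tid>/comm.

Added example, not code from the bug thread or from isc-dhcp-client. It shows
the access the denial in this report is about: one thread of a process writing
the comm (the short task name ps, top and the audit log show) of another thread
in the same process, then reading it back. The kernel permits this between
threads of one thread group, so the only thing that can refuse it on a normal
system is MAC policy such as an AppArmor profile lacking a rule for the path.
Linux only; needs Python 3.8+ for threading.get_native_id().
"""
import threading

TASK_COMM_LEN = 16  # kernel constant: 15 usable characters plus the NUL


def comm_path(tid):
    # /proc/self resolves to our own thread group, so any of our TIDs works here.
    return "/proc/self/task/%d/comm" % tid


def read_comm(tid):
    """Current comm of thread `tid` (the read half of the rw access)."""
    with open(comm_path(tid)) as f:
        return f.read().rstrip("\n")


def write_comm(tid, name):
    """Set the comm of thread `tid` and return what the kernel stored.

    The kernel keeps at most TASK_COMM_LEN - 1 bytes and drops the rest.
    """
    with open(comm_path(tid), "w") as f:
        f.write(name)
    return read_comm(tid)


def rename_sibling_thread(new_name):
    """Start a worker, rename it from the main thread, return (before, after)."""
    started = threading.Event()
    release = threading.Event()
    worker_tid = []

    def worker():
        worker_tid.append(threading.get_native_id())
        started.set()
        release.wait()  # keep the TID alive until the main thread is done with it

    t = threading.Thread(target=worker)
    t.start()
    started.wait()
    tid = worker_tid[0]
    before = read_comm(tid)
    after = write_comm(tid, new_name)  # cross-thread write, same thread group
    release.set()
    t.join()
    return before, after


if __name__ == "__main__":
    # The thread name is made up for the demonstration.
    before, after = rename_sibling_thread("dhclient-script")
    print("worker comm before: %r" % before)
    print("worker comm after:  %r" % after)
```

Under a confining profile the open in write_comm is where the denial lands, with the audit record naming the TID path just as in the report. In recent policy the rule that permits a process to rename its own threads has the shape `owner @{PROC}/@{pid}/task/@{tid}/comm rw,`; whether it belongs in the profile itself or in an abstraction it includes depends on the profile in question.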
