[Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches

2019-07-24 Thread Brad Figg
** Tags added: cscc -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1780227 Title: locking sockets broken due to missing AppArmor socket mediation patches To manage notifications about this bug go

[Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches

2018-08-29 Thread  Christian Ehrhardt 
Thanks John for having that already fixed. I wanted to let everybody subscribed here know that as of today Cosmic has the new systemd 239. That said people (like me) who reboot rarely and still have a kernel before that will from now on see this when booting a cosmic container: # systemctl

[Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches

2018-08-23 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.4.0-134.160
---
linux (4.4.0-134.160) xenial; urgency=medium
  * linux: 4.4.0-134.160 -proposed tracker (LP: #1787177)
  * locking sockets broken due to missing AppArmor socket mediation patches (LP: #1780227)
    - UBUNTU SAUCE:

[Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches

2018-08-23 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.15.0-33.36
---
linux (4.15.0-33.36) bionic; urgency=medium
  * linux: 4.15.0-33.36 -proposed tracker (LP: #1787149)
  * RTNL assertion failure on ipvlan (LP: #1776927)
    - ipvlan: drop ipv6 dependency
    - ipvlan: use per device

[Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches

2018-08-16 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.17.0-7.8
---
linux (4.17.0-7.8) cosmic; urgency=medium
  * linux: 4.17.0-7.8 -proposed tracker (LP: #1785242)
  * Cosmic update to 4.17.12 stable release (LP: #1785211)
    - spi: spi-s3c64xx: Fix system resume support
    - Input:

[Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches

2018-08-08 Thread John Johansen
** Tags added: verification-done-bionic

[Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches

2018-08-08 Thread John Johansen
** Tags removed: verification-needed-bionic verification-needed-xenial ** Tags added: verification-done-xenial

[Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches

2018-08-07 Thread Brad Figg
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag

[Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches

2018-08-03 Thread Brad Figg
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag

[Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches

2018-08-01 Thread Seth Forshee
** Changed in: linux (Ubuntu) Status: Triaged => Fix Committed

[Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches

2018-07-31 Thread Kleber Sacilotto de Souza
** Changed in: linux (Ubuntu Xenial) Status: Triaged => Fix Committed ** Changed in: linux (Ubuntu Bionic) Status: Triaged => Fix Committed

[Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches

2018-07-30 Thread Stéphane Graber
I tested on two systems, one clean xenial and one clean bionic, both running the current stable LXD snap with latest ArchLinux and Debian containers. On both of them, upgrading to the kernels provided by John fixed the file_lock denials and made the containers boot again. So as far as I'm

[Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches

2018-07-30 Thread Wolfgang Bumiller
Can confirm that the patch seems to work on 4.15. No "denied" "file_lock" log-spam when starting ArchLinux containers anymore, and they seem to be behaving as expected again.

[Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches

2018-07-29 Thread Dimitri John Ledkov
v4.15 kernel works for me, as proposed. Would a similar thing be needed in the v4.17 kernel that is in cosmic-proposed?

[Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches

2018-07-27 Thread Ubuntu Foundations Team Bug Bot
** Tags added: patch

[Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches

2018-07-27 Thread John Johansen
I have placed ubuntu test kernels for xenial and bionic in http://people.canonical.com/~jj/lp1780227/ the patch is attached ** Patch added: "0001-UBUNTU-SAUCE-apparmor-fix-apparmor-mediating-locking.patch"

[Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches

2018-07-27 Thread Christian Brauner
On Fri, Jul 27, 2018, 21:21 Stéphane Graber wrote:
> Ok, thanks for the update. I've now updated the bug once again to move
> all the tasks over to the kernel. Can you attach the kernel patch here
> when you can, I'm sure some of the subscribers may want to test this
> ahead of the Ubuntu kernel

[Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches

2018-07-27 Thread Stéphane Graber
Ok, thanks for the update. I've now updated the bug once again to move all the tasks over to the kernel. Can you attach the kernel patch here when you can, I'm sure some of the subscribers may want to test this ahead of the Ubuntu kernel fixes :) ** Changed in: linux (Ubuntu) Importance:

[Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches

2018-07-27 Thread John Johansen
Sadly we ran into two separate issues.
1. the kernel mapping of the permission won't allow the lock perm to be carried through on all kernels. I have a patch for it now, but pita
2. the release process needed some updating to uhm work with the move to git and gitlab as hosting. So with the

[Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches

2018-07-26 Thread Stéphane Graber
@John any update on the point releases?

[Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches

2018-07-24 Thread John Johansen
I will try to get the point releases out today.

[Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches

2018-07-24 Thread Dimitri John Ledkov
Blocking launching (in useful ways) Debian testing & sid containers on Ubuntu as well. ** Tags removed: block-proposed

[Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches

2018-07-24 Thread Stéphane Graber
In preparation for an SRU, here is a minimal C testcase provided by Wolfgang Bumiller:
```
/*
# apparmor_parser -r /etc/apparmor.d/bug-profile
# (tested without the flags here as well btw.)
profile bug-profile flags=(attach_disconnected,mediate_deleted) {
  network,
  file,
  unix,
}
# gcc
```

[Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches

2018-07-24 Thread Stéphane Graber
Per discussion above:
- Closing the kernel tasks
- Raising priority on apparmor tasks to Critical (to match what kernel had)
- Assigning to jjohansen as the AppArmor maintainer
As we care about xenial, bionic and cosmic, we need point releases (or cherry-pick) for:
- AppArmor 2.10 (2.10.95

[Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches

2018-07-24 Thread Dimitri John Ledkov
** Tags added: block-proposed

[Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches

2018-07-24 Thread Dimitri John Ledkov
Ah, I need 2.12.1 apparmor as well, which is not in the archive yet.

[Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches

2018-07-24 Thread Dimitri John Ledkov
I still observe this bug in Cosmic with v4.17.0-5 kernel from cosmic-proposed.

[Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches

2018-07-24 Thread Dimitri John Ledkov
** Changed in: linux (Ubuntu) Importance: High => Critical ** Also affects: apparmor (Ubuntu) Importance: Undecided Status: New

[Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches

2018-07-06 Thread John Johansen
You are correct that the kernel reports a supported abi, and currently the abi does not export that it is supporting link mediation for sockets. However the kernel is currently enforcing link mediation on sockets and there are reasons to want to continue to do so. The plan would be to let the

[Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches

2018-07-06 Thread Wolfgang Bumiller
I suppose that would be an ubuntu-specific patch for apparmor userspace? I'm assuming the ABI tells userspace which features are supported, unless this particular feature can be tested for some other way? Would the patched userspace know not to use these features under this ABI in a future

[Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches

2018-07-05 Thread John Johansen
Okay, so let's split this between upstream and ubuntu kernels
previous upstream kernels did not have socket mediation and could NOT have generated the denial message being seen.
Jul 04 15:11:11 host audit[28404]: AVC apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns"

Re: [Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches

2018-07-05 Thread Christian Brauner
On Thu, Jul 05, 2018 at 04:16:20PM -, John Johansen wrote:
> The 4.17 patch set did not have any changes that should affect this. I
> will have to investigate what is going on further. At this time DO NOT
> backport the 4.17 patchset.
Thanks John. Sorry for jumping the gun then. What is weird

[Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches

2018-07-05 Thread John Johansen
The 4.17 patch set did not have any changes that should affect this. I will have to investigate what is going on further. At this time DO NOT backport the 4.17 patchset.

[Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches

2018-07-05 Thread Joseph Salisbury
** Changed in: linux (Ubuntu) Status: Confirmed => Triaged ** Also affects: linux (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Bionic) Importance: Undecided Status: New ** Changed in: linux (Ubuntu Xenial) Status: New =>

[Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches

2018-07-05 Thread Christian Brauner
** Changed in: linux (Ubuntu) Status: Incomplete => Confirmed ** Changed in: linux (Ubuntu) Importance: Undecided => High