[Bug 1615890] Re: stacking to unconfined in a child namespace confuses mediation

2016-10-13 Thread Christian Boltz
** Tags added: aa-kernel

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1615890

Title:
  stacking to unconfined in a child namespace confuses mediation

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1615890/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1615890] Re: stacking to unconfined in a child namespace confuses mediation

2016-09-20 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.8.0-11.12

---
linux (4.8.0-11.12) yakkety; urgency=low

  * change_hat is logging failures during expected hat probing (LP: #1615893)
    - SAUCE: apparmor: Fix auditing behavior for change_hat probing

  * deleted files outside of the namespace are not being treated as
    disconnected (LP: #1615892)
    - SAUCE: apparmor: deleted dentries can be disconnected

  * stacking to unconfined in a child namespace confuses mediation
    (LP: #1615890)
    - SAUCE: apparmor: special case unconfined when determining the mode

  * apparmor module parameters can be changed after the policy is locked
    (LP: #1615895)
    - SAUCE: apparmor: fix: parameters can be changed after policy is locked

  * AppArmor profile reloading causes an intermittent kernel BUG
    (LP: #1579135)
    - SAUCE: apparmor: fix vec_unique for vectors larger than 8

  * label vec reductions can result in reference labels instead of direct
    access to labels (LP: #1615889)
    - SAUCE: apparmor: reduction of vec to single entry is just that entry

  * profiles from different namespaces can block other namespaces from being
    able to load a profile (LP: #1615887)
    - SAUCE: apparmor: profiles in one ns can affect mediation in another ns

  * The label build for onexec when stacking is wrong (LP: #1615881)
    - SAUCE: apparmor: Fix label build for onexec stacking.

  * The inherit check for new to old label comparison for domain transitions
    is wrong (LP: #1615880)
    - SAUCE: apparmor: Fix new to old label comparison for domain transitions

  * warning stack trace while playing with apparmor namespaces (LP: #1593874)
    - SAUCE: apparmor: fix stack trace when removing namespace with profiles

  * __label_update proxy comparison test is wrong (LP: #1615878)
    - SAUCE: apparmor: Fix __label_update proxy comparison test

  * reading /sys/kernel/security/apparmor/profiles requires CAP_MAC_ADMIN
    (LP: #1560583)
    - SAUCE: apparmor: Allow ns_root processes to open profiles file
    - SAUCE: apparmor: Consult sysctl when reading profiles in a user ns

  * policy namespace stacking (LP: #1379535)
    - SAUCE: (no-up) apparmor: rebase of apparmor3.5-beta1 snapshot for 4.8
    - SAUCE: add a sysctl to enable unprivileged user ns AppArmor policy loading

  * Miscellaneous Ubuntu changes
    - [Debian] Dynamically determine linux udebs package name
    - [Debian] d-i -- fix dtb handling in new kernel-wedge form
    - SAUCE: apparmor: Fix FTBFS due to bad include path
    - SAUCE: apparmor: add data query support
    - [Config] Set CONFIG_SECURITY_APPARMOR_UNCONFINED_INIT=y

  * Miscellaneous upstream changes
    - fixup backout policy view capable for forward port
    - apparmor: fix: Rework the iter loop for label_update
    - apparmor: add more assertions for updates/merges to help catch errors
    - apparmor: Make pivot root transitions work with stacking
    - apparmor: convert delegating deleted files to mediate deleted files
    - apparmor: add missing parens. not a bug fix but highly recommended
    - apparmor: add a stack_version file to allow detection of bug fixes
    - apparmor: push path lookup into mediation loop
    - apparmor: default to allowing unprivileged userns policy
    - apparmor: fix: permissions test to view and manage policy
    - apparmor: Add Basic ns cross check condition for ipc

 -- Leann Ogasawara  Sat, 17 Sep 2016 10:03:16 -0700

** Changed in: linux (Ubuntu Yakkety)
   Status: Incomplete => Fix Released



[Bug 1615890] Re: stacking to unconfined in a child namespace confuses mediation

2016-09-19 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.4.0-38.57

---
linux (4.4.0-38.57) xenial; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1620658

  * CIFS client: access problems after updating to kernel 4.4.0-29-generic
    (LP: #1612135)
    - Revert "UBUNTU: SAUCE: (namespace) Bypass sget() capability check for nfs"
    - fs: Call d_automount with the filesystems creds

  * apt-key add fails in overlayfs (LP: #1618572)
    - SAUCE: overlayfs: fix regression in whiteout detection

linux (4.4.0-37.56) xenial; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1618040

  * [Feature] Instruction decoder support for new SKX instructions- AVX512
    (LP: #1591655)
    - x86/insn: perf tools: Fix vcvtph2ps instruction decoding
    - x86/insn: Add AVX-512 support to the instruction decoder
    - perf tools: Add AVX-512 support to the instruction decoder used by Intel
      PT
    - perf tools: Add AVX-512 instructions to the new instructions test

  * [Ubuntu 16.04] FCoE Lun not visible in OS with inbox driver - Issue with
    ioremap() call on 32bit kernel (LP: #1608652)
    - lpfc: Correct issue with ioremap() call on 32bit kernel

  * [Feature] turbostat support for Skylake-SP server (LP: #1591802)
    - tools/power turbostat: decode more CPUID fields
    - tools/power turbostat: CPUID(0x16) leaf shows base, max, and bus frequency
    - tools/power turbostat: decode HWP registers
    - tools/power turbostat: Decode MSR_MISC_PWR_MGMT
    - tools/power turbostat: allow sub-sec intervals
    - tools/power turbostat: Intel Xeon x200: fix erroneous bclk value
    - tools/power turbostat: Intel Xeon x200: fix turbo-ratio decoding
    - tools/power turbostat: re-name "%Busy" field to "Busy%"
    - tools/power turbostat: add --out option for saving output in a file
    - tools/power turbostat: fix compiler warnings
    - tools/power turbostat: make fewer systems calls
    - tools/power turbostat: show IRQs per CPU
    - tools/power turbostat: show GFXMHz
    - tools/power turbostat: show GFX%rc6
    - tools/power turbostat: detect and work around syscall jitter
    - tools/power turbostat: indicate SMX and SGX support
    - tools/power turbostat: call __cpuid() instead of __get_cpuid()
    - tools/power turbostat: correct output for MSR_NHM_SNB_PKG_CST_CFG_CTL dump
    - tools/power turbostat: bugfix: TDP MSRs print bits fixing
    - tools/power turbostat: SGX state should print only if --debug
    - tools/power turbostat: print IRTL MSRs
    - tools/power turbostat: initial BXT support
    - tools/power turbostat: decode BXT TSC frequency via CPUID
    - tools/power turbostat: initial SKX support

  * [BYT] display hotplug doesn't work on console (LP: #1616894)
    - drm/i915/vlv: Make intel_crt_reset() per-encoder
    - drm/i915/vlv: Reset the ADPA in vlv_display_power_well_init()
    - drm/i915/vlv: Disable HPD in valleyview_crt_detect_hotplug()
    - drm/i915: Enable polling when we don't have hpd

  * [Feature]intel_idle enabling on Broxton-P (LP: #1520446)
    - intel_idle: add BXT support

  * [Feature] EDAC: Update driver for SKX-SP (LP: #1591815)
    - [Config] CONFIG_EDAC_SKX=m
    - EDAC, skx_edac: Add EDAC driver for Skylake

  * [Feature] KBL: Sandy Peak(3168) WiFi/BT support (LP: #1591648)
    - Bluetooth: Add support for Intel Bluetooth device 3168 [8087:0aa7]

  * MacBookPro11,4 fails to poweroff or suspend (LP: #1587714)
    - SAUCE: PCI: Workaround to enable poweroff on Mac Pro 11

  * Support Edge Gateway's Bluetooth LED (LP: #1512999)
    - SAUCE: Bluetooth: Support for LED on Edge Gateways
    - SAUCE: Bluetooth: Use host bridge subsystem IDs to identify Edge Gateways

  * Please add support for alps touchpad. (LP: #1616813)
    - [Config] CONFIG_HID_ALPS=m
    - HID: add Alps I2C HID Touchpad-Stick support
    - HID: alps: struct u1_dev *priv is internal to the driver
    - HID: alps: pass correct sizes to hid_hw_raw_request()
    - HID: alps: match alps devices in core
    - HID: alps: a few cleanups

  * DINO2M - System hangs with a black screen during s4 stress test
    (LP: #1616781)
    - x86/power/64: Fix kernel text mapping corruption during image restoration

  * Xenial update to v4.4.17 stable release (LP: #1611833)
    - USB: OHCI: Don't mark EDs as ED_OPER if scheduling fails
    - x86/quirks: Apply nvidia_bugs quirk only on root bus
    - x86/quirks: Reintroduce scanning of secondary buses
    - x86/quirks: Add early quirk to reset Apple AirPort card
    - dmaengine: at_xdmac: align descriptors on 64 bits
    - dmaengine: at_xdmac: fix residue corruption
    - dmaengine: at_xdmac: double FIFO flush needed to compute residue
    - mm, sl[au]b: add __GFP_ATOMIC to the GFP reclaim mask
    - mm, compaction: abort free scanner if split fails
    - fs/nilfs2: fix potential underflow in call to crc32_le
    - mm, compaction: prevent VM_BUG_ON when terminating freeing scanner
    - mm, meminit: always return a valid node from early_pfn_to_nid
[Bug 1615890] Re: stacking to unconfined in a child namespace confuses mediation

2016-09-09 Thread John Johansen
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial



[Bug 1615890] Re: stacking to unconfined in a child namespace confuses mediation

2016-09-06 Thread Tim Gardner
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-xenial' to 'verification-done-xenial'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Thank you!


** Tags added: verification-needed-xenial



[Bug 1615890] Re: stacking to unconfined in a child namespace confuses mediation

2016-08-23 Thread John Johansen
** Also affects: linux (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Changed in: linux (Ubuntu Xenial)
   Status: New => Fix Committed
