[Bug 1428490] Re: AppArmor vs unix socket inside LXC containers

2016-02-18 Thread John Johansen
Toby, what distro, release and kernel are you using? And would you be willing to try a custom test kernel? -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to lxc in Ubuntu. https://bugs.launchpad.net/bugs/1428490 Title: AppArmor vs

[Bug 1446906] Re: lxc container with postfix, permission denied on mailq

2015-12-18 Thread John Johansen
Kernels with version 3 of the fix can be found at http://people.canonical.com/~jj/lp1446906/; please test and leave feedback as to whether this fixes the issue.

[Bug 1527374] Re: privilege escalation on attach through ptrace

2015-12-18 Thread John Johansen
** Information type changed from Private Security to Public Security

[Bug 1446906] Re: lxc container with postfix, permission denied on mailq

2015-11-26 Thread John Johansen
Please try the test kernels at http://people.canonical.com/~jj/lp1446906/

[Bug 1446906] Re: lxc container with postfix, permission denied on mailq

2015-11-19 Thread John Johansen
Making this bug NOT a duplicate of Bug 1390223, which will be for just the bad unix_fs macro fix that has already been committed. This one will track the deleted entry/socket shutdown revalidation issue.
** This bug is no longer a duplicate of bug 1390223 Apparmor related regression on access

[Bug 1446906] Re: lxc container with postfix, permission denied on mailq

2015-11-18 Thread John Johansen
*** This bug is a duplicate of bug 1390223 *** https://bugs.launchpad.net/bugs/1390223
Alright, so this is not the disconnected path issue I thought it was; I am looking into it more.

[Bug 1446906] Re: lxc container with postfix, permission denied on mailq

2015-11-18 Thread John Johansen
*** This bug is a duplicate of bug 1390223 *** https://bugs.launchpad.net/bugs/1390223
Alright, this is failing the way it is because it is a race on the socket being shutdown. If the mediate_deleted flag was removed from the profile, an additional info flag would show up in the DENIED

[Bug 1446906] Re: lxc container with postfix, permission denied on mailq

2015-11-18 Thread John Johansen
*** This bug is a duplicate of bug 1390223 *** https://bugs.launchpad.net/bugs/1390223
Yes, sorry, I'm not sure why I missed adding the leading /

[Bug 1446906] Re: lxc container with postfix, permission denied on mailq

2015-11-17 Thread John Johansen
*** This bug is a duplicate of bug 1390223 *** https://bugs.launchpad.net/bugs/1390223
The issue is that the path is disconnected from the namespace. Currently the only way to deal with this is by using the attach_disconnect flag in the profile, and then place rules for the attached files

[Bug 1504781] Re: lxc-test-ubuntu hangs forever in trusty-proposed with Linux 3.13.0-66: AppArmor denies /dev/ptmx mounting

2015-10-14 Thread John Johansen
Yes, "UBUNTU: SAUCE: (no-up) apparmor: fix mount not handling disconnected paths" is causing the regression. However, reverting this fix will cause issues for Bug 1496430, which was blocking a fix for a CVE. The correct solution is to update the profile.

[Bug 1504781] Re: lxc-test-ubuntu hangs forever in trusty-proposed with Linux 3.13.0-66: AppArmor denies /dev/ptmx mounting

2015-10-14 Thread John Johansen
To be specific, I added the rule "mount options=(rw,bind) /dev/pts/ptmx -> /dev/ptmx," to the lxc-start profile.

[Bug 1501966] Re: support changing Apparmor hats

2015-10-02 Thread John Johansen
The Immunix openssh patch for subdomain (apparmor before it was apparmor)
** Patch added: "openssh-3.8p1-subdomain-privsep-v3.patch" https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1501966/+attachment/4481853/+files/openssh-3.8p1-subdomain-privsep-v3.patch

[Bug 1501966] Re: support changing Apparmor hats

2015-10-02 Thread John Johansen
It never was, and I don't think the patch ever made it into Novell/Suse openssh either. I think the only place it landed was in Immunix 7.3 on openssh 3.8 (this is pre-apparmor, being known as subdomain at the time). The patch would have to be reworked to work with apparmor, and that isn't even

[Bug 1487536] Re: AppArmor bad parse on 14.04 and MySQL 5.6

2015-09-22 Thread John Johansen
This is likely caused by one of the files in local/usr.sbin.mysqld that is included by the line #include. The includes in the context of a profile body cannot contain variable definitions at this time; grep those files for tunables/home and tunables/global to find out which file is
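The grep John suggests, written out as a small POSIX shell scanner. This is an added example, not code from the bug thread or from the apparmor project: it walks every file under a local include directory and reports the two kinds of line that cannot live in a file pulled in from inside a profile body, "#include <tunables/...>" lines and "@{NAME}=..." variable definitions. The directory layout, file names and file contents in the demo are constructed; the real directory on an Ubuntu system would be /etc/apparmor.d/local.

```shell
#!/bin/sh
# Added example, not from the bug thread or the apparmor project: find which
# include file carries variable definitions, which the parser rejects when the
# file is included from inside a profile body. Assumptions: variable
# definitions use AppArmor's "@{NAME}=..." / "@{NAME}+=..." syntax, and
# "#include <tunables/...>" (or "include <tunables/...>") lines pull in such
# definitions. Directory, file names and contents below are constructed.

# Print "file:line:text" for every offending line under directory $1.
# Exit status is grep's: 0 if something was found, 1 if the tree is clean.
find_var_defs() {
    grep -rnE \
        '^[[:space:]]*(#?include[[:space:]]*<tunables/|@[{][^}]+[}][[:space:]]*\+?=)' \
        "$1" 2>/dev/null
}

# Build a throwaway local/ tree that mimics the MySQL layout from the bug:
# the profile's "#include <local/usr.sbin.mysqld>" pulls in a site-local file,
# which in turn includes a second file that defines variables.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/local"
    printf '%s\n' \
        '# site-local rules for usr.sbin.mysqld (constructed sample)' \
        '#include <local/mysqld-data>' \
        '/var/lib/mysql-files/** rw,' \
        > "$tmp/local/usr.sbin.mysqld"
    printf '%s\n' \
        '#include <tunables/home>' \
        '@{MYSQL_DATA}=/srv/mysql/' \
        'owner @{MYSQL_DATA}/** rwk,' \
        > "$tmp/local/mysqld-data"
    # Only mysqld-data should be reported: its first two lines define
    # variables, the third merely uses one, and usr.sbin.mysqld is clean.
    offenders=$(find_var_defs "$tmp/local") || true
    rm -rf "$tmp"
    printf '%s\n' "$offenders"
}

demo
```

On a real system call find_var_defs /etc/apparmor.d/local; every line it reports has to move out of the profile body, either to the top of the profile file or into a file included there, for the profile to load.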

[Bug 1401148] Re: Re/starting an lxc container corrupts all network namespaces on the same physical host

2014-12-11 Thread John Johansen
Can you please attach the output of apparmor_parser -p /etc/apparmor.d/usr.bin.lxc-start

[Bug 1357103] Re: apparmor denied a golang build inside a container

2014-08-15 Thread John Johansen
I have uploaded a kernel with the potential fix to http://people.canonical.com/~jj/lp1357103/

[Bug 1357103] Re: apparmor denied a golang build inside a container

2014-08-14 Thread John Johansen
This looks like it might be caused by a bug in path lookups and bind mount handling that I have a test patch for. I will build a test kernel for trusty (14.04). Please let me know if there are any other kernels you would like to test on.

[Bug 1307473] Re: guest hang due to missing clock interrupt

2014-07-08 Thread John Johansen
Ondergetekende, can you provide further details as to why you believe Bug #1326367 is causing this? Would you be willing to test a 3.11.0-24-generic kernel (reported stable) + the futex fix, or a chosen stable version of the 3.13 or 3.15 kernel with just the futex fix? To verify that the futex fix is

[Bug 1325468] Re: [systemd] container startup fails with AppArmor

2014-06-02 Thread John Johansen
The syntax allows for spaces or commas to separate items, because people kept using them. However, the list of items must be inside parentheses:
mount options in (rw, slave),

[Bug 969299] Re: apparmor prevents dpkg-divert and localedef from working in a container

2012-11-21 Thread John Johansen
Francesco, the mediate_deleted flag should fix the rejection shown in comment #12

[Bug 969299] Re: apparmor prevents dpkg-divert and localedef from working in a container

2012-11-21 Thread John Johansen
Serge, see comments on bug 970647, there is some progress but I have not found a specific bug affecting logging of this case. The larger fix, which is the extended labeling, is in progress and will enter into the apparmor-dev PPA soon for testing.

[Bug 1061537] Re: invalid syntax in apparmor profile abstractions/lxc/container-base

2012-10-04 Thread John Johansen
** Package changed: lxc (Ubuntu) => apparmor (Ubuntu)
** Changed in: apparmor (Ubuntu)
       Status: New => Confirmed

[Bug 1061537] Re: invalid syntax in apparmor profile abstractions/lxc/container-base

2012-10-04 Thread John Johansen
Thank you for reporting this. I can suggest a workaround while you wait for a fix to logprof: edit the /etc/apparmor.d/abstractions/lxc/container-base file and comment out the line that has "capability," by changing it to "# capability,". Do this to any line containing a mount rule too. mount

[Bug 987371] Re: unconfined containers are not starting

2012-04-23 Thread John Johansen
I have a test kernel at http://people.canonical.com/~jj/linux-image-3.2.0-23-generic_3.2.0-23.36~aa_amd64.deb and believe this to be the same as Bug #978038

[Bug 925024] Re: apparmor makes it impossible to install postgresql-common on Precise

2012-03-20 Thread John Johansen
** Changed in: linux (Ubuntu)
       Status: In Progress => Fix Released

[Bug 925028] Re: apparmor breaks lxc-start-ephemeral (apparmor+overlayfs returns -EINVAL)

2012-02-03 Thread John Johansen
I have uploaded some test kernels with a fix:
http://people.canonical.com/~jj/linux-image-3.2.0-12-generic_3.2.0-12.21~aadentry_amd64.deb
http://people.canonical.com/~jj/linux-headers-3.2.0-12-generic_3.2.0-12.21~aadentry_amd64.deb

[Bug 915941] Re: overlayfs does not honor lxc-related permissions

2012-01-18 Thread John Johansen
** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0055

[Bug 876968] Re: host Apparmor rules are applied to guests in spite of guests loading new rules

2011-10-18 Thread John Johansen
Well, I won't agree the guest shouldn't have its own policy (it depends on your use case), but I do agree the host should be able to set a domain to protect itself from the guest, but until AppArmor supports policy stacking the solution is either/or. The solution depends on what confinement is

[Bug 876968] Re: host Apparmor rules are applied to guests in spite of guests loading new rules

2011-10-18 Thread John Johansen
1. If the guest is to have its own policy, then the host needs to create a new policy namespace, and then it needs to transition the guest to the new namespace. Guest policy will then be loaded into the new namespace, and will not generally* conflict with system policy. That's great - can

[Bug 458521] Re: kvm crash when using virtio for network, hardy guest

2011-05-06 Thread John Johansen
I went back and retested this and it has already been fixed and released (commit fcbc05a1be0a7600153e78207dcb8b62fe753a4a); it was just not properly closed. mapl, if you are running an updated hardy guest running the 2.6.24-29 kernel this bug should not be a problem. Can you please provide

[Bug 684875] Re: Patch to Natty 2.6.37-virtual breaks non-EC2 users

2010-12-14 Thread John Johansen
So I have experimented with this a bit and so far I haven't gotten an instance to boot without the patch. It should work, so I just need to tinker with it more.

[Bug 588861] Re: pad block corrupted error when trying to register an image with 2.6.34 kernel

2010-06-21 Thread John Johansen
** Changed in: linux (Ubuntu Maverick)
     Assignee: (unassigned) => John Johansen (jjohansen)

[Bug 453335] Re: apparmor complains about write access to a readonly file

2009-10-30 Thread John Johansen
** Changed in: linux (Ubuntu)
       Status: Triaged => In Progress
** Changed in: linux (Ubuntu Karmic)
       Status: Triaged => In Progress

[Bug 453335] Re: apparmor complains about write access to a readonly file

2009-10-28 Thread John Johansen
I have placed a test kernel at http://kernel.ubuntu.com/~jj/linux-image-2.6.31-14-generic_2.6.31-14.48~jj_amd64.deb

[Bug 361819] Re: Frequent random KVM host kernel OOPS

2009-10-13 Thread John Johansen
I haven't, though it is possible I just haven't spent enough time testing it in Karmic yet.

[Bug 361819] Re: Frequent random KVM host kernel OOPS

2009-09-14 Thread John Johansen
No, I haven't been able to confirm it is a kernel issue yet, though I am planning on devoting some good time to this bug over the next couple of days.

[Bug 400349] Re: dhclient-script fails with apparmor

2009-07-20 Thread John Johansen
This turns out to be a regression in Jaunty that is now fixed and behaving properly in Karmic.
** Changed in: linux (Ubuntu Karmic)
       Status: Confirmed => Invalid

[Bug 400349] Re: dhclient-script fails with apparmor

2009-07-20 Thread John Johansen
practice.
** Changed in: linux (Ubuntu Jaunty)
       Status: New => Confirmed
** Changed in: linux (Ubuntu Jaunty)
     Assignee: (unassigned) => John Johansen (jjohansen)

[Bug 400349] Re: dhclient-script fails with apparmor

2009-07-17 Thread John Johansen
I took a look at this and it is behaving correctly, though I haven't established whether it is due to a deviation in AppArmor's behavior, the scripts or both. The executable /sbin/dhclient3 does a Px transition (as specified in its profile) to /sbin/dhclient-script. /sbin/dhclient-script