This bug was fixed in the package linux - 4.12.0-13.14

---------------
linux (4.12.0-13.14) artful; urgency=low

  * linux: 4.12.0-13.14 -proposed tracker (LP: #1714687)

  * vhost guest network randomly drops under stress (kvm) (LP: #1711251)
    - Revert "vhost: cache used event for better performance"

  * EDAC sbridge: Failed to register device with error -22. (LP: #1714112)
    - [Config] CONFIG_EDAC_GHES=n

  * Artful update to v4.12.10 stable release (LP: #1714525)
    - sparc64: remove unnecessary log message
    - bonding: require speed/duplex only for 802.3ad, alb and tlb
    - bonding: ratelimit failed speed/duplex update warning
    - af_key: do not use GFP_KERNEL in atomic contexts
    - dccp: purge write queue in dccp_destroy_sock()
    - dccp: defer ccid_hc_tx_delete() at dismantle time
    - ipv4: fix NULL dereference in free_fib_info_rcu()
    - net_sched/sfq: update hierarchical backlog when drop packet
    - net_sched: remove warning from qdisc_hash_add
    - bpf: fix bpf_trace_printk on 32 bit archs
    - net: igmp: Use ingress interface rather than vrf device
    - openvswitch: fix skb_panic due to the incorrect actions attrlen
    - ptr_ring: use kmalloc_array()
    - ipv4: better IP_MAX_MTU enforcement
    - nfp: fix infinite loop on umapping cleanup
    - tun: handle register_netdevice() failures properly
    - sctp: fully initialize the IPv6 address in sctp_v6_to_addr()
    - tipc: fix use-after-free
    - ipv6: reset fn->rr_ptr when replacing route
    - ipv6: repair fib6 tree in failure case
    - tcp: when rearming RTO, if RTO time is in past then fire RTO ASAP
    - net/mlx4_core: Enable 4K UAR if SRIOV module parameter is not enabled
    - irda: do not leak initialized list.dev to userspace
    - net: sched: fix NULL pointer dereference when action calls some targets
    - net_sched: fix order of queue length updates in qdisc_replace()
    - bpf, verifier: add additional patterns to evaluate_reg_imm_alu
    - bpf: fix mixed signed/unsigned derived min/max value bounds
    - bpf/verifier: fix min/max handling in BPF_SUB
    - Input: trackpoint - add new trackpoint firmware ID
    - Input: elan_i2c - add ELAN0602 ACPI ID to support Lenovo Yoga310
    - Input: ALPS - fix two-finger scroll breakage in right side on ALPS
      touchpad
    - KVM: s390: sthyi: fix sthyi inline assembly
    - KVM: s390: sthyi: fix specification exception detection
    - KVM: x86: simplify handling of PKRU
    - KVM, pkeys: do not use PKRU value in vcpu->arch.guest_fpu.state
    - KVM: x86: block guest protection keys unless the host has them enabled
    - ALSA: usb-audio: Add delay quirk for H650e/Jabra 550a USB headsets
    - ALSA: core: Fix unexpected error at replacing user TLV
    - ALSA: hda - Add stereo mic quirk for Lenovo G50-70 (17aa:3978)
    - ALSA: firewire: fix NULL pointer dereference when releasing uninitialized
      data of iso-resource
    - ALSA: firewire-motu: destroy stream data surely at failure of card
      initialization
    - ARCv2: SLC: Make sure busy bit is set properly for region ops
    - ARCv2: PAE40: Explicitly set MSB counterpart of SLC region ops addresses
    - ARCv2: PAE40: set MSB even if !CONFIG_ARC_HAS_PAE40 but PAE exists in SoC
    - PM/hibernate: touch NMI watchdog when creating snapshot
    - mm, shmem: fix handling /sys/kernel/mm/transparent_hugepage/shmem_enabled
    - dax: fix deadlock due to misaligned PMD faults
    - i2c: designware: Fix system suspend
    - mm/madvise.c: fix freeing of locked page with MADV_FREE
    - fork: fix incorrect fput of ->exe_file causing use-after-free
    - mm/memblock.c: reversed logic in memblock_discard()
    - arm64: fpsimd: Prevent registers leaking across exec
    - drm: Fix framebuffer leak
    - drm: Release driver tracking before making the object available again
    - drm/sun4i: Implement drm_driver lastclose to restore fbdev console
    - drm/atomic: Handle -EDEADLK with out-fences correctly
    - drm/atomic: If the atomic check fails, return its value first
    - drm/i915/vbt: ignore extraneous child devices for a port
    - drm/i915/gvt: Fix the kernel null pointer error
    - Revert "drm/amdgpu: fix vblank_time when displays are off"
    - ACPI: device property: Fix node lookup in
      acpi_graph_get_child_prop_value()
    - tracing: Call clear_boot_tracer() at lateinit_sync
    - tracing: Missing error code in tracer_alloc_buffers()
    - tracing: Fix kmemleak in tracing_map_array_free()
    - tracing: Fix freeing of filter in create_filter() when set_str is false
    - RDMA/uverbs: Initialize cq_context appropriately
    - kbuild: linker script do not match C names unless
      LD_DEAD_CODE_DATA_ELIMINATION is configured
    - cifs: Fix df output for users with quota limits
    - cifs: return ENAMETOOLONG for overlong names in cifs_open()/cifs_lookup()
    - nfsd: Limit end of page list when decoding NFSv4 WRITE
    - ring-buffer: Have ring_buffer_alloc_read_page() return error on offline
      CPU
    - virtio_pci: fix cpu affinity support
    - ftrace: Check for null ret_stack on profile function graph entry function
    - perf/core: Fix group {cpu,task} validation
    - timers: Fix excessive granularity of new timers after a nohz idle
    - x86/mm: Fix use-after-free of ldt_struct
    - net: sunrpc: svcsock: fix NULL-pointer exception
    - netfilter: expect: fix crash when putting uninited expectation
    - netfilter: nat: fix src map lookup
    - netfilter: nfnetlink: Improve input length sanitization in nfnetlink_rcv
    - Bluetooth: hidp: fix possible might sleep error in hidp_session_thread
    - Bluetooth: cmtp: fix possible might sleep error in cmtp_session
    - Bluetooth: bnep: fix possible might sleep error in bnep_session
    - Revert "android: binder: Sanity check at binder ioctl"
    - binder: use group leader instead of open thread
    - binder: Use wake up hint for synchronous transactions.
    - ANDROID: binder: fix proc->tsk check.
    - iio: imu: adis16480: Fix acceleration scale factor for adis16480
    - iio: hid-sensor-trigger: Fix the race with user space powering up sensors
    - iio: magnetometer: st_magn: fix status register address for LSM303AGR
    - iio: magnetometer: st_magn: remove ihl property for LSM303AGR
    - staging: rtl8188eu: add RNX-N150NUB support
    - iommu: Fix wrong freeing of iommu_device->dev
    - Clarify (and fix) MAX_LFS_FILESIZE macros
    - ntb: ntb_test: ensure the link is up before trying to configure the mws
    - ntb: transport shouldn't disable link due to bogus values in SPADs
    - ACPI: EC: Fix regression related to wrong ECDT initialization order
    - powerpc/mm: Ensure cpumask update is ordered
    - Linux 4.12.10

  * arm64 arch_timer fixes (LP: #1713821)
    - clocksource/drivers/arm_arch_timer: Fix mem frame loop initialization
    - clocksource/drivers/arm_arch_timer: Avoid infinite recursion when ftrace
      is enabled

  * [Bug] Harrisonville: pnd2_edac always fail to load on B1 stepping
    Harrisonville SDP (LP: #1709257)
    - EDAC, pnd2: Return proper error value from apl_rd_reg()
    - EDAC, pnd2: Make function sbi_send() static
    - EDAC, pnd2: Fix Apollo Lake DIMM detection
    - EDAC, pnd2: Build in a minimal sideband driver for Apollo Lake
    - EDAC, pnd2: Mask off the lower four bits of a BAR
    - EDAC, pnd2: Conditionally unhide/hide the P2SB PCI device to read BAR
    - EDAC, pnd2: Properly toggle hidden state for P2SB PCI device
    - SAUCE: i2c: i801: Restore the presence state of P2SB PCI device after
      reading BAR

  * implement 'complain mode' in seccomp for developer mode with snaps
    (LP: #1567597)
    - seccomp: Action to log before allowing

  * linux 4.12.0-11.12 ADT test failure with linux 4.12.0-11.12 (LP: #1710904)
    - SAUCE: selftests/powerpc: Use snprintf to construct DSCR sysfs interface
      paths

  * Artful update to v4.12.9 stable release (LP: #1713106)
    - audit: Fix use after free in audit_remove_watch_rule()
    - parisc: pci memory bar assignment fails with 64bit kernels on dino/cujo
    - crypto: ixp4xx - Fix error handling path in 'aead_perform()'
    - crypto: x86/sha1 - Fix reads beyond the number of blocks passed
    - drm/i915: Perform an invalidate prior to executing golden renderstate
    - drm/amdgpu: save list length when fence is signaled
    - Input: elan_i2c - add ELAN0608 to the ACPI table
    - Input: elan_i2c - Add antoher Lenovo ACPI ID for upcoming Lenovo NB
    - md: fix test in md_write_start()
    - md: always clear ->safemode when md_check_recovery gets the mddev lock.
    - MD: not clear ->safemode for external metadata array
    - ALSA: seq: 2nd attempt at fixing race creating a queue
    - ALSA: usb-audio: Apply sample rate quirk to Sennheiser headset
    - ALSA: usb-audio: Add mute TLV for playback volumes on C-Media devices
    - ALSA: usb-audio: add DSD support for new Amanero PID
    - mm: discard memblock data later
    - slub: fix per memcg cache leak on css offline
    - mm: fix double mmap_sem unlock on MMF_UNSTABLE enforced SIGBUS
    - mm/cma_debug.c: fix stack corruption due to sprintf usage
    - mm/mempolicy: fix use after free when calling get_mempolicy
    - mm/vmalloc.c: don't unconditonally use __GFP_HIGHMEM
    - mm: revert x86_64 and arm64 ELF_ET_DYN_BASE base changes
    - xen: fix bio vec merging
    - ARM: dts: imx6qdl-nitrogen6_som2: fix PCIe reset
    - blk-mq-pci: add a fallback when pci_irq_get_affinity returns NULL
    - powerpc: Fix VSX enabling/flushing to also test MSR_FP and MSR_VEC
    - xen-blkfront: use a right index when checking requests
    - perf/x86: Fix RDPMC vs. mm_struct tracking
    - x86/asm/64: Clear AC on NMI entries
    - x86: Fix norandmaps/ADDR_NO_RANDOMIZE
    - x86/elf: Remove the unnecessary ADDR_NO_RANDOMIZE checks
    - irqchip/atmel-aic: Fix unbalanced of_node_put() in aic_common_irq_fixup()
    - irqchip/atmel-aic: Fix unbalanced refcount in aic_common_rtc_irq_fixup()
    - genirq: Restore trigger settings in irq_modify_status()
    - genirq/ipi: Fixup checks against nr_cpu_ids
    - kernel/watchdog: Prevent false positives with turbo modes
    - Sanitize 'move_pages()' permission checks
    - pids: make task_tgid_nr_ns() safe
    - debug: Fix WARN_ON_ONCE() for modules
    - usb: optimize acpi companion search for usb port devices
    - usb: qmi_wwan: add D-Link DWM-222 device ID
    - Linux 4.12.9

  * Touchpad not detected (LP: #1708852)
    - Input: elan_i2c - add ELAN0608 to the ACPI table

  * HID: multitouch: Support ALPS PTP Stick and Touchpad devices (LP: #1712481)
    - HID: multitouch: Support PTP Stick and Touchpad device
    - SAUCE: HID: multitouch: Support ALPS PTP stick with pid 0x120A

  * sort ABI files with C.UTF-8 locale (LP: #1712345)
    - [Packaging] sort ABI files with C.UTF-8 locale

  * igb: Support using Broadcom 54616 as PHY (LP: #1712024)
    - SAUCE: igb: add support for using Broadcom 54616 as PHY

  * RPT related fixes missing in Ubuntu 16.04.3 (LP: #1709220)
    - powerpc/mm/radix: Improve _tlbiel_pid to be usable for PWC flushes
    - powerpc/mm/radix: Improve TLB/PWC flushes
    - powerpc/mm/radix: Avoid flushing the PWC on every flush_tlb_range

  * AMD RV platforms with SNPS 3.1 USB controller stop responding (S3 issue)
    (LP: #1711098)
    - usb: xhci: Issue stop EP command only when the EP state is running

  * dma-buf: performance issue when looking up the fence status (LP: #1711096)
    - dma-buf: avoid scheduling on fence status query v2

  * Linux 4.12 refuses to load self-signed modules under Secure Boot with
    properly enrolled keys (LP: #1712168)
    - SAUCE: (efi-lockdown) MODSIGN: Fix module signature verification

  * [17.10 FEAT] Enable NVMe driver - kernel (LP: #1708432)
    - [Config] CONFIG_BLK_DEV_NVME=m for s390

  * Miscellaneous Ubuntu changes
    - SAUCE: selftests/powerpc: Disable some ptrace selftests

  * Miscellaneous upstream changes
    - Revert "UBUNTU: SAUCE: seccomp: log actions even when audit is disabled"
    - seccomp: Provide matching filter for introspection
    - seccomp: Sysctl to display available actions
    - seccomp: Operation for checking if an action is available
    - seccomp: Sysctl to configure actions that are allowed to be logged
    - seccomp: Selftest for detection of filter flag support
    - seccomp: Filter flag to log all actions except SECCOMP_RET_ALLOW

 -- Andy Whitcroft <a...@canonical.com>  Fri, 25 Aug 2017 18:04:36 +0100

** Changed in: linux (Ubuntu)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libseccomp in Ubuntu.
https://bugs.launchpad.net/bugs/1567597

Title:
  implement 'complain mode' in seccomp for developer mode with snaps

Status in Snappy:
  In Progress
Status in libseccomp package in Ubuntu:
  Confirmed
Status in linux package in Ubuntu:
  Fix Released

Bug description:
  A requirement for snappy is that a snap may be placed in developer
  mode which will put the security sandbox in complain mode such that
  violations against policy are logged, but permitted. In this manner
  learning tools can be written to parse the logs, etc and make
  developing on snappy easier.

  Unfortunately with seccomp only SCMP_ACT_KILL logs to dmesg and while
  we can set complain mode to permit all calls, they are not logged at
  this time. I've discussed this with upstream and we are working
  together on the approach. This may require a kernel patch and an
  update to libseccomp, so filing this bug for now as a placeholder and
  we'll add other tasks as necessary.

  UPDATE: ubuntu-core-launcher now supports the '@complain' directive
  that is a synonym for '@unrestricted' so people can at least turn on
  developer mode and not be blocked by seccomp. Proper complain mode for
  seccomp needs to still be implemented (this bug).

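The bug description above asks for violations to be logged but permitted so that learning tools can parse the logs. The following is an added example of such a parser, not code from the bug report or from any Ubuntu tool: it reads kernel audit SECCOMP records (type 1326) and lists, per command, the syscalls that were logged but allowed. The record layout and sample lines are constructed for illustration; the action values are those of the upstream `<linux/seccomp.h>`.

```python
import re
from collections import defaultdict

# Action values from the kernel UAPI header <linux/seccomp.h>; low 16 bits carry data.
ACTIONS = {0x80000000: "KILL_PROCESS", 0x00000000: "KILL_THREAD", 0x00030000: "TRAP",
           0x00050000: "ERRNO", 0x7FF00000: "TRACE", 0x7FFC0000: "LOG",
           0x7FFF0000: "ALLOW"}
ACTION_MASK = 0xFFFF0000
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_seccomp_record(line):
    """Return a dict for an audit SECCOMP record (type 1326), else None."""
    if "type=1326" not in line and "type=SECCOMP" not in line:
        return None
    f = {k: v.strip('"') for k, v in FIELD.findall(line)}
    try:
        code = int(f["code"], 16)
        return {"comm": f["comm"], "pid": int(f["pid"]), "syscall": int(f["syscall"]),
                "action": ACTIONS.get(code & ACTION_MASK, "UNKNOWN")}
    except (KeyError, ValueError):
        return None  # truncated or malformed record

def complain_mode_report(lines):
    """Map each command name to the syscall numbers that were logged but allowed."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_seccomp_record(line)
        if rec and rec["action"] == "LOG":
            seen[rec["comm"]].add(rec["syscall"])
    return {comm: sorted(nrs) for comm, nrs in seen.items()}

# Constructed sample records (not taken from the bug report).
_T = ('audit: type=1326 audit(1503680676.{n}:{n}): auid=1000 uid=1000 gid=1000 ses=2 '
      'pid={pid} comm="{comm}" exe="/snap/{comm}/x1/bin/{comm}" sig={sig} '
      'arch=c000003e syscall={nr} compat=0 ip=0x7f1c2a3b code={code}')
SAMPLE_LOG = [
    _T.format(n=101, pid=4211, comm="demo", sig=0, nr=41, code="0x7ffc0000"),
    _T.format(n=102, pid=4211, comm="demo", sig=0, nr=49, code="0x7ffc0000"),
    _T.format(n=103, pid=4211, comm="demo", sig=0, nr=41, code="0x7ffc0000"),
    _T.format(n=104, pid=4300, comm="other", sig=31, nr=101, code="0x0"),
    'audit: type=1400 audit(1503680676.105:105): apparmor="ALLOWED" operation="open"',
    'audit: type=1326 audit(1503680676.106:106): auid=1000 pid=4211 comm="demo" sysc',
]

if __name__ == "__main__":
    print(complain_mode_report(SAMPLE_LOG))
```

The killed process in the fourth sample record is left out of the report, since only logged-and-allowed calls are candidates for a snap's policy.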