On Fri, Jul 27, 2018, 21:21 Stéphane Graber <stgra...@stgraber.org> wrote:
> Ok, thanks for the update. I've now updated the bug once again to move > all the tasks over to the kernel. Can you attach the kernel patch here > when you can, I'm sure some of the subscribers may want to test this > ahead of the Ubuntu kernel fixes :) > Might make sense to cc Lennart as he has a stake in this too. :) > ** Changed in: linux (Ubuntu) > Importance: Undecided => Critical > > ** Changed in: linux (Ubuntu Xenial) > Importance: Undecided => Critical > > ** Changed in: linux (Ubuntu Bionic) > Importance: Undecided => Critical > > ** Changed in: linux (Ubuntu) > Status: Invalid => Triaged > > ** Changed in: linux (Ubuntu Xenial) > Status: Invalid => Triaged > > ** Changed in: linux (Ubuntu Bionic) > Status: Invalid => Triaged > > ** Changed in: apparmor (Ubuntu) > Status: Triaged => Invalid > > ** Changed in: apparmor (Ubuntu Xenial) > Status: Triaged => Invalid > > ** Changed in: apparmor (Ubuntu Bionic) > Status: Triaged => Invalid > > ** Changed in: apparmor (Ubuntu) > Assignee: John Johansen (jjohansen) => (unassigned) > > ** Changed in: apparmor (Ubuntu Xenial) > Assignee: John Johansen (jjohansen) => (unassigned) > > ** Changed in: apparmor (Ubuntu Bionic) > Assignee: John Johansen (jjohansen) => (unassigned) > > ** Changed in: linux (Ubuntu) > Assignee: (unassigned) => John Johansen (jjohansen) > > ** Changed in: linux (Ubuntu Xenial) > Assignee: (unassigned) => John Johansen (jjohansen) > > ** Changed in: linux (Ubuntu Bionic) > Assignee: (unassigned) => John Johansen (jjohansen) > > -- > You received this bug notification because you are subscribed to the bug > report. > https://bugs.launchpad.net/bugs/1780227 > > Title: > locking sockets broken due to missing AppArmor socket mediation > patches > > Status in apparmor package in Ubuntu: > Invalid > Status in linux package in Ubuntu: > Triaged > Status in apparmor source package in Xenial: > Invalid > Status in linux source package in Xenial: > Triaged > Status in apparmor source package in Bionic: > Invalid > Status in linux source package in Bionic: > Triaged > > Bug description: > Hey, > > Newer systemd makes use of locks placed on AF_UNIX sockets created > with the socketpair() syscall to synchronize various bits and pieces > when isolating services. On kernels prior to 4.18 that do not have > backported the AppArmor socket mediation patchset this will cause the > locks to be denied with EACCESS. This causes systemd to be broken in > LXC and LXD containers that do not run unconfined which is a pretty > big deal. We have seen various bug reports related to this. See for > example [1] and [2]. > > If feasible it would be excellent if we could backport the socket > mediation patchset to all LTS kernels. Afaict, this should be 4.4 and > 4.15. This will unbreak a whole range of use-cases. > > The socket mediation patchset is available here: > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4 > > > [1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779 > [2]: https://github.com/systemd/systemd/issues/9493 > > Thanks! > Christian > > To manage notifications about this bug go to: > > https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1780227/+subscriptions > ** Bug watch added: github.com/systemd/systemd/issues #9493 https://github.com/systemd/systemd/issues/9493 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1780227 Title: locking sockets broken due to missing AppArmor socket mediation patches Status in apparmor package in Ubuntu: Invalid Status in linux package in Ubuntu: Triaged Status in apparmor source package in Xenial: Invalid Status in linux source package in Xenial: Triaged Status in apparmor source package in Bionic: Invalid Status in linux source package in Bionic: Triaged Bug description: Hey, Newer systemd makes use of locks placed on AF_UNIX sockets created with the socketpair() syscall to synchronize various bits and pieces when isolating services. On kernels prior to 4.18 that do not have backported the AppArmor socket mediation patchset this will cause the locks to be denied with EACCESS. This causes systemd to be broken in LXC and LXD containers that do not run unconfined which is a pretty big deal. We have seen various bug reports related to this. See for example [1] and [2]. If feasible it would be excellent if we could backport the socket mediation patchset to all LTS kernels. Afaict, this should be 4.4 and 4.15. This will unbreak a whole range of use-cases. The socket mediation patchset is available here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4 [1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779 [2]: https://github.com/systemd/systemd/issues/9493 Thanks! Christian To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1780227/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp