On Fri, Jul 27, 2018, 21:21 Stéphane Graber <stgra...@stgraber.org> wrote:
> Ok, thanks for the update. I've now updated the bug once again to move
> all the tasks over to the kernel. Can you attach the kernel patch here
> when you can, I'm sure some of the subscribers may want to test this
> ahead of the Ubuntu kernel fixes :)
>
> Might make sense to cc Lennart as he has a stake in this too. :)
>
> ** Changed in: linux (Ubuntu)
>        Importance: Undecided => Critical
>
> ** Changed in: linux (Ubuntu Xenial)
>        Importance: Undecided => Critical
>
> ** Changed in: linux (Ubuntu Bionic)
>        Importance: Undecided => Critical
>
> ** Changed in: linux (Ubuntu)
>        Status: Invalid => Triaged
>
> ** Changed in: linux (Ubuntu Xenial)
>        Status: Invalid => Triaged
>
> ** Changed in: linux (Ubuntu Bionic)
>        Status: Invalid => Triaged
>
> ** Changed in: apparmor (Ubuntu)
>        Status: Triaged => Invalid
>
> ** Changed in: apparmor (Ubuntu Xenial)
>        Status: Triaged => Invalid
>
> ** Changed in: apparmor (Ubuntu Bionic)
>        Status: Triaged => Invalid
>
> ** Changed in: apparmor (Ubuntu)
>      Assignee: John Johansen (jjohansen) => (unassigned)
>
> ** Changed in: apparmor (Ubuntu Xenial)
>      Assignee: John Johansen (jjohansen) => (unassigned)
>
> ** Changed in: apparmor (Ubuntu Bionic)
>      Assignee: John Johansen (jjohansen) => (unassigned)
>
> ** Changed in: linux (Ubuntu)
>      Assignee: (unassigned) => John Johansen (jjohansen)
>
> ** Changed in: linux (Ubuntu Xenial)
>      Assignee: (unassigned) => John Johansen (jjohansen)
>
> ** Changed in: linux (Ubuntu Bionic)
>      Assignee: (unassigned) => John Johansen (jjohansen)
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1780227
>
> Title:
>   locking sockets broken due to missing AppArmor socket mediation
>   patches
>
> Status in apparmor package in Ubuntu:
>   Invalid
> Status in linux package in Ubuntu:
>   Triaged
> Status in apparmor source package in Xenial:
>   Invalid
> Status in linux source package in Xenial:
>   Triaged
> Status in apparmor source package in Bionic:
>   Invalid
> Status in linux source package in Bionic:
>   Triaged
>
> Bug description:
>   Hey,
>
>   Newer systemd makes use of locks placed on AF_UNIX sockets created
>   with the socketpair() syscall to synchronize various bits and pieces
>   when isolating services. On kernels prior to 4.18 that do not have
>   the AppArmor socket mediation patchset backported, this will cause the
>   locks to be denied with EACCES. This causes systemd to be broken in
>   LXC and LXD containers that do not run unconfined, which is a pretty
>   big deal. We have seen various bug reports related to this. See for
>   example [1] and [2].
>
>   If feasible it would be excellent if we could backport the socket
>   mediation patchset to all LTS kernels. Afaict, this should be 4.4 and
>   4.15. This will unbreak a whole range of use-cases.
>
>   The socket mediation patchset is available here:
>
>   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4
>
>   [1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779
>   [2]: https://github.com/systemd/systemd/issues/9493
>
>   Thanks!
>   Christian
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1780227/+subscriptions

** Bug watch added: github.com/systemd/systemd/issues #9493
   https://github.com/systemd/systemd/issues/9493

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1780227

Title:
  locking sockets broken due to missing AppArmor socket mediation
  patches

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1780227/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
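The bug description above boils down to one syscall pattern: take a lock on one end of an AF_UNIX socketpair() and see whether the LSM lets it through. The probe below is an added example for subscribers who want to check a kernel or container profile ahead of the fixes; it is not code from the bug report, from systemd, or from the kernel patch. It assumes flock() as the lock primitive (the report does not say which locking call systemd uses, and the AppArmor file_lock hook covers both flock() and fcntl() record locks, so the outcome is the same for either). Run it inside a confined LXC/LXD container on an affected kernel and the lock step should fail with EACCES; on an unconfined host, or on a kernel carrying the socket mediation patchset with a profile that grants unix socket lock, it should succeed.

```c
/* Added example (not from the bug report or systemd): probe whether a
 * lock can be taken on an AF_UNIX socketpair end under the current
 * kernel and AppArmor confinement. Build: cc -o sockprobe sockprobe.c */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/file.h>
#include <sys/socket.h>
#include <unistd.h>

/* Which step of the probe failed, if any. */
enum probe_stage {
    STAGE_OK = 0,       /* socketpair created, lock taken and released */
    STAGE_SOCKETPAIR,   /* socketpair() itself failed */
    STAGE_LOCK          /* flock() on the socket was refused */
};

struct probe_result {
    enum probe_stage stage;
    int err;            /* errno of the failing call, 0 on success */
};

/* Create an AF_UNIX stream socketpair (the same kind of object systemd
 * locks, per the bug description) and try to take an exclusive,
 * non-blocking lock on one end. Returns the stage/errno of the first
 * failure. Both descriptors are always closed before returning. */
struct probe_result probe_socketpair_lock(void)
{
    struct probe_result r = { STAGE_OK, 0 };
    int sv[2];

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) {
        r.stage = STAGE_SOCKETPAIR;
        r.err = errno;
        return r;
    }

    /* This is the call the missing socket mediation turns into EACCES
     * for confined containers, as described in the report. */
    if (flock(sv[0], LOCK_EX | LOCK_NB) < 0) {
        r.stage = STAGE_LOCK;
        r.err = errno;
    } else {
        flock(sv[0], LOCK_UN);
    }

    close(sv[0]);
    close(sv[1]);
    return r;
}

/* Human-readable name of the failing stage, for the report below. */
const char *probe_stage_name(enum probe_stage s)
{
    switch (s) {
    case STAGE_OK:         return "ok";
    case STAGE_SOCKETPAIR: return "socketpair";
    case STAGE_LOCK:       return "flock";
    }
    return "unknown";
}

int main(void)
{
    struct probe_result r = probe_socketpair_lock();

    if (r.stage == STAGE_OK) {
        puts("lock on AF_UNIX socketpair: OK");
        return 0;
    }

    fprintf(stderr, "lock on AF_UNIX socketpair: failed at %s: %s\n",
            probe_stage_name(r.stage), strerror(r.err));
    if (r.stage == STAGE_LOCK && r.err == EACCES)
        fputs("EACCES from the lock call matches the AppArmor denial "
              "described in LP: #1780227; check the kernel's audit log "
              "for an apparmor=\"DENIED\" operation=\"file_lock\" line\n",
              stderr);
    return 1;
}
```

On a failing system the kernel log entry is the confirming artefact: a file_lock denial on a unix socket from the container's profile, which disappears once the kernel carries the socket mediation patchset and the profile grants the lock permission.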