You are correct that the kernel reports a supported abi, and currently the abi does not export that it is supporting link mediation for sockets. However the kernel is currently enforcing link mediation on sockets and there are reasons to want to continue to do so.
The plan would be to let the parser know that existing kernel abis have a quirk where they are not correctly advertising the abi. The parser would then correctly generate policy for both old and new kernels. The patch would be rolled out in upstream apparmor point releases 2.10.4, 2.11.2, 2.12.1, and 2.13.1, as well as being dropped into supported ubuntu releases. Suse and Debian will pickup the bug fixes from upstream, they are fairly good about picking up point release bug fixes. Updating the userspace probably provides us the widest roll out of the fix possible. -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1780227 Title: locking sockets broken due to missing AppArmor socket mediation patches Status in linux package in Ubuntu: Triaged Status in linux source package in Xenial: Triaged Status in linux source package in Bionic: Triaged Bug description: Hey, Newer systemd makes use of locks placed on AF_UNIX sockets created with the socketpair() syscall to synchronize various bits and pieces when isolating services. On kernels prior to 4.18 that do not have backported the AppArmor socket mediation patchset this will cause the locks to be denied with EACCESS. This causes systemd to be broken in LXC and LXD containers that do not run unconfined which is a pretty big deal. We have seen various bug reports related to this. See for example [1] and [2]. If feasible it would be excellent if we could backport the socket mediation patchset to all LTS kernels. Afaict, this should be 4.4 and 4.15. This will unbreak a whole range of use-cases. The socket mediation patchset is available here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4 [1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779 [2]: https://github.com/systemd/systemd/issues/9493 Thanks! Christian To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1780227/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
