On 01/06/2018 07:50 AM, intrigeri wrote:
> Hi John,
>
> John Johansen:
>> Attached is the patch for the kernel that is currently in testing
>
>> From 1aa96ec6d0fce613e06fa4d073c8cf3e183989da Mon Sep 17 00:00:00 2001
>> From: John Johansen <john.johan...@canonical.com>
>> Date: Thu, 7 Dec 2017 00:28:27 -0800
>> Subject: [PATCH] apparmor: fix regression in mount mediation when feature set
>>  is pinned
>> MIME-Version: 1.0
>> Content-Type: text/plain; charset=UTF-8
>> Content-Transfer-Encoding: 8bit
>
>> When the mount code was refactored for Labels it was not correctly
>> updated to check whether policy supported mediation of the mount
>> class. This causes a regression when the kernel feature set is
>> reported as supporting mount and policy is pinned to a feature set
>> that does not support mount mediation.
>
> What's the status of this patch?
>
It is in 4.15-rc7 and has started working its way into the 4.14 stable tree; I expect it will be in the 4.14.13 stable release.

> Context & meta: I'd like to pin the feature set to 4.9's in Debian
> Stretch (and Tails) ASAP, but if I do this now, I'll break "mount"
> operations for all confined software. I appreciate the work you're
> putting into the longer-term, nicer solution (policy versioning); I'm
> confident it will make things better for future stable releases of our
> distros; but sadly it won't fix the problems we currently have in the
> already released LTS distros that won't backport big kernel patch sets
> to their stable kernel, so in the short term what we need, at least in
> Debian and Tails, is bugfixes in the feature set pinning facility.
>