On Mon, 2023-09-04 at 01:00 -0700, John Johansen wrote:
> I took a quick look through v6.1..v6.3.1
>
> there is a patch that I think is the likely fix, it first landed in v6.2
>
> 1cf26c3d2c4c apparmor: fix apparmor mediating locking non-fs unix sockets
Thanks for the pointer John -- I think that is the fix we've been looking for!

Commit 1cf26c3d2c4c doesn't apply cleanly to the v6.1 tree due to the other commits from the patchset of Oct 3, 2022 that modified a bunch of the apparmor code. Because I couldn't quickly cherry-pick all the changes without amassing a large diff, I made the small proof-of-concept patch at the end of this message and applied it to the 6.1.38-4 kernel from bookworm. Booting with the patched kernel allows services to start up in containers without any issues. :)

So, I think the next step should be to get that commit properly backported to the v6.1 longterm tree and included in an upstream release. Hopefully that would be able to happen in enough time so that it is bundled with the kernel updates for bookworm's point release next month. If not, we should be sure to get it into Debian's packaging so at least there's a proper fix available.

I'm happy to help test any proposed patch for this fix on my end.

Mathias

-----

> --- a/security/apparmor/lib.c 2023-09-04 16:08:28.818066140 +0000
> +++ b/security/apparmor/lib.c 2023-09-04 16:09:17.566222261 +0000
> @@ -355,6 +355,9 @@
> perms->allow |= map_other(dfa_other_allow(dfa, state));
> perms->audit |= map_other(dfa_other_audit(dfa, state));
> perms->quiet |= map_other(dfa_other_quiet(dfa, state));
> +
> + // For testing only!
> + perms->allow |= AA_MAY_LOCK;
> }
>
> /**
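Review bot: the added `perms->allow |= AA_MAY_LOCK;` unconditionally ORs lock permission into every permission set this function computes from the DFA state, so it is not scoped to non-fs unix sockets and any profile that denies locking is silently broadened; as the `// For testing only!` comment says, this hunk must not be carried into the Debian package or the v6.1 backport. The `//` comment is also not kernel style (use `/* ... */`). The proper change is a backport of 1cf26c3d2c4c together with the prerequisite commits it depends on, rather than this hunk.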