On 9/4/23 12:32, Michael Biebl wrote:
> On 04.09.23 at 20:23, Mathias Gibbens wrote:
>> On Mon, 2023-09-04 at 01:00 -0700, John Johansen wrote:
>>> I took a quick look through v6.1..v6.3.1
>>> there is a patch that I think is the likely fix; it first landed in v6.2
>>> 1cf26c3d2c4c apparmor: fix apparmor mediating locking non-fs unix sockets
>>
>> Thanks for the pointer, John -- I think that is the fix we've been
>> looking for!
>>
>> Commit 1cf26c3d2c4c doesn't apply cleanly to the v6.1 tree due to the
>> other commits from the patchset of Oct 3, 2022 that modified a bunch of
>> the apparmor code. Because I couldn't quickly cherry-pick all the
>> changes without amassing a large diff, I made the small proof-of-concept
>> patch at the end of this message and applied it to the 6.1.38-4 kernel
>> from bookworm. Booting with the patched kernel allows services to start
>> up in containers without any issues. :)
>>
>> So, I think the next step should be to get that commit properly
>> backported to the v6.1 longterm tree and included in an upstream
>> release. Hopefully that would be able to happen in enough time so that
>> it is bundled with the kernel updates for bookworm's point release next
>> month. If not, we should be sure to get it into Debian's packaging so
>> at least there's a proper fix available.
>
> Thanks for the update, Mathias, this looks very promising.
> A stable update of the Linux 6.1.x kernel would obviously be the ideal solution.
> John, could you help with getting this fix into 6.1.x?

yes, I am working on a patch.