[Kernel-packages] [Bug 2045384] Re: AppArmor patch for mq-posix interface is missing in jammy

2024-03-27 Thread Georgia Garcia
The mqueue patches are present in jammy-linux-gcp-fips: commits
6e7ff802c7b10 and b4ebbcfebd4d3


** Tags removed: verification-needed-jammy-linux-gcp-fips
** Tags added: verification-done-jammy-linux-gcp-fips

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2045384

Title:
  AppArmor patch for mq-posix interface is missing in jammy

Status in linux package in Ubuntu:
  Triaged
Status in livecd-rootfs package in Ubuntu:
  New
Status in linux source package in Jammy:
  Fix Released
Status in livecd-rootfs source package in Jammy:
  New

Bug description:
  [ Impact ]

  The mq-posix snapd interface does not work on Ubuntu Core 22. It results
  in permission denied even when all interfaces are connected.

  Our brandstore customer is using a POSIX message queue for IPC between
  snaps. They added the mq-posix interface and connected them properly but
  are getting a permission denied error.

  The AppArmor patch for POSIX message queues created for another customer
  did not land in the standard jammy kernel.

  Userspace support for AppArmor message queue handling is already
  present in Ubuntu Core 22, it is just missing from the kernel.

  [ Test Plan ]

   * Create snaps using the posix-mq snapd interface on Ubuntu Core 22 or Classic 22.04 with the standard kernel.
   * Example snaps for testing: https://code.launchpad.net/~itrue/+git/mqtest-provider and https://code.launchpad.net/~itrue/+git/mqtest-client

  [ Where problems could occur ]

   * The patches already exist for 5.15 and have been used on other
  private customer kernels and all kernels released after 22.04, so
  there is already a good track record for this patchset and it
  shouldn't create any issues.

  [ Other Info ]
   
   * This is a time-sensitive issue for a paying customer

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2045384/+subscriptions


-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp


[Kernel-packages] [Bug 2052662] Re: move_mount mediation does not detect if source is detached

2024-03-13 Thread Georgia Garcia
Verification in mantic was successful:

georgia@sec-mantic-amd64:~$ uname -a
Linux sec-mantic-amd64 6.5.0-27-generic #28-Ubuntu SMP PREEMPT_DYNAMIC Thu Mar  7 18:21:00 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
georgia@sec-mantic-amd64:~$ cat /sys/kernel/security/apparmor/features/mount/move_mount
detached
georgia@sec-mantic-amd64:~$ cd apparmor/tests/regression/apparmor/
georgia@sec-mantic-amd64:~/apparmor/tests/regression/apparmor$ sudo bash ./mount.sh
using mount rules ...
not supported by parser - skipping mount options=(nodirsync),

** Tags removed: verification-needed-mantic-linux
** Tags added: verification-done-mantic-linux


Title:
  move_mount mediation does not detect if source is detached

Status in linux package in Ubuntu:
  Invalid
Status in linux source package in Mantic:
  Fix Committed

Bug description:
  Impact:

  In AppArmor mediation, detached mounts are appearing as / when
  applying mount mediation, which is incorrect and leads to bad
  AppArmor policy being generated.

  In addition, the move_mount mediation is not being advertised to
  userspace, which denies the applications the possibility to
  respond accordingly.

  Fix:

  Fixed upstream by commit 8026e40608b4d552216d2a818ca7080a4264bb44
  by preventing move_mount from applying the attach_disconnected
  flag.

  Testcase:

  Check if the move_mount file is available in securityfs:

  $ cat /sys/kernel/security/apparmor/features/mount/move_mount
  detached

  Run the upstream AppArmor mount tests, which include move_mount mediation:
  https://gitlab.com/apparmor/apparmor/-/blob/master/tests/regression/apparmor/mount.sh

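A probe for the securityfs feature files that these two SRUs add, written as an added example (it is not code from the bug reports or from the AppArmor project). The mount/move_mount path and the "detached" token come from the bug above; the ipc/posix_mqueue path for the mqueue patches is an assumption, and the script name and the AA_PROBE_RUN variable are invented. Running it before the regression suites tells you whether the kernel under test advertises the mediation at all, which is exactly what the manual `cat` in the testcase checks.

```shell
#!/bin/sh
# aa-feature-probe.sh (hypothetical name): check whether the running kernel
# advertises the AppArmor mediation features that bugs 2052662 and 2045384
# backport, before spending time on the regression suites. Added example,
# not code from the bug reports or from the AppArmor project.

AA_FEATURES_DEFAULT=/sys/kernel/security/apparmor/features

# aa_feature_has BASE RELPATH TOKEN
#   returns 0 if BASE/RELPATH exists and lists TOKEN as one of its
#   whitespace-separated words, 1 if the file is absent (the kernel does not
#   advertise the feature at all), 2 if it exists but does not list TOKEN.
aa_feature_has() {
    f="$1/$2"
    [ -r "$f" ] || return 1
    # fold newlines and repeated blanks into single spaces, then match the
    # token as a whole word; no glob expansion of the file contents happens
    words=$(tr -s '[:space:]' ' ' < "$f")
    case " $words " in
        *" $3 "*) return 0 ;;
        *)        return 2 ;;
    esac
}

# Bug 2052662: after the fix, features/mount/move_mount must read "detached",
# which is how userspace learns that move_mount mediation is in place.
check_move_mount_detached() {
    aa_feature_has "${1:-$AA_FEATURES_DEFAULT}" mount/move_mount detached
}

# Bug 2045384: the mqueue patches advertise POSIX mqueue mediation under
# features/ipc/posix_mqueue. That path is an assumption here (the bug only
# names the patch commits); adjust it if your kernel exposes a different one.
check_posix_mqueue() {
    d="${1:-$AA_FEATURES_DEFAULT}/ipc/posix_mqueue"
    [ -e "$d" ]
}

# report [BASE]: print one line per feature and return 1 if any is missing,
# so the exit status can gate a verification run.
report() {
    base=${1:-$AA_FEATURES_DEFAULT}
    status=0
    rc=0; check_move_mount_detached "$base" || rc=$?
    case $rc in
        0) echo "move_mount: 'detached' advertised, mediation fix present" ;;
        1) echo "move_mount: feature file missing, fix not in this kernel"; status=1 ;;
        *) echo "move_mount: feature file present but 'detached' not listed"; status=1 ;;
    esac
    if check_posix_mqueue "$base"; then
        echo "posix_mqueue: mediation advertised, mqueue patches present"
    else
        echo "posix_mqueue: not advertised, mqueue patches missing"
        status=1
    fi
    return $status
}

# Run the report only when invoked with AA_PROBE_RUN=1, so that the file can
# also be sourced for its functions (for example from a CI wrapper).
if [ "${AA_PROBE_RUN:-0}" = 1 ]; then
    report "$@"
fi
```

Invoke it as `AA_PROBE_RUN=1 sh aa-feature-probe.sh` on the kernel under test; a non-zero exit means at least one of the backports is not advertised.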


[Kernel-packages] [Bug 2038443] Re: mantic:linux: ubuntu_qrt_apparmor: ApparmorTestsuites.test_regression_testsuiteattach_disconnected.

2024-03-08 Thread Georgia Garcia
*** This bug is a duplicate of bug 2051932 ***
https://bugs.launchpad.net/bugs/2051932

** This bug has been marked a duplicate of bug 2051932
   attach_disconnected test from test_regression_testsuite of ubuntu_qrt_apparmor failed with "Unable to run test sub-executable" on Mantic


Title:
  mantic:linux: ubuntu_qrt_apparmor:
  ApparmorTestsuites.test_regression_testsuiteattach_disconnected.

Status in apparmor package in Ubuntu:
  New
Status in linux package in Ubuntu:
  Confirmed
Status in apparmor source package in Mantic:
  New
Status in linux source package in Mantic:
  Confirmed

Bug description:
  This might be apparmor, the test case, kernel or anything in between:

  7720s   running attach_disconnected
  7720s   Fatal Error (unix_fd_server): Unable to run test sub-executable



[Kernel-packages] [Bug 2045384] Re: AppArmor patch for mq-posix interface is missing in jammy

2024-03-01 Thread Georgia Garcia
The mqueue patches are present in jammy-linux-mtk: commits 6e7ff802c7b10
and b4ebbcfebd4d3

** Tags removed: verification-needed-jammy-linux-mtk
** Tags added: verification-done-jammy-linux-mtk


Title:
  AppArmor patch for mq-posix interface is missing in jammy

Status in linux package in Ubuntu:
  Triaged
Status in livecd-rootfs package in Ubuntu:
  New
Status in linux source package in Jammy:
  Fix Released
Status in livecd-rootfs source package in Jammy:
  New



[Kernel-packages] [Bug 2045384] Re: AppArmor patch for mq-posix interface is missing in jammy

2024-02-29 Thread Georgia Garcia
The mqueue patches are present in linux-azure-fips: commits
6e7ff802c7b10 and b4ebbcfebd4d3

** Tags removed: verification-needed-jammy-linux-azure-fips
** Tags added: verification-done-jammy-linux-azure-fips


Title:
  AppArmor patch for mq-posix interface is missing in jammy

Status in linux package in Ubuntu:
  Triaged
Status in livecd-rootfs package in Ubuntu:
  New
Status in linux source package in Jammy:
  Fix Released
Status in livecd-rootfs source package in Jammy:
  New



[Kernel-packages] [Bug 2045384] Re: AppArmor patch for mq-posix interface is missing in jammy

2024-02-28 Thread Georgia Garcia
The mqueue patches are present in linux-nvidia-tegra: commits
6e7ff802c7b10 and b4ebbcfebd4d3

** Tags removed: verification-needed-jammy-linux-nvidia-tegra
** Tags added: verification-done-jammy-linux-nvidia-tegra


Title:
  AppArmor patch for mq-posix interface is missing in jammy

Status in linux package in Ubuntu:
  Triaged
Status in livecd-rootfs package in Ubuntu:
  New
Status in linux source package in Jammy:
  Fix Released
Status in livecd-rootfs source package in Jammy:
  New



[Kernel-packages] [Bug 2045384] Re: AppArmor patch for mq-posix interface is missing in jammy

2024-02-26 Thread Georgia Garcia
I can confirm that the mqueue patches are present in linux-xilinx-zynqmp: commits 6e7ff802c7b10 and b4ebbcfebd4d3

** Tags removed: verification-needed-jammy-linux-xilinx-zynqmp
** Tags added: verification-done-jammy-linux-xilinx-zynqmp


Title:
  AppArmor patch for mq-posix interface is missing in jammy

Status in linux package in Ubuntu:
  Triaged
Status in livecd-rootfs package in Ubuntu:
  New
Status in linux source package in Jammy:
  Fix Released
Status in livecd-rootfs source package in Jammy:
  New



[Kernel-packages] [Bug 2045384] Re: AppArmor patch for mq-posix interface is missing in jammy

2024-02-19 Thread Georgia Garcia
I could confirm that the patches are present in linux-bluefield and
linux-raspi: 6e7ff802c7b10 and b4ebbcfebd4d3

** Tags removed: verification-done-jammy-linux-azure verification-needed-jammy-linux-bluefield verification-needed-jammy-linux-raspi
** Tags added: verification-done-jammy-linux-bluefield verification-done-jammy-linux-raspi verification-needed-jammy-linux-azure

** Tags removed: verification-needed-jammy-linux-azure
** Tags added: verification-done-jammy-linux-azure


Title:
  AppArmor patch for mq-posix interface is missing in jammy

Status in linux package in Ubuntu:
  Triaged
Status in livecd-rootfs package in Ubuntu:
  New
Status in linux source package in Jammy:
  Fix Released
Status in livecd-rootfs source package in Jammy:
  New



[Kernel-packages] [Bug 2052662] Re: move_mount mediation does not detect if source is detached

2024-02-09 Thread Georgia Garcia
** Also affects: linux (Ubuntu Mantic)
   Importance: Undecided
   Status: New


Title:
  move_mount mediation does not detect if source is detached

Status in linux package in Ubuntu:
  New
Status in linux source package in Mantic:
  New



[Kernel-packages] [Bug 2045384] Re: AppArmor patch for mq-posix interface is missing in jammy

2024-02-08 Thread Georgia Garcia
Ran AppArmor tests from the QA Regression Tests [1] and POSIX mqueue
tests from the AppArmor test suite and they all passed as expected.

georgia@sec-jammy-amd64:~$ uname -a
Linux sec-jammy-amd64 5.15.0-1056-azure #64-Ubuntu SMP Tue Feb 6 19:23:34 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

georgia@sec-jammy-amd64:~/qrt-test-apparmor$ sudo ./test-apparmor.py
.
--
Ran 62 tests in 1061.185s

OK (skipped=2)


georgia@sec-jammy-amd64:~$ apt source apparmor
georgia@sec-jammy-amd64:~$ cd apparmor-3.0.4/tests/regression/apparmor/
georgia@sec-jammy-amd64:~/apparmor-3.0.4/tests/regression/apparmor$ USE_SYSTEM=1 make
georgia@sec-jammy-amd64:~/apparmor-3.0.4/tests/regression/apparmor$ sudo ./posix_mq.sh
BAD PASSWORD: The password fails the dictionary check - it is based on a dictionary word
xpass: POSIX MQUEUE (confined root - mqueue label 1)
xpass: POSIX MQUEUE (confined root - mqueue label 1 : mq_notify)
xpass: POSIX MQUEUE (confined root - mqueue label 1 : select)
xpass: POSIX MQUEUE (confined root - mqueue label 1 : poll)
xpass: POSIX MQUEUE (confined root - mqueue label 1 : epoll)
xpass: POSIX MQUEUE (confined root - mqueue label 2)
xpass: POSIX MQUEUE (confined root - mqueue label 2 : mq_notify)
xpass: POSIX MQUEUE (confined root - mqueue label 2 : select)
xpass: POSIX MQUEUE (confined root - mqueue label 2 : poll)
xpass: POSIX MQUEUE (confined root - mqueue label 2 : epoll)
xpass: POSIX MQUEUE (confined 1002 - mqueue label 1)
xpass: POSIX MQUEUE (confined 1002 - mqueue label 1 : mq_notify)
xpass: POSIX MQUEUE (confined 1002 - mqueue label 1 : select)
xpass: POSIX MQUEUE (confined 1002 - mqueue label 1 : poll)
xpass: POSIX MQUEUE (confined 1002 - mqueue label 1 : epoll)
xpass: POSIX MQUEUE (confined 1002 - mqueue label 2)
xpass: POSIX MQUEUE (confined 1002 - mqueue label 2 : mq_notify)
xpass: POSIX MQUEUE (confined 1002 - mqueue label 2 : select)
xpass: POSIX MQUEUE (confined 1002 - mqueue label 2 : poll)
xpass: POSIX MQUEUE (confined 1002 - mqueue label 2 : epoll)

[1] https://launchpad.net/qa-regression-testing

** Tags removed: verification-needed-jammy-linux-azure
** Tags added: verification-done-jammy-linux-azure


Title:
  AppArmor patch for mq-posix interface is missing in jammy

Status in linux package in Ubuntu:
  Triaged
Status in livecd-rootfs package in Ubuntu:
  New
Status in linux source package in Jammy:
  Fix Released
Status in livecd-rootfs source package in Jammy:
  New



[Kernel-packages] [Bug 2052662] [NEW] move_mount mediation does not detect if source is detached

2024-02-07 Thread Georgia Garcia
Public bug reported:

Impact:

In AppArmor mediation, detached mounts are appearing as / when
applying mount mediation, which is incorrect and leads to bad
AppArmor policy being generated.

In addition, the move_mount mediation is not being advertised to
userspace, which denies the applications the possibility to
respond accordingly.

Fix:

Fixed upstream by commit 8026e40608b4d552216d2a818ca7080a4264bb44
by preventing move_mount from applying the attach_disconnected
flag.

Testcase:

Check if the move_mount file is available in securityfs:

$ cat /sys/kernel/security/apparmor/features/mount/move_mount
detached

Run the upstream AppArmor mount tests, which include move_mount mediation:
https://gitlab.com/apparmor/apparmor/-/blob/master/tests/regression/apparmor/mount.sh

** Affects: linux (Ubuntu)
 Importance: Undecided
 Status: New


Title:
  move_mount mediation does not detect if source is detached

Status in linux package in Ubuntu:
  New



[Kernel-packages] [Bug 2045384] Re: AppArmor patch for mq-posix interface is missing in jammy

2024-01-29 Thread Georgia Garcia
Ran AppArmor tests from the QA Regression Tests [1] and POSIX mqueue
tests from the AppArmor test suite and they all passed as expected.

georgia@sec-jammy-amd64:~$ uname -a
Linux sec-jammy-amd64 5.15.0-1052-ibm-gt-fips #55+fips1-Ubuntu SMP Fri Jan 19 23:25:50 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

georgia@sec-jammy-amd64:~/qrt-test-apparmor$ sudo ./test-apparmor.py
.
--
Ran 62 tests in 1120.042s

OK (skipped=2)


georgia@sec-jammy-amd64:/tmp$ apt source apparmor
georgia@sec-jammy-amd64:/tmp$ cd apparmor-3.0.4/tests/regression/apparmor/
georgia@sec-jammy-amd64:/tmp/apparmor-3.0.4/tests/regression/apparmor$ USE_SYSTEM=1 make
georgia@sec-jammy-amd64:/tmp/apparmor-3.0.4/tests/regression/apparmor$ sudo ./posix_mq.sh
[sudo] password for georgia: 
BAD PASSWORD: The password fails the dictionary check - it is based on a dictionary word
xpass: POSIX MQUEUE (confined root - mqueue label 1)
xpass: POSIX MQUEUE (confined root - mqueue label 1 : mq_notify)
xpass: POSIX MQUEUE (confined root - mqueue label 1 : select)
xpass: POSIX MQUEUE (confined root - mqueue label 1 : poll)
xpass: POSIX MQUEUE (confined root - mqueue label 1 : epoll)
xpass: POSIX MQUEUE (confined root - mqueue label 2)
xpass: POSIX MQUEUE (confined root - mqueue label 2 : mq_notify)
xpass: POSIX MQUEUE (confined root - mqueue label 2 : select)
xpass: POSIX MQUEUE (confined root - mqueue label 2 : poll)
xpass: POSIX MQUEUE (confined root - mqueue label 2 : epoll)
xpass: POSIX MQUEUE (confined 1001 - mqueue label 1)
xpass: POSIX MQUEUE (confined 1001 - mqueue label 1 : mq_notify)
xpass: POSIX MQUEUE (confined 1001 - mqueue label 1 : select)
xpass: POSIX MQUEUE (confined 1001 - mqueue label 1 : poll)
xpass: POSIX MQUEUE (confined 1001 - mqueue label 1 : epoll)
xpass: POSIX MQUEUE (confined 1001 - mqueue label 2)
xpass: POSIX MQUEUE (confined 1001 - mqueue label 2 : mq_notify)
xpass: POSIX MQUEUE (confined 1001 - mqueue label 2 : select)
xpass: POSIX MQUEUE (confined 1001 - mqueue label 2 : poll)
xpass: POSIX MQUEUE (confined 1001 - mqueue label 2 : epoll)


[1] https://launchpad.net/qa-regression-testing

** Tags removed: verification-needed-jammy-linux-ibm-gt-fips
** Tags added: verification-done-jammy-linux-ibm-gt-fips


Title:
  AppArmor patch for mq-posix interface is missing in jammy

Status in linux package in Ubuntu:
  Triaged
Status in livecd-rootfs package in Ubuntu:
  New
Status in linux source package in Jammy:
  Fix Committed
Status in livecd-rootfs source package in Jammy:
  New



[Kernel-packages] [Bug 2045384] Re: AppArmor patch for mq-posix interface is missing in jammy

2024-01-26 Thread Georgia Garcia
Ran AppArmor tests from the QA Regression Tests [1] and POSIX mqueue
tests from the AppArmor test suite and they all passed as expected.

georgia@sec-jammy-amd64:/tmp/apparmor-3.0.4/tests/regression/apparmor$ uname -a
Linux sec-jammy-amd64 5.15.0-1048-intel-iotg #54-Ubuntu SMP Thu Jan 18 18:39:09 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

georgia@sec-jammy-amd64:~/qrt-test-apparmor$ sudo ./test-apparmor.py
.
--
Ran 62 tests in 1246.031s

OK (skipped=2)

georgia@sec-jammy-amd64:/tmp$ apt source apparmor
georgia@sec-jammy-amd64:/tmp$ cd apparmor-3.0.4/tests/regression/apparmor/
georgia@sec-jammy-amd64:/tmp/apparmor-3.0.4/tests/regression/apparmor$ USE_SYSTEM=1 make
georgia@sec-jammy-amd64:/tmp/apparmor-3.0.4/tests/regression/apparmor$ sudo ./posix_mq.sh
[sudo] password for georgia: 
BAD PASSWORD: The password fails the dictionary check - it is based on a dictionary word
xpass: POSIX MQUEUE (confined root - mqueue label 1)
xpass: POSIX MQUEUE (confined root - mqueue label 1 : mq_notify)
xpass: POSIX MQUEUE (confined root - mqueue label 1 : select)
xpass: POSIX MQUEUE (confined root - mqueue label 1 : poll)
xpass: POSIX MQUEUE (confined root - mqueue label 1 : epoll)
xpass: POSIX MQUEUE (confined root - mqueue label 2)
xpass: POSIX MQUEUE (confined root - mqueue label 2 : mq_notify)
xpass: POSIX MQUEUE (confined root - mqueue label 2 : select)
xpass: POSIX MQUEUE (confined root - mqueue label 2 : poll)
xpass: POSIX MQUEUE (confined root - mqueue label 2 : epoll)
xpass: POSIX MQUEUE (confined 1001 - mqueue label 1)
xpass: POSIX MQUEUE (confined 1001 - mqueue label 1 : mq_notify)
xpass: POSIX MQUEUE (confined 1001 - mqueue label 1 : select)
xpass: POSIX MQUEUE (confined 1001 - mqueue label 1 : poll)
xpass: POSIX MQUEUE (confined 1001 - mqueue label 1 : epoll)
xpass: POSIX MQUEUE (confined 1001 - mqueue label 2)
xpass: POSIX MQUEUE (confined 1001 - mqueue label 2 : mq_notify)
xpass: POSIX MQUEUE (confined 1001 - mqueue label 2 : select)
xpass: POSIX MQUEUE (confined 1001 - mqueue label 2 : poll)
xpass: POSIX MQUEUE (confined 1001 - mqueue label 2 : epoll)


[1] https://launchpad.net/qa-regression-testing

** Tags removed: verification-needed-jammy-linux-intel-iotg
** Tags added: verification-done-jammy-linux-intel-iotg

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2045384

Title:
  AppArmor patch for mq-posix interface is missing in jammy

Status in linux package in Ubuntu:
  Triaged
Status in livecd-rootfs package in Ubuntu:
  New
Status in linux source package in Jammy:
  Fix Committed
Status in livecd-rootfs source package in Jammy:
  New





[Kernel-packages] [Bug 2040192] Re: AppArmor spams kernel log with assert when auditing

2024-01-16 Thread Georgia Garcia
Verification passed for mantic-linux-laptop. I ran the AppArmor QA
Regression Tests [1] and the specific prompting tests [2] which were
able to reproduce the issue before. The QA Regression Tests that failed
were due to a timeout because I'm emulating in my machine, but they pass
when the timeout is increased.

georgia@sec-mantic-arm64:~$ uname -a
Linux sec-mantic-arm64 6.5.0-1007-laptop #10-Ubuntu SMP PREEMPT_DYNAMIC Wed Nov 
22 20:27:28 UTC 2023 aarch64 aarch64 aarch64 GNU/Linux

georgia@sec-mantic-arm64:~/apparmor/tests/regression/apparmor$ sudo ./prompt.sh 
xpass: PROMPT (allow (rule link file l)) - root
xpass: PROMPT (allow (flag link file l)) - root
xpass: PROMPT (allow (rule mmap_exec file rwm)) - root
xpass: PROMPT (allow (flag mmap_exec file rwm)) - root
xpass: PROMPT (allow (rule lock file rwk)) - root
xpass: PROMPT (allow (flag lock file rwk)) - root
xpass: PROMPT (allow (rule exec file rix)) - root
xpass: PROMPT (allow (flag exec file rix)) - root
xpass: PROMPT (allow (rule exec file ux)) - root
xpass: PROMPT (allow (flag exec file ux)) - root

georgia@sec-mantic-arm64:~/qrt-test-apparmor$ sudo ./test-apparmor.py
ERROR: test_dbus (__main__.ApparmorTest.test_dbus)
Test dbus apparmor activation from dbus-tests
--
Traceback (most recent call last):
  File "/home/georgia/qrt-test-apparmor/./test-apparmor.py", line 719, in 
test_dbus
rc, report = 
testlib.cmd(['/usr/lib/dbus-1.0/installed-tests/dbus/test-apparmor-activation.sh'],
 
^^^
  File "/home/georgia/qrt-test-apparmor/testlib.py", line 471, in cmd
out, outerr = sp.communicate(input, timeout=timeout)
  ^^
  File "/usr/lib/python3.11/subprocess.py", line 1209, in communicate
stdout, stderr = self._communicate(input, endtime, timeout)
 ^^
  File "/usr/lib/python3.11/subprocess.py", line 2109, in _communicate
self._check_timeout(endtime, orig_timeout, stdout, stderr)
  File "/usr/lib/python3.11/subprocess.py", line 1253, in _check_timeout
raise TimeoutExpired(
subprocess.TimeoutExpired: Command 
'['/usr/lib/dbus-1.0/installed-tests/dbus/test-apparmor-activation.sh']' timed 
out after 5 seconds

-

running attach_disconnected
Fatal Error (unix_fd_server): Unable to run test sub-executable

PASSED: aa_exec access at_secure introspect capabilities changeprofile onexec 
changehat changehat_fork changehat_misc chdir clone coredump deleted e2e 
environ exec exec_qual fchdir fd_inheritance fork i18n link link_subset mkdir 
mmap mount mult_mount named_pipe namespaces net_raw open openat pipe pivot_root 
posix_ipc ptrace pwrite query_label regex rename readdir rw socketpair swap 
sd_flags setattr symlink syscall sysv_ipc tcp unix_fd_server 
unix_socket_pathname unix_socket_abstract unix_socket_unnamed 
unix_socket_autobind unlink userns xattrs xattrs_profile longpath nfs 
dbus_eavesdrop dbus_message dbus_service dbus_unrequested_reply io_uring 
aa_policy_cache exec_stack nnp stackonexec stackprofile
FAILED: attach_disconnected
make: *** [Makefile:402: alltests] Error 1

-

ERROR: test_0 (__main__.TestLogprof.test_0)
test 'ping'
--
Traceback (most recent call last):
  File 
"/tmp/testlib2jc8hiih/source/mantic/apparmor-4.0.0~alpha2/utils/test/common_test.py",
 line 90, in stub_test
self._run_test(test_data, expected)
  File 
"/tmp/testlib2jc8hiih/source/mantic/apparmor-4.0.0~alpha2/utils/test/test-logprof.py",
 line 99, in _run_test
self.process.wait(timeout=0.2)
  File "/usr/lib/python3.11/subprocess.py", line 1264, in wait
return self._wait(timeout=timeout)
   ^^^
  File "/usr/lib/python3.11/subprocess.py", line 2038, in _wait
raise TimeoutExpired(self.args, timeout)
subprocess.TimeoutExpired: Command '['/usr/bin/python3', '../aa-logprof', 
'--json', '--configdir', './', '-f', './logprof/ping.auditlog', '-d', 
'/tmp/aa-test-tkkg1ex3/profiles', '--no-check-mountpoint']' timed out after 0.2 
seconds

--
Ran 62 tests in 43542.817s

FAILED (failures=3, errors=1, skipped=3)


Rerunning failing tests increasing the timeout

georgia@sec-mantic-arm64:~/qrt-test-apparmor$ sudo ./test-apparmor.py 
ApparmorTest.test_dbus
Skipping private tests
.
--
Ran 1 test in 19.786s

OK


georgia@sec-mantic-arm64:~/apparmor-4.0.0~alpha2/tests/regression/apparmor$ 
sudo bash ./attach_disconnected.sh
georgia@sec-mantic-arm64:~/apparmor-4.0.0~alpha2/tests/regression/apparmor$ 
echo $?
0



[Kernel-packages] [Bug 2040245] Re: apparmor oops when racing to retrieve a notification

2024-01-16 Thread Georgia Garcia
Verification passed for mantic-linux-laptop. I ran the AppArmor QA
Regression Tests [1] and specific prompting tests [2]. The QA Regression
Tests that failed were due to a timeout because I'm emulating in my
machine, but they pass when the timeout is increased.

georgia@sec-mantic-arm64:~$ uname -a
Linux sec-mantic-arm64 6.5.0-1007-laptop #10-Ubuntu SMP PREEMPT_DYNAMIC Wed Nov 
22 20:27:28 UTC 2023 aarch64 aarch64 aarch64 GNU/Linux

georgia@sec-mantic-arm64:~/apparmor/tests/regression/apparmor$ sudo ./prompt.sh 
xpass: PROMPT (allow (rule link file l)) - root
xpass: PROMPT (allow (flag link file l)) - root
xpass: PROMPT (allow (rule mmap_exec file rwm)) - root
xpass: PROMPT (allow (flag mmap_exec file rwm)) - root
xpass: PROMPT (allow (rule lock file rwk)) - root
xpass: PROMPT (allow (flag lock file rwk)) - root
xpass: PROMPT (allow (rule exec file rix)) - root
xpass: PROMPT (allow (flag exec file rix)) - root
xpass: PROMPT (allow (rule exec file ux)) - root
xpass: PROMPT (allow (flag exec file ux)) - root

georgia@sec-mantic-arm64:~/qrt-test-apparmor$ sudo ./test-apparmor.py
ERROR: test_dbus (__main__.ApparmorTest.test_dbus)
Test dbus apparmor activation from dbus-tests
--
Traceback (most recent call last):
  File "/home/georgia/qrt-test-apparmor/./test-apparmor.py", line 719, in 
test_dbus
rc, report = 
testlib.cmd(['/usr/lib/dbus-1.0/installed-tests/dbus/test-apparmor-activation.sh'],
 
^^^
  File "/home/georgia/qrt-test-apparmor/testlib.py", line 471, in cmd
out, outerr = sp.communicate(input, timeout=timeout)
  ^^
  File "/usr/lib/python3.11/subprocess.py", line 1209, in communicate
stdout, stderr = self._communicate(input, endtime, timeout)
 ^^
  File "/usr/lib/python3.11/subprocess.py", line 2109, in _communicate
self._check_timeout(endtime, orig_timeout, stdout, stderr)
  File "/usr/lib/python3.11/subprocess.py", line 1253, in _check_timeout
raise TimeoutExpired(
subprocess.TimeoutExpired: Command 
'['/usr/lib/dbus-1.0/installed-tests/dbus/test-apparmor-activation.sh']' timed 
out after 5 seconds

-

running attach_disconnected
Fatal Error (unix_fd_server): Unable to run test sub-executable

PASSED: aa_exec access at_secure introspect capabilities changeprofile onexec 
changehat changehat_fork changehat_misc chdir clone coredump deleted e2e 
environ exec exec_qual fchdir fd_inheritance fork i18n link link_subset mkdir 
mmap mount mult_mount named_pipe namespaces net_raw open openat pipe pivot_root 
posix_ipc ptrace pwrite query_label regex rename readdir rw socketpair swap 
sd_flags setattr symlink syscall sysv_ipc tcp unix_fd_server 
unix_socket_pathname unix_socket_abstract unix_socket_unnamed 
unix_socket_autobind unlink userns xattrs xattrs_profile longpath nfs 
dbus_eavesdrop dbus_message dbus_service dbus_unrequested_reply io_uring 
aa_policy_cache exec_stack nnp stackonexec stackprofile
FAILED: attach_disconnected
make: *** [Makefile:402: alltests] Error 1

-

ERROR: test_0 (__main__.TestLogprof.test_0)
test 'ping'
--
Traceback (most recent call last):
  File 
"/tmp/testlib2jc8hiih/source/mantic/apparmor-4.0.0~alpha2/utils/test/common_test.py",
 line 90, in stub_test
self._run_test(test_data, expected)
  File 
"/tmp/testlib2jc8hiih/source/mantic/apparmor-4.0.0~alpha2/utils/test/test-logprof.py",
 line 99, in _run_test
self.process.wait(timeout=0.2)
  File "/usr/lib/python3.11/subprocess.py", line 1264, in wait
return self._wait(timeout=timeout)
   ^^^
  File "/usr/lib/python3.11/subprocess.py", line 2038, in _wait
raise TimeoutExpired(self.args, timeout)
subprocess.TimeoutExpired: Command '['/usr/bin/python3', '../aa-logprof', 
'--json', '--configdir', './', '-f', './logprof/ping.auditlog', '-d', 
'/tmp/aa-test-tkkg1ex3/profiles', '--no-check-mountpoint']' timed out after 0.2 
seconds

--
Ran 62 tests in 43542.817s

FAILED (failures=3, errors=1, skipped=3)


Rerunning failing tests increasing the timeout

georgia@sec-mantic-arm64:~/qrt-test-apparmor$ sudo ./test-apparmor.py 
ApparmorTest.test_dbus
Skipping private tests
.
--
Ran 1 test in 19.786s

OK


georgia@sec-mantic-arm64:~/apparmor-4.0.0~alpha2/tests/regression/apparmor$ 
sudo bash ./attach_disconnected.sh
georgia@sec-mantic-arm64:~/apparmor-4.0.0~alpha2/tests/regression/apparmor$ 
echo $?
0


georgia@sec-mantic-arm64:~/apparmor-4.0.0~alpha2/utils/test$ python3 

[Kernel-packages] [Bug 2040250] Re: apparmor notification files verification

2024-01-16 Thread Georgia Garcia
Verification passed for mantic-linux-laptop. I ran the AppArmor QA
Regression Tests [1] and specific prompting tests [2]. The QA Regression
Tests that failed were due to a timeout because I'm emulating in my
machine, but they pass when the timeout is increased.

georgia@sec-mantic-arm64:~$ uname -a
Linux sec-mantic-arm64 6.5.0-1007-laptop #10-Ubuntu SMP PREEMPT_DYNAMIC Wed Nov 
22 20:27:28 UTC 2023 aarch64 aarch64 aarch64 GNU/Linux

georgia@sec-mantic-arm64:~/apparmor/tests/regression/apparmor$ sudo ./prompt.sh 
xpass: PROMPT (allow (rule link file l)) - root
xpass: PROMPT (allow (flag link file l)) - root
xpass: PROMPT (allow (rule mmap_exec file rwm)) - root
xpass: PROMPT (allow (flag mmap_exec file rwm)) - root
xpass: PROMPT (allow (rule lock file rwk)) - root
xpass: PROMPT (allow (flag lock file rwk)) - root
xpass: PROMPT (allow (rule exec file rix)) - root
xpass: PROMPT (allow (flag exec file rix)) - root
xpass: PROMPT (allow (rule exec file ux)) - root
xpass: PROMPT (allow (flag exec file ux)) - root

georgia@sec-mantic-arm64:~/qrt-test-apparmor$ sudo ./test-apparmor.py
ERROR: test_dbus (__main__.ApparmorTest.test_dbus)
Test dbus apparmor activation from dbus-tests
--
Traceback (most recent call last):
  File "/home/georgia/qrt-test-apparmor/./test-apparmor.py", line 719, in 
test_dbus
rc, report = 
testlib.cmd(['/usr/lib/dbus-1.0/installed-tests/dbus/test-apparmor-activation.sh'],
 
^^^
  File "/home/georgia/qrt-test-apparmor/testlib.py", line 471, in cmd
out, outerr = sp.communicate(input, timeout=timeout)
  ^^
  File "/usr/lib/python3.11/subprocess.py", line 1209, in communicate
stdout, stderr = self._communicate(input, endtime, timeout)
 ^^
  File "/usr/lib/python3.11/subprocess.py", line 2109, in _communicate
self._check_timeout(endtime, orig_timeout, stdout, stderr)
  File "/usr/lib/python3.11/subprocess.py", line 1253, in _check_timeout
raise TimeoutExpired(
subprocess.TimeoutExpired: Command 
'['/usr/lib/dbus-1.0/installed-tests/dbus/test-apparmor-activation.sh']' timed 
out after 5 seconds

-

running attach_disconnected
Fatal Error (unix_fd_server): Unable to run test sub-executable

PASSED: aa_exec access at_secure introspect capabilities changeprofile onexec 
changehat changehat_fork changehat_misc chdir clone coredump deleted e2e 
environ exec exec_qual fchdir fd_inheritance fork i18n link link_subset mkdir 
mmap mount mult_mount named_pipe namespaces net_raw open openat pipe pivot_root 
posix_ipc ptrace pwrite query_label regex rename readdir rw socketpair swap 
sd_flags setattr symlink syscall sysv_ipc tcp unix_fd_server 
unix_socket_pathname unix_socket_abstract unix_socket_unnamed 
unix_socket_autobind unlink userns xattrs xattrs_profile longpath nfs 
dbus_eavesdrop dbus_message dbus_service dbus_unrequested_reply io_uring 
aa_policy_cache exec_stack nnp stackonexec stackprofile
FAILED: attach_disconnected
make: *** [Makefile:402: alltests] Error 1

-

ERROR: test_0 (__main__.TestLogprof.test_0)
test 'ping'
--
Traceback (most recent call last):
  File 
"/tmp/testlib2jc8hiih/source/mantic/apparmor-4.0.0~alpha2/utils/test/common_test.py",
 line 90, in stub_test
self._run_test(test_data, expected)
  File 
"/tmp/testlib2jc8hiih/source/mantic/apparmor-4.0.0~alpha2/utils/test/test-logprof.py",
 line 99, in _run_test
self.process.wait(timeout=0.2)
  File "/usr/lib/python3.11/subprocess.py", line 1264, in wait
return self._wait(timeout=timeout)
   ^^^
  File "/usr/lib/python3.11/subprocess.py", line 2038, in _wait
raise TimeoutExpired(self.args, timeout)
subprocess.TimeoutExpired: Command '['/usr/bin/python3', '../aa-logprof', 
'--json', '--configdir', './', '-f', './logprof/ping.auditlog', '-d', 
'/tmp/aa-test-tkkg1ex3/profiles', '--no-check-mountpoint']' timed out after 0.2 
seconds

--
Ran 62 tests in 43542.817s

FAILED (failures=3, errors=1, skipped=3)


Rerunning failing tests increasing the timeout

georgia@sec-mantic-arm64:~/qrt-test-apparmor$ sudo ./test-apparmor.py 
ApparmorTest.test_dbus
Skipping private tests
.
--
Ran 1 test in 19.786s

OK


georgia@sec-mantic-arm64:~/apparmor-4.0.0~alpha2/tests/regression/apparmor$ 
sudo bash ./attach_disconnected.sh
georgia@sec-mantic-arm64:~/apparmor-4.0.0~alpha2/tests/regression/apparmor$ 
echo $?
0


georgia@sec-mantic-arm64:~/apparmor-4.0.0~alpha2/utils/test$ python3 

[Kernel-packages] [Bug 2040194] Re: apparmor restricts read access of user namespace mediation sysctls to root

2024-01-16 Thread Georgia Garcia
Verification passed for mantic-linux-laptop. I ran the AppArmor QA
Regression Tests [1] and checked file permissions for
/proc/sys/kernel/*unprivileged*. The QA Regression Tests that failed
were due to a timeout because I'm emulating in my machine, but they pass
when the timeout is increased.

georgia@sec-mantic-arm64:~$ uname -a
Linux sec-mantic-arm64 6.5.0-1007-laptop #10-Ubuntu SMP PREEMPT_DYNAMIC Wed Nov 
22 20:27:28 UTC 2023 aarch64 aarch64 aarch64 GNU/Linux

georgia@sec-mantic-arm64:~$ ll /proc/sys/kernel/*unprivileged*
-rw------- 1 root root 0 Jan 12 18:38 /proc/sys/kernel/apparmor_restrict_unprivileged_io_uring
-rw-r--r-- 1 root root 0 Jan 12 18:38 /proc/sys/kernel/apparmor_restrict_unprivileged_unconfined
-rw-r--r-- 1 root root 0 Jan 12 18:36 /proc/sys/kernel/apparmor_restrict_unprivileged_userns
-rw------- 1 root root 0 Jan 12 18:38 /proc/sys/kernel/apparmor_restrict_unprivileged_userns_complain
-rw------- 1 root root 0 Jan 12 18:38 /proc/sys/kernel/apparmor_restrict_unprivileged_userns_force
-rw-r--r-- 1 root root 0 Jan 12 18:38 /proc/sys/kernel/unprivileged_bpf_disabled
-rw------- 1 root root 0 Jan 12 18:38 /proc/sys/kernel/unprivileged_userns_apparmor_policy
-rw-r--r-- 1 root root 0 Jan 12 18:38 /proc/sys/kernel/unprivileged_userns_clone

georgia@sec-mantic-arm64:~/qrt-test-apparmor$ sudo ./test-apparmor.py
ERROR: test_dbus (__main__.ApparmorTest.test_dbus)
Test dbus apparmor activation from dbus-tests
--
Traceback (most recent call last):
  File "/home/georgia/qrt-test-apparmor/./test-apparmor.py", line 719, in 
test_dbus
rc, report = 
testlib.cmd(['/usr/lib/dbus-1.0/installed-tests/dbus/test-apparmor-activation.sh'],
 
^^^
  File "/home/georgia/qrt-test-apparmor/testlib.py", line 471, in cmd
out, outerr = sp.communicate(input, timeout=timeout)
  ^^
  File "/usr/lib/python3.11/subprocess.py", line 1209, in communicate
stdout, stderr = self._communicate(input, endtime, timeout)
 ^^
  File "/usr/lib/python3.11/subprocess.py", line 2109, in _communicate
self._check_timeout(endtime, orig_timeout, stdout, stderr)
  File "/usr/lib/python3.11/subprocess.py", line 1253, in _check_timeout
raise TimeoutExpired(
subprocess.TimeoutExpired: Command 
'['/usr/lib/dbus-1.0/installed-tests/dbus/test-apparmor-activation.sh']' timed 
out after 5 seconds

-

running attach_disconnected
Fatal Error (unix_fd_server): Unable to run test sub-executable

PASSED: aa_exec access at_secure introspect capabilities changeprofile onexec 
changehat changehat_fork changehat_misc chdir clone coredump deleted e2e 
environ exec exec_qual fchdir fd_inheritance fork i18n link link_subset mkdir 
mmap mount mult_mount named_pipe namespaces net_raw open openat pipe pivot_root 
posix_ipc ptrace pwrite query_label regex rename readdir rw socketpair swap 
sd_flags setattr symlink syscall sysv_ipc tcp unix_fd_server 
unix_socket_pathname unix_socket_abstract unix_socket_unnamed 
unix_socket_autobind unlink userns xattrs xattrs_profile longpath nfs 
dbus_eavesdrop dbus_message dbus_service dbus_unrequested_reply io_uring 
aa_policy_cache exec_stack nnp stackonexec stackprofile
FAILED: attach_disconnected
make: *** [Makefile:402: alltests] Error 1

-

ERROR: test_0 (__main__.TestLogprof.test_0)
test 'ping'
--
Traceback (most recent call last):
  File 
"/tmp/testlib2jc8hiih/source/mantic/apparmor-4.0.0~alpha2/utils/test/common_test.py",
 line 90, in stub_test
self._run_test(test_data, expected)
  File 
"/tmp/testlib2jc8hiih/source/mantic/apparmor-4.0.0~alpha2/utils/test/test-logprof.py",
 line 99, in _run_test
self.process.wait(timeout=0.2)
  File "/usr/lib/python3.11/subprocess.py", line 1264, in wait
return self._wait(timeout=timeout)
   ^^^
  File "/usr/lib/python3.11/subprocess.py", line 2038, in _wait
raise TimeoutExpired(self.args, timeout)
subprocess.TimeoutExpired: Command '['/usr/bin/python3', '../aa-logprof', 
'--json', '--configdir', './', '-f', './logprof/ping.auditlog', '-d', 
'/tmp/aa-test-tkkg1ex3/profiles', '--no-check-mountpoint']' timed out after 0.2 
seconds

--
Ran 62 tests in 43542.817s

FAILED (failures=3, errors=1, skipped=3)


Rerunning failing tests increasing the timeout

georgia@sec-mantic-arm64:~/qrt-test-apparmor$ sudo ./test-apparmor.py 
ApparmorTest.test_dbus
Skipping private tests
.
--
Ran 1 test in 19.786s

OK



[Kernel-packages] [Bug 2040250] Re: apparmor notification files verification

2024-01-12 Thread Georgia Garcia
Verification passed for jammy-linux-nvidia-6.5. I ran the AppArmor QA
Regression Tests [1] and specific prompting tests [2].

georgia@sec-jammy-amd64:~$ uname -a
Linux sec-jammy-amd64 6.5.0-1007-nvidia #7-Ubuntu SMP PREEMPT_DYNAMIC Wed Dec 6 
01:27:37 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

georgia@sec-jammy-amd64:~/apparmor/tests/regression/apparmor$ sudo ./prompt.sh
xpass: PROMPT (allow (rule link file l)) - root
xpass: PROMPT (allow (flag link file l)) - root
xpass: PROMPT (allow (rule mmap_exec file rwm)) - root
xpass: PROMPT (allow (flag mmap_exec file rwm)) - root
xpass: PROMPT (allow (rule lock file rwk)) - root
xpass: PROMPT (allow (flag lock file rwk)) - root
xpass: PROMPT (allow (rule exec file rix)) - root
xpass: PROMPT (allow (flag exec file rix)) - root
xpass: PROMPT (allow (rule exec file ux)) - root
xpass: PROMPT (allow (flag exec file ux)) - root

georgia@sec-jammy-amd64:~/qrt-test-apparmor$ sudo ./test-apparmor.py
.
--
Ran 62 tests in 1435.853s

OK (skipped=2)

[1] https://launchpad.net/qa-regression-testing
[2] https://gitlab.com/georgiag/apparmor/-/tree/prompt-regression-tests

** Tags removed: verification-needed-jammy-linux-nvidia-6.5
** Tags added: verification-done-jammy-linux-nvidia-6.5

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2040250

Title:
  apparmor notification files verification

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Mantic:
  Fix Committed

Bug description:
  apparmor notifications on the 6.5 kernel are failing verification
  between the header size and the returned size.

  When strings are appended to the notification the header size should
  be updated to reflect the correct size. While the size is also
  directly returned as part of delivering the notification, the header
  should also be updated to conform to specification and allow for
  verification.

  If verification is enabled and the notification contains appended
  strings then notifications fail verification and won't be delivered.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2040250/+subscriptions
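The header-size mismatch the bug description above refers to, as an added example in C that is not code from the page or from the AppArmor project: it uses an assumed, simplified header layout (`struct notif_hdr`) and constructed sample strings, and shows why a notification with appended strings is dropped by the receiver's length check when the header length is not updated, and accepted once it is.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NOTIF_MAX 256   /* size of the constructed delivery buffer */

/* Assumed, simplified header; the real AppArmor notification layout is
 * not reproduced here. `len` is meant to cover the whole message,
 * header included. */
struct notif_hdr {
    uint16_t len;
    uint16_t version;
};

/* Constructed sample strings that a notification might carry. */
static const char *const sample_strs[] = { "/usr/bin/foo", "profile" };

/* Sender-side builder (model). Writes the header, appends `nstrs`
 * NUL-terminated strings and returns the number of bytes delivered.
 * With fix_header == false the header keeps its pre-append length,
 * which is the bug; with true it is updated after the strings are
 * appended, which is the fix. Returns 0 if the buffer is too small. */
size_t build_notification(uint8_t *buf, size_t bufsz,
                          const char *const *strs, size_t nstrs,
                          bool fix_header)
{
    struct notif_hdr hdr = { .len = sizeof hdr, .version = 3 };
    size_t off = sizeof hdr;

    if (bufsz < off)
        return 0;
    for (size_t i = 0; i < nstrs; i++) {
        size_t n = strlen(strs[i]) + 1;       /* keep the NUL terminator */
        if (off + n > bufsz)
            return 0;                         /* would overflow the buffer */
        memcpy(buf + off, strs[i], n);
        off += n;
    }
    if (fix_header)
        hdr.len = (uint16_t)off;              /* header now counts the appended strings */
    memcpy(buf, &hdr, sizeof hdr);
    return off;
}

/* Receiver-side verification: the header must claim exactly the number
 * of bytes that were returned, otherwise the notification is dropped. */
bool verify_notification(const uint8_t *buf, size_t returned)
{
    struct notif_hdr hdr;

    if (returned < sizeof hdr)
        return false;
    memcpy(&hdr, buf, sizeof hdr);
    return hdr.len == returned;
}

/* Builds a notification with the first `nstrs` sample strings and reports
 * whether the receiver's verification accepts it. */
bool notification_accepted(size_t nstrs, bool fix_header)
{
    uint8_t buf[NOTIF_MAX];
    size_t total = sizeof sample_strs / sizeof sample_strs[0];
    size_t n;

    if (nstrs > total)
        nstrs = total;
    n = build_notification(buf, sizeof buf, sample_strs, nstrs, fix_header);
    return n != 0 && verify_notification(buf, n);
}

int main(void)
{
    /* Without appended strings the stale header still matches, so the
     * bug is invisible; it only shows once strings are appended. */
    printf("no strings, buggy header : %s\n",
           notification_accepted(0, false) ? "accepted" : "dropped");
    printf("two strings, buggy header: %s\n",
           notification_accepted(2, false) ? "accepted" : "dropped");
    printf("two strings, fixed header: %s\n",
           notification_accepted(2, true) ? "accepted" : "dropped");
    return 0;
}
```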




[Kernel-packages] [Bug 2040250] Re: apparmor notification files verification

2024-01-12 Thread Georgia Garcia
Verification passed for jammy-linux-hwe-6.5. I ran the AppArmor QA
Regression Tests [1] and specific prompting tests [2].

georgia@sec-jammy-amd64:~$ uname -a
Linux sec-jammy-amd64 6.5.0-14-generic #14~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC 
Mon Nov 20 18:15:30 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

georgia@sec-jammy-amd64:~/apparmor/tests/regression/apparmor$ sudo ./prompt.sh
xpass: PROMPT (allow (rule link file l)) - root
xpass: PROMPT (allow (flag link file l)) - root
xpass: PROMPT (allow (rule mmap_exec file rwm)) - root
xpass: PROMPT (allow (flag mmap_exec file rwm)) - root
xpass: PROMPT (allow (rule lock file rwk)) - root
xpass: PROMPT (allow (flag lock file rwk)) - root
xpass: PROMPT (allow (rule exec file rix)) - root
xpass: PROMPT (allow (flag exec file rix)) - root
xpass: PROMPT (allow (rule exec file ux)) - root
xpass: PROMPT (allow (flag exec file ux)) - root

georgia@sec-jammy-amd64:~/qrt-test-apparmor$ sudo ./test-apparmor.py

.
--
Ran 62 tests in 1360.734s

OK (skipped=2)

[1] https://launchpad.net/qa-regression-testing
[2] https://gitlab.com/georgiag/apparmor/-/tree/prompt-regression-tests

** Tags removed: verification-needed-jammy-linux-hwe-6.5
** Tags added: verification-done-jammy-linux-hwe-6.5



[Kernel-packages] [Bug 2040250] Re: apparmor notification files verification

2024-01-12 Thread Georgia Garcia
Verification passed for jammy-linux-lowlatency-hwe-6.5. I ran the
AppArmor QA Regression Tests [1] and specific prompting tests [2].

georgia@sec-jammy-amd64:~$ uname -a
Linux sec-jammy-amd64 6.5.0-14-lowlatency #14.1~22.04.1-Ubuntu SMP 
PREEMPT_DYNAMIC Wed Nov 22 16:24:11 UTC x86_64 x86_64 x86_64 GNU/Linux

georgia@sec-jammy-amd64:~/apparmor/tests/regression/apparmor$ sudo ./prompt.sh
[sudo] password for georgia:
xpass: PROMPT (allow (rule link file l)) - root
xpass: PROMPT (allow (flag link file l)) - root
xpass: PROMPT (allow (rule mmap_exec file rwm)) - root
xpass: PROMPT (allow (flag mmap_exec file rwm)) - root
xpass: PROMPT (allow (rule lock file rwk)) - root
xpass: PROMPT (allow (flag lock file rwk)) - root
xpass: PROMPT (allow (rule exec file rix)) - root
xpass: PROMPT (allow (flag exec file rix)) - root
xpass: PROMPT (allow (rule exec file ux)) - root
xpass: PROMPT (allow (flag exec file ux)) - root

georgia@sec-jammy-amd64:~/qrt-test-apparmor$ sudo ./test-apparmor.py
.
--
Ran 62 tests in 1366.317s

OK (skipped=2)

[1] https://launchpad.net/qa-regression-testing
[2] https://gitlab.com/georgiag/apparmor/-/tree/prompt-regression-tests

** Tags removed: verification-needed-jammy-linux-lowlatency-hwe-6.5
** Tags added: verification-done-jammy-linux-lowlatency-hwe-6.5



[Kernel-packages] [Bug 2040250] Re: apparmor notification files verification

2024-01-12 Thread Georgia Garcia
Verification passed for linux azure. I ran the AppArmor QA Regression
Tests [1] and specific prompting tests [2].

georgia@sec-mantic-amd64:~$ uname -a
Linux sec-mantic-amd64 6.5.0-1010-azure #10-Ubuntu SMP Mon Nov 20 20:14:42 UTC 
2023 x86_64 x86_64 x86_64 GNU/Linux

georgia@sec-mantic-amd64:~/apparmor/tests/regression/apparmor$ sudo ./prompt.sh
xpass: PROMPT (allow (rule link file l)) - root
xpass: PROMPT (allow (flag link file l)) - root
xpass: PROMPT (allow (rule mmap_exec file rwm)) - root
xpass: PROMPT (allow (flag mmap_exec file rwm)) - root
xpass: PROMPT (allow (rule lock file rwk)) - root
xpass: PROMPT (allow (flag lock file rwk)) - root
xpass: PROMPT (allow (rule exec file rix)) - root
xpass: PROMPT (allow (flag exec file rix)) - root
xpass: PROMPT (allow (rule exec file ux)) - root
xpass: PROMPT (allow (flag exec file ux)) - root

georgia@sec-mantic-amd64:~/qrt-test-apparmor$ sudo ./test-apparmor.py
.
--
Ran 62 tests in 1300.394s

OK (skipped=3)

[1] https://launchpad.net/qa-regression-testing
[2] https://gitlab.com/georgiag/apparmor/-/tree/prompt-regression-tests

** Tags removed: verification-needed-mantic-linux-azure
** Tags added: verification-done-mantic-linux-azure



[Kernel-packages] [Bug 2040250] Re: apparmor notification files verification

2024-01-12 Thread Georgia Garcia
Verification passed for linux gcp. I ran the AppArmor QA Regression
Tests [1] and specific prompting tests [2].

georgia@sec-mantic-amd64:~$ uname -a
Linux sec-mantic-amd64 6.5.0-1010-gcp #10-Ubuntu SMP Fri Nov 17 21:33:36 UTC 
2023 x86_64 x86_64 x86_64 GNU/Linux

georgia@sec-mantic-amd64:~/apparmor/tests/regression/apparmor$ sudo ./prompt.sh
xpass: PROMPT (allow (rule link file l)) - root
xpass: PROMPT (allow (flag link file l)) - root
xpass: PROMPT (allow (rule mmap_exec file rwm)) - root
xpass: PROMPT (allow (flag mmap_exec file rwm)) - root
xpass: PROMPT (allow (rule lock file rwk)) - root
xpass: PROMPT (allow (flag lock file rwk)) - root
xpass: PROMPT (allow (rule exec file rix)) - root
xpass: PROMPT (allow (flag exec file rix)) - root
xpass: PROMPT (allow (rule exec file ux)) - root
xpass: PROMPT (allow (flag exec file ux)) - root

georgia@sec-mantic-amd64:~/qrt-test-apparmor$ sudo ./test-apparmor.py
.
--
Ran 62 tests in 1325.124s

OK (skipped=3)

[1] https://launchpad.net/qa-regression-testing
[2] https://gitlab.com/georgiag/apparmor/-/tree/prompt-regression-tests

** Tags removed: verification-needed-mantic-linux-gcp
** Tags added: verification-done-mantic-linux-gcp

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2040250

Title:
  apparmor notification files verification

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Mantic:
  Fix Committed



[Kernel-packages] [Bug 2040245] Re: apparmor oops when racing to retrieve a notification

2024-01-12 Thread Georgia Garcia
Verification passed for mantic-linux-lowlatency. I ran the AppArmor QA
Regression Tests [1] and specific prompting tests [2].

georgia@sec-mantic-amd64:~$ uname -a
Linux sec-mantic-amd64 6.5.0-14-lowlatency #14.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Nov 20 13:01:26 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

georgia@sec-mantic-amd64:~/apparmor/tests/regression/apparmor$ sudo ./prompt.sh 
xpass: PROMPT (allow (rule link file l)) - root
xpass: PROMPT (allow (flag link file l)) - root
xpass: PROMPT (allow (rule mmap_exec file rwm)) - root
xpass: PROMPT (allow (flag mmap_exec file rwm)) - root
xpass: PROMPT (allow (rule lock file rwk)) - root
xpass: PROMPT (allow (flag lock file rwk)) - root
xpass: PROMPT (allow (rule exec file rix)) - root
xpass: PROMPT (allow (flag exec file rix)) - root
xpass: PROMPT (allow (rule exec file ux)) - root
xpass: PROMPT (allow (flag exec file ux)) - root

georgia@sec-mantic-amd64:~/qrt-test-apparmor$ sudo ./test-apparmor.py
.
--
Ran 62 tests in 1745.243s

OK (skipped=3)

[1] https://launchpad.net/qa-regression-testing
[2] https://gitlab.com/georgiag/apparmor/-/tree/prompt-regression-tests

** Tags removed: verification-needed-mantic-linux-lowlatency
** Tags added: verification-done-mantic-linux-lowlatency

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2040245

Title:
  apparmor oops when racing to retrieve a notification

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Mantic:
  Fix Committed

Bug description:
  When there is a race to receive a notification, the failing tasks
  oops when erroring

  [  196.140988] BUG: kernel NULL pointer dereference, address: 
  [  196.140995] #PF: supervisor read access in kernel mode
  [  196.140996] #PF: error_code(0x) - not-present page
  [  196.140997] PGD 0 P4D 0
  [  196.140999] Oops:  [#1] PREEMPT SMP NOPTI
  [  196.141001] CPU: 0 PID: 2316 Comm: aa-prompt Not tainted 6.5.0-9-generic #9-Ubuntu
  [  196.141004] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
  [  196.141005] RIP: 0010:aa_listener_unotif_recv+0x11d/0x260
  [  196.141011] Code: ff ff ff 8b 55 d0 48 8b 75 c8 4c 89 ef e8 6b db ff ff 49 89 c2 48 85 c0 0f 88 c0 00 00 00 0f 84 25 ff ff ff 8b 05 3b 1c 1f 03 <49> 8b 55 00 83 e0 20 83 7a 08 07 74 66 85 c0 0f 85 01 01 00 00 48
  [  196.141012] RSP: 0018:a2674075fdd8 EFLAGS: 00010246
  [  196.141014] RAX:  RBX: 974507a08404 RCX: 0000
  [  196.141017] RDX:  RSI:  RDI: 0000
  [  196.141017] RBP: a2674075fe10 R08:  R09: 0000
  [  196.141018] R10: fffe R11:  R12: 974507a08400
  [  196.141019] R13:  R14: 974507a08430 R15: 97451de00a00
  [  196.141020] FS:  7f4ab6b30740() GS:97486fa0() knlGS:
  [  196.141022] CS:  0010 DS:  ES:  CR0: 80050033
  [  196.141024] CR2:  CR3: 000104cf2003 CR4: 00770ef0
  [  196.141026] PKRU: 5554
  [  196.141027] Call Trace:
  [  196.141032]
  [  196.141034]  ? show_regs+0x6d/0x80
  [  196.141041]  ? __die+0x24/0x80
  [  196.141043]  ? page_fault_oops+0x99/0x1b0
  [  196.141047]  ? do_user_addr_fault+0x316/0x6b0
  [  196.141048]  ? filemap_map_pages+0x2b3/0x460

[Kernel-packages] [Bug 2040194] Re: apparmor restricts read access of user namespace mediation sysctls to root

2024-01-12 Thread Georgia Garcia
Verification passed for mantic-linux-lowlatency. I ran the AppArmor QA
Regression Tests [1] and checked file permissions for
/proc/sys/kernel/*unprivileged*.

georgia@sec-mantic-amd64:~$ uname -a
Linux sec-mantic-amd64 6.5.0-14-lowlatency #14.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Nov 20 13:01:26 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

georgia@sec-mantic-amd64:~$ ll /proc/sys/kernel/*unprivileged*
-rw--- 1 root root 0 Jan 12 14:22 /proc/sys/kernel/apparmor_restrict_unprivileged_io_uring
-rw-r--r-- 1 root root 0 Jan 12 14:19 /proc/sys/kernel/apparmor_restrict_unprivileged_unconfined
-rw-r--r-- 1 root root 0 Jan 12 14:19 /proc/sys/kernel/apparmor_restrict_unprivileged_userns
-rw--- 1 root root 0 Jan 12 14:22 /proc/sys/kernel/apparmor_restrict_unprivileged_userns_complain
-rw--- 1 root root 0 Jan 12 14:22 /proc/sys/kernel/apparmor_restrict_unprivileged_userns_force
-rw-r--r-- 1 root root 0 Jan 12 14:22 /proc/sys/kernel/unprivileged_bpf_disabled
-rw--- 1 root root 0 Jan 12 14:22 /proc/sys/kernel/unprivileged_userns_apparmor_policy
-rw-r--r-- 1 root root 0 Jan 12 14:19 /proc/sys/kernel/unprivileged_userns_clone

georgia@sec-mantic-amd64:~/qrt-test-apparmor$ sudo ./test-apparmor.py
.
--
Ran 62 tests in 1745.243s

OK (skipped=3)

[1] https://launchpad.net/qa-regression-testing

** Tags removed: verification-needed-mantic-linux-lowlatency
** Tags added: verification-done-mantic-linux-lowlatency

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2040194

Title:
  apparmor restricts read access of user namespace mediation sysctls to
  root

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Mantic:
  Fix Committed

Bug description:
  lxc and lxd currently need to determine if the apparmor restrictions
  on unprivileged user namespaces are being enforced, so that apparmor
  restrictions won't break lxc/d, and they won't clutter the logs
  by doing something like

    unshare true

  to test if the restrictions are being enforced.

  Ideally access to this information would be restricted so that any
  unknown access would be logged, but lxc/d currently aren't ready for
  this so in order to _not_ force lxc/d to probe whether enforcement is
  enabled, open up read access to the sysctls for unprivileged user
  namespace mediation.

  https://github.com/canonical/lxd/issues/11920#issuecomment-1756110109

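
Added example (not part of the bug report, of lxc/lxd or of the kernel): a small C probe for the sysctls listed in the ll output above that reads the value without exercising the restricted operation, and that keeps "read refused" separate from "sysctl absent", since the former is the case in which a container manager would otherwise fall back to an unshare probe. The enum, function names and the constructed-file helper are this example's own; the three paths in main() are the ones shown on this page.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Result of reading one mediation sysctl. Telling "unreadable" apart from
 * "absent" is the point of the bug above: with mode 0600 an unprivileged
 * lxc/lxd cannot learn whether enforcement is on except by trying the
 * restricted operation, which then shows up in the logs as a denial. */
enum sysctl_state {
    SYSCTL_DISABLED   =  0,  /* readable, value 0 */
    SYSCTL_ENABLED    =  1,  /* readable, non-zero value */
    SYSCTL_ABSENT     = -1,  /* ENOENT: this kernel does not expose it */
    SYSCTL_UNREADABLE = -2,  /* exists but the read was refused */
    SYSCTL_MALFORMED  = -3,  /* readable but not a decimal integer */
};

/* Read an integer sysctl; never writes and never probes the feature. */
enum sysctl_state probe_sysctl(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return errno == ENOENT ? SYSCTL_ABSENT : SYSCTL_UNREADABLE;

    char buf[32];
    char *line = fgets(buf, sizeof buf, f);
    fclose(f);
    if (!line)
        return SYSCTL_MALFORMED;

    char *end;
    long v = strtol(buf, &end, 10);
    if (end == buf || (*end != '\n' && *end != '\0'))
        return SYSCTL_MALFORMED;
    return v != 0 ? SYSCTL_ENABLED : SYSCTL_DISABLED;
}

const char *sysctl_state_name(enum sysctl_state s)
{
    switch (s) {
    case SYSCTL_DISABLED:   return "not enforced";
    case SYSCTL_ENABLED:    return "enforced";
    case SYSCTL_ABSENT:     return "sysctl absent";
    case SYSCTL_UNREADABLE: return "unreadable (cannot tell without a probe)";
    case SYSCTL_MALFORMED:  return "malformed";
    }
    return "unknown";
}

/* Writes a constructed sysctl-like file so the probe can be exercised
 * away from a real kernel; used only by demos and tests. */
int write_text_file(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (!f)
        return -1;
    int ok = fputs(text, f) >= 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

int main(void)
{
    /* Paths from the ll output above; the result depends on the running
     * kernel and on whether this process may read 0600 files. */
    const char *paths[] = {
        "/proc/sys/kernel/apparmor_restrict_unprivileged_userns",
        "/proc/sys/kernel/apparmor_restrict_unprivileged_unconfined",
        "/proc/sys/kernel/unprivileged_userns_apparmor_policy",
    };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%s: %s\n", paths[i], sysctl_state_name(probe_sysctl(paths[i])));
    return 0;
}
```

On a kernel with the fix, an unprivileged run reports "enforced" or "not enforced" for the 0644 entries; on a kernel without it the same call returns SYSCTL_UNREADABLE, which is exactly the state in which lxc/lxd had to resort to the unshare probe the report wants to avoid.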


[Kernel-packages] [Bug 2040245] Re: apparmor oops when racing to retrieve a notification

2024-01-12 Thread Georgia Garcia
Verification passed for jammy-linux-nvidia-6.5. I ran the AppArmor QA
Regression Tests [1] and specific prompting tests [2].

georgia@sec-jammy-amd64:~$ uname -a
Linux sec-jammy-amd64 6.5.0-1007-nvidia #7-Ubuntu SMP PREEMPT_DYNAMIC Wed Dec 6 01:27:37 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

georgia@sec-jammy-amd64:~/apparmor/tests/regression/apparmor$ sudo ./prompt.sh
xpass: PROMPT (allow (rule link file l)) - root
xpass: PROMPT (allow (flag link file l)) - root
xpass: PROMPT (allow (rule mmap_exec file rwm)) - root
xpass: PROMPT (allow (flag mmap_exec file rwm)) - root
xpass: PROMPT (allow (rule lock file rwk)) - root
xpass: PROMPT (allow (flag lock file rwk)) - root
xpass: PROMPT (allow (rule exec file rix)) - root
xpass: PROMPT (allow (flag exec file rix)) - root
xpass: PROMPT (allow (rule exec file ux)) - root
xpass: PROMPT (allow (flag exec file ux)) - root

georgia@sec-jammy-amd64:~/qrt-test-apparmor$ sudo ./test-apparmor.py
.
--
Ran 62 tests in 1435.853s

OK (skipped=2)

[1] https://launchpad.net/qa-regression-testing
[2] https://gitlab.com/georgiag/apparmor/-/tree/prompt-regression-tests

** Tags removed: verification-needed-jammy-linux-nvidia-6.5
** Tags added: verification-done-jammy-linux-nvidia-6.5

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2040245

Title:
  apparmor oops when racing to retrieve a notification

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Mantic:
  Fix Committed


[Kernel-packages] [Bug 2040245] Re: apparmor oops when racing to retrieve a notification

2024-01-12 Thread Georgia Garcia
Verification passed for jammy-linux-hwe-6.5. I ran the AppArmor QA
Regression Tests [1] and specific prompting tests [2].

georgia@sec-jammy-amd64:~$ uname -a
Linux sec-jammy-amd64 6.5.0-14-generic #14~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Nov 20 18:15:30 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

georgia@sec-jammy-amd64:~/apparmor/tests/regression/apparmor$ sudo ./prompt.sh
xpass: PROMPT (allow (rule link file l)) - root
xpass: PROMPT (allow (flag link file l)) - root
xpass: PROMPT (allow (rule mmap_exec file rwm)) - root
xpass: PROMPT (allow (flag mmap_exec file rwm)) - root
xpass: PROMPT (allow (rule lock file rwk)) - root
xpass: PROMPT (allow (flag lock file rwk)) - root
xpass: PROMPT (allow (rule exec file rix)) - root
xpass: PROMPT (allow (flag exec file rix)) - root
xpass: PROMPT (allow (rule exec file ux)) - root
xpass: PROMPT (allow (flag exec file ux)) - root

georgia@sec-jammy-amd64:~/qrt-test-apparmor$ sudo ./test-apparmor.py

.
--
Ran 62 tests in 1360.734s

OK (skipped=2)

[1] https://launchpad.net/qa-regression-testing
[2] https://gitlab.com/georgiag/apparmor/-/tree/prompt-regression-tests

** Tags removed: verification-needed-jammy-linux-hwe-6.5
** Tags added: verification-done-jammy-linux-hwe-6.5

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2040245

Title:
  apparmor oops when racing to retrieve a notification

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Mantic:
  Fix Committed


[Kernel-packages] [Bug 2040245] Re: apparmor oops when racing to retrieve a notification

2024-01-12 Thread Georgia Garcia
Verification passed for linux azure. I ran the AppArmor QA Regression
Tests [1] and specific prompting tests [2].

georgia@sec-mantic-amd64:~$ uname -a
Linux sec-mantic-amd64 6.5.0-1010-azure #10-Ubuntu SMP Mon Nov 20 20:14:42 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

georgia@sec-mantic-amd64:~/apparmor/tests/regression/apparmor$ sudo ./prompt.sh
xpass: PROMPT (allow (rule link file l)) - root
xpass: PROMPT (allow (flag link file l)) - root
xpass: PROMPT (allow (rule mmap_exec file rwm)) - root
xpass: PROMPT (allow (flag mmap_exec file rwm)) - root
xpass: PROMPT (allow (rule lock file rwk)) - root
xpass: PROMPT (allow (flag lock file rwk)) - root
xpass: PROMPT (allow (rule exec file rix)) - root
xpass: PROMPT (allow (flag exec file rix)) - root
xpass: PROMPT (allow (rule exec file ux)) - root
xpass: PROMPT (allow (flag exec file ux)) - root

georgia@sec-mantic-amd64:~/qrt-test-apparmor$ sudo ./test-apparmor.py
.
--
Ran 62 tests in 1300.394s

OK (skipped=3)

[1] https://launchpad.net/qa-regression-testing
[2] https://gitlab.com/georgiag/apparmor/-/tree/prompt-regression-tests

** Tags removed: verification-needed-mantic-linux-azure
** Tags added: verification-done-mantic-linux-azure

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2040245

Title:
  apparmor oops when racing to retrieve a notification

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Mantic:
  Fix Committed


[Kernel-packages] [Bug 2040245] Re: apparmor oops when racing to retrieve a notification

2024-01-12 Thread Georgia Garcia
Verification passed for jammy-linux-lowlatency-hwe-6.5. I ran the
AppArmor QA Regression Tests [1] and specific prompting tests [2].

georgia@sec-jammy-amd64:~$ uname -a
Linux sec-jammy-amd64 6.5.0-14-lowlatency #14.1~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Wed Nov 22 16:24:11 UTC x86_64 x86_64 x86_64 GNU/Linux

georgia@sec-jammy-amd64:~/apparmor/tests/regression/apparmor$ sudo ./prompt.sh
[sudo] password for georgia:
xpass: PROMPT (allow (rule link file l)) - root
xpass: PROMPT (allow (flag link file l)) - root
xpass: PROMPT (allow (rule mmap_exec file rwm)) - root
xpass: PROMPT (allow (flag mmap_exec file rwm)) - root
xpass: PROMPT (allow (rule lock file rwk)) - root
xpass: PROMPT (allow (flag lock file rwk)) - root
xpass: PROMPT (allow (rule exec file rix)) - root
xpass: PROMPT (allow (flag exec file rix)) - root
xpass: PROMPT (allow (rule exec file ux)) - root
xpass: PROMPT (allow (flag exec file ux)) - root

georgia@sec-jammy-amd64:~/qrt-test-apparmor$ sudo ./test-apparmor.py
.
--
Ran 62 tests in 1366.317s

OK (skipped=2)

[1] https://launchpad.net/qa-regression-testing
[2] https://gitlab.com/georgiag/apparmor/-/tree/prompt-regression-tests

** Tags removed: verification-needed-jammy-linux-lowlatency-hwe-6.5
** Tags added: verification-done-jammy-linux-lowlatency-hwe-6.5

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2040245

Title:
  apparmor oops when racing to retrieve a notification

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Mantic:
  Fix Committed


[Kernel-packages] [Bug 2040245] Re: apparmor oops when racing to retrieve a notification

2024-01-12 Thread Georgia Garcia
Verification passed for linux gcp. I ran the AppArmor QA Regression
Tests [1] and specific prompting tests [2].

georgia@sec-mantic-amd64:~$ uname -a
Linux sec-mantic-amd64 6.5.0-1010-gcp #10-Ubuntu SMP Fri Nov 17 21:33:36 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

georgia@sec-mantic-amd64:~/apparmor/tests/regression/apparmor$ sudo ./prompt.sh
xpass: PROMPT (allow (rule link file l)) - root
xpass: PROMPT (allow (flag link file l)) - root
xpass: PROMPT (allow (rule mmap_exec file rwm)) - root
xpass: PROMPT (allow (flag mmap_exec file rwm)) - root
xpass: PROMPT (allow (rule lock file rwk)) - root
xpass: PROMPT (allow (flag lock file rwk)) - root
xpass: PROMPT (allow (rule exec file rix)) - root
xpass: PROMPT (allow (flag exec file rix)) - root
xpass: PROMPT (allow (rule exec file ux)) - root
xpass: PROMPT (allow (flag exec file ux)) - root

georgia@sec-mantic-amd64:~/qrt-test-apparmor$ sudo ./test-apparmor.py
.
--
Ran 62 tests in 1325.124s

OK (skipped=3)

[1] https://launchpad.net/qa-regression-testing
[2] https://gitlab.com/georgiag/apparmor/-/tree/prompt-regression-tests

** Tags removed: verification-needed-mantic-linux-gcp
** Tags added: verification-done-mantic-linux-gcp

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2040245

Title:
  apparmor oops when racing to retrieve a notification

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Mantic:
  Fix Committed


[Kernel-packages] [Bug 2040192] Re: AppArmor spams kernel log with assert when auditing

2024-01-12 Thread Georgia Garcia
Verification passed for jammy-linux-nvidia-6.5. I ran the AppArmor QA
Regression Tests [1] and the specific prompting tests [2] which were
able to reproduce the issue before.

georgia@sec-jammy-amd64:~$ uname -a
Linux sec-jammy-amd64 6.5.0-1007-nvidia #7-Ubuntu SMP PREEMPT_DYNAMIC Wed Dec  6 01:27:37 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

georgia@sec-jammy-amd64:~/apparmor/tests/regression/apparmor$ sudo ./prompt.sh 
xpass: PROMPT (allow (rule link file l)) - root
xpass: PROMPT (allow (flag link file l)) - root
xpass: PROMPT (allow (rule mmap_exec file rwm)) - root
xpass: PROMPT (allow (flag mmap_exec file rwm)) - root
xpass: PROMPT (allow (rule lock file rwk)) - root
xpass: PROMPT (allow (flag lock file rwk)) - root
xpass: PROMPT (allow (rule exec file rix)) - root
xpass: PROMPT (allow (flag exec file rix)) - root
xpass: PROMPT (allow (rule exec file ux)) - root
xpass: PROMPT (allow (flag exec file ux)) - root

georgia@sec-jammy-amd64:~/qrt-test-apparmor$ sudo ./test-apparmor.py
.
--
Ran 62 tests in 1435.853s

OK (skipped=2)

[1] https://launchpad.net/qa-regression-testing
[2] https://gitlab.com/georgiag/apparmor/-/tree/prompt-regression-tests

** Tags removed: verification-needed-jammy-linux-nvidia-6.5
** Tags added: verification-done-jammy-linux-nvidia-6.5

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2040192

Title:
  AppArmor spams kernel log with assert when auditing

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Mantic:
  Fix Committed

Bug description:
  A reply to a prompt request that denies all permissions requested will
  throw the following warning, because the auditing code does not expect
  the request field to be empty when generating the audit message.

  Sep 27 22:48:14 ubuntu-mantic snapd[596]: listener.go:189: Sending access response back to kernel: {MsgNotification:{MsgHeader:{Length:0 Version:0} NotificationType:APPARMOR_NOTIF_RESP Signalled:0 NoCache:1 ID:2 Error:0} Error:-13 Allow:0 Deny:4}
  Sep 27 22:48:14 ubuntu-mantic kernel: [ cut here ]
  Sep 27 22:48:14 ubuntu-mantic kernel: AppArmor WARN aa_audit_file: ((!ad.request)):
  Sep 27 22:48:14 ubuntu-mantic kernel: WARNING: CPU: 3 PID: 2082 at security/apparmor/file.c:268 aa_audit_file+0x2b1/0x310
  Sep 27 22:48:14 ubuntu-mantic kernel: Modules linked in: snd_seq_dummy snd_hrtimer snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device snd_timer snd soundcore binfmt_misc nls_iso8859_1 kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic ghash_clmulni_intel sha512_ssse3 aesni_intel virtio_gpu crypto_simd cryptd virtio_dma_buf drm_shmem_helper 9pnet_virtio drm_kms_helper 9pnet vmw_vsock_virtio_transport virtio_input vmw_vsock_virtio_transport_common input_leds joydev serio_raw vsock msr parport_pc ppdev lp parport drm virtiofs efi_pstore ip_tables x_tables autofs4 virtio_net xhci_pci ahci psmouse net_failover libahci xhci_pci_renesas failover virtio_rng
  Sep 27 22:48:14 ubuntu-mantic kernel: CPU: 3 PID: 2082 Comm: bash Not tainted 6.5.0-5-generic #5+aa4.0.0+debug5-Ubuntu
  Sep 27 22:48:14 ubuntu-mantic kernel: Hardware name: QEMU Standard PC (Q35 + ICH9, 2009)/LXD, BIOS unknown 2/2/2022
  Sep 27 22:48:14 ubuntu-mantic kernel: RIP: 0010:aa_audit_file+0x2b1/0x310
  Sep 27 22:48:14 ubuntu-mantic kernel: Code: 3c ff ff ff e8 80 6f a8 ff 44 8b 95 3c ff ff ff 5a 59 e9 e3 fe ff ff 48 c7 c6 98 5c 08 84 48 c7 c7 90 1a 60 84 e8 9f da 9d ff <0f> 0b 8b 85 78 ff ff ff e9 05 ff ff ff 48 89 de 4c 89 f7 e8 b7 f5
  Sep 27 22:48:14 ubuntu-mantic kernel: RSP: 0018:b66a82b57968 EFLAGS: 00010246
  Sep 27 22:48:14 ubuntu-mantic kernel: RAX:  RBX: b66a82b57b24 RCX: 
  Sep 27 22:48:14 ubuntu-mantic kernel: RDX:  RSI:  RDI: 
  Sep 27 22:48:14 ubuntu-mantic kernel: RBP: b66a82b57a30 R08:  R09: 
  Sep 27 22:48:14 ubuntu-mantic kernel: R10:  R11:  R12: 
  Sep 27 22:48:14 ubuntu-mantic kernel: R13: 8b160239d800 R14: b66a82b57970 R15: 0001
  Sep 27 22:48:14 ubuntu-mantic kernel: FS:  7f1f7d3b3380() GS:8b17778c() knlGS:
  Sep 27 22:48:14 ubuntu-mantic kernel: CS:  0010 DS:  ES:  CR0: 80050033
  Sep 27 22:48:14 ubuntu-mantic kernel: CR2: 55d4482063f0 CR3: 000137e64000 CR4: 00750ee0
  Sep 27 22:48:14 ubuntu-mantic kernel: PKRU: 5554
  Sep 27 22:48:14 ubuntu-mantic kernel: Call Trace:
  Sep 27 22:48:14 ubuntu-mantic kernel:
  Sep 27 22:48:14 ubuntu-mantic kernel:  ? show_regs+0x6d/0x80
  Sep 27 22:48:14 ubuntu-mantic kernel:  ? __warn+0x89/0x160
  Sep 27 

[Kernel-packages] [Bug 2040194] Re: apparmor restricts read access of user namespace mediation sysctls to root

2024-01-12 Thread Georgia Garcia
Verification passed for jammy-linux-nvidia-6.5. I ran the AppArmor QA
Regression Tests [1] and checked file permissions for
/proc/sys/kernel/*unprivileged*.

georgia@sec-jammy-amd64:~$ uname -a
Linux sec-jammy-amd64 6.5.0-1007-nvidia #7-Ubuntu SMP PREEMPT_DYNAMIC Wed Dec  6 01:27:37 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

georgia@sec-jammy-amd64:~$ ll /proc/sys/kernel/*unprivileged*
-rw--- 1 root root 0 Jan 12 14:11 /proc/sys/kernel/apparmor_restrict_unprivileged_io_uring
-rw-r--r-- 1 root root 0 Jan 12 14:11 /proc/sys/kernel/apparmor_restrict_unprivileged_unconfined
-rw-r--r-- 1 root root 0 Jan 12 14:11 /proc/sys/kernel/apparmor_restrict_unprivileged_userns
-rw--- 1 root root 0 Jan 12 14:11 /proc/sys/kernel/apparmor_restrict_unprivileged_userns_complain
-rw--- 1 root root 0 Jan 12 14:11 /proc/sys/kernel/apparmor_restrict_unprivileged_userns_force
-rw-r--r-- 1 root root 0 Jan 12 14:11 /proc/sys/kernel/unprivileged_bpf_disabled
-rw--- 1 root root 0 Jan 12 14:11 /proc/sys/kernel/unprivileged_userns_apparmor_policy
-rw-r--r-- 1 root root 0 Jan 12 14:09 /proc/sys/kernel/unprivileged_userns_clone

georgia@sec-jammy-amd64:~/qrt-test-apparmor$ sudo ./test-apparmor.py
.
--
Ran 62 tests in 1435.853s

OK (skipped=2)

[1] https://launchpad.net/qa-regression-testing


** Tags removed: verification-needed-jammy-linux-nvidia-6.5
** Tags added: verification-done-jammy-linux-nvidia-6.5

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2040194

Title:
  apparmor restricts read access of user namespace mediation sysctls to
  root

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Mantic:
  Fix Committed

Bug description:
  lxc and lxd currently need to determine if the apparmor restrictions
  on unprivileged user namespaces are being enforced, so that apparmor
  restrictions won't break lxc/d, and they won't clutter the logs
  by doing something like

  unshare true

  to test if the restrictions are being enforced.

  Ideally access to this information would be restricted so that any
  unknown access would be logged, but lxc/d currently aren't ready for
  this so in order to _not_ force lxc/d to probe whether enforcement is
  enabled, open up read access to the sysctls for unprivileged user
  namespace mediation.

  https://github.com/canonical/lxd/issues/11920#issuecomment-1756110109

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2040194/+subscriptions


-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
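The verification above checks by hand which of the /proc/sys/kernel/*unprivileged* sysctls a non-root process can read. The script below is an added example, not code from this thread, from lxd or from the Ubuntu kernel: it parses an `ll` listing of that kind (the sample is constructed from the listing quoted above), reports which entries are world-readable, confirms that the user-namespace mediation sysctls are among them, and shows how a program such as lxd could read the values directly instead of probing with `unshare true`. Two assumptions are mine: that the "sysctls for unprivileged user namespace mediation" are apparmor_restrict_unprivileged_userns and apparmor_restrict_unprivileged_unconfined (the two AppArmor userns entries the listing shows with mode -rw-r--r--), and that the live check runs on a Linux host; sysctls that do not exist on the host are skipped. Function names are my own.

```python
"""Which AppArmor / user-namespace sysctls can a non-root process read?

Added example; it is not code from this thread, from lxd or from the
Ubuntu kernel. It parses an `ls -l` (`ll`) listing of
/proc/sys/kernel/*unprivileged* like the one quoted in the verification,
reports which entries are world-readable, and can repeat the check on a
live Linux host by reading the mediation sysctls directly.
"""
import os
import re
from typing import Dict, Optional

# Assumption: these are the "sysctls for unprivileged user namespace
# mediation" that the fix opens up; they are the two AppArmor userns
# sysctls the quoted listing shows with mode -rw-r--r--.
USERNS_MEDIATION_SYSCTLS = (
    "apparmor_restrict_unprivileged_userns",
    "apparmor_restrict_unprivileged_unconfined",
)

# Sample listing constructed from the verification output quoted above.
SAMPLE_LISTING = """\
-rw------- 1 root root 0 Jan 12 14:11 /proc/sys/kernel/apparmor_restrict_unprivileged_io_uring
-rw-r--r-- 1 root root 0 Jan 12 14:11 /proc/sys/kernel/apparmor_restrict_unprivileged_unconfined
-rw-r--r-- 1 root root 0 Jan 12 14:11 /proc/sys/kernel/apparmor_restrict_unprivileged_userns
-rw------- 1 root root 0 Jan 12 14:11 /proc/sys/kernel/apparmor_restrict_unprivileged_userns_complain
-rw------- 1 root root 0 Jan 12 14:11 /proc/sys/kernel/apparmor_restrict_unprivileged_userns_force
-rw-r--r-- 1 root root 0 Jan 12 14:11 /proc/sys/kernel/unprivileged_bpf_disabled
-rw------- 1 root root 0 Jan 12 14:11 /proc/sys/kernel/unprivileged_userns_apparmor_policy
-rw-r--r-- 1 root root 0 Jan 12 14:09 /proc/sys/kernel/unprivileged_userns_clone
"""

# ls -l fields: mode links owner group size month day time path
_LS_LINE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<path>\S+)$"
)


def mode_is_world_readable(mode: str) -> bool:
    """True when the 'other' read bit is set in a mode string such as -rw-r--r--."""
    if len(mode) != 10:
        raise ValueError(f"not a 10-character mode string: {mode!r}")
    return mode[7] == "r"


def parse_listing(listing: str) -> Dict[str, bool]:
    """Map each sysctl name in an ls -l listing to whether it is world-readable."""
    readable: Dict[str, bool] = {}
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LS_LINE.match(line)
        if m is None:
            raise ValueError(f"unparsable ls -l line: {line!r}")
        readable[os.path.basename(m.group("path"))] = mode_is_world_readable(m.group("mode"))
    return readable


def mediation_sysctls_readable(readable: Dict[str, bool]) -> Dict[str, bool]:
    """Status of the userns-mediation sysctls only; a missing entry counts as unreadable."""
    return {name: readable.get(name, False) for name in USERNS_MEDIATION_SYSCTLS}


def fix_present(readable: Dict[str, bool]) -> bool:
    """The fix is in place when every mediation sysctl is readable without root."""
    return all(mediation_sysctls_readable(readable).values())


def live_mediation_values() -> Optional[Dict[str, Optional[int]]]:
    """Read the mediation sysctls from /proc instead of probing with `unshare true`.

    Returns None when /proc/sys/kernel is absent (non-Linux host). Per sysctl the
    value is the integer the kernel reports, or None when the file exists but this
    process may not read it (the pre-fix state for an unprivileged caller).
    """
    base = "/proc/sys/kernel"
    if not os.path.isdir(base):
        return None
    values: Dict[str, Optional[int]] = {}
    for name in USERNS_MEDIATION_SYSCTLS:
        path = os.path.join(base, name)
        if not os.path.exists(path):
            continue  # kernel without this Ubuntu-specific sysctl
        try:
            with open(path) as fh:
                values[name] = int(fh.read().strip())
        except PermissionError:
            values[name] = None
    return values


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for name, ok in sorted(parsed.items()):
        print(f"{'world-readable' if ok else 'root-only     '}  {name}")
    print("mediation sysctls readable by unprivileged users:", fix_present(parsed))
    print("live values on this host:", live_mediation_values())
```

Run as an unprivileged user on a jammy or mantic host with the fixed kernel, `live_mediation_values()` returns integers for both sysctls; on a kernel from before the fix it returns None for them, which is exactly the condition that forced lxc/lxd to fall back to spawning `unshare true`.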


[Kernel-packages] [Bug 2040192] Re: AppArmor spams kernel log with assert when auditing

2024-01-12 Thread Georgia Garcia
Verification passed for jammy-linux-lowlatency-hwe-6.5. I ran the
AppArmor QA Regression Tests [1] and the specific prompting tests [2]
which were able to reproduce the issue before.

georgia@sec-jammy-amd64:~$ uname -a
Linux sec-jammy-amd64 6.5.0-14-lowlatency #14.1~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Wed Nov 22 16:24:11 UTC x86_64 x86_64 x86_64 GNU/Linux

georgia@sec-jammy-amd64:~/apparmor/tests/regression/apparmor$ sudo ./prompt.sh 
[sudo] password for georgia: 
xpass: PROMPT (allow (rule link file l)) - root
xpass: PROMPT (allow (flag link file l)) - root
xpass: PROMPT (allow (rule mmap_exec file rwm)) - root
xpass: PROMPT (allow (flag mmap_exec file rwm)) - root
xpass: PROMPT (allow (rule lock file rwk)) - root
xpass: PROMPT (allow (flag lock file rwk)) - root
xpass: PROMPT (allow (rule exec file rix)) - root
xpass: PROMPT (allow (flag exec file rix)) - root
xpass: PROMPT (allow (rule exec file ux)) - root
xpass: PROMPT (allow (flag exec file ux)) - root

georgia@sec-jammy-amd64:~/qrt-test-apparmor$ sudo ./test-apparmor.py
.
--
Ran 62 tests in 1366.317s

OK (skipped=2)

[1] https://launchpad.net/qa-regression-testing
[2] https://gitlab.com/georgiag/apparmor/-/tree/prompt-regression-tests

** Tags removed: verification-needed-jammy-linux-lowlatency-hwe-6.5
** Tags added: verification-done-jammy-linux-lowlatency-hwe-6.5

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2040192

Title:
  AppArmor spams kernel log with assert when auditing

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Mantic:
  Fix Committed

Bug description:
  A reply to a prompt request that denies all permissions requested will throw
  the following warning, because the auditing code does not expect the request
  field to be empty when generating the audit message.

  Sep 27 22:48:14 ubuntu-mantic snapd[596]: listener.go:189: Sending access 
response back to kernel: {MsgNotification:{MsgHeader:{Length:0 Version:0} 
NotificationType:APPARMOR_NOTIF_RESP Signalled:0 NoCache:1 ID:2 Error:0} 
Error:-13 Allow:0 Deny:4}
  Sep 27 22:48:14 ubuntu-mantic kernel: [ cut here ]
  Sep 27 22:48:14 ubuntu-mantic kernel: AppArmor WARN aa_audit_file: 
((!ad.request)): 
  Sep 27 22:48:14 ubuntu-mantic kernel: WARNING: CPU: 3 PID: 2082 at 
security/apparmor/file.c:268 aa_audit_file+0x2b1/0x310
  Sep 27 22:48:14 ubuntu-mantic kernel: Modules linked in: snd_seq_dummy 
snd_hrtimer snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device 
snd_timer snd soundcore binfmt_misc nls_iso8859_1 kvm_intel kvm irqbypass 
crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic 
ghash_clmulni_intel sha512_ssse3 aesni_intel virtio_gpu crypto_simd cryptd 
virtio_dma_buf drm_shmem_helper 9pnet_virtio drm_kms_helper 9pnet 
vmw_vsock_virtio_transport virtio_input vmw_vsock_virtio_transport_common 
input_leds joydev serio_raw vsock msr parport_pc ppdev lp parport drm virtiofs 
efi_pstore ip_tables x_tables autofs4 virtio_net xhci_pci ahci psmouse 
net_failover libahci xhci_pci_renesas failover virtio_rng
  Sep 27 22:48:14 ubuntu-mantic kernel: CPU: 3 PID: 2082 Comm: bash Not tainted 
6.5.0-5-generic #5+aa4.0.0+debug5-Ubuntu
  Sep 27 22:48:14 ubuntu-mantic kernel: Hardware name: QEMU Standard PC (Q35 + 
ICH9, 2009)/LXD, BIOS unknown 2/2/2022
  Sep 27 22:48:14 ubuntu-mantic kernel: RIP: 0010:aa_audit_file+0x2b1/0x310
  Sep 27 22:48:14 ubuntu-mantic kernel: Code: 3c ff ff ff e8 80 6f a8 ff 44 8b 
95 3c ff ff ff 5a 59 e9 e3 fe ff ff 48 c7 c6 98 5c 08 84 48 c7 c7 90 1a 60 84 
e8 9f da 9d ff <0f> 0b 8b 85 78 ff ff ff e9 05 ff ff ff 48 89 de 4c 89 f7 e8 b7 
f5
  Sep 27 22:48:14 ubuntu-mantic kernel: RSP: 0018:b66a82b57968 EFLAGS: 
00010246
  Sep 27 22:48:14 ubuntu-mantic kernel: RAX:  RBX: 
b66a82b57b24 RCX: 
  Sep 27 22:48:14 ubuntu-mantic kernel: RDX:  RSI: 
 RDI: 
  Sep 27 22:48:14 ubuntu-mantic kernel: RBP: b66a82b57a30 R08: 
 R09: 
  Sep 27 22:48:14 ubuntu-mantic kernel: R10:  R11: 
 R12: 
  Sep 27 22:48:14 ubuntu-mantic kernel: R13: 8b160239d800 R14: 
b66a82b57970 R15: 0001
  Sep 27 22:48:14 ubuntu-mantic kernel: FS:  7f1f7d3b3380() 
GS:8b17778c() knlGS:
  Sep 27 22:48:14 ubuntu-mantic kernel: CS:  0010 DS:  ES:  CR0: 
80050033
  Sep 27 22:48:14 ubuntu-mantic kernel: CR2: 55d4482063f0 CR3: 
000137e64000 CR4: 00750ee0
  Sep 27 22:48:14 ubuntu-mantic kernel: PKRU: 5554
  Sep 27 22:48:14 ubuntu-mantic kernel: Call Trace:
  Sep 27 22:48:14 ubuntu-mantic kernel:  
  Sep 27 22:48:14 ubuntu-mantic kernel:  ? show_regs+0x6d/0x80
  Sep 27 
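The description above gives the two log lines that characterise the problem: a snapd reply that grants nothing (Allow:0) and, immediately after it, the aa_audit_file WARN. What follows is an added example, not code from snapd, from the kernel or from this thread: a small journal scanner that parses the snapd listener response line, looks for the WARN within the next few lines, and reports the correlated finding, so an operator can confirm that the kernel-log spam has this cause and that it stops once the fixed kernel is running. The sample journal is constructed from the excerpt quoted above; the function and field names are my own.

```python
"""Correlate deny-all snapd prompt responses with the AppArmor aa_audit_file WARN.

Added example; not code from snapd, the kernel or this bug report. It scans
journal lines like those quoted in the bug description, parses the snapd
"Sending access response back to kernel" line, and flags a response that
allows nothing when the `AppArmor WARN aa_audit_file: ((!ad.request))` line
follows it within a small window.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Pattern

# Constructed from the log excerpt quoted in the bug description above.
SAMPLE_JOURNAL = """\
Sep 27 22:48:14 ubuntu-mantic snapd[596]: listener.go:189: Sending access response back to kernel: {MsgNotification:{MsgHeader:{Length:0 Version:0} NotificationType:APPARMOR_NOTIF_RESP Signalled:0 NoCache:1 ID:2 Error:0} Error:-13 Allow:0 Deny:4}
Sep 27 22:48:14 ubuntu-mantic kernel: [ cut here ]
Sep 27 22:48:14 ubuntu-mantic kernel: AppArmor WARN aa_audit_file: ((!ad.request)):
Sep 27 22:48:14 ubuntu-mantic kernel: WARNING: CPU: 3 PID: 2082 at security/apparmor/file.c:268 aa_audit_file+0x2b1/0x310
Sep 27 22:48:14 ubuntu-mantic kernel: Call Trace:
"""

# The snapd response: we need the notification ID and the outer Error/Allow/Deny.
_RESPONSE = re.compile(
    r"snapd\[(?P<snapd_pid>\d+)\]: .*Sending access response back to kernel: "
    r".*\bID:(?P<id>\d+) .*\} Error:(?P<error>-?\d+) Allow:(?P<allow>\d+) Deny:(?P<deny>\d+)\}"
)
# AppArmor's WARN line carries the function and the failed condition.
_WARN = re.compile(r"kernel: AppArmor WARN (?P<func>\w+): \(\((?P<cond>[^)]*)\)\)")
# The generic WARNING line carries the PID and source location.
_WARNING = re.compile(r"kernel: WARNING: CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) at (?P<loc>\S+) (?P<sym>\S+)")


@dataclass
class Finding:
    response_id: int
    error: int
    allow: int
    deny: int
    warn_func: str
    warn_cond: str
    pid: Optional[int]
    location: Optional[str]


def _first_match(pattern: Pattern[str], lines: List[str]):
    for line in lines:
        m = pattern.search(line)
        if m:
            return m
    return None


def scan_journal(text: str, window: int = 5) -> List[Finding]:
    """Flag deny-all snapd responses followed within `window` lines by the audit WARN."""
    lines = text.splitlines()
    findings: List[Finding] = []
    for i, line in enumerate(lines):
        m = _RESPONSE.search(line)
        if m is None or int(m.group("allow")) != 0:
            continue  # only a reply that grants nothing leaves the request mask empty
        following = lines[i + 1:i + 1 + window]
        w = _first_match(_WARN, following)
        if w is None:
            continue  # response without the WARN: nothing to report
        ww = _first_match(_WARNING, following)
        findings.append(Finding(
            response_id=int(m.group("id")),
            error=int(m.group("error")),
            allow=int(m.group("allow")),
            deny=int(m.group("deny")),
            warn_func=w.group("func"),
            warn_cond=w.group("cond"),
            pid=int(ww.group("pid")) if ww else None,
            location=ww.group("loc") if ww else None,
        ))
    return findings


if __name__ == "__main__":
    for f in scan_journal(SAMPLE_JOURNAL):
        print(f"deny-all response id={f.response_id} (Error:{f.error} Deny:{f.deny}) "
              f"triggered {f.warn_func} WARN on '{f.warn_cond}' in PID {f.pid} at {f.location}")
```

Feed it `journalctl -k -b` output together with the snapd unit's log (both lines are in the default journal on Ubuntu Core and classic), and an empty result on a kernel carrying the fix is the verification signal; a non-empty one pinpoints the prompt reply that produced each WARN.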

[Kernel-packages] [Bug 2040194] Re: apparmor restricts read access of user namespace mediation sysctls to root

2024-01-12 Thread Georgia Garcia
Verification passed for jammy-linux-hwe-6.5. I ran the AppArmor QA
Regression Tests [1] and checked file permissions for
/proc/sys/kernel/*unprivileged*.

georgia@sec-jammy-amd64:~$ uname -a
Linux sec-jammy-amd64 6.5.0-14-generic #14~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Nov 20 18:15:30 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

georgia@sec-jammy-amd64:~$ ll /proc/sys/kernel/*unprivileged*
-rw------- 1 root root 0 Jan 12 14:07 /proc/sys/kernel/apparmor_restrict_unprivileged_io_uring
-rw-r--r-- 1 root root 0 Jan 12 14:07 /proc/sys/kernel/apparmor_restrict_unprivileged_unconfined
-rw-r--r-- 1 root root 0 Jan 12 14:07 /proc/sys/kernel/apparmor_restrict_unprivileged_userns
-rw------- 1 root root 0 Jan 12 14:07 /proc/sys/kernel/apparmor_restrict_unprivileged_userns_complain
-rw------- 1 root root 0 Jan 12 14:07 /proc/sys/kernel/apparmor_restrict_unprivileged_userns_force
-rw-r--r-- 1 root root 0 Jan 12 14:07 /proc/sys/kernel/unprivileged_bpf_disabled
-rw------- 1 root root 0 Jan 12 14:07 /proc/sys/kernel/unprivileged_userns_apparmor_policy
-rw-r--r-- 1 root root 0 Jan 12 14:06 /proc/sys/kernel/unprivileged_userns_clone

georgia@sec-jammy-amd64:~/qrt-test-apparmor$ sudo ./test-apparmor.py

.
--
Ran 62 tests in 1360.734s

OK (skipped=2)

[1] https://launchpad.net/qa-regression-testing

** Tags removed: verification-needed-jammy-linux-hwe-6.5
** Tags added: verification-done-jammy-linux-hwe-6.5

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2040194



[Kernel-packages] [Bug 2040194] Re: apparmor restricts read access of user namespace mediation sysctls to root

2024-01-12 Thread Georgia Garcia
Verification passed for linux gcp. I ran the AppArmor QA Regression
Tests [1] and checked file permissions for /proc/sys/kernel/*unprivileged*.

georgia@sec-mantic-amd64:~$ uname -a
Linux sec-mantic-amd64 6.5.0-1010-azure #10-Ubuntu SMP Mon Nov 20 20:14:42 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

georgia@sec-mantic-amd64:~$ ll /proc/sys/kernel/*unprivileged*
-rw------- 1 root root 0 Jan 12 13:59 /proc/sys/kernel/apparmor_restrict_unprivileged_io_uring
-rw-r--r-- 1 root root 0 Jan 12 13:59 /proc/sys/kernel/apparmor_restrict_unprivileged_unconfined
-rw-r--r-- 1 root root 0 Jan 12 13:58 /proc/sys/kernel/apparmor_restrict_unprivileged_userns
-rw------- 1 root root 0 Jan 12 13:59 /proc/sys/kernel/apparmor_restrict_unprivileged_userns_complain
-rw------- 1 root root 0 Jan 12 13:59 /proc/sys/kernel/apparmor_restrict_unprivileged_userns_force
-rw-r--r-- 1 root root 0 Jan 12 13:59 /proc/sys/kernel/unprivileged_bpf_disabled
-rw------- 1 root root 0 Jan 12 13:59 /proc/sys/kernel/unprivileged_userns_apparmor_policy
-rw-r--r-- 1 root root 0 Jan 12 13:58 /proc/sys/kernel/unprivileged_userns_clone

georgia@sec-mantic-amd64:~/qrt-test-apparmor$ sudo ./test-apparmor.py
.
--
Ran 62 tests in 1325.124s

OK (skipped=3)

[1] https://launchpad.net/qa-regression-testing

** Tags removed: verification-needed-mantic-linux-gcp
** Tags added: verification-done-mantic-linux-gcp

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2040194



[Kernel-packages] [Bug 2040194] Re: apparmor restricts read access of user namespace mediation sysctls to root

2024-01-12 Thread Georgia Garcia
Verification passed for jammy-linux-lowlatency-hwe-6.5. I ran the
AppArmor QA Regression Tests [1] and checked file permissions for
/proc/sys/kernel/*unprivileged*.

georgia@sec-jammy-amd64:~$ uname -a
Linux sec-jammy-amd64 6.5.0-14-lowlatency #14.1~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Wed Nov 22 16:24:11 UTC x86_64 x86_64 x86_64 GNU/Linux

georgia@sec-jammy-amd64:~$ ll /proc/sys/kernel/*unprivileged*
-rw------- 1 root root 0 Jan 12 13:47 /proc/sys/kernel/apparmor_restrict_unprivileged_io_uring
-rw-r--r-- 1 root root 0 Jan 12 13:47 /proc/sys/kernel/apparmor_restrict_unprivileged_unconfined
-rw-r--r-- 1 root root 0 Jan 12 13:35 /proc/sys/kernel/apparmor_restrict_unprivileged_userns
-rw------- 1 root root 0 Jan 12 13:47 /proc/sys/kernel/apparmor_restrict_unprivileged_userns_complain
-rw------- 1 root root 0 Jan 12 13:47 /proc/sys/kernel/apparmor_restrict_unprivileged_userns_force
-rw-r--r-- 1 root root 0 Jan 12 13:47 /proc/sys/kernel/unprivileged_bpf_disabled
-rw------- 1 root root 0 Jan 12 13:47 /proc/sys/kernel/unprivileged_userns_apparmor_policy
-rw-r--r-- 1 root root 0 Jan 12 13:33 /proc/sys/kernel/unprivileged_userns_clone

georgia@sec-mantic-amd64:~/qrt-test-apparmor$ sudo ./test-apparmor.py
.
--
Ran 62 tests in 1366.317s

OK (skipped=2)

[1] https://launchpad.net/qa-regression-testing

** Tags removed: verification-needed-jammy-linux-lowlatency-hwe-6.5
** Tags added: verification-done-jammy-linux-lowlatency-hwe-6.5

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2040194



[Kernel-packages] [Bug 2040194] Re: apparmor restricts read access of user namespace mediation sysctls to root

2024-01-12 Thread Georgia Garcia
Verification passed for linux azure. I ran the AppArmor QA Regression
Tests [1] and checked file permissions for /proc/sys/kernel/*unprivileged*.

georgia@sec-mantic-amd64:~$ uname -a
Linux sec-mantic-amd64 6.5.0-1010-azure #10-Ubuntu SMP Mon Nov 20 20:14:42 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

georgia@sec-mantic-amd64:~$ ll /proc/sys/kernel/*unprivileged*
-rw------- 1 root root 0 Jan 12 13:55 /proc/sys/kernel/apparmor_restrict_unprivileged_io_uring
-rw-r--r-- 1 root root 0 Jan 12 13:54 /proc/sys/kernel/apparmor_restrict_unprivileged_unconfined
-rw-r--r-- 1 root root 0 Jan 12 13:54 /proc/sys/kernel/apparmor_restrict_unprivileged_userns
-rw------- 1 root root 0 Jan 12 13:55 /proc/sys/kernel/apparmor_restrict_unprivileged_userns_complain
-rw------- 1 root root 0 Jan 12 13:55 /proc/sys/kernel/apparmor_restrict_unprivileged_userns_force
-rw-r--r-- 1 root root 0 Jan 12 13:55 /proc/sys/kernel/unprivileged_bpf_disabled
-rw------- 1 root root 0 Jan 12 13:55 /proc/sys/kernel/unprivileged_userns_apparmor_policy
-rw-r--r-- 1 root root 0 Jan 12 13:54 /proc/sys/kernel/unprivileged_userns_clone

georgia@sec-mantic-amd64:~/qrt-test-apparmor$ sudo ./test-apparmor.py
.
--
Ran 62 tests in 1300.394s

OK (skipped=3)

[1] https://launchpad.net/qa-regression-testing

** Tags removed: verification-needed-mantic-linux-azure
** Tags added: verification-done-mantic-linux-azure

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2040194



[Kernel-packages] [Bug 2040192] Re: AppArmor spams kernel log with assert when auditing

2024-01-12 Thread Georgia Garcia
Verification passed for jammy-linux-hwe-6.5. I ran the AppArmor QA
Regression Tests [1] and the specific prompting tests [2] which were
able to reproduce the issue before.

georgia@sec-jammy-amd64:~$ uname -a
Linux sec-jammy-amd64 6.5.0-14-generic #14~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Nov 20 18:15:30 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

georgia@sec-jammy-amd64:~/apparmor/tests/regression/apparmor$ sudo ./prompt.sh 
xpass: PROMPT (allow (rule link file l)) - root
xpass: PROMPT (allow (flag link file l)) - root
xpass: PROMPT (allow (rule mmap_exec file rwm)) - root
xpass: PROMPT (allow (flag mmap_exec file rwm)) - root
xpass: PROMPT (allow (rule lock file rwk)) - root
xpass: PROMPT (allow (flag lock file rwk)) - root
xpass: PROMPT (allow (rule exec file rix)) - root
xpass: PROMPT (allow (flag exec file rix)) - root
xpass: PROMPT (allow (rule exec file ux)) - root
xpass: PROMPT (allow (flag exec file ux)) - root

georgia@sec-jammy-amd64:~/qrt-test-apparmor$ sudo ./test-apparmor.py

.
--
Ran 62 tests in 1360.734s

OK (skipped=2)

[1] https://launchpad.net/qa-regression-testing
[2] https://gitlab.com/georgiag/apparmor/-/tree/prompt-regression-tests

** Tags removed: verification-needed-jammy-linux-hwe-6.5
** Tags added: verification-done-jammy-linux-hwe-6.5

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2040192


[Kernel-packages] [Bug 2040192] Re: AppArmor spams kernel log with assert when auditing

2024-01-12 Thread Georgia Garcia
Verification passed for linux gcp. I ran the AppArmor QA Regression
Tests [1] and the specific prompting tests [2] which were able to
reproduce the issue before.

georgia@sec-mantic-amd64:~$ uname -a
Linux sec-mantic-amd64 6.5.0-1010-gcp #10-Ubuntu SMP Fri Nov 17 21:33:36 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

georgia@sec-mantic-amd64:~/apparmor/tests/regression/apparmor$ sudo ./prompt.sh 
xpass: PROMPT (allow (rule link file l)) - root
xpass: PROMPT (allow (flag link file l)) - root
xpass: PROMPT (allow (rule mmap_exec file rwm)) - root
xpass: PROMPT (allow (flag mmap_exec file rwm)) - root
xpass: PROMPT (allow (rule lock file rwk)) - root
xpass: PROMPT (allow (flag lock file rwk)) - root
xpass: PROMPT (allow (rule exec file rix)) - root
xpass: PROMPT (allow (flag exec file rix)) - root
xpass: PROMPT (allow (rule exec file ux)) - root
xpass: PROMPT (allow (flag exec file ux)) - root


georgia@sec-mantic-amd64:~/qrt-test-apparmor$ sudo ./test-apparmor.py
.
--
Ran 62 tests in 1325.124s

OK (skipped=3)

[1] https://launchpad.net/qa-regression-testing
[2] https://gitlab.com/georgiag/apparmor/-/tree/prompt-regression-tests

** Tags removed: verification-needed-mantic-linux-gcp
** Tags added: verification-done-mantic-linux-gcp

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2040192


[Kernel-packages] [Bug 2040192] Re: AppArmor spams kernel log with assert when auditing

2024-01-12 Thread Georgia Garcia
Verification passed for linux azure. I ran the AppArmor QA Regression
Tests [1] and the specific prompting tests [2] which were able to
reproduce the issue before.

georgia@sec-mantic-amd64:~$ uname -a
Linux sec-mantic-amd64 6.5.0-1010-azure #10-Ubuntu SMP Mon Nov 20 20:14:42 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

georgia@sec-mantic-amd64:~/apparmor/tests/regression/apparmor$ sudo ./prompt.sh 
xpass: PROMPT (allow (rule link file l)) - root
xpass: PROMPT (allow (flag link file l)) - root
xpass: PROMPT (allow (rule mmap_exec file rwm)) - root
xpass: PROMPT (allow (flag mmap_exec file rwm)) - root
xpass: PROMPT (allow (rule lock file rwk)) - root
xpass: PROMPT (allow (flag lock file rwk)) - root
xpass: PROMPT (allow (rule exec file rix)) - root
xpass: PROMPT (allow (flag exec file rix)) - root
xpass: PROMPT (allow (rule exec file ux)) - root
xpass: PROMPT (allow (flag exec file ux)) - root

georgia@sec-mantic-amd64:~/qrt-test-apparmor$ sudo ./test-apparmor.py
.
--
Ran 62 tests in 1300.394s

OK (skipped=3)


[1] https://launchpad.net/qa-regression-testing
[2] https://gitlab.com/georgiag/apparmor/-/tree/prompt-regression-tests

** Tags removed: verification-needed-mantic-linux-azure
** Tags added: verification-done-mantic-linux-azure

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2040192


[Kernel-packages] [Bug 2045384] Re: AppArmor patch for mq-posix interface is missing in jammy

2024-01-11 Thread Georgia Garcia
Ran AppArmor tests from the QA Regression Tests [1] and POSIX mqueue
tests from the AppArmor test suite and they all passed as expected.

georgia@sec-jammy-amd64:~/apparmor-3.0.4/tests/regression/apparmor$ uname -a
Linux sec-jammy-amd64 5.15.0-94-generic #104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 
2024 x86_64 x86_64 x86_64 GNU/Linux

georgia@sec-jammy-amd64:~/qrt-test-apparmor$ sudo ./test-apparmor.py 
.
--
Ran 62 tests in 1252.754s

OK (skipped=2)

georgia@sec-jammy-amd64:~$ apt source apparmor
georgia@sec-jammy-amd64:~$ cd apparmor-3.0.4/tests/regression/apparmor/
georgia@sec-jammy-amd64:~/apparmor-3.0.4/tests/regression/apparmor$ 
USE_SYSTEM=1 make
georgia@sec-jammy-amd64:~/apparmor-3.0.4/tests/regression/apparmor$ sudo 
./posix_mq.sh 
BAD PASSWORD: The password fails the dictionary check - it is based on a 
dictionary word
xpass: POSIX MQUEUE (confined root - mqueue label 1)
xpass: POSIX MQUEUE (confined root - mqueue label 1 : mq_notify)
xpass: POSIX MQUEUE (confined root - mqueue label 1 : select)
xpass: POSIX MQUEUE (confined root - mqueue label 1 : poll)
xpass: POSIX MQUEUE (confined root - mqueue label 1 : epoll)
xpass: POSIX MQUEUE (confined root - mqueue label 2)
xpass: POSIX MQUEUE (confined root - mqueue label 2 : mq_notify)
xpass: POSIX MQUEUE (confined root - mqueue label 2 : select)
xpass: POSIX MQUEUE (confined root - mqueue label 2 : poll)
xpass: POSIX MQUEUE (confined root - mqueue label 2 : epoll)
xpass: POSIX MQUEUE (confined 1001 - mqueue label 1)
xpass: POSIX MQUEUE (confined 1001 - mqueue label 1 : mq_notify)
xpass: POSIX MQUEUE (confined 1001 - mqueue label 1 : select)
xpass: POSIX MQUEUE (confined 1001 - mqueue label 1 : poll)
xpass: POSIX MQUEUE (confined 1001 - mqueue label 1 : epoll)
xpass: POSIX MQUEUE (confined 1001 - mqueue label 2)
xpass: POSIX MQUEUE (confined 1001 - mqueue label 2 : mq_notify)
xpass: POSIX MQUEUE (confined 1001 - mqueue label 2 : select)
xpass: POSIX MQUEUE (confined 1001 - mqueue label 2 : poll)
xpass: POSIX MQUEUE (confined 1001 - mqueue label 2 : epoll)


[1] https://launchpad.net/qa-regression-testing

** Tags removed: verification-needed-jammy-linux
** Tags added: verification-done-jammy-linux

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2045384

Title:
  AppArmor patch for mq-posix interface is missing in jammy

Status in linux package in Ubuntu:
  Triaged
Status in livecd-rootfs package in Ubuntu:
  New
Status in linux source package in Jammy:
  Fix Committed
Status in livecd-rootfs source package in Jammy:
  New



-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp


[Kernel-packages] [Bug 2038443] Re: mantic:linux: ubuntu_qrt_apparmor: ApparmorTestsuites.test_regression_testsuiteattach_disconnected.

2023-10-06 Thread Georgia Garcia
Hi!

Could you share the kernel and apparmor version?
I tested on mantic with the configuration below and I wasn't able to reproduce 
the failure for this specific test.
I did see an unrelated dbus issue with the test suite and proposed a fix on 
https://code.launchpad.net/~georgiag/qa-regression-testing/+git/qa-regression-testing/+merge/453056


georgia@sec-mantic-amd64:~/qrt-test-apparmor$ sudo ./test-apparmor.py 
ApparmorTestsuites.test_regression_testsuite
[sudo] password for georgia: 
Skipping private tests

  preparing apparmor_4.0.0~alpha2-0ubuntu5.dsc...  done

 (disabling ptrace for this test)
.
--
Ran 1 test in 574.715s

OK
georgia@sec-mantic-amd64:~/qrt-test-apparmor$ uname -a
Linux sec-mantic-amd64 6.5.0-7-generic #7-Ubuntu SMP PREEMPT_DYNAMIC Fri Sep 29 
09:14:56 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
georgia@sec-mantic-amd64:~/qrt-test-apparmor$ apt-cache policy apparmor
apparmor:
  Installed: 4.0.0~alpha2-0ubuntu5
  Candidate: 4.0.0~alpha2-0ubuntu5
  Version table:
 *** 4.0.0~alpha2-0ubuntu5 500
500 http://archive.ubuntu.com/ubuntu mantic/main amd64 Packages
100 /var/lib/dpkg/status
georgia@sec-mantic-amd64:~/qrt-test-apparmor$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:Ubuntu Mantic Minotaur (development branch)
Release:23.10
Codename:   mantic

-- 
https://bugs.launchpad.net/bugs/2038443

Title:
  mantic:linux: ubuntu_qrt_apparmor:
  ApparmorTestsuites.test_regression_testsuiteattach_disconnected.

Status in apparmor package in Ubuntu:
  New
Status in linux package in Ubuntu:
  Confirmed
Status in apparmor source package in Mantic:
  New
Status in linux source package in Mantic:
  Confirmed

Bug description:
  This might be apparmor, the test case, kernel or anything in between:

  7720s   running attach_disconnected
  7720s   Fatal Error (unix_fd_server): Unable to run test sub-executable

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2038443/+subscriptions




[Kernel-packages] [Bug 1939915] Re: memory leaking when removing a profile

2021-09-09 Thread Georgia Garcia
Tested on -proposed by causing the leak and checking the memory used
with "free", since CONFIG_DEBUG_KMEMLEAK is not set. It worked as
expected - the memory used shown in "free" after removing the profile
was in an expected range.

** Tags removed: verification-needed-bionic verification-needed-focal
** Tags added: verification-done-bionic verification-done-focal

-- 
https://bugs.launchpad.net/bugs/1939915

Title:
  memory leaking when removing a profile

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Focal:
  Fix Committed

Bug description:
  There's a memory leak in the kernel when removing a profile.
  A simple reproducible example:

  root@ubuntu:~# echo "profile foo {}" > profile
  root@ubuntu:~# apparmor_parser profile
  root@ubuntu:~# apparmor_parser -R profile
  root@ubuntu:~# echo scan > /sys/kernel/debug/kmemleak
  root@ubuntu:~# cat /sys/kernel/debug/kmemleak
  unreferenced object 0x99bcf5128bb0 (size 16):
    comm "apparmor_parser", pid 1318, jiffies 4295139856 (age 33.196s)
    hex dump (first 16 bytes):
  01 00 00 00 00 00 00 00 98 1f 01 fd bc 99 ff ff  
    backtrace:
  [] kmem_cache_alloc_trace+0xd8/0x1e0
  [<86ca7bd9>] aa_alloc_proxy+0x30/0x60
  [<0e34f34c>] aa_alloc_profile+0xd4/0x100
  [] unpack_profile+0x16f/0xe10
  [<19033e2b>] aa_unpack+0x119/0x500
  [] aa_replace_profiles+0x94/0xca0
  [<1833f520>] policy_update+0x124/0x1e0
  [<992f950e>] profile_load+0x7d/0xa0
  [] __vfs_write+0x1b/0x40
  [<4e709f5d>] vfs_write+0xb9/0x1a0
  [<280db840>] SyS_write+0x5e/0xe0
  [<14c5ab5d>] do_syscall_64+0x79/0x130
  [] entry_SYSCALL_64_after_hwframe+0x41/0xa6
  [<9d368497>] 0x

  This issue was already fixed upstream in 3622ad25d4d6 (v5.8-rc1~102^2).
  It still needs to be applied on xenial, bionic and focal.

  This issue could lead to an OOM and eventually a DoS. We could see this
  issue happening during a test in which snaps were disconnected and
  reconnected, causing the leak every time the profile was removed.
  Since it is a refcount issue, there could be a lot of memory involved
  because the whole profile would be leaked.
  Note that only privileged users can remove a profile.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1939915/+subscriptions




[Kernel-packages] [Bug 1939915] Re: memory leaking when removing a profile

2021-09-02 Thread Georgia Garcia
** Description changed:

  There's a memory leak in the kernel when removing a profile.
  A simple reproducible example:
  
  root@ubuntu:~# echo "profile foo {}" > profile
  root@ubuntu:~# apparmor_parser profile
  root@ubuntu:~# apparmor_parser -R profile
  root@ubuntu:~# echo scan > /sys/kernel/debug/kmemleak
  root@ubuntu:~# cat /sys/kernel/debug/kmemleak
  unreferenced object 0x99bcf5128bb0 (size 16):
    comm "apparmor_parser", pid 1318, jiffies 4295139856 (age 33.196s)
    hex dump (first 16 bytes):
  01 00 00 00 00 00 00 00 98 1f 01 fd bc 99 ff ff  
    backtrace:
  [] kmem_cache_alloc_trace+0xd8/0x1e0
  [<86ca7bd9>] aa_alloc_proxy+0x30/0x60
  [<0e34f34c>] aa_alloc_profile+0xd4/0x100
  [] unpack_profile+0x16f/0xe10
  [<19033e2b>] aa_unpack+0x119/0x500
  [] aa_replace_profiles+0x94/0xca0
  [<1833f520>] policy_update+0x124/0x1e0
  [<992f950e>] profile_load+0x7d/0xa0
  [] __vfs_write+0x1b/0x40
  [<4e709f5d>] vfs_write+0xb9/0x1a0
  [<280db840>] SyS_write+0x5e/0xe0
  [<14c5ab5d>] do_syscall_64+0x79/0x130
  [] entry_SYSCALL_64_after_hwframe+0x41/0xa6
  [<9d368497>] 0x
  
  This issue was already fixed upstream 3622ad25d4d6 v5.8-rc1~102^2
  It still needs to be applied on xenial, bionic and focal.
+ 
+ This issue could lead to a OOM and eventually DoS. We could see this
+ issue happening during a test in which snaps were disconnected and
+ reconnected, causing the leak every time the profile was removed.
+ Since it is a refcount issue, there could be a lot of memory involved
+ because the whole profile would be leaked.
+ Note that only privileged users can remove a profile.

-- 
https://bugs.launchpad.net/bugs/1939915

Title:
  memory leaking when removing a profile

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  In Progress
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Focal:
  Fix Committed





[Kernel-packages] [Bug 1890848] Re: 'ptrace trace' needed to readlink() /proc/*/ns/* files on older kernels

2021-08-20 Thread Georgia Garcia
Tested on bionic-proposed using the test binary that can be obtained in
the old description and it worked as expected:

root@ubuntu:~# gcc ./readlink-ns.c && sudo apparmor_parser -r 
./readlink-ns.apparmor && sudo aa-exec -p test -- ./a.out -p 1 -n pid
path: /proc/1/ns/pid
rpath: pid:[4026531836]
root@ubuntu:~# uname -a
Linux ubuntu 4.15.0-156-generic #163-Ubuntu SMP Thu Aug 19 23:31:58 UTC 2021 
x86_64 x86_64 x86_64 GNU/Linux

** Tags removed: verification-needed-bionic
** Tags added: verification-done-bionic

-- 
https://bugs.launchpad.net/bugs/1890848

Title:
  'ptrace trace' needed to readlink() /proc/*/ns/* files on older
  kernels

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Triaged
Status in linux source package in Bionic:
  Fix Committed

Bug description:
  SRU Justification:

  [Impact]
  Permission 'ptrace trace' is required to readlink() /proc/*/ns/*, when
  only 'ptrace read' should be required according to 'man namespaces':

  "Permission to dereference or read (readlink(2)) these symbolic links
  is governed by a ptrace access mode PTRACE_MODE_READ_FSCREDS check; see
  ptrace(2)."

  [Fix]

  Upstream commit 338d0be437ef10e247a35aed83dbab182cf406a2 fixes the ptrace
  read check.

  [Test Plan]

  BugLink contains the source of a binary that reproduces the issue. In
  summary, it executes readlink() on /proc/*/ns/*. There's also a policy
  that has only 'ptrace read' permission. When the bug is fixed,
  execution is allowed.

  [Where problems could occur]

  The regression potential can be considered low, since the change lowers
  the number of permissions required. Existing policies that already contain
  both the 'ptrace trace' and 'ptrace read' permissions will have a broader
  policy than required.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1890848/+subscriptions
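
A complete, stand-alone version of the check the Test Plan's binary performs, added here as an example; it is not the readlink-ns.c attached to the bug (that source appears in the description-change mail further down this thread, with its #include lines lost in the archive), although it takes the same -p/-n flags shown in the verification transcript. The helper names format_ns_path, readlink_ns and target_looks_valid are my own. Run it under a profile that grants only `ptrace (read) peer="unconfined",` (the readlink-ns.apparmor policy quoted in the bug): on a kernel with the fix it prints the `pid:[<inode>]` target, on an affected 4.15 kernel readlink() fails with "Permission denied" and the audit log shows a denied `trace` request, which is the quickest way to confirm whether an SRU kernel carries 338d0be437ef.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Build "/proc/<pid>/ns/<ns>" into buf. Returns 0 on success, -1 when ns is
 * empty or the path does not fit (the truncation check of the reproducer,
 * surfaced as a return value so it can be tested). Helper name is mine. */
int format_ns_path(char *buf, size_t len, pid_t pid, const char *ns)
{
    if (ns == NULL || ns[0] == '\0')
        return -1;
    int n = snprintf(buf, len, "/proc/%d/ns/%s", (int)pid, ns);
    if (n < 0 || (size_t)n >= len)
        return -1;
    return 0;
}

/* Dereference the namespace link of <pid>. Returns 0 and stores the
 * "type:[inode]" target in out, or -1 with errno set. Under AppArmor an
 * insufficient ptrace permission surfaces here as EACCES. Helper name is mine. */
int readlink_ns(pid_t pid, const char *ns, char *out, size_t len)
{
    char path[PATH_MAX];

    if (len == 0) {
        errno = EINVAL;
        return -1;
    }
    if (format_ns_path(path, sizeof path, pid, ns) < 0) {
        errno = ENAMETOOLONG;
        return -1;
    }
    ssize_t n = readlink(path, out, len - 1);
    if (n < 0)
        return -1;
    out[n] = '\0';
    return 0;
}

/* 1 if target has the "<ns>:[<digits>]" shape the kernel produces, else 0. */
int target_looks_valid(const char *target, const char *ns)
{
    size_t l = strlen(ns);
    size_t tl = strlen(target);

    if (tl <= l + 2)
        return 0;
    return strncmp(target, ns, l) == 0
        && strncmp(target + l, ":[", 2) == 0
        && target[tl - 1] == ']';
}

static void usage(void)
{
    fprintf(stderr, "Usage: readlink-ns -p <pid> -n <namespace>\n");
}

int main(int argc, char *argv[])
{
    pid_t pid = 0;
    const char *ns = NULL;
    int c;

    while ((c = getopt(argc, argv, "hn:p:")) != -1) {
        switch (c) {
        case 'n': ns = optarg; break;
        case 'p': pid = (pid_t)atoi(optarg); break;
        case 'h': usage(); return 0;
        default:  usage(); return 1;
        }
    }
    if (ns == NULL) {
        usage();
        return 1;
    }

    char path[PATH_MAX], rpath[PATH_MAX];
    if (format_ns_path(path, sizeof path, pid, ns) < 0) {
        fprintf(stderr, "cannot format string\n");
        return 1;
    }
    printf("path:  %s\n", path);

    if (readlink_ns(pid, ns, rpath, sizeof rpath) < 0) {
        perror("readlink()");   /* "Permission denied" on an unfixed kernel */
        return 1;
    }
    printf("rpath: %s\n", rpath);
    return 0;
}
```

Build with `gcc readlink-ns.c`, load the policy with `apparmor_parser -r`, then run `aa-exec -p test -- ./a.out -p 1 -n pid` as in the transcript above; a successful run against pid 1 from a confined process is the positive result, and a denial should be cross-checked against `requested_mask="trace"` in the audit log rather than assumed to be this bug.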




[Kernel-packages] [Bug 1890848] Re: 'ptrace trace' needed to readlink() /proc/*/ns/* files on older kernels

2021-07-16 Thread Georgia Garcia
From the commits mentioned that solve the issue, 338d0be437ef was not
available on 4.15 kernels. The cherry-pick was submitted to the kernel
team for approval.

** Description changed:

- Per 'man namespaces':
+ SRU Justification:
  
- "Permission to dereference or read (readlink(2)) these symbolic links is
- governed by a ptrace access mode PTRACE_MODE_READ_FSCREDS check; see
+ [Impact]
+ Permission 'ptrace trace' is required to readlink() /proc/*/ns/*, when
+ only 'ptrace read' should be required according to 'man namespaces':
+ 
+ "Permission to dereference or read (readlink(2)) these symbolic links
+ is governed by a ptrace access mode PTRACE_MODE_READ_FSCREDS check; see
  ptrace(2)."
  
- This suggests that a 'ptrace read' rule should be sufficient to
- readlink() /proc/*/ns/*, which is the case with 5.4.0-42.46-generic
- (Ubuntu 20.04 LTS).
+ [Fix]
  
- However, on Ubuntu 18.04 LTS and 16.04 LTS, 'ptrace trace' is needed.
- Here is a reproducer:
+ Upstream commit 338d0be437ef10e247a35aed83dbab182cf406a2 fixes ptrace
+ read check.
  
- $ cat ./readlink-ns.c
- #include 
- #include 
- #include 
- #include 
- #include 
- #include 
- #include 
+ [Test Plan]
  
- void usage() {
-   fprintf(stderr, "Usage: readlink-ns -p  -n \n");
- }
+ BugLink contains the source of a binary that reproduces the issue. In
+ summary, it executes readlink() on /proc/*/ns/*. There's also a policy
+ that has only 'ptrace read' permission. When the bug is fixed,
+ execution is allowed.
  
- int main(int argc, char *argv[])
- {
-   pid_t pid = 0;
-   char *ns = NULL;
-   char path[PATH_MAX] = {};
-   char rpath[PATH_MAX] = {};
-   int c;
+ [Where problems could occur]
  
-   while ((c = getopt(argc, argv, "hn:p:")) != -1) {
-   switch(c) {
-   case 'n':
-   ns = optarg;
-   break;
-   case 'p':
-   pid = atoi(optarg);
-   break;
-   case 'h':
-   usage();
-   return 0;
-   case '?':
-   usage();
-   return 1;
-   default:
-   return 1;
-   }
-   }
- 
-   int n = snprintf(path, sizeof(path), "/proc/%d/ns/%s", pid, ns);
-   if (n < 0 || (size_t)n >= sizeof(path)) {
-   fprintf(stderr, "cannot format string\n");
-   return 1;
-   }
-   path[n] = '\0';
-   printf("path:  %s\n", path);
- 
-   n = readlink(path, rpath, sizeof(rpath));
-   if (n < 0) {
-   perror("readlink()");
-   return 1;
-   } else if (n == sizeof(rpath)) {
-   fprintf(stderr, "cannot readlink()\n");
-   return 1;
-   }
-   printf("rpath: %s\n", rpath);
- 
-   return 0;
- }
- 
- $ cat ./readlink-ns.apparmor
- #include 
- 
- profile test {
-   #include 
- 
-   # focal
-   ptrace (read) peer="unconfined",
- 
-   # xenial, bionic
-   #ptrace (trace) peer="unconfined",
- }
- 
- 
- # bionic and xenial need 'ptrace trace'
- $ gcc ./readlink-ns.c && sudo apparmor_parser -r ./readlink-ns.apparmor && 
sudo aa-exec -p test -- ./a.out -p 1 -n pid
- path:  /proc/1/ns/pid
- readlink(): Permission denied
- 
- Denial:
- Aug 07 14:40:59 sec-bionic-amd64 kernel: audit: type=1400 
audit(1596829259.675:872): apparmor="DENIED" operation="ptrace" profile="test" 
pid=1311 comm="a.out" requested_mask="trace" denied_mask="trace" 
peer="unconfined"
- 
- 
- # focal needs only 'ptrace read'
- $ gcc ./readlink-ns.c && sudo apparmor_parser -r ./readlink-ns.apparmor && 
sudo aa-exec -p test -- ./a.out -p 1 -n pid
- path:  /proc/1/ns/pid
- rpath: pid:[4026531836]
+ The regression can be considered as low, since it's lowering the number
+ of permissions required. Existing policies that already contain the
+ permission 'ptrace trace' and 'ptrace read' will have a broader policy
+ than required.

-- 
https://bugs.launchpad.net/bugs/1890848

Title:
  'ptrace trace' needed to readlink() /proc/*/ns/* files on older
  kernels

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Triaged
Status in linux source package in Bionic:
  Triaged

Bug description:
  SRU Justification:

  [Impact]
  Permission 'ptrace trace' is required to readlink() /proc/*/ns/*, when
  only 'ptrace read' should be required according to 'man namespaces':

  "Permission to dereference or read (readlink(2)) these symbolic links
  is governed by a ptrace access mode PTRACE_MODE_READ_FSCREDS check; see
  ptrace(2)."

  [Fix]

  Upstream commit 338d0be437ef10e247a35aed83dbab182cf406a2 fixes ptrace
  read check.

  [Test Plan]

  BugLink contains the source of