[Kernel-packages] [Bug 1558553] Re: IMA-appraisal is unusable in Ubuntu 16.04

2016-04-08 Thread Mehmet Kayaalp
This trivial patch reduces the clutter from build output.

** Patch added: "0002-KEYS-Print-insert-sys-cert-information-to-stout-inst.patch"
   https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1558553/+attachment/4629381/+files/0002-KEYS-Print-insert-sys-cert-information-to-stout-inst.patch

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1558553

Title:
  IMA-appraisal is unusable in Ubuntu 16.04

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Released

Bug description:
  At some point, the IMA keyring changed from _ima to a trusted .ima
  keyring.   At that point, we couldn't add keys to the IMA keyring.
  Other distros import UEFI keys onto the system keyring.  Another
  method of loading keys on the system keyring is needed, which doesn't
  require the UEFI keys or rebuilding the kernel.

  To resolve this problem, the kernel should be built so that
  certificate memory is reserved and randomized.   Two patches are being
  upstreamed in this open window (linux-4.6):

  8e16789 KEYS: Use the symbol value for list size, updated by scripts/insert-sys-cert
  c4c3610 KEYS: Reserve an extra certificate symbol for inserting without recompiling

  We need to include these Kconfig options to reserve the memory:

  CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
  CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096

  An additional patch, which will be upstreamed, is needed to fill the
  reserved memory with random data before it is compressed.  (The patch
  is attached.)  After compiling the kernel with the reserved memory,
  the following build step is required:

  scripts/insert-sys-cert -b vmlinux -c /dev/null

  If you want to add a cert, the following command will unpack a
  bzImage, install the cert (DER format) in the vmlinuz, and repack the
  bzImage.

  scripts/insert-sys-cert -s  -z  -c 

  Contact Information = George Wilson  / Mimi Zohar
  

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1558553/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
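
A pre-flight check for the procedure in the bug description above, as an added example that is not part of the thread or of the kernel tree: it confirms that a kernel config reserves the extra certificate area and that a candidate certificate file looks like DER and fits within CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE. The function names, verdict strings and sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check before running scripts/insert-sys-cert.
# Function names, verdict strings and sample files are illustrative assumptions.

# Print the value of option $2 from kernel config file $1 (empty if not set).
kconfig_value() {
    sed -n "s/^$2=\(.*\)\$/\1/p" "$1" | tail -n 1
}

# Succeed if file $1 begins with 0x30, the ASN.1 SEQUENCE tag that opens a
# DER-encoded certificate (a PEM file begins with "-----BEGIN" instead).
is_der() {
    [ "$(dd if="$1" bs=1 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "30" ]
}

# check_extra_cert CONFIG CERT: print a verdict; return 0 only if CERT can fit.
check_extra_cert() {
    config=$1
    cert=$2
    if [ "$(kconfig_value "$config" CONFIG_SYSTEM_EXTRA_CERTIFICATE)" != "y" ]; then
        echo "no-reserved-area"; return 1
    fi
    reserved=$(kconfig_value "$config" CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE)
    case $reserved in
        ''|*[!0-9]*) echo "bad-size"; return 1 ;;
    esac
    if ! is_der "$cert"; then
        echo "not-der"; return 1
    fi
    size=$(wc -c < "$cert" | tr -d ' ')
    if [ "$size" -gt "$reserved" ]; then
        echo "too-large"; return 1
    fi
    echo "ok $size/$reserved"
}

# Constructed sample input: a config fragment carrying the two options from the
# bug description, and a 1200-byte dummy blob with a DER-style header (it is
# not a real certificate; only its first byte and length matter here).
demo_dir=$(mktemp -d)
printf '%s\n' 'CONFIG_SYSTEM_EXTRA_CERTIFICATE=y' \
    'CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096' > "$demo_dir/config"
{ printf '\060\202'; dd if=/dev/zero bs=1 count=1198 2>/dev/null; } > "$demo_dir/cert.der"
check_extra_cert "$demo_dir/config" "$demo_dir/cert.der"
rm -rf "$demo_dir"
```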


[Kernel-packages] [Bug 1558553] Re: IMA-appraisal is unusable in Ubuntu 16.04

2016-04-08 Thread Mehmet Kayaalp
This bug is not fixed yet, since the random bytes are not added to the
build. The attached patch fixes it by adding the step for inserting the
null key during build.

** Patch added: "0001-KEYS-Insert-incompressible-bytes-to-vmlinux-to-reser.patch"
   https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1558553/+attachment/4629379/+files/0001-KEYS-Insert-incompressible-bytes-to-vmlinux-to-reser.patch



[Kernel-packages] [Bug 1558553] Re: IMA-appraisal is unusable in Ubuntu 16.04

2016-03-21 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.4.0-15.31

---
linux (4.4.0-15.31) xenial; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1559252

  * Xilinx KU3 Capi card does not show up in Ubuntu  16.04 (LP: #1557001)
    - SAUCE: (noup) cxl: Allow initialization on timebase sync failures

  * policy namespace stacking (LP: #1379535)
    - Revert "UBUNTU: SAUCE: Move replacedby allocation into label_alloc"
    - Revert "UBUNTU: SAUCE: Fixup: __label_update() still doesn't handle some cases correctly."
    - Revert "UBUNTU: SAUCE: fix: audit "no_new_privs" case for exec failure"
    - Revert "UBUNTU: SAUCE: fixup: warning about aa_label_vec_find_or_create not being static"
    - Revert "UBUNTU: SAUCE: apparmor: fix refcount race when finding a child profile"
    - Revert "UBUNTU: SAUCE: fixup: cast poison values to remove warnings"
    - Revert "UBUNTU: SAUCE: fixup: get rid of unused var build warning"
    - Revert "UBUNTU: SAUCE: fixup: 20/23 locking issue around in __label_update"
    - Revert "UBUNTU: SAUCE: fixup: make __share_replacedby private to get rid of build warning"
    - Revert "UBUNTU: SAUCE: fix: replacedby forwarding is not being properly update when ns is destroyed"
    - Revert "UBUNTU: SAUCE: apparmor: fix log of apparmor audit message when kern_path() fails"
    - Revert "UBUNTU: SAUCE: fixup: cleanup return handling of labels"
    - Revert "UBUNTU: SAUCE: apparmor: fix: ref count leak when profile sha1 hash is read"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: query label file permission"
    - Revert "UBUNTU: SAUCE: apparmor: Don't remove label on rcu callback if the label has already been removed"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: break circular refcount for label that is directly freed."
    - Revert "UBUNTU: SAUCE: apparmor: Fix: refcount bug when inserting label update that transitions ns"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: now that insert can force replacement use it instead of remove_and_insert"
    - Revert "UBUNTU: SAUCE: apparmor Fix: refcount bug in pivotroot mediation"
    - Revert "UBUNTU: SAUCE: apparmor: ensure that repacedby sharing is done correctly"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: update replacedby allocation to take a gfp parameter"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: convert replacedby update to be protected by the labelset lock"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: add required locking of __aa_update_replacedby on merge path"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: deadlock in aa_put_label() call chain"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: label_vec_merge insertion"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: ensure new labels resulting from merge have a replacedby"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: refcount leak in aa_label_merge"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: refcount race between locating in labelset and get"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: label merge handling of marking unconfined and stale"
    - Revert "UBUNTU: SAUCE: apparmor: add underscores to indicate aa_label_next_not_in_set() use needs locking"
    - Revert "UBUNTU: SAUCE: apparmor: debug: POISON label and replaceby pointer on free"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: ensure aa_get_newest will trip debugging if the replacedby is not setup"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: insert race between label_update and label_merge"
    - Revert "UBUNTU: SAUCE: apparmor: rework retrieval of the current label in the profile update case"
    - Revert "UBUNTU: SAUCE: apparmor: Disallow update of cred when then subjective != the objective cred"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: oops do to invalid null ptr deref in label print fns"
    - Revert "UBUNTU: SAUCE: fix-up: kern_mount fail path should not be doing put_buffers()"
    - Revert "UBUNTU: SAUCE: apparmor: fix sleep from invalid context"
    - Revert "UBUNTU: SAUCE: (no-up): apparmor: fix for failed mediation of socket that is being shutdown"
    - Revert "UBUNTU: SAUCE: (no-up) apparmor: Fix incompatible pointer type warnings"
    - Revert "UBUNTU: SAUCE: (no-up) apparmor: fix mount not handling disconnected paths"
    - Revert "UBUNTU: SAUCE: (no-up): apparmor: fix mediation of fs unix sockets"
    - Revert "UBUNTU: apparmor -- follow change to this_cpu_ptr"
    - Revert "UBUNTU: SAUCE: (no-up) fix: bad unix_addr_fs macro"
    - Revert "UBUNTU: SAUCE: Revert: fix: only allow a single threaded process to ..."
    - Revert "UBUNTU: SAUCE: (no-up) apparmor: Sync to apparmor3 - RC1 snapshot"
    - Revert "UBUNTU: SAUCE: (no-up) apparmor: add parameter to control whether policy hashing is used"
    - SAUCE: (no-up) apparmor: sync of apparmor3.5-beta1 snapshot
    - SAUCE: add a sysctl to enable unprivileged user ns AppArmor policy loading

  * Add arm64 NUMA support (LP: #1558765)
    - SAUCE: (noup) efi: ARM/arm64: ignore DT memory nodes instead of removing them
    - SAUCE: 

[Kernel-packages] [Bug 1558553] Re: IMA-appraisal is unusable in Ubuntu 16.04

2016-03-19 Thread Tim Gardner
** Also affects: linux (Ubuntu Xenial)
   Importance: High
   Assignee: Canonical Kernel Team (canonical-kernel-team)
   Status: Triaged

** Changed in: linux (Ubuntu Xenial)
   Status: Triaged => In Progress

** Changed in: linux (Ubuntu Xenial)
   Assignee: Canonical Kernel Team (canonical-kernel-team) => Tim Gardner (timg-tpi)

** Changed in: linux (Ubuntu Xenial)
   Status: In Progress => Fix Committed



[Kernel-packages] [Bug 1558553] Re: IMA-appraisal is unusable in Ubuntu 16.04

2016-03-19 Thread Leann Ogasawara
** Package changed: ubuntu => linux (Ubuntu)

** Changed in: linux (Ubuntu)
   Importance: Undecided => High

** Changed in: linux (Ubuntu)
   Status: New => Triaged

** Changed in: linux (Ubuntu)
   Assignee: Taco Screen team (taco-screen-team) => Canonical Kernel Team (canonical-kernel-team)
