[Kernel-packages] [Bug 1658219] Re: flock not mediated by 'k'

2019-08-27 Thread Tyler Hicks
@mvo I don't understand why we'd add the "assumes" to the kernel's
snapcraft.yaml now since we're reverting the problematic AppArmor
commit. A kernel with the AppArmor commit will never be released to
stable (or -updates/-security) so I don't think that the "assumes"
workaround is needed any longer.

We decided to revert the commit rather than go down the "assumes" route
because the breakage would affect more than just snap confinement. It
also affects non-snap processes that are confined by AppArmor.

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1658219

Title:
  flock not mediated by 'k'

Status in AppArmor:
  In Progress
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Triaged
Status in linux source package in Yakkety:
  Won't Fix

Bug description:
  $ cat ./apparmor.profile
  #include

  profile test {
    #include

    /bin/bash ixr,
    /dev/pts/* rw,
    /usr/bin/flock ixr,
    # Not blocked:
    # aa-exec -p test -- flock -w 1 /tmp/test.lock -c true
    /tmp/test.lock rw,

  }

  $ sudo apparmor_parser -r ./apparmor.profile

  $ aa-exec -p test -- flock -w 1 /tmp/test.lock -c true && echo yes
  yes

  $ ls -l /tmp/test.lock 
  -rw-rw-r-- 1 jamie jamie 0 Jan 20 15:57 /tmp/test.lock

  The flock command uses flock(LOCK_EX) and I expected it to be blocked
  due to the lack of 'k'.

  apparmor userspace 2.10.95-0ubuntu2.5 (xenial) and 4.9.0-12.13-generic
  kernel on amd64.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1658219/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp


[Kernel-packages] [Bug 1658219] Re: flock not mediated by 'k'

2019-08-27 Thread Michael Vogt
Thanks Jamie! I looked into this from the snapd side and I think we
should do the following:

a) wait with the release of the *snap* until snapd 2.41 is released (scheduled
Sep 9, we can try to release sooner if it's critical)
b) add the following to the kernel snapcraft.yaml: "assumes: [snapd2.41]"

The addition in (b) will mean that snapd will not refresh the kernel
unless snapd 2.41 is available, which generates the right apparmor
profiles. The UX of this is not super great right now, i.e. when doing:
"snap refresh pc-kernel" with an older snapd the kernel will be
downloaded but it will error and not install the kernel. The error
message is sensible though. The background auto-refresh will behave in
the same way. However this should be ok as long as we make sure the
kernel is released after snapd 2.41 is available. Then pretty much
everyone will get the auto-refreshed core first. And even if things
happen out-of-order snapd will only install the kernel when snapd 2.41
is running.

Of course it would be even nicer if the store would understand "assumes:
[snapd2.41]" and only offer the refresh to devices that have snapd 2.41.
We do send the snapd version to the store when we do a refresh so in
theory all the pieces are in place AFAICT. Then we could error early
instead of having to download the snap first.



[Kernel-packages] [Bug 1658219] Re: flock not mediated by 'k'

2019-08-27 Thread Michael Vogt
If the kernel team could add the "assumes" to the edge kernel relatively
soon that would be great. Then we can do some extra testing to double
check that devices behave correctly when both core and kernel are
refreshed in the same transaction.



[Kernel-packages] [Bug 1658219] Re: flock not mediated by 'k'

2019-08-27 Thread Stefan Bader
Reverting the patch according to comment #20.

** Changed in: linux (Ubuntu Xenial)
   Status: Fix Committed => Triaged



[Kernel-packages] [Bug 1658219] Re: flock not mediated by 'k'

2019-08-26 Thread Jamie Strandboge
After discussing with Field, snapd, kernel and the security team, this
will break existing Ubuntu Core devices that use the 4.4 kernel and the
network-manager snap in the default channel (per reporter, the 1.10
channel is unaffected). Therefore, the 4.4 kernel snaps that include
this change (ie, 4.4.0-160.188 based) must not be promoted to stable at
this time.

The snapd team is investigating an idea to gate the kernel snap refresh
on snapd 2.41 (ie, that has the updated policy) and should know more
tomorrow. If it works, we'll coordinate with the kernel team for any
necessary changes.

While this change may still be suitable for the Ubuntu archive, I'm
marking it as verification-failed-xenial for now to ensure that
automated processes don't promote 4.4.0-160.188 to stable without
coordination.

** Tags removed: verification-done-xenial
** Tags added: verification-failed-xenial

Status in AppArmor:
  In Progress
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  Won't Fix



[Kernel-packages] [Bug 1658219] Re: flock not mediated by 'k'

2019-08-21 Thread Anthony Wong
The fix causes at least the network-manager to fail to work in Ubuntu
Core: https://bugs.launchpad.net/snapd/+bug/1840873



[Kernel-packages] [Bug 1658219] Re: flock not mediated by 'k'

2019-08-20 Thread daniel CURTIS
Hello.

I would like to note, that when Linux kernel has been updated to
4.4.0-160.188 version[1] (with, among others, patches for LP:#1658219
and LP:#1838090), I've had to update a few profiles (such as Audacious,
Parole, Xorg, Logrotate etc.), because of a lot of "DENIED" entries in
system log files. If it's about access controls (vide
'requested{denied}_mask'): most new rules required 'm' (memory map as
executable), but some of them needed 'k' (file locking) etc.

However, it seems everything is okay now and I hope, that there will be
no such issues anymore. Anyway, Mr Tyler Hicks was right: "users with
custom policy have some reasonable expectation that upgrading to the new
Ubuntu release or kernel version will require them to update their
custom policy".

By the way, what is the impact of these changes? (I mean LP:#1658219 and
LP:#1838090). Does it mean that now, use of 'm' and 'k' access is
secured/restricted/checked correctly by AppArmor? And one more thing:
this problem is related to v4.4 kernel only, right?


Thanks, best regards.
__
[1] https://launchpad.net/ubuntu/+source/linux/4.4.0-160.188

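A triage helper for the profile updates described in the message above, added here as an example (it is not code from the bug report or from the AppArmor project): it scans kernel audit lines for AppArmor denials whose `denied_mask` contains `k` or `m` and groups them per profile and path. The log lines, profile names and paths are constructed samples; the `key="value"` layout is assumed to follow the usual `apparmor="DENIED"` audit record.

```python
import re
from collections import defaultdict

# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample records (not taken from the bug report). The fourth one
# carries a hex-encoded name, which audit uses for paths containing spaces.
_HEX_NAME = "/var/lib/log rotate/status".encode().hex().upper()
SAMPLE_LOG = "\n".join([
    'kernel: audit: type=1400 audit(1566295262.101:31): apparmor="DENIED" '
    'operation="file_lock" profile="/usr/bin/audacious" '
    'name="/home/user/.config/audacious/lock" pid=2101 comm="audacious" '
    'requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000',
    'kernel: audit: type=1400 audit(1566295265.220:32): apparmor="DENIED" '
    'operation="file_mmap" profile="/usr/bin/parole" '
    'name="/usr/lib/example/plugin.so" pid=2140 comm="parole" '
    'requested_mask="m" denied_mask="m" fsuid=1000 ouid=0',
    'kernel: audit: type=1400 audit(1566295269.007:33): apparmor="DENIED" '
    'operation="open" profile="/usr/bin/parole" name="/etc/shadow" '
    'pid=2140 comm="parole" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'kernel: audit: type=1400 audit(1566295272.450:34): apparmor="DENIED" '
    'operation="file_lock" profile="/usr/sbin/logrotate" '
    f'name={_HEX_NAME} pid=2200 comm="logrotate" '
    'requested_mask="wk" denied_mask="k" fsuid=0 ouid=0',
    'kernel: audit: type=1400 audit(1566295273.450:35): apparmor="DENIED" '
    'operation="file_lock" profile="/usr/bin/audacious" '
    'name="/home/user/.config/audacious/lock" pid=2101 comm="audacious" '
    'requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000',
])


def parse_record(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        if raw.startswith('"'):
            fields[key] = raw[1:-1]
        elif key == "name" and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", raw):
            # Unquoted name: hex-encoded because the path had a space or
            # another character audit will not print verbatim.
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            fields[key] = raw
    return fields


def collect_denials(lines, perms="km"):
    """Map profile -> path -> set of denied permissions, limited to `perms`."""
    wanted = set(perms)
    denials = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_record(line)
        if not rec or "profile" not in rec or "name" not in rec:
            continue
        hit = wanted & set(rec.get("denied_mask", ""))
        if hit:
            denials[rec["profile"]][rec["name"]] |= hit
    return {profile: dict(paths) for profile, paths in denials.items()}


def suggest_rules(denials):
    """Render candidate rule lines per profile, for review before merging."""
    out = []
    for profile in sorted(denials):
        out.append(f"# profile {profile}")
        for path in sorted(denials[profile]):
            perms = "".join(sorted(denials[profile][path]))
            # AppArmor policy requires quoting for paths that contain spaces.
            quoted = f'"{path}"' if " " in path else path
            out.append(f"  {quoted} {perms},")
    return out


if __name__ == "__main__":
    print("\n".join(suggest_rules(collect_denials(SAMPLE_LOG.splitlines()))))
```

Each suggested line is a candidate to merge into the existing rule for that path after checking that the lock or executable mapping is expected for the confined program.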


[Kernel-packages] [Bug 1658219] Re: flock not mediated by 'k'

2019-08-12 Thread Khaled El Mously
** Changed in: linux (Ubuntu Xenial)
   Status: Confirmed => Fix Committed



[Kernel-packages] [Bug 1658219] Re: flock not mediated by 'k'

2019-08-04 Thread John Johansen
** Changed in: linux (Ubuntu Xenial)
   Status: Triaged => Confirmed

Status in AppArmor:
  In Progress
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Confirmed
Status in linux source package in Yakkety:
  Won't Fix



[Kernel-packages] [Bug 1658219] Re: flock not mediated by 'k'

2019-07-24 Thread Brad Figg
** Tags added: cscc



Re: [Kernel-packages] [Bug 1658219] Re: flock not mediated by 'k'

2019-04-03 Thread Tyler Hicks
On 2019-04-03 03:06:09, thighland wrote:
> I encountered this issue on xenial after updating to Azure's 4.15 kernel
> for testing. We started encountering an apparmor deny which doesn't
> happen on the latest 4.4 kernel. I had missed setting the k flag for a
> policy, and everything worked on the new kernel once we fixed the
> policy.
> 
> Given that this bug leads to incorrect enforcement of policy does it
> make sense to release a fix for xenial?

I spoke with John Johansen and Jamie Strandboge about this today. We all
agree that it would be really nice to backport the fix but,
unfortunately, it is also very risky.

Any time that we begin mediating an operation, it requires policy to be
updated to allow the operation in the appropriate profiles. This
typically happens during the development cycle of Ubuntu when we are
landing a new version of the kernel. This gives us sufficient testing,
by the time the Ubuntu release happens, in order to sort out any
problems. Also, users with custom policy have some reasonable
expectation that upgrading to the new Ubuntu release or kernel version
will require them to update their custom policy.

In this situation, we'd be mediating locking after Ubuntu 16.04 has been
released and in use for 3 years. It is quite likely to result in broken
systems after the kernel update. We may be able to sort out all the
problems with profiles shipped as part of the distro but obviously could
not fix custom AppArmor policies that users have implemented.

We'll give it some more thought to see if it is something that we can
safely backport to the 4.4 kernel but at this time the feeling is that
it is too likely to regress users.



[Kernel-packages] [Bug 1658219] Re: flock not mediated by 'k'

2019-04-02 Thread thighland
I encountered this issue on xenial after updating to Azure's 4.15 kernel
for testing. We started encountering an apparmor deny which doesn't
happen on the latest 4.4 kernel. I had missed setting the k flag for a
policy, and everything worked on the new kernel once we fixed the
policy.

Given that this bug leads to incorrect enforcement of policy does it
make sense to release a fix for xenial?



[Kernel-packages] [Bug 1658219] Re: flock not mediated by 'k'

2017-03-30 Thread John Johansen
Note: this bug affects more than just lock mediation permissions. It at
a minimum can also affect the mmap executable (m) permission.

Further work is required to resubmit this fix

Status in AppArmor:
  In Progress
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Triaged
Status in linux source package in Yakkety:
  Triaged



[Kernel-packages] [Bug 1658219] Re: flock not mediated by 'k'

2017-03-30 Thread Stefan Bader
** Changed in: linux (Ubuntu Yakkety)
   Status: Fix Released => Triaged



[Kernel-packages] [Bug 1658219] Re: flock not mediated by 'k'

2017-03-29 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.8.0-45.48

---
linux (4.8.0-45.48) yakkety; urgency=low

  * CVE-2017-7184
    - xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window
    - xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder

 -- Stefan Bader   Fri, 24 Mar 2017 12:03:39 +0100

** Changed in: linux (Ubuntu Yakkety)
   Status: Triaged => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7184

Status in AppArmor:
  In Progress
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Triaged
Status in linux source package in Yakkety:
  Fix Released



[Kernel-packages] [Bug 1658219] Re: flock not mediated by 'k'

2017-03-28 Thread Stefan Bader
Not fixed because we had to revert the commits due to various
regressions.

** Changed in: linux (Ubuntu Xenial)
   Status: Fix Released => Triaged

** Changed in: linux (Ubuntu Yakkety)
   Status: Fix Released => Triaged



[Kernel-packages] [Bug 1658219] Re: flock not mediated by 'k'

2017-03-02 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.8.0-40.43

---
linux (4.8.0-40.43) yakkety; urgency=low

  * linux: 4.8.0-40.43 -proposed tracker (LP: #1667066)

  [ Andy Whitcroft ]
  * NFS client : permission denied when trying to access subshare, since kernel
    4.4.0-31 (LP: #1649292)
    - fs: Better permission checking for submounts

  * shaking screen  (LP: #1651981)
    - drm/radeon: drop verde dpm quirks

  * [0bda:0328] Card reader failed after S3 (LP: #1664809)
    - usb: hub: Wait for connection to be reestablished after port reset

  * linux-lts-xenial 4.4.0-63.84~14.04.2 ADT test failure with linux-lts-xenial
    4.4.0-63.84~14.04.2 (LP: #1664912)
    - SAUCE: apparmor: fix link auditing failure due to, uninitialized var

  * In Ubuntu 17.04 : after reboot getting message in console like Unable to
    open file: /etc/keys/x509_ima.der (-2) (LP: #1656908)
    - SAUCE: ima: Downgrade error to warning

  * 16.04.2: Extra patches for POWER9 (LP: #1664564)
    - powerpc/mm: Fix no execute fault handling on pre-POWER5
    - powerpc/mm: Fix spurrious segfaults on radix with autonuma

  * ibmvscsis: Add SGL LIMIT (LP: #1662551)
    - ibmvscsis: Add SGL limit

  * [Hyper-V] Bug fixes for storvsc (tagged queuing, error conditions)
    (LP: #1663687)
    - scsi: storvsc: Enable tracking of queue depth
    - scsi: storvsc: Remove the restriction on max segment size
    - scsi: storvsc: Enable multi-queue support
    - scsi: storvsc: use tagged SRB requests if supported by the device
    - scsi: storvsc: properly handle SRB_ERROR when sense message is present
    - scsi: storvsc: properly set residual data length on errors

  * Ubuntu16.10-KVM:Big configuration with multiple guests running SRIOV VFs
    caused KVM host hung and all KVM guests down. (LP: #1651248)
    - KVM: PPC: Book 3S: XICS cleanup: remove XICS_RM_REJECT
    - KVM: PPC: Book 3S: XICS: correct the real mode ICP rejecting counter
    - KVM: PPC: Book 3S: XICS: Fix potential issue with duplicate IRQ resends
    - KVM: PPC: Book 3S: XICS: Implement ICS P/Q states
    - KVM: PPC: Book 3S: XICS: Don't lock twice when checking for resend

  * ISST-LTE:pNV: ppc64_cpu command is hung w HDs, SSDs and NVMe (LP: #1662666)
    - blk-mq: Avoid memory reclaim when remapping queues
    - blk-mq: Fix failed allocation path when mapping queues
    - blk-mq: Always schedule hctx->next_cpu

  * systemd-udevd hung in blk_mq_freeze_queue_wait testing unpartitioned NVMe
    drive (LP: #1662673)
    - percpu-refcount: fix reference leak during percpu-atomic transition

  * [Yakkety SRU] Enable KEXEC support in ARM64 kernel (LP: #1662554)
    - [Config] Enable KEXEC support in ARM64.

  * [Hyper-V] Fix ring buffer handling to avoid host throttling (LP: #1661430)
    - Drivers: hv: vmbus: On write cleanup the logic to interrupt the host
    - Drivers: hv: vmbus: On the read path cleanup the logic to interrupt the
      host
    - Drivers: hv: vmbus: finally fix hv_need_to_signal_on_read()

  * brd module compiled as built-in (LP: #1593293)
    - CONFIG_BLK_DEV_RAM=m

  * regession tests failing after stackprofile test is run (LP: #1661030)
    - SAUCE: fix regression with domain change in complain mode

  * Permission denied and inconsistent behavior in complain mode with 'ip netns
    list' command (LP: #1648903)
    - SAUCE: fix regression with domain change in complain mode

  * flock not mediated by 'k' (LP: #1658219)
    - SAUCE: apparmor: flock mediation is not being enforced on cache check

  * unexpected errno=13 and disconnected path when trying to open /proc/1/ns/mnt
from a unshared mount namespace (LP: #1656121)
- SAUCE: apparmor: null profiles should inherit parent control flags

  * apparmor refcount leak of profile namespace when removing profiles
(LP: #1660849)
- SAUCE: apparmor: fix ns ref count link when removing profiles from policy

  * tor in lxd: apparmor="DENIED" operation="change_onexec"
namespace="root//CONTAINERNAME_" profile="unconfined"
name="system_tor" (LP: #1648143)
- SAUCE: apparmor: Fix no_new_privs blocking change_onexec when using 
stacked
  namespaces

  * apparmor_parser hangs indefinitely when called by multiple threads
(LP: #1645037)
- SAUCE: apparmor: fix lock ordering for mkdir

  * apparmor leaking securityfs pin count (LP: #1660846)
- SAUCE: apparmor: fix leak on securityfs pin count

  * apparmor reference count leak when securityfs_setup_d_inode\ () fails
(LP: #1660845)
- SAUCE: apparmor: fix reference count leak when securityfs_setup_d_inode()
  fails

  * apparmor not checking error if security_pin_fs() fails (LP: #1660842)
- SAUCE: apparmor: fix not handling error case when securityfs_pin_fs() 
fails

  * apparmor oops in bind_mnt when dev_path lookup fails (LP: #1660840)
- SAUCE: apparmor: fix oops in bind_mnt when dev_path lookup fails

  * apparmor  auditing denied access of special apparmor .null fi\ le
(LP: #1660836)
- SAUCE: apparmor: 

[Kernel-packages] [Bug 1658219] Re: flock not mediated by 'k'

2017-03-02 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.4.0-65.86

---
linux (4.4.0-65.86) xenial; urgency=low

  * linux: 4.4.0-65.86 -proposed tracker (LP: #1667052)

  [ Stefan Bader ]
  * Upgrade Redpine RS9113 driver to support AP mode (LP: #1665211)
    - SAUCE: Redpine driver to support Host AP mode

  * NFS client : permission denied when trying to access subshare, since kernel
    4.4.0-31 (LP: #1649292)
    - fs: Better permission checking for submounts

  * [Hyper-V] SAUCE: pci-hyperv fixes for SR-IOV on Azure (LP: #1665097)
    - SAUCE: PCI: hv: Fix wslot_to_devfn() to fix warnings on device removal
    - SAUCE: pci-hyperv: properly handle pci bus remove
    - SAUCE: pci-hyperv: lock pci bus on device eject

  * [Hyper-V/Azure] Please include Mellanox OFED drivers in Azure kernel and
    image (LP: #1650058)
    - net/mlx4_en: Fix bad WQE issue
    - net/mlx4_core: Fix racy CQ (Completion Queue) free
    - net/mlx4_core: Fix when to save some qp context flags for dynamic VST to VGT
      transitions
    - net/mlx4_core: Avoid command timeouts during VF driver device shutdown

  * Xenial update to v4.4.49 stable release (LP: #1664960)
    - ARC: [arcompact] brown paper bag bug in unaligned access delay slot fixup
    - selinux: fix off-by-one in setprocattr
    - Revert "x86/ioapic: Restore IO-APIC irq_chip retrigger callback"
    - cpumask: use nr_cpumask_bits for parsing functions
    - hns: avoid stack overflow with CONFIG_KASAN
    - ARM: 8643/3: arm/ptrace: Preserve previous registers for short regset
      write
    - target: Don't BUG_ON during NodeACL dynamic -> explicit conversion
    - target: Use correct SCSI status during EXTENDED_COPY exception
    - target: Fix early transport_generic_handle_tmr abort scenario
    - target: Fix COMPARE_AND_WRITE ref leak for non GOOD status
    - ARM: 8642/1: LPAE: catch pending imprecise abort on unmask
    - mac80211: Fix adding of mesh vendor IEs
    - netvsc: Set maximum GSO size in the right place
    - scsi: zfcp: fix use-after-free by not tracing WKA port open/close on failed
      send
    - scsi: aacraid: Fix INTx/MSI-x issue with older controllers
    - scsi: mpt3sas: disable ASPM for MPI2 controllers
    - xen-netfront: Delete rx_refill_timer in xennet_disconnect_backend()
    - ALSA: seq: Fix race at creating a queue
    - ALSA: seq: Don't handle loop timeout at snd_seq_pool_done()
    - drm/i915: fix use-after-free in page_flip_completed()
    - Linux 4.4.49

  * NFS client : kernel 4.4.0-57 crash with nfsv4 enries in /etc/fstab
    (LP: #1650336)
    - SUNRPC: fix refcounting problems with auth_gss messages.

  * [0bda:0328] Card reader failed after S3 (LP: #1664809)
    - usb: hub: Wait for connection to be reestablished after port reset

  * linux-lts-xenial 4.4.0-63.84~14.04.2 ADT test failure with linux-lts-xenial
    4.4.0-63.84~14.04.2 (LP: #1664912)
    - SAUCE: apparmor: fix link auditing failure due to, uninitialized var

  * ibmvscsis: Add SGL LIMIT (LP: #1662551)
    - ibmvscsis: Add SGL limit

  * [Hyper-V] Bug fixes for storvsc (tagged queuing, error conditions)
    (LP: #1663687)
    - scsi: storvsc: Enable tracking of queue depth
    - scsi: storvsc: Remove the restriction on max segment size
    - scsi: storvsc: Enable multi-queue support
    - scsi: storvsc: use tagged SRB requests if supported by the device
    - scsi: storvsc: properly handle SRB_ERROR when sense message is present
    - scsi: storvsc: properly set residual data length on errors

  * ISST-LTE:pNV: ppc64_cpu command is hung w HDs, SSDs and NVMe (LP: #1662666)
    - blk-mq: Avoid memory reclaim when remapping queues
    - blk-mq: Fix failed allocation path when mapping queues

  * Possible missing firmware /lib/firmware/i915/kbl_dmc_ver1.bin for module
    i915_bpo (LP: #1624164)
    - SAUCE: i915_bpo: Remove MODULE_FIRMWARE statement for
      i915/kbl_dmc_ver1.bin

  * Intel I210 ethernet does not work both after S3 (LP: #1662763)
    - igb: implement igb_ptp_suspend
    - igb: call igb_ptp_suspend during suspend/resume cycle

  * [Hyper-V] Fix ring buffer handling to avoid host throttling (LP: #1661430)
    - Drivers: hv: vmbus: On write cleanup the logic to interrupt the host
    - Drivers: hv: vmbus: On the read path cleanup the logic to interrupt the
      host
    - Drivers: hv: vmbus: finally fix hv_need_to_signal_on_read()

  * brd module compiled as built-in (LP: #1593293)
    - [Config] CONFIG_BLK_DEV_RAM=m

  * regession tests failing after stackprofile test is run (LP: #1661030)
    - SAUCE: fix regression with domain change in complain mode

  * Permission denied and inconsistent behavior in complain mode with 'ip netns
    list' command (LP: #1648903)
    - SAUCE: fix regression with domain change in complain mode

  * flock not mediated by 'k' (LP: #1658219)
    - SAUCE: apparmor: flock mediation is not being enforced on cache check

  * unexpected errno=13 and disconnected path when trying to open /proc/1/ns/mnt
    from a unshared mount

[Kernel-packages] [Bug 1658219] Re: flock not mediated by 'k'

2017-02-27 Thread Jamie Strandboge
4.4.0-65.86-generic fixes this issue on xenial.

** Tags removed: verification-needed-xenial verification-needed-yakkety
** Tags added: verification-done-xenial verification-done-yakkety

Status in AppArmor:
  In Progress
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  Fix Committed


[Kernel-packages] [Bug 1658219] Re: flock not mediated by 'k'

2017-02-27 Thread Jamie Strandboge
4.8.0-40.43-generic fixes this issue on yakkety.

Status in AppArmor:
  In Progress
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  Fix Committed


[Kernel-packages] [Bug 1658219] Re: flock not mediated by 'k'

2017-02-27 Thread Jamie Strandboge
4.10.0-8.10-generic has the fix for this bug so marking the zesty task
as released.

** Changed in: linux (Ubuntu)
   Status: Incomplete => Fix Released

** Changed in: apparmor
   Status: Triaged => In Progress

** Changed in: apparmor
 Assignee: (unassigned) => John Johansen (jjohansen)

Status in AppArmor:
  In Progress
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  Fix Committed


[Kernel-packages] [Bug 1658219] Re: flock not mediated by 'k'

2017-02-27 Thread Brad Figg
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-xenial' to 'verification-done-xenial'. If the
problem still exists, change the tag 'verification-needed-xenial' to
'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!


** Tags added: verification-needed-xenial

** Tags added: verification-needed-yakkety

Status in AppArmor:
  Triaged
Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  Fix Committed


[Kernel-packages] [Bug 1658219] Re: flock not mediated by 'k'

2017-02-27 Thread Brad Figg
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-yakkety' to 'verification-done-yakkety'. If the
problem still exists, change the tag 'verification-needed-yakkety' to
'verification-failed-yakkety'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!

Status in AppArmor:
  Triaged
Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  Fix Committed


[Kernel-packages] [Bug 1658219] Re: flock not mediated by 'k'

2017-02-23 Thread Thadeu Lima de Souza Cascardo
** Changed in: linux (Ubuntu Yakkety)
   Status: New => Fix Committed

** Changed in: linux (Ubuntu Xenial)
   Status: New => Fix Committed

Status in AppArmor:
  Triaged
Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  Fix Committed


[Kernel-packages] [Bug 1658219] Re: flock not mediated by 'k'

2017-02-23 Thread Brad Figg
** Also affects: linux (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

Status in AppArmor:
  Triaged
Status in linux package in Ubuntu:
  New
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  Fix Committed
