[Kernel-packages] [Bug 2040194] Re: apparmor restricts read access of user namespace mediation sysctls to root
Ubuntu 23.10 (Mantic Minotaur) has reached end of life, so this bug will not be fixed for that specific release.

** Changed in: linux (Ubuntu Mantic)
   Status: Fix Committed => Won't Fix

-- 
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2040194

Title:
  apparmor restricts read access of user namespace mediation sysctls to root

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Mantic:
  Won't Fix

Bug description:
  lxc and lxd currently need to determine if the apparmor restrictions on unprivileged user namespaces are being enforced, so that apparmor restrictions won't break lxc/d, and they won't clutter the logs by doing something like unshare true to test if the restrictions are being enforced.

  Ideally access to this information would be restricted so that any unknown access would be logged, but lxc/d currently aren't ready for this, so in order to _not_ force lxc/d to probe whether enforcement is enabled, open up read access to the sysctls for unprivileged user namespace mediation.

  https://github.com/canonical/lxd/issues/11920#issuecomment-1756110109

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2040194/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
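The bug description above explains why lxc/lxd want to read these sysctls rather than probe with unshare true. As an added example (not code from the bug report, lxc or lxd), here is a probe that classifies the user namespace restriction state from what an unprivileged reader can see; the sysctl names are those in the verification listings elsewhere in this thread, while the sysctl_dir parameter, the constructed temp-dir helper and the complain-mode semantics are assumptions so it runs offline.

```python
"""Probe AppArmor's unprivileged user namespace sysctls by reading them, the
approach this bug enables for lxc/lxd instead of running `unshare true` and
leaving denials in the audit log.  Added example for this thread, not code
from the bug report, lxc or lxd; assumes only the sysctl names in the
verification listings.  `sysctl_dir` is a hypothetical parameter so the
logic can run against a constructed directory instead of /proc/sys/kernel."""
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, Optional

SYSCTL_DIR = "/proc/sys/kernel"
USERNS_SYSCTLS = (  # names from the `ll /proc/sys/kernel/*unprivileged*` output
    "apparmor_restrict_unprivileged_userns",
    "apparmor_restrict_unprivileged_unconfined",
    "apparmor_restrict_unprivileged_userns_complain",
    "apparmor_restrict_unprivileged_userns_force",
    "unprivileged_userns_apparmor_policy",
    "unprivileged_userns_clone",
)


@dataclass(frozen=True)
class SysctlState:
    name: str
    present: bool          # file exists in sysctl_dir
    readable: bool         # this process could open and read it
    value: Optional[int]   # parsed integer; None if unreadable or non-numeric


def read_sysctl(name: str, sysctl_dir: str = SYSCTL_DIR) -> SysctlState:
    """Read one sysctl. EACCES is recorded, not raised: on a kernel without
    this fix that is exactly what a non-root reader gets for these files."""
    try:
        with open(os.path.join(sysctl_dir, name), "r", encoding="ascii") as fh:
            raw = fh.read().strip()
    except FileNotFoundError:
        return SysctlState(name, False, False, None)
    except PermissionError:
        return SysctlState(name, True, False, None)
    return SysctlState(name, True, True, int(raw) if raw.lstrip("-").isdigit() else None)


def probe_all(sysctl_dir: str = SYSCTL_DIR) -> Dict[str, SysctlState]:
    return {name: read_sysctl(name, sysctl_dir) for name in USERNS_SYSCTLS}


def is_world_readable(name: str, sysctl_dir: str = SYSCTL_DIR) -> Optional[bool]:
    """Permission-bit check matching the `ll` listings; None if the file is absent."""
    try:
        return bool(os.stat(os.path.join(sysctl_dir, name)).st_mode & 0o004)
    except FileNotFoundError:
        return None


def userns_restriction_status(states: Dict[str, SysctlState]) -> str:
    """What an unprivileged process can learn without creating a user namespace:
      "absent"   - kernel has no apparmor_restrict_unprivileged_userns sysctl
      "unknown"  - sysctl exists but is root-only (pre-fix kernel)
      "off"      - restriction disabled (value 0)
      "complain" - value 1 and the complain sysctl is readable and 1 (assumed
                   meaning: violations are logged, not denied)
      "enforced" - value 1 and not in complain mode"""
    main = states["apparmor_restrict_unprivileged_userns"]
    if not main.present:
        return "absent"
    if not main.readable or main.value is None:
        return "unknown"
    if main.value == 0:
        return "off"
    complain = states.get("apparmor_restrict_unprivileged_userns_complain")
    if complain is not None and complain.readable and complain.value == 1:
        return "complain"
    return "enforced"


def write_fake_sysctls(values: Dict[str, int]) -> str:
    """Create a constructed sysctl tree in a temp dir (demo/test aid only);
    files get mode 0644 like the post-fix sysctls in the listings."""
    directory = tempfile.mkdtemp(prefix="fake-sysctl-")
    for name, value in values.items():
        path = os.path.join(directory, name)
        with open(path, "w", encoding="ascii") as fh:
            fh.write(f"{value}\n")
        os.chmod(path, 0o644)
    return directory


if __name__ == "__main__":
    live = probe_all()
    for name, state in live.items():
        print(f"{name:48s} present={state.present} readable={state.readable} "
              f"value={state.value} world-readable={is_world_readable(name)}")
    print("userns restriction:", userns_restriction_status(live))
```

Run as an unprivileged user, "unknown" for the main sysctl is the pre-fix behaviour this bug corrects, and a "complain"/"enforced" answer is obtained without a single audit-log entry.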
[Kernel-packages] [Bug 2040194] Re: apparmor restricts read access of user namespace mediation sysctls to root
Verification passed for mantic-linux-laptop. I ran the AppArmor QA Regression Tests [1] and checked file permissions for /proc/sys/kernel/*unprivileged*. The QA Regression Tests that failed were due to a timeout because I'm emulating on my machine, but they pass when the timeout is increased.

georgia@sec-mantic-arm64:~$ uname -a
Linux sec-mantic-arm64 6.5.0-1007-laptop #10-Ubuntu SMP PREEMPT_DYNAMIC Wed Nov 22 20:27:28 UTC 2023 aarch64 aarch64 aarch64 GNU/Linux

georgia@sec-mantic-arm64:~$ ll /proc/sys/kernel/*unprivileged*
-rw------- 1 root root 0 Jan 12 18:38 /proc/sys/kernel/apparmor_restrict_unprivileged_io_uring
-rw-r--r-- 1 root root 0 Jan 12 18:38 /proc/sys/kernel/apparmor_restrict_unprivileged_unconfined
-rw-r--r-- 1 root root 0 Jan 12 18:36 /proc/sys/kernel/apparmor_restrict_unprivileged_userns
-rw------- 1 root root 0 Jan 12 18:38 /proc/sys/kernel/apparmor_restrict_unprivileged_userns_complain
-rw------- 1 root root 0 Jan 12 18:38 /proc/sys/kernel/apparmor_restrict_unprivileged_userns_force
-rw-r--r-- 1 root root 0 Jan 12 18:38 /proc/sys/kernel/unprivileged_bpf_disabled
-rw------- 1 root root 0 Jan 12 18:38 /proc/sys/kernel/unprivileged_userns_apparmor_policy
-rw-r--r-- 1 root root 0 Jan 12 18:38 /proc/sys/kernel/unprivileged_userns_clone

georgia@sec-mantic-arm64:~/qrt-test-apparmor$ sudo ./test-apparmor.py
ERROR: test_dbus (__main__.ApparmorTest.test_dbus)
Test dbus apparmor activation from dbus-tests
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/georgia/qrt-test-apparmor/./test-apparmor.py", line 719, in test_dbus
    rc, report = testlib.cmd(['/usr/lib/dbus-1.0/installed-tests/dbus/test-apparmor-activation.sh'],
  File "/home/georgia/qrt-test-apparmor/testlib.py", line 471, in cmd
    out, outerr = sp.communicate(input, timeout=timeout)
  File "/usr/lib/python3.11/subprocess.py", line 1209, in communicate
    stdout, stderr = self._communicate(input, endtime, timeout)
  File "/usr/lib/python3.11/subprocess.py", line 2109, in _communicate
    self._check_timeout(endtime, orig_timeout, stdout, stderr)
  File "/usr/lib/python3.11/subprocess.py", line 1253, in _check_timeout
    raise TimeoutExpired(
subprocess.TimeoutExpired: Command '['/usr/lib/dbus-1.0/installed-tests/dbus/test-apparmor-activation.sh']' timed out after 5 seconds

running attach_disconnected
Fatal Error (unix_fd_server): Unable to run test sub-executable
PASSED: aa_exec access at_secure introspect capabilities changeprofile onexec changehat changehat_fork changehat_misc chdir clone coredump deleted e2e environ exec exec_qual fchdir fd_inheritance fork i18n link link_subset mkdir mmap mount mult_mount named_pipe namespaces net_raw open openat pipe pivot_root posix_ipc ptrace pwrite query_label regex rename readdir rw socketpair swap sd_flags setattr symlink syscall sysv_ipc tcp unix_fd_server unix_socket_pathname unix_socket_abstract unix_socket_unnamed unix_socket_autobind unlink userns xattrs xattrs_profile longpath nfs dbus_eavesdrop dbus_message dbus_service dbus_unrequested_reply io_uring aa_policy_cache exec_stack nnp stackonexec stackprofile
FAILED: attach_disconnected
make: *** [Makefile:402: alltests] Error 1

ERROR: test_0 (__main__.TestLogprof.test_0)
test 'ping'
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/tmp/testlib2jc8hiih/source/mantic/apparmor-4.0.0~alpha2/utils/test/common_test.py", line 90, in stub_test
    self._run_test(test_data, expected)
  File "/tmp/testlib2jc8hiih/source/mantic/apparmor-4.0.0~alpha2/utils/test/test-logprof.py", line 99, in _run_test
    self.process.wait(timeout=0.2)
  File "/usr/lib/python3.11/subprocess.py", line 1264, in wait
    return self._wait(timeout=timeout)
  File "/usr/lib/python3.11/subprocess.py", line 2038, in _wait
    raise TimeoutExpired(self.args, timeout)
subprocess.TimeoutExpired: Command '['/usr/bin/python3', '../aa-logprof', '--json', '--configdir', './', '-f', './logprof/ping.auditlog', '-d', '/tmp/aa-test-tkkg1ex3/profiles', '--no-check-mountpoint']' timed out after 0.2 seconds

----------------------------------------------------------------------
Ran 62 tests in 43542.817s

FAILED (failures=3, errors=1, skipped=3)

Rerunning the failing tests with an increased timeout:

georgia@sec-mantic-arm64:~/qrt-test-apparmor$ sudo ./test-apparmor.py ApparmorTest.test_dbus
Skipping private tests
.
----------------------------------------------------------------------
Ran 1 test in 19.786s

OK
[Kernel-packages] [Bug 2040194] Re: apparmor restricts read access of user namespace mediation sysctls to root
Verification passed for mantic-linux-lowlatency. I ran the AppArmor QA Regression Tests [1] and checked file permissions for /proc/sys/kernel/*unprivileged*.

georgia@sec-mantic-amd64:~$ uname -a
Linux sec-mantic-amd64 6.5.0-14-lowlatency #14.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Nov 20 13:01:26 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

georgia@sec-mantic-amd64:~$ ll /proc/sys/kernel/*unprivileged*
-rw------- 1 root root 0 Jan 12 14:22 /proc/sys/kernel/apparmor_restrict_unprivileged_io_uring
-rw-r--r-- 1 root root 0 Jan 12 14:19 /proc/sys/kernel/apparmor_restrict_unprivileged_unconfined
-rw-r--r-- 1 root root 0 Jan 12 14:19 /proc/sys/kernel/apparmor_restrict_unprivileged_userns
-rw------- 1 root root 0 Jan 12 14:22 /proc/sys/kernel/apparmor_restrict_unprivileged_userns_complain
-rw------- 1 root root 0 Jan 12 14:22 /proc/sys/kernel/apparmor_restrict_unprivileged_userns_force
-rw-r--r-- 1 root root 0 Jan 12 14:22 /proc/sys/kernel/unprivileged_bpf_disabled
-rw------- 1 root root 0 Jan 12 14:22 /proc/sys/kernel/unprivileged_userns_apparmor_policy
-rw-r--r-- 1 root root 0 Jan 12 14:19 /proc/sys/kernel/unprivileged_userns_clone

georgia@sec-mantic-amd64:~/qrt-test-apparmor$ sudo ./test-apparmor.py
.
----------------------------------------------------------------------
Ran 62 tests in 1745.243s

OK (skipped=3)

[1] https://launchpad.net/qa-regression-testing

** Tags removed: verification-needed-mantic-linux-lowlatency
** Tags added: verification-done-mantic-linux-lowlatency
[Kernel-packages] [Bug 2040194] Re: apparmor restricts read access of user namespace mediation sysctls to root
Verification passed for jammy-linux-nvidia-6.5. I ran the AppArmor QA Regression Tests [1] and checked file permissions for /proc/sys/kernel/*unprivileged*.

georgia@sec-jammy-amd64:~$ uname -a
Linux sec-jammy-amd64 6.5.0-1007-nvidia #7-Ubuntu SMP PREEMPT_DYNAMIC Wed Dec 6 01:27:37 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

georgia@sec-jammy-amd64:~$ ll /proc/sys/kernel/*unprivileged*
-rw------- 1 root root 0 Jan 12 14:11 /proc/sys/kernel/apparmor_restrict_unprivileged_io_uring
-rw-r--r-- 1 root root 0 Jan 12 14:11 /proc/sys/kernel/apparmor_restrict_unprivileged_unconfined
-rw-r--r-- 1 root root 0 Jan 12 14:11 /proc/sys/kernel/apparmor_restrict_unprivileged_userns
-rw------- 1 root root 0 Jan 12 14:11 /proc/sys/kernel/apparmor_restrict_unprivileged_userns_complain
-rw------- 1 root root 0 Jan 12 14:11 /proc/sys/kernel/apparmor_restrict_unprivileged_userns_force
-rw-r--r-- 1 root root 0 Jan 12 14:11 /proc/sys/kernel/unprivileged_bpf_disabled
-rw------- 1 root root 0 Jan 12 14:11 /proc/sys/kernel/unprivileged_userns_apparmor_policy
-rw-r--r-- 1 root root 0 Jan 12 14:09 /proc/sys/kernel/unprivileged_userns_clone

georgia@sec-jammy-amd64:~/qrt-test-apparmor$ sudo ./test-apparmor.py
.
----------------------------------------------------------------------
Ran 62 tests in 1435.853s

OK (skipped=2)

[1] https://launchpad.net/qa-regression-testing

** Tags removed: verification-needed-jammy-linux-nvidia-6.5
** Tags added: verification-done-jammy-linux-nvidia-6.5
[Kernel-packages] [Bug 2040194] Re: apparmor restricts read access of user namespace mediation sysctls to root
Verification passed for jammy-linux-hwe-6.5. I ran the AppArmor QA Regression Tests [1] and checked file permissions for /proc/sys/kernel/*unprivileged*.

georgia@sec-jammy-amd64:~$ uname -a
Linux sec-jammy-amd64 6.5.0-14-generic #14~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Nov 20 18:15:30 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

georgia@sec-jammy-amd64:~$ ll /proc/sys/kernel/*unprivileged*
-rw------- 1 root root 0 Jan 12 14:07 /proc/sys/kernel/apparmor_restrict_unprivileged_io_uring
-rw-r--r-- 1 root root 0 Jan 12 14:07 /proc/sys/kernel/apparmor_restrict_unprivileged_unconfined
-rw-r--r-- 1 root root 0 Jan 12 14:07 /proc/sys/kernel/apparmor_restrict_unprivileged_userns
-rw------- 1 root root 0 Jan 12 14:07 /proc/sys/kernel/apparmor_restrict_unprivileged_userns_complain
-rw------- 1 root root 0 Jan 12 14:07 /proc/sys/kernel/apparmor_restrict_unprivileged_userns_force
-rw-r--r-- 1 root root 0 Jan 12 14:07 /proc/sys/kernel/unprivileged_bpf_disabled
-rw------- 1 root root 0 Jan 12 14:07 /proc/sys/kernel/unprivileged_userns_apparmor_policy
-rw-r--r-- 1 root root 0 Jan 12 14:06 /proc/sys/kernel/unprivileged_userns_clone

georgia@sec-jammy-amd64:~/qrt-test-apparmor$ sudo ./test-apparmor.py
.
----------------------------------------------------------------------
Ran 62 tests in 1360.734s

OK (skipped=2)

[1] https://launchpad.net/qa-regression-testing

** Tags removed: verification-needed-jammy-linux-hwe-6.5
** Tags added: verification-done-jammy-linux-hwe-6.5
[Kernel-packages] [Bug 2040194] Re: apparmor restricts read access of user namespace mediation sysctls to root
Verification passed for linux gcp. I ran the AppArmor QA Regression Tests [1] and checked file permissions for /proc/sys/kernel/*unprivileged*.

georgia@sec-mantic-amd64:~$ uname -a
Linux sec-mantic-amd64 6.5.0-1010-azure #10-Ubuntu SMP Mon Nov 20 20:14:42 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

georgia@sec-mantic-amd64:~$ ll /proc/sys/kernel/*unprivileged*
-rw------- 1 root root 0 Jan 12 13:59 /proc/sys/kernel/apparmor_restrict_unprivileged_io_uring
-rw-r--r-- 1 root root 0 Jan 12 13:59 /proc/sys/kernel/apparmor_restrict_unprivileged_unconfined
-rw-r--r-- 1 root root 0 Jan 12 13:58 /proc/sys/kernel/apparmor_restrict_unprivileged_userns
-rw------- 1 root root 0 Jan 12 13:59 /proc/sys/kernel/apparmor_restrict_unprivileged_userns_complain
-rw------- 1 root root 0 Jan 12 13:59 /proc/sys/kernel/apparmor_restrict_unprivileged_userns_force
-rw-r--r-- 1 root root 0 Jan 12 13:59 /proc/sys/kernel/unprivileged_bpf_disabled
-rw------- 1 root root 0 Jan 12 13:59 /proc/sys/kernel/unprivileged_userns_apparmor_policy
-rw-r--r-- 1 root root 0 Jan 12 13:58 /proc/sys/kernel/unprivileged_userns_clone

georgia@sec-mantic-amd64:~/qrt-test-apparmor$ sudo ./test-apparmor.py
.
----------------------------------------------------------------------
Ran 62 tests in 1325.124s

OK (skipped=3)

[1] https://launchpad.net/qa-regression-testing

** Tags removed: verification-needed-mantic-linux-gcp
** Tags added: verification-done-mantic-linux-gcp
[Kernel-packages] [Bug 2040194] Re: apparmor restricts read access of user namespace mediation sysctls to root
Verification passed for jammy-linux-lowlatency-hwe-6.5. I ran the AppArmor QA Regression Tests [1] and checked file permissions for /proc/sys/kernel/*unprivileged*.

georgia@sec-jammy-amd64:~$ uname -a
Linux sec-jammy-amd64 6.5.0-14-lowlatency #14.1~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Wed Nov 22 16:24:11 UTC x86_64 x86_64 x86_64 GNU/Linux

georgia@sec-jammy-amd64:~$ ll /proc/sys/kernel/*unprivileged*
-rw------- 1 root root 0 Jan 12 13:47 /proc/sys/kernel/apparmor_restrict_unprivileged_io_uring
-rw-r--r-- 1 root root 0 Jan 12 13:47 /proc/sys/kernel/apparmor_restrict_unprivileged_unconfined
-rw-r--r-- 1 root root 0 Jan 12 13:35 /proc/sys/kernel/apparmor_restrict_unprivileged_userns
-rw------- 1 root root 0 Jan 12 13:47 /proc/sys/kernel/apparmor_restrict_unprivileged_userns_complain
-rw------- 1 root root 0 Jan 12 13:47 /proc/sys/kernel/apparmor_restrict_unprivileged_userns_force
-rw-r--r-- 1 root root 0 Jan 12 13:47 /proc/sys/kernel/unprivileged_bpf_disabled
-rw------- 1 root root 0 Jan 12 13:47 /proc/sys/kernel/unprivileged_userns_apparmor_policy
-rw-r--r-- 1 root root 0 Jan 12 13:33 /proc/sys/kernel/unprivileged_userns_clone

georgia@sec-mantic-amd64:~/qrt-test-apparmor$ sudo ./test-apparmor.py
.
----------------------------------------------------------------------
Ran 62 tests in 1366.317s

OK (skipped=2)

[1] https://launchpad.net/qa-regression-testing

** Tags removed: verification-needed-jammy-linux-lowlatency-hwe-6.5
** Tags added: verification-done-jammy-linux-lowlatency-hwe-6.5
[Kernel-packages] [Bug 2040194] Re: apparmor restricts read access of user namespace mediation sysctls to root
Verification passed for linux azure. I ran the AppArmor QA Regression Tests [1] and checked file permissions for /proc/sys/kernel/*unprivileged*.

georgia@sec-mantic-amd64:~$ uname -a
Linux sec-mantic-amd64 6.5.0-1010-azure #10-Ubuntu SMP Mon Nov 20 20:14:42 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

georgia@sec-mantic-amd64:~$ ll /proc/sys/kernel/*unprivileged*
-rw------- 1 root root 0 Jan 12 13:55 /proc/sys/kernel/apparmor_restrict_unprivileged_io_uring
-rw-r--r-- 1 root root 0 Jan 12 13:54 /proc/sys/kernel/apparmor_restrict_unprivileged_unconfined
-rw-r--r-- 1 root root 0 Jan 12 13:54 /proc/sys/kernel/apparmor_restrict_unprivileged_userns
-rw------- 1 root root 0 Jan 12 13:55 /proc/sys/kernel/apparmor_restrict_unprivileged_userns_complain
-rw------- 1 root root 0 Jan 12 13:55 /proc/sys/kernel/apparmor_restrict_unprivileged_userns_force
-rw-r--r-- 1 root root 0 Jan 12 13:55 /proc/sys/kernel/unprivileged_bpf_disabled
-rw------- 1 root root 0 Jan 12 13:55 /proc/sys/kernel/unprivileged_userns_apparmor_policy
-rw-r--r-- 1 root root 0 Jan 12 13:54 /proc/sys/kernel/unprivileged_userns_clone

georgia@sec-mantic-amd64:~/qrt-test-apparmor$ sudo ./test-apparmor.py
.
----------------------------------------------------------------------
Ran 62 tests in 1300.394s

OK (skipped=3)

[1] https://launchpad.net/qa-regression-testing

** Tags removed: verification-needed-mantic-linux-azure
** Tags added: verification-done-mantic-linux-azure
[Kernel-packages] [Bug 2040194] Re: apparmor restricts read access of user namespace mediation sysctls to root
This bug is awaiting verification that the linux-lowlatency-hwe-6.5/6.5.0-14.14.1~22.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-lowlatency-hwe-6.5' to 'verification-done-jammy-linux-lowlatency-hwe-6.5'. If the problem still exists, change the tag 'verification-needed-jammy-linux-lowlatency-hwe-6.5' to 'verification-failed-jammy-linux-lowlatency-hwe-6.5'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

** Tags added: kernel-spammed-jammy-linux-lowlatency-hwe-6.5-v2 verification-needed-jammy-linux-lowlatency-hwe-6.5
[Kernel-packages] [Bug 2040194] Re: apparmor restricts read access of user namespace mediation sysctls to root
This bug was fixed in the package linux - 6.6.0-14.14

---------------
linux (6.6.0-14.14) noble; urgency=medium

  * noble/linux: 6.6.0-14.14 -proposed tracker (LP: #2045243)

  * Noble update: v6.6.3 upstream stable release (LP: #2045244)
    - locking/ww_mutex/test: Fix potential workqueue corruption
    - btrfs: abort transaction on generation mismatch when marking eb as dirty
    - lib/generic-radix-tree.c: Don't overflow in peek()
    - x86/retpoline: Make sure there are no unconverted return thunks due to KCSAN
    - perf/core: Bail out early if the request AUX area is out of bound
    - srcu: Fix srcu_struct node grpmask overflow on 64-bit systems
    - selftests/lkdtm: Disable CONFIG_UBSAN_TRAP in test config
    - clocksource/drivers/timer-imx-gpt: Fix potential memory leak
    - clocksource/drivers/timer-atmel-tcb: Fix initialization on SAM9 hardware
    - srcu: Only accelerate on enqueue time
    - smp,csd: Throw an error if a CSD lock is stuck for too long
    - cpu/hotplug: Don't offline the last non-isolated CPU
    - workqueue: Provide one lock class key per work_on_cpu() callsite
    - x86/mm: Drop the 4 MB restriction on minimal NUMA node memory size
    - wifi: plfxlc: fix clang-specific fortify warning
    - wifi: ath12k: Ignore fragments from uninitialized peer in dp
    - wifi: mac80211_hwsim: fix clang-specific fortify warning
    - wifi: mac80211: don't return unset power in ieee80211_get_tx_power()
    - atl1c: Work around the DMA RX overflow issue
    - bpf: Detect IP == ksym.end as part of BPF program
    - wifi: ath9k: fix clang-specific fortify warnings
    - wifi: ath12k: fix possible out-of-bound read in ath12k_htt_pull_ppdu_stats()
    - wifi: ath10k: fix clang-specific fortify warning
    - wifi: ath12k: fix possible out-of-bound write in ath12k_wmi_ext_hal_reg_caps()
    - ACPI: APEI: Fix AER info corruption when error status data has multiple sections
    - net: sfp: add quirk for Fiberstone GPON-ONU-34-20BI
    - wifi: mt76: mt7921e: Support MT7992 IP in Xiaomi Redmibook 15 Pro (2023)
    - wifi: mt76: fix clang-specific fortify warnings
    - net: annotate data-races around sk->sk_tx_queue_mapping
    - net: annotate data-races around sk->sk_dst_pending_confirm
    - wifi: ath12k: mhi: fix potential memory leak in ath12k_mhi_register()
    - wifi: ath10k: Don't touch the CE interrupt registers after power up
    - net: sfp: add quirk for FS's 2.5G copper SFP
    - vsock: read from socket's error queue
    - bpf: Ensure proper register state printing for cond jumps
    - wifi: iwlwifi: mvm: fix size check for fw_link_id
    - Bluetooth: btusb: Add date->evt_skb is NULL check
    - Bluetooth: Fix double free in hci_conn_cleanup
    - ACPI: EC: Add quirk for HP 250 G7 Notebook PC
    - tsnep: Fix tsnep_request_irq() format-overflow warning
    - gpiolib: acpi: Add a ignore interrupt quirk for Peaq C1010
    - platform/chrome: kunit: initialize lock for fake ec_dev
    - of: address: Fix address translation when address-size is greater than 2
    - platform/x86: thinkpad_acpi: Add battery quirk for Thinkpad X120e
    - drm/gma500: Fix call trace when psb_gem_mm_init() fails
    - drm/amdkfd: ratelimited SQ interrupt messages
    - drm/komeda: drop all currently held locks if deadlock happens
    - drm/amd/display: Blank phantom OTG before enabling
    - drm/amd/display: Don't lock phantom pipe on disabling
    - drm/amd/display: add seamless pipe topology transition check
    - drm/edid: Fixup h/vsync_end instead of h/vtotal
    - md: don't rely on 'mddev->pers' to be set in mddev_suspend()
    - drm/amdgpu: not to save bo in the case of RAS err_event_athub
    - drm/amdkfd: Fix a race condition of vram buffer unref in svm code
    - drm/amdgpu: update retry times for psp vmbx wait
    - drm/amd: Update `update_pcie_parameters` functions to use uint8_t arguments
    - drm/amd/display: use full update for clip size increase of large plane source
    - string.h: add array-wrappers for (v)memdup_user()
    - kernel: kexec: copy user-array safely
    - kernel: watch_queue: copy user-array safely
    - drm_lease.c: copy user-array safely
    - drm: vmwgfx_surface.c: copy user-array safely
    - drm/msm/dp: skip validity check for DP CTS EDID checksum
    - drm/amd: Fix UBSAN array-index-out-of-bounds for SMU7
    - drm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga
    - drm/amdgpu: Fix potential null pointer derefernce
    - drm/panel: fix a possible null pointer dereference
    - drm/panel/panel-tpo-tpg110: fix a possible null pointer dereference
    - drm/radeon: fix a possible null pointer dereference
    - drm/amdgpu/vkms: fix a possible null pointer dereference
    - drm/panel: st7703: Pick different reset sequence
    - drm/amdkfd: Fix shift out-of-bounds issue
    - drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL
    - drm/amd: Disable PP_PCIE_DPM_MASK when dynamic speed switching not supported
    -
[Kernel-packages] [Bug 2040194] Re: apparmor restricts read access of user namespace mediation sysctls to root
This bug is awaiting verification that the linux-nvidia-6.5/6.5.0-1007.7 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-nvidia-6.5' to 'verification-done-jammy-linux-nvidia-6.5'. If the problem still exists, change the tag 'verification-needed-jammy-linux-nvidia-6.5' to 'verification-failed-jammy-linux-nvidia-6.5'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

** Tags added: kernel-spammed-jammy-linux-nvidia-6.5-v2 verification-needed-jammy-linux-nvidia-6.5
[Kernel-packages] [Bug 2040194] Re: apparmor restricts read access of user namespace mediation sysctls to root
This bug is awaiting verification that the linux-lowlatency/6.5.0-14.14.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results.

If the problem is solved, change the tag 'verification-needed-mantic-linux-lowlatency' to 'verification-done-mantic-linux-lowlatency'. If the problem still exists, change the tag 'verification-needed-mantic-linux-lowlatency' to 'verification-failed-mantic-linux-lowlatency'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

** Tags added: kernel-spammed-mantic-linux-lowlatency-v2 verification-needed-mantic-linux-lowlatency

Status in linux package in Ubuntu: Invalid
Status in linux source package in Mantic: Fix Committed
[Kernel-packages] [Bug 2040194] Re: apparmor restricts read access of user namespace mediation sysctls to root
This bug is awaiting verification that the linux-hwe-6.5/6.5.0-14.14~22.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results.

If the problem is solved, change the tag 'verification-needed-jammy-linux-hwe-6.5' to 'verification-done-jammy-linux-hwe-6.5'. If the problem still exists, change the tag 'verification-needed-jammy-linux-hwe-6.5' to 'verification-failed-jammy-linux-hwe-6.5'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

** Tags added: kernel-spammed-jammy-linux-hwe-6.5-v2 verification-needed-jammy-linux-hwe-6.5

Status in linux package in Ubuntu: Invalid
Status in linux source package in Mantic: Fix Committed
[Kernel-packages] [Bug 2040194] Re: apparmor restricts read access of user namespace mediation sysctls to root
This bug is awaiting verification that the linux-gcp/6.5.0-1010.10 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results.

If the problem is solved, change the tag 'verification-needed-mantic-linux-gcp' to 'verification-done-mantic-linux-gcp'. If the problem still exists, change the tag 'verification-needed-mantic-linux-gcp' to 'verification-failed-mantic-linux-gcp'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

** Tags added: kernel-spammed-mantic-linux-gcp-v2 verification-needed-mantic-linux-gcp

Status in linux package in Ubuntu: Invalid
Status in linux source package in Mantic: Fix Committed
[Kernel-packages] [Bug 2040194] Re: apparmor restricts read access of user namespace mediation sysctls to root
This bug is awaiting verification that the linux-azure/6.5.0-1010.10 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results.

If the problem is solved, change the tag 'verification-needed-mantic-linux-azure' to 'verification-done-mantic-linux-azure'. If the problem still exists, change the tag 'verification-needed-mantic-linux-azure' to 'verification-failed-mantic-linux-azure'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

** Tags added: kernel-spammed-mantic-linux-azure-v2 verification-needed-mantic-linux-azure

Status in linux package in Ubuntu: Invalid
Status in linux source package in Mantic: Fix Committed
[Kernel-packages] [Bug 2040194] Re: apparmor restricts read access of user namespace mediation sysctls to root
This bug is awaiting verification that the linux-laptop/6.5.0-1007.10 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results.

If the problem is solved, change the tag 'verification-needed-mantic-linux-laptop' to 'verification-done-mantic-linux-laptop'. If the problem still exists, change the tag 'verification-needed-mantic-linux-laptop' to 'verification-failed-mantic-linux-laptop'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

** Tags added: kernel-spammed-mantic-linux-laptop-v2 verification-needed-mantic-linux-laptop

Status in linux package in Ubuntu: Invalid
Status in linux source package in Mantic: Fix Committed
[Kernel-packages] [Bug 2040194] Re: apparmor restricts read access of user namespace mediation sysctls to root
Tested: the sysctl values can now be read by a non-root user.

** Tags removed: verification-needed-mantic-linux
** Tags added: verification-done-mantic-linux

Status in linux package in Ubuntu: Invalid
Status in linux source package in Mantic: Fix Committed
[Kernel-packages] [Bug 2040194] Re: apparmor restricts read access of user namespace mediation sysctls to root
This bug is awaiting verification that the linux/6.5.0-12.12 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results.

If the problem is solved, change the tag 'verification-needed-mantic-linux' to 'verification-done-mantic-linux'. If the problem still exists, change the tag 'verification-needed-mantic-linux' to 'verification-failed-mantic-linux'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

** Tags added: kernel-spammed-mantic-linux-v2 verification-needed-mantic-linux

Status in linux package in Ubuntu: Invalid
Status in linux source package in Mantic: Fix Committed
[Kernel-packages] [Bug 2040194] Re: apparmor restricts read access of user namespace mediation sysctls to root
** Changed in: linux (Ubuntu)
   Status: Incomplete => Invalid

** Changed in: linux (Ubuntu Mantic)
   Status: Incomplete => Fix Committed

** Changed in: linux (Ubuntu Mantic)
   Assignee: (unassigned) => John Johansen (jjohansen)

Status in linux package in Ubuntu: Invalid
Status in linux source package in Mantic: Fix Committed
[Kernel-packages] [Bug 2040194] Re: apparmor restricts read access of user namespace mediation sysctls to root
Could the LXD team instead just read /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns, since this has the same value as the sysctl /proc/sys/kernel/apparmor_restrict_unprivileged_userns?

Status in linux package in Ubuntu: Incomplete
Status in linux source package in Mantic: Incomplete
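A detection helper in the spirit of this suggestion, added here as an example and not code from LXD, lxc or the kernel: it reads the sysctl first and falls back to the securityfs feature file, so the caller learns whether unprivileged user namespace mediation is on without spawning an unshare probe that would land in the audit log. The root parameter (so tests can point it at a constructed tree instead of /) and all function and constant names are assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// UsernsRestriction is the AppArmor unprivileged user namespace mediation state.
type UsernsRestriction int

const (
	UsernsUnknown UsernsRestriction = iota // no source could be read
	UsernsOff                              // mediation disabled (flag is 0)
	UsernsOn                               // mediation enabled (flag is 1)
)

// Sources are tried in order, relative to root ("/" on a live system, a temp
// dir in tests). The securityfs file carries the same value as the sysctl.
var usernsSources = []string{
	"proc/sys/kernel/apparmor_restrict_unprivileged_userns",
	"sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns",
}

// readFlag parses a "0"/"1" kernel flag file; anything else is an error.
func readFlag(path string) (bool, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return false, err
	}
	switch v := strings.TrimSpace(string(data)); v {
	case "0":
		return false, nil
	case "1":
		return true, nil
	default:
		return false, fmt.Errorf("%s: unexpected content %q", path, v)
	}
}

// DetectUsernsRestriction returns the state and the path it was read from.
// An unreadable source (EACCES, ENOENT, bad content) falls through to the
// next one; if every source fails, the collected errors are returned.
func DetectUsernsRestriction(root string) (UsernsRestriction, string, error) {
	var errs []string
	for _, rel := range usernsSources {
		p := filepath.Join(root, rel)
		on, err := readFlag(p)
		if err == nil {
			if on {
				return UsernsOn, p, nil
			}
			return UsernsOff, p, nil
		}
		errs = append(errs, err.Error())
	}
	return UsernsUnknown, "", fmt.Errorf("no readable source: %s", strings.Join(errs, "; "))
}
```

On a live system call DetectUsernsRestriction("/"); the returned path tells you whether the sysctl was readable by the calling user or the securityfs fallback was needed.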