Re: [Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-29 Thread intrigeri
> The kernel patch causing the issue has been reverted. So 4.14-rc7
> should work as pre 4.14-rc2

Great! (Modulo Linus' commit message…)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1721278

Title:
  apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed"
  w/ 4.14-rc2 and later

Status in apparmor package in Ubuntu:
  Invalid
Status in apparmor source package in Xenial:
  Invalid
Status in apparmor source package in Zesty:
  Invalid
Status in apparmor source package in Artful:
  Invalid

Bug description:
  With Ubuntu 16.04.3 LTS (Xenial Xerus) and apparmor
  2.10.95-0ubuntu2.7, the error message below is printed to the system
  log each second.

  ```
  […]
  [Mi Okt  4 16:57:52 2017] audit: type=1400 audit(1507129072.882:554): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
  [Mi Okt  4 16:57:53 2017] audit: type=1400 audit(1507129073.886:555): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
  [Mi Okt  4 16:57:54 2017] audit: type=1400 audit(1507129074.886:556): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
  [Mi Okt  4 16:57:55 2017] audit: type=1400 audit(1507129075.886:557): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
  […]
  ```

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1721278/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
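The audit records quoted in the bug description are the raw material a defender has when a confined daemon starts failing after a kernel or parser change. The following is an added example, not code from this thread or from the AppArmor project: a small parser that turns such `type=1400` lines into field dictionaries, counts denials per profile/operation/family, and detects the "once a second" cadence the reporter describes, which distinguishes a daemon stuck retrying an operation that policy never permits from a one-off denial. The sample log text is constructed from the four lines in the report, each joined back onto a single line; the function names and the `period`/`tolerance` parameters are this example's own.

```python
import re
from collections import Counter

# Constructed sample input: the four audit lines quoted in the bug report,
# each rejoined onto one line (the mail client had wrapped them).
SAMPLE_LOG = """\
[Mi Okt  4 16:57:52 2017] audit: type=1400 audit(1507129072.882:554): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
[Mi Okt  4 16:57:53 2017] audit: type=1400 audit(1507129073.886:555): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
[Mi Okt  4 16:57:54 2017] audit: type=1400 audit(1507129074.886:556): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
[Mi Okt  4 16:57:55 2017] audit: type=1400 audit(1507129075.886:557): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
"""

# "audit(<epoch seconds>.<millis>:<serial>): " followed by key=value pairs
AUDIT_RE = re.compile(r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$')
# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_line(line):
    """Return the fields of one AppArmor audit record as a dict, or None if
    the line is not an AppArmor audit record (no audit(...) stamp or no
    apparmor= field)."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    ev = {'ts': float(m.group('ts')), 'serial': int(m.group('serial'))}
    for f in FIELD_RE.finditer(m.group('rest')):
        key, quoted, bare = f.groups()
        ev[key] = quoted if quoted is not None else bare
    return ev if 'apparmor' in ev else None


def parse_log(text):
    """Parse every AppArmor audit record found in a block of log text."""
    return [ev for ev in map(parse_apparmor_line, text.splitlines()) if ev]


def denial_summary(events):
    """Count DENIED records per (profile, operation, family, sock_type, denied_mask).
    One key with a high count is the signature of a single missing rule."""
    keys = ('profile', 'operation', 'family', 'sock_type', 'denied_mask')
    return Counter(tuple(ev.get(k) for k in keys)
                   for ev in events if ev.get('apparmor') == 'DENIED')


def is_retry_loop(events, period=1.0, tolerance=0.25, min_events=3):
    """True when the same profile/pid/operation is denied at a steady cadence
    (default: about once per second), i.e. a daemon retrying an operation
    that policy never lets succeed. Thresholds are this example's choice."""
    by_key = {}
    for ev in events:
        if ev.get('apparmor') != 'DENIED':
            continue
        key = (ev.get('profile'), ev.get('pid'), ev.get('operation'))
        by_key.setdefault(key, []).append(ev['ts'])
    for stamps in by_key.values():
        stamps.sort()
        if len(stamps) < min_events:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if all(abs(g - period) <= tolerance for g in gaps):
            return True
    return False


if __name__ == '__main__':
    evs = parse_log(SAMPLE_LOG)
    for key, n in sorted(denial_summary(evs).items()):
        print(n, key)
    print('retry loop:', is_retry_loop(evs))
```

Feeding the output of `dmesg` or the kernel log into `parse_log` works the same way, since the regexes key on the `audit(...)` stamp rather than on the dmesg timestamp prefix; on the sample, the summary collapses to a single key for `/usr/sbin/cups-browsed` creating a `unix`/`stream` socket, which is exactly the rule class the rest of the thread traces to the pinned feature set.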


Re: [Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-24 Thread Paul Menzel
Dear Christian,


On 24.10.2017 at 19:14, Christian Boltz wrote:
>> ... apparmor="DENIED" operation="create" ... family="unix"
>> sock_type="stream"
> 
> With the pinned-down feature set, you probably "lost" support for unix
> rules.

Sorry, I have no clue about the internals. I just use what’s shipped in 
Ubuntu 16.04.

> In theory, apparmor_parser will downgrade those rules to "network unix,"
> - but in practise a bug in apparmor_parser prevented it. This bug was
> fixed in the point releases some days ago.

Just a note that the no-regression policy of Linux actually demands 
that the latest Linux kernel also works with buggy user space software.

> Can you please test with the latest apparmor_parser? "Latest" means
> 2.11.1, 2.10.3 or 2.9.5 - or, if you want to test only the bugfix, apply
> the patch from bzr trunk r3700 - http://bazaar.launchpad.net/~apparmor-
> dev/apparmor/master/revision/3700

The system is an up-to-date Ubuntu 16.04 installation. So that should be 
already installed? I can check tomorrow.


Kind regards,

Paul



Re: [Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-24 Thread Paul Menzel
Dear John,


On 10/24/17 12:55, John Johansen wrote:
> On 10/24/2017 02:32 AM, Paul Menzel wrote:
>> I’d really like to try the Linux kernel fix. Can I get it from
>> somewhere?
>>
> commit 8baea25455c08173713fdbceac99309192518ffb
> Author: John Johansen 
> Date:   Mon Oct 23 08:51:24 2017 -0700
> 
>  apparmor: fix regression in network mediation when using feature pinning
>  
>  When the 4.14-rc6 and earlier kernels are used with an upstream 4.13
>  or earlier pinned feature set, there is a regression in network
>  mediation where policy is not being correctly enforced, because the
>  compilation is completely dropping the af mediation table as expected
>  by pre 4.14 kernels but the 4.14 kernel is not accounting for this.
>  
>  Resulting in network denials that can not be fixed by policy.
>  
>  Fixes: 651e28c5537a ("apparmor: add base infastructure for socket mediation")
>  Signed-off-by: John Johansen 
> 
> diff --git a/security/apparmor/policy_unpack.c 
> b/security/apparmor/policy_unpack.c
> index 5a2aec358322..e348f8dec45d 100644
> --- a/security/apparmor/policy_unpack.c
> +++ b/security/apparmor/policy_unpack.c
> @@ -755,6 +755,10 @@ static struct aa_profile *unpack_profile(struct aa_ext 
> *e, char **ns_name)
>   }
>   if (!unpack_nameX(e, AA_ARRAYEND, NULL))
>   goto fail;
> + } else {
> + /* support policy pre AF socket mediation */
> + for (i = 0; i < AF_MAX; i++)
> + profile->net.allow[i] = 0x;
>   }
>   if (VERSION_LT(e->version, v7)) {
>   /* pre v7 policy always allowed these */
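Review bot: as quoted here the hunk cannot be applied with `git am` or `patch`: the assignment `profile->net.allow[i] = 0x;` has its literal cut off after `0x` (the mail wrapped or stripped it), and the `@@ -755,6 +755,10 @@` header is broken across two lines, which makes `patch` reject the hunk. For the question below about pulling it into a tree, take the change from commit 8baea25455c08173713fdbceac99309192518ffb rather than from the mail body.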

Thank you. Can I pull it from a tree? Trying [1], I am asked for 
credentials.

```
$ git remote add ubuntu https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source
$ git fetch ubuntu
Username for 'https://git.launchpad.net':
```


Kind regards,

Paul


[1] 
https://code.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/saucy/+ref/mako



Re: [Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-24 Thread John Johansen
On 10/24/2017 02:32 AM, Paul Menzel wrote:
> I’d really like to try the Linux kernel fix. Can I get it from
> somewhere?
> 
commit 8baea25455c08173713fdbceac99309192518ffb
Author: John Johansen 
Date:   Mon Oct 23 08:51:24 2017 -0700

apparmor: fix regression in network mediation when using feature pinning

When the 4.14-rc6 and earlier kernels are used with an upstream 4.13
or earlier pinned feature set, there is a regression in network
mediation where policy is not being correctly enforced, because the
compilation is completely dropping the af mediation table as expected
by pre 4.14 kernels but the 4.14 kernel is not accounting for this.

Resulting in network denials that can not be fixed by policy.

Fixes: 651e28c5537a ("apparmor: add base infastructure for socket mediation")
Signed-off-by: John Johansen 

diff --git a/security/apparmor/policy_unpack.c 
b/security/apparmor/policy_unpack.c
index 5a2aec358322..e348f8dec45d 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -755,6 +755,10 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, 
char **ns_name)
}
if (!unpack_nameX(e, AA_ARRAYEND, NULL))
goto fail;
+   } else {
+   /* support policy pre AF socket mediation */
+   for (i = 0; i < AF_MAX; i++)
+   profile->net.allow[i] = 0x;
}
if (VERSION_LT(e->version, v7)) {
/* pre v7 policy always allowed these */
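Review bot: the new `else` branch needs a comment stating what it gives up, and the literal on `profile->net.allow[i] = 0x;` is truncated in this copy, so the value must be checked against the real commit before the hunk is applied. The branch runs when the unpacked policy carries no af mediation table (the pinned pre-4.14 case from the commit message) and sets an allow entry for every family up to `AF_MAX`, so for such profiles the kernel stops mediating network access altogether; that matches the described intent, since the policy was compiled with no network mediation and denials here could not be fixed by policy, but the one-line comment `/* support policy pre AF socket mediation */` reads as a bypass to anyone who does not know the feature-pinning story. Note also that `i` is not declared within the hunk, so the change relies on a loop variable already in scope in `unpack_profile`.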



Re: [Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed"

2017-10-09 Thread Paul Menzel
Dear Doug,


Thank you for your reply.

On 10/06/17 21:16, Doug Smythies wrote:
> Which kernel are you using?

I am using Linux 4.14-rc3+.

> On my development 17.10 Desktop, I get the same as you but only for mainline
> kernels 4.14-rc2 and 4.14-rc3. Earlier kernels, including mainline 4.14-rc1,
> seem to be fine with respect to this issue.

I don’t know when it started. The problem wasn’t there with Linux 4.13. 
So, your observation seems plausible.


Kind regards,

Paul
