Re: [Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later
> The kernel patch causing the issue has been reverted. So 4.14-rc7 should
> work as pre 4.14-rc2

Great! (Modulo Linus' commit message…)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1721278

Title:
  apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

Status in apparmor package in Ubuntu:
  Invalid
Status in apparmor source package in Xenial:
  Invalid
Status in apparmor source package in Zesty:
  Invalid
Status in apparmor source package in Artful:
  Invalid

Bug description:
  With Ubuntu 16.04.3 LTS (Xenial Xerus), and apparmor 2.10.95-0ubuntu2.7,
  the error message below is printed to the system log every second.

```
[…]
[Mi Okt 4 16:57:52 2017] audit: type=1400 audit(1507129072.882:554): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
[Mi Okt 4 16:57:53 2017] audit: type=1400 audit(1507129073.886:555): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
[Mi Okt 4 16:57:54 2017] audit: type=1400 audit(1507129074.886:556): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
[Mi Okt 4 16:57:55 2017] audit: type=1400 audit(1507129075.886:557): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
[…]
```

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1721278/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
Re: [Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later
Dear Christian,

On 24.10.2017 at 19:14, Christian Boltz wrote:

>> ... apparmor="DENIED" operation="create" ... family="unix"
> sock_type="stream"
>
> With the pinned-down feature set, you probably "lost" support for unix
> rules.

Sorry, I have no clue about the internals. I just use what's shipped in
Ubuntu 16.04.

> In theory, apparmor_parser will downgrade those rules to "network unix,"
> - but in practice a bug in apparmor_parser prevented it. This bug was
> fixed in the point releases some days ago.

Just a note that the no-regression policy of Linux actually demands that
the latest Linux kernel also works with buggy user space software.

> Can you please test with the latest apparmor_parser? "Latest" means
> 2.11.1, 2.10.3 or 2.9.5 - or, if you want to test only the bugfix, apply
> the patch from bzr trunk r3700 -
> http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3700

The system is an up-to-date Ubuntu 16.04 installation. So that should be
already installed? I can check tomorrow.

Kind regards,

Paul

-- 
https://bugs.launchpad.net/bugs/1721278
Status in apparmor package in Ubuntu: Confirmed
Status in apparmor source package in Xenial: Confirmed
Status in apparmor source package in Zesty: Confirmed
Status in apparmor source package in Artful: Confirmed
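The denial lines in the bug description above, together with Christian's remark that apparmor_parser downgrades `unix` rules to `network unix,` when the pinned feature set lacks unix-rule support, are enough to build a small triage helper. The following is an added example and not code from the bug report or from the AppArmor project: it parses the report's audit lines, groups denials per profile and socket access, estimates the denial rate (the report says one per second), and proposes the rule that would ordinarily permit the access, either the fine-grained `unix` form or the coarse `network` form. The four unix lines are copied from the report; the fifth `family="inet"` line is constructed; the function names and the denial-to-rule mapping are this example's own assumptions. One caveat a practitioner should keep in mind: in this particular thread the denials came from a kernel regression that John's patch describes as not fixable by policy, so the suggested rule is what you would add in the ordinary case, after confirming the kernel and apparmor_parser versions.

```python
"""Triage AppArmor socket denials from dmesg/audit output.

Added example, not from the bug report or the AppArmor project. Function
names and the denial-to-rule mapping are this example's assumptions.
"""
import re
from collections import Counter

# Four lines copied from the bug description; the fifth (family="inet") is
# constructed to show the grouping and rule suggestion are not unix-specific.
SAMPLE_LOG = """\
[Mi Okt 4 16:57:52 2017] audit: type=1400 audit(1507129072.882:554): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
[Mi Okt 4 16:57:53 2017] audit: type=1400 audit(1507129073.886:555): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
[Mi Okt 4 16:57:54 2017] audit: type=1400 audit(1507129074.886:556): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
[Mi Okt 4 16:57:55 2017] audit: type=1400 audit(1507129075.886:557): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
[Mi Okt 4 16:57:56 2017] audit: type=1400 audit(1507129076.886:558): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="inet" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
"""

# key="quoted value" or key=bare_value
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# audit(<epoch seconds>.<millis>:<serial>)
AUDIT_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')


def parse_line(line):
    """Return the fields of one AppArmor audit line as a dict, or None."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    m = AUDIT_RE.search(line)
    if m:
        fields['ts'] = float(m.group(1))
        fields['serial'] = int(m.group(2))
    for key, value, quoted in KV_RE.findall(line):
        fields[key] = quoted if value.startswith('"') else value
    return fields


def parse_log(text):
    """Parse every AppArmor line in a dmesg/journal dump; skip the rest."""
    return [f for f in map(parse_line, text.splitlines()) if f]


def denials_by_access(events):
    """Count DENIED events per (profile, operation, family, sock_type)."""
    counts = Counter()
    for e in events:
        if e.get('apparmor') == 'DENIED':
            counts[(e['profile'], e['operation'],
                    e.get('family'), e.get('sock_type'))] += 1
    return counts


def denial_rate(events):
    """Average DENIED events per second between first and last timestamp."""
    ts = sorted(e['ts'] for e in events
                if e.get('apparmor') == 'DENIED' and 'ts' in e)
    if len(ts) < 2 or ts[-1] == ts[0]:
        return 0.0
    return (len(ts) - 1) / (ts[-1] - ts[0])


def suggest_rule(event, kernel_supports_unix_rules=True):
    """Propose the AppArmor rule that would permit the denied socket access.

    Assumed mapping: a fine-grained `unix` rule when the (pinned) feature
    set supports unix rules, otherwise the coarse `network <family> [<type>],`
    form, which is the downgrade target Christian Boltz mentions.
    """
    family = event['family']
    sock_type = event.get('sock_type')
    access = event['denied_mask']
    if family == 'unix' and kernel_supports_unix_rules:
        rule = f'unix ({access})'
        if sock_type:
            rule += f' type={sock_type}'
    else:
        rule = f'network {family}'
        if sock_type:
            rule += f' {sock_type}'
    return rule + ','


if __name__ == '__main__':
    evs = parse_log(SAMPLE_LOG)
    for key, n in denials_by_access(evs).items():
        print(f'{n:3d}x  profile={key[0]} op={key[1]} family={key[2]} type={key[3]}')
    print(f'denial rate: {denial_rate(evs):.2f}/s')
    print('rule:', suggest_rule(evs[0]), '| downgraded:',
          suggest_rule(evs[0], kernel_supports_unix_rules=False))
```

Run it as a script for a summary, or hand `parse_log` the output of `dmesg` or `journalctl -k`; lines without `apparmor=` are skipped. The `type=` condition keeps the suggested `unix` rule as narrow as the denial itself, which is the least-privilege choice; dropping it, or falling back to the `network unix,` form, widens what the profile permits.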
Re: [Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later
Dear John,

On 10/24/17 12:55, John Johansen wrote:
> On 10/24/2017 02:32 AM, Paul Menzel wrote:
>> I'd really like to try the Linux kernel fix. Can I get it from
>> somewhere?
>>
> commit 8baea25455c08173713fdbceac99309192518ffb
> Author: John Johansen
> Date: Mon Oct 23 08:51:24 2017 -0700
>
> apparmor: fix regression in network mediation when using feature pinning
>
> When the 4.14-rc6 and earlier kernels are used with an upstream 4.13
> or earlier pinned feature set, there is a regression in network
> mediation where policy is not being correctly enforced, because the
> compilation is completely dropping the af mediation table as expected
> by pre 4.14 kernels but the 4.14 kernel is not accounting for this.
>
> Resulting in network denials that can not be fixed by policy.
>
> Fixes: 651e28c5537a ("apparmor: add base infastructure for socket
> mediation")
> Signed-off-by: John Johansen
>
> diff --git a/security/apparmor/policy_unpack.c
> b/security/apparmor/policy_unpack.c
> index 5a2aec358322..e348f8dec45d 100644
> --- a/security/apparmor/policy_unpack.c
> +++ b/security/apparmor/policy_unpack.c
> @@ -755,6 +755,10 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
> }
> if (!unpack_nameX(e, AA_ARRAYEND, NULL))
> goto fail;
> + } else {
> + /* support policy pre AF socket mediation */
> + for (i = 0; i < AF_MAX; i++)
> + profile->net.allow[i] = 0x;
> }
> if (VERSION_LT(e->version, v7)) {
> /* pre v7 policy always allowed these */

Thank you. Can I pull it from a tree? Trying [1], I am asked for credentials.

```
$ git remote add ubuntu https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source
$ git fetch ubuntu
Username for 'https://git.launchpad.net':
```

Kind regards,

Paul

[1] https://code.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/saucy/+ref/mako

-- 
https://bugs.launchpad.net/bugs/1721278
Status in apparmor package in Ubuntu: Confirmed
Status in apparmor source package in Xenial: Confirmed
Status in apparmor source package in Zesty: Confirmed
Status in apparmor source package in Artful: Confirmed
``` […] [Mi Okt 4 16:57:52 2017] audit: type=1400 audit(1507129072.882:554): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" [Mi Okt 4 16:57:53 2017] audit: type=1400 audit(1507129073.886:555): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" [Mi Okt 4 16:57:54 2017] audit: type=1400 audit(1507129074.886:556): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" [Mi Okt 4 16:57:55 2017] audit: type=1400 audit(1507129075.886:557): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" […] ``` To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1721278/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
Re: [Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later
On 10/24/2017 02:32 AM, Paul Menzel wrote:
> I'd really like to try the Linux kernel fix. Can I get it from
> somewhere?
>

commit 8baea25455c08173713fdbceac99309192518ffb
Author: John Johansen
Date: Mon Oct 23 08:51:24 2017 -0700

    apparmor: fix regression in network mediation when using feature pinning

    When the 4.14-rc6 and earlier kernels are used with an upstream 4.13
    or earlier pinned feature set, there is a regression in network
    mediation where policy is not being correctly enforced, because the
    compilation is completely dropping the af mediation table as expected
    by pre 4.14 kernels but the 4.14 kernel is not accounting for this.

    Resulting in network denials that can not be fixed by policy.

    Fixes: 651e28c5537a ("apparmor: add base infastructure for socket mediation")
    Signed-off-by: John Johansen

diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 5a2aec358322..e348f8dec45d 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -755,6 +755,10 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
}
if (!unpack_nameX(e, AA_ARRAYEND, NULL))
goto fail;
+ } else {
+ /* support policy pre AF socket mediation */
+ for (i = 0; i < AF_MAX; i++)
+ profile->net.allow[i] = 0x;
}
if (VERSION_LT(e->version, v7)) {
/* pre v7 policy always allowed these */
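Review bot: the new else branch in unpack_profile fills profile->net.allow[] for every address family up to AF_MAX with one constant, which makes the kernel permit all socket access for a profile whose policy blob carries no AF mediation table, and the one-line comment "support policy pre AF socket mediation" does not record why that permissive default is the correct one. Expand the comment with the reasoning from the commit message: a pre-4.14 pinned feature set makes the compiler drop the table entirely, and pre-4.14 kernels expected no table, so an all-allow table reproduces their behaviour instead of denying everything with no policy remedy. Two things cannot be verified from the visible lines and should be confirmed before merging: the literal being assigned is cut off in this copy of the patch (`profile->net.allow[i] = 0x;`), and the loop index `i` is not declared in the hunk's context, so it must already be a local of unpack_profile. Also worth a glance: if the net permission struct carries companion tables next to allow (audit or quiet masks, for instance), they are not initialised here and should be checked to default sensibly for the same case.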
Re: [Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed"
Dear Doug,

Thank you for your reply.

On 10/06/17 21:16, Doug Smythies wrote:
> Which kernel are you using?

I am using Linux 4.14-rc3+.

> On my development 17.10 Desktop, I get the same as you but only for mainline
> kernels 4.14-rc2 and 4.14-rc3. Earlier kernels, including mainline 4.14-rc1
> seem to be fine with respect to this issue.

I don't know when it started. The problem wasn't there with Linux 4.13. So,
your observation seems plausible.

Kind regards,

Paul

-- 
https://bugs.launchpad.net/bugs/1721278
Status in apparmor package in Ubuntu: New