eports to track workarounds on top of #1050256 that's
tracking the root cause, or something.
Cheers,
--
intrigeri
have added workarounds such as disabling
PrivateNetwork=yes for autopkgtests
Cheers,
--
intrigeri
/hypermail/linux/kernel/2104.3/01302.html
Ubuntu 22.04 LTS has this setting enabled by default.
KSPP recommends enabling it:
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
Thanks for your attention,
cheers!
--
intrigeri
Hi Debian Kernel Team,
intrigeri (2014-12-11):
> Ben Hutchings wrote (09 Dec 2014 19:55:10 GMT) :
>> Please try the Linux 3.18 packages from experimental (they're not there
>> yet, but should be soon) and check that overlayfs does what you need.
>
> Thanks. I'll te
.
Thanks!
Cheers,
--
intrigeri
Control: reassign -1 linux-image-4.14.0-2-amd64
Control: found -1 4.14.7-1
Laszlo KERTESZ:
> So it happened again with no apparmor loaded. Twice.
Thanks for reporting! I'm therefore reassigning this bug to the
affected Linux kernel package.
Cheers,
--
intrigeri
ce/security
trade-off for Debian?
If it helps making a decision I could hunt for benchmark results (the
KSPP people tend to attach these to their pull requests when it
matters).
[0] https://outflux.net/blog/archives/2017/11/14/security-things-in-linux-v4-14/
Cheers,
--
intrigeri
Ben Hutchings:
> Yes, I now understand this. I'll add a Recommends: apparmor for the
> next upload so this broken configuration is less likely to occur.
Thanks!
Cheers,
--
intrigeri
c… minus the bug.
This might provide inspiration to whoever wants to fix this bug in
LXC :)
If these bugs are not tracked upstream yet: Felix, you seem to be the
one of us with the best understanding of the problem and you know
AppArmor pretty well, so perhaps you would be the best person to
report them?
Cheers,
--
intrigeri
rofile that is not ready for prime time.
Adding AppArmor confinement where we had none previously can
come later.
Cheers,
--
intrigeri
"unrelated" breakage
has been fixed, and the reasons behind it clarified. What do
you think?
Cheers,
--
intrigeri
Hi Laurent & everyone else who's listening!
Laurent Bigonville:
> On 03/09/17 at 13:01, intrigeri wrote:
>> Laurent Bigonville:
>>> IMVHO, in regard to the recent proposal of enabling apparmor in debian
>>> by default, this needs to be addressed first.
>
AppArmor by
default and can apparently live with this bug.
Can you please make it explicit, e.g. describing what exact use cases
would be harmed by enabling AppArmor by default without fixing this
bug first?
Thanks in advance!
Cheers,
--
intrigeri
Hi,
intrigeri:
> I might try to come up with a hackish PoC for Tails soon
Here we go! Installing the four following files (slightly adapted to
drop a couple Tails-specific bits) on a Stretch system seems to do the
job. I hope it can allow interested people to validate this approach,
and then
p.org/wiki/Software/systemd/RootStorageDaemons/
* systemd-shutdown(8)
Cheers,
--
intrigeri
on't ensure that busybox is installed when the cryptsetup hook
needs it though. But that's another problem, and as Guilhem pointed
out it's well tracked elsewhere already.
Cheers,
--
intrigeri
vor downgrading the severity and
> merging the bugs for the time being.
Makes sense to me!
Cheers,
--
intrigeri
, while cryptsetup might not be
So at this point, I suggest this bug is reassigned to cryptsetup, and
option 3 is implemented there. But downgrading to non-RC and leaving
things as-is seems acceptable to me as well.
Thoughts?
Cheers,
--
intrigeri
also seems to have useful information about this.
Cheers,
--
intrigeri
Ilya Guterman:
> which means there is no such file in /lib/firmware/nvidia/
> you can add it by installing 'apt-get install firmware-linux-nonfree'
I cannot confirm this.
> intrigeri:
> it seems the firmwares are in debian,
In which package/version, exactly?
nse to keep #827579 open.
Cheers,
--
intrigeri
Package: src:linux
Version: 3.16.7-ckt9-2
Severity: normal
In a level 1 KVM guest, starting a level 2 KVM guest with QEMU fails and
triggers "soft lockup" messages on the serial console. Then the level 1 KVM
guest becomes unresponsive.
That's a regression since Wheezy: this does not happen (ever
overlayfs than a path-based MAC such
as AppArmor.
Cheers,
--
intrigeri
--
To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/85h9tpxn41@boum.org
bug that tracks this issue:
https://bugs.launchpad.net/apparmor/+bug/1408106
Cheers,
--
intrigeri
Hi,
Ben Hutchings wrote (21 Dec 2014 23:20:15 GMT) :
> On Sun, 2014-12-21 at 21:53 +0100, intrigeri wrote:
>> 1. Due to overlayfs' stack depth limit of 2, until support more than
>>    one read-only lower layer is completed, overlayfs breaks
>>    live-boot's S
Hi,
intrigeri wrote (11 Dec 2014 13:13:43 GMT) :
> Ben Hutchings wrote (09 Dec 2014 19:55:10 GMT) :
>> Please try the Linux 3.18 packages from experimental (they're not there
>> yet, but should be soon) and check that overlayfs does what you need.
> Thanks. I'll test
st other live systems, e.g. our incremental upgrades features
uses it) once I find the time to.
Cheers,
--
intrigeri
think you'll have time to answer this request for additional
information sent by Ben a bit more than two months ago?
Also, it might be useful to try and reproduce this with Linux 3.13.x
from Debian unstable, if possible.
Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardn
d.
I would do it myself, if I were sure what exact version fixes it.
Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
with some trivial bug triaging.)
Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
on't need the functionality we've asked for in this
bug report. I wouldn't mind if the maintainers closed it.
Thanks for caring!
Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri
ackage.
Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
Index: debian/config/config
===
--- debian/config/config (re
for default
Debian installations.
So, I suggest we keep the default value ("1") for Jessie.
The beginning of the Jessie development cycle seems like a good time
to bring such changes in, so I suggest Yama is enabled in our 3.8+
kernels once the kernel team is done with their last Wheezy
Hi,
berta...@ptitcanardnoir.org wrote (27 Jun 2012 11:00:22 GMT) :
> On Wed, Jun 27, 2012 at 04:32:31AM +0100, Ben Hutchings wrote:
>> Yes, but I think it would make more sense to emulate a USB storage
>> device in qemu rather than the host kernel.
I do agree.
bertagaz and I have spent a bit mo
Hi,
maximilian attems wrote (27 Jun 2011 10:13:07 GMT) :
> tags 627547 + pending
Was this fixed eventually?
Year-old pending tag makes me doubtful, but I did not find any
reference to this bug in the changelog, so, I'm wondering.
Michael Prokop wrote (23 Nov 2011 11:45:14 GMT) :
> maximilian: i've scheduled the patch for inclusion via
> mika/user_permissions.
Was this included eventually?
maximilian attems wrote (18 May 2011 16:29:43 GMT) :
> tags 468115 + pending
What happened to this patch / bug report ("Support for mount failure
hooks")?
Hi Ben,
Ben Hutchings wrote (24 Jun 2012 22:12:00 GMT) :
> Couldn't you also use usbip for this?
Thank you for mentioning usbip, I did not know about it!
After a quick look at it, I must say I'm happy to learn about it, and
I may use it for unrelated tasks, but it does not really seem to be
fit
Package: linux-2.6
Severity: wishlist
X-Debbugs-CC: tails-...@boum.org
User: tails-...@boum.org
Usertags: testing
Hi!
Please build dummy_hcd and g_mass_storage modules.
The USB dummy HCD and Mass Storage Gadget would be very useful to
implement automated testing of Live systems such as Tails [0]
Hi,
Ben Hutchings wrote (23 Jun 2012 19:02:06 GMT) :
> What is it that you think will happen at the freeze? We stop fixing
> all bugs and do nothing for the next few months?
Of course, and we'll lazily eat lots of icecream while you work hard
to release many shiny new Linux 3.2.x :)
Irony set as
s harmless or
>> else get a fix for it.
>>
> Right this breaks the controls over quieting of denial messages. Basically
> if policy specifies a reject should not be logged then the global controls
> that turn quieting off so that all rejects get logged aren't working
y are not task related
>>> +*/
>>> + if (in_interrupt())
>>> + return 0;
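Review bot: the early `return 0` under `if (in_interrupt())` at the end of this quoted hunk needs its justification in the code itself. Only the tail of the preceding comment is visible here ("... are not task related"), and the reply below already asks why the check is there at all. The comment should say what a return of 0 means to the caller when the function is entered from interrupt context, and why no further checking is needed on that path; if no reason can be stated, the check should be dropped.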
>>
>> I wonder why this is being checked at all.
>>
> Good question, I will have to dig into it.
John, have you had a chance to?
Cheers,
--
intrig
Hi,
Michal Suchanek wrote (05 Aug 2011 12:08:37 GMT) :
> At the very least the libc nss modules are required in intramfs to
> get dns lookup for netbooting. Splashscreen solutions like plymouth
> might need some of the graphics rendering modules.
I think it would be useful to mark as blocked by t
Package: linux-2.6
Severity: normal
Version: 3.2.19-1
Tags: patch
X-Debbugs-CC: john.johan...@canonical.com, k...@debian.org, mi...@riseup.net
Hi,
the AppArmor compatibility patch applied to fix #661151
totally breaks AppArmor support; this is a regression.
Details: http://bugs.debian.org/cgi-bin
intrigeri wrote (31 May 2012 13:14:13 GMT) :
>> Looking back over the bug log, I see that wasn't requested, so I'm
>> only applying 'AppArmor: compatibility patch for v5 interface' now.
Unfortunately, the resulting kernel (linux-image-3.2.0-2-amd64
3.2.19-1), comb
my initial bug report
(shyly) talked of the compatibility patch to solve both "network
mediation does not work at all" issue and the introspection ones,
so it would be absolutely wonderful if you could apply the part of the
compatibility patch that deals with network too (FTR, this would
connections
Regards,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
ore
precisely to the commits of the new interface that have been
upstreamed already, and to the ones that have not been, so that we can
get a rough idea of where things are at.
Kees, others, what do you think?
Regards,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intr
nd this is why the v5 compat' patches got recently reverted
in Precise's kernel tree, right?
> Though those will require a more recent userspace.
John: that will be called 2.8, right?
Regards,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrige
tches/$LATEST/ directory of the apparmor 2.7.x tarball?
Or have you got updated patches, e.g. for Linux 3.2.x, published
somewhere to be found?
Thanks,
--
intrigeri
if you want to, I won't complain ;). The purpose of this bug
report is rather to allow us to mark other bugs, reported against the
AppArmor userspace tools, as blocked by the lack of kernel support.
[1] http://lists.debian.org/debian-derivatives/2012/02/msg9.html
Cheers,
--
intrigeri
uld be
closed as well.
OTOH, I have since asked for memtest to be enabled for totally
different reasons, see #646361.
Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
| So
kage proper, so that all users of Debian (and
derivatives) who need it can easily enable this feature.
What do you think?
Bye,
--
intrigeri
but I
failed to find it anywhere; could it be expressed here please?
It seems to me another LSM (Tomoyo) has been included since 2.6.32-13
without satisfying these conditions, hence my wondering.
P.S.: please Cc me or the bug - I don't read debian-kernel.
Bye,
--
intr
en. SysRq keys don't work.
Bye,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @
https://gaffer.ptitcanardnoir.org/intrigeri/otr-fingerprint.asc
| Then we'll come from the shadows.
Hi,
Alex Deucher wrote (13 Aug 2010 16:06:17 GMT) :
> Can you try a newer kernel? 2.6.35.x preferably?
Already done, see message #56.
> Did hibernate ever work with kms for you?
No.
Bye,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
e loaded at all. Should I?
Bye,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @
https://gaffer.ptitcanardnoir.org/intrigeri/otr-fingerprint.asc
| Did you exchange a walk on part in the war
| for a lead role in the cage?
? S 15:50 0:00 [ext4-dio-unwrit]
root 435 0.0 0.0 0 0 ? S 15:51 0:00 [flush-254:5]
root 439 0.0 0.1 2596 1216 ? S
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @
https://gaffer.ptitcanardnoir.