This change regressed my apparmor profile for a script I'm working on,
which walks over processes using python3-psutil, in bionic.
I have this config in the apparmor profile:
capability sys_ptrace,
ptrace trace,
With kernel 4.15.0-154-generic #161 it works.
With kernel 4.15.0-158-generic
This bug was fixed in the package linux - 4.15.0-156.163
---
linux (4.15.0-156.163) bionic; urgency=medium
* bionic/linux: 4.15.0-156.163 -proposed tracker (LP: #1940162)
* linux (LP: #1940564)
- SAUCE: Revert "scsi: core: Cap scsi_host cmd_per_lun at can_queue"
* fails
Tested on bionic-proposed using the test binary that can be obtained in
the old description and it worked as expected:
root@ubuntu:~# gcc ./readlink-ns.c && sudo apparmor_parser -r
./readlink-ns.apparmor && sudo aa-exec -p test -- ./a.out -p 1 -n pid
path: /proc/1/ns/pid
rpath: pid:[4026531836]
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag 'verification-needed-
bionic' to 'verification-done-bionic'. If the problem still exists,
change the tag
** Changed in: linux (Ubuntu Bionic)
Status: Triaged => Fix Committed
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1890848
Title:
'ptrace trace' needed to readlink()
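The readlink test used above, as an added example: this is not the readlink-ns.c from the bug report (which is not reproduced in this thread) but a stand-in that readlink()s /proc/<pid>/ns/<ns> and returns -errno on failure, so an AppArmor denial (EACCES) on an affected kernel, with and without the 'ptrace trace' rule in the profile, can be told apart from a missing pid or namespace. The positional arguments (pid, then namespace name) and the inode-parsing helper are assumptions of this example, not the original binary's interface.

```c
// Added example, not the readlink-ns.c from the bug report: a minimal stand-in
// that readlink()s /proc/<pid>/ns/<ns> and reports the errno a denial produces,
// so a profile can be tested with and without the 'ptrace trace' rule.
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Build the /proc/<pid>/ns/<ns> path; returns 0, or -1 if it does not fit. */
int ns_link_path(long pid, const char *ns, char *out, size_t len) {
    int n = snprintf(out, len, "/proc/%ld/ns/%s", pid, ns);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Parse a link target such as "pid:[4026531836]" into its inode number.
 * Returns 0 on success, -1 if the target is not in the expected form. */
int ns_link_inode(const char *target, const char *ns, unsigned long *ino) {
    size_t nlen = strlen(ns);
    const char *digits = target + nlen + 2;
    char *end;
    if (strncmp(target, ns, nlen) != 0 || target[nlen] != ':' || target[nlen + 1] != '[')
        return -1;
    errno = 0;
    *ino = strtoul(digits, &end, 10);
    return (errno == 0 && end != digits && strcmp(end, "]") == 0) ? 0 : -1;
}

/* readlink() the namespace symlink. Returns the target length, or -errno:
 * -EACCES is what an AppArmor denial (missing 'ptrace trace' on an affected
 * kernel) looks like to the caller; -ENOENT means no such pid or namespace. */
int read_ns_link(long pid, const char *ns, char *out, size_t len) {
    char path[64];
    if (ns_link_path(pid, ns, path, sizeof path) < 0) return -ENAMETOOLONG;
    ssize_t n = readlink(path, out, len - 1);
    if (n < 0) return -errno;
    out[n] = '\0';
    return (int)n;
}

int main(int argc, char **argv) {
    long pid = argc > 1 ? atol(argv[1]) : 1;       /* default mirrors '-p 1' above */
    const char *ns = argc > 2 ? argv[2] : "pid";   /* default mirrors '-n pid' above */
    char target[128];
    unsigned long ino;
    int r = read_ns_link(pid, ns, target, sizeof target);
    if (r < 0) { fprintf(stderr, "readlink failed: %s\n", strerror(-r)); return 1; }
    printf("rpath: %s\n", target);
    if (ns_link_inode(target, ns, &ino) == 0) printf("inode: %lu\n", ino);
    return 0;
}
```

Run it under the profile with aa-exec as in the comment above; on an affected kernel without 'ptrace trace' the failure reports "Permission denied", while a nonexistent pid reports "No such file or directory".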
Also to be clear, from jjohansen's comment to me last week, all of the
necessary patches are available in the 5.4 focal kernel, so kernels for
UC20 from canonical snaps should contain this fix on the 20 track.
From the commits mentioned that solve the issue, 338d0be437ef was not
available on 4.15 kernels. The cherry-pick was submitted to the kernel
team for approval.
** Description changed:
- Per 'man namespaces':
+ SRU Justification:
- "Permission to dereference or read (readlink(2)) these
FYI, John provided me a test kernel for 18.04 and it resolved the issue.
This will be the basis of the SRU.
I spoke with John and he plans to SRU this. Marking as triaged and
assigning to him. Thanks John!
** Changed in: linux (Ubuntu Xenial)
Importance: Undecided => Medium
** Changed in: linux (Ubuntu Xenial)
Status: Confirmed => Triaged
** Changed in: linux (Ubuntu Bionic)
Status:
Thanks John! Is this something that we can get into the next SRU cycle?
We didn't pick this up automatically because its fixes tag is for when
ptrace rules landed upstream. But Ubuntu was carrying ptrace rules prior
to this
We need to pick the upstream fix
338d0be437ef apparmor: fix ptrace read check
and we should probably pick
1f8266ff5884 (fix-setuid) apparmor: don't try to replace stale label in
ptrace access check
to avoid other problems.
** Summary changed:
- 'ptrace trace' needed to readlink() /proc/*/ns/* files
+ 'ptrace trace' needed to readlink() /proc/*/ns/* files on older kernels