Which kernel are you using?
On my development 17.10 Desktop, I get the same as you but only for mainline
kernels 4.14-rc2 and 4.14-rc3. Earlier kernels, including mainline 4.14-rc1,
seem to be fine with respect to this issue.
--
You received this bug notification because you are a member of Ubu
Paul wrote:
> I am using Linux 4.14-rc3+.
O.K. that is/was really important information.
While I have been calling this a kernel regression, it might be that a
great number of apparmor profiles need to be updated to accommodate the
new security stuff that was introduced in kernel 4.14-rc2 (it mi
I've found that it's more than just cups that blows up; some networking
related items (DHCP client, network manager IIRC) also explode.
** Summary changed:
- apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed"
+ apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/
Dear Doug,
Thank you for your reply.
On 10/06/17 21:16, Doug Smythies wrote:
> Which kernel are you using?
I am using Linux 4.14-rc3+.
> On my development 17.10 Desktop, I get the same as you but only for mainline
> kernels 4.14-rc2 and 4.14-rc3. Earlier kernels, including mainline 4.14-rc1 >
I've personally confirmed this with both artful and xenial userspace with
4.14-rc4.
A temporary solution other than compiling without apparmor is to do
teardown/stop:
```
# /etc/init.d/apparmor teardown
# /etc/init.d/apparmor stop
```
> I've found that it's more than just cups that blows up; some networking
> related items (DHCP client, network manager IIRC) also explode.
yes, and libvirtd and mysql.
I was not aware of "teardown". I'll try it when I get a chance.
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: apparmor (Ubuntu Zesty)
Status: New => Confirmed
This isn't really an *Ubuntu* issue per se as we've never claimed to
support apparmor profiles with non-Ubuntu kernels. I do think it is
interesting that there are 'unix' denials on a kernel that isn't
supposed to support unix rules.
John, can you comment on this?
And FWIW the /sbin/dhclient and /usr/lib/NetworkManager/nm-dhcp-helper
errors are also family="unix" denying create operations.
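As an added triage example (not from this thread or from the AppArmor project), the following Python parses kern.log audit records in the format quoted above and counts, per profile, the DENIED create operations with family="unix" that Doug reports for cups-browsed, dhclient and nm-dhcp-helper; the sample log lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample kern.log lines in the audit format quoted in the thread
# (not the attached kern.log.txt); pids, timestamps and the mysqld/inet/usb
# records are illustrative only.
SAMPLE_KERN_LOG = """\
kernel: audit: type=1400 audit(1507316180.101:40): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=1201 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
kernel: audit: type=1400 audit(1507316181.202:41): apparmor="DENIED" operation="create" profile="/sbin/dhclient" pid=1310 comm="dhclient" family="unix" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
kernel: audit: type=1400 audit(1507316181.305:42): apparmor="DENIED" operation="create" profile="/usr/lib/NetworkManager/nm-dhcp-helper" pid=1322 comm="nm-dhcp-helper" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
kernel: audit: type=1400 audit(1507316182.410:43): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" pid=1400 comm="mysqld" name="/etc/hosts.deny" requested_mask="r" denied_mask="r"
kernel: audit: type=1400 audit(1507316183.515:44): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=1201 comm="cups-browsed" family="inet" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
kernel: [   12.345678] usb 1-1: new high-speed USB device number 2 using xhci_hcd
"""

# key=value pairs; a value is either double-quoted or a bare token
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit record as a dict,
    or None for lines that are not AppArmor records."""
    if 'apparmor="' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def unix_create_denials(log_text):
    """Count, per profile, the DENIED operation="create" records with
    family="unix": the signature the thread attributes to unix socket rules
    that the parser failed to downgrade for the kernel's advertised feature
    abi. Other denials (file access, inet sockets) are skipped."""
    by_profile = Counter()
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec is None or rec.get("apparmor") != "DENIED":
            continue
        if rec.get("operation") == "create" and rec.get("family") == "unix":
            by_profile[rec.get("profile", "?")] += 1
    return by_profile


def triage(log_text):
    """Summarise which profiles show the unix-create signature and how often."""
    hits = unix_create_denials(log_text)
    return {"profiles": sorted(hits), "total": sum(hits.values())}


if __name__ == "__main__":
    for profile, n in sorted(unix_create_denials(SAMPLE_KERN_LOG).items()):
        print(f"{n:3d}  {profile}")
```

Run it against a real kern.log (e.g. `triage(open("/var/log/kern.log").read())`) to see at a glance which profiles are hit before and after a parser or kernel fix.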
> This isn't really an *Ubuntu* issue per se as we've never claimed to
> support apparmor profiles with non-Ubuntu kernels.
So I think the problem is that kernel team maintains a PPA of mainline
kernels and often will ask users to check stuff with mainline kernel
when there are bugs that come up. Th
As of 4.13 the upstream kernel does support basic socket mediation which
does include unix sockets. This denial is not due to fine grained unix
socket mediation.
@Doug,
not a kernel regression and not an incompatible kernel change either.
The kernel does support the older abi, however the compiled policy being
sent to the kernel is for the new abi that the kernel is now advertising
as being supported.
The kernel advertises its supported feature set and ab
err make that 4.14 not 4.13 in my above explanation
Could someone who is having this issue also attach a profile cache file
for the profile that is failing? So I can verify what your local
compiles are doing.
you can grab the binary cache file out of
/etc/apparmor.d/cache/sbin.dhclient
or compile it with
apparmor_parser -o output_file /etc/app
@Doug,
I forgot to mention this in my above explanation the reason you see this
with 4.14-rc2 and not 4.14-rc1 is because there was a problem with the
security tree merge and Linus ended up pulling the security changes in
between rc1 and rc2.
Here you go. This is from a kernel built on 4.14-rc4 right after boot
where dhclient is failing.
** Attachment added: "sbin.dhclient"
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1721278/+attachment/4974238/+files/sbin.dhclient
Ubuntu's parser is missing upstream commit r3700, resulting in this
failure.
John wrote:
> Ubuntu's parser is missing upstream commit r3700, resulting in this failure.
Is there any boot option that would allow Ubuntu mainline kernels to work?
For my own work, and as mentioned in comment #3, I am compiling with "#
CONFIG_SECURITY_APPARMOR is not set".
This bug is annoying in that there isn't a single switch to toggle to
work around it. You can pin the feature file but getting the feature
file you want requires some editing, or booting into a 4.13 upstream
kernel (at which point you lose the other features landed in 4.14).
To pin the features f
John,
It sounds like we should backport r3700 to all Ubuntu releases?
Yes. Ideally we would grab the upstream maintenance releases with the
patches in them. But upstream hasn't had time to release them yet. It
should happen this week
@John:
I tried your suggestion on my main 16.04.3 test server. I edited
/etc/apparmor/parser.conf, keeping an "original copy" first.
And used "the hand edited features 4.14 feature file attached".
It made things worse, as in addition to mysql and libvirt not starting,
now the network doesn't sta
If it helps anyone, I've got 4.14-rc5 and apparmor working. I've posted
a patch at the duplicate bug
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1724450.
@Doug,
Thanks for testing. I've managed to track down a bug in the kernel; I'll
try to get a fix merged before 4.14 final.
Also, I have apparmor userspace fixes building in the apparmor ppa and
will post those up for further test once they are done.
Rocko: thanks for the patch, just so people know this is a work around
patch which adjusts policy instead of fixing the bug in the parser.
Alright userspace packages with the parser fix are available in
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-devel
zesty is still building.
So to recap which solutions are needed where.
ubuntu kernel + apparmor 2.11.X - no patches needed
upstream 4.14-rc6 or earlier - policy p
I’d really like to try the Linux kernel fix. Can I get it from
somewhere?
Several people have asked for the patch
** Patch added: "Fix regression in network mediation"
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1721278/+attachment/4990797/+files/0001-apparmor-fix-regression-in-network-mediation-when-us.patch
The attachment "Fix regression in network mediation" seems to be a
patch. If it isn't, please remove the "patch" flag from the attachment,
remove the "patch" tag, and if you are a member of the ~ubuntu-
reviewers, unsubscribe the team.
[This is an automated message performed by a Launchpad user o
@John: That patch works great, thanks.
On kernel 4.14-rc6 + patch, I re-did the stuff from my comment #22,
which in turn was implementing one of the methods from your comment #19.
This time it worked.
@John, thank you for the patch, but maybe I misunderstood it. Applying
that patch to Linus’ master branch, should fix the regression, right? No
user space change needed, correct?
```
$ git log --oneline -2
4a4a4a7 apparmor: fix regression in network mediation when using feature pinning
6cff0a1 Mer
```
> ... apparmor="DENIED" operation="create" ... family="unix"
> sock_type="stream"
With the pinned-down feature set, you probably "lost" support for unix
rules.
In theory, apparmor_parser will downgrade those rules to "network unix,"
- but in practice a bug in apparmor_parser prevented it. This bug w
@Paul,
sorry no. At least not unless you are doing some very specific pinning
of the kernel features abi as I suggested as a solution in #19.
You will need the userspace fix in the ppa until ubuntu can land an SRU
of either patch r3700 or a full SRU of the current maintenance releases.
With the u
I integrated the PPA, but under Ubuntu 16.04.3 LTS no updates are
available. The package *apparmor* 2.10.95-0ubuntu2.7 is installed.
```
$ sudo add-apt-repository ppa:apparmor-dev/apparmor-devel
$ sudo apt-get update
```
Further to my comment #32: That setup then breaks lots of stuff if I
subsequently boot a normal default kernel (i.e. 4.4.0-96-generic). I'm
going back to just booting with apparmor disabled.
@Doug,
can you attach your breakage?
@John: O.K., I think this excerpt from kern.log is what you might be
looking for.
** Attachment added: "kern.log.txt"
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1721278/+attachment/4995556/+files/kern.log.txt
Okay, thank you everyone for your feedback.
The kernel patch causing the issue has been reverted. So 4.14-rc7 should
work as pre 4.14-rc2
This bug has become a dumping ground for multiple issues so I am going
to create new bugs to track the issues individually and close this bug
down. Please see th
** Changed in: apparmor (Ubuntu)
Status: Confirmed => Invalid
** Changed in: apparmor (Ubuntu Xenial)
Status: Confirmed => Invalid
** Changed in: apparmor (Ubuntu Zesty)
Status: Confirmed => Invalid
** Changed in: apparmor (Ubuntu Artful)
Status: Confirmed => Invalid
Yes, that stings but wasn't unexpected. It will take a while to get
features going back upstream, but in the long term this will actually
benefit apparmor, as it is forcing the development of fine grained
policy versioning, which has been needed for years but never a top priority.
*** This bug is a duplicate of bug 1728120 ***
https://bugs.launchpad.net/bugs/1728120
** This bug has been marked a duplicate of bug 1728120
apparmor_parser is missing fix for rule down grades
On 10/24/2017 02:32 AM, Paul Menzel wrote:
> I’d really like to try the Linux kernel fix. Can I get it from
> somewhere?
>
commit 8baea25455c08173713fdbceac99309192518ffb
Author: John Johansen
Date: Mon Oct 23 08:51:24 2017 -0700
apparmor: fix regression in network mediation when using fea
Dear John,
On 10/24/17 12:55, John Johansen wrote:
> On 10/24/2017 02:32 AM, Paul Menzel wrote:
>> I’d really like to try the Linux kernel fix. Can I get it from
>> somewhere?
>>
> commit 8baea25455c08173713fdbceac99309192518ffb
> Author: John Johansen
> Date: Mon Oct 23 08:51:24 2017 -0700
>
Dear Christian,
On 24.10.2017 at 19:14, Christian Boltz wrote:
>> ... apparmor="DENIED" operation="create" ... family="unix"
>> sock_type="stream"
>
> With the pinned-down feature set, you probably "lost" support for unix
> rules.
Sorry, I have no clue about the internals. I just use what’s shi
> The kernel patch causing the issue has been reverted. So 4.14-rc7
> should work as pre 4.14-rc2
Great! (Modulo Linus' commit message…)