[Bug 1658943] Re: aa-notify blocks desktop with garbage notifications

2017-01-24 Thread John Johansen
** Changed in: apparmor Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1658943 Title: aa-notify blocks desktop with garbage notifications To manage notifications

[Bug 1658625] Re: linux i386 ADT apparmor self-tests OOM machine with linux-4.9.0-12.13

2017-01-23 Thread John Johansen
There are definitely several ref count leaks that can lead to memory leaking during policy replacement. I haven't been able to trace down every leak yet, but the kernel in http://people.canonical.com/~jj/lp1656121/ contains several fixes that should help. I need to finish cleaning up the series

[Bug 1290107] Re: Vidalia does not start. AppArmor prevents

2017-01-10 Thread John Johansen
** Changed in: vidalia (Ubuntu) Status: Confirmed => Invalid (https://bugs.launchpad.net/bugs/1290107)

[Bug 1630069] Re: Regression tests can not detect binfmt_elf mmpa semantic change

2017-01-10 Thread John Johansen
** Changed in: apparmor (Ubuntu) Status: New => Fix Released ** Changed in: apparmor Status: Fix Committed => Fix Released ** Changed in: linux (Ubuntu Xenial) Status: New => Invalid

[Bug 1592547] Re: vmalloc failure leads to null ptr dereference in aa_dfa_next

2017-01-05 Thread John Johansen
** Changed in: apparmor Status: New => Invalid (https://bugs.launchpad.net/bugs/1592547)

[Bug 1651944] Re: Kernel panic when we call pipework to setup virtual network for docker containers

2017-01-05 Thread John Johansen
sudo snap refresh should refresh the kernel snap. However, the suspected fix will not be in any snap kernel, nor can I atm build you a kernel snap to test with.

[Bug 1648143] Re: tor in lxd: apparmor="DENIED" operation="change_onexec" namespace="root//CONTAINERNAME_" profile="unconfined" name="system_tor"

2017-01-05 Thread John Johansen
Okay, that looks like the kernel is working for you and you are now past the original [103975.623545] audit: type=1400 audit(1481284511.494:2807): apparmor="DENIED" operation="change_onexec" info="no new privs" error=-1 namespace="root//lxd-tor_" profile="unconfined" name="system_tor" pid=18593

[Bug 1651944] Re: Kernel panic when we call pipework to setup virtual network for docker containers

2017-01-03 Thread John Johansen
Ignore the request to test the upstream kernel, for the moment. In this case the apparmor code that is in the trace does not exist upstream. Instead, could you test the kernel in http://people.canonical.com/~jj/lp1648143/ ? While listed as being for bug 1648143, it contains several fixes

[Bug 1648143] Re: tor in lxd: apparmor="DENIED" operation="change_onexec" namespace="root//CONTAINERNAME_" profile="unconfined" name="system_tor"

2016-12-31 Thread John Johansen
Sorry this took longer than expected. I have placed amd64 test kernels at http://people.canonical.com/~jj/lp1648143/ . Please let me know if this works for you.

[Bug 1653347] Re: [profile] netstat(8): ptrace and many DENIED messages (target=*).

2016-12-31 Thread John Johansen
The denial messages like target=B00280F4B00280F are caused by a kernel bug in reporting the profile name of the target of the ptrace. In general ptrace operations are controlled by both capability and ptrace rules. This is because within the kernel ptrace calls into the capability code,

[Bug 1648143] Re: tor in lxd: apparmor="DENIED" operation="change_onexec" namespace="root//CONTAINERNAME_" profile="unconfined" name="system_tor"

2016-12-25 Thread John Johansen
This occurs in a stacked policy situation, where a system policy is being applied but, within the container namespace, the policy is unconfined. The special casing for unconfined with no-new-privs is not properly detecting this case. I will have a test kernel with a fix for this issue

[Bug 1648143] Re: tor in lxd: apparmor="DENIED" operation="change_onexec" namespace="root//CONTAINERNAME_" profile="unconfined" name="system_tor"

2016-12-09 Thread John Johansen
To clarify, the container is missing the minimum requirements of the apparmor_parser and the apparmor init service. (https://bugs.launchpad.net/bugs/1648143)

[Bug 1648143] Re: tor in lxd: apparmor="DENIED" operation="change_onexec" namespace="root//CONTAINERNAME_" profile="unconfined" name="system_tor"

2016-12-09 Thread John Johansen
Using lxc launch images:ubuntu/yakkety torcontainer to create the container, then installing tor into the container and starting it, I can replicate the error. However this is due to the container not having apparmor installed. The container is not booting with apparmor or loading the tor profile.

[Bug 1645037] Re: apparmor_parser hangs indefinitely when called by multiple threads

2016-12-08 Thread John Johansen
Christian, could you please try against my test kernel? It has fixed the issue with my local reproducer. The packages are in http://people.canonical.com/~jj/linux+jj/ ; you can probably get away with just installing linux-image-4.8.0-30-generic_4.8.0-30.32+lp1645037_amd64.deb but the other

[Bug 1645037] Re: apparmor_parser hangs indefinitely when called by multiple threads

2016-12-06 Thread John Johansen
I have fully replicated this with just the apparmor_parser and bash. It requires using both the fs based namespace mkdir/rmdir namespace interface and regular profile replacement/removal at the same time.

[Bug 1647586] Re: apparmor errors with current ntp

2016-12-06 Thread John Johansen
This should be fixed by adding the rule dbus rw peer=(name=/run/dbus/system_bus_socket), to the /usr/sbin/ntpd profile. (https://bugs.launchpad.net/bugs/1647586)

[Bug 1645037] Re: apparmor_parser hangs indefinitely when called by multiple threads

2016-12-03 Thread John Johansen
I think I may have replicated, in that I got log entries with task blocked for more than 120 seconds, very similar to the above logs. And running ps on the system did show several apparmor_parsers waiting. However it did not crash nor did the apparmor_parser instances

[Bug 1645037] Re: apparmor_parser hangs indefinitely when called by multiple threads

2016-12-03 Thread John Johansen
No, I haven't. I have been using the instructions you provided with no success. I have started some tests doing lower level direct calls of replace and reload so that I can have even more concurrency.

[Bug 1645037] Re: apparmor_parser hangs indefinitely when called by multiple threads

2016-12-03 Thread John Johansen
How reliable/repeatable is this for you? I have been hammering a machine for multiple days and not been able to trip this once. I have been using the 4.8 ubuntu kernel, the ubuntu-lxc/daily and the ubuntu-lxc/stable ppas. Any more info you can provide?

[Bug 1645037] Re: apparmor_parser hangs indefinitely when called by multiple threads

2016-12-01 Thread John Johansen
** Changed in: linux (Ubuntu Xenial) Assignee: (unassigned) => John Johansen (jjohansen) ** Changed in: linux (Ubuntu Yakkety) Assignee: (unassigned) => John Johansen (jjohansen) ** Changed in: linux (Ubuntu Zesty) Assignee: (unassigned) => John Johansen (jjohansen) *

[Bug 1634753] Re: srcname from mount rule corrupted under load

2016-11-28 Thread John Johansen
I have done some light testing on this, trying to develop a non-snap-based test to verify it. The test is nowhere near as reliable as the snappy test. I haven't been able to trigger the bug on the new kernel yet, with the caveat that it could just be the test. I am inclined to declare this

[Bug 1611078] Re: Support snaps inside of lxd containers

2016-11-07 Thread John Johansen
Note that for xenial there are several pieces that must land as different SRUs. Just using the xenial SRU kernel is not sufficient. There is an apparmor userspace SRU that is required, and squashfuse sru ...

[Bug 1637437] Re: linux 3.13.0-101.148 ADT test failure with linux 3.13.0-101.148

2016-11-07 Thread John Johansen
This appears to be a problem with the test. ** Changed in: linux (Ubuntu) Status: Confirmed => Invalid ** Also affects: apparmor (Ubuntu) Importance: Undecided Status: New ** Changed in: apparmor (Ubuntu) Status: New => Confirmed

[Bug 1637440] Re: linux 4.4.0-46.67 ADT test failure with linux 4.4.0-46.67

2016-11-07 Thread John Johansen
This appears to be an issue with the test. ** Changed in: linux (Ubuntu) Status: Confirmed => Invalid ** Also affects: apparmor (Ubuntu) Importance: Undecided Status: New ** Changed in: apparmor (Ubuntu) Status: New => Confirmed

[Bug 1639660] Re: apparmor-parse cannot parse profile with stacking //

2016-11-07 Thread John Johansen
Alright, I have replicated and there is indeed a problem here. It will work if the first profile starts with a / but fails when it doesn't. ** Changed in: apparmor (Ubuntu) Status: New => Confirmed ** Changed in: apparmor (Ubuntu) Assignee: (unassigned) => John Johansen (jjo

[Bug 1639660] Re: apparmor-parse cannot parse profile with stacking //

2016-11-06 Thread John Johansen
Yuqiong Sun, the parser is sensitive to white space. If your profile has white space in the name, you will need to use quotes around it: /root/test/read px -> "readtest1 //& readtest2", otherwise you will need to remove the white space and specify it as /root/test/read px -> readtest1//,

[Bug 1638996] Re: apparmor's raw_data file in securityfs is sometimes truncated

2016-11-04 Thread John Johansen
I need more information about what else is going on on the system when this triggers: is there profile replacement happening, what kind of load, ... So far I have been unable to trigger this, and the code looks good. ** Changed in: linux (Ubuntu) Status: In Progress => Incomplete

[Bug 1638996] Re: apparmor's raw_data file in securityfs is sometimes truncated

2016-11-04 Thread John Johansen
** Changed in: linux (Ubuntu) Status: Incomplete => Confirmed ** Changed in: linux (Ubuntu) Status: Confirmed => In Progress ** Changed in: linux (Ubuntu) Assignee: (unassigned) => John Johansen (jjohansen)

[Bug 1634753] Re: srcname from mount rule corrupted under load

2016-10-19 Thread John Johansen
** Changed in: linux (Ubuntu Yakkety) Status: Triaged => Invalid ** Also affects: linux (Ubuntu Trusty) Importance: Undecided Status: New ** Changed in: linux (Ubuntu Trusty) Status: New => Triaged ** Also affects: linux (Ubuntu Precise) Importance: Undecided

[Bug 1611078] Re: Support snaps inside of lxd containers

2016-10-14 Thread John Johansen
** Also affects: apparmor (Ubuntu Yakkety) Importance: Critical Assignee: Tyler Hicks (tyhicks) Status: Fix Released ** Also affects: linux (Ubuntu Yakkety) Importance: Critical Assignee: John Johansen (jjohansen) Status: Fix Released ** Also affects: lxd (Ubuntu

[Bug 1630069] Re: Regression tests can not detect binfmt_elf mmpa semantic change

2016-10-05 Thread John Johansen
** Changed in: apparmor Status: New => Fix Committed ** Changed in: linux (Ubuntu Yakkety) Status: Incomplete => In Progress (https://bugs.launchpad.net/bugs/1630069)

[Bug 1630354] Re: can not switch workspaces using keyboard short cuts

2016-10-05 Thread John Johansen
I'm not sure what messed up the settings, but there isn't enough of a trail to say if it was the unity update, compiz update or some other random change. So moving to invalid. ** Changed in: unity (Ubuntu) Status: New => Invalid

[Bug 1630354] Re: can not switch workspaces using keyboard short cuts

2016-10-04 Thread John Johansen
Got it. It required that I install ccsm and toggle the Desktop Wall setting. (https://bugs.launchpad.net/bugs/1630354)

[Bug 1630354] [NEW] can not switch workspaces using keyboard short cuts

2016-10-04 Thread John Johansen
Public bug reported: 16.04 - fully updated. Keyboard shortcuts to switch workspaces used to work. After last reboot they don't. Checked in system settings, keyboard shortcuts are set. Tried resetting them, no go. Tried alternate key shortcuts, no go. Tried rebooting, they still don't work.

[Bug 1630069] [NEW] Regression tests can not detect binfmt_elf mmpa semantic change

2016-10-03 Thread John Johansen
but it results in the test breaking for everyone using upstream releases against pre 4.8 kernels. ** Affects: apparmor Importance: Undecided Assignee: John Johansen (jjohansen) Status: New ** Affects: linux (Ubuntu) Importance: Undecided Assignee: John Johansen (jjohansen

[Bug 1611078] Re: Support snaps inside of lxd containers

2016-09-28 Thread John Johansen
** Also affects: linux (Ubuntu) Importance: Undecided Status: New ** Changed in: linux (Ubuntu) Importance: Undecided => Critical ** Changed in: linux (Ubuntu) Status: New => In Progress ** Changed in: linux (Ubuntu) Assignee: (unassigned) => John Johansen (

[Bug 1628285] Re: apparmor should be allowed to start in containers

2016-09-27 Thread John Johansen
Slight revision: /sys/kernel/security/apparmor/features/domain/ns_stacked contains yes/no if stacked across policy namespace; /sys/kernel/security/apparmor/features/domain/ns_name contains the name of the namespace. As long as lxc sets up a detectable namespace, ns_name can be used to

[Bug 1626984] Re: kernel BUG at /build/linux-lts-xenial-_hWfOZ/linux-lts-xenial-4.4.0/security/apparmor/include/context.h:69!

2016-09-23 Thread John Johansen
In testing I have not been able to reproduce. But from the oops it looks potentially like either memory corruption or corruption of the cred. The oops reports invalid opcode: [#1] SMP; however, the piece of code triggering this is used all the time, so the more likely scenario is

[Bug 1615881] Re: The label build for onexec when stacking is wrong

2016-09-09 Thread John Johansen
** Tags removed: verification-needed-xenial ** Tags added: verification-done-xenial (https://bugs.launchpad.net/bugs/1615881)

[Bug 1615882] Re: dfa is missing a bounds check which can cause an oops

2016-09-09 Thread John Johansen
** Tags removed: verification-needed-xenial ** Tags added: verification-done-xenial (https://bugs.launchpad.net/bugs/1615882)

[Bug 1593874] Re: warning stack trace while playing with apparmor namespaces

2016-09-09 Thread John Johansen
** Tags removed: verification-needed-xenial ** Tags added: verification-done-xenial (https://bugs.launchpad.net/bugs/1593874)

[Bug 1615878] Re: __label_update proxy comparison test is wrong

2016-09-09 Thread John Johansen
** Tags removed: verification-needed-xenial ** Tags added: verification-done-xenial (https://bugs.launchpad.net/bugs/1615878)

[Bug 1615880] Re: The inherit check for new to old label comparison for domain transitions is wrong

2016-09-09 Thread John Johansen
** Tags removed: verification-needed-xenial ** Tags added: verification-done-xenial (https://bugs.launchpad.net/bugs/1615880)

[Bug 1615889] Re: label vec reductions can result in reference labels instead of direct access to labels

2016-09-09 Thread John Johansen
** Tags removed: verification-needed-xenial ** Tags added: verification-done-xenial (https://bugs.launchpad.net/bugs/1615889)

[Bug 1615892] Re: deleted files outside of the namespace are not being treated as disconnected

2016-09-09 Thread John Johansen
** Tags removed: verification-needed-xenial ** Tags added: verification-done-xenial (https://bugs.launchpad.net/bugs/1615892)

[Bug 1615895] Re: apparmor module parameters can be changed after the policy is locked

2016-09-09 Thread John Johansen
** Tags removed: verification-needed-xenial ** Tags added: verification-done-xenial (https://bugs.launchpad.net/bugs/1615895)

[Bug 1615887] Re: profiles from different namespaces can block other namespaces from being able to load a profile

2016-09-09 Thread John Johansen
** Tags removed: verification-needed-xenial ** Tags added: verification-done-xenial (https://bugs.launchpad.net/bugs/1615887)

[Bug 1615893] Re: change_hat is logging failures during expected hat probing

2016-09-09 Thread John Johansen
** Tags removed: verification-needed-xenial ** Tags added: verification-done-xenial (https://bugs.launchpad.net/bugs/1615893)

[Bug 1579135] Re: AppArmor profile reloading causes an intermittent kernel BUG

2016-09-09 Thread John Johansen
** Tags removed: verification-needed-xenial ** Tags added: verification-done-xenial (https://bugs.launchpad.net/bugs/1579135)

[Bug 1615890] Re: stacking to unconfined in a child namespace confuses mediation

2016-09-09 Thread John Johansen
** Tags removed: verification-needed-xenial ** Tags added: verification-done-xenial (https://bugs.launchpad.net/bugs/1615890)

[Bug 1615895] Re: apparmor module parameters can be changed after the policy is locked

2016-08-23 Thread John Johansen
** Also affects: linux (Ubuntu) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Yakkety) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Xenial) Importance: Undecided Status: New ** Changed in: linux (Ubuntu Xenial) Status:

[Bug 1609885] Re: exec transitions to profiles with '.' in name don't work

2016-08-23 Thread John Johansen
** Also affects: linux (Ubuntu) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Yakkety) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Xenial) Importance: Undecided Status: New ** Changed in: linux (Ubuntu Xenial) Status:

[Bug 1615887] Re: profiles from different namespaces can block other namespaces from being able to load a profile

2016-08-23 Thread John Johansen
** Also affects: linux (Ubuntu) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Yakkety) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Xenial) Importance: Undecided Status: New ** Changed in: linux (Ubuntu Xenial) Status:

[Bug 1615889] Re: label vec reductions can result in reference labels instead of direct access to labels

2016-08-23 Thread John Johansen
** Also affects: linux (Ubuntu) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Yakkety) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Xenial) Importance: Undecided Status: New ** Changed in: linux (Ubuntu Xenial) Status:

[Bug 1615892] Re: deleted files outside of the namespace are not being treated as disconnected

2016-08-23 Thread John Johansen
** Also affects: linux (Ubuntu) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Yakkety) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Xenial) Importance: Undecided Status: New ** Changed in: linux (Ubuntu Xenial) Status:

[Bug 1615890] Re: stacking to unconfined in a child namespace confuses mediation

2016-08-23 Thread John Johansen
** Also affects: linux (Ubuntu) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Yakkety) Importance: Undecided Status: New ** Changed in: linux (Ubuntu Xenial) Status:

[Bug 1615893] Re: change_hat is logging failures during expected hat probing

2016-08-23 Thread John Johansen
** Also affects: linux (Ubuntu) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Yakkety) Importance: Undecided Status: New ** Changed in: linux (Ubuntu Xenial) Status:

[Bug 1615878] Re: __label_update proxy comparison test is wrong

2016-08-23 Thread John Johansen
** Also affects: linux (Ubuntu) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Yakkety) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Xenial) Importance: Undecided Status: New ** Changed in: linux (Ubuntu Xenial) Status:

[Bug 1615882] Re: dfa is missing a bounds check which can cause an oops

2016-08-23 Thread John Johansen
** Also affects: linux (Ubuntu) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Yakkety) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Xenial) Importance: Undecided Status: New ** Changed in: linux (Ubuntu Xenial) Status:

[Bug 1615880] Re: The inherit check for new to old label comparison for domain transitions is wrong

2016-08-23 Thread John Johansen
** Also affects: linux (Ubuntu) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Yakkety) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Xenial) Importance: Undecided Status: New ** Changed in: linux (Ubuntu Xenial) Status:

[Bug 1615881] Re: The label build for onexec when stacking is wrong

2016-08-23 Thread John Johansen
** Also affects: linux (Ubuntu) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Yakkety) Importance: Undecided Status: New ** Changed in: linux (Ubuntu Xenial) Status:

[Bug 1579135] Re: AppArmor profile reloading causes an intermittent kernel BUG

2016-08-23 Thread John Johansen
) Importance: Critical Assignee: John Johansen (jjohansen) Status: Incomplete ** Also affects: linux (Ubuntu Yakkety) Importance: Undecided Status: New ** Changed in: linux (Ubuntu Xenial) Status: New => Fix Committed ** Changed in: linux (Ubuntu Yakkety) Status:

[Bug 1579135] Re: AppArmor profile reloading causes an intermittent kernel BUG

2016-08-22 Thread John Johansen
I believe I have finally tracked this one down. It only occurs when an fd is shared between 9 or more separate profile domains and one of those profiles is removed. The removal part can happen during the apparmor reload phase, if a profile was renamed which is more likely on touch and snappy.

[Bug 1581990] Re: Profile reload leads to kernel NULL pointer dereference

2016-08-22 Thread John Johansen
*** This bug is a duplicate of bug 1579135 *** https://bugs.launchpad.net/bugs/1579135 Note: there is a new test kernel using +jj61 at http://people.canonical.com/~jj/linux+jj/ . This should be the final fix for this issue.

[Bug 1579135] Re: kernel BUG on snap disconnect from within a snap

2016-08-17 Thread John Johansen
Could you try reproducing with the kernel in http://people.canonical.com/~jj/linux+jj/ ? (https://bugs.launchpad.net/bugs/1579135)

[Bug 1581990] Re: Profile reload leads to kernel NULL pointer dereference

2016-08-05 Thread John Johansen
Can you try the kernel in http://people.canonical.com/~jj/linux+jj/ ? Yes, it is a xenial kernel, but it should still work on trusty. (https://bugs.launchpad.net/bugs/1581990)

[Bug 1594202] Re: apparmor messages everywhere

2016-07-25 Thread John Johansen
The apparmor profile is tailored for the default dovecot install; if you have a custom build or have tweaked the configuration, the apparmor profile may need to be modified. Can you tell how/where your dovecot came from (apt/snap/custom build)? Can you please attach your dovecot configs so we can

[Bug 1373070] Re: full fix for disconnected path (paths)

2016-07-25 Thread John Johansen
Possibly. There isn't actually enough information in that bug to be sure if it is an actual namespacing issue or it is a separate bug to do with unix domain sockets. Unfortunately the workaround of attach_disconnect is still required to deal with these issues.

[Bug 1378123] Re: unix_socket_abstract.sh triggers an AppArmor WARN

2016-07-01 Thread John Johansen
This should be fixed in Xenial; there is a large patchset (30 or so patches) that can be SRUed to vivid's 3.16 kernel. (https://bugs.launchpad.net/bugs/1378123)

[Bug 1579135] Re: kernel BUG on snap disconnect from within a snap

2016-06-03 Thread John Johansen
Is the snap removed and then reinstalled? Has this been triggered just by running the snap? When was the kernel rebooted since the snap was installed? Since the snap was removed? ...

[Bug 1581990] Re: Profile reload leads to kernel NULL pointer dereference

2016-06-03 Thread John Johansen
I have been unable to trigger the first bug reported. Can you attach a flattened version of your profile set? apparmor_parser -p your_profile > flattened_profile

[Bug 1579135] Re: kernel BUG on snap disconnect from within a snap

2016-06-03 Thread John Johansen
I have been unable to trigger this bug; can you please provide more information? (https://bugs.launchpad.net/bugs/1579135)

[Bug 1581990] Re: Profile reload leads to kernel NULL pointer dereference

2016-06-03 Thread John Johansen
I have updated the debug kernel at http://people.canonical.com/~jj/lp1581990/ ; it adds more debug and fixes the 2nd issue you encountered. (https://bugs.launchpad.net/bugs/1581990)

[Bug 1581990] Re: Profile reload leads to kernel NULL pointer dereference

2016-06-01 Thread John Johansen
That sadly was not very helpful; it died in a completely different place and didn't trip any of the additional debug. Would it be possible to try it again?

[Bug 1581990] Re: Profile reload leads to kernel NULL pointer dereference

2016-05-25 Thread John Johansen
I have uploaded a debug kernel to http://people.canonical.com/~jj/lp1581990/ . If you could install that and test, hopefully it has enough debug to track this issue down.

[Bug 1581990] Re: Profile reload leads to kernel NULL pointer dereference

2016-05-21 Thread John Johansen
Are the oops warnings reliable for you? It appears to be a ref count bug or race and I have not been able to track it down yet. If it is somewhat reliable, would you be willing to try a debug kernel to help track the issue down?

[Bug 1579135] Re: kernel BUG on snap disconnect from within a snap

2016-05-19 Thread John Johansen
No, which means it's a race of some kind. (https://bugs.launchpad.net/bugs/1579135)

[Bug 1446794] Re: parser error with 'deny change_profile'

2016-05-17 Thread John Johansen
The deny modifier has been fixed in the 2.11 parser. However, the audit modifier is not properly supported by the backend permission format and will result in equality.sh failing. With the above patch to equality.sh, the failures all involve audit, which is being silently dropped in permission

[Bug 1581202] Re: CVE-2016-0758

2016-05-16 Thread John Johansen
** Information type changed from Private Security to Public Security (https://bugs.launchpad.net/bugs/1581202)

[Bug 1581201] Re: CVE-2016-3713

2016-05-16 Thread John Johansen
** Information type changed from Private Security to Public Security (https://bugs.launchpad.net/bugs/1581201)

[Bug 1581990] Re: Profile reload leads to kernel NULL pointer dereference

2016-05-16 Thread John Johansen
Are these custom/modified dovecot profiles? What other profiles are loaded? Can you provide the output of aa-status? (https://bugs.launchpad.net/bugs/1581990)

[Bug 1581202] [NEW] CVE-2016-0758

2016-05-12 Thread John Johansen
*** This bug is a security vulnerability *** Private security bug reported: Placeholder ** Affects: linux (Ubuntu) Importance: Undecided Status: New ** Affects: linux-raspi2 (Ubuntu) Importance: Undecided Status: New ** Affects: linux-ti-omap4 (Ubuntu)

[Bug 1581201] [NEW] CVE-2016-3713

2016-05-12 Thread John Johansen
*** This bug is a security vulnerability *** Private security bug reported: Placeholder ** Affects: linux (Ubuntu) Importance: Undecided Status: New ** Affects: linux-raspi2 (Ubuntu) Importance: Undecided Status: New ** Affects: linux-ti-omap4 (Ubuntu)

Re: [Bug 1580463] Re: Snap blocks access to system input methods (ibus, fctix, ...)

2016-05-11 Thread John Johansen
On 05/11/2016 11:46 AM, Tyler Hicks wrote: > On 05/11/2016 10:22 AM, Jamie Strandboge wrote: > ... >> >> We then have dbus-session-strict: >> unix (connect, receive, send) >>type=stream >>peer=(addr="@/tmp/dbus-*"), >> >> There is a problem with this policy though; that access is

[Bug 1579135] Re: kernel BUG on snap disconnect from within a snap

2016-05-06 Thread John Johansen
What kernel (full version) did this occur on? https://bugs.launchpad.net/bugs/1579135

[Bug 1575392] Re: Use force-complain symlinks instead of hard-coded "complain" flags

2016-04-26 Thread John Johansen
To be clear, we are not talking about removing support for flags=(complain) from the parser or the language. Just defaulting to using the symlink for aa-complain because of broken packaging systems :P

[Bug 1575392] Re: Use force-complain symlinks instead of hard-coded "complain" flags

2016-04-26 Thread John Johansen
Hrmmm, I thought this was fixed in the parser. Maybe it's only part 1 of a 2 part fix that was done; we will have to check, but the cached policy now stores a flag in the header that it was built with complain mode, making it possible to detect this condition without having to parse the whole cache

[Bug 1525119] Re: Cannot permit some operations for sssd

2016-04-20 Thread John Johansen
** Changed in: apparmor/2.10 Status: Fix Committed => Fix Released https://bugs.launchpad.net/bugs/1525119

[Bug 1528139] Re: serialize_profile_from_old_profile() crash if file contains multiple profiles

2016-04-20 Thread John Johansen
** Changed in: apparmor/2.10 Status: Fix Committed => Fix Released https://bugs.launchpad.net/bugs/1528139

[Bug 1534405] Re: Regression in parser compiling/loading a directory

2016-04-20 Thread John Johansen
** Changed in: apparmor/2.10 Status: Fix Committed => Fix Released https://bugs.launchpad.net/bugs/1534405

[Bug 1324608] Re: when aa-logprof processed file access rules with mask of "c" the resulting profile doesn't work

2016-04-20 Thread John Johansen
** Changed in: apparmor Status: Fix Committed => Fix Released https://bugs.launchpad.net/bugs/1324608

[Bug 1540562] Re: aa-genprof crashes in logparser NoneType has no "replace"

2016-04-20 Thread John Johansen
** Changed in: apparmor/2.10 Status: Fix Committed => Fix Released https://bugs.launchpad.net/bugs/1540562

[Bug 1568485] Re: kernel: audit: type=1400 audit(1460259033.648:34): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13

2016-04-10 Thread John Johansen
It needs to be set in the profile file /etc/apparmor.d/sbin.dhclient apply the following change --- a/sbin.dhclient 2016-02-25 06:32:17.0 -0800 +++ b/sbin.dhclient 2016-04-10 12:41:41.826906424 -0700 @@ -3,7 +3,7 @@ # Author: Jamie Strandboge #include

[Bug 1561330] Re: ps security data column includes AppArmor confinement mode in 16.04

2016-04-06 Thread John Johansen
For the record, it is this commit that made the change: https://gitlab.com/procps-ng/procps/commit/5da390422d2b58902731655ddd12439126a051da. It was previously terminating the string when it hit the space before the mode. Now it is using isprint(outbuf[len]) and space is a printable character.

Re: Can we include HWE in the release version?

2016-04-06 Thread John Johansen
On 04/06/2016 02:32 PM, Dimitri John Ledkov wrote: > On 6 April 2016 at 22:25, Xen wrote: >> Bryan Quigley schreef op 06-04-16 22:35: >>> Hi all, >>> >>> The naming scheme of just "Ubuntu 14.04.4 LTS" is no longer >>> meaningful when it comes to determining what

[Bug 1561330] Re: ps security data column includes AppArmor confinement mode in 16.04

2016-04-06 Thread John Johansen
The apparmor /proc/ interface has always included the mode info, so the change must be in how ps handles the security label. https://bugs.launchpad.net/bugs/1561330

[Bug 1350598] Re: AppArmor policy compile improvements

2016-04-01 Thread John Johansen
@Jamie, I had assumed we would be using --skip-kernel-load. I was just bringing up that policy versioning is not just about having different versions of policy for different kernels but also about dealing with failure cases.

[Bug 1350598] Re: AppArmor policy compile improvements

2016-04-01 Thread John Johansen
Versioned policy is needed on touch if the compile is going to be done before reboot. You do not want to blow away currently enforcing policy and install the new version and then run into a situation where you fail, or don't reboot. So at the very least for the failure case we need to support

[Bug 1373070] Re: full fix for disconnected path (paths)

2016-03-30 Thread John Johansen
Correct. There are actually several ways to get disconnected paths and this specific one is being caused by the new file ns. The proper fix for this is delegating access to the object that would not normally be accessible, however delegation is not available in the current releases of apparmor

[Bug 1458014] Re: audit_printk_skb slowing down boot

2016-03-30 Thread John Johansen
Alessio, so from the boot chart I am not able to say what is causing the delay. What I do see is a large gap in activity for both the cpu and i/o. That gap lines up roughly with the start of pulse audio, but that doesn't necessarily make it the culprit. We then get a large gap of little to no
