** Changed in: linux (Ubuntu Xenial)
Status: Incomplete => In Progress
** Changed in: linux (Ubuntu Yakkety)
Status: Incomplete => In Progress
** Changed in: linux (Ubuntu Zesty)
Status: Incomplete => In Progress
Alright, so I broke complain mode for execs with
UBUNTU: SAUCE: apparmor: Fix no_new_privs blocking change_onexec when using
stacked namespaces
I have a fix and the test kernels are building and will be available in
http://people.canonical.com/~jj/linux+jj/
These kernels are working for me
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1661030
Title:
regession tests failing after stackprofile test is run
To manage notifications about this bug go to:
ht
James, I can give you access to a custom kernel and library that
provides a fix for the apparmor end if you would like. The issue is that
these are not in the distro yet, and have not been backported to earlier
releases (yet).
Yuqiong Sun,
the parser is sensitive to white space. If your profile has white space
in the name you will need to use quotes around it
/root/test/read px -> "readtest1 //& readtest2",
otherwise you will need to remove the white space and specify it as
/root/test/read px -> readtest1//&readt
Alright I have replicated and there is indeed a problem here. It will
work if the first profile starts with a / but fails when it doesn't
** Changed in: apparmor (Ubuntu)
Status: New => Confirmed
** Changed in: apparmor (Ubuntu)
Assignee: (unassigned) => John Johansen
This appears to be an issue with the test.
** Changed in: linux (Ubuntu)
Status: Confirmed => Invalid
** Also affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
** Changed in: apparmor (Ubuntu)
Status: New => Confirmed
This appears to be a problem with the test
** Changed in: linux (Ubuntu)
Status: Confirmed => Invalid
** Also affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
** Changed in: apparmor (Ubuntu)
Status: New => Confirmed
note: that for xenial there are several pieces that must land as
different SRUs. Just using the xenial SRU kernel is not sufficient.
There is an apparmor userspace SRU that is required, and squashfuse sru
...
There are definitely several ref count leaks that can lead to memory
leaking during policy replacement. I haven't been able to trace down
every leak yet, but the kernel in
http://people.canonical.com/~jj/lp1656121/
contains several fixes that should help. I need to finish cleaning up
the series
** Changed in: apparmor
Status: New => Confirmed
https://bugs.launchpad.net/bugs/1658943
Title:
aa-notify blocks desktop with garbage notifications
We need to make it so it can scan ahead and use summary mode if the
outstanding number of messages is larger than the threshold when it goes
to display the next message.
No, the chromium and firefox profiles can be fixed. However the current
fixes are not ideal. Basically apparmor currently needs to allow
capability sys_admin and a few other dangerous privileges in the base
profile.
This is not due to the complexity of the sandbox model but because the
linux namesp
The denial messages like
target=B00280F4B00280F
are caused by a kernel bug, in reporting the profile name of the
target of the ptrace.
In general ptrace operations are controlled by both capability and
ptrace rules. This is because within the kernel ptrace calls in to the
capability code, a
sorry this took longer than expected. I have placed amd64 test kernels at
http://people.canonical.com/~jj/lp1648143/
please let me know if this works for you
Ignore the request to test the upstream kernel, for the moment.
In this case the apparmor code that is in the trace does not exist upstream.
Instead could you test the kernel in
http://people.canonical.com/~jj/lp1648143/
While listed as being for bug 1648143, it contains several fixes
includin
Okay, that looks like the kernel is working for you and you are now past
the original
[103975.623545] audit: type=1400 audit(1481284511.494:2807):
apparmor="DENIED" operation="change_onexec" info="no new privs" error=-1
namespace="root//lxd-tor_" profile="unconfined"
name="system_tor" pid=18593 co
sudo snap refresh
should refresh the kernel snap. However the suspected fix will not be in
any snap kernel, nor can I atm build you a kernel snap to test with.
** Changed in: apparmor
Status: New => Invalid
https://bugs.launchpad.net/bugs/1592547
Title:
vmalloc failure leads to null ptr dereference in aa_dfa_next
** Changed in: apparmor (Ubuntu)
Status: New => Fix Released
** Changed in: apparmor
Status: Fix Committed => Fix Released
** Changed in: linux (Ubuntu Xenial)
Status: New => Invalid
** Changed in: vidalia (Ubuntu)
Status: Confirmed => Invalid
https://bugs.launchpad.net/bugs/1290107
Title:
Vidalia does not start. AppArmor prevents
The issue appears to be refcount related, I am still chasing this one
down but for this release we should revert
UBUNTU: SAUCE: apparmor: fix lock ordering for mkdir
UBUNTU: SAUCE: apparmor: fix leak on securityfs pin count
UBUNTU: SAUCE: apparmor: fix reference count leak when
securityfs_setup_d
** Tags removed: verification-needed-xenial verification-needed-yakkety
** Tags added: verification-done-xenial verification-done-yakkety
https://bugs.launchpad.net/bugs/1664912
Title:
** Tags removed: verification-needed-xenial verification-needed-yakkety
** Tags added: verification-done-xenial verification-done-yakkety
https://bugs.launchpad.net/bugs/1656121
Title:
** Tags removed: verification-needed-xenial verification-needed-yakkety
** Tags added: verification-done-xenial verification-done-yakkety
https://bugs.launchpad.net/bugs/1660849
Title:
Please describe the failure, including the logs so I can analyze. Just
because the container fails to start does not mean that the fix is bad.
There can be other issues that result in the failure.
Specifically this bug is for the denial message seen in comment #5 and
not the denied messages (unlin
** Tags removed: verification-needed-xenial verification-needed-yakkety
** Tags added: verification-done-xenial verification-done-yakkety
https://bugs.launchpad.net/bugs/1660836
Title:
** Tags removed: verification-needed-xenial verification-needed-yakkety
** Tags added: verification-done-xenial verification-done-yakkety
https://bugs.launchpad.net/bugs/1660840
Title:
** Tags removed: verification-needed-xenial verification-needed-yakkety
** Tags added: verification-done-xenial verification-done-yakkety
https://bugs.launchpad.net/bugs/1660834
Title:
** Tags removed: verification-needed-xenial verification-needed-yakkety
** Tags added: verification-done-xenial verification-done-yakkety
https://bugs.launchpad.net/bugs/1660833
Title:
** Tags removed: verification-needed-yakkety
** Tags added: verification-done-yakkety
https://bugs.launchpad.net/bugs/1660832
Title:
unix domain socket cross permission check failing w
** Tags removed: verification-needed-xenial verification-needed-yakkety
** Tags added: verification-done-xenial verification-done-yakkety
https://bugs.launchpad.net/bugs/1638996
Title:
Yes, that stings but wasn't unexpected. It will take awhile to get
features going back up stream but in the long term this will actually
benefit apparmor, as it is forcing the development of fine grained
policy version which has been needed for years but never a top priority.
Public bug reported:
The Ubuntu version of apparmor is missing the fix for rule down grades
that exist in the current upstream maintenance releases.
This fix is needed to properly handle policy for different kernel abis.
The fix can be obtained either through SRUing the appropriate
maintenance r
Public bug reported:
When a feature abi that does not support network rules is loaded into a
kernel that does, the policy is incorrectly enforced resulting in
network denials.
The kernel should be correctly enforcing the feature abi by not applying
the network mediation that is explicitly not sup
Public bug reported:
Currently allows pinning a single feature abi or running in a developer
mode where the full abi available of the current kernel is enforced.
However this can result in breaking applications in undesirable ways.
If an application is shipped with its own policy, that policy mi
Okay thank you everyone for your feedback.
The kernel patch causing the issue has been reverted. So 4.14-rc7 should
work as pre 4.14-rc2
This bug has become a dumping ground for multiple issues so I am going
to create new bugs to track the issues individually and close this bug
down. Please see th
** Changed in: apparmor (Ubuntu)
Status: Confirmed => Invalid
** Changed in: apparmor (Ubuntu Xenial)
Status: Confirmed => Invalid
** Changed in: apparmor (Ubuntu Zesty)
Status: Confirmed => Invalid
** Changed in: apparmor (Ubuntu Artful)
Status: Confirmed => Invalid
@Doug,
thanks for testing, I've managed to track down a bug in the kernel, I'll
try to get a fix merged before 4.14 final,
also I have apparmor userspace fixes building in the apparmor ppa and
will post those up for further test once they are done
Rocko: thanks for the patch, just so people know this is a work around
patch which adjusts policy instead of fixing the bug in the parser.
https://bugs.launchpad.net/bugs/1721278
Title:
Alright userspace packages with the parser fix are available in
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-devel
zesty is still building.
So to recap which solutions are needed where.
ubuntu kernel + apparmor 2.11.X - no patches needed
upstream 4.14-rc6 or earlier - policy p
On 10/24/2017 02:32 AM, Paul Menzel wrote:
> I’d really like to try the Linux kernel fix. Can I get it from
> somewhere?
>
commit 8baea25455c08173713fdbceac99309192518ffb
Author: John Johansen
Date: Mon Oct 23 08:51:24 2017 -0700
apparmor: fix regression in network mediation w
Several people have asked for the patch
** Patch added: "Fix regression in network mediation"
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1721278/+attachment/4990797/+files/0001-apparmor-fix-regression-in-network-mediation-when-us.patch
@Paul,
sorry no. At least not unless you are doing some very specific pinning
of the kernel features abi as I suggested as a solution in #19.
You will need the userspace fix in the ppa until ubuntu can land an SRU
of either patch r3700 or a full SRU of the current maintenance releases.
With the u
@Doug,
can you attach your breakage?
https://bugs.launchpad.net/bugs/1721278
Title:
apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed"
w/ 4.14-rc2 and later
I have placed amd64 test kernels at
http://people.canonical.com/~jj/lp1679704/
It fixes the complain issue, which should let you proceed without
removing the profile and I am working on a regression test to add to the
test suite.
From an apparmor pov those 2 kernels are almost identical, with the 4.4
kernel picking up a couple of backport patches, that just do some simple
remapping and should not affect behavior.
There are however some external changes that could affect apparmor mediation
binfmt_elf change (9f834ec18def
Well that explains it. So we would have seen this issue from release
except for the cloud-init bug.
Now we need to isolate the fix and backport it to the ga kernel.
There is a xenial test kernel at
http://people.canonical.com/~jj/lp1701297/
I have not had a chance to try it yet. I'll try to get to it in a few
hours after some sleep.
@Bjoern can you set a couple of apparmor flags and report back what is
reported in the logs?
Specifically as root can you do
echo -n "noquiet" > /sys/module/apparmor/parameters/audit
echo 1 > /sys/module/apparmor/parameters/debug
echo 0 > /proc/sys/kernel/printk_ratelimit
and then restart dnsma
It's an anonymous socket. The best you can do is
to /usr/sbin/dovecot/anvil add
unix (send, receive) peer=(label=/usr/sbin/dovecot),
to /usr/sbin/dovecot add
unix (send, receive) peer=(label=/usr/sbin/dovecot/anvil),
This is caused by an anonymous socket communication channel between
dovecot and anvil. If this problem is not happening in 16.04 (unless you
are using the release kernel) then it will be because of a change to
dovecot, newer versions of apparmor have been SRUed back to 16.04
The entire apparmor patch series was reverted regardless of whether the
patch had any link to a regression, or security fix.
The majority of the patches will be reapplied and go through the SRU
cycle again.
For now yes, but I think going forward we are going to want to split the
systemd bits in a subabstraction.
https://bugs.launchpad.net/bugs/1670408
Title:
Missing apparmor rules cause t
Note: this bug affects more than just lock mediation permissions. It at
a minimum can also affect the mmap executable (m) permission.
Further work is required to resubmit this fix
Public bug reported:
When a compound label is used as part of a target namespace the change
profile will result in a bad change
a task confined by profile lxd doing
change_profile(&:ns://foo//&unconfined)
results in a change_profile to
:ns://foo
and
unconfined
causing the local system prof
Public bug reported:
gsettings mediation needs to be able to determine if apparmor supports
label data queries. A label data query can be done to test for support
but its failure is indistinguishable from other failures, making it an
unreliable indicator.
Fix by making support of label data queri
Public bug reported:
User space trusted helpers have no way to detect when policy changes
have been loaded into the kernel. This prevents the applications from
being able to cache permission queries. Currently trusted helpers have
not done caching (wish list feature), however the gsetting proxy
re
Public bug reported:
The apparmor query interface does not make available information about
what is currently supported. Add the base set of information for label
queries through the apparmorfs features subtree.
Note: this will be needed to support user space permission caching used
by trusted he
This is because boot params are processed before apparmor is fully
initialized and policy_view_capable() will oops because the rootns is
not setup.
We should by-pass policy_view_capable() for params being set at boot.
Public bug reported:
When an apparmor parameter is set on the grub kernel line it results in
an oops and failure to boot.
eg. setting
apparmor.audit=noquiet
will cause the kernel to fail to boot.
** Affects: linux (Ubuntu)
Importance: Undecided
Status: New
** Affects: linux (Ub
please update your kernel, you are running the 4.4.0-21.37
This issue was fixed in Ubuntu 4.4.0-37.56 kernel
https://bugs.launchpad.net/bugs/1678291
Title:
kernel panic while updating
The capable request comes from chrome after it has setup a user
namespace. However apparmor can not currently detect the difference
between the system namespace and the user namespace.
Unfortunately the only solution at this time is to allow
capable sys_admin,
in the /usr/bin/evince//sanitized_
As of 4.13 the upstream kernel does support basic socket mediation which
does include unix sockets. This denial is not due to fine grained unix
socket mediation.
err make that 4.14 not 4.13 in my above explanation
https://bugs.launchpad.net/bugs/1721278
Title:
apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed"
w/ 4.14-rc2 a
@Doug,
not a kernel regression and not an incompatible kernel change either.
The kernel does support the older abi, however the compiled policy being
sent to the kernel is for the new abi that the kernel is now advertising
as being supported.
The kernel advertises its supported feature set and ab
@Doug,
I forgot to mention this in my above explanation the reason you see this
with 4.14-rc2 and not 4.14-rc1 is because there was a problem with the
security tree merge and Linus ended up pulling the security changes in
between rc1 and rc2.
Could someone who is having this issue also attach a profile cache file
for the profile that is failing? So I can verify what your local
compiles are doing.
you can grab the binary cache file out of
/etc/apparmor.d/cache/sbin.dhclient
or compile it with
apparmor_parser -o output_file /etc/app
*** This bug is a duplicate of bug 1721278 ***
https://bugs.launchpad.net/bugs/1721278
** This bug has been marked a duplicate of bug 1721278
apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/
4.14-rc2 and later
Ubuntu's parser is missing upstream commit r3700, resulting in this
failure.
https://bugs.launchpad.net/bugs/1721278
Title:
apparmor="DENIED" operation="create" profile="/usr/sbin/cups
This bug is annoying in that there isn't a single switch to toggle to
work around it. You can pin the feature file but getting the feature
file you want requires some editing, or booting into a 4.13 upstream
kernel (at which point you lose the other features landed in 4.14).
To pin the features f
Yes. Ideally we would grab the upstream maintenance releases with the
patches in them. But upstream hasn't had time to release them yet. It
should happen this week
** Changed in: apparmor/2.10
Status: Fix Committed => Fix Released
** Changed in: apparmor/2.11
Status: Fix Committed => Fix Released
** Changed in: apparmor/2.9
Status: Fix Committed => Fix Released
** Changed in: apparmor
Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/1628286
Title:
[utils] DBus rules enforce stricter ordering of dbus attributes
** Changed in: apparmor
Status: Fix Committed => Fix Released
** Changed in: apparmor/2.10
Status: Fix Committed => Fix Released
** Changed in: apparmor/2.9
Status: Fix Committed => Fix Released
** Changed in: apparmor
Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/1661766
Title:
aa-genprof crashes on start due to python 3.6 bug
** Changed in: apparmor/master
Status: Fix Committed => Fix Released
** Changed in: apparmor/2.9
Status: Fix Committed => Fix Released
** Changed in: apparmor/2.11
Status: Fix Committed => Fix Released
** Changed in: apparmor/2.10
Status: Fix Committed => Fix Released
** Changed in: apparmor
Status: Fix Committed => Fix Released
** Changed in: apparmor/2.10
Status: Fix Committed => Fix Released
** Changed in: apparmor/2.9
Status: Fix Committed => Fix Released
possibly. There isn't actually enough information in that bug to be sure
if it is an actual namespacing issue or it is a separate bug to do with
unix domain sockets.
Unfortunately the workaround of attach_disconnect is still required to
deal with these issues.
The apparmor profile is tailored for the default dovecot install if you
have a custom build or have tweaked the configuration the apparmor
profile may need to be modified.
Can you tell how/where your dovecot came from, apt/snap/custom build
Can you please attach your dovecot configs so we can ide
On 05/11/2016 11:46 AM, Tyler Hicks wrote:
> On 05/11/2016 10:22 AM, Jamie Strandboge wrote:
> ...
>>
>> We then have dbus-session-strict:
>> unix (connect, receive, send)
>>type=stream
>>peer=(addr="@/tmp/dbus-*"),
>>
>> There is a problem with this policy though; that access is
*** This bug is a security vulnerability ***
Private security bug reported:
Placeholder
** Affects: linux (Ubuntu)
Importance: Undecided
Status: New
** Affects: linux-raspi2 (Ubuntu)
Importance: Undecided
Status: New
** Affects: linux-ti-omap4 (Ubuntu)
Importan
are these custom/modified dovecot profiles?
what other profiles are loaded?
can you provide the output of aa-status?
https://bugs.launchpad.net/bugs/1581990
Title:
Profile reload leads
** Information type changed from Private Security to Public Security
https://bugs.launchpad.net/bugs/1581201
Title:
CVE-2016-3713
** Information type changed from Private Security to Public Security
https://bugs.launchpad.net/bugs/1581202
Title:
CVE-2016-0758
The deny modifier has been fixed in the 2.11 parser. However, the audit
modifier is not properly supported by the backend permission format and
will result in equality.sh failing
With the above patch to equality.sh, the failures all involve audit
which is being silently dropped in permission encod
No, which means it's a race of some kind
https://bugs.launchpad.net/bugs/1579135
Title:
kernel BUG on snap disconnect from within a snap
Are the oops warnings reliable for you? It appears to be a ref count bug
or race and I have not been able to track it down yet. If it is somewhat
reliable would you be willing to try a debug kernel to help track
the issue down?
** Description changed:
- Tracking bug for supporting stacked namesapaces (ie, different profiles
- on host, container, container in a container, etc)
+ Tracking bug for supporting stacked policy namesapaces (ie, different
+ profiles on host, container, container in a container, etc)
** Summary changed:
- namespace stacking
+ policy namespace stacking
https://bugs.launchpad.net/bugs/1379535
Title:
policy namespace stacking
Versioned policy is needed on touch if the compile is going to be done
before reboot. You do not want to blow away currently enforcing policy
and install the new version and then run into a situation where you
fail, or don't reboot. So at the very least for the failure case we
need to support vers
@Jamie, I had assumed we would be using --skip-kernel-load. I was just
bringing up that policy versioning is not just about having different
versions of policy for different kernels but also about dealing with
failure cases.
The apparmor /proc/ interface has always included the mode info, so the
change must be in how ps handles the security label
https://bugs.launchpad.net/bugs/1561330
Title:
ps security d
For the record it is this commit that made the change
https://gitlab.com/procps-ng/procps/commit/5da390422d2b58902731655ddd12439126a051da
it was previously terminating the string when it hit the space before
the mode. Now it is using isprint(outbuf[len]) and space is a printable
character.
*** This bug is a duplicate of bug 1579135 ***
https://bugs.launchpad.net/bugs/1579135
Note: there is a new test kernel using +jj61 at
http://people.canonical.com/~jj/linux+jj/
This should be the final fix for this issue
I believe I have finally tracked this one down. It only occurs when an
fd is shared between 9 or more separate profile domains and one of those
profiles is removed. The removal part can happen during the apparmor
reload phase, if a profile was renamed which is more likely on touch and
snappy.
Note
)
Importance: Critical
Assignee: John Johansen (jjohansen)
Status: Incomplete
** Also affects: linux (Ubuntu Yakkety)
Importance: Undecided
Status: New
** Changed in: linux (Ubuntu Xenial)
Status: New => Fix Committed
** Changed in: linux (Ubuntu Yakkety)
Status: