This bug was fixed in the package linux - 4.4.0-2.16

---------------
linux (4.4.0-2.16) xenial; urgency=low

  [ Andy Whitcroft ]

  * Release Tracking Bug - LP: #1539090
  * SAUCE: hv: hv_set_ifconfig -- convert to python3 - LP: #1506521
  * SAUCE: dm: introduce a target_ioctl op to allow target specific ioctls
    - LP: #1538618

  [ Colin Ian King ]

  * SAUCE: ACPI / tables: Add acpi_force_32bit_fadt_addr option to force
    32 bit FADT addresses (LP: #1529381) - LP: #1529381

  [ John Johansen ]

  * SAUCE: (no-up): apparmor: fix for failed mediation of socket that is
    being shutdown - LP: #1446906

  [ Mahesh Salgaonkar ]

  * SAUCE: Powernv: Remove the usage of PACAR1 from opal wrappers
    - LP: #1537881
  * SAUCE: powerpc/book3s: Fix TB corruption in guest exit path on HMI
    interrupt. - LP: #1537881
  * SAUCE: KVM: PPC: Book3S HV: Fix soft lockups in KVM on HMI for time
    base errors - LP: #1537881

  [ Paolo Pisati ]

  * SAUCE: arm64: errata: Add -mpc-relative-literal-loads to erratum
    #843419 build flags - LP: #1533009
  * [Config] MFD_TPS65217=y && REGULATOR_TPS65217=y
  * [Config] disable ARCH_ZX (ZTE ZX Soc)

  [ Tim Gardner ]

  * Revert "SAUCE: (noup) cxlflash: a couple off by one bugs"
  * SAUCE: (no-up) Update bnx2x firmware to 7.12.30.0 - LP: #1536719
  * SAUCE: drop obsolete bnx2x firmware
  * SAUCE: i40e: Silence 'may be used uninitialized' warnings
    - LP: #1536474
  * [Config] CONFIG_ZONE_DMA=y for amd64 lowlatency - LP: #1534647
  * [Config] Add pvpanic to virtual flavour - LP: #1537923
  * [Config] CONFIG_INTEL_PUNIT_IPC=m, CONFIG_INTEL_TELEMETRY=m
    - LP: #1520457

  [ Upstream Kernel Changes ]

  * i40evf: fix compiler warning of unused variable - LP: #1536474
  * intel: i40e: fix confused code - LP: #1536474
  * i40e/i40evf: remove unused tunnel parameter - LP: #1536474
  * i40e: Change BUG_ON to WARN_ON in service event complete
    - LP: #1536474
  * i40e: remove BUG_ON from feature string building - LP: #1536474
  * i40e: remove BUG_ON from FCoE setup - LP: #1536474
  * i40e: Workaround fix for mss < 256 issue - LP: #1536474
  * i40e/i40evf: Add a stat to track how many times we have to do a force
    WB - LP: #1536474
  * i40e: Move the saving of old link info from handle_link_event to
    link_event - LP: #1536474
  * i40e/i40evf: Add comment to #endif - LP: #1536474
  * i40e/i40evf: clean up error messages - LP: #1536474
  * i40evf: handle many MAC filters correctly - LP: #1536474
  * i40e: return the number of enabled queues for ETHTOOL_GRXRINGS
    - LP: #1536474
  * i40e: rework the functions to configure RSS with similar parameters
    - LP: #1536474
  * i40e: create a generic configure rss function - LP: #1536474
  * i40e: Bump version to 1.4.2 - LP: #1536474
  * i40e: add new fields to store user configuration - LP: #1536474
  * i40e: rename rss_size to alloc_rss_size in i40e_pf - LP: #1536474
  * i40e/i40evf: Fix RS bit update in Tx path and disable force WB
    workaround - LP: #1536474
  * i40e/i40evf: prefetch skb data on transmit - LP: #1536474
  * i40evf: rename VF adapter specific RSS function - LP: #1536474
  * i40evf: create a generic config RSS function - LP: #1536474
  * i40evf: create a generic get RSS function - LP: #1536474
  * i40evf: add new fields to store user configuration of RSS
    - LP: #1536474
  * i40e: Update error messaging - LP: #1536474
  * i40e: fix confusing message - LP: #1536474
  * i40e: make error message more useful - LP: #1536474
  * i40evf: quoth the VF driver, Nevermore - LP: #1536474
  * i40evf: allocate queue vectors dynamically - LP: #1536474
  * i40evf: allocate ring structs dynamically - LP: #1536474
  * i40e/i40evf: Bump i40e version to 1.4.4 and i40evf to 1.4.1
    - LP: #1536474
  * i40e: fix: do not sleep in netdev_ops - LP: #1536474
  * i40e: remove unused argument - LP: #1536474
  * i40evf: increase max number of queues - LP: #1536474
  * i40evf: set real num queues - LP: #1536474
  * i40evf: remove duplicate string - LP: #1536474
  * i40e: Detection and recovery of TX queue hung logic moved to
    service_task from tx_timeout - LP: #1536474
  * i40e: Fix memory leaks, sideband filter programming - LP: #1536474
  * i40evf: don't use atomic allocation - LP: #1536474
  * i40e: propagate properly - LP: #1536474
  * i40evf: use correct types - LP: #1536474
  * i40e: use priv flags to control packet split - LP: #1536474
  * i40e: Remove separate functions gathering XOFF Rx stats
    - LP: #1536474
  * i40e: fix whitespace - LP: #1536474
  * i40e/i40evf: use logical operator - LP: #1536474
  * i40e/i40evf: Bump version to 1.4.7 for i40e and 1.4.3 for i40evf
    - LP: #1536474
  * i40e: trivial fixes - LP: #1536474
  * i40e: Fix i40e_print_features() VEB mode output - LP: #1536474
  * i40e: chomp the BIT(_ULL) - LP: #1536474
  * i40e: properly delete VF MAC filters - LP: #1536474
  * i40e: don't add zero MAC filter - LP: #1536474
  * i40evf: check rings before freeing resources - LP: #1536474
  * i40e: use explicit cast from u16 to u8 - LP: #1536474
  * i40e: Opcode and structures required by OEM Post Update AQ command and
    add new NVM arq message - LP: #1536474
  * i40e: hush little warnings - LP: #1536474
  * i40e/i40evf: Add a new offload for RSS PCTYPE V2 for X722
    - LP: #1536474
  * i40e: clean whole mac filter list - LP: #1536474
  * i40evf: change version string generation - LP: #1536474
  * i40e/i40evf: Bump i40e to 1.4.8 and i40evf to 1.4.4 - LP: #1536474
  * geneve: UDP checksum configuration via netlink - LP: #1536474
  * geneve: Add geneve udp port offload for ethernet devices
    - LP: #1536474
  * i40e: geneve tunnel offload support - LP: #1536474
  * geneve: Add geneve_get_rx_port support - LP: #1536474
  * i40e: Call geneve_get_rx_port to get the existing Geneve ports
    - LP: #1536474
  * i40e: change log messages and error returns - LP: #1536474
  * i40e: allow zero MAC address for VFs - LP: #1536474
  * i40e: Look up MAC address in Open Firmware or IDPROM - LP: #1536474
  * i40e: Fix Rx hash reported to the stack by our driver - LP: #1536474
  * i40e: remove forever unused ID - LP: #1536474
  * igb: add 88E1543 initialization code
  * igb: don't unmap NULL hw_addr
  * igb: use the correct i210 register for EEMNGCTL
  * igb: fix NULL derefs due to skipped SR-IOV enabling
  * igb: improve handling of disconnected adapters
  * igb: Remove GS40G specific defines/functions
  * igb: Don't add PHY address to PCDL address
  * igb: Improve cable length function for I210, etc.
  * igb: Explicitly label self-test result indices
  * ixgbe: drop null test before destroy functions - LP: #1536473
  * ixgbe: Delete redundant include file - LP: #1536473
  * ixgbe: fix multiple kernel-doc errors - LP: #1536473
  * ixgbe: Fix handling of NAPI budget when multiple queues are enabled
    per vector - LP: #1536473
  * ixgbe: Add KR mode support for CS4227 chip - LP: #1536473
  * ixgbevf: Limit lowest interrupt rate for adaptive interrupt moderation
    to 12K - LP: #1536473
  * ixgbe/ixgbevf: use napi_schedule_irqoff() - LP: #1536473
  * ixgbe: Remove CS4227 diagnostic code - LP: #1536473
  * ixgbevf: use ether_addr_copy instead of memcpy - LP: #1536473
  * ixgbevf: fix spoofed packets with random MAC - LP: #1536473
  * ixgbe: Prevent KR PHY reset in ixgbe_init_phy_ops_x550em
    - LP: #1536473
  * ixgbe: Add support for newer thermal alarm - LP: #1536473
  * ixgbe: Use private workqueue to avoid certain possible hangs
    - LP: #1536473
  * ixgbevf: Use a private workqueue to avoid certain possible hangs
    - LP: #1536473
  * ixgbevf: Minor cleanups - LP: #1536473
  * ixgbe: Refactor MAC address configuration code - LP: #1536473
  * ixgbe: Use __dev_uc_sync and __dev_uc_unsync for unicast addresses
    - LP: #1536473
  * ixgbe: Allow FDB entries access to more RAR filters - LP: #1536473
  * ixgbe: Update PTP to support X550EM_x devices - LP: #1536473
  * ixgbe: Correct spec violations by waiting after reset - LP: #1536473
  * ixgbe: Wait for master disable to be set - LP: #1536473
  * ixgbe: Save VF info and take references - LP: #1536473
  * ixgbe: Handle extended IPv6 headers in Tx path - LP: #1536473
  * ixgbe: Always turn PHY power on when requested - LP: #1536473
  * ixgbevf: Handle extended IPv6 headers in Tx path - LP: #1536473
  * ixgbe: Return error on failure to allocate mac_table - LP: #1536473
  * ixgbe: Fix SR-IOV VLAN pool configuration - LP: #1536473
  * ixgbe: Simplify definitions for regidx and bit in set_vfta
    - LP: #1536473
  * ixgbe: Reduce VT code indent in set_vfta by introducing jump label
    - LP: #1536473
  * ixgbe: Simplify configuration of setting VLVF and VLVFB
    - LP: #1536473
  * ixgbe: Add support for adding/removing VLAN on PF bypassing the VLVF
    - LP: #1536473
  * ixgbe: Reorder search to work from the top down instead of bottom up
    - LP: #1536473
  * ixgbe: Add support for VLAN promiscuous with SR-IOV - LP: #1536473
  * ixgbe: Fix VLAN promisc in relation to SR-IOV - LP: #1536473
  * ixgbe: Clear stale pool mappings - LP: #1536473
  * ixgbe: Clean stale VLANs when changing port VLAN or resetting
    - LP: #1536473
  * ixgbe: do not report 2.5 Gbps as supported - LP: #1536473
  * ixgbevf: Fix handling of NAPI budget when multiple queues are enabled
    per vector - LP: #1536473
  * ixgbevf: minor cleanups for ixgbevf_set_itr() - LP: #1536473
  * ixgbe: add support for QSFP PHY types in ixgbe_get_settings()
    - LP: #1536473
  * ixgbe: report correct media type for KR, KX and KX4 interfaces
    - LP: #1536473
  * ixgbe: Clean up redundancy in hw_enc_features - LP: #1536473
  * ixgbe: fix RSS limit for X550 - LP: #1536473
  * ixgbe: Correct X550EM_x revision check - LP: #1536473
  * ixgbe: Fix bugs in ixgbe_clear_vf_vlans() - LP: #1536473
  * ixgbe: Fill at least min credits to a TC credit refills
    - LP: #1536473
  * ixgbe: use correct FCoE DDP max check - LP: #1536473
  * ixgbe: fix broken PFC with X550 - LP: #1536473
  * ixgbe: do not call check_link for ethtool in ixgbe_get_settings()
    - LP: #1536473
  * ixgbe: Correct handling of any outer UDP checksum setting
    - LP: #1536473
  * ixgbe: Fix to get FDMI HBA attributes information with X550
    - LP: #1536473
  * ixgbe: Fix MDD events generated when FCoE+SRIOV are enabled
    - LP: #1536473
  * ixgbe: Make ATR recognize IPv6 extended headers - LP: #1536473
  * e1000: make eeprom read/write scheduler friendly
  * e1000: fix data race between tx_ring->next_to_clean
  * e1000: Remove checkpatch coding style errors
  * e1000: clean up the checking logic
  * e1000: fix a typo in the comment
  * e1000e: clean up the local variable
  * e1000: fix kernel-doc argument being missing
  * e1000: get rid of duplicate exit path
  * e1000: Elementary checkpatch warnings and checks removed
  * e1000e: fix division by zero on jumbo MTUs
  * e1000e: Increase timeout of polling bit RSPCIPHY
  * e1000e: initial support for i219-LM (3)
  * e1000e: Switch e1000e_up to void, drop code checking for error result
  * e1000e: Remove unreachable code
  * e1000e: Do not read ICR in Other interrupt
  * e1000e: Do not write lsc to ics in msi-x mode
  * e1000e: Fix msi-x interrupt automask
  * acpi: pci: Setup MSI domain for ACPI based pci devices
  * irqdomain: Introduce is_fwnode_irqchip helper
  * irqchip/gic-v2m: Refactor to prepare for ACPI support
  * irqchip/gic-v2m: acpi: Introducing GICv2m ACPI support
  * clk: xgene: Fix divider with non-zero shift value
  * i2c: designware: Do not require clock when SSCN and FFCN are provided
  * fm10k: do not assume VF always has 1 queue - LP: #1536475
  * fm10k: Correct MTU for jumbo frames - LP: #1536475
  * fm10k: Fix handling of NAPI budget when multiple queues are enabled
    per vector - LP: #1536475
  * fm10k: use napi_schedule_irqoff() - LP: #1536475
  * fm10k: set netdev features in one location - LP: #1536475
  * fm10k: reset max_queues on init_hw_vf failure - LP: #1536475
  * fm10k: always check init_hw for errors - LP: #1536475
  * fm10k: reinitialize queuing scheme after calling init_hw
    - LP: #1536475
  * fm10k: Correct typecast in fm10k_update_xc_addr_pf - LP: #1536475
  * fm10k: explicitly typecast vlan values to u16 - LP: #1536475
  * fm10k: add statistics for actual DWORD count of mbmem mailbox
    - LP: #1536475
  * fm10k: rename mbx_tx_oversized statistic to mbx_tx_dropped
    - LP: #1536475
  * fm10k: Add support for ITR scaling based on PCIe link speed
    - LP: #1536475
  * fm10k: introduce ITR_IS_ADAPTIVE macro - LP: #1536475
  * fm10k: Update adaptive ITR algorithm - LP: #1536475
  * fm10k: use macro for default Tx and Rx ITR values - LP: #1536475
  * fm10k: change default Tx ITR to 25usec - LP: #1536475
  * fm10k: TRIVIAL fix typo of hardware - LP: #1536475
  * fm10k: TRIVIAL cleanup order at top of fm10k_xmit_frame
    - LP: #1536475
  * fm10k: use ether_addr_copy to copy MAC address - LP: #1536475
  * fm10k: do not use CamelCase - LP: #1536475
  * fm10k: remove unnecessary else block from if statements with return
    - LP: #1536475
  * fm10k: remove namespace pollution of fm10k_iov_msg_data_pf
    - LP: #1536475
  * fm10k: consistently refer to VLANs and VLAN IDs - LP: #1536475
  * fm10k: bump driver version - LP: #1536475
  * fm10k: conditionally compile DCB and DebugFS support - LP: #1536475
  * fm10k: Cleanup MSI-X interrupts in case of failure - LP: #1536475
  * fm10k: Cleanup exception handling for mailbox interrupt
    - LP: #1536475
  * fm10k: do not inline fm10k_iov_select_vid() - LP: #1536475
  * fm10k: whitespace cleanups - LP: #1536475
  * fm10k: use BIT() macro instead of open-coded bit-shifting
    - LP: #1536475
  * fm10k: cleanup namespace pollution - LP: #1536475
  * fm10k: cleanup overly long lines - LP: #1536475
  * fm10k: initialize xps at driver load - LP: #1536475
  * fm10k: don't initialize fm10k_workqueue at global level
    - LP: #1536475
  * fm10k: correctly pack TLV structures and explain reasoning
    - LP: #1536475
  * fm10k: Cleanup exception handling for changing queues - LP: #1536475
  * fm10k: use ether_addr_equal instead of memcmp - LP: #1536475
  * fm10k: address operator not needed when declaring function pointers
    - LP: #1536475
  * fm10k: constify fm10k_mac_ops, fm10k_iov_ops and fm10k_info structures
    - LP: #1536475
  * fm10k: remove unused struct element - LP: #1536475
  * fm10k: use true/false for boolean get_host_state - LP: #1536475
  * fm10k: cleanup mailbox code comments etc - LP: #1536475
  * fm10k: IS_ENABLED() is not appropriate for boolean kconfig option
    - LP: #1536475
  * device property: always check for fwnode type - LP: #1533035
  * device property: rename helper functions - LP: #1533035
  * device property: refactor built-in properties support - LP: #1533035
  * device property: keep single value inplace - LP: #1533035
  * device property: helper macros for property entry creation
    - LP: #1533035
  * device property: improve readability of macros - LP: #1533035
  * device property: return -EINVAL when property isn't found in ACPI
    - LP: #1533035
  * device property: Fallback to secondary fwnode if primary misses the
    property - LP: #1533035
  * device property: Take a copy of the property set - LP: #1533035
  * driver core: platform: Add support for built-in device properties
    - LP: #1533035
  * driver core: Do not overwrite secondary fwnode with NULL if it is set
    - LP: #1533035
  * mfd: core: propagate device properties to sub devices drivers
    - LP: #1533035
  * mfd: intel-lpss: Add support for passing device properties
    - LP: #1533035
  * mfd: intel-lpss: Pass SDA hold time to I2C host controller driver
    - LP: #1533035
  * mfd: intel-lpss: Pass HSUART configuration via properties
    - LP: #1533035
  * i2c: designware: Convert to use unified device property API
    - LP: #1533035
  * keys, trusted: fix: *do not* allow duplicate key options
    - LP: #1398274
  * keys, trusted: select hash algorithm for TPM2 chips - LP: #1398274
  * keys, trusted: seal with a TPM2 authorization policy - LP: #1398274
  * perf/x86/intel: Add perf core PMU support for Intel Knights Landing
    - LP: #1461360
  * perf/x86/intel/uncore: Add Knights Landing uncore PMU support
    - LP: #1461360
  * perf/x86/intel/uncore: Remove hard coding of PMON box control MSR
    offset - LP: #1461360
  * drm/i915: WaRsDisableCoarsePowerGating - LP: #1527462
  * drm/i915/skl: Add SKL GT4 PCI IDs - LP: #1527462
  * drm/i915/skl: Disable coarse power gating up until F0 - LP: #1527462
  * platform:x86: add Intel P-Unit mailbox IPC driver - LP: #1520457
  * intel_punit_ipc: add NULL check for input parameters - LP: #1520457
  * platform/x86: Add Intel Telemetry Core Driver - LP: #1520457
  * intel_pmc_ipc: update acpi resource structure for Punit
    - LP: #1520457
  * platform:x86: Add Intel telemetry platform device - LP: #1520457
  * platform:x86: Add Intel telemetry platform driver - LP: #1520457
  * platform:x86: Add Intel Telemetry Debugfs interfaces - LP: #1520457
  * cxlflash: a couple off by one bugs

 -- Andy Whitcroft <a...@canonical.com>  Thu, 28 Jan 2016 13:56:00 +0000

** Changed in: linux (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1446906

Title:
  lxc container with postfix, permission denied on mailq

Status in linux package in Ubuntu:
  Fix Released
Status in lxc package in Ubuntu:
  Confirmed
Status in linux source package in Vivid:
  Fix Committed
Status in lxc source package in Vivid:
  New
Status in linux source package in Wily:
  Fix Committed
Status in lxc source package in Wily:
  New
Status in linux source package in Xenial:
  Fix Released
Status in lxc source package in Xenial:
  Confirmed

Bug description:
  [Impact]

  * Users may encounter situations where they use applications, confined
    by AppArmor, that hit EACCES failures when attempting to operate on
    AF_UNIX stream sockets.

  * These failures typically occur when the confined application attempts
    to read from an AF_UNIX stream socket when the other end of the
    socket has already been closed.

  * AppArmor is mistakenly denying the socket operations due to the socket
    shutdown operation making the sun_path no longer available for
    AppArmor mediation after the socket is shut down.

  [Test Case]

  The expected test case is:

  $ sudo apt-get install postfix # installing in 'local only' config is fine
  $ cat > bug.profile << EOF
  profile bug-profile flags=(attach_disconnected) {
    network,
    file,
  }
  EOF
  $ sudo apparmor_parser -r bug.profile
  $ aa-exec -p bug-profile -- mailq
  Mail queue is empty

  A failed test case will see the mailq command exit with an error:

  $ aa-exec -p bug-profile -- mailq
  postqueue: warning: close: Permission denied

  and these denials will be found in the syslog:

  Jan 25 16:56:29 sec-vivid-amd64 kernel: [ 241.096168] audit: type=1400 audit(1453762589.727:29): apparmor="DENIED" operation="file_perm" profile="bug-profile" name="public/showq" pid=4923 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Jan 25 16:56:29 sec-vivid-amd64 kernel: [ 241.096175] audit: type=1400 audit(1453762589.727:30): apparmor="DENIED" operation="file_perm" profile="bug-profile" name="public/showq" pid=4923 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

  [Regression Potential]

  * The changes are local to the path-based AF_UNIX stream socket
    mediation code so that limits the regression potential to some degree.

  * John Johansen authored the patch and I reviewed it. It is small and
    there are no obvious areas of concern to me regarding potential
    regressions.

  [Other Info]

  * None at this time

  [Original bug report]

  Hello, on three Vivid hosts, all of them up-to-date, I have the problem
  described here:

  https://bugs.launchpad.net/ubuntu/utopic/+source/linux/+bug/1390223

  That bug report shows the problem was fixed, but it is not (at least on
  current Vivid).

  ii  linux-image-generic  3.19.0.15.14    amd64  Generic Linux kernel image
  ii  lxc                  1.1.2-0ubuntu3  amd64  Linux Containers userspace tools
  ii  apparmor             2.9.1-0ubuntu9  amd64  User-space parser utility for AppArmor

  Reproducible with:

  $ sudo lxc-create -n test -t ubuntu
  $ sudo lxc-start -n test

  (inside container)
  $ sudo apt-get install postfix
  $ mailq
  postqueue: warning: close: Permission denied

  dmesg shows:

  [82140.386109] audit: type=1400 audit(1429661150.086:17067): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=27742 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  ---
  ApportVersion: 2.17.2-0ubuntu1
  Architecture: amd64
  AudioDevicesInUse:
   USER        PID ACCESS COMMAND
   /dev/snd/controlC0:  zoolook    1913 F.... pulseaudio
  CurrentDesktop: Unity
  DistroRelease: Ubuntu 15.04
  HibernationDevice: RESUME=UUID=aa25401d-0553-43dc-b7c8-c530fe245fb6
  InstallationDate: Installed on 2015-02-27 (53 days ago)
  InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1)
  MachineType: LENOVO 20150
  Package: linux (not installed)
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-3.19.0-15-generic root=/dev/mapper/ubuntu--vg-root ro cgroup_enable=memory swapaccount=1 quiet splash vt.handoff=7
  ProcVersionSignature: Ubuntu 3.19.0-15.15-generic 3.19.3
  RelatedPackageVersions:
   linux-restricted-modules-3.19.0-15-generic N/A
   linux-backports-modules-3.19.0-15-generic  N/A
   linux-firmware                             1.143
  Tags: vivid
  Uname: Linux 3.19.0-15-generic x86_64
  UpgradeStatus: Upgraded to vivid on 2015-03-29 (24 days ago)
  UserGroups: adm docker libvirtd lpadmin sambashare sudo
  _MarkForUpload: True
  dmi.bios.date: 12/19/2012
  dmi.bios.vendor: LENOVO
  dmi.bios.version: 5ECN95WW(V9.00)
  dmi.board.asset.tag: No Asset Tag
  dmi.board.name: INVALID
  dmi.board.vendor: LENOVO
  dmi.board.version: 31900004WIN8 STD SGL
  dmi.chassis.asset.tag: No Asset Tag
  dmi.chassis.type: 10
  dmi.chassis.vendor: LENOVO
  dmi.chassis.version: Lenovo G580
  dmi.modalias: dmi:bvnLENOVO:bvr5ECN95WW(V9.00):bd12/19/2012:svnLENOVO:pn20150:pvrLenovoG580:rvnLENOVO:rnINVALID:rvr31900004WIN8STDSGL:cvnLENOVO:ct10:cvrLenovoG580:
  dmi.product.name: 20150
  dmi.product.version: Lenovo G580
  dmi.sys.vendor: LENOVO

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1446906/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
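
A triage helper for the denials quoted in the bug description above, added here as an example (it is not part of the bug report, the kernel patch or AppArmor): it parses kernel audit lines and counts denials per profile, command and name. The match rule (a denied read under operation="file_perm" whose name is not an absolute path) is a heuristic assumed from the log lines in this report, and the last two sample lines are constructed.

```python
import re
from collections import Counter

# key="value" or key=value pairs, as they appear in kernel audit records.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_record(line):
    """Return the fields of an AppArmor audit record, or None if the line has none."""
    start = line.find('apparmor=')
    if start < 0:
        return None
    # Parse from apparmor= onward so the "type=1400 audit(...)" header is skipped.
    return {key: quoted or bare
            for key, quoted, bare in _FIELD.findall(line[start:])}


def matches_report_signature(fields):
    """Heuristic assumed from this report's logs, not an official signature."""
    return (fields.get('apparmor') == 'DENIED'
            and fields.get('operation') == 'file_perm'
            and 'r' in fields.get('denied_mask', '')
            and not fields.get('name', '/').startswith('/'))


def triage(lines):
    """Count matching denials per (profile, comm, name)."""
    hits = Counter()
    for line in lines:
        fields = parse_apparmor_record(line)
        if fields and matches_report_signature(fields):
            hits[(fields.get('profile'), fields.get('comm'), fields['name'])] += 1
    return hits


_MASKS = ' requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'
SAMPLE_LOG = [
    # The three denials quoted in the bug report.
    'Jan 25 16:56:29 sec-vivid-amd64 kernel: [ 241.096168] audit: type=1400 '
    'audit(1453762589.727:29): apparmor="DENIED" operation="file_perm" '
    'profile="bug-profile" name="public/showq" pid=4923 comm="postqueue"' + _MASKS,
    'Jan 25 16:56:29 sec-vivid-amd64 kernel: [ 241.096175] audit: type=1400 '
    'audit(1453762589.727:30): apparmor="DENIED" operation="file_perm" '
    'profile="bug-profile" name="public/showq" pid=4923 comm="postqueue"' + _MASKS,
    '[82140.386109] audit: type=1400 audit(1429661150.086:17067): '
    'apparmor="DENIED" operation="file_perm" profile="lxc-container-default" '
    'name="public/showq" pid=27742 comm="postqueue"' + _MASKS,
    # Constructed: an ordinary open() denial on an absolute path (no match).
    '[90000.000001] audit: type=1400 audit(1429661200.000:1): '
    'apparmor="DENIED" operation="open" profile="constructed-profile" '
    'name="/etc/constructed.conf" pid=100 comm="cat"' + _MASKS,
    # Constructed: same shape as the report's lines but not a denial (no match).
    '[90000.000002] audit: type=1400 audit(1429661200.000:2): '
    'apparmor="ALLOWED" operation="file_perm" profile="constructed-profile" '
    'name="public/showq" pid=101 comm="postqueue"' + _MASKS,
]

if __name__ == '__main__':
    for (profile, comm, name), count in triage(SAMPLE_LOG).items():
        print(f'{count} x profile={profile} comm={comm} name={name}')
```

A match is a prompt to check whether the host kernel carries the fix listed in the changelog above, not proof that a given denial is this bug.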