[Kernel-packages] [Bug 1660836] Re: apparmor auditing denied access of special apparmor .null fi\ le

Mon, 20 Feb 2017 19:17:02 -0800 

This bug was fixed in the package linux - 4.10.0-8.10

---------------
linux (4.10.0-8.10) zesty; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1664217

  * [Hyper-V] Bug fixes for storvsc (tagged queuing, error conditions)
    (LP: #1663687)
    - scsi: storvsc: Enable tracking of queue depth
    - scsi: storvsc: Remove the restriction on max segment size
    - scsi: storvsc: Enable multi-queue support
    - scsi: storvsc: use tagged SRB requests if supported by the device
    - scsi: storvsc: properly handle SRB_ERROR when sense message is present
    - scsi: storvsc: properly set residual data length on errors

  * Ubuntu16.10-KVM:Big configuration with multiple guests running SRIOV VFs
    caused KVM host hung and all KVM guests down. (LP: #1651248)
    - KVM: PPC: Book 3S: XICS cleanup: remove XICS_RM_REJECT
    - KVM: PPC: Book 3S: XICS: correct the real mode ICP rejecting counter
    - KVM: PPC: Book 3S: XICS: Fix potential issue with duplicate IRQ resends
    - KVM: PPC: Book 3S: XICS: Implement ICS P/Q states
    - KVM: PPC: Book 3S: XICS: Don't lock twice when checking for resend

  * overlay: mkdir fails if directory exists in lowerdir in a user namespace
    (LP: #1531747)
    - SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs

  * CVE-2016-1575 (LP: #1534961)
    - SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs

  * CVE-2016-1576 (LP: #1535150)
    - SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs

  * Miscellaneous Ubuntu changes
    - SAUCE: md/raid6 algorithms: scale test duration for speedier boots
    - SAUCE: Import aufs driver
    - d-i: Build message-modules udeb for arm64
    - rebase to v4.10-rc8

  * Miscellaneous upstream changes
    - Revert "UBUNTU: SAUCE: aufs -- remove .readlink assignment"
    - Revert "UBUNTU: SAUCE: (no-up) aufs: for v4.9-rc1, support 
setattr_prepare()"
    - Revert "UBUNTU: SAUCE: aufs -- Add flags argument to aufs_rename()"
    - Revert "UBUNTU: SAUCE: aufs -- Convert to use xattr handlers"
    - Revert "UBUNTU: SAUCE: Import aufs driver"

  [ Upstream Kernel Changes ]

  * rebase to v4.10-rc8

 -- Tim Gardner <tim.gard...@canonical.com>  Mon, 06 Feb 2017 08:34:24
-0700

** Changed in: linux (Ubuntu Zesty)
       Status: In Progress => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-1575

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-1576

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1660836

Title:
  apparmor  auditing denied access of special apparmor .null fi\ le

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  Fix Committed
Status in linux source package in Zesty:
  Fix Released

Bug description:
  When an fd is disallowed from being inherited during exec, instead of         
  
  closed it is duped to a special apparmor/.null file. This prevents the        
  
  fd from being reused by another file in case the application expects          
  
  the original file on a give fd (eg stdin/stdout etc). This results in         
  
  a denial message like                                                         
  
  [32375.561535] audit: type=1400 audit(1478825963.441:358): apparmor="DENIED" 
op\
  eration="file_inherit" namespace="root//lxd-t_<var-lib-lxd>" 
profile="/sbin/dhc\
  lient" name="/dev/pts/1" pid=16795 comm="dhclient" requested_mask="wr" 
denied_m\
  ask="wr" fsuid=165536 ouid=165536                                             
  
                                                                                
  
  Further access to the fd is resultin in the rather useless denial message     
  
  of                                                                            
  
  [32375.566820] audit: type=1400 audit(1478825963.445:359): apparmor="DENIED" 
op\
  eration="file_perm" namespace="root//lxd-t_<var-lib-lxd>" 
profile="/sbin/dhclie\
  nt" name="/apparmor/.null" pid=16795 comm="dhclient" requested_mask="w" 
denied_\
  mask="w" fsuid=165536 ouid=0                                                  
  
                                                                                
  
  since we have the original denial, the noisy and useless .null based          
  
  denials can be skipped.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1660836/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to