** Changed in: linux (Ubuntu Noble)
Importance: Undecided => Medium
** Changed in: linux (Ubuntu Noble)
Status: New => Confirmed
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2086210
Title:
Backport some AppArmor complain-mode profile bugfixes from Oracular to
Noble
Status in linux package in Ubuntu:
Invalid
Status in linux source package in Noble:
Confirmed
Bug description:
SRU Justification:
[Impact]
Backporting two AppArmor bugfixes (2de989ae726b "apparmor: allocate
xmatch for nullpdf inside aa_alloc_null" and 62bd5d5f2149 "apparmor:
properly handle cx/px lookup failure for complain") from the Ubuntu
Oracular kernel will fix incorrect behavior that occurs with the usage
of some complain mode profiles (a kernel oops and an actual denial
occurring in complain mode, respectively).
[Fix]
Apply the two patches 2de989ae726b and 62bd5d5f2149 from the Ubuntu
Oracular kernel, previously applied to the Oracular kernel via LP
#2028253 as #94/99 and #95/99 in the series.
[Test case]
Patch 62bd5d5f2149 can be tested by loading the following profile into
the kernel:
abi <abi/4.0>,
include <tunables/global>
profile ls_child flags=(complain) {
include <abstractions/base>
/dev/tty rw,
/usr/bin/ls cxr,
}
and exercising the profile's nonexistent transition with `aa-exec -p
ls_child sh -c ls`. With the patch applied, the ls command will
succeed instead of failing.
Patch 2de989ae726b is much harder to test, unfortunately. The
reproducer I have is (deterministically) finicky but goes through a
Docker indirection layer, although at least one other person has
encountered the same kernel oops without using Docker. I have attached
the files needed to construct a reproducer to the LP bug report.
With the patch applied, the run_reproducer.sh script will succeed
instead of generating a kernel oops.
[Regression potential]
This patch set fixes bugs in the handling of complain mode profiles,
and are both very small. A bug caused by patch 2de989ae726b would
cause, at most, a memory leak by preventing deallocation of a
reference-counted profile object. A bug introduced by patch
62bd5d5f2149 would show up in the handling of complain mode profiles
and would not affect enforcement of enforce mode profiles.
[Other Info]
This patchset backports some patches from
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2028253 which
were applied to Oracular but not to Noble.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2086210/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
