** Tags removed: verification-needed-bionic verification-needed-xenial
** Tags added: verification-done-bionic
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1839037
Title:
Stacked onexe
** Tags added: verification-done-xenial
--
https://bugs.launchpad.net/bugs/1839037
Title:
Stacked onexec transitions fail when under NO NEW PRIVS restrictions
Status in linu
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial
--
https://bugs.launchpad.net/bugs/1838627
Title:
AppArmor onexec transition causes WARN k
It is fixed to the degree it can be fixed until upstream agrees on
changes in the LSM layer.
The apparmor devs certainly can do the work of proposing new hooks, etc
that are necessary but it hasn't been the highest priority item. I will
note that this is a high priority item, just that others have
ntu Xenial)
Importance: Undecided
Assignee: John Johansen (jjohansen)
Status: Confirmed
** Tags: xenial
** Also affects: linux (Ubuntu Xenial)
Importance: Undecided
Status: New
** Changed in: linux (Ubuntu Xenial)
Assignee: (unassigned) => John Johansen (jjohansen
The patch has been tested against a reproducer and fixes the issue.
--
https://bugs.launchpad.net/bugs/1838627
Title:
AppArmor onexec transition causes WARN kernel stack trac
Fix selected and backported from a larger patch that originally landed
in Zesty and subsequently landed in upstream.
** Patch added:
"0001-UBUNTU-SAUCE-apparmor-fix-audit-failures-when-perfor.patch"
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1838627/+attachment/5280320/+files/0001-
** Changed in: linux (Ubuntu Xenial)
Status: Triaged => Confirmed
--
https://bugs.launchpad.net/bugs/1658219
Title:
flock not mediated by 'k'
Status in AppArmor:
In
Public bug reported:
running the apparmor nnp regression tests results in the following
failure
Error: transition failed. Test 'NNP (stack onexec - NNP)' was expected
to 'pass'. Reason for failure 'FAIL - execv: Operation not permitted'
with a log message of
[ 1169.863302] audit: type=1400 audi
*** This bug is a duplicate of bug 1658219 ***
https://bugs.launchpad.net/bugs/1658219
** Information type changed from Private Security to Public Security
--
https://bugs.
** Also affects: linux (Ubuntu Xenial)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Disco)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Eoan)
Importance: Undecided
Status: Confirmed
** Also affects: linux (Ubuntu Bionic)
Im
Can you please attach the features file you are setting in
/etc/apparmor/apparmor.conf
--
https://bugs.launchpad.net/bugs/1842459
Title:
apparmor abi-feature pinning not work
** Changed in: linux (Ubuntu)
Assignee: (unassigned) => John Johansen (jjohansen)
--
https://bugs.launchpad.net/bugs/1842459
Title:
apparmor abi-feature pinning
This might be in the compiler
The feature file you are pinning supports v8 socket mediation. The user
space however does not. The ubuntu kernel supports v7 and v8 socket
mediation, but the user space only supports v7. I need to dig into this
more but it looks like the user space compiler is generat
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial
--
https://bugs.launchpad.net/bugs/1758471
Title:
apparmor: fix bad __initdata tagging on,
No disagreement that this is a high priority item. There is some work
around fine grained mediation happening but I am unsure when it will
land.
The problem is that this is not the only high priority item that needs
to be addressed. Changing priority of these items can certainly be
discussed again
The 4.17 patch set did not have any changes that should affect this. I
will have to investigate what is going on further. At this time DO NOT
backport the 4.17 patchset.
--
http
Okay, so let's split this between upstream and ubuntu kernels
previous upstream kernels did not have socket mediation and could NOT
have generated the denial message being seen.
Jul 04 15:11:11 host audit[28404]: AVC apparmor="DENIED" operation="file_lock"
profile="lxc-container-default-cgns" pi
You are correct that the kernel reports a supported abi, and currently
the abi does not export that it is supporting link mediation for
sockets. However the kernel is currently enforcing link mediation on
sockets and there are reasons to want to continue to do so.
The plan would be to let the pars
I will try to get the point releases out today.
--
https://bugs.launchpad.net/bugs/1780227
Title:
locking sockets broken due to missing AppArmor socket mediation
patches
S
Sadly we ran into two separate issues.
1. the kernel mapping of the permission won't allow the lock perm to be
carried through on all kernels.
I have a patch for it now, but pita
2. the release process needed some updating to uhm work with the move to
git and gitlab as hosting.
So with the abo
I have placed ubuntu test kernels for xenial and bionic in
http://people.canonical.com/~jj/lp1780227/
the patch is attached
** Patch added:
"0001-UBUNTU-SAUCE-apparmor-fix-apparmor-mediating-locking.patch"
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1780227/+attachment/5168755/+
** Tags removed: verification-needed-bionic verification-needed-xenial
** Tags added: verification-done-xenial
--
https://bugs.launchpad.net/bugs/1780227
Title:
locking socke
** Tags added: verification-done-bionic
--
https://bugs.launchpad.net/bugs/1780227
Title:
locking sockets broken due to missing AppArmor socket mediation
patches
Status in
In 4.20 we landed some of the infrastructure to support this.
Specifically secmark support was landed which provides the
infrastructure needed for apparmor labels to interact with iptables and
iptables to interact with apparmor.
This isn't something generally available for use yet as it
infrastruc
There was an attempt to revive this Dec. 6, 2017
https://lists.ubuntu.com/archives/apparmor/2017-December/011370.html
upstream there is belief in using generic audit message types. The
problem is that apparmor, selinux and smack messages differ, so they
aren't so common.
This is going to have
We need to pick the upstream fix
338d0be437ef apparmor: fix ptrace read check
and we should probably pick
1f8266ff5884 (fix-setuid) apparmor: don't try to replace stale label in
ptrace access check
to avoid other problems.
--
We didn't pick this up automatically because its fixes tag is for when
ptrace rules landed upstream. But ubuntu was carrying ptrace rules prior
to this
--
https://bugs.launchpad
** Changed in: linux (Ubuntu)
Status: In Progress => Fix Released
--
https://bugs.launchpad.net/bugs/1898280
Title:
Please unrevert the apparmor audit rule filtering f
The LSMs respecting the nnp flag was actually mandated by Linus. So yes
it breaks apparmor.
Kernel 3.5: Tasks that have nnp block apparmor policy transitions except
for unconfined, as transitions in that case always result in reduced
permissions.
Kernel 4.13: Loosened these restrictions around st
I should add that bug 1839037 is a bug in the subset test introduced in
kernel 4.13 (and earlier Ubuntu 4.4 Xenial kernels). Some subsets will
properly transition, some won't; it all depends on what is in the stack
being transitioned. The patch fixes it so that all transition
combinations pass correc
In the above regression we have
lxd-ns0_//&:root//lxd-ns0_://unconfined
transitioning to
lxd-ns0_//&:lxd-ns0_:/usr/sbin/nsd//&:root//lxd-ns0_:///usr/sbin/nsd
this is not a strict subset of profiles, however the unconfined
exception needs to be taken into account when nnp is set.
There is a bug
I am testing a fix for this that won't require reverting the patch. I
will put up a test kernel if it passes.
--
https://bugs.launchpad.net/bugs/1844186
Title:
[regression] N
There are some test kernels at
https://people.canonical.com/~jj/lp1844186/
--
https://bugs.launchpad.net/bugs/1844186
Title:
[regression] NoNewPrivileges incompatible with Ap
okay, thanks for testing. I'll submit the patch for 4.4 and 4.15 kernels
and look into why the 5.0 kernel is blocking policy loads
--
https://bugs.launchpad.net/bugs/1844186
Ti
ha, it's by mistake. I fetched the new kernel but missed doing the
rebase. I'll get a new 5.0 up asap
--
https://bugs.launchpad.net/bugs/1844186
Title:
[regression] NoNewPrivi
updated to the 5.0.0-29 kernel
--
https://bugs.launchpad.net/bugs/1844186
Title:
[regression] NoNewPrivileges incompatible with Apparmor
Status in linux package in Ubuntu:
sorry it appears I added the comments about the v2 patch to the wrong
bug
thanks for testing. I will get the request sent out to the kt.
--
https://bugs.launchpad.net/bugs/1844
It's true there are a few issues with apparmor profiles being loaded as
part of a stack when namespacing is involved. However this does not
appear to be one of them.
However the application may be behaving slightly differently resulting
in the profile needing to be extended. Can you please attach yo
Hey Christian,
thanks for the profiles, I haven't had a chance to dig into them yet,
but after a quick first pass they look as expected.
so very interesting. First up apparmor has always done mediation post
symlink resolution, this is not new with stacking. What is new with
stacking is we are now
Thanks Stéphane,
@Christian, it looks like adding a rule
/dev/pts/ptmx rw,
to the profile is necessary for now.
--
https://bugs.launchpad.net/bugs/1684481
Title:
KVM gues
Yes, the split parser has been an issue for a long time. There has been a
plan to make the flex/yacc/C parser code available as a lib for the
other tools but it's one of those things that never gets resources
allocated.
The short term fix for this is probably a backport of a newer version of
the pyt
The Ubuntu mainline kernel build unfortunately currently does not have
apparmor set as the default LSM. This is due to some config changes done
when adding the LSM stacking patches (Ubuntu tries to keep the configs
as close as possible). Addressing this is wip and should land with the
next revision
This only affects Xenial.
** Changed in: linux (Ubuntu Xenial)
Status: New => Confirmed
** Changed in: linux (Ubuntu Xenial)
Assignee: (unassigned) => John Johansen (jjohansen)
--
Status: Incomplete
** Affects: linux (Ubuntu Xenial)
Importance: Undecided
Assignee: John Johansen (jjohansen)
Status: Confirmed
** Also affects: linux (Ubuntu Xenial)
Importance: Undecided
Status: New
--
No logs needed as it's a build warning
** Changed in: linux (Ubuntu)
Status: Incomplete => Confirmed
--
https://bugs.launchpad.net/bugs/1758471
Title:
apparmor: fix b
Maybe, but we would need more information to say for sure.
There have been no changes in apparmor between the reported working
20180109 and 20180126.
The warning
> "Warning failed to create cache: usr.sbin.sssd" before the instance
just means that apparmor was not able to cache the binary policy that
There are no changes to apparmor in that range, but that does cover the
kaiser changes. Since there were no apparmor changes and kaiser changes
the kernel userspace memory interaction, my guess is that something is
triggering in the copy_from_user when policy is loaded.
--
Fixed in
commit 393d5cca6af1070709f2baaf291d16e27fbea366
Author: John Johansen
Date: Thu Oct 5 13:50:51 2017 -0700
Fix test-kernel-security.py when LSM stacking based kernel is used.
In the LSM stacking kernel DEFAULT_SECURITY_APPARMOR is not set instead
Marking it Fix Released. Please re-open if you find you still have
issues.
** Changed in: linux (Ubuntu)
Status: Fix Committed => Fix Released
--
https://bugs.launchpad
yep thanks, fixed and pushed
** Changed in: linux (Ubuntu)
Status: Confirmed => Fix Released
--
https://bugs.launchpad.net/bugs/1720660
Title:
linux 4.13.0-13.14 ADT
Klaus,
agreed logs are not needed, thanks for the confirmation. The comment in
#1 is generated by a bot so don't worry about it.
--
https://bugs.launchpad.net/bugs/1737005
Tit
*** This bug is a security vulnerability ***
Public security bug reported:
An issue was discovered in the size of the stack guard page on Linux,
specifically a 4k stack guard page is not sufficiently large and can be
jumped over
Break-Fix: 320b2b8de12698082609ebbc1a17165727f4c893 -
** Affects:
CVE-2017-1000364
** Also affects: linux (Ubuntu Artful)
Importance: Undecided
Status: New
** Also affects: linux-ti-omap4 (Ubuntu Artful)
Importance: Undecided
Status: New
** Also affects: linux-raspi2 (Ubuntu Artful)
Importance: Undecided
Status: New
** Also affec
Looks good
** Changed in: kernel-sru-workflow/security-signoff
Status: In Progress => Fix Released
--
https://bugs.launchpad.net/bugs/1696352
Title:
linux: 3.13.0-120
Looks good
** Changed in: kernel-sru-workflow/security-signoff
Status: In Progress => Fix Released
--
https://bugs.launchpad.net/bugs/1696357
Title:
linux: 4.4.0-80.
Looks good
** Changed in: kernel-sru-workflow/security-signoff
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-aws in Ubuntu.
https://bugs.launchpad.net/bugs/1696362
Title:
linux-aws: 4.
Looks good
--
https://bugs.launchpad.net/bugs/1696362
Title:
linux-aws: 4.4.0-1019.28 -proposed tracker
Status in Kernel SRU Workflow:
In Progress
Status in Kernel SRU
Looks good
** Changed in: kernel-sru-workflow/security-signoff
Status: In Progress => Fix Released
--
https://bugs.launchpad.net/bugs/1696365
Title:
linux: 4.8.0-55.5
Looks good
** Changed in: kernel-sru-workflow/security-signoff
Status: In Progress => Fix Released
--
https://bugs.launchpad.net/bugs/1696369
Title:
linux: 4.10.0-23.
sort of. The code was broken into patches and upstreamed piecemeal, so
the tighter restrictions when a given patch went in made sense. They also
better reflect some of the internal permissions that were being
enforced, ie. while profiles was you needed cap mac admin to actually
see it. It looks
Ignore the request to test the upstream kernel, for the moment.
In this case the apparmor code that is in the trace does not exist upstream.
Instead could you test the kernel in
http://people.canonical.com/~jj/lp1648143/
While listed as being for bug 1648143, it contains several fixes
includin
sudo snap refresh
should refresh the kernel snap. However the suspected fix will not be in
any snap kernel, nor can I atm build you a kernel snap to test with.
--
https://bugs
** Changed in: apparmor
Status: New => Invalid
--
https://bugs.launchpad.net/bugs/1592547
Title:
vmalloc failure leads to null ptr dereference in aa_dfa_next
Status i
The issue appears to be refcount related, I am still chasing this one
down but for this release we should revert
UBUNTU: SAUCE: apparmor: fix lock ordering for mkdir
UBUNTU: SAUCE: apparmor: fix leak on securityfs pin count
UBUNTU: SAUCE: apparmor: fix reference count leak when
securityfs_setup_d
** Tags removed: verification-needed-xenial verification-needed-yakkety
** Tags added: verification-done-xenial verification-done-yakkety
--
https://bugs.launchpad.net/bugs/1664
** Tags removed: verification-needed-xenial verification-needed-yakkety
** Tags added: verification-done-xenial verification-done-yakkety
--
https://bugs.launchpad.net/bugs/1656
** Tags removed: verification-needed-xenial verification-needed-yakkety
** Tags added: verification-done-xenial verification-done-yakkety
--
https://bugs.launchpad.net/bugs/1660
Please describe the failure, including the logs so I can analyze. Just
because the container fails to start does not mean that the fix is bad.
There can be other issues that result in the failure.
Specifically this bug is for the denial message seen in comment #5 and
not the denied messages (unlin
** Tags removed: verification-needed-xenial verification-needed-yakkety
** Tags added: verification-done-xenial verification-done-yakkety
--
https://bugs.launchpad.net/bugs/1660
** Tags removed: verification-needed-xenial verification-needed-yakkety
** Tags added: verification-done-xenial verification-done-yakkety
--
https://bugs.launchpad.net/bugs/1660
** Tags removed: verification-needed-xenial verification-needed-yakkety
** Tags added: verification-done-xenial verification-done-yakkety
--
https://bugs.launchpad.net/bugs/1660
** Tags removed: verification-needed-xenial verification-needed-yakkety
** Tags added: verification-done-xenial verification-done-yakkety
--
https://bugs.launchpad.net/bugs/1660
** Tags removed: verification-needed-yakkety
** Tags added: verification-done-yakkety
--
https://bugs.launchpad.net/bugs/1660832
Title:
unix domain socket cross permission ch
** Tags removed: verification-needed-xenial verification-needed-yakkety
** Tags added: verification-done-xenial verification-done-yakkety
--
https://bugs.launchpad.net/bugs/1638
The entire apparmor patch series was reverted regardless of whether the
patch had any link to a regression, or security fix.
The majority of the patches will be reapplied and go through the SRU
cycle again.
--
Note: this bug affects more than just lock mediation permissions. It at
a minimum can also affect the mmap executable (m) permission.
Further work is required to resubmit this fix
--
Public bug reported:
When a compound label is used as part of a target namespace the change
profile will result in a bad change
a task confined by profile lxd doing
change_profile(&:ns://foo//&unconfined)
results in a change_profile to
:ns://foo
and
unconfined
causing the local system prof
Public bug reported:
gsettings mediation needs to be able to determine if apparmor supports
label data queries. A label data query can be done to test for support
but its failure is indistinguishable from other failures, making it an
unreliable indicator.
Fix by making support of label data queri
Public bug reported:
User space trusted helpers have no way to detect when policy changes
have been loaded into the kernel. This prevents the applications from
being able to cache permission queries. Currently trusted helpers have
not done caching (wish list feature), however the gsetting proxy
re
Public bug reported:
The apparmor query interface does not make available information about
what is currently supported. Add the base set of information for label
queries through the apparmorfs features subtree.
Note: this will be needed to support user space permission caching used
by trusted he
Public bug reported:
When an apparmor parameter is set on the grub kernel line it results in
an oops and failure to boot.
eg. setting
apparmor.audit=noquiet
will cause the kernel to fail to boot.
** Affects: linux (Ubuntu)
Importance: Undecided
Status: New
** Affects: linux (Ub
This is because boot params are processed before apparmor is fully
initialized and policy_view_capable() will oops because the rootns is
not setup.
We should by-pass policy_view_capable() for params being set at boot.
--
Andres,
can you be more specific about the kernel version of the hwe kernel you
are seeing this on?
--
https://bugs.launchpad.net/bugs/1701297
Title:
NTP reload failure (una
From an apparmor pov those 2 kernels are almost identical, with the 4.4
kernel picking up a couple of backport patches, that just do some simple
remapping and should not affect behavior.
There are however some external changes that could affect apparmor mediation
binfmt_elf change (9f834ec18def
Well that explains it. So we would have seen this issue from release
except for the cloud-init bug.
Now we need to isolate the fix and backport it to the ga kernel.
--
https:/
There is a xenial test kernel at
http://people.canonical.com/~jj/lp1701297/
I have not had a chance to try it yet. I'll try to get to it in a few
hours after some sleep.
--
ht
** Changed in: apparmor (Ubuntu)
Status: New => Fix Released
** Changed in: apparmor
Status: Fix Committed => Fix Released
** Changed in: linux (Ubuntu Xenial)
Status: New => Invalid
--
There are definitely several ref count leaks that can lead to memory
leaking during policy replacement. I haven't been able to trace down
every leak yet, but the kernel in
http://people.canonical.com/~jj/lp1656121/
contains several fixes that should help. I need to finish cleaning up
the series
Public bug reported:
When a new label is created, it is created with a proxy in a circular
ref count that is broken by replacement. However if the label is not
used it will never be replaced and the circular ref count will never
be broken resulting in a leak.
**
Public bug reported:
When using nested namespaces policy within the nested namespace is trying
to cross validate with policy outside of the namespace that is not
visible to it. This results in the access being denied and with no way to
add a rule to policy that would al
Public bug reported:
@new does not have a reference taken locally and should not have its
reference put locally either.
** Affects: linux (Ubuntu)
Importance: Undecided
Status: New
** Affects: linux (Ubuntu Xenial)
Importance: Undecided
Status: New
** Aff
Public bug reported:
When an fd is disallowed from being inherited during exec, instead of
closed it is duped to a special apparmor/.null file. This prevents the
fd from being reused by another file in case the application expects
the original file on a given fd (eg
Public bug reported:
Bind mounts can oops when devname lookup fails because the devname is
uninitialized and used in auditing the denial.
** Affects: linux (Ubuntu)
Importance: Undecided
Status: New
--
** Changed in: apparmor
Status: In Progress => Invalid
--
https://bugs.launchpad.net/bugs/1634753
Title:
srcname from mount rule corrupted under load
Status in AppArm
Public bug reported:
The error condition of security_pin_fs() was not being checked which
can result in an oops or use after free, due to the fs pin
count not being incremented.
** Affects: linux (Ubuntu)
Importance: Undecided
Status: New
** Affects: linux (Ubuntu Xenia
Public bug reported:
apparmor is leaking pinfs refcount when inode setup fails.
** Affects: linux (Ubuntu)
Importance: Undecided
Status: New
** Affects: linux (Ubuntu Xenial)
Importance: Undecided
Status: New
** Affects: linux (Ubuntu Yakkety)
Importance: Undeci
Public bug reported:
apparmor is leaking the parent ns ref count, by directly returning the
error
** Affects: linux (Ubuntu)
Importance: Undecided
Status: New
** Affects: linux (Ubuntu Xenial)
Importance: Undecided
Status: New
** Affects: linux (Ubuntu Yakkety)
Public bug reported:
When doing profile removal, the parent ns of the profiles is taken, but
the reference isn't being put, resulting in the ns never being freed
even after it is removed.
** Affects: linux (Ubuntu)
Importance: Undecided
Status: New
** Affects: linux (Ubuntu Xenial)
** Changed in: linux (Ubuntu Xenial)
Status: Incomplete => In Progress
** Changed in: linux (Ubuntu Yakkety)
Status: Incomplete => In Progress
** Changed in: linux (Ubuntu Zesty)
Status: Incomplete => In Progress
--