This bug was fixed in the package linux - 5.0.0-15.16
---------------
linux (5.0.0-15.16) disco; urgency=medium
* CVE-2019-11683
- udp: fix GRO reception in case of length mismatch
- udp: fix GRO packet of death
* CVE-2018-12126 // CVE-2018-12127 // CVE-2018-12130
- x86/msr-index: Cleanup bit defines
- x86/speculation: Consolidate CPU whitelists
- x86/speculation/mds: Add basic bug infrastructure for MDS
- x86/speculation/mds: Add BUG_MSBDS_ONLY
- x86/kvm: Expose X86_FEATURE_MD_CLEAR to guests
- x86/speculation/mds: Add mds_clear_cpu_buffers()
- x86/speculation/mds: Clear CPU buffers on exit to user
- x86/kvm/vmx: Add MDS protection when L1D Flush is not active
- x86/speculation/mds: Conditionally clear CPU buffers on idle entry
- x86/speculation/mds: Add mitigation control for MDS
- x86/speculation/mds: Add sysfs reporting for MDS
- x86/speculation/mds: Add mitigation mode VMWERV
- Documentation: Move L1TF to separate directory
- Documentation: Add MDS vulnerability documentation
- x86/speculation/mds: Add mds=full,nosmt cmdline option
- x86/speculation: Move arch_smt_update() call to after mitigation decisions
- x86/speculation/mds: Add SMT warning message
- x86/speculation/mds: Fix comment
- x86/speculation/mds: Print SMT vulnerable on MSBDS with mitigations off
- x86/speculation/mds: Add 'mitigations=' support for MDS
* CVE-2017-5715 // CVE-2017-5753
- s390/speculation: Support 'mitigations=' cmdline option
* CVE-2017-5715 // CVE-2017-5753 // CVE-2017-5754 // CVE-2018-3639
- powerpc/speculation: Support 'mitigations=' cmdline option
* CVE-2017-5715 // CVE-2017-5754 // CVE-2018-3620 // CVE-2018-3639 //
CVE-2018-3646
- cpu/speculation: Add 'mitigations=' cmdline option
- x86/speculation: Support 'mitigations=' cmdline option
* Packaging resync (LP: #1786013)
- [Packaging] resync git-ubuntu-log
linux (5.0.0-14.15) disco; urgency=medium
* linux: 5.0.0-14.15 -proposed tracker (LP: #1826150)
* [SRU] Please sync vbox modules from virtualbox 6.0.6 on next kernel update
(LP: #1825210)
- vbox-update: updates for renamed makefiles
- ubuntu: vbox -- update to 6.0.6-dfsg-1
* Intel I210 Ethernet card not working after hotplug [8086:1533]
(LP: #1818490)
- igb: Fix WARN_ONCE on runtime suspend
* [regression][snd_hda_codec_realtek] repeating crackling noise after 19.04
upgrade (LP: #1821663)
- ALSA: hda - Add two more machines to the power_save_blacklist
* CVE-2019-9500
- brcmfmac: assure SSID length from firmware is limited
* CVE-2019-9503
- brcmfmac: add subtype check for event handling in data path
* CVE-2019-3882
- vfio/type1: Limit DMA mappings per container
* autofs kernel module missing (LP: #1824333)
- [Config] Update autofs4 path in inclusion list
* The Realtek card reader does not enter PCIe 1.1/1.2 (LP: #1825487)
- misc: rtsx: Enable OCP for rts522a rts524a rts525a rts5260
- SAUCE: misc: rtsx: Fixed rts5260 power saving parameter and sd glitch
* headset-mic doesn't work on two Dell laptops. (LP: #1825272)
- ALSA: hda/realtek - add two more pin configuration sets to quirk table
* CVE-2019-3887
- KVM: x86: nVMX: close leak of L0's x2APIC MSRs (CVE-2019-3887)
- KVM: x86: nVMX: fix x2APIC VTPR read intercept
* CVE-2019-3874
- sctp: implement memory accounting on tx path
- sctp: implement memory accounting on rx path
* CVE-2019-1999
- binder: fix race between munmap() and direct reclaim
* apparmor does not start in Disco LXD containers (LP: #1824812)
- SAUCE: shiftfs: use separate llseek method for directories
-- Stefan Bader <stefan.ba...@canonical.com> Mon, 06 May 2019 17:33:15
+0200
** Changed in: linux (Ubuntu Disco)
Status: Fix Committed => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5715
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5753
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5754
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-12126
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-12127
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-12130
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-3620
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-3639
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-3646
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-11683
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-1999
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-3874
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-3882
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-3887
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-9500
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-9503
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1824812
Title:
apparmor does not start in Disco LXD containers
Status in AppArmor:
Triaged
Status in apparmor package in Ubuntu:
Fix Released
Status in libvirt package in Ubuntu:
Invalid
Status in linux package in Ubuntu:
In Progress
Status in linux source package in Disco:
Fix Released
Bug description:
In LXD apparmor now skips starting.
Steps to reproduce:
1. start LXD container
$ lxc launch ubuntu-daily:d d-testapparmor
(disco to trigger the issue, cosmic as reference)
2. check the default profiles loaded
$ aa-status
=> This will in cosmic and up to recently disco list plenty of profiles
active even in the default install.
Cosmic:
25 profiles are loaded.
25 profiles are in enforce mode.
Disco:
15 profiles are loaded.
15 profiles are in enforce mode.
All those 15 remaining are from snaps.
The service of apparmor.service actually states that it refuses to start.
$ systemctl status apparmor
...
Apr 15 13:56:12 testkvm-disco-to apparmor.systemd[101]: Not starting AppArmor
in container
I can get those profiles (the default installed ones) loaded, for example:
$ sudo apparmor_parser -r /etc/apparmor.d/sbin.dhclient
makes it appear
22 profiles are in enforce mode.
/sbin/dhclient
I was wondering as in my case I found my guest with no (=0) profiles loaded.
But as shown above after "apparmor_parser -r" and package install profiles
seemed fine. Then the puzzle was solved, on package install they
will call apparmor_parser via the dh_apparmor snippet and it is fine.
To fully disable all of them:
$ lxc stop <container>
$ lxc start <container>
$ lxc exec d-testapparmor aa-status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
That would match the service doing an early exit as shown in systemctl
status output above. The package install or manual load works, but
none are loaded by the service automatically e.g. on container
restart.
--- --- ---
This bug started as:
Migrations to Disco trigger "Unable to find security driver for model
apparmor"
This most likely is related to my KVM-in-LXD setup but it worked fine
for years and I'd like to sort out what broke. I have migrated to
Disco's qemu 3.1 already which makes me doubts generic issues in qemu
3.1 in general.
The virt tests that run cross release work fine starting from X/B/C but all
those chains fail at mirgating to Disco now with:
$ lxc exec testkvm-cosmic-from -- virsh migrate --unsafe --live
kvmguest-bionic-normal
qemu+ssh://10.21.151.207/system
error: unsupported configuration: Unable to find security driver for model
apparmor
I need to analyze what changed
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1824812/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
