Bug #1379535 “policy namespace stacking” : Bugs : apparmor package : Ubuntu

Jamie Strandboge (jdstrand) on 2014-10-10

Changed in apparmor:
assignee:	nobody → John Johansen (jjohansen)
importance:	Undecided → Critical
status:	New → In Progress
Changed in apparmor (Ubuntu):
assignee:	John Johansen (jjohansen) → nobody
status:	In Progress → Triaged
status:	Triaged → Confirmed

Jamie Strandboge (jdstrand) on 2014-10-23

Changed in linux (Ubuntu):
status:	New → Triaged
status:	Triaged → Confirmed
importance:	Undecided → Critical
tags:	added: aa-kernel

penalvch (penalvch) on 2016-01-25

Changed in linux (Ubuntu):
status:	Confirmed → Triaged

John Johansen (jjohansen) on 2016-03-18

summary:

- namespace stacking
+ policy namespace stacking

Tyler Hicks (tyhicks) on 2016-03-18

Changed in apparmor (Ubuntu):
status:	Confirmed → In Progress
assignee:	nobody → Tyler Hicks (tyhicks)

John Johansen (jjohansen) on 2016-03-18

description:

updated

Tim Gardner (timg-tpi) on 2016-03-18

Changed in linux (Ubuntu Xenial):
assignee:	nobody → Tim Gardner (timg-tpi)
status:	Triaged → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2016-03-21:

#1

Download full text (11.3 KiB)

This bug was fixed in the package linux - 4.4.0-15.31

---------------
linux (4.4.0-15.31) xenial; urgency=low

[ Tim Gardner ]

* Release Tracking Bug
- LP: #1559252

* Xilinx KU3 Capi card does not show up in Ubuntu 16.04 (LP: #1557001)
- SAUCE: (noup) cxl: Allow initialization on timebase sync failures

  * policy namespace stacking (LP: #1379535)
    - Revert "UBUNTU: SAUCE: Move replacedby allocation into label_alloc"
    - Revert "UBUNTU: SAUCE: Fixup: __label_update() still doesn't handle some cases correctly."
    - Revert "UBUNTU: SAUCE: fix: audit "no_new_privs" case for exec failure"
    - Revert "UBUNTU: SAUCE: fixup: warning about aa_label_vec_find_or_create not being static"
    - Revert "UBUNTU: SAUCE: apparmor: fix refcount race when finding a child profile"
    - Revert "UBUNTU: SAUCE: fixup: cast poison values to remove warnings"
    - Revert "UBUNTU: SAUCE: fixup: get rid of unused var build warning"
    - Revert "UBUNTU: SAUCE: fixup: 20/23 locking issue around in __label_update"
    - Revert "UBUNTU: SAUCE: fixup: make __share_replacedby private to get rid of build warning"
    - Revert "UBUNTU: SAUCE: fix: replacedby forwarding is not being properly update when ns is destroyed"
    - Revert "UBUNTU: SAUCE: apparmor: fix log of apparmor audit message when kern_path() fails"
    - Revert "UBUNTU: SAUCE: fixup: cleanup return handling of labels"
    - Revert "UBUNTU: SAUCE: apparmor: fix: ref count leak when profile sha1 hash is read"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: query label file permission"
    - Revert "UBUNTU: SAUCE: apparmor: Don't remove label on rcu callback if the label has already been removed"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: break circular refcount for label that is directly freed."
    - Revert "UBUNTU: SAUCE: apparmor: Fix: refcount bug when inserting label update that transitions ns"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: now that insert can force replacement use it instead of remove_and_insert"
    - Revert "UBUNTU: SAUCE: apparmor Fix: refcount bug in pivotroot mediation"
    - Revert "UBUNTU: SAUCE: apparmor: ensure that repacedby sharing is done correctly"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: update replacedby allocation to take a gfp parameter"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: convert replacedby update to be protected by the labelset lock"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: add required locking of __aa_update_replacedby on merge path"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: deadlock in aa_put_label() call chain"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: label_vec_merge insertion"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: ensure new labels resulting from merge have a replacedby"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: refcount leak in aa_label_merge"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: refcount race between locating in labelset and get"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: label merge handling of marking unconfined and stale"
    - Revert "UBUNTU: SAUCE: apparmor: add underscores to indicate aa_label_next_not_in_set() use needs locking"
    - Revert "UBUNTU: SAUCE: apparmor: debug: POISON label and replaceby ...

This bug was fixed in the package linux - 4.4.0-15.31

---------------
linux (4.4.0-15.31) xenial; urgency=low

[ Tim Gardner ]

* Release Tracking Bug
    - LP: #1559252

* Xilinx KU3 Capi card does not show up in Ubuntu  16.04 (LP: #1557001)
    - SAUCE: (noup) cxl: Allow initialization on timebase sync failures

* policy namespace stacking (LP: #1379535)
    - Revert "UBUNTU: SAUCE: Move replacedby allocation into label_alloc"
    - Revert "UBUNTU: SAUCE: Fixup: __label_update() still doesn't handle some cases correctly."
    - Revert "UBUNTU: SAUCE: fix: audit "no_new_privs" case for exec failure"
    - Revert "UBUNTU: SAUCE: fixup: warning about aa_label_vec_find_or_create not being static"
    - Revert "UBUNTU: SAUCE: apparmor: fix refcount race when finding a child profile"
    - Revert "UBUNTU: SAUCE: fixup: cast poison values to remove warnings"
    - Revert "UBUNTU: SAUCE: fixup: get rid of unused var build warning"
    - Revert "UBUNTU: SAUCE: fixup: 20/23 locking issue around in __label_update"
    - Revert "UBUNTU: SAUCE: fixup: make __share_replacedby private to get rid of build warning"
    - Revert "UBUNTU: SAUCE: fix: replacedby forwarding is not being properly update when ns is destroyed"
    - Revert "UBUNTU: SAUCE: apparmor: fix log of apparmor audit message when kern_path() fails"
    - Revert "UBUNTU: SAUCE: fixup: cleanup return handling of labels"
    - Revert "UBUNTU: SAUCE: apparmor: fix: ref count leak when profile sha1 hash is read"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: query label file permission"
    - Revert "UBUNTU: SAUCE: apparmor: Don't remove label on rcu callback if the label has already been removed"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: break circular refcount for label that is directly freed."
    - Revert "UBUNTU: SAUCE: apparmor: Fix: refcount bug when inserting label update that transitions ns"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: now that insert can force replacement use it instead of remove_and_insert"
    - Revert "UBUNTU: SAUCE: apparmor Fix: refcount bug in pivotroot mediation"
    - Revert "UBUNTU: SAUCE: apparmor: ensure that repacedby sharing is done correctly"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: update replacedby allocation to take a gfp parameter"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: convert replacedby update to be protected by the labelset lock"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: add required locking of __aa_update_replacedby on merge path"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: deadlock in aa_put_label() call chain"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: label_vec_merge insertion"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: ensure new labels resulting from merge have a replacedby"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: refcount leak in aa_label_merge"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: refcount race between locating in labelset and get"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: label merge handling of marking unconfined and stale"
    - Revert "UBUNTU: SAUCE: apparmor: add underscores to indicate aa_label_next_not_in_set() use needs locking"
    - Revert "UBUNTU: SAUCE: apparmor: debug: POISON label and replaceby pointer on free"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: ensure aa_get_newest will trip debugging if the replacedby is not setup"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: insert race between label_update and label_merge"
    - Revert "UBUNTU: SAUCE: apparmor: rework retrieval of the current label in the profile update case"
    - Revert "UBUNTU: SAUCE: apparmor: Disallow update of cred when then subjective != the objective cred"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: oops do to invalid null ptr deref in label print fns"
    - Revert "UBUNTU: SAUCE: fix-up: kern_mount fail path should not be doing put_buffers()"
    - Revert "UBUNTU: SAUCE: apparmor: fix sleep from invalid context"
    - Revert "UBUNTU: SAUCE: (no-up): apparmor: fix for failed mediation of socket that is being shutdown"
    - Revert "UBUNTU: SAUCE: (no-up) apparmor: Fix incompatible pointer type warnings"
    - Revert "UBUNTU: SAUCE: (no-up) apparmor: fix mount not handling disconnected paths"
    - Revert "UBUNTU: SAUCE: (no-up): apparmor: fix mediation of fs unix sockets"
    - Revert "UBUNTU: apparmor -- follow change to this_cpu_ptr"
    - Revert "UBUNTU: SAUCE: (no-up) fix: bad unix_addr_fs macro"
    - Revert "UBUNTU: SAUCE: Revert: fix: only allow a single threaded process to ..."
    - Revert "UBUNTU: SAUCE: (no-up) apparmor: Sync to apparmor3 - RC1 snapshot"
    - Revert "UBUNTU: SAUCE: (no-up) apparmor: add parameter to control whether policy hashing is used"
    - SAUCE: (no-up) apparmor: sync of apparmor3.5-beta1 snapshot
    - SAUCE: add a sysctl to enable unprivileged user ns AppArmor policy loading

* Add arm64 NUMA support (LP: #1558765)
    - SAUCE: (noup) efi: ARM/arm64: ignore DT memory nodes instead of removing them
    - SAUCE: (noup) Documentation, dt, numa: dt bindings for NUMA.
    - [Config] CONFIG_OF_NUMA=y
    - SAUCE: (noup) of, numa: Add NUMA of binding implementation.
    - SAUCE: (noup) arm64: Move unflatten_device_tree() call earlier.
    - [Config] CONFIG_NUMA=y and CONFIG_NODES_SHIFT=2 on arm64
    - SAUCE: (noup) arm64, numa: Add NUMA support for arm64 platforms.
    - SAUCE: (noup) arm64, mm, numa: Add NUMA balancing support for arm64.

* vivid/linux: total ADT test failures (LP: #1558447)
    - Revert "Revert "af_unix: Revert 'lock_interruptible' in stream receive code""

* [Hyper-V] patches to allow kdump crash through NMI (LP: #1558720)
    - Drivers: hv: vmbus: Support handling messages on multiple CPUs
    - Drivers: hv: vmbus: Support kexec on ws2012 r2 and above

* s390/pci: enforce fmb page boundary rule (LP: #1558625)
    - s390/pci: enforce fmb page boundary rule

* s390/pci: backport upstream commits since v4.4 (LP: #1558624)
    - s390/pci_dma: fix DMA table corruption with > 4 TB main memory
    - page_to_phys() always returns a multiple of PAGE_SIZE
    - s390/pci: provide ZPCI_ADDR macro
    - s390/pci: improve ZPCI_* macros
    - s390/pci: resize iomap
    - s390/pci: fix bar check
    - s390/pci: set error state for unusable functions
    - s390/pci: remove iomap sanity checks
    - s390/pci: remove pdev pointer from arch data
    - s390/pci: add ioctl interface for CLP

* IMA-appraisal is unusable in Ubuntu 16.04 (LP: #1558553)
    - [Config] CONFIG_SYSTEM_EXTRA_CERTIFICATE=y, CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
    - KEYS: Use the symbol value for list size, updated by scripts/insert-sys-cert
    - KEYS: Reserve an extra certificate symbol for inserting without recompiling
    - SAUCE: (noup) KEYS: Support for inserting a certificate into x86 bzImage

* skb_warn_bad_offload Crash (LP: #1558025)
    - ipv4: only create late gso-skb if skb is already set up with CHECKSUM_PARTIAL

* Add PCIe root complex to Cavium arm64 (LP: #1558342)
    - [Config] CONFIG_PCI_HOST_COMMON=y
    - [Config] CONFIG_PCI_HOST_THUNDER_PEM=y
    - [Config] CONFIG_PCI_HOST_THUNDER_ECAM=y
    - PCI: generic: Move structure definitions to separate header file
    - PCI: generic: Add pci_host_common_probe(), based on gen_pci_probe()
    - PCI: generic: Expose pci_host_common_probe() for use by other drivers
    - PCI: thunder: Add PCIe host driver for ThunderX processors
    - PCI: thunder: Add driver for ThunderX-pass{1,2} on-chip devices

* [Hyper-V] vmbus: Fix a bug in hv_need_to_signal_on_read() (LP: #1556264)
    - SAUCE: (noup) Drivers: hv: vmbus: Fix a bug in hv_need_to_signal_on_read()

* Xenial update to v4.4.6 stable release (LP: #1558330)
    - arm64: account for sparsemem section alignment when choosing vmemmap offset
    - ARM: mvebu: fix overlap of Crypto SRAM with PCIe memory window
    - ARM: dts: dra7: do not gate cpsw clock due to errata i877
    - ARM: OMAP2+: hwmod: Introduce ti,no-idle dt property
    - PCI: Allow a NULL "parent" pointer in pci_bus_assign_domain_nr()
    - kvm: cap halt polling at exactly halt_poll_ns
    - KVM: VMX: disable PEBS before a guest entry
    - KVM: s390: correct fprs on SIGP (STOP AND) STORE STATUS
    - KVM: PPC: Book3S HV: Sanitize special-purpose register values on guest exit
    - KVM: MMU: fix ept=0/pte.u=1/pte.w=0/CR0.WP=0/CR4.SMEP=1/EFER.NX=0 combo
    - KVM: MMU: fix reserved bit check for ept=0/CR0.WP=0/CR4.SMEP=1/EFER.NX=0
    - s390/dasd: fix diag 0x250 inline assembly
    - tracing: Fix check for cpu online when event is disabled
    - dmaengine: at_xdmac: fix residue computation
    - jffs2: reduce the breakage on recovery from halfway failed rename()
    - ncpfs: fix a braino in OOM handling in ncp_fill_cache()
    - ASoC: dapm: Fix ctl value accesses in a wrong type
    - ASoC: samsung: Use IRQ safe spin lock calls
    - ASoC: wm8994: Fix enum ctl accesses in a wrong type
    - ASoC: wm8958: Fix enum ctl accesses in a wrong type
    - ovl: ignore lower entries when checking purity of non-directory entries
    - ovl: fix working on distributed fs as lower layer
    - wext: fix message delay/ordering
    - cfg80211/wext: fix message ordering
    - can: gs_usb: fixed disconnect bug by removing erroneous use of kfree()
    - iwlwifi: mvm: inc pending frames counter also when txing non-sta
    - mac80211: minstrel: Change expected throughput unit back to Kbps
    - mac80211: fix use of uninitialised values in RX aggregation
    - mac80211: minstrel_ht: set default tx aggregation timeout to 0
    - mac80211: minstrel_ht: fix a logic error in RTS/CTS handling
    - mac80211: check PN correctly for GCMP-encrypted fragmented MPDUs
    - mac80211: Fix Public Action frame RX in AP mode
    - gpu: ipu-v3: Do not bail out on missing optional port nodes
    - drm/amdgpu: Fix error handling in amdgpu_flip_work_func.
    - drm/radeon: Fix error handling in radeon_flip_work_func.
    - Revert "drm/radeon/pm: adjust display configuration after powerstate"
    - userfaultfd: don't block on the last VM updates at exit time
    - ovl: fix getcwd() failure after unsuccessful rmdir
    - MIPS: Fix build error when SMP is used without GIC
    - MIPS: smp.c: Fix uninitialised temp_foreign_map
    - block: don't optimize for non-cloned bio in bio_get_last_bvec()
    - target: Drop incorrect ABORT_TASK put for completed commands
    - ld-version: Fix awk regex compile failure
    - Linux 4.4.6

* linux fails to load x.509 built-in certificate (LP: #1557250)
    - lib/mpi: Endianness fix

* s390/kconfig: setting for CONFIG...9P.... (LP: #1557994)
    - [Config] CONFIG_NET_9P=m for s390x

* mlx5_core kernel trace after "ethtool -C eth1 adaptive-rx on" flow
    (LP: #1557950)
    - net/mlx5e: Don't try to modify CQ moderation if it is not supported
    - net/mlx5e: Don't modify CQ before it was created

* [Feature]SD/SDIO/eMMC support for Broxton-P (LP: #1520454)
    - mmc: sdhci: Do not BUG on invalid vdd
    - mmc: enable MMC/SD/SDIO device to suspend/resume asynchronously
    - mmc: It is not an error for the card to be removed while suspended

* s390/kconfig: disable CONFIG_VIRTIO_MMIO (LP: #1557689)
    - [Config] CONFIG_VIRTIO_MMIO=n for s390x

* s390/kconfig: CONFIG_NUMA without CONFIG_NUMA_EMU does not make any sense on s390x (LP: #1557690)
    - [Config] CONFIG_NUMA_EMU=y for s390x

* Miscellaneous Ubuntu changes
    - [Debian] git-ubuntu-log -- prevent bug references being split
    - [Debian] git-ubuntu-log -- git log output is UTF-8

-- Tim Gardner <tim.gardner@canonical.com>  Tue, 15 Mar 2016 13:18:58 -0600

Changed in linux (Ubuntu Xenial):
status:	Fix Committed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2016-04-11:

#2

Download full text (4.4 KiB)

This bug was fixed in the package apparmor - 2.10.95-0ubuntu1

---------------
apparmor (2.10.95-0ubuntu1) xenial; urgency=medium

  * Update to apparmor 2.10.95 (2.11 Beta 1) (LP: #1561762)
    - Allow Apache prefork profile to chown(2) files (LP: #1210514)
    - Allow deluge-gtk and deluge-console to handle torrents opened in
      browsers (LP: #1501913)
    - Allow file accesses needed by some programs using libnl-3-200
      (Closes: #810888)
    - Allow file accesses needed on systems that use NetworkManager without
      resolvconf (Closes: #813835)
    - Adjust aa-status(8) to work without python3-apparmor (LP: #1480492)
    - Fix aa-logprof(8) crash when operating on files containing multiple
      profiles with certain rules (LP: #1528139)
    - Fix log parsing crashes, in the Python utilities, caused by certain file
      related events (LP: #1525119, LP: #1540562)
    - Fix log parsing crasher, in the Python utilities, caused by certain
      change_hat events (LP: #1523297)
    - Improve Python 2 support of the utils by fixing an aa-logprof(8) crasher
      when Python 3 is not available (LP: #1513880)
    - Send aa-easyprof(8) error messages to stderr instead of stdout
      (LP: #1521400)
    - Fix aa-autodep(8) failure when the shebang line of a script contained
      parameters (LP: #1505775)
    - Don't depend on the system logprof.conf when running utils/ build tests
      (LP: #1393979)
    - Fix apparmor_parser(8) bugs when parsing profiles that use policy
      namespaces in the profile declaration or profile transition targets
      (LP: #1540666, LP: #1544387)
    - Regression fix for apparmor_parser(8) bug that resulted in the
      --namespace-string commandline option being ignored causing profiles to
      be loaded into the root policy namespace (LP: #1526085)
    - Fix crasher regression in apparmor_parser(8) when the parser was asked
      to process a directory (LP: #1534405)
    - Fix bug in apparmor_parser(8) to honor the specified bind flags remount
      rules (LP: #1272028)
    - Support tarball generation for Coverity scans and fix a number of issues
      discovered by Coverity
    - Fix regression test failures on s390x systems (LP: #1531325)
    - Adjust expected errno values in changeprofile regression test
      (LP: #1559705)
    - The Python utils gained support for ptrace and signal rules
    - aa-exec(8) received a rewrite in C
    - apparmor_parser(8) gained support for stacking multiple profiles, as
      supported by the Xenial kernel (LP: #1379535)
    - libapparmor gained new public interfaces, aa_stack_profile(2) and
      aa_stack_onexec(2), allowing applications to utilize the new kernel
      stacking support (LP: #1379535)
  * Drop the following patches since they've been incorporated upstream:
    - aa-status-dont_require_python3-apparmor.patch
    - r3209-dnsmasq-allow-dash
    - r3227-locale-indep-capabilities-sorting.patch
    - r3277-update-python-abstraction.patch
    - r3366-networkd.patch,
    - tests-fix_sysctl_test.patch
    - parser-fix-cache-file-mtime-regression.patch
    - parser-verify-cache-file-mtime.patch
    - parser-run-caching-tests-without-apparmorfs.patch
    - pa...

This bug was fixed in the package apparmor - 2.10.95-0ubuntu1

---------------
apparmor (2.10.95-0ubuntu1) xenial; urgency=medium

* Update to apparmor 2.10.95 (2.11 Beta 1) (LP: #1561762)
    - Allow Apache prefork profile to chown(2) files (LP: #1210514)
    - Allow deluge-gtk and deluge-console to handle torrents opened in
      browsers (LP: #1501913)
    - Allow file accesses needed by some programs using libnl-3-200
      (Closes: #810888)
    - Allow file accesses needed on systems that use NetworkManager without
      resolvconf (Closes: #813835)
    - Adjust aa-status(8) to work without python3-apparmor (LP: #1480492)
    - Fix aa-logprof(8) crash when operating on files containing multiple
      profiles with certain rules (LP: #1528139)
    - Fix log parsing crashes, in the Python utilities, caused by certain file
      related events (LP: #1525119, LP: #1540562)
    - Fix log parsing crasher, in the Python utilities, caused by certain
      change_hat events (LP: #1523297)
    - Improve Python 2 support of the utils by fixing an aa-logprof(8) crasher
      when Python 3 is not available (LP: #1513880)
    - Send aa-easyprof(8) error messages to stderr instead of stdout
      (LP: #1521400)
    - Fix aa-autodep(8) failure when the shebang line of a script contained
      parameters (LP: #1505775)
    - Don't depend on the system logprof.conf when running utils/ build tests
      (LP: #1393979)
    - Fix apparmor_parser(8) bugs when parsing profiles that use policy
      namespaces in the profile declaration or profile transition targets
      (LP: #1540666, LP: #1544387)
    - Regression fix for apparmor_parser(8) bug that resulted in the
      --namespace-string commandline option being ignored causing profiles to
      be loaded into the root policy namespace (LP: #1526085)
    - Fix crasher regression in apparmor_parser(8) when the parser was asked
      to process a directory (LP: #1534405)
    - Fix bug in apparmor_parser(8) to honor the specified bind flags remount
      rules (LP: #1272028)
    - Support tarball generation for Coverity scans and fix a number of issues
      discovered by Coverity
    - Fix regression test failures on s390x systems (LP: #1531325)
    - Adjust expected errno values in changeprofile regression test
      (LP: #1559705)
    - The Python utils gained support for ptrace and signal rules
    - aa-exec(8) received a rewrite in C
    - apparmor_parser(8) gained support for stacking multiple profiles, as
      supported by the Xenial kernel (LP: #1379535)
    - libapparmor gained new public interfaces, aa_stack_profile(2) and
      aa_stack_onexec(2), allowing applications to utilize the new kernel
      stacking support (LP: #1379535)
  * Drop the following patches since they've been incorporated upstream:
    - aa-status-dont_require_python3-apparmor.patch
    - r3209-dnsmasq-allow-dash
    - r3227-locale-indep-capabilities-sorting.patch
    - r3277-update-python-abstraction.patch
    - r3366-networkd.patch,
    - tests-fix_sysctl_test.patch
    - parser-fix-cache-file-mtime-regression.patch
    - parser-verify-cache-file-mtime.patch
    - parser-run-caching-tests-without-apparmorfs.patch
    - parser-do-cleanup-when-test-was-skipped.patch
    - parser-allow-unspec-in-network-rules.patch
  * debian/rules, debian/apparmor.install, debian/apparmor.manpages: Update
    for new upstream binutils directory and aa-enabled binary
    - Continue installing aa-exec into /usr/sbin/ for now since
      click-apparmor's aa-exec-click autopkgtest expects it to be there
  * debian/libapparmor-dev.manpages: Include the new aa_stack_profile.2 man
    page
  * debian/patches/r3424-nscd-profile-allow-paranoia-mode.patch: Allow file
    access needed for nscd's paranoia mode
  * debian/patches/r3425-adjust-stacking-tests-version-check.patch: Adjust the
    regression test build time checks, for libapparmor stacking support, to
    look for the 2.10.95 versioning rather than 2.11
  * debian/patches/r3426-allow-debugedit-to-work-on-apparmor-parser.patch:
    Remove extra slash in the parser Makefile so that debugedit(8) can work on
    apparmor_parser(8) (LP: #1561939)
  * debian/patches/allow-stacking-tests-to-use-system.patch: Adjust the file
    rules of the new stacking tests so that the generated profiles allow the
    system binaries and libraries to be tested
  * debian/libapparmor1.symbols: update symbols file for added symbols
    in libapparmor

-- Tyler Hicks <tyhicks@canonical.com>  Sat, 09 Apr 2016 01:35:25 -0500

Changed in apparmor (Ubuntu Xenial):
status:	In Progress → Fix Released

Revision history for this message

intrigeri (intrigeri) wrote on 2022-02-12:

#3

I see this is "Fix Released" everywhere but on the upstream AppArmor project. I understand this has made its way upstream and works with mainline kernel, e.g. for LXC. If my understanding is incorrect, please clarify what's left to do here (or perhaps track it on a finer-grained follow-up bug :)

Changed in apparmor:
status:	In Progress → Fix Released

Revision history for this message

John Johansen (jjohansen) wrote on 2022-02-12:

#4

This is indeed upstream, and works as far as it goes. There are currently issues when crossing system namespace boundaries but those are being treated as separate issues. The stacking it self works policy when crossing ns boundaries has to be aware of it and more relaxed than we would like.

Ubuntu
apparmor package

policy namespace stacking

Bug Description

Related branches

Other bug subscribers

Remote bug watches

	Status	Importance	Assigned to
AppArmor	Fix Released	Critical	John Johansen
apparmor (Ubuntu)	Fix Released	Critical	Tyler Hicks
Xenial	Fix Released	Critical	Tyler Hicks
linux (Ubuntu)	Fix Released	Critical	Tim Gardner
Xenial	Fix Released	Critical	Tim Gardner

Ubuntuapparmor package

policy namespace stacking

Bug Description

Related branches

Other bug subscribers

Remote bug watches

Ubuntu
apparmor package