locking sockets broken due to missing AppArmor socket mediation patches
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| apparmor (Ubuntu) | Invalid | Critical | Unassigned | |
| Xenial | Invalid | Critical | Unassigned | |
| Bionic | Invalid | Critical | Unassigned | |
| linux (Ubuntu) | Fix Released | Critical | John Johansen | |
| Xenial | Fix Released | Critical | John Johansen | |
| Bionic | Fix Released | Critical | John Johansen | |
Bug Description
Hey,
Newer systemd makes use of locks placed on AF_UNIX sockets created with the socketpair() syscall to synchronize various bits and pieces when isolating services. On kernels prior to 4.18 that do not have the AppArmor socket mediation patchset backported, this will cause the locks to be denied with EACCES. This causes systemd to be broken in LXC and LXD containers that do not run unconfined, which is a pretty big deal. We have seen various bug reports related to this. See for example [1] and [2].
If feasible, it would be excellent if we could backport the socket mediation patchset to all LTS kernels. Afaict, this should be 4.4 and 4.15. This will unbreak a whole range of use-cases.
The socket mediation patchset is available here:
https:/
[1]: https:/
[2]: https:/
Thanks!
Christian
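A small probe for the behaviour described in the report, added here as an example (it is not code from the bug report, from systemd or from the AppArmor patchset): it creates an AF_UNIX socketpair(), tries to lock one end and reports whether the kernel permitted it, denied it with EACCES (the signature of a confined process on a kernel without socket mediation) or failed for some other reason. It assumes flock() as the lock primitive, which the report does not specify.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/file.h>
#include <sys/socket.h>
#include <unistd.h>

enum lock_result { LOCK_OK = 0, LOCK_DENIED = 1, LOCK_FAILED = 2 };

/* Map the errno of a failed lock call to a verdict: EACCES is the signature the
 * report describes (confined process, kernel without socket mediation). */
enum lock_result classify_lock_errno(int err)
{
    if (err == 0)
        return LOCK_OK;
    if (err == EACCES)
        return LOCK_DENIED;
    return LOCK_FAILED;
}

/* Create an AF_UNIX socketpair(), take a non-blocking exclusive flock() on one
 * end (assumed lock primitive; the report only says "locks") and release it.
 * *saved_errno receives the errno of the first failing call, 0 on success. */
enum lock_result socketpair_lock_check(int *saved_errno)
{
    int sv[2], err = 0;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) {
        *saved_errno = errno;
        return LOCK_FAILED;           /* could not even create the pair */
    }
    if (flock(sv[0], LOCK_EX | LOCK_NB) < 0)
        err = errno;                  /* EACCES here is the AppArmor denial */
    else
        flock(sv[0], LOCK_UN);
    close(sv[0]);
    close(sv[1]);
    *saved_errno = err;
    return classify_lock_errno(err);
}

int main(void)
{
    static const char *verdict[] = { "permitted", "denied with EACCES (socket mediation missing?)", "failed" };
    int err;
    enum lock_result r = socketpair_lock_check(&err);
    printf("socketpair lock: %s (errno %d: %s)\n", verdict[r], err, strerror(err));
    return r == LOCK_OK ? 0 : 1;
}
```

Run it from inside the confined container to see the denial, and again with the container unconfined or on a kernel carrying the socket mediation patches to confirm the lock is permitted.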
| Changed in | Field | Change |
|---|---|---|
| linux (Ubuntu) | status | Incomplete → Confirmed |
| linux (Ubuntu) | importance | Undecided → High |
| linux (Ubuntu) | status | Confirmed → Triaged |
| linux (Ubuntu Xenial) | status | New → Triaged |
| linux (Ubuntu Bionic) | status | New → Triaged |
| linux (Ubuntu Xenial) | importance | Undecided → High |
| linux (Ubuntu Bionic) | importance | Undecided → High |
| | tags | added: bionic kernel-da-key xenial |
| linux (Ubuntu) | importance | High → Critical |
| | tags | added: block-proposed |
| linux (Ubuntu) | status | Triaged → Invalid |
| linux (Ubuntu Xenial) | status | Triaged → Invalid |
| linux (Ubuntu Bionic) | status | Triaged → Invalid |
| apparmor (Ubuntu) | status | New → Triaged |
| apparmor (Ubuntu Xenial) | status | New → Triaged |
| apparmor (Ubuntu Bionic) | status | New → Triaged |
| apparmor (Ubuntu) | importance | Undecided → Critical |
| apparmor (Ubuntu Xenial) | importance | Undecided → Critical |
| apparmor (Ubuntu Bionic) | importance | Undecided → Critical |
| linux (Ubuntu) | importance | Critical → Undecided |
| linux (Ubuntu Xenial) | importance | High → Undecided |
| linux (Ubuntu Bionic) | importance | High → Undecided |
| apparmor (Ubuntu) | assignee | nobody → John Johansen (jjohansen) |
| apparmor (Ubuntu Xenial) | assignee | nobody → John Johansen (jjohansen) |
| apparmor (Ubuntu Bionic) | assignee | nobody → John Johansen (jjohansen) |
| | tags | added: patch |
| linux (Ubuntu Xenial) | status | Triaged → Fix Committed |
| linux (Ubuntu Bionic) | status | Triaged → Fix Committed |
| linux (Ubuntu) | status | Triaged → Fix Committed |
| | tags | added: verification-done-xenial; removed: verification-needed-bionic verification-needed-xenial |
| | tags | added: verification-done-bionic |
| | tags | added: cscc |
This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:
apport-collect 1780227
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.