stacking to unconfined in a child namespace confuses mediation

Bug #1615890 reported by John Johansen
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
AppArmor
New
Undecided
Unassigned
linux (Ubuntu)
Fix Released
Undecided
Unassigned
Xenial
Fix Released
Undecided
Unassigned
Yakkety
Fix Released
Undecided
Unassigned

Bug Description

when viewing a stack involving unconfined from across a ns boundary
the mode is reported as mixed.

Eg.
lxc-container-default//&:lxdns1://unconfined (mixed)

This is because the unconfined profile is in the special unconfined
mode. Which will result in a (mixed) mode for any stack with profiles
in enforcing or complain mode.

This can however lead to confusion as to what mode is being used as
mixed is also used for enforcing stacked with complain, and This can
also currently messes up mediation of trusted helpers like dbus.

Since unconfined doesn't affect the stack just special case it.

Changed in linux (Ubuntu Xenial):
status: New → Fix Committed
Revision history for this message
Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1615890

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Revision history for this message
Tim Gardner (timg-tpi) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-xenial
tags: added: verification-done-xenial
removed: verification-needed-xenial
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (22.8 KiB)

This bug was fixed in the package linux - 4.4.0-38.57

---------------
linux (4.4.0-38.57) xenial; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1620658

  * CIFS client: access problems after updating to kernel 4.4.0-29-generic
    (LP: #1612135)
    - Revert "UBUNTU: SAUCE: (namespace) Bypass sget() capability check for nfs"
    - fs: Call d_automount with the filesystems creds

  * apt-key add fails in overlayfs (LP: #1618572)
    - SAUCE: overlayfs: fix regression in whiteout detection

linux (4.4.0-37.56) xenial; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1618040

  * [Feature] Instruction decoder support for new SKX instructions- AVX512
    (LP: #1591655)
    - x86/insn: perf tools: Fix vcvtph2ps instruction decoding
    - x86/insn: Add AVX-512 support to the instruction decoder
    - perf tools: Add AVX-512 support to the instruction decoder used by Intel PT
    - perf tools: Add AVX-512 instructions to the new instructions test

  * [Ubuntu 16.04] FCoE Lun not visible in OS with inbox driver - Issue with
    ioremap() call on 32bit kernel (LP: #1608652)
    - lpfc: Correct issue with ioremap() call on 32bit kernel

  * [Feature] turbostat support for Skylake-SP server (LP: #1591802)
    - tools/power turbostat: decode more CPUID fields
    - tools/power turbostat: CPUID(0x16) leaf shows base, max, and bus frequency
    - tools/power turbostat: decode HWP registers
    - tools/power turbostat: Decode MSR_MISC_PWR_MGMT
    - tools/power turbostat: allow sub-sec intervals
    - tools/power turbostat: Intel Xeon x200: fix erroneous bclk value
    - tools/power turbostat: Intel Xeon x200: fix turbo-ratio decoding
    - tools/power turbostat: re-name "%Busy" field to "Busy%"
    - tools/power turbostat: add --out option for saving output in a file
    - tools/power turbostat: fix compiler warnings
    - tools/power turbostat: make fewer systems calls
    - tools/power turbostat: show IRQs per CPU
    - tools/power turbostat: show GFXMHz
    - tools/power turbostat: show GFX%rc6
    - tools/power turbostat: detect and work around syscall jitter
    - tools/power turbostat: indicate SMX and SGX support
    - tools/power turbostat: call __cpuid() instead of __get_cpuid()
    - tools/power turbostat: correct output for MSR_NHM_SNB_PKG_CST_CFG_CTL dump
    - tools/power turbostat: bugfix: TDP MSRs print bits fixing
    - tools/power turbostat: SGX state should print only if --debug
    - tools/power turbostat: print IRTL MSRs
    - tools/power turbostat: initial BXT support
    - tools/power turbostat: decode BXT TSC frequency via CPUID
    - tools/power turbostat: initial SKX support

  * [BYT] display hotplug doesn't work on console (LP: #1616894)
    - drm/i915/vlv: Make intel_crt_reset() per-encoder
    - drm/i915/vlv: Reset the ADPA in vlv_display_power_well_init()
    - drm/i915/vlv: Disable HPD in valleyview_crt_detect_hotplug()
    - drm/i915: Enable polling when we don't have hpd

  * [Feature]intel_idle enabling on Broxton-P (LP: #1520446)
    - intel_idle: add BXT support

  * [Feature] EDAC: Update driver for SKX-SP (LP: #1591815)
    - [Config] CONFIG_EDAC_SKX=m
    - EDAC, skx_edac: Ad...

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (3.4 KiB)

This bug was fixed in the package linux - 4.8.0-11.12

---------------
linux (4.8.0-11.12) yakkety; urgency=low

  * change_hat is logging failures during expected hat probing (LP: #1615893)
    - SAUCE: apparmor: Fix auditing behavior for change_hat probing

  * deleted files outside of the namespace are not being treated as
    disconnected
    (LP: #1615892)
    - SAUCE: apparmor: deleted dentries can be disconnected

  * stacking to unconfined in a child namespace confuses mediation
    (LP: #1615890)
    - SAUCE: apparmor: special case unconfined when determining the mode

  * apparmor module parameters can be changed after the policy is locked
    (LP: #1615895)
    - SAUCE: apparmor: fix: parameters can be changed after policy is locked

  * AppArmor profile reloading causes an intermittent kernel BUG (LP:
    #1579135)
    - SAUCE: apparmor: fix vec_unique for vectors larger than 8

  * label vec reductions can result in reference labels instead of direct
    access
    to labels (LP: #1615889)
    - SAUCE: apparmor: reduction of vec to single entry is just that entry

  * profiles from different namespaces can block other namespaces from being
    able to load a profile (LP: #1615887)
    - SAUCE: apparmor: profiles in one ns can affect mediation in another ns

  * The label build for onexec when stacking is wrong (LP: #1615881)
    - SAUCE: apparmor: Fix label build for onexec stacking.

  * The inherit check for new to old label comparison for domain transitions
    is
    wrong (LP: #1615880)
    - SAUCE: apparmor: Fix new to old label comparison for domain transitions

  * warning stack trace while playing with apparmor namespaces (LP: #1593874)
    - SAUCE: apparmor: fix stack trace when removing namespace with profiles

  * __label_update proxy comparison test is wrong (LP: #1615878)
    - SAUCE: apparmor: Fix __label_update proxy comparison test

  * reading /sys/kernel/security/apparmor/profiles requires CAP_MAC_ADMIN
    (LP: #1560583)
    - SAUCE: apparmor: Allow ns_root processes to open profiles file
    - SAUCE: apparmor: Consult sysctl when reading profiles in a user ns

  * policy namespace stacking (LP: #1379535)
    - SAUCE: (no-up) apparmor: rebase of apparmor3.5-beta1 snapshot for 4.8
    - SAUCE: add a sysctl to enable unprivileged user ns AppArmor policy loading

  * Miscellaneous Ubuntu changes
    - [Debian] Dynamically determine linux udebs package name
    - [Debian] d-i -- fix dtb handling in new kernel-wedge form
    - SAUCE: apparmor: Fix FTBFS due to bad include path
    - SAUCE: apparmor: add data query support
    - [Config] Set CONFIG_SECURITY_APPARMOR_UNCONFINED_INIT=y

  * Miscellaneous upstream changes
    - fixup backout policy view capable for forward port
    - apparmor: fix: Rework the iter loop for label_update
    - apparmor: add more assertions for updates/merges to help catch errors
    - apparmor: Make pivot root transitions work with stacking
    - apparmor: convert delegating deleted files to mediate deleted files
    - apparmor: add missing parens. not a bug fix but highly recommended
    - apparmor: add a stack_version file to allow detection of bug fixes
    - apparmor: push path looku...

Read more...

Changed in linux (Ubuntu Yakkety):
status: Incomplete → Fix Released
Christian Boltz (cboltz)
tags: added: aa-kernel
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.