apparmor restricts read access of user namespace mediation sysctls to root
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Mantic | Fix Committed | Undecided | John Johansen | |
Bug Description
lxc and lxd currently need to determine if the apparmor restriction
on unprivileged user namespaces is being enforced, so that apparmor
restrictions won't break lxc/d, and they won't clutter the logs
by doing something like
unshare true
to test if the restrictions are being enforced.
Ideally access to this information would be restricted so that any
unknown access would be logged, but lxc/d currently aren't ready for
this so in order to _not_ force lxc/d to probe whether enforcement is
enabled, open up read access to the sysctls for unprivileged user
namespace mediation.
https:/
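As an added example (not code from the bug report, from lxc/lxd, or from the kernel), the following Python check does what the description asks for: it reads the mediation sysctl instead of probing with `unshare true`, and on a kernel that has not yet received this fix (where the file is root-only, mode 0600) it reports "unknown" rather than falling back to a probe that would leave an audit entry. The sysctl name `kernel.apparmor_restrict_unprivileged_userns` is an assumption taken from Ubuntu's 6.5 kernels; the page itself truncates the paths, so verify the name against your kernel.

```python
"""Check whether AppArmor's unprivileged user-namespace restriction is enforced
by reading its sysctl, instead of probing with `unshare true`, which on a
restricting kernel produces an AppArmor audit entry for every probe.

Added example, not code from the bug report, lxc/lxd or the kernel.
Assumption: the sysctl is kernel.apparmor_restrict_unprivileged_userns
(Ubuntu 6.5 kernels); the bug page itself truncates the paths.
"""
import os
from dataclasses import dataclass
from typing import Optional

SYSCTL_DIR = "/proc/sys/kernel"
USERNS_SYSCTL = "apparmor_restrict_unprivileged_userns"  # assumed name


@dataclass(frozen=True)
class SysctlStatus:
    present: bool            # the sysctl file exists on this kernel
    readable: bool           # the current user was able to read it
    enabled: Optional[bool]  # parsed value; None when it could not be determined


def parse_value(raw: str) -> Optional[bool]:
    """Interpret a sysctl's text as a boolean; None for anything unexpected."""
    text = raw.strip()
    if not text.isdigit():
        return None
    return int(text) != 0


def read_sysctl(name: str = USERNS_SYSCTL, sysctl_dir: str = SYSCTL_DIR) -> SysctlStatus:
    """Read one sysctl with whatever access the file mode grants.

    On a kernel without this fix the file is mode 0600, so a non-root reader
    gets EACCES; that is reported as 'present but unreadable' rather than
    being mistaken for 'not enforced'.
    """
    path = os.path.join(sysctl_dir, name)
    if not os.path.exists(path):
        return SysctlStatus(present=False, readable=False, enabled=None)
    try:
        with open(path, "r", encoding="ascii") as fh:
            raw = fh.read()
    except PermissionError:
        return SysctlStatus(present=True, readable=False, enabled=None)
    return SysctlStatus(present=True, readable=True, enabled=parse_value(raw))


def describe(status: SysctlStatus) -> str:
    """One-line summary suitable for a container manager's startup log."""
    if not status.present:
        return "userns mediation sysctl absent: kernel has no such restriction"
    if not status.readable:
        return "userns mediation sysctl unreadable (root-only on this kernel): enforcement unknown"
    if status.enabled is None:
        return "userns mediation sysctl has an unexpected value: enforcement unknown"
    return "userns mediation restriction " + ("ENFORCED" if status.enabled else "not enforced")


if __name__ == "__main__":
    # Run as an unprivileged user on a fixed kernel this prints the enforced/not
    # enforced state; on an unfixed kernel it prints the 'unknown' line.
    print(describe(read_sysctl()))
```

The three-way result (absent, unreadable, value) is the point: a container manager that collapses "unreadable" into "not enforced" would start confined workloads under the wrong assumption, while one that probes with `unshare` instead would generate exactly the log noise the description wants to avoid.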
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Missing required logs. | #1 |
Changed in linux (Ubuntu): | |
status: | New → Incomplete |
Changed in linux (Ubuntu Mantic): | |
status: | New → Incomplete |
Alex Murray (alexmurray) wrote : | #2 |
Could the LXD team instead just read /sys/kernel/
Changed in linux (Ubuntu): | |
status: | Incomplete → Invalid |
Changed in linux (Ubuntu Mantic): | |
status: | Incomplete → Fix Committed |
assignee: | nobody → John Johansen (jjohansen) |
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : | #3 |
This bug is awaiting verification that the linux/6.5.0-12.12 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/
tags: | added: kernel-spammed-mantic-linux-v2 verification-needed-mantic-linux |
John Johansen (jjohansen) wrote : | #4 |
Tested: the sysctl values can now be read by a non-root user.
tags: |
added: verification-done-mantic-linux removed: verification-needed-mantic-linux |
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : | #5 |
This bug is awaiting verification that the linux-lowlatenc
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/
tags: | added: kernel-spammed-mantic-linux-lowlatency-v2 verification-needed-mantic-linux-lowlatency |
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : | #6 |
This bug is awaiting verification that the linux-laptop/
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/
tags: | added: kernel-spammed-mantic-linux-laptop-v2 verification-needed-mantic-linux-laptop |
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : | #7 |
This bug is awaiting verification that the linux-azure/
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/
tags: | added: kernel-spammed-mantic-linux-azure-v2 verification-needed-mantic-linux-azure |
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : | #8 |
This bug is awaiting verification that the linux-gcp/
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/
tags: | added: kernel-spammed-mantic-linux-gcp-v2 verification-needed-mantic-linux-gcp |
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : | #9 |
This bug is awaiting verification that the linux-hwe-
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/
tags: | added: kernel-spammed-jammy-linux-hwe-6.5-v2 verification-needed-jammy-linux-hwe-6.5 |
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : | #10 |
This bug is awaiting verification that the linux-nvidia-
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/
tags: | added: kernel-spammed-jammy-linux-nvidia-6.5-v2 verification-needed-jammy-linux-nvidia-6.5 |
Launchpad Janitor (janitor) wrote : | #11 |
This bug was fixed in the package linux - 6.6.0-14.14
---------------
linux (6.6.0-14.14) noble; urgency=medium
* noble/linux: 6.6.0-14.14 -proposed tracker (LP: #2045243)
* Noble update: v6.6.3 upstream stable release (LP: #2045244)
- locking/
- btrfs: abort transaction on generation mismatch when marking eb as dirty
- lib/generic-
- x86/retpoline: Make sure there are no unconverted return thunks due to KCSAN
- perf/core: Bail out early if the request AUX area is out of bound
- srcu: Fix srcu_struct node grpmask overflow on 64-bit systems
- selftests/lkdtm: Disable CONFIG_UBSAN_TRAP in test config
- clocksource/
- clocksource/
- srcu: Only accelerate on enqueue time
- smp,csd: Throw an error if a CSD lock is stuck for too long
- cpu/hotplug: Don't offline the last non-isolated CPU
- workqueue: Provide one lock class key per work_on_cpu() callsite
- x86/mm: Drop the 4 MB restriction on minimal NUMA node memory size
- wifi: plfxlc: fix clang-specific fortify warning
- wifi: ath12k: Ignore fragments from uninitialized peer in dp
- wifi: mac80211_hwsim: fix clang-specific fortify warning
- wifi: mac80211: don't return unset power in ieee80211_
- atl1c: Work around the DMA RX overflow issue
- bpf: Detect IP == ksym.end as part of BPF program
- wifi: ath9k: fix clang-specific fortify warnings
- wifi: ath12k: fix possible out-of-bound read in ath12k_
- wifi: ath10k: fix clang-specific fortify warning
- wifi: ath12k: fix possible out-of-bound write in
ath12k_
- ACPI: APEI: Fix AER info corruption when error status data has multiple
sections
- net: sfp: add quirk for Fiberstone GPON-ONU-34-20BI
- wifi: mt76: mt7921e: Support MT7992 IP in Xiaomi Redmibook 15 Pro (2023)
- wifi: mt76: fix clang-specific fortify warnings
- net: annotate data-races around sk->sk_
- net: annotate data-races around sk->sk_
- wifi: ath12k: mhi: fix potential memory leak in ath12k_
- wifi: ath10k: Don't touch the CE interrupt registers after power up
- net: sfp: add quirk for FS's 2.5G copper SFP
- vsock: read from socket's error queue
- bpf: Ensure proper register state printing for cond jumps
- wifi: iwlwifi: mvm: fix size check for fw_link_id
- Bluetooth: btusb: Add date->evt_skb is NULL check
- Bluetooth: Fix double free in hci_conn_cleanup
- ACPI: EC: Add quirk for HP 250 G7 Notebook PC
- tsnep: Fix tsnep_request_irq() format-overflow warning
- gpiolib: acpi: Add a ignore interrupt quirk for Peaq C1010
- platform/chrome: kunit: initialize lock for fake ec_dev
- of: address: Fix address translation when address-size is greater than 2
- platform/x86: thinkpad_acpi: Add battery quirk for Thinkpad X120e
- drm/gma500: Fix call trace when psb_gem_mm_init() fails
- drm/amdkfd: rateli...
Changed in linux (Ubuntu): | |
status: | Invalid → Fix Released |
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : | #12 |
This bug is awaiting verification that the linux-lowlatenc
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/
tags: | added: kernel-spammed-jammy-linux-lowlatency-hwe-6.5-v2 verification-needed-jammy-linux-lowlatency-hwe-6.5 |
Georgia Garcia (georgiag) wrote : | #13 |
Verification passed for linux azure. I ran the AppArmor QA Regression Tests [1] and checked file permissions for /proc/sys/
georgia@
Linux sec-mantic-amd64 6.5.0-1010-azure #10-Ubuntu SMP Mon Nov 20 20:14:42 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
georgia@
-rw------- 1 root root 0 Jan 12 13:55 /proc/sys/
-rw-r--r-- 1 root root 0 Jan 12 13:54 /proc/sys/
-rw-r--r-- 1 root root 0 Jan 12 13:54 /proc/sys/
-rw------- 1 root root 0 Jan 12 13:55 /proc/sys/
-rw------- 1 root root 0 Jan 12 13:55 /proc/sys/
-rw-r--r-- 1 root root 0 Jan 12 13:55 /proc/sys/
-rw------- 1 root root 0 Jan 12 13:55 /proc/sys/
-rw-r--r-- 1 root root 0 Jan 12 13:54 /proc/sys/
georgia@
.....
-------
Ran 62 tests in 1300.394s
OK (skipped=3)
tags: |
added: verification-done-mantic-linux-azure removed: verification-needed-mantic-linux-azure |
Georgia Garcia (georgiag) wrote : | #14 |
Verification passed for linux gcp. I ran the AppArmor QA Regression Tests [1] and checked file permissions for /proc/sys/
georgia@
Linux sec-mantic-amd64 6.5.0-1010-azure #10-Ubuntu SMP Mon Nov 20 20:14:42 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
georgia@
-rw------- 1 root root 0 Jan 12 13:59 /proc/sys/
-rw-r--r-- 1 root root 0 Jan 12 13:59 /proc/sys/
-rw-r--r-- 1 root root 0 Jan 12 13:58 /proc/sys/
-rw------- 1 root root 0 Jan 12 13:59 /proc/sys/
-rw------- 1 root root 0 Jan 12 13:59 /proc/sys/
-rw-r--r-- 1 root root 0 Jan 12 13:59 /proc/sys/
-rw------- 1 root root 0 Jan 12 13:59 /proc/sys/
-rw-r--r-- 1 root root 0 Jan 12 13:58 /proc/sys/
georgia@
.....
-------
Ran 62 tests in 1325.124s
OK (skipped=3)
tags: |
added: verification-done-mantic-linux-gcp removed: verification-needed-mantic-linux-gcp |
Georgia Garcia (georgiag) wrote : | #15 |
Verification passed for jammy-linux-
georgia@
Linux sec-jammy-amd64 6.5.0-14-lowlatency #14.1~22.
georgia@
-rw------- 1 root root 0 Jan 12 13:47 /proc/sys/
-rw-r--r-- 1 root root 0 Jan 12 13:47 /proc/sys/
-rw-r--r-- 1 root root 0 Jan 12 13:35 /proc/sys/
-rw------- 1 root root 0 Jan 12 13:47 /proc/sys/
-rw------- 1 root root 0 Jan 12 13:47 /proc/sys/
-rw-r--r-- 1 root root 0 Jan 12 13:47 /proc/sys/
-rw------- 1 root root 0 Jan 12 13:47 /proc/sys/
-rw-r--r-- 1 root root 0 Jan 12 13:33 /proc/sys/
georgia@
.....
-------
Ran 62 tests in 1366.317s
OK (skipped=2)
tags: |
added: verification-done-jammy-linux-lowlatency-hwe-6.5 removed: verification-needed-jammy-linux-lowlatency-hwe-6.5 |
Georgia Garcia (georgiag) wrote : | #16 |
Verification passed for jammy-linux-
georgia@
Linux sec-jammy-amd64 6.5.0-14-generic #14~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Nov 20 18:15:30 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
georgia@
-rw------- 1 root root 0 Jan 12 14:07 /proc/sys/
-rw-r--r-- 1 root root 0 Jan 12 14:07 /proc/sys/
-rw-r--r-- 1 root root 0 Jan 12 14:07 /proc/sys/
-rw------- 1 root root 0 Jan 12 14:07 /proc/sys/
-rw------- 1 root root 0 Jan 12 14:07 /proc/sys/
-rw-r--r-- 1 root root 0 Jan 12 14:07 /proc/sys/
-rw------- 1 root root 0 Jan 12 14:07 /proc/sys/
-rw-r--r-- 1 root root 0 Jan 12 14:06 /proc/sys/
georgia@
.....
-------
Ran 62 tests in 1360.734s
OK (skipped=2)
tags: |
added: verification-done-jammy-linux-hwe-6.5 removed: verification-needed-jammy-linux-hwe-6.5 |
Georgia Garcia (georgiag) wrote : | #17 |
Verification passed for jammy-linux-
georgia@
Linux sec-jammy-amd64 6.5.0-1007-nvidia #7-Ubuntu SMP PREEMPT_DYNAMIC Wed Dec 6 01:27:37 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
georgia@
-rw------- 1 root root 0 Jan 12 14:11 /proc/sys/
-rw-r--r-- 1 root root 0 Jan 12 14:11 /proc/sys/
-rw-r--r-- 1 root root 0 Jan 12 14:11 /proc/sys/
-rw------- 1 root root 0 Jan 12 14:11 /proc/sys/
-rw------- 1 root root 0 Jan 12 14:11 /proc/sys/
-rw-r--r-- 1 root root 0 Jan 12 14:11 /proc/sys/
-rw------- 1 root root 0 Jan 12 14:11 /proc/sys/
-rw-r--r-- 1 root root 0 Jan 12 14:09 /proc/sys/
georgia@
.....
-------
Ran 62 tests in 1435.853s
OK (skipped=2)
tags: |
added: verification-done-jammy-linux-nvidia-6.5 removed: verification-needed-jammy-linux-nvidia-6.5 |
Georgia Garcia (georgiag) wrote : | #18 |
Verification passed for mantic-
georgia@
Linux sec-mantic-amd64 6.5.0-14-lowlatency #14.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Nov 20 13:01:26 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
georgia@
-rw------- 1 root root 0 Jan 12 14:22 /proc/sys/
-rw-r--r-- 1 root root 0 Jan 12 14:19 /proc/sys/
-rw-r--r-- 1 root root 0 Jan 12 14:19 /proc/sys/
-rw------- 1 root root 0 Jan 12 14:22 /proc/sys/
-rw------- 1 root root 0 Jan 12 14:22 /proc/sys/
-rw-r--r-- 1 root root 0 Jan 12 14:22 /proc/sys/
-rw------- 1 root root 0 Jan 12 14:22 /proc/sys/
-rw-r--r-- 1 root root 0 Jan 12 14:19 /proc/sys/
georgia@
.....
-------
Ran 62 tests in 1745.243s
OK (skipped=3)
tags: |
added: verification-done-mantic-linux-lowlatency removed: verification-needed-mantic-linux-lowlatency |
Georgia Garcia (georgiag) wrote : | #19 |
Verification passed for mantic-
georgia@
Linux sec-mantic-arm64 6.5.0-1007-laptop #10-Ubuntu SMP PREEMPT_DYNAMIC Wed Nov
22 20:27:28 UTC 2023 aarch64 aarch64 aarch64 GNU/Linux
georgia@
-rw------- 1 root root 0 Jan 12 18:38 /proc/sys/
-rw-r--r-- 1 root root 0 Jan 12 18:38 /proc/sys/
-rw-r--r-- 1 root root 0 Jan 12 18:36 /proc/sys/
-rw------- 1 root root 0 Jan 12 18:38 /proc/sys/
-rw------- 1 root root 0 Jan 12 18:38 /proc/sys/
-rw-r--r-- 1 root root 0 Jan 12 18:38 /proc/sys/
-rw------- 1 root root 0 Jan 12 18:38 /proc/sys/
-rw-r--r-- 1 root root 0 Jan 12 18:38 /proc/sys/
georgia@
ERROR: test_dbus (__main_
Test dbus apparmor activation from dbus-tests
-------
Traceback (most recent call last):
File "/home/
rc, report = testlib.
File "/home/
out, outerr = sp.communicate(
File "/usr/lib/
stdout, stderr = self._communica
File "/usr/lib/
self.
File "/usr/lib/
raise TimeoutExpired(
subprocess.
-------
running attach_disconnected
Fatal Error (unix_fd_server): Unable to run test sub-executable
PASSED: aa_exec access at_secure introspect capabilities changeprofile onexec changehat changehat_fork changehat_misc chdir clone coredump deleted e2e environ exec exec_qual fchdir fd_inheritance fork i18n link link_subset mkdir mmap mount mult_mount named_pipe namespaces net_raw open openat pipe pivot_root posix_ipc ptrace pwrite query_label regex rename readdir rw socketpair swap sd_flags setattr symlink syscall sysv_ipc tcp unix_fd_server unix_so...
tags: |
added: verification-done-mantic-linux-laptop removed: verification-needed-mantic-linux-laptop |
This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:
apport-collect 2040194
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.