update AppArmor rules of interfaces for flock for new 4.4 SRU kernel
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
snapd |
Fix Released
|
High
|
Unassigned |
Bug Description
The 4.4 kernel now has landed the fix for bug #1658219. However, it causes flock calls of interfaces blocked. Because they don't declare 'k' flag in their rules. For example, the network-manager interface declare this:
/run/
Previously, network-manager can lock /run/resolvconf
The testing environment is an armhf device with Ubuntu Core 16 and network-manager 1.2.2-22. The new kernel is a derivative kernel based on 4.4.0-160.188.
In core snap, /sbin/resolvconf will use /run/resolvconf
A workaround is to update the rule in /var/lib/
I suppose we need to update these kind of interfaces/rules, otherwise, once the series of kernel released, there will be more this kind of issues happen.
Also, I would like to know when we update the rules in snapd, will it update/re-generate all existing rules? My concern is that we need to find ways to update the existing profiles of running devices.
here are snippets of strace output. They were captured on a armhf device with 4.4.0-168.188 based kernel.
nm-strace.
nm-strace.
nm-strace.
nm-strace.
nm-strace.
nm-strace.
nm-strace.
nm-strace.
nm-strace.
nm-strace.
nm-strace.
nm-strace.
nm-strace.
nm-strace.
nm-strace.
nm-strace.
nm-strace.
nm-strace.
nm-strace.
nm-strace.
nm-strace.
nm-strace.
nm-strace.
nm-strace.
description: | updated |
summary: |
- Need updating AppArmor rules of interfaces for flock + update AppArmor rules of interfaces for flock for new 4.4 SRU kernel |
Changed in snapd: | |
status: | In Progress → Fix Committed |
milestone: | none → 2.41 |
Changed in snapd: | |
status: | Fix Committed → Fix Released |
Hello.
I would like to note, that when Linux kernel has been updated to 4.4.0-160.188 version[1] (with, among others, patches for LP:#1658219 and LP:#1838090), I've had to update a few profiles (such as Audacious, Parole, Xorg, Logrotate etc.), because of a lot of "DENIED" entries in system log files. If it's about access controls (vide 'requested{ denied} _mask') : most new rules required 'm' (memory map as executable), but some of them needed 'k' (file locking) etc.)
However, it seems everything is okay now and I hope, that there will be no such issues anymore. Anyway, Mr Tyler Hicks was right: "users with custom policy have some reasonable expectation that upgrading to the new Ubuntu release or kernel version will require them to update their custom policy".
By the way; what is an impact of these changes? (I mean LP:#1658219 and LP:#1838090 patches). Does it means, that now, use of 'm' and 'k' access is correctly secured/ restricted/ checked by AppArmor and kernel?
Thanks, best regards. _______ _______ /launchpad. net/ubuntu/ +source/ linux/4. 4.0-160. 188
_______
[1] https:/