tor in lxd: apparmor="DENIED" operation="change_onexec" namespace="root//CONTAINERNAME_<var-lib-lxd>" profile="unconfined" name="system_tor"

Bug #1648143 reported by Gaétan QUENTIN on 2016-12-07
24
This bug affects 4 people
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Undecided
Unassigned
Xenial
Undecided
Unassigned
Yakkety
Undecided
Unassigned
linux (Ubuntu)
Undecided
Unassigned
Xenial
Undecided
Unassigned
Yakkety
Undecided
Unassigned
tor (Ubuntu)
Undecided
Unassigned
Xenial
Undecided
Unassigned
Yakkety
Undecided
Unassigned

Bug Description

Environment:
----------------

    Distribution: ubuntu
    Distribution version: 16.10
    lxc info:
    apiextensions:

    storage_zfs_remove_snapshots
    container_host_shutdown_timeout
    container_syscall_filtering
    auth_pki
    container_last_used_at
    etag
    patch
    usb_devices
    https_allowed_credentials
    image_compression_algorithm
    directory_manipulation
    container_cpu_time
    storage_zfs_use_refquota
    storage_lvm_mount_options
    network
    profile_usedby
    container_push
    apistatus: stable
    apiversion: "1.0"
    auth: trusted
    environment:
    addresses:
        163.172.48.149:8443
        172.20.10.1:8443
        172.20.11.1:8443
        172.20.12.1:8443
        172.20.22.1:8443
        172.20.21.1:8443
        10.8.0.1:8443
        architectures:
        x86_64
        i686
        certificate: |
        -----BEGIN CERTIFICATE-----
        -----END CERTIFICATE-----
        certificatefingerprint: 3048baa9f20d316f60a6c602452b58409a6d9e2c3218897e8de7c7c72af0179b
        driver: lxc
        driverversion: 2.0.5
        kernel: Linux
        kernelarchitecture: x86_64
        kernelversion: 4.8.0-27-generic
        server: lxd
        serverpid: 32694
        serverversion: 2.4.1
        storage: btrfs
        storageversion: 4.7.3
        config:
        core.https_address: '[::]:8443'
        core.trust_password: true

Container: ubuntu 16.10

Issue description
------------------

tor can't start in a non privileged container

Logs from the container:
-------------------------

Dec 7 15:03:00 anonymous tor[302]: Configuration was valid
Dec 7 15:03:00 anonymous systemd[303]: <email address hidden>: Failed at step APPARMOR spawning /usr/bin/tor: No such file or directory
Dec 7 15:03:00 anonymous systemd[1]: <email address hidden>: Main process exited, code=exited, status=231/APPARMOR
Dec 7 15:03:00 anonymous systemd[1]: Failed to start Anonymizing overlay network for TCP.
Dec 7 15:03:00 anonymous systemd[1]: <email address hidden>: Unit entered failed state.
Dec 7 15:03:00 anonymous systemd[1]: <email address hidden>: Failed with result 'exit-code'.
Dec 7 15:03:00 anonymous systemd[1]: <email address hidden>: Service hold-off time over, scheduling restart.
Dec 7 15:03:00 anonymous systemd[1]: Stopped Anonymizing overlay network for TCP.
Dec 7 15:03:00 anonymous systemd[1]: <email address hidden>: Failed to reset devices.list: Operation not permitted
Dec 7 15:03:00 anonymous systemd[1]: Failed to set devices.allow on /<email address hidden>: Operation not permitted
Dec 7 15:03:00 anonymous systemd[1]: message repeated 6 times: [ Failed to set devices.allow on /<email address hidden>: Operation not permitted]
Dec 7 15:03:00 anonymous systemd[1]: Couldn't stat device /run/systemd/inaccessible/chr
Dec 7 15:03:00 anonymous systemd[1]: Couldn't stat device /run/systemd/inaccessible/blk
Dec 7 15:03:00 anonymous systemd[1]: Failed to set devices.allow on /<email address hidden>: Operation not permitted

Logs from the host
--------------------

audit: type=1400 audit(1481119378.856:6950): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 namespace="root//lxd-anonymous_" profile="unconfined" name="system_tor"
pid=12164 comm="(tor)"

Steps to reproduce
---------------------

    install ubuntu container 16.10 on a ubuntu 16.10 host
    install tor in the container
    Launch tor

CVE References

John Johansen (jjohansen) wrote :

using
  lxc launch images:ubuntu/yakkety torcontainer
to create the container

the installing tor into the container and starting it I can replicate the error. However this is due to the container not having apparmor installed. The container is not booting with apparmor or loading the tor profile.

Once apparmor is installed the container reports a different error.

[103975.623545] audit: type=1400 audit(1481284511.494:2807): apparmor="DENIED" operation="change_onexec" info="no new privs" error=-1 namespace="root//lxd-tor_<var-lib-lxd>" profile="unconfined" name="system_tor" pid=18593 comm="(tor)" target="system_tor"

Which upon investigation is an error in the change_profile check around seccomp no_new_privs when policy is stacked.

John Johansen (jjohansen) wrote :

To clarify the container is missing the minimum requirements of the apparmor_parser and the apparmor init service.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Changed in tor (Ubuntu):
status: New → Confirmed
Stefan Heijnen (stfn) wrote :

I have exactly the same issue on 16.04:

[172512.094995] audit: type=1400 audit(1482614869.625:1439): apparmor="DENIED" operation="change_onexec" info="no new privs" error=-1 namespace="root//lxd-torelay_<var-lib-lxd>" profile="unconfined" name="system_tor" pid=128522 comm="(tor)" target="system_tor"

John Johansen (jjohansen) wrote :

This occurs in a stacked policy situation, where there is a system policy is being applied but within the container namespace, the policy is unconfined.

The special casing for unconfined with no-new-privs is not properly detecting this case. I will have a test kernel with a fix for this issue early next week.

Stefan Heijnen (stfn) wrote :

Let me know if I you need somebody else to test your kernel.

John Johansen (jjohansen) wrote :

sorry this took longer than expected. I have placed amd64 test kernels at
  http://people.canonical.com/~jj/lp1648143/

please let me know if this works for you

Stefan Heijnen (stfn) wrote :
Download full text (13.8 KiB)

No problem, it is the holiday season.

I get the following errors on 16.04:

[ 0.511712] audit: initializing netlink subsys (disabled)
[ 0.511802] audit: type=2000 audit(1483302109.500:1): initialized
[ 7.355509] audit: type=1400 audit(1483302117.275:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default" pid=1248 comm="apparmor_parser"
[ 7.355514] audit: type=1400 audit(1483302117.275:3): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default-cgns" pid=1248 comm="apparmor_parser"
[ 7.355517] audit: type=1400 audit(1483302117.275:4): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default-with-mounting" pid=1248 comm="apparmor_parser"
[ 7.355519] audit: type=1400 audit(1483302117.275:5): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default-with-nesting" pid=1248 comm="apparmor_parser"
[ 7.356597] audit: type=1400 audit(1483302117.275:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="system_tor" pid=1250 comm="apparmor_parser"
[ 7.357507] audit: type=1400 audit(1483302117.279:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/sbin/dhclient" pid=1249 comm="apparmor_parser"
[ 7.357511] audit: type=1400 audit(1483302117.279:8): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=1249 comm="apparmor_parser"
[ 7.357514] audit: type=1400 audit(1483302117.279:9): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-helper" pid=1249 comm="apparmor_parser"
[ 7.357517] audit: type=1400 audit(1483302117.279:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=1249 comm="apparmor_parser"
[ 7.357701] audit: type=1400 audit(1483302117.279:11): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/lxc-start" pid=1254 comm="apparmor_parser"
[ 13.742946] audit_printk_skb: 57 callbacks suppressed
[ 13.742948] audit: type=1400 audit(1483302123.663:31): apparmor="DENIED" operation="unlink" profile="/usr/sbin/ntpd" name="/var/lib/openntpd/run/ntpd.sock" pid=2764 comm="ntpd" requested_mask="d" denied_mask="d" fsuid=0 ouid=0
[ 14.590740] audit: type=1400 audit(1483302124.511:32): apparmor="DENIED" operation="unlink" profile="/usr/sbin/ntpd" name="/var/lib/openntpd/run/ntpd.sock" pid=2818 comm="ntpd" requested_mask="d" denied_mask="d" fsuid=0 ouid=0
[ 17.359442] audit: type=1400 audit(1483302127.279:33): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxd-mysql_</var/lib/lxd>" pid=3054 comm="apparmor_parser"
[ 19.061796] audit: type=1400 audit(1483302128.983:34): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxd-torelay_</var/lib/lxd>" pid=3535 comm="apparmor_parser"
[ 20.960218] audit: type=1400 audit(1483302130.879:35): apparmor="DENIED" operation="unlink" profile="/usr/sbin/ntpd" name="/var/lib/openntpd/run/ntpd.sock" pid=3848 comm="ntpd" requested_mask="d" denied_mas...

Stefan Heijnen (stfn) wrote :

My /etc/apparmor.d/system_tor:

# Last Modified: Sun Jan 1 21:47:33 2017
#include <tunables/global>

# vim:syntax=apparmor

profile system_tor flags=(attach_disconnected) {
  #include <abstractions/tor>

  /run/systemd/journal/stdout rw,
  /usr/bin/tor mr,
  owner /var/lib/tor/ r,
  owner /var/lib/tor/** wk,
  /var/lib/tor/** r,
  owner /var/log/tor/* w,
  /{,var/}run/systemd/notify w,
  /{,var/}run/tor/ r,
  /{,var/}run/tor/control w,
  /{,var/}run/tor/control.authcookie w,
  /{,var/}run/tor/control.authcookie.tmp rw,
  /{,var/}run/tor/socks w,
  /{,var/}run/tor/tor.pid w,

}

John Johansen (jjohansen) wrote :

Okay, that looks like the kernel is working for you and you are now past the original

[103975.623545] audit: type=1400 audit(1481284511.494:2807): apparmor="DENIED" operation="change_onexec" info="no new privs" error=-1 namespace="root//lxd-tor_<var-lib-lxd>" profile="unconfined" name="system_tor" pid=18593 comm="(tor)" target="system_tor"

The new unlink denials will need the rule
  /var/lib/openntpd/run/ntpd.sock w,

added to the ntpd profile in /etc/apparmor.d/usr.sbin.ntpd

no longer affects: tor (Ubuntu)

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1648143

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Changed in linux (Ubuntu Yakkety):
status: New → Fix Committed
Changed in linux (Ubuntu Xenial):
status: New → Fix Committed
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-xenial
tags: added: verification-needed-yakkety
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-yakkety' to 'verification-done-yakkety'. If the problem still exists, change the tag 'verification-needed-yakkety' to 'verification-failed-yakkety'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

Launchpad Janitor (janitor) wrote :
Download full text (6.0 KiB)

This bug was fixed in the package linux - 4.8.0-40.43

---------------
linux (4.8.0-40.43) yakkety; urgency=low

  * linux: 4.8.0-40.43 -proposed tracker (LP: #1667066)

  [ Andy Whitcroft ]
  * NFS client : permission denied when trying to access subshare, since kernel
    4.4.0-31 (LP: #1649292)
    - fs: Better permission checking for submounts

  * shaking screen (LP: #1651981)
    - drm/radeon: drop verde dpm quirks

  * [0bda:0328] Card reader failed after S3 (LP: #1664809)
    - usb: hub: Wait for connection to be reestablished after port reset

  * linux-lts-xenial 4.4.0-63.84~14.04.2 ADT test failure with linux-lts-xenial
    4.4.0-63.84~14.04.2 (LP: #1664912)
    - SAUCE: apparmor: fix link auditing failure due to, uninitialized var

  * In Ubuntu 17.04 : after reboot getting message in console like Unable to
    open file: /etc/keys/x509_ima.der (-2) (LP: #1656908)
    - SAUCE: ima: Downgrade error to warning

  * 16.04.2: Extra patches for POWER9 (LP: #1664564)
    - powerpc/mm: Fix no execute fault handling on pre-POWER5
    - powerpc/mm: Fix spurrious segfaults on radix with autonuma

  * ibmvscsis: Add SGL LIMIT (LP: #1662551)
    - ibmvscsis: Add SGL limit

  * [Hyper-V] Bug fixes for storvsc (tagged queuing, error conditions)
    (LP: #1663687)
    - scsi: storvsc: Enable tracking of queue depth
    - scsi: storvsc: Remove the restriction on max segment size
    - scsi: storvsc: Enable multi-queue support
    - scsi: storvsc: use tagged SRB requests if supported by the device
    - scsi: storvsc: properly handle SRB_ERROR when sense message is present
    - scsi: storvsc: properly set residual data length on errors

  * Ubuntu16.10-KVM:Big configuration with multiple guests running SRIOV VFs
    caused KVM host hung and all KVM guests down. (LP: #1651248)
    - KVM: PPC: Book 3S: XICS cleanup: remove XICS_RM_REJECT
    - KVM: PPC: Book 3S: XICS: correct the real mode ICP rejecting counter
    - KVM: PPC: Book 3S: XICS: Fix potential issue with duplicate IRQ resends
    - KVM: PPC: Book 3S: XICS: Implement ICS P/Q states
    - KVM: PPC: Book 3S: XICS: Don't lock twice when checking for resend

  * ISST-LTE:pNV: ppc64_cpu command is hung w HDs, SSDs and NVMe (LP: #1662666)
    - blk-mq: Avoid memory reclaim when remapping queues
    - blk-mq: Fix failed allocation path when mapping queues
    - blk-mq: Always schedule hctx->next_cpu

  * systemd-udevd hung in blk_mq_freeze_queue_wait testing unpartitioned NVMe
    drive (LP: #1662673)
    - percpu-refcount: fix reference leak during percpu-atomic transition

  * [Yakkety SRU] Enable KEXEC support in ARM64 kernel (LP: #1662554)
    - [Config] Enable KEXEC support in ARM64.

  * [Hyper-V] Fix ring buffer handling to avoid host throttling (LP: #1661430)
    - Drivers: hv: vmbus: On write cleanup the logic to interrupt the host
    - Drivers: hv: vmbus: On the read path cleanup the logic to interrupt the host
    - Drivers: hv: vmbus: finally fix hv_need_to_signal_on_read()

  * brd module compiled as built-in (LP: #1593293)
    - CONFIG_BLK_DEV_RAM=m

  * regession tests failing after stackprofile test is run (LP: #1661030)
    - SAUCE: fix regression with domain change in compla...

Read more...

Changed in linux (Ubuntu Yakkety):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :
Download full text (14.5 KiB)

This bug was fixed in the package linux - 4.4.0-65.86

---------------
linux (4.4.0-65.86) xenial; urgency=low

  * linux: 4.4.0-65.86 -proposed tracker (LP: #1667052)

  [ Stefan Bader ]
  * Upgrade Redpine RS9113 driver to support AP mode (LP: #1665211)
    - SAUCE: Redpine driver to support Host AP mode

  * NFS client : permission denied when trying to access subshare, since kernel
    4.4.0-31 (LP: #1649292)
    - fs: Better permission checking for submounts

  * [Hyper-V] SAUCE: pci-hyperv fixes for SR-IOV on Azure (LP: #1665097)
    - SAUCE: PCI: hv: Fix wslot_to_devfn() to fix warnings on device removal
    - SAUCE: pci-hyperv: properly handle pci bus remove
    - SAUCE: pci-hyperv: lock pci bus on device eject

  * [Hyper-V/Azure] Please include Mellanox OFED drivers in Azure kernel and
    image (LP: #1650058)
    - net/mlx4_en: Fix bad WQE issue
    - net/mlx4_core: Fix racy CQ (Completion Queue) free
    - net/mlx4_core: Fix when to save some qp context flags for dynamic VST to VGT
      transitions
    - net/mlx4_core: Avoid command timeouts during VF driver device shutdown

  * Xenial update to v4.4.49 stable release (LP: #1664960)
    - ARC: [arcompact] brown paper bag bug in unaligned access delay slot fixup
    - selinux: fix off-by-one in setprocattr
    - Revert "x86/ioapic: Restore IO-APIC irq_chip retrigger callback"
    - cpumask: use nr_cpumask_bits for parsing functions
    - hns: avoid stack overflow with CONFIG_KASAN
    - ARM: 8643/3: arm/ptrace: Preserve previous registers for short regset write
    - target: Don't BUG_ON during NodeACL dynamic -> explicit conversion
    - target: Use correct SCSI status during EXTENDED_COPY exception
    - target: Fix early transport_generic_handle_tmr abort scenario
    - target: Fix COMPARE_AND_WRITE ref leak for non GOOD status
    - ARM: 8642/1: LPAE: catch pending imprecise abort on unmask
    - mac80211: Fix adding of mesh vendor IEs
    - netvsc: Set maximum GSO size in the right place
    - scsi: zfcp: fix use-after-free by not tracing WKA port open/close on failed
      send
    - scsi: aacraid: Fix INTx/MSI-x issue with older controllers
    - scsi: mpt3sas: disable ASPM for MPI2 controllers
    - xen-netfront: Delete rx_refill_timer in xennet_disconnect_backend()
    - ALSA: seq: Fix race at creating a queue
    - ALSA: seq: Don't handle loop timeout at snd_seq_pool_done()
    - drm/i915: fix use-after-free in page_flip_completed()
    - Linux 4.4.49

  * NFS client : kernel 4.4.0-57 crash with nfsv4 enries in /etc/fstab
    (LP: #1650336)
    - SUNRPC: fix refcounting problems with auth_gss messages.

  * [0bda:0328] Card reader failed after S3 (LP: #1664809)
    - usb: hub: Wait for connection to be reestablished after port reset

  * linux-lts-xenial 4.4.0-63.84~14.04.2 ADT test failure with linux-lts-xenial
    4.4.0-63.84~14.04.2 (LP: #1664912)
    - SAUCE: apparmor: fix link auditing failure due to, uninitialized var

  * ibmvscsis: Add SGL LIMIT (LP: #1662551)
    - ibmvscsis: Add SGL limit

  * [Hyper-V] Bug fixes for storvsc (tagged queuing, error conditions)
    (LP: #1663687)
    - scsi: storvsc: Enable tracking of queue depth
    - scsi: storvsc: Remove the ...

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
Robie Basak (racb) wrote :

I tried running tor in a Zesty container on a Xenial VM.

With 4.4.0.64.68 it fails as described (tor@default fails to start). With 4.4.0.65.69 (following a reboot) it works correctly.

tags: added: verification-done-xenial
removed: verification-needed-xenial
Robie Basak (racb) wrote :

I tried running tor in a Zesty container on a Yakkety VM.

With 4.8.0.39.50 it fails as described (tor@default fails to start). With 4.8.0.40.51 (following a reboot) it *still* fails as described. AFAICT, 4.8.0.40.51 does not fix the problem on Yakkety.

tags: added: verification-failed-yakkety
removed: verification-needed-yakkety
Robie Basak (racb) wrote :

I tried running tor in a Zesty container on a Zesty VM.

With the current 4.10.0.8.10 it fails as described (tor@default fails to start). AFAICT, the bug still exists on Zesty.

Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Changed in linux (Ubuntu Yakkety):
status: Fix Released → Confirmed
John Johansen (jjohansen) wrote :

Please describe the failure, including the logs so I can analyze. Just because the container fails to start does not mean that the fix is bad. There can be other issues that result in the failure.

Specifically this bug is for the denial message seen in comment #5 and not the denied messages (unlink) in comment #9, which are a separate issue.

It appears to be working for me, with yakkety and zesty

Robie Basak (racb) wrote :

Sorry, you're right. "systemctl status tor@default" still shows the service as not running, but now the reason is different.

Changed in linux (Ubuntu):
status: Confirmed → Fix Released
Changed in linux (Ubuntu Yakkety):
status: Confirmed → Fix Committed
tags: added: verification-done-yakkety
removed: verification-failed-yakkety
Robie Basak (racb) wrote :

So this particular bug is Invalid for the tor package in Ubuntu, since the bug was in the kernel and we've verified that with fixes in proposed. tor still doesn't work on Zesty, but I'll file a separate bug for that.

Changed in tor (Ubuntu):
status: New → Invalid
Changed in tor (Ubuntu Xenial):
status: New → Invalid
Changed in tor (Ubuntu Yakkety):
status: New → Invalid
Robie Basak (racb) wrote :

I filed bug 1670408 to track the further issues in tor's AppArmor profile that stop it from starting on Zesty.

Launchpad Janitor (janitor) wrote :
Download full text (6.4 KiB)

This bug was fixed in the package linux - 4.8.0-42.45

---------------
linux (4.8.0-42.45) yakkety; urgency=low

  * linux: 4.8.0-42.45 -proposed tracker (LP: #1671176)

  * Regression in 4.4.0-65-generic causes very frequent system crashes
    (LP: #1669611)
    - Revert "UBUNTU: SAUCE: apparmor: fix lock ordering for mkdir"
    - Revert "UBUNTU: SAUCE: apparmor: fix leak on securityfs pin count"
    - Revert "UBUNTU: SAUCE: apparmor: fix reference count leak when
      securityfs_setup_d_inode() fails"
    - Revert "UBUNTU: SAUCE: apparmor: fix not handling error case when
      securityfs_pin_fs() fails"

  * NFS client : permission denied when trying to access subshare, since kernel
    4.4.0-31 (LP: #1649292)
    - fs: Better permission checking for submounts

  * shaking screen (LP: #1651981)
    - drm/radeon: drop verde dpm quirks

  * [0bda:0328] Card reader failed after S3 (LP: #1664809)
    - usb: hub: Wait for connection to be reestablished after port reset

  * linux-lts-xenial 4.4.0-63.84~14.04.2 ADT test failure with linux-lts-xenial
    4.4.0-63.84~14.04.2 (LP: #1664912)
    - SAUCE: apparmor: fix link auditing failure due to, uninitialized var

  * In Ubuntu 17.04 : after reboot getting message in console like Unable to
    open file: /etc/keys/x509_ima.der (-2) (LP: #1656908)
    - SAUCE: ima: Downgrade error to warning

  * 16.04.2: Extra patches for POWER9 (LP: #1664564)
    - powerpc/mm: Fix no execute fault handling on pre-POWER5
    - powerpc/mm: Fix spurrious segfaults on radix with autonuma

  * ibmvscsis: Add SGL LIMIT (LP: #1662551)
    - ibmvscsis: Add SGL limit

  * [Hyper-V] Bug fixes for storvsc (tagged queuing, error conditions)
    (LP: #1663687)
    - scsi: storvsc: Enable tracking of queue depth
    - scsi: storvsc: Remove the restriction on max segment size
    - scsi: storvsc: Enable multi-queue support
    - scsi: storvsc: use tagged SRB requests if supported by the device
    - scsi: storvsc: properly handle SRB_ERROR when sense message is present
    - scsi: storvsc: properly set residual data length on errors

  * Ubuntu16.10-KVM:Big configuration with multiple guests running SRIOV VFs
    caused KVM host hung and all KVM guests down. (LP: #1651248)
    - KVM: PPC: Book 3S: XICS cleanup: remove XICS_RM_REJECT
    - KVM: PPC: Book 3S: XICS: correct the real mode ICP rejecting counter
    - KVM: PPC: Book 3S: XICS: Fix potential issue with duplicate IRQ resends
    - KVM: PPC: Book 3S: XICS: Implement ICS P/Q states
    - KVM: PPC: Book 3S: XICS: Don't lock twice when checking for resend

  * ISST-LTE:pNV: ppc64_cpu command is hung w HDs, SSDs and NVMe (LP: #1662666)
    - blk-mq: Avoid memory reclaim when remapping queues
    - blk-mq: Fix failed allocation path when mapping queues
    - blk-mq: Always schedule hctx->next_cpu

  * systemd-udevd hung in blk_mq_freeze_queue_wait testing unpartitioned NVMe
    drive (LP: #1662673)
    - percpu-refcount: fix reference leak during percpu-atomic transition

  * [Yakkety SRU] Enable KEXEC support in ARM64 kernel (LP: #1662554)
    - [Config] Enable KEXEC support in ARM64.

  * [Hyper-V] Fix ring buffer handling to avoid host throttling (LP: #1661430)
    - Dri...

Read more...

Changed in linux (Ubuntu Yakkety):
status: Fix Committed → Fix Released
Stefan Bader (smb) wrote :

Not fixed because we had to revert the commits due to various regressions.

Changed in linux (Ubuntu Xenial):
status: Fix Released → Triaged
Changed in linux (Ubuntu Yakkety):
status: Fix Released → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.8.0-45.48

---------------
linux (4.8.0-45.48) yakkety; urgency=low

  * CVE-2017-7184
    - xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window
    - xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder

 -- Stefan Bader <email address hidden> Fri, 24 Mar 2017 12:03:39 +0100

Changed in linux (Ubuntu Yakkety):
status: Triaged → Fix Released
Robie Basak (racb) wrote :

00:27 <rbasak> smb: is https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1648143/comments/26 correct? Wrong bug?

00:28 <stgraber> yeah, looked odd to me to, I don't see the link between that security fix and this bug

00:29 <rbasak> Let's reopen for now. If it's wrong, smb can re-close it perhaps?

Changed in linux (Ubuntu Yakkety):
status: Fix Released → Triaged
John Johansen (jjohansen) wrote :

The entire apparmor patch series was reverted regardless of whether the patch had any link to a regression, or security fix.

The majority of the patches will be reapplied and go through the SRU cycle again.

Changed in linux (Ubuntu Xenial):
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :
Download full text (29.1 KiB)

This bug was fixed in the package linux - 4.4.0-75.96

---------------
linux (4.4.0-75.96) xenial; urgency=low

  * linux: 4.4.0-75.96 -proposed tracker (LP: #1684441)

  * [Hyper-V] hv: util: move waiting for release to hv_utils_transport itself
    (LP: #1682561)
    - Drivers: hv: util: move waiting for release to hv_utils_transport itself

linux (4.4.0-74.95) xenial; urgency=low

  * linux: 4.4.0-74.95 -proposed tracker (LP: #1682041)

  * [Hyper-V] hv: vmbus: Raise retry/wait limits in vmbus_post_msg()
    (LP: #1681893)
    - Drivers: hv: vmbus: Raise retry/wait limits in vmbus_post_msg()

linux (4.4.0-73.94) xenial; urgency=low

  * linux: 4.4.0-73.94 -proposed tracker (LP: #1680416)

  * CVE-2017-6353
    - sctp: deny peeloff operation on asocs with threads sleeping on it

  * vfat: missing iso8859-1 charset (LP: #1677230)
    - [Config] NLS_ISO8859_1=y

  * Regression: KVM modules should be on main kernel package (LP: #1678099)
    - [Config] powerpc: Add kvm-hv and kvm-pr to the generic inclusion list

  * linux-lts-xenial 4.4.0-63.84~14.04.2 ADT test failure with linux-lts-xenial
    4.4.0-63.84~14.04.2 (LP: #1664912)
    - SAUCE: apparmor: fix link auditing failure due to, uninitialized var

  * regession tests failing after stackprofile test is run (LP: #1661030)
    - SAUCE: fix regression with domain change in complain mode

  * Permission denied and inconsistent behavior in complain mode with 'ip netns
    list' command (LP: #1648903)
    - SAUCE: fix regression with domain change in complain mode

  * unexpected errno=13 and disconnected path when trying to open /proc/1/ns/mnt
    from a unshared mount namespace (LP: #1656121)
    - SAUCE: apparmor: null profiles should inherit parent control flags

  * apparmor refcount leak of profile namespace when removing profiles
    (LP: #1660849)
    - SAUCE: apparmor: fix ns ref count link when removing profiles from policy

  * tor in lxd: apparmor="DENIED" operation="change_onexec"
    namespace="root//CONTAINERNAME_<var-lib-lxd>" profile="unconfined"
    name="system_tor" (LP: #1648143)
    - SAUCE: apparmor: Fix no_new_privs blocking change_onexec when using stacked
      namespaces

  * apparmor oops in bind_mnt when dev_path lookup fails (LP: #1660840)
    - SAUCE: apparmor: fix oops in bind_mnt when dev_path lookup fails

  * apparmor auditing denied access of special apparmor .null fi\ le
    (LP: #1660836)
    - SAUCE: apparmor: Don't audit denied access of special apparmor .null file

  * apparmor label leak when new label is unused (LP: #1660834)
    - SAUCE: apparmor: fix label leak when new label is unused

  * apparmor reference count bug in label_merge_insert() (LP: #1660833)
    - SAUCE: apparmor: fix reference count bug in label_merge_insert()

  * apparmor's raw_data file in securityfs is sometimes truncated (LP: #1638996)
    - SAUCE: apparmor: fix replacement race in reading rawdata

  * unix domain socket cross permission check failing with nested namespaces
    (LP: #1660832)
    - SAUCE: apparmor: fix cross ns perm of unix domain sockets

  * Xenial update to v4.4.59 stable release (LP: #1678960)
    - xfrm: policy: init locks early
    - virtio_balloon: init ...

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :
Download full text (14.5 KiB)

This bug was fixed in the package linux - 4.8.0-49.52

---------------
linux (4.8.0-49.52) yakkety; urgency=low

  * linux: 4.8.0-49.52 -proposed tracker (LP: #1684427)

  * [Hyper-V] hv: util: move waiting for release to hv_utils_transport itself
    (LP: #1682561)
    - Drivers: hv: util: move waiting for release to hv_utils_transport itself

linux (4.8.0-48.51) yakkety; urgency=low

  * linux: 4.8.0-48.51 -proposed tracker (LP: #1682034)

  * [Hyper-V] hv: vmbus: Raise retry/wait limits in vmbus_post_msg()
    (LP: #1681893)
    - Drivers: hv: vmbus: Raise retry/wait limits in vmbus_post_msg()

linux (4.8.0-47.50) yakkety; urgency=low

  * linux: 4.8.0-47.50 -proposed tracker (LP: #1679678)

  * CVE-2017-6353
    - sctp: deny peeloff operation on asocs with threads sleeping on it

  * CVE-2017-5986
    - sctp: avoid BUG_ON on sctp_wait_for_sndbuf

  * vfat: missing iso8859-1 charset (LP: #1677230)
    - [Config] NLS_ISO8859_1=y

  * [Hyper-V] pci-hyperv: Use device serial number as PCI domain (LP: #1667527)
    - net/mlx4_core: Use cq quota in SRIOV when creating completion EQs

  * Regression: KVM modules should be on main kernel package (LP: #1678099)
    - [Config] powerpc: Add kvm-hv and kvm-pr to the generic inclusion list

  * linux-lts-xenial 4.4.0-63.84~14.04.2 ADT test failure with linux-lts-xenial
    4.4.0-63.84~14.04.2 (LP: #1664912)
    - SAUCE: apparmor: fix link auditing failure due to, uninitialized var

  * regession tests failing after stackprofile test is run (LP: #1661030)
    - SAUCE: fix regression with domain change in complain mode

  * Permission denied and inconsistent behavior in complain mode with 'ip netns
    list' command (LP: #1648903)
    - SAUCE: fix regression with domain change in complain mode

  * unexpected errno=13 and disconnected path when trying to open /proc/1/ns/mnt
    from a unshared mount namespace (LP: #1656121)
    - SAUCE: apparmor: null profiles should inherit parent control flags

  * apparmor refcount leak of profile namespace when removing profiles
    (LP: #1660849)
    - SAUCE: apparmor: fix ns ref count link when removing profiles from policy

  * tor in lxd: apparmor="DENIED" operation="change_onexec"
    namespace="root//CONTAINERNAME_<var-lib-lxd>" profile="unconfined"
    name="system_tor" (LP: #1648143)
    - SAUCE: apparmor: Fix no_new_privs blocking change_onexec when using stacked
      namespaces

  * apparmor oops in bind_mnt when dev_path lookup fails (LP: #1660840)
    - SAUCE: apparmor: fix oops in bind_mnt when dev_path lookup fails

  * apparmor auditing denied access of special apparmor .null fi\ le
    (LP: #1660836)
    - SAUCE: apparmor: Don't audit denied access of special apparmor .null file

  * apparmor label leak when new label is unused (LP: #1660834)
    - SAUCE: apparmor: fix label leak when new label is unused

  * apparmor reference count bug in label_merge_insert() (LP: #1660833)
    - SAUCE: apparmor: fix reference count bug in label_merge_insert()

  * apparmor's raw_data file in securityfs is sometimes truncated (LP: #1638996)
    - SAUCE: apparmor: fix replacement race in reading rawdata

  * unix domain socket cross permission check failing with n...

Changed in linux (Ubuntu Yakkety):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers