2017-09-16 19:22:47 |
Andre Tomt |
bug |
|
|
added bug |
2017-09-18 15:04:47 |
Christian Boltz |
bug task added |
|
apparmor |
|
2017-09-18 15:04:59 |
Christian Boltz |
tags |
|
aa-policy |
|
2017-09-30 12:32:25 |
Vincas Dargis |
branch linked |
|
lp:~talkless/apparmor/seven_digit_pid |
|
2017-10-26 06:36:40 |
Steve Beattie |
apparmor (Ubuntu): status |
New |
Fix Committed |
|
2017-10-26 06:36:51 |
Steve Beattie |
apparmor (Ubuntu): status |
Fix Committed |
Confirmed |
|
2017-10-26 06:36:56 |
Steve Beattie |
apparmor: status |
New |
Fix Committed |
|
2017-10-26 06:37:01 |
Steve Beattie |
apparmor: milestone |
|
2.12 |
|
2017-10-26 10:32:58 |
Christian Boltz |
nominated for series |
|
apparmor/2.11 |
|
2017-10-26 10:32:58 |
Christian Boltz |
bug task added |
|
apparmor/2.11 |
|
2017-10-26 10:33:06 |
Christian Boltz |
apparmor/2.11: status |
New |
Fix Committed |
|
2017-10-26 10:33:13 |
Christian Boltz |
apparmor/2.11: milestone |
|
2.11.2 |
|
2017-12-25 16:04:57 |
Yoshi Kadokawa |
bug |
|
|
added subscriber Yoshi Kadokawa |
2018-01-08 16:02:42 |
Seyeong Kim |
nominated for series |
|
Ubuntu Artful |
|
2018-01-08 16:02:42 |
Seyeong Kim |
nominated for series |
|
Ubuntu Trusty |
|
2018-01-08 16:02:42 |
Seyeong Kim |
nominated for series |
|
Ubuntu Bionic |
|
2018-01-08 16:02:42 |
Seyeong Kim |
nominated for series |
|
Ubuntu Xenial |
|
2018-01-08 16:02:42 |
Seyeong Kim |
nominated for series |
|
Ubuntu Zesty |
|
2018-01-08 16:03:27 |
Seyeong Kim |
attachment added |
|
lp1717714_trusty.debdiff https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1717714/+attachment/5032828/+files/lp1717714_trusty.debdiff |
|
2018-01-08 16:03:41 |
Seyeong Kim |
attachment added |
|
lp1717714_xenial.debdiff https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1717714/+attachment/5032829/+files/lp1717714_xenial.debdiff |
|
2018-01-08 16:04:09 |
Seyeong Kim |
attachment added |
|
lp1717714_zesty.debdiff https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1717714/+attachment/5032830/+files/lp1717714_zesty.debdiff |
|
2018-01-08 16:05:07 |
Seyeong Kim |
attachment added |
|
lp1717714_artful.debdiff https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1717714/+attachment/5032831/+files/lp1717714_artful.debdiff |
|
2018-01-08 16:05:19 |
Seyeong Kim |
attachment added |
|
lp1717714_bionic.debdiff https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1717714/+attachment/5032832/+files/lp1717714_bionic.debdiff |
|
2018-01-08 16:19:55 |
Ubuntu Foundations Team Bug Bot |
tags |
aa-policy |
aa-policy patch |
|
2018-01-08 16:20:02 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2018-01-09 01:00:05 |
Seyeong Kim |
description |
If your kernel.pid_max sysctl is set higher than the default, say at 7 digits, the @{pid} variable no longer matches all pids, causing some breakage in any profile using it.
@{pid} is defined in /etc/apparmor.d/tunables:
@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}
It only covers up to 6 digits.
This Ubuntu 17.04 system has:
kernel.pid_max = 4194303
And is showing
type=1400 audit(1505588857.828:792): apparmor="DENIED" operation="open" profile="libvirt-55e9e12c-e6dc-4f56-a547-8514cf7d9bf3" name="/proc/2168180/task/2769256/comm" pid=2168180 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111
Which should be matched by
@{PROC}/sys/vm/overcommit_memory r,
in /etc/apparmor.d/abstractions/libvirt-qemu
I'm seeing similar failures on 16.04 (2.10.95-0ubuntu2.7), 17.04 (2.11.0-2ubuntu4) and 17.10 (2.11.0-2ubuntu17)
I am aware this is a non-default configuration, but I think this should work. |
[Impact]
If the PID is larger than 6 digits, apparmor denies the process.
This fix is committed but not released, so all supported versions are affected.
[Test Case]
1. Making the PID go over 6 digits
- I used the touch command to do it
2. snap install canonical-livepatch (just picked this pkg)
You can see the denied msg as in the original description
[Regression]
This fix changes the regex only; I don't think there is a severe regression. Also, if there is a regression, we can revert manually temporarily.
Denied services need to be restarted after fixing this.
[Others]
revision : http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3722
[Original Description]
If your kernel.pid_max sysctl is set higher than the default, say at 7 digits, the @{pid} variable no longer matches all pids, causing some breakage in any profile using it.
@{pid} is defined in /etc/apparmor.d/tunables:
@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}
It only covers up to 6 digits.
This Ubuntu 17.04 system has:
kernel.pid_max = 4194303
And is showing
type=1400 audit(1505588857.828:792): apparmor="DENIED" operation="open" profile="libvirt-55e9e12c-e6dc-4f56-a547-8514cf7d9bf3" name="/proc/2168180/task/2769256/comm" pid=2168180 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111
Which should be matched by
@{PROC}/sys/vm/overcommit_memory r,
in /etc/apparmor.d/abstractions/libvirt-qemu
I'm seeing similar failures on 16.04 (2.10.95-0ubuntu2.7), 17.04 (2.11.0-2ubuntu4) and 17.10 (2.11.0-2ubuntu17)
I am aware this is a non-default configuration, but I think this should work. |
|
2018-01-09 01:00:16 |
Seyeong Kim |
tags |
aa-policy patch |
aa-policy sts-sru-needed |
|
2018-01-09 01:00:34 |
Seyeong Kim |
bug |
|
|
added subscriber STS Sponsors |
2018-01-09 01:00:45 |
Seyeong Kim |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2018-01-09 01:00:59 |
Seyeong Kim |
apparmor (Ubuntu): assignee |
|
Seyeong Kim (xtrusia) |
|
2018-01-09 04:13:45 |
Eric Desrochers |
bug task added |
|
apparmor (Ubuntu Artful) |
|
2018-01-09 04:13:55 |
Eric Desrochers |
bug task added |
|
apparmor (Ubuntu Trusty) |
|
2018-01-09 04:14:01 |
Eric Desrochers |
bug task added |
|
apparmor (Ubuntu Xenial) |
|
2018-01-09 04:14:07 |
Eric Desrochers |
bug task added |
|
apparmor (Ubuntu Zesty) |
|
2018-01-09 04:14:12 |
Eric Desrochers |
bug task added |
|
apparmor (Ubuntu Bionic) |
|
2018-01-09 04:22:52 |
Eric Desrochers |
description |
[Impact]
If the PID is larger than 6 digits, apparmor denies the process.
This fix is committed but not released, so all supported versions are affected.
[Test Case]
1. Making the PID go over 6 digits
- I used the touch command to do it
2. snap install canonical-livepatch (just picked this pkg)
You can see the denied msg as in the original description
[Regression]
This fix changes the regex only; I don't think there is a severe regression. Also, if there is a regression, we can revert manually temporarily.
Denied services need to be restarted after fixing this.
[Others]
* Upstream commit:
https://gitlab.com/apparmor/apparmor/commit/630cb2a981cdc731847e8fdaafc45bcd337fe747
* commit 630cb2a981cdc731847e8fdaafc45bcd337fe747
Author: Vincas Dargis <vindrg@gmail.com>
Date: Sat Sep 30 15:28:15 2017 +0300
Allow seven digit pid
* Affecting releases : TXZA
--------------------------------------------------------------------------
$ git describe --contains 630cb2a9
v2.11.95~5^2
$ rmadison apparmor
apparmor | 2.8.95~2430-0ubuntu5 | trusty
apparmor | 2.10.95-0ubuntu2.6~14.04.1 | trusty-security
apparmor | 2.10.95-0ubuntu2.6~14.04.1 | trusty-updates
apparmor | 2.10.95-0ubuntu2 | xenial
apparmor | 2.10.95-0ubuntu2.6 | xenial-security
apparmor | 2.10.95-0ubuntu2.7 | xenial-updates
apparmor | 2.11.0-2ubuntu4 | zesty
apparmor | 2.11.0-2ubuntu17 | artful
apparmor | 2.11.0-2ubuntu18 | bionic
--------------------------------------------------------------------------
* Revision :
http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3722
[Original Description]
If your kernel.pid_max sysctl is set higher than the default, say at 7 digits, the @{pid} variable no longer matches all pids, causing some breakage in any profile using it.
@{pid} is defined in /etc/apparmor.d/tunables:
@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}
It only covers up to 6 digits.
This Ubuntu 17.04 system has:
kernel.pid_max = 4194303
And is showing
type=1400 audit(1505588857.828:792): apparmor="DENIED" operation="open" profile="libvirt-55e9e12c-e6dc-4f56-a547-8514cf7d9bf3" name="/proc/2168180/task/2769256/comm" pid=2168180 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111
Which should be matched by
@{PROC}/sys/vm/overcommit_memory r,
in /etc/apparmor.d/abstractions/libvirt-qemu
I'm seeing similar failures on 16.04 (2.10.95-0ubuntu2.7), 17.04 (2.11.0-2ubuntu4) and 17.10 (2.11.0-2ubuntu17)
I am aware this is a non-default configuration, but I think this should work. |
|
2018-01-09 04:59:29 |
Eric Desrochers |
tags |
aa-policy sts-sru-needed |
aa-policy sts-sponsor-slashd sts-sru-needed |
|
2018-01-09 05:07:52 |
Eric Desrochers |
description |
[Impact]
If the PID is larger than 6 digits, apparmor denies the process.
This fix is committed but not released, so all supported versions are affected.
[Test Case]
1. Making the PID go over 6 digits
- I used the touch command to do it
2. snap install canonical-livepatch (just picked this pkg)
You can see the denied msg as in the original description
[Regression]
This fix changes the regex only; I don't think there is a severe regression. Also, if there is a regression, we can revert manually temporarily.
Denied services need to be restarted after fixing this.
[Others]
* Upstream commit:
https://gitlab.com/apparmor/apparmor/commit/630cb2a981cdc731847e8fdaafc45bcd337fe747
* commit 630cb2a981cdc731847e8fdaafc45bcd337fe747
Author: Vincas Dargis <vindrg@gmail.com>
Date: Sat Sep 30 15:28:15 2017 +0300
Allow seven digit pid
* Affecting releases : TXZA
--------------------------------------------------------------------------
$ git describe --contains 630cb2a9
v2.11.95~5^2
$ rmadison apparmor
apparmor | 2.8.95~2430-0ubuntu5 | trusty
apparmor | 2.10.95-0ubuntu2.6~14.04.1 | trusty-security
apparmor | 2.10.95-0ubuntu2.6~14.04.1 | trusty-updates
apparmor | 2.10.95-0ubuntu2 | xenial
apparmor | 2.10.95-0ubuntu2.6 | xenial-security
apparmor | 2.10.95-0ubuntu2.7 | xenial-updates
apparmor | 2.11.0-2ubuntu4 | zesty
apparmor | 2.11.0-2ubuntu17 | artful
apparmor | 2.11.0-2ubuntu18 | bionic
$ rmadison -u debian apparmor
apparmor | 2.11.1-4 | unstable
--------------------------------------------------------------------------
* Revision :
http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3722
[Original Description]
If your kernel.pid_max sysctl is set higher than the default, say at 7 digits, the @{pid} variable no longer matches all pids, causing some breakage in any profile using it.
@{pid} is defined in /etc/apparmor.d/tunables:
@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}
It only covers up to 6 digits.
This Ubuntu 17.04 system has:
kernel.pid_max = 4194303
And is showing
type=1400 audit(1505588857.828:792): apparmor="DENIED" operation="open" profile="libvirt-55e9e12c-e6dc-4f56-a547-8514cf7d9bf3" name="/proc/2168180/task/2769256/comm" pid=2168180 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111
Which should be matched by
@{PROC}/sys/vm/overcommit_memory r,
in /etc/apparmor.d/abstractions/libvirt-qemu
I'm seeing similar failures on 16.04 (2.10.95-0ubuntu2.7), 17.04 (2.11.0-2ubuntu4) and 17.10 (2.11.0-2ubuntu17)
I am aware this is a non-default configuration, but I think this should work. |
|
2018-01-09 05:08:16 |
Eric Desrochers |
description |
[Impact]
If the PID is larger than 6 digits, apparmor denies the process.
This fix is committed but not released, so all supported versions are affected.
[Test Case]
1. Making the PID go over 6 digits
- I used the touch command to do it
2. snap install canonical-livepatch (just picked this pkg)
You can see the denied msg as in the original description
[Regression]
This fix changes the regex only; I don't think there is a severe regression. Also, if there is a regression, we can revert manually temporarily.
Denied services need to be restarted after fixing this.
[Others]
* Upstream commit:
https://gitlab.com/apparmor/apparmor/commit/630cb2a981cdc731847e8fdaafc45bcd337fe747
* commit 630cb2a981cdc731847e8fdaafc45bcd337fe747
Author: Vincas Dargis <vindrg@gmail.com>
Date: Sat Sep 30 15:28:15 2017 +0300
Allow seven digit pid
* Affecting releases : TXZAB
--------------------------------------------------------------------------
$ git describe --contains 630cb2a9
v2.11.95~5^2
$ rmadison apparmor
apparmor | 2.8.95~2430-0ubuntu5 | trusty
apparmor | 2.10.95-0ubuntu2.6~14.04.1 | trusty-security
apparmor | 2.10.95-0ubuntu2.6~14.04.1 | trusty-updates
apparmor | 2.10.95-0ubuntu2 | xenial
apparmor | 2.10.95-0ubuntu2.6 | xenial-security
apparmor | 2.10.95-0ubuntu2.7 | xenial-updates
apparmor | 2.11.0-2ubuntu4 | zesty
apparmor | 2.11.0-2ubuntu17 | artful
apparmor | 2.11.0-2ubuntu18 | bionic
$ rmadison -u debian apparmor
apparmor | 2.11.1-4 | unstable
--------------------------------------------------------------------------
* Revision :
http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3722
[Original Description]
If your kernel.pid_max sysctl is set higher than the default, say at 7 digits, the @{pid} variable no longer matches all pids, causing some breakage in any profile using it.
@{pid} is defined in /etc/apparmor.d/tunables:
@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}
It only covers up to 6 digits.
This Ubuntu 17.04 system has:
kernel.pid_max = 4194303
And is showing
type=1400 audit(1505588857.828:792): apparmor="DENIED" operation="open" profile="libvirt-55e9e12c-e6dc-4f56-a547-8514cf7d9bf3" name="/proc/2168180/task/2769256/comm" pid=2168180 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111
Which should be matched by
@{PROC}/sys/vm/overcommit_memory r,
in /etc/apparmor.d/abstractions/libvirt-qemu
I'm seeing similar failures on 16.04 (2.10.95-0ubuntu2.7), 17.04 (2.11.0-2ubuntu4) and 17.10 (2.11.0-2ubuntu17)
I am aware this is a non-default configuration, but I think this should work. |
|
2018-01-09 09:55:32 |
Seyeong Kim |
attachment removed |
lp1717714_trusty.debdiff https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1717714/+attachment/5032828/+files/lp1717714_trusty.debdiff |
|
|
2018-01-09 09:55:40 |
Seyeong Kim |
attachment removed |
lp1717714_xenial.debdiff https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1717714/+attachment/5032829/+files/lp1717714_xenial.debdiff |
|
|
2018-01-09 09:55:47 |
Seyeong Kim |
attachment removed |
lp1717714_zesty.debdiff https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1717714/+attachment/5032830/+files/lp1717714_zesty.debdiff |
|
|
2018-01-09 09:55:54 |
Seyeong Kim |
attachment removed |
lp1717714_artful.debdiff https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1717714/+attachment/5032831/+files/lp1717714_artful.debdiff |
|
|
2018-01-09 09:56:03 |
Seyeong Kim |
attachment removed |
lp1717714_bionic.debdiff https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1717714/+attachment/5032832/+files/lp1717714_bionic.debdiff |
|
|
2018-01-09 09:56:35 |
Seyeong Kim |
attachment added |
|
lp1717714_trusty.debdiff https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1717714/+attachment/5033298/+files/lp1717714_trusty.debdiff |
|
2018-01-09 09:56:51 |
Seyeong Kim |
attachment added |
|
lp1717714_xenial.debdiff https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1717714/+attachment/5033299/+files/lp1717714_xenial.debdiff |
|
2018-01-09 09:57:04 |
Seyeong Kim |
attachment added |
|
lp1717714_zesty.debdiff https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1717714/+attachment/5033300/+files/lp1717714_zesty.debdiff |
|
2018-01-09 09:57:18 |
Seyeong Kim |
attachment added |
|
lp1717714_artful.debdiff https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1717714/+attachment/5033301/+files/lp1717714_artful.debdiff |
|
2018-01-09 09:57:29 |
Seyeong Kim |
attachment added |
|
lp1717714_bionic.debdiff https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1717714/+attachment/5033302/+files/lp1717714_bionic.debdiff |
|
2018-01-09 13:32:41 |
Eric Desrochers |
apparmor (Ubuntu Trusty): assignee |
|
Seyeong Kim (xtrusia) |
|
2018-01-09 13:32:49 |
Eric Desrochers |
apparmor (Ubuntu Xenial): assignee |
|
Seyeong Kim (xtrusia) |
|
2018-01-09 13:32:57 |
Eric Desrochers |
apparmor (Ubuntu Zesty): assignee |
|
Seyeong Kim (xtrusia) |
|
2018-01-09 13:33:03 |
Eric Desrochers |
apparmor (Ubuntu Artful): assignee |
|
Seyeong Kim (xtrusia) |
|
2018-01-09 13:33:06 |
Eric Desrochers |
apparmor (Ubuntu Trusty): importance |
Undecided |
Medium |
|
2018-01-09 13:33:08 |
Eric Desrochers |
apparmor (Ubuntu Xenial): importance |
Undecided |
Medium |
|
2018-01-09 13:33:09 |
Eric Desrochers |
apparmor (Ubuntu Zesty): importance |
Undecided |
Medium |
|
2018-01-09 13:33:11 |
Eric Desrochers |
apparmor (Ubuntu Artful): importance |
Undecided |
Medium |
|
2018-01-09 13:33:13 |
Eric Desrochers |
apparmor (Ubuntu Bionic): importance |
Undecided |
Medium |
|
2018-01-12 07:21:06 |
Seyeong Kim |
description |
[Impact]
If the PID is larger than 6 digits, apparmor denies the process.
This fix is committed but not released, so all supported versions are affected.
[Test Case]
1. making pid over 6 digits
#!/bin/bash
for i in {1..1000000}
do
touch t
done
2. snap install --dangerous core_16-2.29.4.2_amd64.snap (snap core 16-2.30 avoids using /proc/PID/cmdline, so need to use older version)
3. you can see DENIED msgs in syslog
4. change /etc/apparmor.d/tunables/kernelvars
5. service apparmor restart
6. service snapd restart
7. DENIED is gone
This is one way, can't reproduce this issue again even if you change back to original kernelvars, and restart snapd
[Regression]
This fix changes the regex only; I don't think there is a severe regression. Also, if there is a regression, we can revert manually temporarily.
Denied services need to be restarted after fixing this.
[Others]
* Upstream commit:
https://gitlab.com/apparmor/apparmor/commit/630cb2a981cdc731847e8fdaafc45bcd337fe747
* commit 630cb2a981cdc731847e8fdaafc45bcd337fe747
Author: Vincas Dargis <vindrg@gmail.com>
Date: Sat Sep 30 15:28:15 2017 +0300
Allow seven digit pid
* Affecting releases : TXZAB
--------------------------------------------------------------------------
$ git describe --contains 630cb2a9
v2.11.95~5^2
$ rmadison apparmor
apparmor | 2.8.95~2430-0ubuntu5 | trusty
apparmor | 2.10.95-0ubuntu2.6~14.04.1 | trusty-security
apparmor | 2.10.95-0ubuntu2.6~14.04.1 | trusty-updates
apparmor | 2.10.95-0ubuntu2 | xenial
apparmor | 2.10.95-0ubuntu2.6 | xenial-security
apparmor | 2.10.95-0ubuntu2.7 | xenial-updates
apparmor | 2.11.0-2ubuntu4 | zesty
apparmor | 2.11.0-2ubuntu17 | artful
apparmor | 2.11.0-2ubuntu18 | bionic
$ rmadison -u debian apparmor
apparmor | 2.11.1-4 | unstable
--------------------------------------------------------------------------
* Revision :
http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3722
[Original Description]
If your kernel.pid_max sysctl is set higher than the default, say at 7 digits, the @{pid} variable no longer matches all pids, causing some breakage in any profile using it.
@{pid} is defined in /etc/apparmor.d/tunables:
@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}
It only covers up to 6 digits.
This Ubuntu 17.04 system has:
kernel.pid_max = 4194303
And is showing
type=1400 audit(1505588857.828:792): apparmor="DENIED" operation="open" profile="libvirt-55e9e12c-e6dc-4f56-a547-8514cf7d9bf3" name="/proc/2168180/task/2769256/comm" pid=2168180 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111
Which should be matched by
@{PROC}/sys/vm/overcommit_memory r,
in /etc/apparmor.d/abstractions/libvirt-qemu
I'm seeing similar failures on 16.04 (2.10.95-0ubuntu2.7), 17.04 (2.11.0-2ubuntu4) and 17.10 (2.11.0-2ubuntu17)
I am aware this is a non-default configuration, but I think this should work. |
|
2018-01-12 12:35:45 |
Eric Desrochers |
description |
[Impact]
If the PID is larger than 6 digits, apparmor denies the process. This only affects 64-bit systems[1], where PIDs of up to 7 digits can be generated (PID_MAX_LIMIT).
This fix is committed, but not released, so all supported versions are affected.
[1] - man 5 proc
--------------------------------------------------------------------------
/proc/sys/kernel/pid_max (since Linux 2.5.34)
This file specifies the value at which PIDs wrap around (i.e., the value in this file is one greater than the maximum PID). PIDs greater than this value are not allocated; thus, the value in this file also acts as a system-wide limit on the total number of processes and threads. The default value for this file, 32768, results in the same range of PIDs as on earlier kernels. On 32-bit platforms, 32768 is the maximum value for pid_max. On 64-bit systems, pid_max can be set to any value up to 2^22 (PID_MAX_LIMIT, approximately 4 million).
--------------------------------------------------------------------------
[Test Case]
1. making pid over 6 digits
#!/bin/bash
for i in {1..1000000}
do
touch t
done
2. snap install --dangerous core_16-2.29.4.2_amd64.snap (snap core 16-2.30 avoids using /proc/PID/cmdline, so an older version is needed)
3. you can see DENIED msgs in syslog
4. change /etc/apparmor.d/tunables/kernelvars
5. service apparmor restart
6. service snapd restart
7. DENIED is gone
This is one way, can't reproduce this issue again even if you change back to original kernelvars, and restart snapd
[Regression]
* This is a minor/trivial fix which changes the pid regex only, allowing 7-digit PIDs instead of only 6-digit PIDs; we don't think there is any potential regression.
* If a regression arises, which we highly doubt, one can quickly revert the change manually and restart the service by modifying the "/etc/apparmor.d/tunables/kernelvars" file to its original state (before this SRU).
[Others]
* Upstream commit:
https://gitlab.com/apparmor/apparmor/commit/630cb2a981cdc731847e8fdaafc45bcd337fe747
http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3722
* commit 630cb2a981cdc731847e8fdaafc45bcd337fe747
Author: Vincas Dargis <vindrg@gmail.com>
Date: Sat Sep 30 15:28:15 2017 +0300
Allow seven digit pid
* Affecting releases : TXZAB
--------------------------------------------------------------------------
$ git describe --contains 630cb2a9
v2.11.95~5^2
$ rmadison apparmor
apparmor | 2.8.95~2430-0ubuntu5 | trusty
apparmor | 2.10.95-0ubuntu2.6~14.04.1 | trusty-security
apparmor | 2.10.95-0ubuntu2.6~14.04.1 | trusty-updates
apparmor | 2.10.95-0ubuntu2 | xenial
apparmor | 2.10.95-0ubuntu2.6 | xenial-security
apparmor | 2.10.95-0ubuntu2.7 | xenial-updates
apparmor | 2.11.0-2ubuntu4 | zesty
apparmor | 2.11.0-2ubuntu17 | artful
apparmor | 2.11.0-2ubuntu18 | bionic
$ rmadison -u debian apparmor
apparmor | 2.11.1-4 | unstable
--------------------------------------------------------------------------
[Original Description]
If your kernel.pid_max sysctl is set higher than the default, say at 7 digits, the @{pid} variable no longer matches all pids, causing some breakage in any profile using it.
@{pid} is defined in /etc/apparmor.d/tunables:
@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}
It only covers up to 6 digits.
This Ubuntu 17.04 system has:
kernel.pid_max = 4194303
And is showing
type=1400 audit(1505588857.828:792): apparmor="DENIED" operation="open" profile="libvirt-55e9e12c-e6dc-4f56-a547-8514cf7d9bf3" name="/proc/2168180/task/2769256/comm" pid=2168180 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111
Which should be matched by
@{PROC}/sys/vm/overcommit_memory r,
in /etc/apparmor.d/abstractions/libvirt-qemu
I'm seeing similar failures on 16.04 (2.10.95-0ubuntu2.7), 17.04 (2.11.0-2ubuntu4) and 17.10 (2.11.0-2ubuntu17)
I am aware this is a non-default configuration, but I think this should work. |
|
2018-01-12 12:54:16 |
Eric Desrochers |
description |
[Impact]
If the PID is larger than 6 digits, apparmor denies the process. This only affects 64-bit systems[1], where PIDs of up to 7 digits can be generated (PID_MAX_LIMIT).
This fix is committed, but not released, so all supported versions are affected.
[1] - man 5 proc
--------------------------------------------------------------------------
/proc/sys/kernel/pid_max (since Linux 2.5.34)
This file specifies the value at which PIDs wrap around (i.e., the value in this file is one greater than the maximum PID). PIDs greater than this value are not allocated; thus, the value in this file also acts as a system-wide limit on the total number of processes and threads. The default value for this file, 32768, results in the same range of PIDs as on earlier kernels. On 32-bit platforms, 32768 is the maximum value for pid_max. On 64-bit systems, pid_max can be set to any value up to 2^22 (PID_MAX_LIMIT, approximately 4 million).
--------------------------------------------------------------------------
[Test Case]
1. making pid over 6 digits
#!/bin/bash
for i in {1..1000000}
do
touch t
done
2. snap install --dangerous core_16-2.29.4.2_amd64.snap (snap core 16-2.30 avoids using /proc/PID/cmdline, so an older version is needed)
3. you can see DENIED msgs in syslog
4. change /etc/apparmor.d/tunables/kernelvars
5. service apparmor restart
6. service snapd restart
7. DENIED is gone
This is one way, can't reproduce this issue again even if you change back to original kernelvars, and restart snapd
[Regression]
* This is a minor/trivial fix which changes the pid regex only, allowing 7-digit PIDs instead of only 6-digit PIDs; we don't think there is any potential regression.
* If a regression arises, which we highly doubt, one can quickly revert the change manually and restart the service by modifying the "/etc/apparmor.d/tunables/kernelvars" file to its original state (before this SRU).
[Others]
* Upstream commit:
https://gitlab.com/apparmor/apparmor/commit/630cb2a981cdc731847e8fdaafc45bcd337fe747
http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3722
* Debian bug:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886732
* commit 630cb2a981cdc731847e8fdaafc45bcd337fe747
Author: Vincas Dargis <vindrg@gmail.com>
Date: Sat Sep 30 15:28:15 2017 +0300
Allow seven digit pid
* Affecting releases : TXZAB
--------------------------------------------------------------------------
$ git describe --contains 630cb2a9
v2.11.95~5^2
$ rmadison apparmor
apparmor | 2.8.95~2430-0ubuntu5 | trusty
apparmor | 2.10.95-0ubuntu2.6~14.04.1 | trusty-security
apparmor | 2.10.95-0ubuntu2.6~14.04.1 | trusty-updates
apparmor | 2.10.95-0ubuntu2 | xenial
apparmor | 2.10.95-0ubuntu2.6 | xenial-security
apparmor | 2.10.95-0ubuntu2.7 | xenial-updates
apparmor | 2.11.0-2ubuntu4 | zesty
apparmor | 2.11.0-2ubuntu17 | artful
apparmor | 2.11.0-2ubuntu18 | bionic
$ rmadison -u debian apparmor
apparmor | 2.11.1-4 | unstable
--------------------------------------------------------------------------
[Original Description]
If your kernel.pid_max sysctl is set higher than the default, say at 7 digits, the @{pid} variable no longer matches all pids, causing some breakage in any profile using it.
@{pid} is defined in /etc/apparmor.d/tunables:
@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}
It only covers up to 6 digits.
This Ubuntu 17.04 system has:
kernel.pid_max = 4194303
And is showing
type=1400 audit(1505588857.828:792): apparmor="DENIED" operation="open" profile="libvirt-55e9e12c-e6dc-4f56-a547-8514cf7d9bf3" name="/proc/2168180/task/2769256/comm" pid=2168180 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111
Which should be matched by
@{PROC}/sys/vm/overcommit_memory r,
in /etc/apparmor.d/abstractions/libvirt-qemu
I'm seeing similar failures on 16.04 (2.10.95-0ubuntu2.7), 17.04 (2.11.0-2ubuntu4) and 17.10 (2.11.0-2ubuntu17)
I am aware this is a non-default configuration, but I think this should work. |
|
2018-01-12 12:54:33 |
Eric Desrochers |
bug watch added |
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886732 |
|
2018-01-12 12:54:33 |
Eric Desrochers |
bug task added |
|
apparmor (Debian) |
|
2018-01-12 13:23:03 |
Eric Desrochers |
attachment added |
|
lp1717714_bionic_V2.debdiff https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1717714/+attachment/5035841/+files/lp1717714_bionic_V2.debdiff |
|
2018-01-12 13:36:10 |
Eric Desrochers |
apparmor (Ubuntu Bionic): status |
Confirmed |
In Progress |
|
2018-01-12 13:36:22 |
Eric Desrochers |
bug |
|
|
added subscriber SRU Verification |
2018-01-12 13:44:43 |
Łukasz Zemczak |
removed subscriber Ubuntu Sponsors Team |
|
|
|
2018-01-12 14:06:26 |
Eric Desrochers |
description |
[Impact]
If the PID is larger than 6 digits, apparmor denies the process. This only affects 64-bit systems[1], where PIDs of up to 7 digits can be generated (PID_MAX_LIMIT).
This fix is committed, but not released, so all supported versions are affected.
[1] - man 5 proc
--------------------------------------------------------------------------
/proc/sys/kernel/pid_max (since Linux 2.5.34)
This file specifies the value at which PIDs wrap around (i.e., the value in this file is one greater than the maximum PID). PIDs greater than this value are not allocated; thus, the value in this file also acts as a system-wide limit on the total number of processes and threads. The default value for this file, 32768, results in the same range of PIDs as on earlier kernels. On 32-bit platforms, 32768 is the maximum value for pid_max. On 64-bit systems, pid_max can be set to any value up to 2^22 (PID_MAX_LIMIT, approximately 4 million).
--------------------------------------------------------------------------
[Test Case]
1. making pid over 6 digits
#!/bin/bash
for i in {1..1000000}
do
touch t
done
2. snap install --dangerous core_16-2.29.4.2_amd64.snap (snap core 16-2.30 avoids using /proc/PID/cmdline, so an older version is needed)
3. you can see DENIED msgs in syslog
4. change /etc/apparmor.d/tunables/kernelvars
5. service apparmor restart
6. service snapd restart
7. DENIED is gone
This is one way, can't reproduce this issue again even if you change back to original kernelvars, and restart snapd
OR
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1717714/comments/29
[Regression]
* This is a minor/trivial fix which changes the pid regex only, allowing 7-digit PIDs instead of only 6-digit PIDs; we don't think there is any potential regression.
* If a regression arises, which we highly doubt, one can quickly revert the change manually and restart the service by modifying the "/etc/apparmor.d/tunables/kernelvars" file to its original state (before this SRU).
[Others]
* Upstream commit:
https://gitlab.com/apparmor/apparmor/commit/630cb2a981cdc731847e8fdaafc45bcd337fe747
http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3722
* Debian bug:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886732
* commit 630cb2a981cdc731847e8fdaafc45bcd337fe747
Author: Vincas Dargis <vindrg@gmail.com>
Date: Sat Sep 30 15:28:15 2017 +0300
Allow seven digit pid
* Affecting releases : TXZAB
--------------------------------------------------------------------------
$ git describe --contains 630cb2a9
v2.11.95~5^2
$ rmadison apparmor
apparmor | 2.8.95~2430-0ubuntu5 | trusty
apparmor | 2.10.95-0ubuntu2.6~14.04.1 | trusty-security
apparmor | 2.10.95-0ubuntu2.6~14.04.1 | trusty-updates
apparmor | 2.10.95-0ubuntu2 | xenial
apparmor | 2.10.95-0ubuntu2.6 | xenial-security
apparmor | 2.10.95-0ubuntu2.7 | xenial-updates
apparmor | 2.11.0-2ubuntu4 | zesty
apparmor | 2.11.0-2ubuntu17 | artful
apparmor | 2.11.0-2ubuntu18 | bionic
$ rmadison -u debian apparmor
apparmor | 2.11.1-4 | unstable
--------------------------------------------------------------------------
[Original Description]
If your kernel.pid_max sysctl is set higher than the default, say at 7 digits, the @{pid} variable no longer matches all pids, causing some breakage in any profile using it.
@{pid} is defined in /etc/apparmor.d/tunables:
@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}
It only covers up to 6 digits.
This Ubuntu 17.04 system has:
kernel.pid_max = 4194303
And is showing
type=1400 audit(1505588857.828:792): apparmor="DENIED" operation="open" profile="libvirt-55e9e12c-e6dc-4f56-a547-8514cf7d9bf3" name="/proc/2168180/task/2769256/comm" pid=2168180 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111
Which should be matched by
@{PROC}/sys/vm/overcommit_memory r,
in /etc/apparmor.d/abstractions/libvirt-qemu
I'm seeing similar failures on 16.04 (2.10.95-0ubuntu2.7), 17.04 (2.11.0-2ubuntu4) and 17.10 (2.11.0-2ubuntu17)
I am aware this is a non-default configuration, but I think this should work. |
|
2018-01-12 14:34:18 |
Bug Watch Updater |
apparmor (Debian): status |
Unknown |
Confirmed |
|
2018-01-12 14:40:34 |
Eric Desrochers |
description |
[Impact]
If the PID is larger than 6 digits, apparmor denies the process. This only affects 64-bit systems[1], where PIDs of up to 7 digits can be generated (PID_MAX_LIMIT).
This fix is committed, but not released, so all supported versions are affected.
[1] - man 5 proc
--------------------------------------------------------------------------
/proc/sys/kernel/pid_max (since Linux 2.5.34)
This file specifies the value at which PIDs wrap around (i.e., the value in this file is one greater than the maximum PID). PIDs greater than this value are not allocated; thus, the value in this file also acts as a system-wide limit on the total number of processes and threads. The default value for this file, 32768, results in the same range of PIDs as on earlier kernels. On 32-bit platforms, 32768 is the maximum value for pid_max. On 64-bit systems, pid_max can be set to any value up to 2^22 (PID_MAX_LIMIT, approximately 4 million).
--------------------------------------------------------------------------
[Test Case]
1. making pid over 6 digits
#!/bin/bash
for i in {1..1000000}
do
touch t
done
2. snap install --dangerous core_16-2.29.4.2_amd64.snap (snap core 16-2.30 avoids using /proc/PID/cmdline, so an older version is needed)
3. you can see DENIED msgs in syslog
4. change /etc/apparmor.d/tunables/kernelvars
5. service apparmor restart
6. service snapd restart
7. DENIED is gone
This is one way, can't reproduce this issue again even if you change back to original kernelvars, and restart snapd
OR
Instead of Seyeong's touch approach, things can be manually changed to the 7-digit range via sysctl, as long as the values are below approximately 4 million:
Example:
$ sysctl -w kernel.pid_max=3000000
$ sysctl -w kernel.ns_last_pid=1000000
[Regression]
* This is a minor/trivial fix which changes the pid regex only, allowing 7-digit PIDs instead of only 6-digit PIDs; we don't think there is any potential regression.
* If a regression arises, which we highly doubt, one can quickly revert the change manually and restart the service by modifying the "/etc/apparmor.d/tunables/kernelvars" file to its original state (before this SRU).
[Others]
* Upstream commit:
https://gitlab.com/apparmor/apparmor/commit/630cb2a981cdc731847e8fdaafc45bcd337fe747
http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3722
* Debian bug:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886732
* commit 630cb2a981cdc731847e8fdaafc45bcd337fe747
Author: Vincas Dargis <vindrg@gmail.com>
Date: Sat Sep 30 15:28:15 2017 +0300
Allow seven digit pid
* Affecting releases : TXZAB
--------------------------------------------------------------------------
$ git describe --contains 630cb2a9
v2.11.95~5^2
$ rmadison apparmor
apparmor | 2.8.95~2430-0ubuntu5 | trusty
apparmor | 2.10.95-0ubuntu2.6~14.04.1 | trusty-security
apparmor | 2.10.95-0ubuntu2.6~14.04.1 | trusty-updates
apparmor | 2.10.95-0ubuntu2 | xenial
apparmor | 2.10.95-0ubuntu2.6 | xenial-security
apparmor | 2.10.95-0ubuntu2.7 | xenial-updates
apparmor | 2.11.0-2ubuntu4 | zesty
apparmor | 2.11.0-2ubuntu17 | artful
apparmor | 2.11.0-2ubuntu18 | bionic
$ rmadison -u debian apparmor
apparmor | 2.11.1-4 | unstable
--------------------------------------------------------------------------
[Original Description]
If your kernel.pid_max sysctl is set higher than the default, say at 7 digits, the @{pid} variable no longer matches all pids, causing some breakage in any profile using it.
@{pid} is defined in /etc/apparmor.d/tunables:
@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}
It only covers up to 6 digits.
This Ubuntu 17.04 system has:
kernel.pid_max = 4194303
And is showing
type=1400 audit(1505588857.828:792): apparmor="DENIED" operation="open" profile="libvirt-55e9e12c-e6dc-4f56-a547-8514cf7d9bf3" name="/proc/2168180/task/2769256/comm" pid=2168180 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111
Which should be matched by
@{PROC}/sys/vm/overcommit_memory r,
in /etc/apparmor.d/abstractions/libvirt-qemu
I'm seeing similar failures on 16.04 (2.10.95-0ubuntu2.7), 17.04 (2.11.0-2ubuntu4) and 17.10 (2.11.0-2ubuntu17)
I am aware this is a non-default configuration, but I think this should work. |
|
2018-01-14 22:25:25 |
Bug Watch Updater |
apparmor (Debian): status |
Confirmed |
Fix Released |
|
2018-01-16 01:13:56 |
Eric Desrochers |
apparmor (Ubuntu Bionic): status |
In Progress |
Fix Committed |
|
2018-01-16 21:41:01 |
Eric Desrochers |
bug task deleted |
apparmor (Ubuntu Zesty) |
|
|
2018-01-29 15:54:29 |
Launchpad Janitor |
apparmor (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
2018-01-29 17:04:20 |
Eric Desrochers |
apparmor (Ubuntu Artful): status |
New |
In Progress |
|
2018-01-29 17:04:23 |
Eric Desrochers |
apparmor (Ubuntu Xenial): status |
New |
In Progress |
|
2018-01-29 17:04:25 |
Eric Desrochers |
apparmor (Ubuntu Trusty): status |
New |
In Progress |
|
2018-01-29 17:30:51 |
Eric Desrochers |
tags |
aa-policy sts-sponsor-slashd sts-sru-needed |
aa-policy sts-sponsor-slashd-done sts-sru-needed |
|
2018-02-01 12:32:41 |
Łukasz Zemczak |
apparmor (Ubuntu Artful): status |
In Progress |
Fix Committed |
|
2018-02-01 12:32:46 |
Łukasz Zemczak |
tags |
aa-policy sts-sponsor-slashd-done sts-sru-needed |
aa-policy sts-sponsor-slashd-done sts-sru-needed verification-needed verification-needed-artful |
|
2018-02-01 12:36:07 |
Łukasz Zemczak |
apparmor (Ubuntu Xenial): status |
In Progress |
Fix Committed |
|
2018-02-01 12:36:14 |
Łukasz Zemczak |
tags |
aa-policy sts-sponsor-slashd-done sts-sru-needed verification-needed verification-needed-artful |
aa-policy sts-sponsor-slashd-done sts-sru-needed verification-needed verification-needed-artful verification-needed-xenial |
|
2018-02-01 12:41:20 |
Łukasz Zemczak |
apparmor (Ubuntu Trusty): status |
In Progress |
Fix Committed |
|
2018-02-01 12:41:27 |
Łukasz Zemczak |
tags |
aa-policy sts-sponsor-slashd-done sts-sru-needed verification-needed verification-needed-artful verification-needed-xenial |
aa-policy sts-sponsor-slashd-done sts-sru-needed verification-needed verification-needed-artful verification-needed-trusty verification-needed-xenial |
|
2018-02-02 03:34:36 |
Seyeong Kim |
tags |
aa-policy sts-sponsor-slashd-done sts-sru-needed verification-needed verification-needed-artful verification-needed-trusty verification-needed-xenial |
aa-policy sts-sponsor-slashd-done sts-sru-needed verification-done-xenial verification-needed verification-needed-artful verification-needed-trusty |
|
2018-02-02 06:21:47 |
Seyeong Kim |
tags |
aa-policy sts-sponsor-slashd-done sts-sru-needed verification-done-xenial verification-needed verification-needed-artful verification-needed-trusty |
aa-policy sts-sponsor-slashd-done sts-sru-needed verification-done-artful verification-done-xenial verification-needed verification-needed-trusty |
|
2018-02-02 08:26:51 |
Seyeong Kim |
tags |
aa-policy sts-sponsor-slashd-done sts-sru-needed verification-done-artful verification-done-xenial verification-needed verification-needed-trusty |
aa-policy sts-sponsor-slashd-done sts-sru-needed verification-done-artful verification-done-xenial verification-failed-trusty verification-needed |
|
2018-02-02 15:46:07 |
Eric Desrochers |
tags |
aa-policy sts-sponsor-slashd-done sts-sru-needed verification-done-artful verification-done-xenial verification-failed-trusty verification-needed |
aa-policy regression-proposed-trusty sts-sponsor-slashd-done sts-sru-needed verification-done-artful verification-done-xenial verification-failed-trusty verification-needed |
|
2018-02-02 15:46:35 |
Eric Desrochers |
tags |
aa-policy regression-proposed-trusty sts-sponsor-slashd-done sts-sru-needed verification-done-artful verification-done-xenial verification-failed-trusty verification-needed |
aa-policy sts-sponsor-slashd-done sts-sru-needed verification-done-artful verification-done-xenial verification-failed-trusty verification-needed |
|
2018-02-02 16:20:35 |
Eric Desrochers |
attachment added |
|
profile-14.04-trusty-lp1717714.debdiff https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1717714/+attachment/5047667/+files/profile-14.04-trusty-lp1717714.debdiff |
|
2018-02-02 16:39:19 |
Eric Desrochers |
attachment added |
|
profile-14.04-trusty-lp1717714_V2.debdiff https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1717714/+attachment/5047668/+files/profile-14.04-trusty-lp1717714_V2.debdiff |
|
2018-02-02 18:15:41 |
Eric Desrochers |
apparmor (Ubuntu Trusty): status |
Fix Committed |
In Progress |
|
2018-02-02 18:15:46 |
Eric Desrochers |
apparmor (Ubuntu Trusty): assignee |
Seyeong Kim (xtrusia) |
Eric Desrochers (slashd) |
|
2018-02-02 18:54:18 |
Łukasz Zemczak |
apparmor (Ubuntu Trusty): status |
In Progress |
Fix Committed |
|
2018-02-02 18:54:25 |
Łukasz Zemczak |
tags |
aa-policy sts-sponsor-slashd-done sts-sru-needed verification-done-artful verification-done-xenial verification-failed-trusty verification-needed |
aa-policy sts-sponsor-slashd-done sts-sru-needed verification-done-artful verification-done-xenial verification-needed verification-needed-trusty |
|
2018-02-03 00:11:37 |
Seyeong Kim |
tags |
aa-policy sts-sponsor-slashd-done sts-sru-needed verification-done-artful verification-done-xenial verification-needed verification-needed-trusty |
aa-policy sts-sponsor-slashd-done sts-sru-needed verification-done-artful verification-done-trusty verification-done-xenial verification-needed |
|
2018-02-06 13:43:28 |
Eric Desrochers |
bug |
|
|
added subscriber Eric Desrochers |
2018-02-06 13:43:32 |
Eric Desrochers |
removed subscriber STS Sponsors |
|
|
|
2018-02-08 12:03:26 |
Launchpad Janitor |
apparmor (Ubuntu Artful): status |
Fix Committed |
Fix Released |
|
2018-02-08 12:03:30 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2018-02-08 12:03:44 |
Launchpad Janitor |
apparmor (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
2018-02-12 08:57:35 |
Launchpad Janitor |
apparmor (Ubuntu Trusty): status |
Fix Committed |
Fix Released |
|
2018-04-22 11:31:29 |
Christian Boltz |
apparmor: status |
Fix Committed |
Fix Released |
|
2018-11-27 03:15:15 |
Mathew Hodson |
apparmor/2.11: status |
Fix Committed |
Fix Released |
|
2018-11-27 03:15:48 |
Mathew Hodson |
tags |
aa-policy sts-sponsor-slashd-done sts-sru-needed verification-done-artful verification-done-trusty verification-done-xenial verification-needed |
aa-policy sts-sponsor-slashd-done verification-done-artful verification-done-trusty verification-done-xenial |
|