apparmor abi-feature pinning not working with Disco and Eoan kernels
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
linux (Ubuntu) | Incomplete | Undecided | John Johansen | |
Bug Description
When setting a features-file in /etc/apparmor/
This occurs for example when running an Ubuntu kernel with Debian Buster apparmor.
Steps for reproducing:
* Starting from a minimal Buster VM (apparmor 2.13.2-10)
* Install unbound (one example) - apparmor confinement works as expected
* Install a kernel from Ubuntu (tested with: 5.0.0-25.26 from disco and 5.2.0-15.16 from eoan)
* Reboot - unbound fails to start - the following messages are in `dmesg`:
```
[ 3.109740] audit: type=1400 audit(156752703
[ 3.113969] audit: type=1400 audit(156752703
[ 5.322119] audit: type=1400 audit(156752703
[ 5.324621] audit: type=1400 audit(156752703
[ 5.326335] audit: type=1400 audit(156752703
```
The problem does not occur when:
* booting the corresponding mainline kernels (5.0.18 and 5.29)
* booting Debian kernels (5.2.9-2 from testing+sid and 4.19.0-5-amd64 from buster)
* the features-file is changed to reflect the features present in Ubuntu kernels
* the features-file option is removed (commented out) in /etc/apparmor/
Opening the bug against linux and not apparmor, because it looks to me like the issue might be in the Ubuntu patches.
Glad to provide further information and help testing!
Thanks for all your great work!
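The report observes that the failure disappears once the features-file reflects the features present in the Ubuntu kernel. As an added triage example (not part of the bug report and not AppArmor project code), the Python below parses a pinned features file and lists the leaves where it differs from the running kernel's feature set. It assumes the nested `name {value}` text layout for the features file and a one-file-per-leaf kernel tree such as the securityfs directory `/sys/kernel/security/apparmor/features`; the function names and sample strings are constructed for illustration.

```python
import os
import re

# Assumption: nested "name {value}" layout. Both sample strings are constructed.
PINNED = "caps {mask {chown kill\n}\n}\nsignal {mask {hup int\n}\n}\n"
RUNNING = ("caps {mask {chown kill\n}\n}\nsignal {mask {hup int kill\n}\n}\n"
           "dbus {mask {send receive\n}\n}\n")

def parse_features(text):
    """Parse a flattened features file into {"dir/leaf": {tokens}}."""
    leaves, stack, pending, fresh = {}, [], "", False
    for tok in re.split(r"([{}])", text):
        if tok == "{":
            stack.append(pending.strip())   # text before "{" names the entry
            pending, fresh = "", True
        elif tok == "}":
            if not stack:
                raise ValueError("unbalanced '}' in features file")
            if fresh:                       # no nested "{" since push: a leaf
                leaves["/".join(stack)] = set(pending.split())
            stack.pop()
            pending, fresh = "", False
        else:
            pending = tok
    if stack:
        raise ValueError("unterminated entry: " + "/".join(stack))
    return leaves

def read_kernel_features(root):
    """Read a kernel features tree (one file per leaf) into the same shape."""
    leaves = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full) as fh:
                leaves[rel] = set(fh.read().split())
    return leaves

def compare(pinned, kernel):
    """Return sorted (path, only_in_pinned, only_in_kernel) for differing leaves."""
    out = []
    for path in sorted(set(pinned) | set(kernel)):
        a, b = pinned.get(path), kernel.get(path)
        if a != b:
            a, b = a or set(), b or set()
            out.append((path, sorted(a - b), sorted(b - a)))
    return out

if __name__ == "__main__":
    print(compare(parse_features(PINNED), parse_features(RUNNING)))
```

On a live system, pass the parsed features file and `read_kernel_features()` of the kernel's tree to `compare()`; reading securityfs may require root. An empty result means the pinned file and the running kernel advertise the same leaves and values.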
Changed in linux (Ubuntu):
assignee: nobody → John Johansen (jjohansen)
This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:
```
apport-collect 1842459
```
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.