Bug #2012136 “LSM stacking and AppArmor refresh for 6.2 kernel” : Bugs : linux package : Ubuntu

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2023-03-18: Missing required logs.

#1

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 2012136

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status:	New → Incomplete

Revision history for this message

Launchpad Janitor (janitor) wrote on 2023-04-04:

#2

Download full text (7.8 KiB)

This bug was fixed in the package linux - 6.2.0-19.19

---------------
linux (6.2.0-19.19) lunar; urgency=medium

* lunar/linux: 6.2.0-19.19 -proposed tracker (LP: #2012488)

* Neuter signing tarballs (LP: #2012776)
- [Packaging] neuter the signing tarball

  * LSM stacking and AppArmor refresh for 6.2 kernel (LP: #2012136)
    - Revert "UBUNTU: [Config] define CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS"
    - Revert "UBUNTU: SAUCE: apparmor: add user namespace creation mediation"
    - Revert "UBUNTU: SAUCE: apparmor: Add fine grained mediation of posix
      mqueues"
    - Revert "UBUNTU: SAUCE: Revert "apparmor: make __aa_path_perm() static""
    - Revert "UBUNTU: SAUCE: LSM: Specify which LSM to display (using struct cred
      as input)"
    - Revert "UBUNTU: SAUCE: apparmor: Fix build error, make sk parameter const"
    - Revert "UBUNTU: SAUCE: LSM: Use lsmblob in smk_netlbl_mls()"
    - Revert "UBUNTU: SAUCE: LSM: change ima_read_file() to use lsmblob"
    - Revert "UBUNTU: SAUCE: apparmor: rename kzfree() to kfree_sensitive()"
    - Revert "UBUNTU: SAUCE: AppArmor: Remove the exclusive flag"
    - Revert "UBUNTU: SAUCE: LSM: Add /proc attr entry for full LSM context"
    - Revert "UBUNTU: SAUCE: Audit: Fix incorrect static inline function
      declration."
    - Revert "UBUNTU: SAUCE: Audit: Fix for missing NULL check"
    - Revert "UBUNTU: SAUCE: Audit: Add a new record for multiple object LSM
      attributes"
    - Revert "UBUNTU: SAUCE: Audit: Add new record for multiple process LSM
      attributes"
    - Revert "UBUNTU: SAUCE: NET: Store LSM netlabel data in a lsmblob"
    - Revert "UBUNTU: SAUCE: LSM: security_secid_to_secctx in netlink netfilter"
    - Revert "UBUNTU: SAUCE: LSM: Use lsmcontext in security_inode_getsecctx"
    - Revert "UBUNTU: SAUCE: LSM: Use lsmcontext in security_secid_to_secctx"
    - Revert "UBUNTU: SAUCE: LSM: Ensure the correct LSM context releaser"
    - Revert "UBUNTU: SAUCE: LSM: Specify which LSM to display"
    - Revert "UBUNTU: SAUCE: IMA: Change internal interfaces to use lsmblobs"
    - Revert "UBUNTU: SAUCE: LSM: Use lsmblob in security_cred_getsecid"
    - Revert "UBUNTU: SAUCE: LSM: Use lsmblob in security_inode_getsecid"
    - Revert "UBUNTU: SAUCE: LSM: Use lsmblob in security_task_getsecid"
    - Revert "UBUNTU: SAUCE: LSM: Use lsmblob in security_ipc_getsecid"
    - Revert "UBUNTU: SAUCE: LSM: Use lsmblob in security_secid_to_secctx"
    - Revert "UBUNTU: SAUCE: LSM: Use lsmblob in security_secctx_to_secid"
    - Revert "UBUNTU: SAUCE: net: Prepare UDS for security module stacking"
    - Revert "UBUNTU: SAUCE: LSM: Use lsmblob in security_kernel_act_as"
    - Revert "UBUNTU: SAUCE: LSM: Use lsmblob in security_audit_rule_match"
    - Revert "UBUNTU: SAUCE: LSM: Create and manage the lsmblob data structure."
    - Revert "UBUNTU: SAUCE: LSM: Infrastructure management of the sock security"
    - Revert "UBUNTU: SAUCE: apparmor: LSM stacking: switch from SK_CTX() to
      aa_sock()"
    - Revert "UBUNTU: SAUCE: apparmor: rename aa_sock() to aa_unix_sk()"
    - Revert "UBUNTU: SAUCE: apparmor: disable showing the mode as part of a secid
      to secctx"
    - Revert "UBUNTU: SAUCE: app...

This bug was fixed in the package linux - 6.2.0-19.19

---------------
linux (6.2.0-19.19) lunar; urgency=medium

* lunar/linux: 6.2.0-19.19 -proposed tracker (LP: #2012488)

* Neuter signing tarballs (LP: #2012776)
    - [Packaging] neuter the signing tarball

* LSM stacking and AppArmor refresh for 6.2 kernel (LP: #2012136)
    - Revert "UBUNTU: [Config] define CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS"
    - Revert "UBUNTU: SAUCE: apparmor: add user namespace creation mediation"
    - Revert "UBUNTU: SAUCE: apparmor: Add fine grained mediation of posix
      mqueues"
    - Revert "UBUNTU: SAUCE: Revert "apparmor: make __aa_path_perm() static""
    - Revert "UBUNTU: SAUCE: LSM: Specify which LSM to display (using struct cred
      as input)"
    - Revert "UBUNTU: SAUCE: apparmor: Fix build error, make sk parameter const"
    - Revert "UBUNTU: SAUCE: LSM: Use lsmblob in smk_netlbl_mls()"
    - Revert "UBUNTU: SAUCE: LSM: change ima_read_file() to use lsmblob"
    - Revert "UBUNTU: SAUCE: apparmor: rename kzfree() to kfree_sensitive()"
    - Revert "UBUNTU: SAUCE: AppArmor: Remove the exclusive flag"
    - Revert "UBUNTU: SAUCE: LSM: Add /proc attr entry for full LSM context"
    - Revert "UBUNTU: SAUCE: Audit: Fix incorrect static inline function
      declration."
    - Revert "UBUNTU: SAUCE: Audit: Fix for missing NULL check"
    - Revert "UBUNTU: SAUCE: Audit: Add a new record for multiple object LSM
      attributes"
    - Revert "UBUNTU: SAUCE: Audit: Add new record for multiple process LSM
      attributes"
    - Revert "UBUNTU: SAUCE: NET: Store LSM netlabel data in a lsmblob"
    - Revert "UBUNTU: SAUCE: LSM: security_secid_to_secctx in netlink netfilter"
    - Revert "UBUNTU: SAUCE: LSM: Use lsmcontext in security_inode_getsecctx"
    - Revert "UBUNTU: SAUCE: LSM: Use lsmcontext in security_secid_to_secctx"
    - Revert "UBUNTU: SAUCE: LSM: Ensure the correct LSM context releaser"
    - Revert "UBUNTU: SAUCE: LSM: Specify which LSM to display"
    - Revert "UBUNTU: SAUCE: IMA: Change internal interfaces to use lsmblobs"
    - Revert "UBUNTU: SAUCE: LSM: Use lsmblob in security_cred_getsecid"
    - Revert "UBUNTU: SAUCE: LSM: Use lsmblob in security_inode_getsecid"
    - Revert "UBUNTU: SAUCE: LSM: Use lsmblob in security_task_getsecid"
    - Revert "UBUNTU: SAUCE: LSM: Use lsmblob in security_ipc_getsecid"
    - Revert "UBUNTU: SAUCE: LSM: Use lsmblob in security_secid_to_secctx"
    - Revert "UBUNTU: SAUCE: LSM: Use lsmblob in security_secctx_to_secid"
    - Revert "UBUNTU: SAUCE: net: Prepare UDS for security module stacking"
    - Revert "UBUNTU: SAUCE: LSM: Use lsmblob in security_kernel_act_as"
    - Revert "UBUNTU: SAUCE: LSM: Use lsmblob in security_audit_rule_match"
    - Revert "UBUNTU: SAUCE: LSM: Create and manage the lsmblob data structure."
    - Revert "UBUNTU: SAUCE: LSM: Infrastructure management of the sock security"
    - Revert "UBUNTU: SAUCE: apparmor: LSM stacking: switch from SK_CTX() to
      aa_sock()"
    - Revert "UBUNTU: SAUCE: apparmor: rename aa_sock() to aa_unix_sk()"
    - Revert "UBUNTU: SAUCE: apparmor: disable showing the mode as part of a secid
      to secctx"
    - Revert "UBUNTU: SAUCE: apparmor: fix use after free in sk_peer_label"
    - Revert "UBUNTU: SAUCE: apparmor: af_unix mediation"
    - Revert "UBUNTU: SAUCE: apparmor: patch to provide compatibility with v2.x
      net rules"
    - Revert "UBUNTU: SAUCE: apparmor: add/use fns to print hash string hex value"
    - SAUCE: apparmor: rename SK_CTX() to aa_sock and make it an inline fn
    - SAUCE: apparmor: Add sysctls for additional controls of unpriv userns
      restrictions
    - SAUCE: Stacking v38: LSM: Identify modules by more than name
    - SAUCE: Stacking v38: LSM: Add an LSM identifier for external use
    - SAUCE: Stacking v38: LSM: Identify the process attributes for each module
    - SAUCE: Stacking v38: LSM: Maintain a table of LSM attribute data
    - SAUCE: Stacking v38: proc: Use lsmids instead of lsm names for attrs
    - SAUCE: Stacking v38: integrity: disassociate ima_filter_rule from
      security_audit_rule
    - SAUCE: Stacking v38: LSM: Infrastructure management of the sock security
    - SAUCE: Stacking v38: LSM: Add the lsmblob data structure.
    - SAUCE: Stacking v38: LSM: provide lsm name and id slot mappings
    - SAUCE: Stacking v38: IMA: avoid label collisions with stacked LSMs
    - SAUCE: Stacking v38: LSM: Use lsmblob in security_audit_rule_match
    - SAUCE: Stacking v38: LSM: Use lsmblob in security_kernel_act_as
    - SAUCE: Stacking v38: LSM: Use lsmblob in security_secctx_to_secid
    - SAUCE: Stacking v38: LSM: Use lsmblob in security_secid_to_secctx
    - SAUCE: Stacking v38: LSM: Use lsmblob in security_ipc_getsecid
    - SAUCE: Stacking v38: LSM: Use lsmblob in security_current_getsecid
    - SAUCE: Stacking v38: LSM: Use lsmblob in security_inode_getsecid
    - SAUCE: Stacking v38: LSM: Use lsmblob in security_cred_getsecid
    - SAUCE: Stacking v38: LSM: Specify which LSM to display
    - SAUCE: Stacking v38: LSM: Ensure the correct LSM context releaser
    - SAUCE: Stacking v38: LSM: Use lsmcontext in security_secid_to_secctx
    - SAUCE: Stacking v38: LSM: Use lsmcontext in security_inode_getsecctx
    - SAUCE: Stacking v38: Use lsmcontext in security_dentry_init_security
    - SAUCE: Stacking v38: LSM: security_secid_to_secctx in netlink netfilter
    - SAUCE: Stacking v38: NET: Store LSM netlabel data in a lsmblob
    - SAUCE: Stacking v38: binder: Pass LSM identifier for confirmation
    - SAUCE: Stacking v38: LSM: security_secid_to_secctx module selection
    - SAUCE: Stacking v38: Audit: Keep multiple LSM data in audit_names
    - SAUCE: Stacking v38: Audit: Create audit_stamp structure
    - SAUCE: Stacking v38: LSM: Add a function to report multiple LSMs
    - SAUCE: Stacking v38: Audit: Allow multiple records in an audit_buffer
    - SAUCE: Stacking v38: Audit: Add record for multiple task security contexts
    - SAUCE: Stacking v38: audit: multiple subject lsm values for netlabel
    - SAUCE: Stacking v38: Audit: Add record for multiple object contexts
    - SAUCE: Stacking v38: netlabel: Use a struct lsmblob in audit data
    - SAUCE: Stacking v38: LSM: Removed scaffolding function lsmcontext_init
    - SAUCE: Stacking v38: AppArmor: Remove the exclusive flag
    - SAUCE: apparmor: combine common_audit_data and apparmor_audit_data
    - SAUCE: apparmor: setup slab cache for audit data
    - SAUCE: apparmor: rename audit_data->label to audit_data->subj_label
    - SAUCE: apparmor: pass cred through to audit info.
    - SAUCE: apparmor: Improve debug print infrastructure
    - SAUCE: apparmor: add the ability for profiles to have a learning cache
    - SAUCE: apparmor: enable userspace upcall for mediation
    - SAUCE: apparmor: cache buffers on percpu list if there is lock contention
    - SAUCE: apparmor: fix policy_compat permission remap with extended
      permissions
    - SAUCE: apparmor: advertise availability of exended perms
    - [Config] define CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS

* kinetic: apply new apparmor and LSM stacking patch set (LP: #1989983) // LSM
    stacking and AppArmor refresh for 6.2 kernel (LP: #2012136)
    - SAUCE: apparmor: add/use fns to print hash string hex value
    - SAUCE: apparmor: patch to provide compatibility with v2.x net rules
    - SAUCE: apparmor: add user namespace creation mediation
    - SAUCE: apparmor: af_unix mediation
    - SAUCE: apparmor: Add fine grained mediation of posix mqueues

* devlink_port_split from ubuntu_kernel_selftests.net fails on hirsute
    (KeyError: 'flavour') (LP: #1937133)
    - selftests: net: devlink_port_split.py: skip test if no suitable device
      available

* NFS deathlock with last Kernel 5.4.0-144.161 and 5.15.0-67.74 (LP: #2009325)
    - NFS: Correct timing for assigning access cache timestamp

-- Andrea Righi <andrea.righi@canonical.com>  Sat, 25 Mar 2023 07:37:30 +0100

Changed in linux (Ubuntu Lunar):
status:	Incomplete → Fix Released

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2023-07-19:

#3

This bug is awaiting verification that the linux-azure/6.2.0-1009.9 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-lunar' to 'verification-done-lunar'. If the problem still exists, change the tag 'verification-needed-lunar' to 'verification-failed-lunar'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: kernel-spammed-lunar-linux-azure verification-needed-lunar

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Fix Released	Undecided	Unassigned
	Lunar	Fix Released	Undecided	Unassigned

Ubuntu
linux package

LSM stacking and AppArmor refresh for 6.2 kernel

Bug Description

Other bug subscribers

Remote bug watches

Ubuntulinux package

LSM stacking and AppArmor refresh for 6.2 kernel

Bug Description

Other bug subscribers

Remote bug watches

Ubuntu
linux package