apparmor notification files verification
- Mantic (23.10)
- Bug #2040250
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
linux (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Mantic |
Won't Fix
|
Undecided
|
John Johansen |
Bug Description
apparmor notifications on the 6.5 kernel are failing verification between the header size and the returned size.
When strings are appended to the notification the header size should
be updated to reflect the correct size. While the size is also
directly returned as part of delivering the notification, the header
should also be update to conform to specification and allow for
verification.
If verification is enabled and the notification contains appended
strings then notifications fail verification and won't be delivered.
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Missing required logs. | #1 |
Changed in linux (Ubuntu): | |
status: | New → Incomplete |
Changed in linux (Ubuntu Mantic): | |
status: | New → Incomplete |
Changed in linux (Ubuntu Mantic): | |
status: | Incomplete → Fix Committed |
Changed in linux (Ubuntu): | |
status: | Incomplete → Invalid |
Changed in linux (Ubuntu Mantic): | |
assignee: | nobody → John Johansen (jjohansen) |
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : | #2 |
This bug is awaiting verification that the linux/6.5.0-12.12 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/
tags: | added: kernel-spammed-mantic-linux-v2 verification-needed-mantic-linux |
John Johansen (jjohansen) wrote : | #3 |
Notifications now work as expected, not triggering the verification failure
tags: |
added: verification-done-mantic-linux removed: kernel-spammed-mantic-linux-v2 verification-needed-mantic-linux |
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : | #4 |
This bug is awaiting verification that the linux/6.5.0-12.12 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/
tags: |
added: kernel-spammed-mantic-linux-v2 verification-needed-mantic-linux removed: verification-done-mantic-linux |
tags: |
added: verification-done-mantic-linux removed: verification-needed-mantic-linux |
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : | #5 |
This bug is awaiting verification that the linux-laptop/
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/
tags: | added: kernel-spammed-mantic-linux-laptop-v2 verification-needed-mantic-linux-laptop |
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : | #6 |
This bug is awaiting verification that the linux-lowlatenc
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : | #7 |
This bug is awaiting verification that the linux-azure/
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/
tags: | added: kernel-spammed-mantic-linux-azure-v2 verification-needed-mantic-linux-azure |
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : | #8 |
This bug is awaiting verification that the linux-gcp/
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/
tags: | added: kernel-spammed-mantic-linux-gcp-v2 verification-needed-mantic-linux-gcp |
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : | #9 |
This bug is awaiting verification that the linux-hwe-
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/
tags: | added: kernel-spammed-jammy-linux-hwe-6.5-v2 verification-needed-jammy-linux-hwe-6.5 |
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : | #10 |
This bug is awaiting verification that the linux-nvidia-
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/
tags: | added: kernel-spammed-jammy-linux-nvidia-6.5-v2 verification-needed-jammy-linux-nvidia-6.5 |
Launchpad Janitor (janitor) wrote : | #11 |
This bug was fixed in the package linux - 6.6.0-14.14
---------------
linux (6.6.0-14.14) noble; urgency=medium
* noble/linux: 6.6.0-14.14 -proposed tracker (LP: #2045243)
* Noble update: v6.6.3 upstream stable release (LP: #2045244)
- locking/
- btrfs: abort transaction on generation mismatch when marking eb as dirty
- lib/generic-
- x86/retpoline: Make sure there are no unconverted return thunks due to KCSAN
- perf/core: Bail out early if the request AUX area is out of bound
- srcu: Fix srcu_struct node grpmask overflow on 64-bit systems
- selftests/lkdtm: Disable CONFIG_UBSAN_TRAP in test config
- clocksource/
- clocksource/
- srcu: Only accelerate on enqueue time
- smp,csd: Throw an error if a CSD lock is stuck for too long
- cpu/hotplug: Don't offline the last non-isolated CPU
- workqueue: Provide one lock class key per work_on_cpu() callsite
- x86/mm: Drop the 4 MB restriction on minimal NUMA node memory size
- wifi: plfxlc: fix clang-specific fortify warning
- wifi: ath12k: Ignore fragments from uninitialized peer in dp
- wifi: mac80211_hwsim: fix clang-specific fortify warning
- wifi: mac80211: don't return unset power in ieee80211_
- atl1c: Work around the DMA RX overflow issue
- bpf: Detect IP == ksym.end as part of BPF program
- wifi: ath9k: fix clang-specific fortify warnings
- wifi: ath12k: fix possible out-of-bound read in ath12k_
- wifi: ath10k: fix clang-specific fortify warning
- wifi: ath12k: fix possible out-of-bound write in
ath12k_
- ACPI: APEI: Fix AER info corruption when error status data has multiple
sections
- net: sfp: add quirk for Fiberstone GPON-ONU-34-20BI
- wifi: mt76: mt7921e: Support MT7992 IP in Xiaomi Redmibook 15 Pro (2023)
- wifi: mt76: fix clang-specific fortify warnings
- net: annotate data-races around sk->sk_
- net: annotate data-races around sk->sk_
- wifi: ath12k: mhi: fix potential memory leak in ath12k_
- wifi: ath10k: Don't touch the CE interrupt registers after power up
- net: sfp: add quirk for FS's 2.5G copper SFP
- vsock: read from socket's error queue
- bpf: Ensure proper register state printing for cond jumps
- wifi: iwlwifi: mvm: fix size check for fw_link_id
- Bluetooth: btusb: Add date->evt_skb is NULL check
- Bluetooth: Fix double free in hci_conn_cleanup
- ACPI: EC: Add quirk for HP 250 G7 Notebook PC
- tsnep: Fix tsnep_request_irq() format-overflow warning
- gpiolib: acpi: Add a ignore interrupt quirk for Peaq C1010
- platform/chrome: kunit: initialize lock for fake ec_dev
- of: address: Fix address translation when address-size is greater than 2
- platform/x86: thinkpad_acpi: Add battery quirk for Thinkpad X120e
- drm/gma500: Fix call trace when psb_gem_mm_init() fails
- drm/amdkfd: rateli...
Changed in linux (Ubuntu): | |
status: | Invalid → Fix Released |
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : | #12 |
This bug is awaiting verification that the linux-lowlatenc
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/
tags: | added: kernel-spammed-jammy-linux-lowlatency-hwe-6.5-v2 verification-needed-jammy-linux-lowlatency-hwe-6.5 |
Georgia Garcia (georgiag) wrote : | #13 |
Verification passed for linux gcp. I ran the AppArmor QA Regression Tests [1] and specific prompting tests [2].
georgia@
Linux sec-mantic-amd64 6.5.0-1010-gcp #10-Ubuntu SMP Fri Nov 17 21:33:36 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
georgia@
xpass: PROMPT (allow (rule link file l)) - root
xpass: PROMPT (allow (flag link file l)) - root
xpass: PROMPT (allow (rule mmap_exec file rwm)) - root
xpass: PROMPT (allow (flag mmap_exec file rwm)) - root
xpass: PROMPT (allow (rule lock file rwk)) - root
xpass: PROMPT (allow (flag lock file rwk)) - root
xpass: PROMPT (allow (rule exec file rix)) - root
xpass: PROMPT (allow (flag exec file rix)) - root
xpass: PROMPT (allow (rule exec file ux)) - root
xpass: PROMPT (allow (flag exec file ux)) - root
georgia@
.....
-------
Ran 62 tests in 1325.124s
OK (skipped=3)
[1] https:/
[2] https:/
tags: |
added: verification-done-mantic-linux-gcp removed: verification-needed-mantic-linux-gcp |
Georgia Garcia (georgiag) wrote : | #14 |
Verification passed for linux azure. I ran the AppArmor QA Regression Tests [1] and specific prompting tests [2].
georgia@
Linux sec-mantic-amd64 6.5.0-1010-azure #10-Ubuntu SMP Mon Nov 20 20:14:42 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
georgia@
xpass: PROMPT (allow (rule link file l)) - root
xpass: PROMPT (allow (flag link file l)) - root
xpass: PROMPT (allow (rule mmap_exec file rwm)) - root
xpass: PROMPT (allow (flag mmap_exec file rwm)) - root
xpass: PROMPT (allow (rule lock file rwk)) - root
xpass: PROMPT (allow (flag lock file rwk)) - root
xpass: PROMPT (allow (rule exec file rix)) - root
xpass: PROMPT (allow (flag exec file rix)) - root
xpass: PROMPT (allow (rule exec file ux)) - root
xpass: PROMPT (allow (flag exec file ux)) - root
georgia@
.....
-------
Ran 62 tests in 1300.394s
OK (skipped=3)
[1] https:/
[2] https:/
tags: |
added: verification-done-mantic-linux-azure removed: verification-needed-mantic-linux-azure |
Georgia Garcia (georgiag) wrote : | #15 |
Verification passed for jammy-linux-
georgia@
Linux sec-jammy-amd64 6.5.0-1007-nvidia #7-Ubuntu SMP PREEMPT_DYNAMIC Wed Dec 6 01:27:37 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
georgia@
xpass: PROMPT (allow (rule link file l)) - root
xpass: PROMPT (allow (flag link file l)) - root
xpass: PROMPT (allow (rule mmap_exec file rwm)) - root
xpass: PROMPT (allow (flag mmap_exec file rwm)) - root
xpass: PROMPT (allow (rule lock file rwk)) - root
xpass: PROMPT (allow (flag lock file rwk)) - root
xpass: PROMPT (allow (rule exec file rix)) - root
xpass: PROMPT (allow (flag exec file rix)) - root
xpass: PROMPT (allow (rule exec file ux)) - root
xpass: PROMPT (allow (flag exec file ux)) - root
georgia@
.....
-------
Ran 62 tests in 1435.853s
OK (skipped=2)
[1] https:/
[2] https:/
tags: |
added: verification-done-jammy-linux-nvidia-6.5 removed: verification-needed-jammy-linux-nvidia-6.5 |
Georgia Garcia (georgiag) wrote : | #16 |
Verification passed for jammy-linux-
georgia@
Linux sec-jammy-amd64 6.5.0-14-lowlatency #14.1~22.
georgia@
[sudo] password for georgia:
xpass: PROMPT (allow (rule link file l)) - root
xpass: PROMPT (allow (flag link file l)) - root
xpass: PROMPT (allow (rule mmap_exec file rwm)) - root
xpass: PROMPT (allow (flag mmap_exec file rwm)) - root
xpass: PROMPT (allow (rule lock file rwk)) - root
xpass: PROMPT (allow (flag lock file rwk)) - root
xpass: PROMPT (allow (rule exec file rix)) - root
xpass: PROMPT (allow (flag exec file rix)) - root
xpass: PROMPT (allow (rule exec file ux)) - root
xpass: PROMPT (allow (flag exec file ux)) - root
georgia@
.....
-------
Ran 62 tests in 1366.317s
OK (skipped=2)
[1] https:/
[2] https:/
tags: |
added: verification-done-jammy-linux-lowlatency-hwe-6.5 removed: verification-needed-jammy-linux-lowlatency-hwe-6.5 |
Georgia Garcia (georgiag) wrote : | #17 |
Verification passed for jammy-linux-
georgia@
Linux sec-jammy-amd64 6.5.0-14-generic #14~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Nov 20 18:15:30 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
georgia@
xpass: PROMPT (allow (rule link file l)) - root
xpass: PROMPT (allow (flag link file l)) - root
xpass: PROMPT (allow (rule mmap_exec file rwm)) - root
xpass: PROMPT (allow (flag mmap_exec file rwm)) - root
xpass: PROMPT (allow (rule lock file rwk)) - root
xpass: PROMPT (allow (flag lock file rwk)) - root
xpass: PROMPT (allow (rule exec file rix)) - root
xpass: PROMPT (allow (flag exec file rix)) - root
xpass: PROMPT (allow (rule exec file ux)) - root
xpass: PROMPT (allow (flag exec file ux)) - root
georgia@
.....
-------
Ran 62 tests in 1360.734s
OK (skipped=2)
[1] https:/
[2] https:/
tags: |
added: verification-done-jammy-linux-hwe-6.5 removed: verification-needed-jammy-linux-hwe-6.5 |
Georgia Garcia (georgiag) wrote : | #18 |
Verification passed for mantic-
georgia@
Linux sec-mantic-arm64 6.5.0-1007-laptop #10-Ubuntu SMP PREEMPT_DYNAMIC Wed Nov
22 20:27:28 UTC 2023 aarch64 aarch64 aarch64 GNU/Linux
georgia@
xpass: PROMPT (allow (rule link file l)) - root
xpass: PROMPT (allow (flag link file l)) - root
xpass: PROMPT (allow (rule mmap_exec file rwm)) - root
xpass: PROMPT (allow (flag mmap_exec file rwm)) - root
xpass: PROMPT (allow (rule lock file rwk)) - root
xpass: PROMPT (allow (flag lock file rwk)) - root
xpass: PROMPT (allow (rule exec file rix)) - root
xpass: PROMPT (allow (flag exec file rix)) - root
xpass: PROMPT (allow (rule exec file ux)) - root
xpass: PROMPT (allow (flag exec file ux)) - root
georgia@
ERROR: test_dbus (__main_
Test dbus apparmor activation from dbus-tests
-------
Traceback (most recent call last):
File "/home/
rc, report = testlib.
File "/home/
out, outerr = sp.communicate(
File "/usr/lib/
stdout, stderr = self._communica
File "/usr/lib/
self.
File "/usr/lib/
raise TimeoutExpired(
subprocess.
-------
running attach_disconnected
Fatal Error (unix_fd_server): Unable to run test sub-executable
PASSED: aa_exec access at_secure introspect capabilities changeprofile onexec changehat changehat_fork changehat_misc chdir clone coredump deleted e2e environ exec exec_qual fchdir fd_inheritance fork i18n link link_subset mkdir mmap mount mult_mount named_pipe namespaces net_raw open openat pipe pivot_root posix_ipc ptrace pwrite query_label regex rename readdir rw socketpair swap sd_flags setattr symlink syscall sysv_ipc tcp unix_fd_server unix_socket_
tags: |
added: verification-done-mantic-linux-laptop removed: verification-needed-mantic-linux-laptop |
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : | #19 |
This bug is awaiting verification that the linux-nvidia-
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/
tags: | added: kernel-spammed-jammy-linux-nvidia-6.8-v2 verification-needed-jammy-linux-nvidia-6.8 |
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : | #20 |
This bug is awaiting verification that the linux-gke/
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/
tags: | added: kernel-spammed-noble-linux-gke-v2 verification-needed-noble-linux-gke |
tags: |
added: verification-done-jammy-linux-nvidia-6.8 verification-done-noble-linux-gke removed: verification-needed-jammy-linux-nvidia-6.8 verification-needed-noble-linux-gke |
Brian Murray (brian-murray) wrote : | #21 |
Ubuntu 23.10 (Mantic Minotaur) has reached end of life, so this bug will not be fixed for that specific release.
Changed in linux (Ubuntu Mantic): | |
status: | Fix Committed → Won't Fix |
This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:
apport-collect 2040250
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.