
group.of.nepali.translators team mailing list archive

[Bug 1648903] Re: Permission denied and inconsistent behavior in complain mode with 'ip netns list' command


This bug was fixed in the package linux - 4.8.0-40.43

---------------
linux (4.8.0-40.43) yakkety; urgency=low

  * linux: 4.8.0-40.43 -proposed tracker (LP: #1667066)

  [ Andy Whitcroft ]
  * NFS client: permission denied when trying to access subshare, since kernel
    4.4.0-31 (LP: #1649292)
    - fs: Better permission checking for submounts

  * shaking screen (LP: #1651981)
    - drm/radeon: drop verde dpm quirks

  * [0bda:0328] Card reader failed after S3 (LP: #1664809)
    - usb: hub: Wait for connection to be reestablished after port reset

  * linux-lts-xenial 4.4.0-63.84~14.04.2 ADT test failure with linux-lts-xenial
    4.4.0-63.84~14.04.2 (LP: #1664912)
    - SAUCE: apparmor: fix link auditing failure due to, uninitialized var

  * In Ubuntu 17.04 : after reboot getting message in console like Unable to
    open file: /etc/keys/x509_ima.der (-2) (LP: #1656908)
    - SAUCE: ima: Downgrade error to warning

  * 16.04.2: Extra patches for POWER9 (LP: #1664564)
    - powerpc/mm: Fix no execute fault handling on pre-POWER5
    - powerpc/mm: Fix spurious segfaults on radix with autonuma

  * ibmvscsis: Add SGL LIMIT (LP: #1662551)
    - ibmvscsis: Add SGL limit

  * [Hyper-V] Bug fixes for storvsc (tagged queuing, error conditions)
    (LP: #1663687)
    - scsi: storvsc: Enable tracking of queue depth
    - scsi: storvsc: Remove the restriction on max segment size
    - scsi: storvsc: Enable multi-queue support
    - scsi: storvsc: use tagged SRB requests if supported by the device
    - scsi: storvsc: properly handle SRB_ERROR when sense message is present
    - scsi: storvsc: properly set residual data length on errors

  * Ubuntu16.10-KVM:Big configuration with multiple guests running SRIOV VFs
    caused KVM host hung and all KVM guests down. (LP: #1651248)
    - KVM: PPC: Book 3S: XICS cleanup: remove XICS_RM_REJECT
    - KVM: PPC: Book 3S: XICS: correct the real mode ICP rejecting counter
    - KVM: PPC: Book 3S: XICS: Fix potential issue with duplicate IRQ resends
    - KVM: PPC: Book 3S: XICS: Implement ICS P/Q states
    - KVM: PPC: Book 3S: XICS: Don't lock twice when checking for resend

  * ISST-LTE:pNV: ppc64_cpu command is hung w HDs, SSDs and NVMe (LP: #1662666)
    - blk-mq: Avoid memory reclaim when remapping queues
    - blk-mq: Fix failed allocation path when mapping queues
    - blk-mq: Always schedule hctx->next_cpu

  * systemd-udevd hung in blk_mq_freeze_queue_wait testing unpartitioned NVMe
    drive (LP: #1662673)
    - percpu-refcount: fix reference leak during percpu-atomic transition

  * [Yakkety SRU] Enable KEXEC support in ARM64 kernel (LP: #1662554)
    - [Config] Enable KEXEC support in ARM64.

  * [Hyper-V] Fix ring buffer handling to avoid host throttling (LP: #1661430)
    - Drivers: hv: vmbus: On write cleanup the logic to interrupt the host
    - Drivers: hv: vmbus: On the read path cleanup the logic to interrupt the host
    - Drivers: hv: vmbus: finally fix hv_need_to_signal_on_read()

  * brd module compiled as built-in (LP: #1593293)
    - CONFIG_BLK_DEV_RAM=m

  * regression tests failing after stackprofile test is run (LP: #1661030)
    - SAUCE: fix regression with domain change in complain mode

  * Permission denied and inconsistent behavior in complain mode with 'ip netns
    list' command (LP: #1648903)
    - SAUCE: fix regression with domain change in complain mode

  * flock not mediated by 'k' (LP: #1658219)
    - SAUCE: apparmor: flock mediation is not being enforced on cache check

  * unexpected errno=13 and disconnected path when trying to open /proc/1/ns/mnt
    from a unshared mount namespace (LP: #1656121)
    - SAUCE: apparmor: null profiles should inherit parent control flags

  * apparmor refcount leak of profile namespace when removing profiles
    (LP: #1660849)
    - SAUCE: apparmor: fix ns ref count link when removing profiles from policy

  * tor in lxd: apparmor="DENIED" operation="change_onexec"
    namespace="root//CONTAINERNAME_<var-lib-lxd>" profile="unconfined"
    name="system_tor" (LP: #1648143)
    - SAUCE: apparmor: Fix no_new_privs blocking change_onexec when using stacked
      namespaces

  * apparmor_parser hangs indefinitely when called by multiple threads
    (LP: #1645037)
    - SAUCE: apparmor: fix lock ordering for mkdir

  * apparmor leaking securityfs pin count (LP: #1660846)
    - SAUCE: apparmor: fix leak on securityfs pin count

  * apparmor reference count leak when securityfs_setup_d_inode\ () fails
    (LP: #1660845)
    - SAUCE: apparmor: fix reference count leak when securityfs_setup_d_inode()
      fails

  * apparmor not checking error if security_pin_fs() fails (LP: #1660842)
    - SAUCE: apparmor: fix not handling error case when securityfs_pin_fs() fails

  * apparmor oops in bind_mnt when dev_path lookup fails (LP: #1660840)
    - SAUCE: apparmor: fix oops in bind_mnt when dev_path lookup fails

  * apparmor auditing denied access of special apparmor .null file
    (LP: #1660836)
    - SAUCE: apparmor: Don't audit denied access of special apparmor .null file

  * apparmor label leak when new label is unused (LP: #1660834)
    - SAUCE: apparmor: fix label leak when new label is unused

  * apparmor reference count bug in label_merge_insert() (LP: #1660833)
    - SAUCE: apparmor: fix reference count bug in label_merge_insert()

  * apparmor's raw_data file in securityfs is sometimes truncated (LP: #1638996)
    - SAUCE: apparmor: fix replacement race in reading rawdata

  * unix domain socket cross permission check failing with nested namespaces
    (LP: #1660832)
    - SAUCE: apparmor: fix cross ns perm of unix domain sockets

  * Enable CONFIG_NET_DROP_MONITOR=m in Ubuntu Kernel (LP: #1660634)
    - [Config] CONFIG_NET_DROP_MONITOR=m

  * Linux kernel 4.8 hangs at boot up (LP: #1659340)
    - SAUCE: x86/efi: Always map first physical page into EFI pagetables

  * s390/kconfig: CONFIG_NUMA without CONFIG_NUMA_EMU does not make any sense on
    s390x (LP: #1557690)
    - [Config] CONFIG_NUMA_BALANCING=y
    - [Config] CONFIG_NUMA=y, CONFIG_NUMA_EMU=y for s390x

 -- Thadeu Lima de Souza Cascardo <cascardo@xxxxxxxxxxxxx>  Wed, 22 Feb 2017 15:03:35 -0300

** Changed in: linux (Ubuntu Yakkety)
       Status: Fix Committed => Fix Released

** Changed in: linux (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1648903

Title:
  Permission denied and inconsistent behavior in complain mode with 'ip
  netns list' command

Status in AppArmor:
  In Progress
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Released

Bug description:
  On 16.04 with Ubuntu 4.4.0-53.74-generic 4.4.30

  With this profile:

  #include <tunables/global>

  profile test (attach_disconnected,complain) {
    #include <abstractions/base>

    /{,usr/}{,s}bin/ip ixr,  # COMMENT OUT THIS RULE TO SEE WEIRDNESS

    capability sys_admin,
    capability net_admin,
    capability sys_ptrace,

    network netlink raw,

    ptrace (trace),

    / r,
    /run/netns/ rw,
    /run/netns/* rw,

    mount options=(rw, rshared) -> /run/netns/,
    mount options=(rw, bind) /run/netns/ -> /run/netns/,
    mount options=(rw, bind) / -> /run/netns/*,
    mount options=(rw, rslave) /,
    mount options=(rw, rslave), # LP: #1648245
    umount /sys/,
    umount /,

    /bin/dash ixr,
  }

  Everything is fine when I do:
  $ sudo apparmor_parser -r /home/jamie/apparmor.profile && sudo aa-exec -p test -- sh -c 'ip netns list'
  $

  and there are no ALLOWED entries in syslog.

  However, if I comment out the '/{,usr/}{,s}bin/ip ixr,' rule, I get a permission denied and a bunch of ALLOWED entries:

  $ sudo apparmor_parser -r /home/jamie/apparmor.profile && sudo aa-exec -p test -- sh -c 'ip netns list'
  open("/proc/self/ns/net"): Permission denied
  Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.862629] audit: type=1400 audit(1481324889.782:469): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="test" pid=4314 comm="apparmor_parser"
  Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.870339] audit: type=1400 audit(1481324889.790:470): apparmor="ALLOWED" operation="exec" profile="test" name="/bin/ip" pid=4317 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="test//null-/bin/ip"
  Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.870559] audit: type=1400 audit(1481324889.790:471): apparmor="ALLOWED" operation="open" profile="test//null-/bin/ip" name="/etc/ld.so.cache" pid=4317 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.870628] audit: type=1400 audit(1481324889.790:472): apparmor="ALLOWED" operation="open" profile="test//null-/bin/ip" name="/lib/x86_64-linux-gnu/libdl-2.23.so" pid=4317 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.870703] audit: type=1400 audit(1481324889.790:473): apparmor="ALLOWED" operation="open" profile="test//null-/bin/ip" name="/lib/x86_64-linux-gnu/libc-2.23.so" pid=4317 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.870861] audit: type=1400 audit(1481324889.790:474): apparmor="ALLOWED" operation="file_mprotect" profile="test//null-/bin/ip" name="/bin/ip" pid=4317 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.870913] audit: type=1400 audit(1481324889.790:475): apparmor="ALLOWED" operation="file_mprotect" profile="test//null-/bin/ip" name="/lib/x86_64-linux-gnu/ld-2.23.so" pid=4317 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.871019] audit: type=1400 audit(1481324889.790:476): apparmor="ALLOWED" operation="create" profile="test//null-/bin/ip" pid=4317 comm="ip" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
  Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.871066] audit: type=1400 audit(1481324889.790:477): apparmor="ALLOWED" operation="setsockopt" profile="test//null-/bin/ip" pid=4317 comm="ip" family="netlink" sock_type="raw" protocol=0 requested_mask="setopt" denied_mask="setopt"
  Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.871099] audit: type=1400 audit(1481324889.790:478): apparmor="ALLOWED" operation="setsockopt" profile="test//null-/bin/ip" pid=4317 comm="ip" family="netlink" sock_type="raw" protocol=0 requested_mask="setopt" denied_mask="setopt"
  Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.871128] audit: type=1400 audit(1481324889.790:479): apparmor="ALLOWED" operation="bind" profile="test//null-/bin/ip" pid=4317 comm="ip" family="netlink" sock_type="raw" protocol=0 requested_mask="bind" denied_mask="bind"
  Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.871672] audit: type=1400 audit(1481324889.794:480): apparmor="ALLOWED" operation="getsockname" profile="test//null-/bin/ip" pid=4317 comm="ip" family="netlink" sock_type="raw" protocol=0 requested_mask="getattr" denied_mask="getattr"
  Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.871770] audit: type=1400 audit(1481324889.794:481): apparmor="ALLOWED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="test//null-/bin/ip" name="" pid=4317 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
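As an added example (not code from the bug report or the kernel changelog), the Python below runs a triage pass over audit lines modelled on the ones above: it flags the complain-mode exec into a `test//null-...` profile, which tells the profile author that an `ix` rule for that binary is missing, and the disconnected-path open that still carries error=-13 even though the profile is in complain mode. The sample lines and the hostname are constructed.

```python
import re

# Constructed sample: three audit lines modelled on the ones in the bug report.
SAMPLE_LOG = """\
Dec  9 17:08:09 host kernel: [ 3117.870339] audit: type=1400 audit(1481324889.790:470): apparmor="ALLOWED" operation="exec" profile="test" name="/bin/ip" pid=4317 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="test//null-/bin/ip"
Dec  9 17:08:09 host kernel: [ 3117.871019] audit: type=1400 audit(1481324889.790:476): apparmor="ALLOWED" operation="create" profile="test//null-/bin/ip" pid=4317 comm="ip" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
Dec  9 17:08:09 host kernel: [ 3117.871770] audit: type=1400 audit(1481324889.794:481): apparmor="ALLOWED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="test//null-/bin/ip" name="" pid=4317 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs; values are either "quoted" (may be empty) or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_audit_line(line):
    """Return the key/value fields of one AppArmor audit line, or None
    if the line is not an apparmor audit record. Quoted values are unquoted."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def triage(log_text):
    """Walk ALLOWED (complain-mode) records and classify them:
    - exec whose target is a //null- profile: the confining profile has no
      exec rule for that binary (the fix in the report is an 'ixr' rule);
    - a lookup failure with 'disconnected path' still carrying error=-13;
    - any other activity attributed to a null profile."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if not ev or ev.get('apparmor') != 'ALLOWED':
            continue
        profile = ev.get('profile', '')
        if ev.get('operation') == 'exec' and '//null-' in ev.get('target', ''):
            findings.append(('missing-exec-rule', profile, ev.get('name')))
        elif 'disconnected path' in ev.get('info', ''):
            findings.append(('disconnected-path', profile, ev.get('error')))
        elif '//null-' in profile:
            findings.append(('null-profile-activity', profile, ev.get('operation')))
    return findings


if __name__ == '__main__':
    for kind, profile, detail in triage(SAMPLE_LOG):
        print(f'{kind:22} profile={profile} detail={detail}')
```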

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1648903/+subscriptions