
group.of.nepali.translators team mailing list archive

[Bug 1677959] Re: change_profile incorrect when using namespaces with a compound stack

 

This bug was fixed in the package linux - 4.10.0-19.21

---------------
linux (4.10.0-19.21) zesty; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1680535

  * ADT regressions caused by "audit: fix auditd/kernel connection state
    tracking" (LP: #1680532)
    - SAUCE: Revert "audit: fix auditd/kernel connection state tracking"

  * Miscellaneous Ubuntu changes
    - [Config] updateconfigs to update CONFIG_GENERIC_CSUM for ppc64el
      This cleans up behind a Kconfig change that went undetected.

linux (4.10.0-18.20) zesty; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1680168

  * smartpqi driver needed in initram disk and installer (LP: #1680156)
    - UBUNU: [Config] Add smartpqi to d-i

linux (4.10.0-17.19) zesty; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1679718

  * Fix CVE-2017-7308 (LP: #1678009)
    - net/packet: fix overflow in check for priv area size
    - net/packet: fix overflow in check for tp_frame_nr
    - net/packet: fix overflow in check for tp_reserve

  * apparmor: oops on boot if parameters set on grub command line (LP: #1678048)
    - SAUCE: apparmor: fix parameters so that the permission test is bypassed at boot

  * apparmor: does not provide a way to detect policy updataes (LP: #1678032)
    - SAUCE: apparmor: add policy revision file interface

  * apparmor does not make support of query data visible (LP: #1678023)
    - SAUCE: apparmor: add label data availability to the feature set

  * apparmor query interface does not make supported query info available
    (LP: #1678030)
    - SAUCE: apparmor: add information about the query inteface to the feature set

  * change_profile incorrect when using namespaces with a compound stack
    (LP: #1677959)
    - SAUCE: apparmor: fix label parse for stacked labels

  * Zesty update to v4.10.8 stable release (LP: #1678930)
    - xfrm: policy: init locks early
    - xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window
    - xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder
    - KVM: nVMX: Fix nested VPID vmx exec control
    - KVM: x86: cleanup the page tracking SRCU instance
    - virtio_balloon: init 1st buffer in stats vq
    - pinctrl: qcom: Don't clear status bit on irq_unmask
    - c6x/ptrace: Remove useless PTRACE_SETREGSET implementation
    - h8300/ptrace: Fix incorrect register transfer count
    - mips/ptrace: Preserve previous registers for short regset write
    - sparc/ptrace: Preserve previous registers for short regset write
    - metag/ptrace: Preserve previous registers for short regset write
    - metag/ptrace: Provide default TXSTATUS for short NT_PRSTATUS
    - metag/ptrace: Reject partial NT_METAG_RPIPE writes
    - qla2xxx: Allow vref count to timeout on vport delete.
    - sched/rt: Add a missing rescheduling point
    - usb: musb: fix possible spinlock deadlock
    - Linux 4.10.8

  * [Hyper-V] pci-hyperv: Use device serial number as PCI domain (LP: #1667527)
    - net/mlx4_core: Use cq quota in SRIOV when creating completion EQs
    - PCI: hv: Use device serial number as PCI domain

  * Miscellaneous Ubuntu changes
    - [Config] flash-kernel should be a Breaks
    - [Config] drop the info directory
    - [Config] drop NOTES as obsolete
    - [Config] drop changelog.historical as obsolete

linux (4.10.0-16.18) zesty; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1677697

  * [Feature] ISH (Intel Sensor Hub) support (LP: #1645521)
    - iio: accel: hid-sensor-accel-3d: Add timestamp

  * Zesty update to v4.10.7 stable release (LP: #1677589)
    - net/openvswitch: Set the ipv6 source tunnel key address attribute correctly
    - net: bcmgenet: Do not suspend PHY if Wake-on-LAN is enabled
    - net: properly release sk_frag.page
    - amd-xgbe: Fix jumbo MTU processing on newer hardware
    - openvswitch: Add missing case OVS_TUNNEL_KEY_ATTR_PAD
    - net: unix: properly re-increment inflight counter of GC discarded candidates
    - qmi_wwan: add Dell DW5811e
    - net: vrf: Reset rt6i_idev in local dst after put
    - net/mlx5: Add missing entries for set/query rate limit commands
    - net/mlx5e: Use the proper UAPI values when offloading TC vlan actions
    - net/mlx5: Increase number of max QPs in default profile
    - net/mlx5e: Count GSO packets correctly
    - net/mlx5e: Count LRO packets correctly
    - ipv6: make sure to initialize sockc.tsflags before first use
    - net: bcmgenet: remove bcmgenet_internal_phy_setup()
    - ipv4: provide stronger user input validation in nl_fib_input()
    - socket, bpf: fix sk_filter use after free in sk_clone_lock
    - genetlink: fix counting regression on ctrl_dumpfamily()
    - tcp: initialize icsk_ack.lrcvtime at session start time
    - amd-xgbe: Fix the ECC-related bit position definitions
    - net: solve a NAPI race
    - HID: sony: Fix input device leak when connecting a DS4 twice using USB/BT
    - Input: ALPS - fix V8+ protocol handling (73 03 28)
    - Input: ALPS - fix trackstick button handling on V8 devices
    - Input: elan_i2c - add ASUS EeeBook X205TA special touchpad fw
    - Input: i8042 - add noloop quirk for Dell Embedded Box PC 3000
    - Input: iforce - validate number of endpoints before using them
    - Input: ims-pcu - validate number of endpoints before using them
    - Input: hanwang - validate number of endpoints before using them
    - Input: yealink - validate number of endpoints before using them
    - Input: cm109 - validate number of endpoints before using them
    - Input: kbtab - validate number of endpoints before using them
    - Input: sur40 - validate number of endpoints before using them
    - ALSA: seq: Fix racy cell insertions during snd_seq_pool_done()
    - ALSA: ctxfi: Fix the incorrect check of dma_set_mask() call
    - ALSA: hda - Adding a group of pin definition to fix headset problem
    - USB: serial: option: add Quectel UC15, UC20, EC21, and EC25 modems
    - USB: serial: qcserial: add Dell DW5811e
    - ACM gadget: fix endianness in notifications
    - usb: gadget: f_uvc: Fix SuperSpeed companion descriptor's wBytesPerInterval
    - dvb-usb-firmware: don't do DMA on stack
    - usb-core: Add LINEAR_FRAME_INTR_BINTERVAL USB quirk
    - USB: uss720: fix NULL-deref at probe
    - USB: lvtest: fix NULL-deref at probe
    - USB: idmouse: fix NULL-deref at probe
    - USB: wusbcore: fix NULL-deref at probe
    - usb: musb: cppi41: don't check early-TX-interrupt for Isoch transfer
    - usb: hub: Fix crash after failure to read BOS descriptor
    - USB: usbtmc: add missing endpoint sanity check
    - USB: usbtmc: fix probe error path
    - uwb: i1480-dfu: fix NULL-deref at probe
    - uwb: hwa-rc: fix NULL-deref at probe
    - mmc: ushc: fix NULL-deref at probe
    - nl80211: fix dumpit error path RTNL deadlocks
    - mmc: core: Fix access to HS400-ES devices
    - iio: adc: ti_am335x_adc: fix fifo overrun recovery
    - iio: sw-device: Fix config group initialization
    - iio: hid-sensor-trigger: Change get poll value function order to avoid
      sensor properties losing after resume from S3
    - iio: magnetometer: ak8974: remove incorrect __exit markups
    - mei: fix deadlock on mei reset
    - mei: don't wait for os version message reply
    - parport: fix attempt to write duplicate procfiles
    - ppdev: fix registering same device name
    - ext4: mark inode dirty after converting inline directory
    - powerpc/64s: Fix idle wakeup potential to clobber registers
    - audit: fix auditd/kernel connection state tracking
    - mmc: sdhci-of-at91: Support external regulators
    - mmc: sdhci-of-arasan: fix incorrect timeout clock
    - mmc: sdhci: Do not disable interrupts while waiting for clock
    - mmc: sdhci-pci: Do not disable interrupts in sdhci_intel_set_power
    - hwrng: amd - Revert managed API changes
    - hwrng: geode - Revert managed API changes
    - clk: sunxi-ng: sun6i: Fix enable bit offset for hdmi-ddc module clock
    - clk: sunxi-ng: mp: Adjust parent rate for pre-dividers
    - mwifiex: pcie: don't leak DMA buffers when removing
    - ath10k: fix incorrect wlan_mac_base in qca6174_regs
    - crypto: ccp - Assign DMA commands to the channel's CCP
    - fscrypt: remove broken support for detecting keyring key revocation
    - vfio: Rework group release notifier warning
    - xen/acpi: upload PM state from init-domain to Xen
    - iommu/vt-d: Fix NULL pointer dereference in device_to_iommu
    - iommu/exynos: Block SYSMMU while invalidating FLPD cache
    - iommu/exynos: Workaround FLPD cache flush issues for SYSMMU v5
    - Revert "ARM: at91/dt: sama5d2: Use new compatible for ohci node"
    - ARM: at91: pm: cpu_idle: switch DDR to power-down mode
    - arm64: kaslr: Fix up the kernel image alignment
    - cpufreq: Restore policy min/max limits on CPU online
    - cgroup, net_cls: iterate the fds of only the tasks which are being migrated
    - blk-mq: don't complete un-started request in timeout handler
    - cpsw/netcp: cpts depends on posix_timers
    - drm/amdgpu: reinstate oland workaround for sclk
    - drm/amd/amdgpu: add POLARIS12 PCI ID
    - auxdisplay: img-ascii-lcd: add missing sentinel entry in
      img_ascii_lcd_matches
    - jbd2: don't leak memory if setting up journal fails
    - intel_th: Don't leak module refcount on failure to activate
    - Drivers: hv: vmbus: Don't leak channel ids
    - Drivers: hv: vmbus: Don't leak memory when a channel is rescinded
    - mmc: block: Fix is_waiting_last_req set incorrectly
    - libceph: don't set weight to IN when OSD is destroyed
    - device-dax: fix pmd/pte fault fallback handling
    - scsi: sd: Check for unaligned partial completion
    - cpuidle: Validate cpu_dev in cpuidle_add_sysfs()
    - xen: do not re-use pirq number cached in pci device msi msg data
    - drm: reference count event->completion
    - fbcon: Fix vc attr at deinit
    - crypto: algif_hash - avoid zero-sized array
    - Linux 4.10.7

  * PS/2 mouse does not work on Dell embedded computer (LP: #1591053)
    - Input: i8042 - add noloop quirk for Dell Embedded Box PC 3000

  * [Zesty] mlx5_core Kernel oops with bonding mode 1 and 6 (LP: #1676786)
    - SAUCE: (no-up) net/mlx5: Avoid dereferencing uninitialized pointer

  * [Hyper-V] Implement Hyper-V PTP Source (LP: #1676635)
    - Revert "hv: don't reset hv_context.tsc_page on crash"
    - Revert "Drivers: hv: vmbus: Raise retry/wait limits in vmbus_post_msg()"
    - Revert "hv: allocate synic pages for all present CPUs"
    - Revert "hv: init percpu_list in hv_synic_alloc()"
    - Revert "Drivers: hv: vmbus: Prevent sending data on a rescinded channel"
    - Revert "Drivers: hv: vmbus: Fix a rescind handling bug"
    - Revert "Drivers: hv: util: kvp: Fix a rescind processing issue"
    - Revert "Drivers: hv: util: Fcopy: Fix a rescind processing issue"
    - Revert "Drivers: hv: util: Backup: Fix a rescind processing issue"
    - Revert "drivers: hv: Turn off write permission on the hypercall page"
    - Revert "UBUNTU: SAUCE: (no-up) hv: Supply vendor ID and package ABI"
    - Drivers: hv: vmbus: Raise retry/wait limits in vmbus_post_msg()
    - hv: allocate synic pages for all present CPUs
    - hv: init percpu_list in hv_synic_alloc()
    - hv: don't reset hv_context.tsc_page on crash
    - Drivers: hv: vmbus: Prevent sending data on a rescinded channel
    - hv: switch to cpuhp state machine for synic init/cleanup
    - hv: make CPU offlining prevention fine-grained
    - Drivers: hv: vmbus: Fix a rescind handling bug
    - Drivers: hv: util: kvp: Fix a rescind processing issue
    - Drivers: hv: util: Fcopy: Fix a rescind processing issue
    - Drivers: hv: util: Backup: Fix a rescind processing issue
    - Drivers: hv: vmbus: Move the definition of hv_x64_msr_hypercall_contents
    - Drivers: hv: vmbus: Move the definition of generate_guest_id()
    - Drivers: hv vmbus: Move Hypercall page setup out of common code
    - Drivers: hv: vmbus: Move Hypercall invocation code out of common code
    - Drivers: hv: vmbus: Consolidate all Hyper-V specific clocksource code
    - Drivers: hv: vmbus: Move the extracting of Hypervisor version information
    - Drivers: hv: vmbus: Move the crash notification function
    - Drivers: hv: vmbus: Move the check for hypercall page setup
    - Drivers: hv: vmbus: Move the code to signal end of message
    - Drivers: hv: vmbus: Restructure the clockevents code
    - Drivers: hv: util: Use hv_get_current_tick() to get current tick
    - Drivers: hv: vmbus: Get rid of an unsused variable
    - Drivers: hv: vmbus: Define APIs to manipulate the message page
    - Drivers: hv: vmbus: Define APIs to manipulate the event page
    - Drivers: hv: vmbus: Define APIs to manipulate the synthetic interrupt controller
    - Drivers: hv: vmbus: Define an API to retrieve virtual processor index
    - Drivers: hv: vmbus: Define an APIs to manage interrupt state
    - Drivers: hv: vmbus: Cleanup hyperv_vmbus.h
    - hv_util: switch to using timespec64
    - Drivers: hv: restore hypervcall page cleanup before kexec
    - Drivers: hv: restore TSC page cleanup before kexec
    - Drivers: hv: balloon: add a fall through comment to hv_memory_notifier()
    - Drivers: hv: vmbus: Use all supported IC versions to negotiate
    - Drivers: hv: Log the negotiated IC versions.
    - Drivers: hv: Fix the bug in generating the guest ID
    - hv: export current Hyper-V clocksource
    - hv_utils: implement Hyper-V PTP source
    - SAUCE: (no-up) hv: Supply vendor ID and package ABI
    - drivers: hv: Turn off write permission on the hypercall page

  * Populating Hyper-V MSR for Ubuntu 13.10 (LP: #1193172)
    - SAUCE: (no-up) hv: Supply vendor ID and package ABI

  * Ubuntu 16.10: Network checksum fixes needed for IPoIB for Mellanox CX4/CX5
    card (LP: #1670247)
    - powerpc/64: Fix checksum folding in csum_tcpudp_nofold and ip_fast_csum_nofold
    - powerpc/64: Use optimized checksum routines on little-endian

  * Kernel linux-image-4.4.0-67-generic prevent the boot on Microsoft Hyper-v
    2012r2 Gen2 VM (LP: #1674635)
    - scsi: storvsc: Workaround for virtual DVD SCSI version

  * POWER9 Radix mode KVM (LP: #1675806)
    - Revert "powerpc: Update to new option-vector-5 format for CAS"
    - Revert "powerpc/powernv: Initialise nest mmu"
    - Revert "KVM: PPC: Book 3S: XICS: Don't lock twice when checking for resend"
    - KVM: PPC: Book3S: Change interrupt call to reduce scratch space use on HV
    - KVM: PPC: Book3S: Move 64-bit KVM interrupt handler out from alt section
    - KVM: PPC: Book3S: 64-bit CONFIG_RELOCATABLE support for interrupts
    - powerpc/64: More definitions for POWER9
    - powerpc/64: Export pgtable_cache and pgtable_cache_add for KVM
    - powerpc/64: Make type of partition table flush depend on partition type
    - powerpc/64: Allow for relocation-on interrupts from guest to host
    - KVM: PPC: Book3S HV: Add userspace interfaces for POWER9 MMU
    - KVM: PPC: Book3S HV: Set process table for HPT guests on POWER9
    - KVM: PPC: Book3S HV: Use ASDR for HPT guests on POWER9
    - KVM: PPC: Book3S HV: Add basic infrastructure for radix guests
    - KVM: PPC: Book3S HV: Modify guest entry/exit paths to handle radix guests
    - KVM: PPC: Book3S HV: Page table construction and page faults for radix guests
    - KVM: PPC: Book3S HV: MMU notifier callbacks for radix guests
    - KVM: PPC: Book3S HV: Implement dirty page logging for radix guests
    - KVM: PPC: Book3S HV: Make HPT-specific hypercalls return error in radix mode
    - KVM: PPC: Book3S HV: Invalidate TLB on radix guest vcpu movement
    - KVM: PPC: Book3S HV: Allow guest exit path to have MMU on
    - KVM: PPC: Book3S HV: Invalidate ERAT on guest entry/exit for POWER9 DD1
    - KVM: PPC: Book3S HV: Enable radix guest support
    - powerpc/64: CONFIG_RELOCATABLE support for hmi interrupts
    - KVM: PPC: Book3S HV: Fix software walk of guest process page tables
    - KVM: PPC: Book3S HV: Don't use ASDR for real-mode HPT faults on POWER9
    - KVM: PPC: Book3S HV: Don't try to signal cpu -1
    - KVM: PPC: Book 3S: Fix error return in kvm_vm_ioctl_create_spapr_tce()
    - powerpc/64: Invalidate process table caching after setting process table
    - powerpc: Update to new option-vector-5 format for CAS
    - KVM: PPC: Book 3S: XICS: Don't lock twice when checking for resend
    - powerpc/powernv: Initialise nest mmu
    - powerpc/powernv: Remove separate entry for OPAL real mode calls

  * [Hyper-V][Mellanox] net/mlx4_core: Avoid delays during VF driver device shutdown (LP: #1672785)
    - net/mlx4_core: Avoid delays during VF driver device shutdown

  * [zesty] mlx4_core OOM with 32 bit arch (LP: #1676858)
    - mlx4: reduce OOM risk on arches with large pages

  * [Feature] GLK Northpeak Enabling (LP: #1645963)
    - intel_th: pci: Add Denverton SOC support
    - intel_th: pci: Add Gemini Lake support

  * [zesty] mlx5e OVS fixes (LP: #1676388)
    - net/mlx5: Fix create autogroup prev initializer
    - net/mlx5e: Avoid supporting udp tunnel port ndo for VF reps
    - net/mlx5e: Avoid wrong identification of rules on deletion
    - devlink: fix the name of eswitch commands
    - devlink: rename devlink_eswitch_fill to devlink_nl_eswitch_fill
    - devlink: use nla_put_failure goto label instead of out
    - devlink: allow to fillup eswitch attrs even if mode_get op does not exist
    - net/mlx5e: Change the TC offload rule add/del code path to be per NIC or E-Switch
    - net/mlx5: E-Switch, Don't allow changing inline mode when flows are configured

  * [ARM64] Support systems where the physical memory footprint exceeds the size
    of the linear mapping. (LP: #1675046)
    - SAUCE: efi: arm-stub: Correct FDT and initrd allocation rules for arm64
    - SAUCE: efi: arm-stub: Round up FDT allocation to mapping size

  * AACRAID Driver: Add 3 patch fixes to Kernel release (LP: #1675872)
    - scsi: aacraid: remove redundant zero check on ret
    - scsi: aacraid: Fix typo in blink status
    - scsi: aacraid: Fix potential null access

  * stress_smoke_test passing and exiting rc=9 (linux 4.9.0-12.13 ADT test
    failure with linux 4.9.0-12.13) (LP: #1658633)
    - ext4: lock the xattr block before checksuming it

  * ARM arch_timer erratum (LP: #1675509)
    - arm64: ptrace: add XZR-safe regs accessors
    - SAUCE: arm64: Allow checking of a CPU-local erratum
    - SAUCE: arm64: Add CNTVCT_EL0 trap handler
    - SAUCE: arm64: Define Cortex-A73 MIDR
    - SAUCE: arm64: cpu_errata: Allow an erratum to be match for all revisions of a core
    - SAUCE: arm64: cpu_errata: Add capability to advertise Cortex-A73 erratum 858921
    - SAUCE: arm64: arch_timer: Add infrastructure for multiple erratum detection methods
    - SAUCE: arm64: arch_timer: Add erratum handler for globally defined capability
    - SAUCE: arm64: arch_timer: Add erratum handler for CPU-specific capability
    - SAUCE: arm64: arch_timer: Move arch_timer_reg_read/write around
    - SAUCE: arm64: arch_timer: Get rid of erratum_workaround_set_sne
    - SAUCE: arm64: arch_timer: Rework the set_next_event workarounds
    - SAUCE: arm64: arch_timer: Make workaround methods optional
    - SAUCE: arm64: arch_timer: Allows a CPU-specific erratum to only affect a subset of CPUs
    - SAUCE: arm64: arch_timer: Move clocksource_counter and co around
    - SAUCE: arm64: arch_timer: Enable CNTVCT_EL0 trap if workaround is enabled
    - SAUCE: arm64: arch_timer: Workaround for Cortex-A73 erratum 858921
    - SAUCE: arm64: arch_timer: Allow erratum matching with ACPI OEM information
    - SAUCE: arm64: arch_timer: Add HISILICON_ERRATUM_161010101 ACPI matching data
    - SAUCE: arm64: arch_timer: Add check for unknown erratum

  * Zesty update to v4.10.6 stable release (LP: #1676429)
    - give up on gcc ilog2() constant optimizations
    - qla2xxx: Fix memory leak for abts processing
    - qla2xxx: Fix request queue corruption.
    - parisc: Optimize flush_kernel_vmap_range and invalidate_kernel_vmap_range
    - parisc: support R_PARISC_SECREL32 relocation in modules
    - parisc: Fix system shutdown halt
    - perf/core: Fix use-after-free in perf_release()
    - perf/core: Fix event inheritance on fork()
    - md/r5cache: fix set_syndrome_sources() for data in cache
    - xprtrdma: Squelch kbuild sparse complaint
    - NFS prevent double free in async nfs4_exchange_id
    - cpufreq: Fix and clean up show_cpuinfo_cur_freq()
    - powerpc/boot: Fix zImage TOC alignment
    - hwrng: omap - write registers after enabling the clock
    - hwrng: omap - use devm_clk_get() instead of of_clk_get()
    - hwrng: omap - Do not access INTMASK_REG on EIP76
    - md/raid1/10: fix potential deadlock
    - target/pscsi: Fix TYPE_TAPE + TYPE_MEDIMUM_CHANGER export
    - scsi: lpfc: Add shutdown method for kexec
    - scsi: libiscsi: add lock around task lists to fix list corruption regression
    - scsi: mpt3sas: Avoid sleeping in interrupt context
    - target: Fix VERIFY_16 handling in sbc_parse_cdb
    - isdn/gigaset: fix NULL-deref at probe
    - gfs2: Avoid alignment hole in struct lm_lockname
    - percpu: acquire pcpu_lock when updating pcpu_nr_empty_pop_pages
    - cgroup/pids: remove spurious suspicious RCU usage warning
    - drm/amdgpu/si: add dpm quirk for Oland
    - Linux 4.10.6

  * Miscellaneous Ubuntu changes
    - [Config] CONFIG_ARM64_ERRATUM_858921=y
    - [Debian] add rprovides for spl-modules and zfs-modules

 -- Tim Gardner <tim.gardner@xxxxxxxxxxxxx>  Thu, 06 Apr 2017 17:28:49 +0100

** Changed in: linux (Ubuntu Zesty)
       Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7308

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1677959

Title:
  change_profile incorrect when using namespaces with a compound stack

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Confirmed
Status in linux source package in Yakkety:
  Confirmed
Status in linux source package in Zesty:
  Fix Released

Bug description:
  When a compound label is used as part of a target namespace, the change
  profile will result in a bad change.

  A task confined by profile lxd doing
  change_profile(&:ns://foo//&unconfined)

  results in a change_profile to

    :ns://foo
  and
    unconfined

  causing the local system profile to change instead of setting up a stack in the sub namespace,
  i.e.
    unconfined//&:ns://foo
  instead of the expected
    lxd//&:ns://foo//&:ns://unconfined

  https://github.com/lxc/lxd/issues/2981

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1677959/+subscriptions
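
The label resolution in the bug description above, as an added example that is not part of the original notification and is not AppArmor kernel code: a Python model that resolves a change_profile target, builds the label the report expects, and compares it with an observed label. The function names, the use of "" for the task's own namespace, and the assumption that an observed label spells out the namespace on every component are assumptions of this example.

```python
# Added example: a model of stacked-label resolution, not AppArmor kernel code.
ROOT = ""     # assumption: "" stands for the task's own (local system) namespace
SEP = "//&"   # stacking separator, as written in the bug report


def parse_component(text, base_ns):
    """Return (namespace, profile) for one component such as ':ns://foo'."""
    if text.startswith(":"):
        ns, _, name = text[1:].partition(":")
        return ns, name[2:] if name.startswith("//") else name
    return base_ns, text  # bare name: looked up in the current base namespace


def resolve(label, current_ns=ROOT, inherit_ns=True):
    """Resolve a label string to a list of (namespace, profile) pairs.

    inherit_ns=True:  a component that names a namespace makes it the base
                      for the bare names that follow (what the report expects).
    inherit_ns=False: every bare name is looked up in current_ns, which puts
                      'unconfined' in the local system namespace.
    """
    base, out = current_ns, []
    for text in label.split(SEP):
        ns, name = parse_component(text, base)
        out.append((ns, name))
        if inherit_ns:
            base = ns
    return out


def render(components):
    """Format (namespace, profile) pairs back into a label string."""
    return SEP.join(n if ns == ROOT else f":{ns}://{n}" for ns, n in components)


def expected_label(current, target):
    """Label a task confined by `current` should hold after change_profile(target)."""
    stack = target.startswith("&")  # a leading '&' stacks onto the current label
    new = resolve(target[1:] if stack else target)
    kept = resolve(current, inherit_ns=False) if stack else []
    return render(kept + new)


def audit(current, target, observed):
    """Compare an observed label with the expected one.

    Returns (unexpected, missing) sets of (namespace, profile) pairs; both are
    empty when the transition did what the target asked for.
    """
    want = set(resolve(expected_label(current, target), inherit_ns=False))
    got = set(resolve(observed, inherit_ns=False))
    return got - want, want - got


if __name__ == "__main__":
    target = "&:ns://foo//&unconfined"          # target from the bug report
    print(expected_label("lxd", target))
    print(audit("lxd", target, "unconfined//&:ns://foo"))  # label the report saw
```

An unexpected component in the "" namespace, such as ("", "unconfined") here, is the signal that the local system profile changed instead of a stack being set up in the sub namespace.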