group.of.nepali.translators team mailing list archive
Message #25210
[Bug 1780227] Re: locking sockets broken due to missing AppArmor socket mediation patches
Per discussion above:
- Closing the kernel tasks
- Raising priority on apparmor tasks to Critical (to match what kernel had)
- Assigning to jjohansen as the AppArmor maintainer
As we care about xenial, bionic and cosmic, we need point releases (or cherry-pick) for:
- AppArmor 2.10 (2.10.95 in xenial)
- AppArmor 2.12 (2.12 in bionic and cosmic)
John: Any ETA for those two point releases or pointer to a commit which
we could SRU on its own?
For now our focus is obviously on getting this resolved in Ubuntu as
soon as possible, since it's breaking a number of systemd services that
are now (18.04) shipping with more confinement than in the past. The
same issue is also currently preventing us from starting newer Fedora
and Arch containers on Ubuntu.
Our standard response so far has been to tell users to turn off AppArmor
for those containers, but it's obviously not an answer we like to give
(I'm sure you'll agree).
** Changed in: linux (Ubuntu)
       Status: Triaged => Invalid

** Changed in: linux (Ubuntu Xenial)
       Status: Triaged => Invalid

** Changed in: linux (Ubuntu Bionic)
       Status: Triaged => Invalid

** Changed in: apparmor (Ubuntu)
       Status: New => Triaged

** Changed in: apparmor (Ubuntu Xenial)
       Status: New => Triaged

** Changed in: apparmor (Ubuntu Bionic)
       Status: New => Triaged

** Changed in: apparmor (Ubuntu)
   Importance: Undecided => Critical

** Changed in: apparmor (Ubuntu Xenial)
   Importance: Undecided => Critical

** Changed in: apparmor (Ubuntu Bionic)
   Importance: Undecided => Critical

** Changed in: linux (Ubuntu)
   Importance: Critical => Undecided

** Changed in: linux (Ubuntu Xenial)
   Importance: High => Undecided

** Changed in: linux (Ubuntu Bionic)
   Importance: High => Undecided

** Changed in: apparmor (Ubuntu)
     Assignee: (unassigned) => John Johansen (jjohansen)

** Changed in: apparmor (Ubuntu Xenial)
     Assignee: (unassigned) => John Johansen (jjohansen)

** Changed in: apparmor (Ubuntu Bionic)
     Assignee: (unassigned) => John Johansen (jjohansen)
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1780227
Title:
  locking sockets broken due to missing AppArmor socket mediation patches

Status in apparmor package in Ubuntu:
  Triaged
Status in linux package in Ubuntu:
  Invalid
Status in apparmor source package in Xenial:
  Triaged
Status in linux source package in Xenial:
  Invalid
Status in apparmor source package in Bionic:
  Triaged
Status in linux source package in Bionic:
  Invalid
Bug description:
  Hey,

  Newer systemd makes use of locks placed on AF_UNIX sockets created
  with the socketpair() syscall to synchronize various bits and pieces
  when isolating services. On kernels prior to 4.18 that do not have
  the AppArmor socket mediation patchset backported, this will cause the
  locks to be denied with EACCESS. This causes systemd to be broken in
  LXC and LXD containers that do not run unconfined, which is a pretty
  big deal. We have seen various bug reports related to this. See for
  example [1] and [2].

  If feasible it would be excellent if we could backport the socket
  mediation patchset to all LTS kernels. Afaict, this should be 4.4 and
  4.15. This will unbreak a whole range of use-cases.

  The socket mediation patchset is available here:
  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4

  [1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779
  [2]: https://github.com/systemd/systemd/issues/9493

  Thanks!
  Christian
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1780227/+subscriptions
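An added diagnostic, not part of the bug report nor of systemd or AppArmor code, that reproduces the failing operation described above: it creates an AF_UNIX socketpair() and tries both flock() and fcntl(F_SETLK) on one end, classifying EACCES/EPERM as a denial. Run it inside a confined LXC/LXD container; a denial there, while the same binary succeeds unconfined, points at a kernel without the socket mediation patches. The enum and function names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/file.h>
#include <sys/socket.h>
#include <unistd.h>

enum lock_result { LOCK_OK = 0, LOCK_DENIED = 1, LOCK_OTHER = 2 };

/* Map a lock call's return code and errno to a coarse verdict (names are this example's own). */
enum lock_result classify_lock(int rc, int err)
{
    if (rc == 0)
        return LOCK_OK;
    return (err == EACCES || err == EPERM) ? LOCK_DENIED : LOCK_OTHER;
}

/* Try a BSD flock() and then a POSIX F_SETLK on fd; stop at the first failure. */
static enum lock_result try_locks(int fd, int *saved_errno)
{
    struct flock fl = { .l_type = F_WRLCK, .l_whence = SEEK_SET };
    int rc = flock(fd, LOCK_EX | LOCK_NB);
    *saved_errno = rc ? errno : 0;
    printf("flock(LOCK_EX): %s\n", rc ? strerror(*saved_errno) : "ok");
    if (rc)
        return classify_lock(rc, *saved_errno);
    flock(fd, LOCK_UN);
    rc = fcntl(fd, F_SETLK, &fl);
    *saved_errno = rc ? errno : 0;
    printf("fcntl(F_SETLK): %s\n", rc ? strerror(*saved_errno) : "ok");
    return classify_lock(rc, *saved_errno);
}

/* Lock one end of an AF_UNIX socketpair(), the operation the bug report says is denied. */
enum lock_result probe_socketpair_lock(int *saved_errno)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) {
        *saved_errno = errno;   /* could not even create the pair: inconclusive */
        return LOCK_OTHER;
    }
    enum lock_result res = try_locks(sv[0], saved_errno);
    close(sv[0]);
    close(sv[1]);
    return res;
}

int main(void) { int err; return probe_socketpair_lock(&err) == LOCK_OK ? 0 : 1; } /* exit 0 only if permitted */
```

On an unconfined host or a kernel carrying the mediation patches both lines print "ok"; the denial case is the one the report's systemd services hit.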