kernel-packages team mailing list archive, Message #168734
[Bug 1558553] Re: IMA-appraisal is unusable in Ubuntu 16.04
This bug was fixed in the package linux - 4.4.0-15.31
---------------
linux (4.4.0-15.31) xenial; urgency=low
[ Tim Gardner ]
* Release Tracking Bug
- LP: #1559252
* Xilinx KU3 Capi card does not show up in Ubuntu 16.04 (LP: #1557001)
- SAUCE: (noup) cxl: Allow initialization on timebase sync failures
* policy namespace stacking (LP: #1379535)
- Revert "UBUNTU: SAUCE: Move replacedby allocation into label_alloc"
- Revert "UBUNTU: SAUCE: Fixup: __label_update() still doesn't handle some cases correctly."
- Revert "UBUNTU: SAUCE: fix: audit "no_new_privs" case for exec failure"
- Revert "UBUNTU: SAUCE: fixup: warning about aa_label_vec_find_or_create not being static"
- Revert "UBUNTU: SAUCE: apparmor: fix refcount race when finding a child profile"
- Revert "UBUNTU: SAUCE: fixup: cast poison values to remove warnings"
- Revert "UBUNTU: SAUCE: fixup: get rid of unused var build warning"
- Revert "UBUNTU: SAUCE: fixup: 20/23 locking issue around in __label_update"
- Revert "UBUNTU: SAUCE: fixup: make __share_replacedby private to get rid of build warning"
- Revert "UBUNTU: SAUCE: fix: replacedby forwarding is not being properly update when ns is destroyed"
- Revert "UBUNTU: SAUCE: apparmor: fix log of apparmor audit message when kern_path() fails"
- Revert "UBUNTU: SAUCE: fixup: cleanup return handling of labels"
- Revert "UBUNTU: SAUCE: apparmor: fix: ref count leak when profile sha1 hash is read"
- Revert "UBUNTU: SAUCE: apparmor: Fix: query label file permission"
- Revert "UBUNTU: SAUCE: apparmor: Don't remove label on rcu callback if the label has already been removed"
- Revert "UBUNTU: SAUCE: apparmor: Fix: break circular refcount for label that is directly freed."
- Revert "UBUNTU: SAUCE: apparmor: Fix: refcount bug when inserting label update that transitions ns"
- Revert "UBUNTU: SAUCE: apparmor: Fix: now that insert can force replacement use it instead of remove_and_insert"
- Revert "UBUNTU: SAUCE: apparmor Fix: refcount bug in pivotroot mediation"
- Revert "UBUNTU: SAUCE: apparmor: ensure that repacedby sharing is done correctly"
- Revert "UBUNTU: SAUCE: apparmor: Fix: update replacedby allocation to take a gfp parameter"
- Revert "UBUNTU: SAUCE: apparmor: Fix: convert replacedby update to be protected by the labelset lock"
- Revert "UBUNTU: SAUCE: apparmor: Fix: add required locking of __aa_update_replacedby on merge path"
- Revert "UBUNTU: SAUCE: apparmor: Fix: deadlock in aa_put_label() call chain"
- Revert "UBUNTU: SAUCE: apparmor: Fix: label_vec_merge insertion"
- Revert "UBUNTU: SAUCE: apparmor: Fix: ensure new labels resulting from merge have a replacedby"
- Revert "UBUNTU: SAUCE: apparmor: Fix: refcount leak in aa_label_merge"
- Revert "UBUNTU: SAUCE: apparmor: Fix: refcount race between locating in labelset and get"
- Revert "UBUNTU: SAUCE: apparmor: Fix: label merge handling of marking unconfined and stale"
- Revert "UBUNTU: SAUCE: apparmor: add underscores to indicate aa_label_next_not_in_set() use needs locking"
- Revert "UBUNTU: SAUCE: apparmor: debug: POISON label and replaceby pointer on free"
- Revert "UBUNTU: SAUCE: apparmor: Fix: ensure aa_get_newest will trip debugging if the replacedby is not setup"
- Revert "UBUNTU: SAUCE: apparmor: Fix: insert race between label_update and label_merge"
- Revert "UBUNTU: SAUCE: apparmor: rework retrieval of the current label in the profile update case"
- Revert "UBUNTU: SAUCE: apparmor: Disallow update of cred when then subjective != the objective cred"
- Revert "UBUNTU: SAUCE: apparmor: Fix: oops do to invalid null ptr deref in label print fns"
- Revert "UBUNTU: SAUCE: fix-up: kern_mount fail path should not be doing put_buffers()"
- Revert "UBUNTU: SAUCE: apparmor: fix sleep from invalid context"
- Revert "UBUNTU: SAUCE: (no-up): apparmor: fix for failed mediation of socket that is being shutdown"
- Revert "UBUNTU: SAUCE: (no-up) apparmor: Fix incompatible pointer type warnings"
- Revert "UBUNTU: SAUCE: (no-up) apparmor: fix mount not handling disconnected paths"
- Revert "UBUNTU: SAUCE: (no-up): apparmor: fix mediation of fs unix sockets"
- Revert "UBUNTU: apparmor -- follow change to this_cpu_ptr"
- Revert "UBUNTU: SAUCE: (no-up) fix: bad unix_addr_fs macro"
- Revert "UBUNTU: SAUCE: Revert: fix: only allow a single threaded process to ..."
- Revert "UBUNTU: SAUCE: (no-up) apparmor: Sync to apparmor3 - RC1 snapshot"
- Revert "UBUNTU: SAUCE: (no-up) apparmor: add parameter to control whether policy hashing is used"
- SAUCE: (no-up) apparmor: sync of apparmor3.5-beta1 snapshot
- SAUCE: add a sysctl to enable unprivileged user ns AppArmor policy loading
* Add arm64 NUMA support (LP: #1558765)
- SAUCE: (noup) efi: ARM/arm64: ignore DT memory nodes instead of removing them
- SAUCE: (noup) Documentation, dt, numa: dt bindings for NUMA.
- [Config] CONFIG_OF_NUMA=y
- SAUCE: (noup) of, numa: Add NUMA of binding implementation.
- SAUCE: (noup) arm64: Move unflatten_device_tree() call earlier.
- [Config] CONFIG_NUMA=y and CONFIG_NODES_SHIFT=2 on arm64
- SAUCE: (noup) arm64, numa: Add NUMA support for arm64 platforms.
- SAUCE: (noup) arm64, mm, numa: Add NUMA balancing support for arm64.
* vivid/linux: total ADT test failures (LP: #1558447)
- Revert "Revert "af_unix: Revert 'lock_interruptible' in stream receive code""
* [Hyper-V] patches to allow kdump crash through NMI (LP: #1558720)
- Drivers: hv: vmbus: Support handling messages on multiple CPUs
- Drivers: hv: vmbus: Support kexec on ws2012 r2 and above
* s390/pci: enforce fmb page boundary rule (LP: #1558625)
- s390/pci: enforce fmb page boundary rule
* s390/pci: backport upstream commits since v4.4 (LP: #1558624)
- s390/pci_dma: fix DMA table corruption with > 4 TB main memory
- page_to_phys() always returns a multiple of PAGE_SIZE
- s390/pci: provide ZPCI_ADDR macro
- s390/pci: improve ZPCI_* macros
- s390/pci: resize iomap
- s390/pci: fix bar check
- s390/pci: set error state for unusable functions
- s390/pci: remove iomap sanity checks
- s390/pci: remove pdev pointer from arch data
- s390/pci: add ioctl interface for CLP
* IMA-appraisal is unusable in Ubuntu 16.04 (LP: #1558553)
- [Config] CONFIG_SYSTEM_EXTRA_CERTIFICATE=y, CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
- KEYS: Use the symbol value for list size, updated by scripts/insert-sys-cert
- KEYS: Reserve an extra certificate symbol for inserting without recompiling
- SAUCE: (noup) KEYS: Support for inserting a certificate into x86 bzImage
* skb_warn_bad_offload Crash (LP: #1558025)
- ipv4: only create late gso-skb if skb is already set up with CHECKSUM_PARTIAL
* Add PCIe root complex to Cavium arm64 (LP: #1558342)
- [Config] CONFIG_PCI_HOST_COMMON=y
- [Config] CONFIG_PCI_HOST_THUNDER_PEM=y
- [Config] CONFIG_PCI_HOST_THUNDER_ECAM=y
- PCI: generic: Move structure definitions to separate header file
- PCI: generic: Add pci_host_common_probe(), based on gen_pci_probe()
- PCI: generic: Expose pci_host_common_probe() for use by other drivers
- PCI: thunder: Add PCIe host driver for ThunderX processors
- PCI: thunder: Add driver for ThunderX-pass{1,2} on-chip devices
* [Hyper-V] vmbus: Fix a bug in hv_need_to_signal_on_read() (LP: #1556264)
- SAUCE: (noup) Drivers: hv: vmbus: Fix a bug in hv_need_to_signal_on_read()
* Xenial update to v4.4.6 stable release (LP: #1558330)
- arm64: account for sparsemem section alignment when choosing vmemmap offset
- ARM: mvebu: fix overlap of Crypto SRAM with PCIe memory window
- ARM: dts: dra7: do not gate cpsw clock due to errata i877
- ARM: OMAP2+: hwmod: Introduce ti,no-idle dt property
- PCI: Allow a NULL "parent" pointer in pci_bus_assign_domain_nr()
- kvm: cap halt polling at exactly halt_poll_ns
- KVM: VMX: disable PEBS before a guest entry
- KVM: s390: correct fprs on SIGP (STOP AND) STORE STATUS
- KVM: PPC: Book3S HV: Sanitize special-purpose register values on guest exit
- KVM: MMU: fix ept=0/pte.u=1/pte.w=0/CR0.WP=0/CR4.SMEP=1/EFER.NX=0 combo
- KVM: MMU: fix reserved bit check for ept=0/CR0.WP=0/CR4.SMEP=1/EFER.NX=0
- s390/dasd: fix diag 0x250 inline assembly
- tracing: Fix check for cpu online when event is disabled
- dmaengine: at_xdmac: fix residue computation
- jffs2: reduce the breakage on recovery from halfway failed rename()
- ncpfs: fix a braino in OOM handling in ncp_fill_cache()
- ASoC: dapm: Fix ctl value accesses in a wrong type
- ASoC: samsung: Use IRQ safe spin lock calls
- ASoC: wm8994: Fix enum ctl accesses in a wrong type
- ASoC: wm8958: Fix enum ctl accesses in a wrong type
- ovl: ignore lower entries when checking purity of non-directory entries
- ovl: fix working on distributed fs as lower layer
- wext: fix message delay/ordering
- cfg80211/wext: fix message ordering
- can: gs_usb: fixed disconnect bug by removing erroneous use of kfree()
- iwlwifi: mvm: inc pending frames counter also when txing non-sta
- mac80211: minstrel: Change expected throughput unit back to Kbps
- mac80211: fix use of uninitialised values in RX aggregation
- mac80211: minstrel_ht: set default tx aggregation timeout to 0
- mac80211: minstrel_ht: fix a logic error in RTS/CTS handling
- mac80211: check PN correctly for GCMP-encrypted fragmented MPDUs
- mac80211: Fix Public Action frame RX in AP mode
- gpu: ipu-v3: Do not bail out on missing optional port nodes
- drm/amdgpu: Fix error handling in amdgpu_flip_work_func.
- drm/radeon: Fix error handling in radeon_flip_work_func.
- Revert "drm/radeon/pm: adjust display configuration after powerstate"
- userfaultfd: don't block on the last VM updates at exit time
- ovl: fix getcwd() failure after unsuccessful rmdir
- MIPS: Fix build error when SMP is used without GIC
- MIPS: smp.c: Fix uninitialised temp_foreign_map
- block: don't optimize for non-cloned bio in bio_get_last_bvec()
- target: Drop incorrect ABORT_TASK put for completed commands
- ld-version: Fix awk regex compile failure
- Linux 4.4.6
* linux fails to load x.509 built-in certificate (LP: #1557250)
- lib/mpi: Endianness fix
* s390/kconfig: setting for CONFIG...9P.... (LP: #1557994)
- [Config] CONFIG_NET_9P=m for s390x
* mlx5_core kernel trace after "ethtool -C eth1 adaptive-rx on" flow (LP: #1557950)
- net/mlx5e: Don't try to modify CQ moderation if it is not supported
- net/mlx5e: Don't modify CQ before it was created
* [Feature]SD/SDIO/eMMC support for Broxton-P (LP: #1520454)
- mmc: sdhci: Do not BUG on invalid vdd
- mmc: enable MMC/SD/SDIO device to suspend/resume asynchronously
- mmc: It is not an error for the card to be removed while suspended
* s390/kconfig: disable CONFIG_VIRTIO_MMIO (LP: #1557689)
- [Config] CONFIG_VIRTIO_MMIO=n for s390x
* s390/kconfig: CONFIG_NUMA without CONFIG_NUMA_EMU does not make any sense on s390x (LP: #1557690)
- [Config] CONFIG_NUMA_EMU=y for s390x
* Miscellaneous Ubuntu changes
- [Debian] git-ubuntu-log -- prevent bug references being split
- [Debian] git-ubuntu-log -- git log output is UTF-8
-- Tim Gardner <tim.gardner@xxxxxxxxxxxxx> Tue, 15 Mar 2016 13:18:58 -0600
** Changed in: linux (Ubuntu Xenial)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1558553
Title:
IMA-appraisal is unusable in Ubuntu 16.04
Status in linux package in Ubuntu:
Fix Released
Status in linux source package in Xenial:
Fix Released
Bug description:
At some point, the IMA keyring changed from _ima to a trusted .ima keyring. At that point, we couldn't add keys to the IMA keyring. Other distros import UEFI keys onto the system keyring. Another method of loading keys on the system keyring is needed, which doesn't require the UEFI keys or rebuilding the kernel.

To resolve this problem, the kernel should be built so that certificate memory is reserved and randomized. Two patches are being upstreamed in this open window (linux-4.6):
8e16789 KEYS: Use the symbol value for list size, updated by scripts/insert-sys-cert
c4c3610 KEYS: Reserve an extra certificate symbol for inserting without recompiling

We need to include these Kconfig options to reserve the memory:
CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096

An additional patch, which will be upstreamed, is needed to fill the reserved memory with random data before it is compressed. (The patch is attached.) After compiling the kernel with the reserved memory, the following build step is required:
scripts/insert-sys-cert -b vmlinux -c /dev/null

If you want to add a cert, the following command will unpack a bzImage, install the cert (DER format) in the vmlinuz, and repack the bzImage.
scripts/insert-sys-cert -s <System.map> -z <bzImage> -c <certfile>

Contact Information = George Wilson <gcwilson@xxxxxxxxxx> / Mimi Zohar <zohar@xxxxxxxxxx>
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1558553/+subscriptions
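The procedure in the bug description embeds a DER-encoded certificate into a fixed reserved region whose size is set by CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE (4096 bytes in the fix above). The following is an added example, not code from the bug report, from Ubuntu, or from the kernel's scripts/insert-sys-cert: a pre-flight check a practitioner can run on the certificate file before handing it to insert-sys-cert. It parses the outer DER SEQUENCE header, rejects PEM input (the report says the tool takes DER), confirms the declared length matches the file, and confirms the certificate fits the slot. The 4096-byte figure and the `-s/-z/-c` flags come from the bug report; how insert-sys-cert itself reacts to oversize or PEM input is not described on this page, so treating these as hard failures is an assumption of the example, and `make_fake_sequence` builds a constructed stand-in for a real certificate so the check runs offline.

```python
"""Pre-flight checks for a certificate destined for the reserved
CONFIG_SYSTEM_EXTRA_CERTIFICATE slot (added example, not from the bug report)."""
from __future__ import annotations

import sys

# Slot size from the bug report's Kconfig (CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096).
EXTRA_CERT_SIZE = 4096


class CertCheckError(ValueError):
    """Raised when the file cannot be safely inserted into the reserved slot."""


def der_outer_length(blob: bytes) -> int:
    """Return the total encoded size of the outermost DER SEQUENCE in blob.

    An X.509 Certificate is a SEQUENCE (tag 0x30). Its length is either
    short form (one byte < 0x80) or long form (0x80 | n, then n big-endian
    bytes). DER requires the minimal encoding, so we reject padded forms.
    """
    if len(blob) < 2 or blob[0] != 0x30:
        raise CertCheckError("not a DER SEQUENCE (X.509 certificates start with 0x30)")
    first = blob[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise CertCheckError("malformed DER length field")
    length_bytes = blob[2 : 2 + n]
    value = int.from_bytes(length_bytes, "big")
    if length_bytes[0] == 0 or value < 0x80:
        raise CertCheckError("non-minimal DER length encoding")
    return 2 + n + value


def check_cert_for_slot(blob: bytes, slot_size: int = EXTRA_CERT_SIZE) -> int:
    """Validate blob as a DER certificate that fits the reserved slot.

    Returns the number of bytes left free in the slot. Raises CertCheckError
    for PEM input, trailing/missing bytes, or a certificate larger than the slot.
    """
    if blob.lstrip().startswith(b"-----BEGIN"):
        raise CertCheckError("PEM input; convert with 'openssl x509 -outform DER' first")
    total = der_outer_length(blob)
    if total != len(blob):
        raise CertCheckError(f"DER declares {total} bytes but file holds {len(blob)}")
    if total > slot_size:
        raise CertCheckError(f"certificate is {total} bytes; slot is only {slot_size}")
    return slot_size - total


def insert_sys_cert_argv(system_map: str, bzimage: str, certfile: str) -> list[str]:
    """Command line from the bug report for repacking a bzImage with the cert."""
    return ["scripts/insert-sys-cert", "-s", system_map, "-z", bzimage, "-c", certfile]


def make_fake_sequence(payload_len: int) -> bytes:
    """Constructed stand-in for a certificate: a zero-filled DER SEQUENCE.

    Only the header is meaningful; this is test data, not a real X.509 cert.
    """
    payload = bytes(payload_len)
    if payload_len < 0x80:
        header = bytes([0x30, payload_len])
    else:
        lb = payload_len.to_bytes((payload_len.bit_length() + 7) // 8, "big")
        header = bytes([0x30, 0x80 | len(lb)]) + lb
    return header + payload


if __name__ == "__main__":
    # Usage: python check_extra_cert.py System.map bzImage cert.der
    smap, bz, cert = sys.argv[1:4]
    with open(cert, "rb") as fh:
        free = check_cert_for_slot(fh.read())
    print(f"ok: {free} bytes of the {EXTRA_CERT_SIZE}-byte slot remain free")
    print(" ".join(insert_sys_cert_argv(smap, bz, cert)))
```

Run it against the DER file you intend to insert; on success it prints the exact insert-sys-cert invocation from the report, and on failure it says why the file would not fit the reserved region.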