kernel-packages team mailing list archive
Message #168750
[Bug 1379535] Re: policy namespace stacking
This bug was fixed in the package linux - 4.4.0-15.31
---------------
linux (4.4.0-15.31) xenial; urgency=low
[ Tim Gardner ]
* Release Tracking Bug
- LP: #1559252
* Xilinx KU3 Capi card does not show up in Ubuntu 16.04 (LP: #1557001)
- SAUCE: (noup) cxl: Allow initialization on timebase sync failures
* policy namespace stacking (LP: #1379535)
- Revert "UBUNTU: SAUCE: Move replacedby allocation into label_alloc"
- Revert "UBUNTU: SAUCE: Fixup: __label_update() still doesn't handle some cases correctly."
- Revert "UBUNTU: SAUCE: fix: audit "no_new_privs" case for exec failure"
- Revert "UBUNTU: SAUCE: fixup: warning about aa_label_vec_find_or_create not being static"
- Revert "UBUNTU: SAUCE: apparmor: fix refcount race when finding a child profile"
- Revert "UBUNTU: SAUCE: fixup: cast poison values to remove warnings"
- Revert "UBUNTU: SAUCE: fixup: get rid of unused var build warning"
- Revert "UBUNTU: SAUCE: fixup: 20/23 locking issue around in __label_update"
- Revert "UBUNTU: SAUCE: fixup: make __share_replacedby private to get rid of build warning"
- Revert "UBUNTU: SAUCE: fix: replacedby forwarding is not being properly update when ns is destroyed"
- Revert "UBUNTU: SAUCE: apparmor: fix log of apparmor audit message when kern_path() fails"
- Revert "UBUNTU: SAUCE: fixup: cleanup return handling of labels"
- Revert "UBUNTU: SAUCE: apparmor: fix: ref count leak when profile sha1 hash is read"
- Revert "UBUNTU: SAUCE: apparmor: Fix: query label file permission"
- Revert "UBUNTU: SAUCE: apparmor: Don't remove label on rcu callback if the label has already been removed"
- Revert "UBUNTU: SAUCE: apparmor: Fix: break circular refcount for label that is directly freed."
- Revert "UBUNTU: SAUCE: apparmor: Fix: refcount bug when inserting label update that transitions ns"
- Revert "UBUNTU: SAUCE: apparmor: Fix: now that insert can force replacement use it instead of remove_and_insert"
- Revert "UBUNTU: SAUCE: apparmor Fix: refcount bug in pivotroot mediation"
- Revert "UBUNTU: SAUCE: apparmor: ensure that repacedby sharing is done correctly"
- Revert "UBUNTU: SAUCE: apparmor: Fix: update replacedby allocation to take a gfp parameter"
- Revert "UBUNTU: SAUCE: apparmor: Fix: convert replacedby update to be protected by the labelset lock"
- Revert "UBUNTU: SAUCE: apparmor: Fix: add required locking of __aa_update_replacedby on merge path"
- Revert "UBUNTU: SAUCE: apparmor: Fix: deadlock in aa_put_label() call chain"
- Revert "UBUNTU: SAUCE: apparmor: Fix: label_vec_merge insertion"
- Revert "UBUNTU: SAUCE: apparmor: Fix: ensure new labels resulting from merge have a replacedby"
- Revert "UBUNTU: SAUCE: apparmor: Fix: refcount leak in aa_label_merge"
- Revert "UBUNTU: SAUCE: apparmor: Fix: refcount race between locating in labelset and get"
- Revert "UBUNTU: SAUCE: apparmor: Fix: label merge handling of marking unconfined and stale"
- Revert "UBUNTU: SAUCE: apparmor: add underscores to indicate aa_label_next_not_in_set() use needs locking"
- Revert "UBUNTU: SAUCE: apparmor: debug: POISON label and replaceby pointer on free"
- Revert "UBUNTU: SAUCE: apparmor: Fix: ensure aa_get_newest will trip debugging if the replacedby is not setup"
- Revert "UBUNTU: SAUCE: apparmor: Fix: insert race between label_update and label_merge"
- Revert "UBUNTU: SAUCE: apparmor: rework retrieval of the current label in the profile update case"
- Revert "UBUNTU: SAUCE: apparmor: Disallow update of cred when then subjective != the objective cred"
- Revert "UBUNTU: SAUCE: apparmor: Fix: oops do to invalid null ptr deref in label print fns"
- Revert "UBUNTU: SAUCE: fix-up: kern_mount fail path should not be doing put_buffers()"
- Revert "UBUNTU: SAUCE: apparmor: fix sleep from invalid context"
- Revert "UBUNTU: SAUCE: (no-up): apparmor: fix for failed mediation of socket that is being shutdown"
- Revert "UBUNTU: SAUCE: (no-up) apparmor: Fix incompatible pointer type warnings"
- Revert "UBUNTU: SAUCE: (no-up) apparmor: fix mount not handling disconnected paths"
- Revert "UBUNTU: SAUCE: (no-up): apparmor: fix mediation of fs unix sockets"
- Revert "UBUNTU: apparmor -- follow change to this_cpu_ptr"
- Revert "UBUNTU: SAUCE: (no-up) fix: bad unix_addr_fs macro"
- Revert "UBUNTU: SAUCE: Revert: fix: only allow a single threaded process to ..."
- Revert "UBUNTU: SAUCE: (no-up) apparmor: Sync to apparmor3 - RC1 snapshot"
- Revert "UBUNTU: SAUCE: (no-up) apparmor: add parameter to control whether policy hashing is used"
- SAUCE: (no-up) apparmor: sync of apparmor3.5-beta1 snapshot
- SAUCE: add a sysctl to enable unprivileged user ns AppArmor policy loading
* Add arm64 NUMA support (LP: #1558765)
- SAUCE: (noup) efi: ARM/arm64: ignore DT memory nodes instead of removing them
- SAUCE: (noup) Documentation, dt, numa: dt bindings for NUMA.
- [Config] CONFIG_OF_NUMA=y
- SAUCE: (noup) of, numa: Add NUMA of binding implementation.
- SAUCE: (noup) arm64: Move unflatten_device_tree() call earlier.
- [Config] CONFIG_NUMA=y and CONFIG_NODES_SHIFT=2 on arm64
- SAUCE: (noup) arm64, numa: Add NUMA support for arm64 platforms.
- SAUCE: (noup) arm64, mm, numa: Add NUMA balancing support for arm64.
* vivid/linux: total ADT test failures (LP: #1558447)
- Revert "Revert "af_unix: Revert 'lock_interruptible' in stream receive code""
* [Hyper-V] patches to allow kdump crash through NMI (LP: #1558720)
- Drivers: hv: vmbus: Support handling messages on multiple CPUs
- Drivers: hv: vmbus: Support kexec on ws2012 r2 and above
* s390/pci: enforce fmb page boundary rule (LP: #1558625)
- s390/pci: enforce fmb page boundary rule
* s390/pci: backport upstream commits since v4.4 (LP: #1558624)
- s390/pci_dma: fix DMA table corruption with > 4 TB main memory
- page_to_phys() always returns a multiple of PAGE_SIZE
- s390/pci: provide ZPCI_ADDR macro
- s390/pci: improve ZPCI_* macros
- s390/pci: resize iomap
- s390/pci: fix bar check
- s390/pci: set error state for unusable functions
- s390/pci: remove iomap sanity checks
- s390/pci: remove pdev pointer from arch data
- s390/pci: add ioctl interface for CLP
* IMA-appraisal is unusable in Ubuntu 16.04 (LP: #1558553)
- [Config] CONFIG_SYSTEM_EXTRA_CERTIFICATE=y, CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
- KEYS: Use the symbol value for list size, updated by scripts/insert-sys-cert
- KEYS: Reserve an extra certificate symbol for inserting without recompiling
- SAUCE: (noup) KEYS: Support for inserting a certificate into x86 bzImage
* skb_warn_bad_offload Crash (LP: #1558025)
- ipv4: only create late gso-skb if skb is already set up with CHECKSUM_PARTIAL
* Add PCIe root complex to Cavium arm64 (LP: #1558342)
- [Config] CONFIG_PCI_HOST_COMMON=y
- [Config] CONFIG_PCI_HOST_THUNDER_PEM=y
- [Config] CONFIG_PCI_HOST_THUNDER_ECAM=y
- PCI: generic: Move structure definitions to separate header file
- PCI: generic: Add pci_host_common_probe(), based on gen_pci_probe()
- PCI: generic: Expose pci_host_common_probe() for use by other drivers
- PCI: thunder: Add PCIe host driver for ThunderX processors
- PCI: thunder: Add driver for ThunderX-pass{1,2} on-chip devices
* [Hyper-V] vmbus: Fix a bug in hv_need_to_signal_on_read() (LP: #1556264)
- SAUCE: (noup) Drivers: hv: vmbus: Fix a bug in hv_need_to_signal_on_read()
* Xenial update to v4.4.6 stable release (LP: #1558330)
- arm64: account for sparsemem section alignment when choosing vmemmap offset
- ARM: mvebu: fix overlap of Crypto SRAM with PCIe memory window
- ARM: dts: dra7: do not gate cpsw clock due to errata i877
- ARM: OMAP2+: hwmod: Introduce ti,no-idle dt property
- PCI: Allow a NULL "parent" pointer in pci_bus_assign_domain_nr()
- kvm: cap halt polling at exactly halt_poll_ns
- KVM: VMX: disable PEBS before a guest entry
- KVM: s390: correct fprs on SIGP (STOP AND) STORE STATUS
- KVM: PPC: Book3S HV: Sanitize special-purpose register values on guest exit
- KVM: MMU: fix ept=0/pte.u=1/pte.w=0/CR0.WP=0/CR4.SMEP=1/EFER.NX=0 combo
- KVM: MMU: fix reserved bit check for ept=0/CR0.WP=0/CR4.SMEP=1/EFER.NX=0
- s390/dasd: fix diag 0x250 inline assembly
- tracing: Fix check for cpu online when event is disabled
- dmaengine: at_xdmac: fix residue computation
- jffs2: reduce the breakage on recovery from halfway failed rename()
- ncpfs: fix a braino in OOM handling in ncp_fill_cache()
- ASoC: dapm: Fix ctl value accesses in a wrong type
- ASoC: samsung: Use IRQ safe spin lock calls
- ASoC: wm8994: Fix enum ctl accesses in a wrong type
- ASoC: wm8958: Fix enum ctl accesses in a wrong type
- ovl: ignore lower entries when checking purity of non-directory entries
- ovl: fix working on distributed fs as lower layer
- wext: fix message delay/ordering
- cfg80211/wext: fix message ordering
- can: gs_usb: fixed disconnect bug by removing erroneous use of kfree()
- iwlwifi: mvm: inc pending frames counter also when txing non-sta
- mac80211: minstrel: Change expected throughput unit back to Kbps
- mac80211: fix use of uninitialised values in RX aggregation
- mac80211: minstrel_ht: set default tx aggregation timeout to 0
- mac80211: minstrel_ht: fix a logic error in RTS/CTS handling
- mac80211: check PN correctly for GCMP-encrypted fragmented MPDUs
- mac80211: Fix Public Action frame RX in AP mode
- gpu: ipu-v3: Do not bail out on missing optional port nodes
- drm/amdgpu: Fix error handling in amdgpu_flip_work_func.
- drm/radeon: Fix error handling in radeon_flip_work_func.
- Revert "drm/radeon/pm: adjust display configuration after powerstate"
- userfaultfd: don't block on the last VM updates at exit time
- ovl: fix getcwd() failure after unsuccessful rmdir
- MIPS: Fix build error when SMP is used without GIC
- MIPS: smp.c: Fix uninitialised temp_foreign_map
- block: don't optimize for non-cloned bio in bio_get_last_bvec()
- target: Drop incorrect ABORT_TASK put for completed commands
- ld-version: Fix awk regex compile failure
- Linux 4.4.6
* linux fails to load x.509 built-in certificate (LP: #1557250)
- lib/mpi: Endianness fix
* s390/kconfig: setting for CONFIG...9P.... (LP: #1557994)
- [Config] CONFIG_NET_9P=m for s390x
* mlx5_core kernel trace after "ethtool -C eth1 adaptive-rx on" flow (LP: #1557950)
- net/mlx5e: Don't try to modify CQ moderation if it is not supported
- net/mlx5e: Don't modify CQ before it was created
* [Feature]SD/SDIO/eMMC support for Broxton-P (LP: #1520454)
- mmc: sdhci: Do not BUG on invalid vdd
- mmc: enable MMC/SD/SDIO device to suspend/resume asynchronously
- mmc: It is not an error for the card to be removed while suspended
* s390/kconfig: disable CONFIG_VIRTIO_MMIO (LP: #1557689)
- [Config] CONFIG_VIRTIO_MMIO=n for s390x
* s390/kconfig: CONFIG_NUMA without CONFIG_NUMA_EMU does not make any sense on s390x (LP: #1557690)
- [Config] CONFIG_NUMA_EMU=y for s390x
* Miscellaneous Ubuntu changes
- [Debian] git-ubuntu-log -- prevent bug references being split
- [Debian] git-ubuntu-log -- git log output is UTF-8
-- Tim Gardner <tim.gardner@xxxxxxxxxxxxx> Tue, 15 Mar 2016 13:18:58 -0600
** Changed in: linux (Ubuntu Xenial)
Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/1379535
Title:
policy namespace stacking
Status in AppArmor:
In Progress
Status in apparmor package in Ubuntu:
In Progress
Status in linux package in Ubuntu:
Fix Released
Status in apparmor source package in Xenial:
In Progress
Status in linux source package in Xenial:
Fix Released
Bug description:
Tracking bug for supporting stacked policy namespaces (i.e., different
profiles on host, container, container in a container, etc.)