kernel-packages team mailing list archive

[Bug 1236455] Re: Running tasks are not subject to reloaded policies

 

This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-saucy' to 'verification-done-saucy'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on
how to enable and use -proposed. Thank you!


** Tags added: verification-needed-saucy

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1236455

Title:
  Running tasks are not subject to reloaded policies

Status in AppArmor Linux application security framework:
  Fix Released
Status in “linux” package in Ubuntu:
  Fix Released
Status in “linux” source package in Saucy:
  Fix Committed
Status in “linux” source package in Trusty:
  Fix Released

Bug description:
  As of saucy, if you start /usr/bin/foo under an existing policy defined
  in /etc/apparmor.d/usr.bin.foo, then reload /etc/apparmor.d/usr.bin.foo
  with updated permissions, then the running tasks are not subject to the
  new permissions.

  A testcase is at http://people.canonical.com/~serge/aa_exec.tgz .  This
  passes in precise, and fails in saucy.

  This came up in the libvirt regression testsuite.  When it tries to
  virsh attach-device, the existing libvirt task's policy must be
  updated to allow it to access the new device image file.  The test fails
  with EACCES trying to open the image file after loading the new policy.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1236455/+subscriptions