[pkg-apparmor] Bug#805002: Bug#805002: libvirt-client: "virsh attach-disk" fails with AppArmor enabled
John Johansen
john.johansen at canonical.com
Sun Jul 31 10:40:48 UTC 2016
On 07/30/2016 07:54 AM, intrigeri wrote:
> Hi,
>
> Christian Boltz:
>> I think you are misreading the documentation here ;-)
>
> I suspect it might be easier to improve the documentation,
> than to fix all people who would "misread" it.
>
> (Sorry I did not find this funny.)
>
>> OTOH, if you already have a profile loaded, start a process and then
>> reload the modified profile, it will be applied instantly.
>
> Thanks!
>
>> Note that there were bugs both in apparmor_parser and the kernel that
>> broke reload and could cause the problem you described. So please check
>> if Debian has the fixes in apparmor_parser (likely, because this was fixed
>> a while ago) and the kernel (less likely because that patch is quite
>> new). If in doubt, John should be able to point you to the relevant
>> patches.
>
> Good to know! Indeed, I have no clue what kernel patch you're
> referring to ⇒ John, can you please point me to it? Is it part of the
> pull request for 4.8? Thanks in advance!
>
Yes, and also available in the 4.8 fixes backports I did for 4.4 - 4.7 (I
haven't had time to backport further yet).

  git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor
    v4.4-aa2.8-out-of-tree
    v4.5-aa2.8-out-of-tree
    v4.6-aa2.8-out-of-tree
    v4.7-aa2.8-out-of-tree

Once the 4.8 request gets merged I can look at submitting to stable.

The specific patch for this issue is:

In linux security/next
  ec34fa2 apparmor: fix replacement bug that adds new child to old parent

v4.4-aa2.8-out-of-tree
  b02fdc2 apparmor: fix replacement bug that adds new child to old parent

The kernel side messes up in the specific case of a profile already existing
and the replacement adds new hats.

The userspace fix is rev 3440 in the userspace main branch (lp:apparmor).