[pkg-apparmor] Bug#883703: apparmor: Feature pinning breaks mount

John Johansen john.johansen at canonical.com
Mon Jan 8 09:46:54 UTC 2018


On 01/06/2018 07:50 AM, intrigeri wrote:
> Hi John,
> 
> John Johansen:
>> Attached is the patch for the kernel that is currently in testing
> 
>> From 1aa96ec6d0fce613e06fa4d073c8cf3e183989da Mon Sep 17 00:00:00 2001
>> From: John Johansen <john.johansen at canonical.com>
>> Date: Thu, 7 Dec 2017 00:28:27 -0800
>> Subject: [PATCH] apparmor: fix regression in mount mediation when feature set
>>  is pinned
>> MIME-Version: 1.0
>> Content-Type: text/plain; charset=UTF-8
>> Content-Transfer-Encoding: 8bit
> 
>> When the mount code was refactored for Labels it was not correctly
>> updated to check whether policy supported mediation of the mount
>> class.  This causes a regression when the kernel feature set is
>> reported as supporting mount and policy is pinned to a feature set
>> that does not support mount mediation.
> 
> What's the status of this patch?
> 
It is in 4.15-rc7, and has started working its way into the 4.14 stable
tree; I expect it will be in the 4.14.13 stable release.

> Context & meta: I'd like to pin the feature set to 4.9's in Debian
> Stretch (and Tails) ASAP but if I do this now, I'll break "mount"
> operations for all confined software. I appreciate the work you're
> putting into the longer term, nicer solution (policy versioning); I'm
> confident it will make things better for future stable releases of our
> distros; but sadly it won't fix the problems we currently have in the
> already released LTS distros that won't backport big kernel patch sets
> to their stable kernel, so on the short term what we need, at least in
> Debian and Tails, is bugfixes in the feature set pinning facility.
> 
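The regression in the quoted patch description only bites in one configuration: the running kernel advertises the mount mediation class while apparmor_parser is pinned, via features-file= in parser.conf, to a feature set (such as 4.9's) that lacks it. The following POSIX shell check for that combination is an added example, not code from the thread, the kernel patch or the AppArmor project; the sysfs path, the parser.conf location and the "mount {" block in the flattened features file are assumptions about the usual Debian layout.

```shell
#!/bin/sh
# Added example: detect a kernel that mediates mount while policy is pinned to
# a feature set without mount. On a kernel lacking the fix this breaks mount
# for confined programs. Paths are the usual Debian defaults (assumed).

KERNEL_FEATURES="${KERNEL_FEATURES:-/sys/kernel/security/apparmor/features}"
PARSER_CONF="${PARSER_CONF:-/etc/apparmor/parser.conf}"

# The live kernel exposes one subdirectory per mediation class under
# features/; "mount" is present only when the kernel can mediate mounts.
kernel_has_mount() { [ -d "$1/mount" ]; }

# The flattened features file read by apparmor_parser holds one "<class> {"
# block per class (assumed format); look for the mount block.
pinned_has_mount() { grep -q '^mount {' "$1" 2>/dev/null; }

# Print the pinned features file named in parser.conf (last features-file=
# wins, commented-out lines are ignored); prints nothing when not pinned.
pinned_features_file() {
  sed -n 's/^[[:space:]]*features-file[[:space:]]*=[[:space:]]*//p' "$1" 2>/dev/null | tail -n 1
}

# Exit 0 when the mismatch exists: kernel mediates mount, pinned policy does not.
mount_pinning_mismatch() {
  kernel_has_mount "$1" && ! pinned_has_mount "$2"
}

# Human-readable verdict for this system; exit 1 on a mismatch.
report() {
  pinned=$(pinned_features_file "$PARSER_CONF")
  if [ -z "$pinned" ]; then
    echo "feature set is not pinned; kernel and policy agree on mount mediation"
  elif mount_pinning_mismatch "$KERNEL_FEATURES" "$pinned"; then
    echo "MISMATCH: kernel advertises mount mediation but $pinned lacks it;"
    echo "mount rules break unless the kernel carries the fix (4.15-rc7 / 4.14 stable)"
    return 1
  else
    echo "pinned feature set $pinned matches the kernel on mount mediation"
  fi
}

# Run the report only when asked, so the file can also be sourced for its functions.
if [ "${AA_PIN_CHECK:-0}" = 1 ]; then report; fi
```

Run it as `AA_PIN_CHECK=1 sh check-pinning.sh`; a non-zero exit means the pinned feature set and the kernel disagree on mount mediation.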
