
Bug#1050256: AppArmor breaks locking non-fs Unix sockets



Hi John,

On Wed, Dec 06, 2023 at 10:47:45PM +0100, Salvatore Bonaccorso wrote:
> Hi Paul,
> 
> On Wed, Dec 06, 2023 at 10:21:02PM +0100, Paul Gevers wrote:
> > Hi,
> > 
> > On Mon, 18 Sep 2023 20:54:17 +0200 Paul Gevers <elbrus@debian.org> wrote:
> > > On 09-09-2023 13:06, Paul Gevers wrote:
> > > > All ci.d.n workers (except riscv64) now run the kernel from
> > > > bookworm-backports. systemd passes its autopkgtest again in unstable,
> > > > testing and stable.
> > > 
> > > We're having issues [1] with the (backports and) unstable kernel on our
> > > main amd64 host, so we reverted back to the stable kernel for amd64.
> > > 
> > > Paul
> > > 
> > > [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1052130
> > 
> > We're having issues [2] with the backports kernel on arm64 so our arm64,
> > armhf and armel hosts are back to the previous backports (arm64) kernel.
> > 
> > I'm slightly wondering if the next point release (on Saturday) will bring us
> > a fixed kernel for this issue? Given that this is the second time in 3
> > months we experience an issue with backports kernels, I think we'll have to
> > revert our hosts back to stable kernels for maintainability reasons.
> 
> TTBOMK, a backport of 1cf26c3d2c4c ("apparmor: fix apparmor mediating
> locking non-fs unix sockets") for the 6.1.y stable series has not
> landed yet so it's not included in the 6.1.64-1 update of the upcoming
> point release next weekend.
> 
> John, as it was said you are working on having the fix backported to
> linux-6.1.y, is this still WIP?

John, did you have a chance to work on this backport for 6.1.y stable
upstream so we could pick it downstream in Debian in one of the next
stable imports? Cherry-picking 1cf26c3d2c4c ("apparmor: fix apparmor
mediating locking non-fs unix sockets") does not work, if not
having the work around e2967ede2297 ("apparmor: compute policydb
permission on profile load") AFAICS, so that needs a 6.1.y specific
backport submitted to stable@vger.kernel.org?

I think we could have people from this bug as well providing a
Tested-by when necessary. I'm not feeling confident enough to be able
to provide myself such a patch to send to stable (and you only giving
an Acked-by/Reviewed-by), so if you can help out here with your
upstream hat on that would be more than appreciated and welcome :)

Thanks a lot for your work!

Regards,
Salvatore

