Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u1
Hi again Fabian & release team,
Fabian Grünbichler:
> On Wed, Dec 06, 2017 at 03:28:03PM +0100, intrigeri wrote:
>> > it potentially breaks systems using a custom/backports/newer kernel
>> > and AA profiles requiring features not supported by the pinned 4.9
>> > feature set.
>>
>> In this case, "breaks" == the AppArmor confinement becomes weaker,
>> but the application keeps working.
> not the case for all scenarios unfortunately. LXC containers using the
> upstream profiles (and a kernel supporting the needed features) don't
> start anymore:
> apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="/usr/bin/lxc-start" name="/" pid=21550 comm="lxc-start" flags="rw, rslave"
Wow, Assuming you're indeed running with the 4.9 feature set I've
uploaded, that's definitely a bug: the 4.9 feature set is supposed to
fully disable mount mediation, so a mount denial should never happen.
At first glance this very much looks like a bug in the custom kernel
you're using.
If you can reproduce this with a pristine 4.13 or 4.14 Debian kernel,
then I'm very sorry and I agree we should revert this s-p-u until this
kernel bug is fixed in mainline; I'll gladly help you report this bug
upstream. If, however, you can't reproduce this bug with a Debian
kernel, well, then it's a bug in the kernel patches you've applied and
I think we should leave s-p-u as-is.
Possibly helpful: can you please share the content of
/etc/apparmor.d/cache/.features on the system that exposes
this problem?
Cheers,
--
intrigeri
Reply to: