[apparmor] Bug#883703: apparmor: Feature pinning breaks mount

intrigeri intrigeri at debian.org
Sat Jan 6 15:50:44 UTC 2018


Hi John,

John Johansen:
> Attached is the patch for the kernel that is currently in testing

> From 1aa96ec6d0fce613e06fa4d073c8cf3e183989da Mon Sep 17 00:00:00 2001
> From: John Johansen <john.johansen at canonical.com>
> Date: Thu, 7 Dec 2017 00:28:27 -0800
> Subject: [PATCH] apparmor: fix regression in mount mediation when feature set
>  is pinned
> MIME-Version: 1.0
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: 8bit

> When the mount code was refactored for Labels it was not correctly
> updated to check whether policy supported mediation of the mount
> class.  This causes a regression when the kernel feature set is
> reported as supporting mount and policy is pinned to a feature set
> that does not support mount mediation.

What's the status of this patch?

Context & meta: I'd like to pin the feature set to 4.9's in Debian
Stretch (and Tails) ASAP but if I do this now, I'll break "mount"
operations for all confined software. I appreciate the work you're
putting into the longer term, nicer solution (policy versioning); I'm
confident it will make things better for future stable releases of our
distros; but sadly it won't fix the problems we currently have in the
already released LTS distros that won't backport big kernel patch sets
to their stable kernel, so on the short term what we need, at least in
Debian and Tails, is bugfixes in the feature set pinning facility.

Cheers!
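As an added example (not part of this mail or of the AppArmor project's own tooling), the following POSIX shell script checks for the exact combination the quoted commit message describes: a kernel whose feature set advertises the "mount" class while policy is pinned to a feature file that does not list it. The two feature files are constructed samples trimmed to the lines the check needs, in the flattened format apparmor_parser consumes through --features-file (or the features-file= setting in parser.conf); the live-kernel check relies on the securityfs directory /sys/kernel/security/apparmor/features, which is where the running kernel exposes its feature set.

```shell
#!/bin/sh
# Added example: detect "kernel supports mount, pinned feature set does not".
# Constructed sample feature files follow; they are not copied from any distro.

# Feature set without a mount class (what a 4.9-era pin looks like for this check).
FEATURES_PINNED_NO_MOUNT=$(cat <<'EOF'
caps {mask {chown dac_override
}
}
file {mask {create read write exec append mmap_exec link lock
}
}
EOF
)

# Feature set that does advertise mount mediation (a newer kernel's feature set).
FEATURES_KERNEL_MOUNT=$(cat <<'EOF'
caps {mask {chown dac_override
}
}
mount {mask {mount umount pivot_root
}
}
file {mask {create read write exec append mmap_exec link lock
}
}
EOF
)

# features_have_mount FEATURES_TEXT
# Exit 0 if the flattened feature set given as $1 declares the mount class.
features_have_mount() {
    printf '%s\n' "$1" | grep -q '^mount {'
}

# kernel_has_mount
# Exit 0 if the running kernel advertises mount mediation in securityfs.
kernel_has_mount() {
    [ -d /sys/kernel/security/apparmor/features/mount ]
}

# pinning_verdict KERNEL_FEATURES PINNED_FEATURES
# Prints "mount-regression" when the kernel feature set has mount but the
# pinned policy feature set does not (the case the patch addresses), else "ok".
pinning_verdict() {
    if features_have_mount "$1" && ! features_have_mount "$2"; then
        echo mount-regression
    else
        echo ok
    fi
}

# Stand-alone run: compare the constructed samples, then, when the securityfs
# tree is available, compare the live kernel against a pinned file named in $1.
main() {
    echo "sample check: $(pinning_verdict "$FEATURES_KERNEL_MOUNT" "$FEATURES_PINNED_NO_MOUNT")"
    if [ -n "${1:-}" ] && [ -r "$1" ] && kernel_has_mount; then
        if features_have_mount "$(cat "$1")"; then
            echo "live check: ok (pinned file $1 lists mount)"
        else
            echo "live check: mount-regression (kernel has mount, $1 does not)"
        fi
    fi
}

case "${0##*/}" in
    sh|bash|dash) ;;            # sourced: define functions only
    *) main "$@" ;;
esac
```

Run it with the path of the pinned features file as its only argument (on Debian, the path given by features-file= in /etc/apparmor/parser.conf); "mount-regression" means the kernel in use needs the quoted fix before the pin is safe for confined software that mounts.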
