Re: regression in 4.14-rc2 caused by apparmor: add base infastructure for socket mediation

From: Vlastimil Babka
Date: Tue Oct 03 2017 - 02:49:00 EST


On 10/03/2017 07:15 AM, James Bottomley wrote:
> On Mon, 2017-10-02 at 21:11 -0700, John Johansen wrote:
>> On 10/02/2017 09:02 PM, James Bottomley wrote:
>>>
>>> The specific problem is that dnsmasq refuses to start on openSUSE
>>> Leap 42.2. The specific cause is that an attempt to open a
>>> PF_LOCAL socket gets EACCES. This means that networking doesn't
>>> function on a system with a 4.14-rc2 system.
>>>
>>> Reverting commit 651e28c5537abb39076d3949fb7618536f1d242e
>>> (apparmor: add base infastructure for socket mediation) causes the
>>> system to function again.
>>>
>>
>> This is not a kernel regression,
>
> Regression means something that worked in a previous version of the
> kernel which is broken now. This problem falls within that definition.

Hm, but if this was because opensuse kernel and apparmor rules relied on
an out-of-tree patch, then it's not an upstream regression?

>> it is because opensuse dnsmasq is starting with policy that
>> doesn't allow access to PF_LOCAL socket
>
> Because there was no co-ordination between their version of the patch
> and yours. If you're sending in patches that you know might break
> systems because they need a co-ordinated rollout of something in
> userspace then it would be nice if you could co-ordinate it ...
>
> Doing it in the merge window and not in -rc2 would also be helpful
> because I have more expectation of a userspace mismatch from stuff in
> the merge window.

Agree, but with rc2 there's still plenty of time, and running rcX means
some issues can be expected...

>> Christian Boltz the opensuse apparmor maintainer has been working
>> on a policy update for opensuse see bug
>>
>> https://bugzilla.opensuse.org/show_bug.cgi?id=1061195
>
> Well, that looks really encouraging: The line about "To give you an
> impression what "lots of" means - I had to adjust 40 profiles on my
> laptop". The upshot being apart from a bandaid, openSUSE still has no
> co-ordinated fix for this.

Note that the openSUSE Leap 42.2 kernel is 4.4, so running 4.14 means
you are unsupported from the distro POV and you can't expect that the
42.2 apparmor profiles will ever be updated. I reported the bug above
for the Tumbleweed rolling distro, which gets new kernels after the
final version is released and passes QA. rcX kernels are packaged for
testing, but you have to add the repo explicitly. So there's still
enough time to co-ordinate fix of profiles and final 4.14 even for
Tumbleweed.

> James
>