AppArmor profiles missing in kernel 5.15.0-1051+ release
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
livecd-rootfs (Ubuntu) | Fix Released | Undecided | Unassigned | |
Focal | Fix Released | Undecided | Unassigned | |
Jammy | Fix Released | Undecided | Unassigned | |
Bug Description
After the kernel roll to linux-gcp-5.15 to version 5.15.0-
This test checks the output of `snap debug seeding` to assert `seed-completion` is present and not empty.
```
❯ snap debug seeding
seeded: true
preseeded: true
image-preseeding: 39.367s
seed-completion: 1.335s
```
If `/var/lib/
With the recent kernel update this test is failing which indicates a kernel feature mismatch between
the running kernel and the feature set hard-coded in livecd-rootfs for this image.
Boot will be slowed by ~200ms until this is resolved in livecd-rootfs.
The solution is to add a 5.15 apparmor configuration to the focal branch of livecd-rootfs.
The issue is also present with the recent 5.15 kernels in Jammy.
Related bugs LP: #2031943 and LP: #2045384
[ Impact ]
Boot will be slowed by ~200ms until this is resolved in livecd-rootfs
[ Test Plan ]
* for focal, build any cloud image with preseeded snaps with the HWE 5.15 kernel
* for jammy, build any cloud image with preseeded snaps with an up-to-date 5.15 kernel
* boot
* run `snap debug seeding`
* assert the test described above passes
[ Where problems could occur ]
* Similar patches already exist for later releases 6.2, 6.5 kernel etc. and have been used on other private customer kernels and all kernels released after 22.04, so there is already a good track record for this patchset and it shouldn't create any issues.
[ Other Info ]
* This is a time-sensitive issue for a paying customer
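
The check from the test plan, together with a comparison of the feature tree baked into the image against the one the running kernel exposes, as an added example (not code from livecd-rootfs or snapd). It assumes the baked tree mirrors the layout of `/sys/kernel/security/apparmor/features`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: helper functions for the test plan above (names are hypothetical).

# seed_completion_ok: reads `snap debug seeding` output on stdin and succeeds
# only if a seed-completion line is present with a non-empty value.
seed_completion_ok() {
    awk -F':[ \t]*' '
        $1 == "seed-completion" { found = 1; value = $2 }
        END { exit !(found && value != "") }
    '
}

# feature_mismatches BAKED RUNNING: prints one line per feature file that is
# absent from one tree or whose content differs between the two trees.
# Contents are read and compared as strings rather than with `cmp -s`:
# securityfs files report a size of 0, and cmp may short-circuit on size.
feature_mismatches() {
    baked=$1
    running=$2
    { (cd "$baked" && find . -type f); (cd "$running" && find . -type f); } |
        sort -u | while IFS= read -r f; do
            name=${f#./}
            if [ ! -f "$baked/$f" ]; then
                echo "missing-in-image $name"
            elif [ ! -f "$running/$f" ]; then
                echo "missing-in-kernel $name"
            elif [ "$(cat "$baked/$f")" != "$(cat "$running/$f")" ]; then
                echo "differs $name"
            fi
        done
}

# Sample output as shown in the bug description, embedded so this runs offline.
sample='seeded: true
preseeded: true
image-preseeding: 39.367s
seed-completion: 1.335s'
printf '%s\n' "$sample" | seed_completion_ok && echo "seed-completion present"

# On a booted image (the livecd-rootfs checkout location is an assumption):
#   snap debug seeding | seed_completion_ok
#   feature_mismatches live-build/apparmor/5.15 /sys/kernel/security/apparmor/features
```

Any line printed by `feature_mismatches` names a feature file where the baked configuration and the running kernel disagree.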
Related branches
- Canonical Foundations Team: Pending requested
-
Diff: 1974 lines (+1042/-17) (has conflicts), 76 files modified
debian/changelog (+314/-3)
debian/control (+3/-0)
live-build/apparmor/5.19/capability (+1/-0)
live-build/apparmor/5.19/caps/mask (+1/-0)
live-build/apparmor/5.19/dbus/mask (+1/-0)
live-build/apparmor/5.19/domain/attach_conditions/xattr (+1/-0)
live-build/apparmor/5.19/domain/change_hat (+1/-0)
live-build/apparmor/5.19/domain/change_hatv (+1/-0)
live-build/apparmor/5.19/domain/change_onexec (+1/-0)
live-build/apparmor/5.19/domain/change_profile (+1/-0)
live-build/apparmor/5.19/domain/computed_longest_left (+1/-0)
live-build/apparmor/5.19/domain/fix_binfmt_elf_mmap (+1/-0)
live-build/apparmor/5.19/domain/post_nnp_subset (+1/-0)
live-build/apparmor/5.19/domain/stack (+1/-0)
live-build/apparmor/5.19/domain/version (+1/-0)
live-build/apparmor/5.19/file/mask (+1/-0)
live-build/apparmor/5.19/ipc/posix_mqueue (+1/-0)
live-build/apparmor/5.19/mount/mask (+1/-0)
live-build/apparmor/5.19/namespaces/pivot_root (+1/-0)
live-build/apparmor/5.19/namespaces/profile (+1/-0)
live-build/apparmor/5.19/network/af_mask (+1/-0)
live-build/apparmor/5.19/network/af_unix (+1/-0)
live-build/apparmor/5.19/network_v8/af_mask (+1/-0)
live-build/apparmor/5.19/policy/set_load (+1/-0)
live-build/apparmor/5.19/policy/versions/v5 (+1/-0)
live-build/apparmor/5.19/policy/versions/v6 (+1/-0)
live-build/apparmor/5.19/policy/versions/v7 (+1/-0)
live-build/apparmor/5.19/policy/versions/v8 (+1/-0)
live-build/apparmor/5.19/ptrace/mask (+1/-0)
live-build/apparmor/5.19/query/label/data (+1/-0)
live-build/apparmor/5.19/query/label/multi_transaction (+1/-0)
live-build/apparmor/5.19/query/label/perms (+1/-0)
live-build/apparmor/5.19/rlimit/mask (+1/-0)
live-build/apparmor/5.19/signal/mask (+1/-0)
live-build/apparmor/6.2/capability (+1/-0)
live-build/apparmor/6.2/caps/mask (+1/-0)
live-build/apparmor/6.2/dbus/mask (+1/-0)
live-build/apparmor/6.2/domain/attach_conditions/xattr (+1/-0)
live-build/apparmor/6.2/domain/change_hat (+1/-0)
live-build/apparmor/6.2/domain/change_hatv (+1/-0)
live-build/apparmor/6.2/domain/change_onexec (+1/-0)
live-build/apparmor/6.2/domain/change_profile (+1/-0)
live-build/apparmor/6.2/domain/computed_longest_left (+1/-0)
live-build/apparmor/6.2/domain/fix_binfmt_elf_mmap (+1/-0)
live-build/apparmor/6.2/domain/post_nnp_subset (+1/-0)
live-build/apparmor/6.2/domain/stack (+1/-0)
live-build/apparmor/6.2/domain/version (+1/-0)
live-build/apparmor/6.2/file/mask (+1/-0)
live-build/apparmor/6.2/ipc/posix_mqueue (+1/-0)
live-build/apparmor/6.2/mount/mask (+1/-0)
live-build/apparmor/6.2/namespaces/pivot_root (+1/-0)
live-build/apparmor/6.2/namespaces/profile (+1/-0)
live-build/apparmor/6.2/network/af_mask (+1/-0)
live-build/apparmor/6.2/network/af_unix (+1/-0)
live-build/apparmor/6.2/network_v8/af_mask (+1/-0)
live-build/apparmor/6.2/policy/set_load (+1/-0)
live-build/apparmor/6.2/policy/versions/v5 (+1/-0)
live-build/apparmor/6.2/policy/versions/v6 (+1/-0)
live-build/apparmor/6.2/policy/versions/v7 (+1/-0)
live-build/apparmor/6.2/policy/versions/v8 (+1/-0)
live-build/apparmor/6.2/ptrace/mask (+1/-0)
live-build/apparmor/6.2/query/label/data (+1/-0)
live-build/apparmor/6.2/query/label/multi_transaction (+1/-0)
live-build/apparmor/6.2/query/label/perms (+1/-0)
live-build/apparmor/6.2/rlimit/mask (+1/-0)
live-build/apparmor/6.2/signal/mask (+1/-0)
live-build/auto/build (+13/-0)
live-build/auto/config (+198/-0)
live-build/buildd/hooks/02-disk-image-uefi.binary (+22/-14)
live-build/functions (+68/-0)
live-build/lb_binary_layered (+4/-0)
live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary (+313/-0)
live-build/ubuntu-cpc/hooks.d/base/riscv64/grub/cmdline.cfg (+4/-0)
live-build/ubuntu-cpc/hooks.d/chroot/999-cpc-fixes.chroot (+32/-0)
live-build/ubuntu-server/hooks/01-unminimize.chroot_early (+4/-0)
live-build/ubuntu-server/hooks/03-kernel-metapkg.chroot_early (+3/-0)
- Brian Murray: Approve
- Jess Jang (community): Approve
-
Diff: 23 lines (+9/-0), 2 files modified
debian/changelog (+8/-0)
live-build/apparmor/generic/ipc/posix_mqueue (+1/-0)
- Jess Jang: Approve
-
Diff: 16 lines (+8/-0), 1 file modified
debian/changelog (+8/-0)
- Philip Roche (community): Disapprove
-
Diff: 32 lines (+11/-0) (has conflicts), 2 files modified
debian/changelog (+10/-0)
live-build/apparmor/generic/ipc/posix_mqueue (+1/-0)
- Jess Jang (community): Approve
- Ankush Pathak (community): Approve
- Steve Langasek: Approve
-
Diff: 289 lines (+71/-1), 34 files modified
debian/changelog (+7/-0)
live-build/apparmor/5.15/capability (+1/-0)
live-build/apparmor/5.15/caps/mask (+1/-0)
live-build/apparmor/5.15/dbus/mask (+1/-0)
live-build/apparmor/5.15/domain/attach_conditions/xattr (+1/-0)
live-build/apparmor/5.15/domain/change_hat (+1/-0)
live-build/apparmor/5.15/domain/change_hatv (+1/-0)
live-build/apparmor/5.15/domain/change_onexec (+1/-0)
live-build/apparmor/5.15/domain/change_profile (+1/-0)
live-build/apparmor/5.15/domain/computed_longest_left (+1/-0)
live-build/apparmor/5.15/domain/fix_binfmt_elf_mmap (+1/-0)
live-build/apparmor/5.15/domain/post_nnp_subset (+1/-0)
live-build/apparmor/5.15/domain/stack (+1/-0)
live-build/apparmor/5.15/domain/version (+1/-0)
live-build/apparmor/5.15/file/mask (+1/-0)
live-build/apparmor/5.15/ipc/posix_mqueue (+1/-0)
live-build/apparmor/5.15/mount/mask (+1/-0)
live-build/apparmor/5.15/namespaces/pivot_root (+1/-0)
live-build/apparmor/5.15/namespaces/profile (+1/-0)
live-build/apparmor/5.15/network/af_mask (+1/-0)
live-build/apparmor/5.15/network/af_unix (+1/-0)
live-build/apparmor/5.15/network_v8/af_mask (+1/-0)
live-build/apparmor/5.15/policy/set_load (+1/-0)
live-build/apparmor/5.15/policy/versions/v5 (+1/-0)
live-build/apparmor/5.15/policy/versions/v6 (+1/-0)
live-build/apparmor/5.15/policy/versions/v7 (+1/-0)
live-build/apparmor/5.15/policy/versions/v8 (+1/-0)
live-build/apparmor/5.15/ptrace/mask (+1/-0)
live-build/apparmor/5.15/query/label/data (+1/-0)
live-build/apparmor/5.15/query/label/multi_transaction (+1/-0)
live-build/apparmor/5.15/query/label/perms (+1/-0)
live-build/apparmor/5.15/rlimit/mask (+1/-0)
live-build/apparmor/5.15/signal/mask (+1/-0)
live-build/functions (+32/-1)
Changed in livecd-rootfs (Ubuntu):
status: Confirmed → Fix Committed
tags: added: verification-done-jammy
tags: added: verification-needed
tags: removed: verification-needed
tags: added: verification-needed
Changed in livecd-rootfs (Ubuntu):
status: Fix Committed → Fix Released
upstream linux bug that tracked the change.
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2045384