Skip to content

interfaces/apparmor: allow 'm' in default policy for snap-exec#1967

Merged
niemeyer merged 1 commit intocanonical:masterfrom
jdstrand:lp1626121
Sep 21, 2016
Merged

interfaces/apparmor: allow 'm' in default policy for snap-exec#1967
niemeyer merged 1 commit intocanonical:masterfrom
jdstrand:lp1626121

Conversation

@jdstrand
Copy link

@jdstrand jdstrand commented Sep 21, 2016

4.8+ kernels have a semantic change where the location of the mmap check in
the binfmt_elf loader changed along with the cred that is used for the check.
As a result, when using snappy reexec on these kernels we must allow 'm' on
/usr/lib/snapd/snap-exec.

Bug: LP: #1626121

interfaces: allow 'm' in default policy for /usr/lib/snapd/snap-exec
60b7e8f 
4.8+ kernels have a semantic change where the location of the mmap check in
the binfmt_elf loader changed along with the cred that is used for the check.
As a result, when using snappy reexec on these kernels we must allow 'm' on
/usr/lib/snapd/snap-exec.

Bug: LP: #1626121
@jdstrand
Copy link
Author

jdstrand commented Sep 21, 2016

@mvo5 - fyi, to unblock people and address autopkgtest failures on 16.10, I've uploaded 2.15.2+16.10.3 just now. Please be sure to verify this PR or the patch in 2.15.2+16.10.3 is in your next snapd upload to 16.10 so it isn't accidentally dropped.

@niemeyer niemeyer changed the title interfaces: allow 'm' in default policy for /usr/lib/snapd/snap-exec interfaces/apparmor: allow 'm' in default policy for snap-exec Sep 21, 2016
@niemeyer niemeyer merged commit 1d3e3e8 into canonical:master Sep 21, 2016
@jdstrand jdstrand deleted the lp1626121 branch September 22, 2016 13:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@niemeyer niemeyer niemeyer approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jdstrand @niemeyer