{"id":2219291,"url":"http://patchwork.ozlabs.org/api/1.0/covers/2219291/?format=json","project":{"id":15,"url":"http://patchwork.ozlabs.org/api/1.0/projects/15/?format=json","name":"Ubuntu Kernel","link_name":"ubuntu-kernel","list_id":"kernel-team.lists.ubuntu.com","list_email":"kernel-team@lists.ubuntu.com","web_url":null,"scm_url":null,"webscm_url":null},"msgid":"<20260402184923.2681798-1-georgia.garcia@canonical.com>","date":"2026-04-02T18:49:21","name":"[SRU,Q,0/2] fix network mediation issues","submitter":{"id":82129,"url":"http://patchwork.ozlabs.org/api/1.0/people/82129/?format=json","name":"Georgia Garcia","email":"georgia.garcia@canonical.com"},"series":[{"id":498541,"url":"http://patchwork.ozlabs.org/api/1.0/series/498541/?format=json","date":"2026-04-02T18:49:21","name":"fix network mediation issues","version":1,"mbox":"http://patchwork.ozlabs.org/series/498541/mbox/"}],"headers":{"Return-Path":"<kernel-team-bounces@lists.ubuntu.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (4096-bit key;\n unprotected) header.d=canonical.com header.i=@canonical.com\n header.a=rsa-sha256 header.s=20251003 header.b=oawNt0H+;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com\n (client-ip=185.125.189.65; helo=lists.ubuntu.com;\n envelope-from=kernel-team-bounces@lists.ubuntu.com;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fmrWD5qVrz1yCs\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 03 Apr 2026 05:49:44 +1100 (AEDT)","from localhost ([127.0.0.1] helo=lists.ubuntu.com)\n\tby lists.ubuntu.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1w8N6h-0004OE-U0; Thu, 02 Apr 2026 18:49:31 +0000","from smtp-relay-internal-0.internal ([10.131.114.225]\n helo=smtp-relay-internal-0.canonical.com)\n by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.86_2) (envelope-from <georgia.garcia@canonical.com>)\n id 1w8N6g-0004Ny-7A\n for kernel-team@lists.ubuntu.com; Thu, 02 Apr 2026 18:49:30 +0000","from mail-ua1-f70.google.com (mail-ua1-f70.google.com\n [209.85.222.70])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id 1F1C93F648\n for <kernel-team@lists.ubuntu.com>; Thu,  2 Apr 2026 18:49:30 +0000 (UTC)","by mail-ua1-f70.google.com with SMTP id\n a1e0cc1a2514c-953b15c76fdso254807241.2\n for <kernel-team@lists.ubuntu.com>; Thu, 02 Apr 2026 11:49:30 -0700 (PDT)","from georgia.. ([177.220.176.197]) by smtp.gmail.com with ESMTPSA id\n 71dfb90a1353d-56d9bc9b75dsm4359091e0c.12.2026.04.02.11.49.26\n for <kernel-team@lists.ubuntu.com>\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Thu, 02 Apr 2026 11:49:27 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;\n s=20251003; t=1775155770;\n bh=zJ5eofA6ZW6zmytGqaszknCAJFzVzwk/ZSYrijz+FuA=;\n h=From:To:Subject:Date:Message-ID:MIME-Version;\n b=oawNt0H+shOtfW0qqT5ifRHtXkHeYCnsvMCEGk8dZpUXpCP6EVsWOztk2mgyMcuGm\n vQsMEotuOph0rCr3ia5t1EYGsWMdb6Q5C++0VwLFNnd2T5HJopTbDXVrN3DWEyI+q/\n jDiOXVIM5XuyhjxJ9XdQNW6UEbdeMo1ZLphaBxnIFlDxX9CK3WHP/+7xpS49zYkpUL\n X8lU12rT+i9QX0mxQGVLszR9QbpFDNbAfjFkvfXxoXktQb2Oj0cyqQZq8Ts9TPWQSf\n O4Y0kQ7B9bCgPbZjMnF6+L1sHbw/j+974XQysIUS8Nhx25RLuIf9YS8zf9lb/U9Mnx\n ki8YA86WOJi4BxpnlXlq3kvlpjBWwiLbhaGV3pD8+ynZzAYJIXSLi9yKv2IhtoKT9x\n SOAKaJLSKgFOZERNjnldILcQFQlBcrzMHsXTYUjnnfwW4YmiIpoLRs+LBGSwRImeG8\n wUEoaJrw87Lm9wyRWc+3UhBUODn19F4Cu7W7PVt1kXw0Dud61TldZqDKb6Pa0Cg2py\n idcN841ykOQ+K7h1tZkpnA2OZaYlD3OeIlqNHodxS31AvB4o82Sw3+Ep/2UlJ/PL4U\n lh29bMbMZ9FHWhU2aQ6SOY1QtmjgLfmQGsg51M4/coKVVftiBtcqN7NZIwd849PLWL\n a80fNohIppF5v7ix+Sc9U2Dg=","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1775155768; x=1775760568;\n h=content-transfer-encoding:mime-version:message-id:date:subject:to\n :from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id\n :reply-to;\n bh=zJ5eofA6ZW6zmytGqaszknCAJFzVzwk/ZSYrijz+FuA=;\n b=U2fhEWLyUSyT/PClB38gG+16cFIGWfY7ja/NVcYIlaHvrpPvqLzON96hVrR2HxOQrE\n SUgWimjtdhQ+BvNmG8pwIIipMctcAPHcFqtD5BGL+Qoa62ItH0lp+9koPAUvsMc5v3NW\n 3JSnmnp+S7G3Ni6dTaWWLXFPENskJkrL8CNGsnqzjUd5MK/yUdUStXvVYyyuuLlAqWyF\n i6tDvxhVYHtugw4yCRQv9kHgtKzPPFVWumJQN7oXaw+6jUJvNUjqB86CvlUo5DcqjtjJ\n cMDqAKAaGJINrF6TQCklg+qb1n39jy50GOVEx/64HKtcfyRQN0bm9LN/pC34uO4t6juJ\n sFPA==","X-Gm-Message-State":"AOJu0YwwotwYIqUXZ5Y+ne2UnPJ45Zmvu0o5fyHreRPdd6Lk1eLPEPTx\n WTbYLm1dNFOSuc0+q7kcgV8kAso1opecck1t2mFi/iFsyeUuKnIPpxpgPtqdcsofj1go9yQggVd\n JYLREny2YN6F7+nOy/GVLfLnq+3KH4xtSMzagHrLMrrLBqir5jrFFxVlB141rGM3ujq1tjRA8Ux\n TyOjbJZUXUjshyig==","X-Gm-Gg":"ATEYQzxpF+irpQj+F7ZYTcTqEbAkPFqbjxrOLYCajncwxOAYM9L+zQkTqR/9Hs896LZ\n vxx+DyTynWwlOnzMhnkC4nnfbVpoGaWLJyDYG5leNxTyJQIeH22znYHjjTLojZ3Nv+jVYy54JoB\n 1scZQkf7rkBtIzgCtostLFSWL/SybibvOfMT2m9amfRFg1cMXxbPrgTPsa3F2GjIj42l39hfDvF\n gVRopV8D9wHVQCnkcP5IYH1Q7DKx0zUmKOtmjW4AF5kf/B4dajpXi1iURABtkQW205bu4tH2wGh\n Jfzfw2zGYXt37SbmFAbCfNTqgUlXV1vbScDAyyftw+xR6gwJsYGkSmp97A8qyRq4hQQG9h8iTup\n kx+cqxVJjn8UbyYaxWLX6pSeMtkC+Y3HbaslS4jGenyl0UIrwz80Y6yinWdRNCsM=","X-Received":["by 2002:a05:6122:3384:b0:566:357b:ef25 with SMTP id\n 71dfb90a1353d-56daba62d82mr45722e0c.15.1775155768481;\n Thu, 02 Apr 2026 11:49:28 -0700 (PDT)","by 2002:a05:6122:3384:b0:566:357b:ef25 with SMTP id\n 71dfb90a1353d-56daba62d82mr45709e0c.15.1775155767849;\n Thu, 02 Apr 2026 11:49:27 -0700 (PDT)"],"From":"Georgia Garcia <georgia.garcia@canonical.com>","To":"kernel-team@lists.ubuntu.com","Subject":"[SRU][Q][PATCH 0/2] fix network mediation issues","Date":"Thu,  2 Apr 2026 15:49:21 -0300","Message-ID":"<20260402184923.2681798-1-georgia.garcia@canonical.com>","X-Mailer":"git-send-email 2.43.0","MIME-Version":"1.0","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions <kernel-team.lists.ubuntu.com>","List-Unsubscribe":"<https://lists.ubuntu.com/mailman/options/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>","List-Archive":"<https://lists.ubuntu.com/archives/kernel-team>","List-Post":"<mailto:kernel-team@lists.ubuntu.com>","List-Help":"<mailto:kernel-team-request@lists.ubuntu.com?subject=help>","List-Subscribe":"<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"},"content":"BugLink: https://bugs.launchpad.net/bugs/2142860\n\nSRU Justification:\n\n[Impact]\n\nDuring a rebase the code to wire in the fine grained inet mediation\nfor sock_file_perm got dropped. This breaks network mediation if\nv8/v9 fine grained inet mediation is used, which was the case for\nthe policy that was updated to use abi 5.0 added in apparmor 5.0.0~alpha2\n\n[Fix]\n\nCherry-pick resolute:linux commits:\n5240899d3fb2e01b88ecceb2c53921dd64b74c75\n7cb6769a2d96ab3b6da8ca401936a22745523bad\n\n[Test Plan]\n\nThere are two test cases:\n\n1. using flatpak:\n$ sudo apt install flatpak\n$ flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo\n$ flatpak install flathub com.brave.Browser\n$ flatpak run com.brave.Browser\n\nWhen the browser opens, make sure it can open any website\n(https://ubuntu.com/ for example)\n\n2. using sbuild with unshare backend\n\n$ sudo apt install sbuild mmdebstrap uidmap\n\nCreate a file called .sbuildrc in your home directory with the\nfollowing contents:\n\n$mailto = 'foo@bar.com';\n$maintainer_name='Foo Bar <foo@bar.com>';\n#$build_dep_resolver=\"apt\";\n$chroot_mode = \"unshare\";\n1;\n\nEdit /etc/apt/sources.list.d/ubuntu.sources adding deb-src to Types:\n\nTypes: deb deb-src\n\n$ sudo apt update\n$ apt source apparmor\n$ cd apparmor-5.0.0~beta1/\n$ sbuild -d resolute\n\nMake sure you don't see any \"Connection failed\" messages during the\nstep \"I: Setting up apt archive...\" and that build completes\nsuccessfully.\n\n[Where problems could occur]\n\nThe regression can be considered as low since both fixes have been\napplied to the resolute kernel.\n\nJohn Johansen (2):\n  UBUNTU: SAUCE: apparmor5.0.0 [29/57]: apparmor: fix fine grained inet\n    mediation sock_file_perm\n  UBUNTU: SAUCE: apparmor5.0.0 [53/57]: apparmor: fix af_unix local addr\n    mediation binding\n\n security/apparmor/af_inet.c | 2 +-\n security/apparmor/audit.c   | 2 +-\n security/apparmor/net.c     | 9 ++++++++-\n 3 files changed, 10 insertions(+), 3 deletions(-)"}