From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Thorsten Leemhuis <regressions@leemhuis.info>,
	John Johansen <john.johansen@canonical.com>,
	Vlastimil Babka <vbabka@suse.cz>,
	Seth Arnold <seth.arnold@canonical.com>
Cc: linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: regression in 4.14-rc2 caused by apparmor: add base infastructure for socket mediation
Date: Tue, 24 Oct 2017 13:03:01 +0200
Message-ID: <1508842981.3187.5.camel@HansenPartnership.com>
In-Reply-To: <c0cbecb6-63c8-17a6-9c5e-59de27d3c5e9@leemhuis.info>

On Tue, 2017-10-24 at 08:39 +0200, Thorsten Leemhuis wrote:
> Lo, your friendly regression tracker here!
> 
> On 03.10.2017 09:17, John Johansen wrote:
> > 
> > On 10/02/2017 11:48 PM, Vlastimil Babka wrote:
> > > 
> > > On 10/03/2017 07:15 AM, James Bottomley wrote:
> > > > 
> > > > On Mon, 2017-10-02 at 21:11 -0700, John Johansen wrote:
> > > > > 
> > > > > On 10/02/2017 09:02 PM, James Bottomley wrote:
> > > > > > 
> > > > > > 
> > > > > > The specific problem is that dnsmasq refuses to start on
> > > > > > > openSUSE Leap 42.2.  The specific cause is that an attempt
> > > > > > to open a PF_LOCAL socket gets EACCES.  This means that
> > > > > > networking doesn't function on a system with a 4.14-rc2
> > > > > > system. Reverting commit
> > > > > > 651e28c5537abb39076d3949fb7618536f1d242e
> > > > > > (apparmor: add base infastructure for socket mediation)
> > > > > > causes the system to function again.
> > > > > This is not a kernel regression,
> > > > Regression means something that worked in a previous version of
> > > > the kernel which is broken now. This problem falls within that
> > > > definition.
> > > Hm, but if this was because opensuse kernel and apparmor rules
> > > relied on an out-of-tree patch, then it's not an upstream
> > > regression?
> > While it's true that previous opensuse kernels were relying on an
> > out of tree patch for doing mediation in this area, the real issue
> > is the configuration of the userspace on the system is set up to
> > enforce new policy features advertised by the kernel. Regardless of
> > whether policy has been updated to deal with it.
> 
> Did anything come out of this discussion?

Not really, no.  I've got the patch reverted locally, so it's not
causing *me* problems anymore.

>  I checked LKML and recent commits, but missed if anything happened.
> But it seems this problem annoys quite a few people on various
> distros. It turned out one of the regressions in my last
> regression report seemed to be due to the changes in apparmor. See:
> 
> https://bugzilla.kernel.org/show_bug.cgi?id=197137#7
> 
> That commit links to two bugs filed for Debian and Ubuntu:
> https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1724450
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877581
> 
> The stuff even made the news:
> https://www.phoronix.com/scan.php?page=news_item&px=AppArmor-Linux-4.14
> 
> It's obviously Linus to decide in the end, but from my understanding
> of the whole "no regressions" rule this looks quite a lot like a
> regression to me.

It's certainly a lack of co-ordination between all the apparmor-using
upstreams, yes.  I think of it as a regression because I have no way
other than reverting the patch of getting my system running again.

I'd also argue that treating this as a regression might possibly
encourage better co-ordination in future.

James

Thread overview: 19+ messages
2017-10-03  4:02 regression in 4.14-rc2 caused by apparmor: add base infastructure for socket mediation James Bottomley
2017-10-03  4:11 ` John Johansen
2017-10-03  5:15   ` James Bottomley
2017-10-03  6:32     ` John Johansen
2017-10-03  6:48     ` Vlastimil Babka
2017-10-03  7:17       ` John Johansen
2017-10-24  6:39         ` Thorsten Leemhuis
2017-10-24 11:03           ` James Bottomley [this message]
2017-10-24 11:57             ` John Johansen
2017-10-26 17:36               ` Linus Torvalds
2017-10-26 18:54                 ` James Morris
2017-10-26 19:02                   ` Linus Torvalds
2017-10-26 19:06                     ` James Morris
2017-10-26 20:08                       ` John Johansen
2017-10-26 19:59                 ` John Johansen
2017-10-24 15:19             ` Vlastimil Babka
2017-10-24 11:31           ` John Johansen
2017-10-26  9:11             ` Thorsten Leemhuis
2017-10-26 18:13               ` Linus Torvalds
