[08:28] Guest38, if you want to send to security@ubuntu.com all the false positives you might be facing. I can take a look at all of them [08:29] ok thanks [18:55] hi #security, any history on an apparmor rule that is like this: [18:55] /usr/sbin/swanctl r, [18:55] getting a DENIED: [18:55] [Fri Dec 16 18:44:52 2022] audit: type=1400 audit(1671216292.135:459): apparmor="DENIED" operation="file_mmap" class="file" namespace="root//lxd-l1_" profile="/usr/sbin/swanctl" name="/usr/sbin/swanctl" pid=31160 comm="swanctl" requested_mask="m" denied_mask="m" fsuid=1000000 ouid=1000000 [18:55] but JUST on ppc64el? [18:55] oh, and another wrinkle: just when inside lxd [18:55] on a ppc64el HOST, it works fine [18:55] and on non-ppc64el, it works fine anywhere (host or lxd) [18:55] and, of course, when it gets a denied, it segfaults, why not :) [18:56] root@l1:~# swanctl [18:56] Segmentation fault [18:56] oh, and only lunar combo (host/lxd) [18:56] well, tbh, didn't test other release on ppc64el, but the test that is breaking works fine in all other arches in lunar [18:56] I can fix that by adding the "m" flag to that apparmor rule [18:56] but this being so unique (ppc64el only, lunar only, lxd only), that I thought about asking briefly before doing that [19:11] ahasenack_ I've seen binaries needing "rm" for a while when inside containers [19:11] on amd64 that is though [19:13] ahasenack_: all the binaries in https://salsa.debian.org/debian/strongswan/-/blob/debian/master/debian/usr.lib.ipsec.charon have the "m" [19:18] swanctl has its own little profile [19:18] i'm testing a new build now [19:19] right but swanctl isn't what was used typically on Debian and derivatives [19:19] despite being the modern alternative [19:20] yeah, I wrote the new test thinking like that, using the "modern" alternative [19:20] there is still some confusion in the packaging, it's still possible to install incorrect packages so that you have 2x charon running [19:21] one directly by systemd, and the other one started by ipsec [19:33] ahasenack_: re the "rmix" part, I had bugged sarnold some years back and here what he explained: https://salsa.debian.org/debian/strongswan/-/blob/debian/master/debian/usr.lib.ipsec.charon [19:33] wrong link, sorry, take #2: https://salsa.debian.org/debian/strongswan/-/merge_requests/4#note_76186 [19:33] -ubottu:#ubuntu-security- Merge 4 in debian/strongswan "Apparmor fixes" [Merged] [19:37] again, containers mentioned [19:37] interesting [19:57] grmbl, forgot to enable ppc64el in the ppa [20:24] hey, strongswan 5.9.8 will at least catch the 2x charon running problem because they disabled `SO_REUSEADDR` [20:50] I didn't notice that, only that the tunnel wouldn't work [20:50] by "catch" you mean something in the logs? [20:51] I'd expect one of the services to fail due to being unable to bind the IKE port(s) [20:52] see the last item at the bottom of https://www.strongswan.org/blog/2022/10/03/strongswan-5.9.8-released.html [20:53] maybe that doesn't prevent them from starting, but the logs will show something [22:58] ebarretto thanks for fixing OVAL definitions [22:59] on my server, these ones (kernel related CVE) are cleared : CVE-2022-43945 [22:59] CVE-2022-42722 [22:59] -ubottu:#ubuntu-security- The Linux kernel NFSD implementation prior to versions 5.19.17 and 6.0.2 are vulnerable to buffer overflow. NFSD tracks the number of pages held by each NFSD thread by combining the receive and send buffers of a remote procedure call (RPC) into a single array of pages. A client can force the send buffer to shrink by sending an RPC message over TCP with garbage data... [22:59] CVE-2022-42720 [22:59] CVE-2022-42703 [22:59] -ubottu:#ubuntu-security- In the Linux kernel 5.8 through 5.19.x before 5.19.16, local attackers able to inject WLAN frames into the mac80211 stack could cause a NULL pointer dereference denial-of-service attack against the beacon protection of P2P devices. [22:59] CVE-2022-2602 [22:59] CVE-2022-42721 [22:59] CVE-2022-42719 [22:59] -ubottu:#ubuntu-security- Various refcounting bugs in the multi-BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to trigger use-after-free conditions to potentially execute code. [22:59] CVE-2022-41674 [22:59] CVE-2022-40768 [22:59] -ubottu:#ubuntu-security- mm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free related to leaf anon_vma double reuse. [22:59] -ubottu:#ubuntu-security- ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. [22:59] -ubottu:#ubuntu-security- A list management bug in BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to corrupt a linked list and, in turn, potentially execute code. [22:59] -ubottu:#ubuntu-security- A use-after-free in the mac80211 stack when parsing a multi-BSSID element in the Linux kernel 5.2 through 5.19.x before 5.19.16 could be used by attackers (able to inject WLAN frames) to crash the kernel and potentially execute code. [22:59] -ubottu:#ubuntu-security- An issue was discovered in the Linux kernel before 5.19.16. Attackers able to inject WLAN frames could cause a buffer overflow in the ieee80211_bss_info_update function in net/mac80211/scan.c. [22:59] -ubottu:#ubuntu-security- drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information from kernel memory because stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case.