[ubuntu/questing-proposed] linux 6.16.0-11.11 (Accepted)
Andy Whitcroft
apw at canonical.com
Sun Aug 3 21:47:43 UTC 2025
linux (6.16.0-11.11) questing; urgency=medium
* questing/linux: 6.16.0-11.11 -proposed tracker (LP: #2119360)
* update apparmor and LSM stacking patch set (LP: #2028253)
- SAUCE: apparmor5.0.0 [1/93]: Stacking: Audit: Create audit_stamp
structure
- SAUCE: apparmor5.0.0 [2/93]: Stacking: Audit: Allow multiple records in
an audit_buffer
- SAUCE: apparmor5.0.0 [3/93]: Stacking: LSM: security_lsmblob_to_secctx
module selection
- SAUCE: apparmor5.0.0 [4/93]: Stacking: Audit: Add record for multiple
task security contexts
- SAUCE: apparmor5.0.0 [5/93]: Stacking: Audit: multiple subject lsm
values for netlabel
- SAUCE: apparmor5.0.0 [6/93]: Stacking: Audit: Add record for multiple
object contexts
- SAUCE: apparmor5.0.0 [7/93]: Stacking: LSM: Single calls in secid hooks
- SAUCE: apparmor5.0.0 [8/93]: Stacking: LSM: Exclusive secmark usage
- SAUCE: apparmor5.0.0 [9/93]: Stacking: Audit: Call only the first of the
audit rule hooks
- SAUCE: apparmor5.0.0 [10/93]: Stacking: AppArmor: Remove the exclusive
flag
- SAUCE: apparmor5.0.0 [11/93]: 6.17 apparmor-next: apparmor: Use
str_yes_no() helper function
- SAUCE: apparmor5.0.0 [12/93]: 6.17 apparmor-next: apparmor: Improve
debug print infrastructure
- SAUCE: apparmor5.0.0 [13/93]: 6.17 apparmor-next: apparmor: cleanup:
attachment perm lookup to use lookup_perms()
- SAUCE: apparmor5.0.0 [14/93]: 6.17 apparmor-next: apparmor: remove
redundant unconfined check.
- SAUCE: apparmor5.0.0 [15/93]: 6.17 apparmor-next: apparmor: switch
signal mediation to use RULE_MEDIATES
- SAUCE: apparmor5.0.0 [16/93]: 6.17 apparmor-next: apparmor: ensure
labels with more than one entry have correct flags
- SAUCE: apparmor5.0.0 [17/93]: 6.17 apparmor-next: apparmor: remove
explicit restriction that unconfined cannot use change_hat
- SAUCE: apparmor5.0.0 [18/93]: 6.17 apparmor-next: apparmor: cleanup:
refactor file_perm() to doc semantics of some checks
- SAUCE: apparmor5.0.0 [19/93]: 6.17 apparmor-next: apparmor: carry
mediation check on label
- SAUCE: apparmor5.0.0 [20/93]: 6.17 apparmor-next: apparmor: add
additional flags to extended permission.
- SAUCE: apparmor5.0.0 [21/93]: 6.17 apparmor-next: apparmor: add support
for profiles to define the kill signal
- SAUCE: apparmor5.0.0 [22/93]: 6.17 apparmor-next: apparmor: fix
x_table_lookup when stacking is not the first entry
- SAUCE: apparmor5.0.0 [23/93]: 6.17 apparmor-next: apparmor: add ability
to mediate caps with policy state machine
- SAUCE: apparmor5.0.0 [24/93]: 6.17 apparmor-next: apparmor: remove
af_select macro
- SAUCE: apparmor5.0.0 [25/93]: 6.17 apparmor-next: apparmor: lift kernel
socket check out of critical section
- SAUCE: apparmor5.0.0 [26/93]: 6.17 apparmor-next: apparmor: in
preparation for finer networking rules rework match_prot
- SAUCE: apparmor5.0.0 [27/93]: 6.17 apparmor-next: apparmor: add fine
grained af_unix mediation
- SAUCE: apparmor5.0.0 [28/93]: 6.17 apparmor-next: apparmor: gate make
fine grained unix mediation behind v9 abi
- SAUCE: apparmor5.0.0 [29/93]: 6.17 apparmor-next: apparmor: fix dbus
permission queries to v9 ABI
- SAUCE: apparmor5.0.0 [30/93]: 6.17 apparmor-next: apparmor: Fix checking
address of an array in accum_label_info()
- SAUCE: apparmor5.0.0 [31/93]: 6.17 apparmor-next: apparmor: Modify
mismatched function name
- SAUCE: apparmor5.0.0 [32/93]: 6.17 apparmor-next: apparmor: Modify
mismatched function name
- SAUCE: apparmor5.0.0 [33/93]: 6.17 apparmor-next: apparmor: fix typos
and spelling errors
- SAUCE: apparmor5.0.0 [34/93]: 6.17 apparmor-next: apparmor: use the
condition in AA_BUG_FMT even with debug disabled
- SAUCE: apparmor5.0.0 [35/93]: 6.17 apparmor-next: apparmor: Remove
unused variable 'sock' in __file_sock_perm()
- SAUCE: apparmor5.0.0 [68/93]: Revert "6.17 apparmor-next: apparmor: fix
dbus permission queries to v9 ABI"
- SAUCE: apparmor5.0.0 [69/93]: Revert "6.17 apparmor-next: apparmor: gate
make fine grained unix mediation behind v9 abi"
- SAUCE: apparmor5.0.0 [70/93]: apparmor: net: patch to provide
compatibility with v2.x net rules
- SAUCE: apparmor5.0.0 [71/93]: apparmor: net: add fine grained ipv4/ipv6
mediation
- SAUCE: apparmor5.0.0 [72/93]: apparmor: userns: add unprivileged user ns
mediation
- SAUCE: apparmor5.0.0 [73/93]: apparmor: userns: Add sysctls for
additional controls of unpriv userns restrictions
- SAUCE: apparmor5.0.0 [75/93]: apparmor: userns: open userns related
sysctl so lxc can check if restrictions are in place
- SAUCE: apparmor5.0.0 [76/93]: apparmor: userns: allow profile to be
transitioned when a userns is created
- SAUCE: apparmor5.0.0 [80/93]: apparmor: uring: add io_uring mediation
- SAUCE: apparmor5.0.0 [83/93]: apparmor: prompt: setup slab cache for
audit data
- SAUCE: apparmor5.0.0 [84/93]: apparmor: prompt: add the ability for
profiles to have a learning cache
- SAUCE: apparmor5.0.0 [85/93]: apparmor: prompt: enable userspace upcall
for mediation
- [Config] disable CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS
* Installation of AppArmor on a 6.14 kernel produces error message "Illegal
number: yes" (LP: #2102680)
- SAUCE: apparmor5.0.0 [81/93]: apparmor: create an
AA_SFS_TYPE_BOOLEAN_INTPRINT sysctl variant
- SAUCE: apparmor5.0.0 [82/93]: apparmor: Use AA_SFS_FILE_BOOLEAN_INTPRINT
for userns and io_uring sysctls
* update apparmor and LSM stacking patch set (LP: #2028253) // [FFe]
apparmor-4.0.0-alpha2 for unprivileged user namespace restrictions in
mantic (LP: #2032602)
- SAUCE: apparmor5.0.0 [74/93]: apparmor: userns - make it so special
unconfined profiles can mediate user namespaces
* Miscellaneous Ubuntu changes
- SAUCE: apparmor5.0.0 [36/93]: 6.17 apparmor-next: security/apparmor: use
kfree_sensitive() in unpack_secmark()
- SAUCE: apparmor5.0.0 [37/93]: 6.17 apparmor-next: apparmor: Fix
incorrect profile->signal range check
- SAUCE: apparmor5.0.0 [38/93]: 6.17 apparmor-next: apparmor: fix some
kernel-doc issues in header files
- SAUCE: apparmor5.0.0 [39/93]: 6.17 apparmor-next: apparmor: ensure
WB_HISTORY_SIZE value is a power of 2
- SAUCE: apparmor5.0.0 [40/93]: 6.17 apparmor-next: apparmor: fix loop
detection used in conflicting attachment resolution
- SAUCE: apparmor5.0.0 [41/93]: 6.17 apparmor-next: apparmor: make all
generated string array headers const char *const
- SAUCE: apparmor5.0.0 [42/93]: 6.17 apparmor-next: apparmor: force audit
on unconfined exec if info is set by find_attach
- SAUCE: apparmor5.0.0 [43/93]: 6.17 apparmor-next: apparmor: move the
"conflicting profile attachments" infostr to a const declaration
- SAUCE: apparmor5.0.0 [44/93]: 6.17 apparmor-next: apparmor: include
conflicting attachment info for confined ix/ux fallback
- SAUCE: apparmor5.0.0 [45/93]: 6.17 apparmor-next: apparmor: force
auditing of conflicting attachment execs from confined
- SAUCE: apparmor5.0.0 [46/93]: 6.17 apparmor-next: apparmor: make
debug_values_table static
- SAUCE: apparmor5.0.0 [47/93]: 6.17 apparmor-next: apparmor: Document
that label must be last member in struct aa_profile
- SAUCE: apparmor5.0.0 [48/93]: 6.17 apparmor-next: apparmor: mitigate
parser generating large xtables
- SAUCE: apparmor5.0.0 [49/93]: 6.17 apparmor-next: apparmor: make
__begin_current_label_crit_section() indicate whether put is needed
- SAUCE: apparmor5.0.0 [50/93]: 6.17 apparmor-next: apparmor: update
kernel doc comments for xxx_label_crit_section
- SAUCE: apparmor5.0.0 [51/93]: 6.17 apparmor-next: apparmor: Remove use
of the double lock
- SAUCE: apparmor5.0.0 [52/93]: 6.17 apparmor-next: apparmor: fix af_unix
auditing to include all address information
- SAUCE: apparmor5.0.0 [53/93]: 6.17 apparmor-next: apparmor: fix
AA_DEBUG_LABEL()
- SAUCE: apparmor5.0.0 [54/93]: 6.17 apparmor-next: apparmor: fix
regression in fs based unix sockets when using old abi
- SAUCE: apparmor5.0.0 [55/93]: 6.17 apparmor-next: apparmor: make sure
unix socket labeling is correctly updated.
- SAUCE: apparmor5.0.0 [56/93]: 6.17 apparmor-next: apparmor: shift ouid
when mediating hard links in userns
- SAUCE: apparmor5.0.0 [57/93]: 6.17 apparmor-next: apparmor: shift uid
when mediating af_unix in userns
- SAUCE: apparmor5.0.0 [58/93]: 6.17 apparmor-next: apparmor: Fix 8-byte
alignment for initial dfa blob streams
- SAUCE: apparmor5.0.0 [59/93]: 6.17 apparmor-next: apparmor: Fix
unaligned memory accesses in KUnit test
- SAUCE: apparmor5.0.0 [60/93]: 6.17 apparmor-next: apparmor: fix kernel
doc warnings for kernel test robot
- SAUCE: apparmor5.0.0 [61/93]: 6.17 apparmor-next: apparmor: remove
redundant perms.allow MAY_EXEC bitflag set
- SAUCE: apparmor5.0.0 [62/93]: 6.17 apparmor-next: apparmor: fix
documentation mismatches in val_mask_to_str and socket functions
- SAUCE: apparmor5.0.0 [63/93]: 6.17 apparmor-next: apparmor: transition
from a list of rules to a vector of rules
- SAUCE: apparmor5.0.0 [64/93]: 6.17 apparmor-next: apparmor: fix: accept2
being specified even when permission table is present
- SAUCE: apparmor5.0.0 [65/93]: 6.17 apparmor-next: apparmor: Remove the
unused variable rules
- SAUCE: apparmor5.0.0 [66/93]: 6.17 apparmor-next: apparmor: fix test
error: WARNING in apparmor_unix_stream_connect
- SAUCE: apparmor5.0.0 [67/93]: 6.17 apparmor-next: apparmor: fix
Regression on linux-next (next-20250721)
- SAUCE: apparmor5.0.0 [77/93]: apparmor: userns: Add support for execpath
in userns
- SAUCE: apparmor5.0.0 [78/93]: apparmor: mqueue: call
security_inode_init_security on inode creation
- SAUCE: apparmor5.0.0 [79/93]: apparmor: mqueue: add fine grained
mediation of posix mqueues
- SAUCE: apparmor5.0.0 [86/93]: apparmor: prompt: pass prompt boolean
through into path_name as well
- SAUCE: apparmor5.0.0 [87/93]: apparmor: add AA_DEBUG_PROFILE to have
debug on profiles with flag set
- SAUCE: apparmor5.0.0 [88/93]: apparmor: make str table more generic and
be able to have multiple entries
- SAUCE: apparmor5.0.0 [89/93]: apparmor: check for supported version in
notification messages.
- SAUCE: apparmor5.0.0 [90/93]: apparmor: refactor building notice so it
is easier to extend
- SAUCE: apparmor5.0.0 [91/93]: apparmor: switch from ENOTSUPP to
EPROTONOSUPPORT
- SAUCE: apparmor5.0.0 [92/93]: UBUNTU: SAUCE: apparmor5.0.0 [92/93]:
apparmor: add support for meta data tags
- SAUCE: apparmor5.0.0 [93/93]: apparmor: mmap_file() doesn't need to be
called atomically
Date: 2025-08-02 09:42:19.810100+00:00
Changed-By: Paolo Pisati <paolo.pisati at canonical.com>
Signed-By: Andy Whitcroft <apw at canonical.com>
https://launchpad.net/ubuntu/+source/linux/6.16.0-11.11