[ubuntu/questing-proposed] linux 6.15.0-4.4 (Accepted)
Andy Whitcroft
apw at canonical.com
Mon Jul 7 22:16:39 UTC 2025
linux (6.15.0-4.4) questing; urgency=medium
* questing/linux: 6.15.0-4.4 -proposed tracker (LP: #2115965)
* update apparmor and LSM stacking patch set (LP: #2028253)
- SAUCE: apparmor5.0.0 [1/79]: Stacking: Audit: Create audit_stamp structure
- SAUCE: apparmor5.0.0 [2/79]: Stacking: Audit: Allow multiple records in an
audit_buffer
- SAUCE: apparmor5.0.0 [3/79]: Stacking: LSM: security_lsmblob_to_secctx
module selection
- SAUCE: apparmor5.0.0 [4/79]: Stacking: Audit: Add record for multiple task
security contexts
- SAUCE: apparmor5.0.0 [5/79]: Stacking: Audit: multiple subject lsm values
for netlabel
- SAUCE: apparmor5.0.0 [6/79]: Stacking: Audit: Add record for multiple object
contexts
- SAUCE: apparmor5.0.0 [7/79]: Stacking: LSM: Single calls in secid hooks
- SAUCE: apparmor5.0.0 [8/79]: Stacking: LSM: Exclusive secmark usage
- SAUCE: apparmor5.0.0 [9/79]: Stacking: Audit: Call only the first of the
audit rule hooks
- SAUCE: apparmor5.0.0 [10/79]: Stacking: AppArmor: Remove the exclusive flag
- SAUCE: apparmor5.0.0 [11/79]: 6.17 apparmor-next: apparmor: Use str_yes_no()
helper function
- SAUCE: apparmor5.0.0 [12/79]: 6.17 apparmor-next: apparmor: Improve debug
print infrastructure
- SAUCE: apparmor5.0.0 [13/79]: 6.17 apparmor-next: apparmor: cleanup:
attachment perm lookup to use lookup_perms()
- SAUCE: apparmor5.0.0 [14/79]: 6.17 apparmor-next: apparmor: remove redundant
unconfined check.
- SAUCE: apparmor5.0.0 [15/79]: 6.17 apparmor-next: apparmor: switch signal
mediation to use RULE_MEDIATES
- SAUCE: apparmor5.0.0 [16/79]: 6.17 apparmor-next: apparmor: ensure labels
with more than one entry have correct flags
- SAUCE: apparmor5.0.0 [17/79]: 6.17 apparmor-next: apparmor: remove explicit
restriction that unconfined cannot use change_hat
- SAUCE: apparmor5.0.0 [18/79]: 6.17 apparmor-next: apparmor: cleanup:
refactor file_perm() to doc semantics of some checks
- SAUCE: apparmor5.0.0 [19/79]: 6.17 apparmor-next: apparmor: carry mediation
check on label
- SAUCE: apparmor5.0.0 [20/79]: 6.17 apparmor-next: apparmor: add additional
flags to extended permission.
- SAUCE: apparmor5.0.0 [21/79]: 6.17 apparmor-next: apparmor: add support for
profiles to define the kill signal
- SAUCE: apparmor5.0.0 [22/79]: 6.17 apparmor-next: apparmor: fix
x_table_lookup when stacking is not the first entry
- SAUCE: apparmor5.0.0 [23/79]: 6.17 apparmor-next: apparmor: add ability to
mediate caps with policy state machine
- SAUCE: apparmor5.0.0 [24/79]: 6.17 apparmor-next: apparmor: remove af_select
macro
- SAUCE: apparmor5.0.0 [25/79]: 6.17 apparmor-next: apparmor: lift kernel
socket check out of critical section
- SAUCE: apparmor5.0.0 [26/79]: 6.17 apparmor-next: apparmor: in preparation
for finer networking rules rework match_prot
- SAUCE: apparmor5.0.0 [27/79]: 6.17 apparmor-next: apparmor: add fine grained
af_unix mediation
- SAUCE: apparmor5.0.0 [28/79]: 6.17 apparmor-next: apparmor: gate make fine
grained unix mediation behind v9 abi
- SAUCE: apparmor5.0.0 [29/79]: 6.17 apparmor-next: apparmor: fix dbus
permission queries to v9 ABI
- SAUCE: apparmor5.0.0 [30/79]: 6.17 apparmor-next: apparmor: Fix checking
address of an array in accum_label_info()
- SAUCE: apparmor5.0.0 [31/79]: 6.17 apparmor-next: apparmor: Modify
mismatched function name
- SAUCE: apparmor5.0.0 [32/79]: 6.17 apparmor-next: apparmor: Modify
mismatched function name
- SAUCE: apparmor5.0.0 [33/79]: 6.17 apparmor-next: apparmor: fix typos and
spelling errors
- SAUCE: apparmor5.0.0 [34/79]: 6.17 apparmor-next: apparmor: use the
condition in AA_BUG_FMT even with debug disabled
- SAUCE: apparmor5.0.0 [35/79]: 6.17 apparmor-next: apparmor: Remove unused
variable 'sock' in __file_sock_perm()
- SAUCE: apparmor5.0.0 [58/79]: Revert "6.17 apparmor-next: apparmor: fix dbus
permission queries to v9 ABI"
- SAUCE: apparmor5.0.0 [59/79]: Revert "6.17 apparmor-next: apparmor: gate
make fine grained unix mediation behind v9 abi"
- SAUCE: apparmor5.0.0 [60/79]: patch to provide compatibility with v2.x net
rules
- SAUCE: apparmor5.0.0 [61/79]: apparmor: transition from a list of rules to a
vector of rules
- SAUCE: apparmor5.0.0 [62/79]: setup slab cache for audit data
- SAUCE: apparmor5.0.0 [63/79]: add the ability for profiles to have a
learning cache
- SAUCE: apparmor5.0.0 [64/79]: add unprivileged user ns mediation
- SAUCE: apparmor5.0.0 [65/79]: Add sysctls for additional controls of unpriv
userns restrictions
- SAUCE: apparmor5.0.0 [67/79]: apparmor: open userns related sysctl so lxc
can check if restriction are in place
- SAUCE: apparmor5.0.0 [68/79]: apparmor: allow profile to be transitioned
when a userns is created
- SAUCE: apparmor5.0.0 [69/79]: Add fine grained mediation of posix mqueues
- SAUCE: apparmor5.0.0 [71/79]: apparmor: add fine grained ipv4/ipv6 mediation
- SAUCE: apparmor5.0.0 [72/79]: add io_uring mediation
- SAUCE: apparmor5.0.0 [73/79]: enable userspace upcall for mediation
- [Config] disable CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS
* Disconnected paths for mqueues show a TODO in the kernel logs (LP: #2102237)
- SAUCE: apparmor5.0.0 [78/79]: apparmor: add mediation of disconnected paths
in mqueues
* Installation of AppArmor on a 6.14 kernel produces error message "Illegal
number: yes" (LP: #2102680)
- SAUCE: apparmor5.0.0 [76/79]: apparmor: create an
AA_SFS_TYPE_BOOLEAN_INTPRINT sysctl variant
- SAUCE: apparmor5.0.0 [77/79]: apparmor: Use AA_SFS_FILE_BOOLEAN_INTPRINT for
userns and io_uring sysctls
* QRT AppArmorUnixDomainConnect test failures on Plucky 6.14 kernel
(LP: #2103460)
- SAUCE: apparmor5.0.0 [74/79]: AppArmor: Fix af_unix backwards compat
- SAUCE: apparmor5.0.0 [75/79]: apparmor: Fix inet mediation
* update apparmor and LSM stacking patch set (LP: #2028253) // [FFe]
apparmor-4.0.0-alpha2 for unprivileged user namespace restrictions in mantic
(LP: #2032602)
- SAUCE: apparmor5.0.0 [66/79]: userns - make it so special unconfined
profiles can mediate user namespaces
* Miscellaneous Ubuntu changes
- SAUCE: apparmor5.0.0 [36/79]: 6.17 apparmor-next: security/apparmor: use
kfree_sensitive() in unpack_secmark()
- SAUCE: apparmor5.0.0 [37/79]: 6.17 apparmor-next: apparmor: Fix incorrect
profile->signal range check
- SAUCE: apparmor5.0.0 [38/79]: 6.17 apparmor-next: apparmor: fix some kernel-
doc issues in header files
- SAUCE: apparmor5.0.0 [39/79]: 6.17 apparmor-next: apparmor: ensure
WB_HISTORY_SIZE value is a power of 2
- SAUCE: apparmor5.0.0 [40/79]: 6.17 apparmor-next: apparmor: fix loop
detection used in conflicting attachment resolution
- SAUCE: apparmor5.0.0 [41/79]: 6.17 apparmor-next: apparmor: make all
generated string array headers const char *const
- SAUCE: apparmor5.0.0 [42/79]: 6.17 apparmor-next: apparmor: force audit on
unconfined exec if info is set by find_attach
- SAUCE: apparmor5.0.0 [43/79]: 6.17 apparmor-next: apparmor: move the
"conflicting profile attachments" infostr to a const declaration
- SAUCE: apparmor5.0.0 [44/79]: 6.17 apparmor-next: apparmor: include
conflicting attachment info for confined ix/ux fallback
- SAUCE: apparmor5.0.0 [45/79]: 6.17 apparmor-next: apparmor: force auditing
of conflicting attachment execs from confined
- SAUCE: apparmor5.0.0 [46/79]: 6.17 apparmor-next: apparmor: make
debug_values_table static
- SAUCE: apparmor5.0.0 [47/79]: 6.17 apparmor-next: apparmor: Document that
label must be last member in struct aa_profile
- SAUCE: apparmor5.0.0 [48/79]: 6.17 apparmor-next: apparmor: mitigate parser
generating large xtables
- SAUCE: apparmor5.0.0 [49/79]: 6.17 apparmor-next: apparmor: Remove use of
the double lock
- SAUCE: apparmor5.0.0 [50/79]: 6.17 apparmor-next: apparmor: fix af_unix
auditing to include all address information
- SAUCE: apparmor5.0.0 [51/79]: 6.17 apparmor-next: apparmor: fix
AA_DEBUG_LABEL()
- SAUCE: apparmor5.0.0 [52/79]: 6.17 apparmor-next: apparmor: fix regression
in fs based unix sockets when using old abi
- SAUCE: apparmor5.0.0 [53/79]: 6.17 apparmor-next: apparmor: shift ouid when
mediating hard links in userns
- SAUCE: apparmor5.0.0 [54/79]: 6.17 apparmor-next: apparmor: shift uid when
mediating af_unix in userns
- SAUCE: apparmor5.0.0 [55/79]: 6.17 apparmor-next: apparmor: Fix 8-byte
alignment for initial dfa blob streams
- SAUCE: apparmor5.0.0 [56/79]: 6.17 apparmor-next: apparmor: Fix unaligned
memory accesses in KUnit test
- SAUCE: apparmor5.0.0 [57/79]: 6.17 apparmor-next: apparmor: fix kernel doc
warnings for kernel test robot
- SAUCE: apparmor5.0.0 [70/79]: apparmor: audit mqueue-via-path access as
getattr instead of unlink
Date: 2025-07-04 13:06:13.203172+00:00
Changed-By: Timo Aaltonen <tjaalton at ubuntu.com>
Signed-By: Andy Whitcroft <apw at canonical.com>
https://launchpad.net/ubuntu/+source/linux/6.15.0-4.4
-------------- next part --------------
Sorry, changesfile not available.