Bug in ensure_not_symlink() from 0003-CVE-2015-1335.patch

Thanks - haven't tested, but it certainly makes sense.

 status: confirmed
 importance: high

Apparently the kernel is now fixed so that we should be able to use the upstream fix. I'm going to try to get that into the trusty package rather than keep tweakng this separate patch.

Yup, switching in the upstream fix works - will upload that in a bit.

No, sadly one testcase - lxc-test-unpriv - still fails:

Oct 28 15:33:49 lxct1 kernel: [ 2659.417204] type=1400 audit(1446046429.177:52): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/bin/lxc-start" name="/home/lxcunpriv/.local/share/lxc/c1/rootfs/dev/console" pid=23805 comm="lxc-start" srcname="/dev/console" flags="rw, bind"

(Note that running unprivileged containers by hand does work)

(invalid would probably be a better status for the development release, but i dont' want to scare the SRU team :)

Uploaded a workaround for this bug. Using the upstream fix sadly is still broken by apparmor+overlayfs bugs.

Hello Steve, or anyone else affected,

Accepted lxc into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/lxc/1.0.7-0ubuntu0.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

I am now running 1.0.7-0ubuntu0.10 and can confirm that it resolves the issue. I can successfully start containers with recursive bind mounts.

Thanks for the fix! Greatly appreciated!

This bug was fixed in the package lxc - 1.0.7-0ubuntu0.10

---------------
lxc (1.0.7-0ubuntu0.10) trusty; urgency=medium

  * Update the /proc/self/mountinfo no-symlink verification to accomodate
    recursive mounts. (LP: #1509752)

 -- Serge Hallyn <email address hidden> Wed, 28 Oct 2015 12:21:38 -0500

The verification of the Stable Release Update for lxc has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.