Your message dated Wed, 29 May 2024 09:04:58 +0000
with message-id <[email protected]>
and subject line Bug#1071234: fixed in sbuild 0.85.9
has caused the Debian Bug report #1071234,
regarding sbuild --chroot-mode=unshare: exposes /sys/kernel; breaks apparmor detection; ftbfs lomiri-thumbnailer and mediascanner2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1071234: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071234
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libsbuild-perl
Version: 0.85.8
Tags: ftbfs patch
Control: affects -1 + src:mediascanner2 src:lomiri-thumbnailer

Hi Johannes and Jochen,

Jochen asked me to look into why the affected packages FTBFS when using
unshare chroot-mode. I managed to reproduce the failure, run the failing
test in isolation, capture an strace, stare at the strace output,
codesearch for random strings such as
"com.canonical.MediaScanner2.Error.Unauthorized" and following it down
to "check_access", "does_client_have_access",
"get_client_apparmor_context" and finally "aa_is_enabled". That was a
clue to look into AppArmor, so I ran "aa-enabled" on various
configurations:
 * bookworm without apparmor -> Yes
 * Something with apparmor -> Yes
 * sbuild --chroot-mode=unshare -> Yes
 * sbuild --chroot-mode=schroot -> Maybe

I think you spot the difference. The tests believe that AppArmor is
working when it really is not and thus fail as the AppArmor context does
not come back in the expected way. That leaves the question of why
AppArmor looks like it was working. It's because
/sys/kernel/security/apparmor exists. The
https://systemd.io/CONTAINER_INTERFACE/ page documents /sys/kernel to be
inaccessible. Once you do that (and sbuild makes it really hard to do
that), both packages can be built. I'm attaching a patch for your
convenience.

Helmut
diff -Nru sbuild-0.85.8/debian/changelog sbuild-0.85.8+nmu1/debian/changelog
--- sbuild-0.85.8/debian/changelog      2024-04-25 14:49:56.000000000 +0200
+++ sbuild-0.85.8+nmu1/debian/changelog 2024-05-16 23:02:54.000000000 +0200
@@ -1,3 +1,10 @@
+sbuild (0.85.8+nmu1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Do not expose /sys/kernel in the unshare backend. (Closes: #-1)
+
+ -- Helmut Grohne <[email protected]>  Thu, 16 May 2024 23:02:54 +0200
+
 sbuild (0.85.8) unstable; urgency=medium
 
   [ Aurelien Jarno ]
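Review bot: `(Closes: #-1)` in the new changelog stanza will not close anything; `-1` is the bug-tracker placeholder for a report that has not been assigned a number yet (the same placeholder the `Control: affects -1` pseudo-header uses), so before this entry is uploaded it needs the real bug number, and `UNRELEASED` needs to become the target distribution, as the maintainer's 0.85.9 entry does with `(Closes: #1071234)`.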
diff -Nru sbuild-0.85.8/lib/Sbuild/ChrootUnshare.pm sbuild-0.85.8+nmu1/lib/Sbuild/ChrootUnshare.pm
--- sbuild-0.85.8/lib/Sbuild/ChrootUnshare.pm   2024-04-25 14:49:56.000000000 +0200
+++ sbuild-0.85.8+nmu1/lib/Sbuild/ChrootUnshare.pm      2024-05-16 22:55:25.000000000 +0200
@@ -337,6 +337,7 @@
        mount -t tmpfs tmpfs \"\$rootdir/dev/shm\";
        mkdir -p \"\$rootdir/sys\";
        mount -o rbind /sys \"\$rootdir/sys\";
+       mount -t tmpfs tmpfs \"\$rootdir/sys/kernel\" -o mode=0000,size=4k,ro
        mkdir -p \"\$rootdir/proc\";
        mount -t proc proc \"\$rootdir/proc\";
        exec /usr/sbin/chroot \"\$rootdir\" $init /sbin/runuser -u \"\$user\" 
-- sh -c \"cd \\\"\\\$1\\\" && shift && \\\"\\\$@\\\"\" -- \"\$dir\" \"\$@\";
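Review bot: the added `mount -t tmpfs tmpfs \"\$rootdir/sys/kernel\" -o mode=0000,size=4k,ro` line is the only command in this block without a trailing `;`; every neighbouring `mount`/`mkdir` line ends in one, so append it so the line is assembled the same way as the rest of the script. On the substance: because `/sys` is rbind-mounted one line above, the securityfs instance at `/sys/kernel/security` (and anything else under `/sys/kernel`, such as debugfs) is still mounted but becomes unreachable beneath the empty, read-only, `mode=0000` tmpfs, which is what stops `aa_is_enabled` from finding `/sys/kernel/security/apparmor`. The overmount therefore hides the whole `/sys/kernel` subtree rather than only the AppArmor directory, which matches the systemd container interface document the report cites.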

--- End Message ---
--- Begin Message ---
Source: sbuild
Source-Version: 0.85.9
Done: Jochen Sprickerhof <[email protected]>

We believe that the bug you reported is fixed in the latest version of
sbuild, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jochen Sprickerhof <[email protected]> (supplier of updated sbuild package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 29 May 2024 10:46:22 +0200
Source: sbuild
Architecture: source
Version: 0.85.9
Distribution: unstable
Urgency: medium
Maintainer: sbuild maintainers <[email protected]>
Changed-By: Jochen Sprickerhof <[email protected]>
Closes: 1070007 1071000 1071234
Changes:
 sbuild (0.85.9) unstable; urgency=medium
 .
   [ Aurelien Jarno ]
   * Unshare: add IPv6 loopback address to /etc/hosts
   * Unshare: preserve HOME environment variable
   * Unshare: define the LOGNAME environment variable
 .
   [ Christian Kastner ]
   * sbuild-qemu: Fix typo breaking one guess for image path
   * sbuild-qemu: Don't add --dist (Closes: #1071000)
 .
   [ Helmut Grohne ]
   * lib/Sbuild/ChrootUnshare.pm: Do not expose /sys/kernel in the unshare backend.
     (Closes: #1071234)
 .
   [ Timo Röhling ]
   * Relax permissions on pipes connected to STDOUT (Closes: #1070007)
 .
   [ Johannes Schauer Marin Rodrigues ]
   * lib/Sbuild/Conf.pm: make the schroot binary configurable via ~/.sbuildrc
   * bin/sbuild: only check group membership if 'schroot' is configured as the schroot binary
Checksums-Sha1:
 f1d84f487a5a94835cd2458b3f8d3d2013bb11df 2555 sbuild_0.85.9.dsc
 6b5f0ec455a045f3ff8ea1c883fb25ce905a9526 259364 sbuild_0.85.9.tar.xz
Checksums-Sha256:
 c2943c5591ebac127c688aab1108534dae00b294332b4ec3f3a0a4f6591009e0 2555 sbuild_0.85.9.dsc
 c42b43d36d3e822c455f9c8a97e4055193b425ec89a89463c6517c4bb50c600d 259364 sbuild_0.85.9.tar.xz
Files:
 2cb0a410215d8da2fc4bfbc9cf654d12 2555 devel optional sbuild_0.85.9.dsc
 405dae402217499c1b35a44a0570ac9a 259364 devel optional sbuild_0.85.9.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEc7KZy9TurdzAF+h6W//cwljmlDMFAmZW7koACgkQW//cwljm
lDNLBRAAg4Xzm47bmFeyIWcA6X2EmuucPp3H4HtrCGlg/1cptczC+A+k/+9i5Rs+
yAuuEFQn0AVIKsu9e6NCOd5KJ97lDmHQGNSZaL/L+6PZSbeYkdgCcTjzgoy7XdRW
k0M8r3DOW/wjtyM0QvA3Huh28fRJgEkRspC3Qk9AOIFK+KJkWOceJ1faKN8QWLo6
lg1j17zuca2qZj9K5ZqQDC+HyosnIi3FzUoHgoRADCdnhJIbZYpcEghy/pKmJ+0+
+cat8MYc8i19siKzkHCuo6suoW3kmoqnMB+7MqNqaXRAhSVSkVSOjxji91jWwZbI
JyUvZMzUeLtmolquISy8k/y+0oEl1MhIAKsCm3KMXQ+zdIsj0U/7i2RtPNZMzMcc
8LCDoiXsS5cbib+iSWJ5yFj9+fOLCHBecTLmZHKMEsgmc4XFq0ukDAtoKGZKTxx6
ARIzu7lZBlijK2NDpylgugcGHSUm8Ng+DcInASZ7jQ1uhtQRENtr+VqQkOohI3qa
2CWWMEO+y2U3n0MVpbs0Q9bUt0ZF0cgbkO0+NwM3FVlYwQOE3W1ZO/yJNTqSi+yU
W9OBohn6QV8baq8bk+LR0ByOqex+mfecMGqdLsitWlDS3lxA7ovjsLvCGodf85tR
iqo75ZoM6ojo4mZNgwgVm0ou88qTIQUe+jOEQau/NyVyD072UjA=
=5/J0
-----END PGP SIGNATURE-----



--- End Message ---