Verification passed for mantic-linux-laptop. I ran the AppArmor QA Regression Tests [1] and checked the file permissions for /proc/sys/kernel/*unprivileged*. The QA Regression Tests that failed did so because of a timeout, since I'm emulating on my machine; they pass when the timeout is increased.
georgia@sec-mantic-arm64:~$ uname -a
Linux sec-mantic-arm64 6.5.0-1007-laptop #10-Ubuntu SMP PREEMPT_DYNAMIC Wed Nov 22 20:27:28 UTC 2023 aarch64 aarch64 aarch64 GNU/Linux

georgia@sec-mantic-arm64:~$ ll /proc/sys/kernel/*unprivileged*
-rw------- 1 root root 0 Jan 12 18:38 /proc/sys/kernel/apparmor_restrict_unprivileged_io_uring
-rw-r--r-- 1 root root 0 Jan 12 18:38 /proc/sys/kernel/apparmor_restrict_unprivileged_unconfined
-rw-r--r-- 1 root root 0 Jan 12 18:36 /proc/sys/kernel/apparmor_restrict_unprivileged_userns
-rw------- 1 root root 0 Jan 12 18:38 /proc/sys/kernel/apparmor_restrict_unprivileged_userns_complain
-rw------- 1 root root 0 Jan 12 18:38 /proc/sys/kernel/apparmor_restrict_unprivileged_userns_force
-rw-r--r-- 1 root root 0 Jan 12 18:38 /proc/sys/kernel/unprivileged_bpf_disabled
-rw------- 1 root root 0 Jan 12 18:38 /proc/sys/kernel/unprivileged_userns_apparmor_policy
-rw-r--r-- 1 root root 0 Jan 12 18:38 /proc/sys/kernel/unprivileged_userns_clone

georgia@sec-mantic-arm64:~/qrt-test-apparmor$ sudo ./test-apparmor.py
ERROR: test_dbus (__main__.ApparmorTest.test_dbus)
Test dbus apparmor activation from dbus-tests
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/georgia/qrt-test-apparmor/./test-apparmor.py", line 719, in test_dbus
    rc, report = testlib.cmd(['/usr/lib/dbus-1.0/installed-tests/dbus/test-apparmor-activation.sh'],
  File "/home/georgia/qrt-test-apparmor/testlib.py", line 471, in cmd
    out, outerr = sp.communicate(input, timeout=timeout)
  File "/usr/lib/python3.11/subprocess.py", line 1209, in communicate
    stdout, stderr = self._communicate(input, endtime, timeout)
  File "/usr/lib/python3.11/subprocess.py", line 2109, in _communicate
    self._check_timeout(endtime, orig_timeout, stdout, stderr)
  File "/usr/lib/python3.11/subprocess.py", line 1253, in _check_timeout
    raise TimeoutExpired(
subprocess.TimeoutExpired: Command '['/usr/lib/dbus-1.0/installed-tests/dbus/test-apparmor-activation.sh']' timed out after 5 seconds
---------------------------------------------------------------------
running attach_disconnected
Fatal Error (unix_fd_server): Unable to run test sub-executable
PASSED: aa_exec access at_secure introspect capabilities changeprofile onexec changehat changehat_fork changehat_misc chdir clone coredump deleted e2e environ exec exec_qual fchdir fd_inheritance fork i18n link link_subset mkdir mmap mount mult_mount named_pipe namespaces net_raw open openat pipe pivot_root posix_ipc ptrace pwrite query_label regex rename readdir rw socketpair swap sd_flags setattr symlink syscall sysv_ipc tcp unix_fd_server unix_socket_pathname unix_socket_abstract unix_socket_unnamed unix_socket_autobind unlink userns xattrs xattrs_profile longpath nfs dbus_eavesdrop dbus_message dbus_service dbus_unrequested_reply io_uring aa_policy_cache exec_stack nnp stackonexec stackprofile
FAILED: attach_disconnected
make: *** [Makefile:402: alltests] Error 1
---------------------------------------------------------------------
ERROR: test_0 (__main__.TestLogprof.test_0)
test 'ping'
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/tmp/testlib2jc8hiih/source/mantic/apparmor-4.0.0~alpha2/utils/test/common_test.py", line 90, in stub_test
    self._run_test(test_data, expected)
  File "/tmp/testlib2jc8hiih/source/mantic/apparmor-4.0.0~alpha2/utils/test/test-logprof.py", line 99, in _run_test
    self.process.wait(timeout=0.2)
  File "/usr/lib/python3.11/subprocess.py", line 1264, in wait
    return self._wait(timeout=timeout)
  File "/usr/lib/python3.11/subprocess.py", line 2038, in _wait
    raise TimeoutExpired(self.args, timeout)
subprocess.TimeoutExpired: Command '['/usr/bin/python3', '../aa-logprof', '--json', '--configdir', './', '-f', './logprof/ping.auditlog', '-d', '/tmp/aa-test-tkkg1ex3/profiles', '--no-check-mountpoint']' timed out after 0.2 seconds
----------------------------------------------------------------------
Ran 62 tests in 43542.817s

FAILED (failures=3, errors=1, skipped=3)

Rerunning the failing tests with an increased timeout:

georgia@sec-mantic-arm64:~/qrt-test-apparmor$ sudo ./test-apparmor.py ApparmorTest.test_dbus
Skipping private tests
.
----------------------------------------------------------------------
Ran 1 test in 19.786s

OK

georgia@sec-mantic-arm64:~/apparmor-4.0.0~alpha2/tests/regression/apparmor$ sudo bash ./attach_disconnected.sh
georgia@sec-mantic-arm64:~/apparmor-4.0.0~alpha2/tests/regression/apparmor$ echo $?
0

georgia@sec-mantic-arm64:~/apparmor-4.0.0~alpha2/utils/test$ python3 test-logprof.py TestLogprof.test_0
.
----------------------------------------------------------------------
Ran 1 test in 12.463s

OK

[1] https://launchpad.net/qa-regression-testing

** Tags removed: verification-needed-mantic-linux-laptop
** Tags added: verification-done-mantic-linux-laptop

-- 
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2040194

Title:
  apparmor restricts read access of user namespace mediation sysctls to root

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Mantic:
  Fix Committed

Bug description:
  lxc and lxd currently need to determine if the apparmor restrictions on unprivileged user namespaces are being enforced, so that apparmor restrictions won't break lxc/d, and they won't clutter the logs by doing something like unshare true to test if the restrictions are being enforced.
  Ideally access to this information would be restricted so that any unknown access would be logged, but lxc/d currently aren't ready for this, so in order to _not_ force lxc/d to probe whether enforcement is enabled, open up read access to the sysctls for unprivileged user namespace mediation.

  https://github.com/canonical/lxd/issues/11920#issuecomment-1756110109
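As an added example (not part of the bug report, the verification above, or lxc/lxd's own code), a POSIX shell function that does what the fix enables: it reads the now world-readable apparmor_restrict_unprivileged_userns sysctl to learn whether the restriction is enforced, instead of probing with "unshare true" and leaving denials in the audit log, and it distinguishes the pre-fix case where the read fails because the file is 0600. The sysctl directory is a parameter so the logic can be exercised against a constructed fake directory; the status labels are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or from lxc/lxd): report the state of
# AppArmor's unprivileged user-namespace restriction by reading the sysctls the
# fix made world-readable, rather than probing with "unshare true".
#
# $1: directory holding the sysctl files (defaults to /proc/sys/kernel; a
#     constructed fake directory can be passed for testing).
# Prints one of: missing, unreadable, disabled, complain, enforced, unknown.
aa_userns_status() {
    dir=${1:-/proc/sys/kernel}
    f="$dir/apparmor_restrict_unprivileged_userns"

    # No such sysctl: this kernel has no AppArmor userns mediation.
    if [ ! -e "$f" ]; then
        echo missing
        return 0
    fi

    # Pre-fix kernels ship this file 0600, so an unprivileged reader gets
    # EACCES here and would have to fall back to probing.
    if ! val=$(cat "$f" 2>/dev/null); then
        echo unreadable
        return 0
    fi

    case "$val" in
        0) echo disabled ;;
        1)
            # The *_complain sysctl is still root-only (0600 in the listing
            # above); if it is readable and set, violations are only logged.
            c=$(cat "$dir/apparmor_restrict_unprivileged_userns_complain" 2>/dev/null || echo 0)
            if [ "$c" = 1 ]; then echo complain; else echo enforced; fi
            ;;
        *) echo unknown ;;
    esac
}

# Usage: sh aa-userns-status.sh [sysctl-dir]
aa_userns_status "$@"
```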