[Bug 1895967] Re: Apparmor 3.0.0 does not load profiles in containers anymore
This bug was fixed in the package apparmor - 3.0.0~beta1-0ubuntu6

---
apparmor (3.0.0~beta1-0ubuntu6) groovy; urgency=medium

  * Drop d/p/lp1824812.patch: this patch was only needed with 2.13 and not
    3.0. With AppArmor 3, the patch ends up setting SFS_MOUNTPOINT to the
    wrong directory in is_container_with_internal_policy(), which causes
    policy to always fail to load in containers. Thanks to Christian
    Ehrhardt for the analysis. (LP: #1895967)

apparmor (3.0.0~beta1-0ubuntu5) groovy; urgency=medium

  [ John Johansen ]
  * d/p/fix-parser-to-emit-proc-attr-access-for-all-situations.patch:
    fix-automatic-adding-of-rule-for-change-hat-iface.patch fixed the parser
    to emit rules needed for change_hat in the hat profiles but broke the
    rule being emitted for the parent profile, this fixes it for both so
    that it is emitted for any profile that is a hat or that contains a hat.
  * d/p/fix-change-profile-stack-abstraction.patch: fix the change_profile
    abstraction so that it allows access to the apparmor attribute paths
    under LSM stacking.

apparmor (3.0.0~beta1-0ubuntu2) groovy; urgency=medium

  [ John Johansen ]
  * d/p/fix-automatic-adding-of-rule-for-change-hat-iface.patch: fix parser
    not adding a rule to profiles if they are a hat or contain hats granting
    write access to the kernel interfaces.

apparmor (3.0.0~beta1-0ubuntu1) groovy; urgency=medium

  [ John Johansen ]
  * New upstream release (LP: #1895060, LP: #1887577, LP: #1880841)
  * Drop all patches backported from upstream: applied in 3.0
  * d/p/policy-provide-example-and-base-abi-to-pin-pre-3.0-p.patch: provide
    example and base abi to pin pre 3.0 policy
  * d/p/ubuntu/enable-pinning-of-pre-AppArmor-3.x-poli.patch: enable pinning
    of pre AppArmor 3.x policy
  * drop d/p/debian/dont-include-site-local-with-dovecot.patch: no longer
    needed with upstream 'include if exists'

  [ Steve Beattie ]
  * d/p/parser-fix_cap_match.patch: fix cap match to work correctly,
    important now that groovy has a 5.8 kernel.
  * d/apparmor-profiles.install:
    + adjust for renamed postfix profiles
    + add usr.bin.dumpcap and usr.bin.mlmmj-receive to extra-profiles
    + remove usr.sbin.nmbd and usr.sbin.smbd from extra-profiles (already in
      apparmor-profiles)
  * d/apparmor.install: include abi/ directory and tunables/etc.
  * d/apparmor.manpages: add apparmor_xattrs.7 manpage
  * d/control:
    + apparmor-utils: no more shipped perl tools, drop perl dependency
    + apparmor-notify: aa-notify was converted to python3 from perl; adjust
      -notify dependencies to compensate
  * d/p/fix-tests-regression-apparmor-prologue-inc-settest.patch: fix sed
    expression in settest()

  [ Emilia Torino ]
  * Removing Ubuntu specific chromium-browser profile. This is safe to do
    since groovy's chromium-browser deb installs the snap. If apparmor3 is
    backported to 18.04 or earlier, the profile will need to be taken into
    consideration
    - d/profiles/chromium-browser: remove chromium-browser profile
    - d/apparmor-profiles.postinst: remove postinst script as it only
      contains chromium-browser related functionality.
    - d/apparmor-profiles.postrm: remove postrm script as it only contains
      chromium-browser related functionality.
    - d/apparmor-profiles.install: remove ubuntu-specific chromium-browser
      abstraction and profile
    - d/apparmor-profiles.lintian-overrides: remove chromium-browser profile
      lintian overrides
    - d/p/ubuntu/add-chromium-browser.patch: remove patch which added
      chrome-browser

  [ Alex Murray ]
  * d/p/policy-provide-example-and-base-abi-to-pin-pre-3.0-p.patch: refresh
    this patch with the official upstream version
  * d/p/ubuntu/enable-pinning-of-pre-AppArmor-3.x-poli.patch: refresh this
    patch to match the above
  * d/p/parser-add-abi-warning-flags.patch: enable parser warnings to be
    silenced or to be treated as errors

  [ Jamie Strandboge ]
  * d/p/adjust-for-ibus-1.5.22.patch: update ibus abstract path for ibus
    1.5.22. This can be dropped with AppArmor 3.0 final.
  * d/p/parser-add-abi-warning-flags.patch: refresh to avoid lintian warnings
  * d/p/ubuntu/lp1891338.patch: adjust ubuntu-integration to use
    abstractions/exo-open (LP: #1891338)
  * d/p/ubuntu/lp1889699.patch: adjust to support brave in ubuntu
    abstractions. Patch thanks to François Marier (LP: #1889699)
  * d/p/ubuntu/lp1881357.patch: adjust for new ICEauthority path in /run
    (LP: #1881357)

 -- Jamie Strandboge  Tue, 22 Sep 2020 15:10:33 +

** Changed in: apparmor (Ubuntu)
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1895967

Title:
  Apparmor 3.0.0 does not load profiles in containers anymore

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1
[Bug 1895967] Re: Apparmor 3.0.0 does not load profiles in containers anymore
FYI, I removed the block-proposed tag since ubuntu6 fixes this bug.

** Tags removed: block-proposed
[Bug 1895967] Re: Apparmor 3.0.0 does not load profiles in containers anymore
Christian - thanks for your work on debugging this - can you please remove the block-proposed tag if you are happy that 3.0.0~beta1-0ubuntu6 resolves this issue?
[Bug 1895967] Re: Apparmor 3.0.0 does not load profiles in containers anymore
I uploaded 3.0.0~beta1-0ubuntu6 just now that should address this issue. Thanks Christian for your debugging!

** Changed in: apparmor (Ubuntu)
       Status: In Progress => Fix Committed
[Bug 1895967] Re: Apparmor 3.0.0 does not load profiles in containers anymore
** Changed in: apparmor (Ubuntu)
       Status: Confirmed => In Progress

** Changed in: apparmor (Ubuntu)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)
[Bug 1895967] Re: Apparmor 3.0.0 does not load profiles in containers anymore
** Merge proposal linked:
   https://code.launchpad.net/~paelzer/ubuntu/+source/apparmor/+git/apparmor/+merge/391134
[Bug 1895967] Re: Apparmor 3.0.0 does not load profiles in containers anymore
That patch by Christian Bolz is already applied (which seems reasonable after that much time), but when merging 3.0 the old patch for bug 1824812 should have been dropped.
[Bug 1895967] Re: Apparmor 3.0.0 does not load profiles in containers anymore
Tested the change - works as expected, prepping an MP
[Bug 1895967] Re: Apparmor 3.0.0 does not load profiles in containers anymore
As reference, it is a re-occurrence of https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1824812 , look who filed that bug :-)
[Bug 1895967] Re: Apparmor 3.0.0 does not load profiles in containers anymore
Isn't that "Not starting AppArmor in container" message just in:
  /lib/apparmor/apparmor.systemd -> /lib/apparmor/rc.apparmor.functions -> function is_container_with_internal_policy()

That looks unchanged (except a comment) but it behaves differently:

  root@testguest-apparmor-good:~# . /usr/lib/apparmor/rc.apparmor.functions
  root@testguest-apparmor-good:~# is_container_with_internal_policy
  root@testguest-apparmor-good:~# echo $?
  0

  root@testguest-apparmor-bad:~# . /usr/lib/apparmor/rc.apparmor.functions
  root@testguest-apparmor-bad:~# is_container_with_internal_policy
  root@testguest-apparmor-bad:~# echo $?
  1

Looking into what happens in detail ...

good:
  + SFS_MOUNTPOINT=/sys/kernel/security/apparmor
  + local ns_stacked_path=/sys/kernel/security/apparmor/.ns_stacked

bad:
  + SFS_MOUNTPOINT=/sys/kernel/security/
  + local ns_stacked_path=/sys/kernel/security//.ns_stacked

Once we know that we can see that it is missing in the bad case

good:
  root@testguest-apparmor-good:~# grep MODULE /usr/lib/apparmor/rc.apparmor.functions
  MODULE=apparmor
  SFS_MOUNTPOINT="${SECURITYFS}/${MODULE}"
  if [ -f "${SECURITYFS}/${MODULE}/profiles" ]; then
  SFS_MOUNTPOINT="${SECURITYFS}/${MODULE}"
  MODULE=apparmor
  /sbin/modprobe -qr $MODULE

bad:
  root@testguest-apparmor-bad:~# grep MODULE /usr/lib/apparmor/rc.apparmor.functions
  SFS_MOUNTPOINT="${SECURITYFS}/${MODULE}"

So whatever took away the modprobe from /usr/lib/apparmor/rc.apparmor.functions also removed the variable, but that has broken function is_container_with_internal_policy
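The failure mode traced in the message above, reproduced as an added shell example (not code from the apparmor package or from the post): a simplified stand-in for is_container_with_internal_policy() that assembles SFS_MOUNTPOINT from SECURITYFS and MODULE the way the grep output shows, run against a constructed fake securityfs tree so it needs neither root nor a container. The strict variant that refuses an empty MODULE is an assumed hardening, not something the package does.

```shell
#!/bin/sh
# Added example (not the apparmor package's own code): model the
# SFS_MOUNTPOINT construction from rc.apparmor.functions and show how an
# unset MODULE turns the check into a silent "not in container" answer.

# Constructed fake securityfs tree so the demo runs offline, without root:
# <root>/apparmor/.ns_stacked holds "yes", mirroring a stacked-LSM container.
make_fake_securityfs() {
    root=$(mktemp -d)
    mkdir -p "$root/apparmor"
    printf 'yes\n' > "$root/apparmor/.ns_stacked"
    printf '%s\n' "$root"
}

# Simplified stand-in for is_container_with_internal_policy(): only the
# SFS_MOUNTPOINT assembly and the .ns_stacked probe from the post are kept.
#   $1 = SECURITYFS, $2 = MODULE (empty in the broken package)
# Returns 0 when the stacked-namespace marker is found, 1 otherwise.
check_container_policy() {
    sfs_mountpoint="$1/$2"                     # becomes "$1/" when MODULE is empty
    ns_stacked_path="${sfs_mountpoint}/.ns_stacked"   # "$1//.ns_stacked" in the bad case
    [ -f "$ns_stacked_path" ] || return 1
    [ "$(cat "$ns_stacked_path")" = "yes" ]
}

# Assumed hardening (not in the package): fail loudly instead of probing a
# path that can never exist, so a packaging regression is visible at once.
check_container_policy_strict() {
    if [ -z "$2" ]; then
        echo "MODULE is unset; refusing to guess SFS_MOUNTPOINT" >&2
        return 2
    fi
    check_container_policy "$1" "$2"
}

# Run one variant and print its exit status so the cases can be compared.
#   $1 = SECURITYFS root, $2 = MODULE, $3 = function name of the variant
policy_status() {
    "$3" "$1" "$2" 2>/dev/null && rc=0 || rc=$?
    echo "$rc"
}
```

Running policy_status with MODULE set to apparmor prints 0 and with MODULE empty prints 1, exactly the good/bad pair seen in the two test guests; the strict variant turns the empty case into a visible error (2) instead.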
[Bug 1895967] Re: Apparmor 3.0.0 does not load profiles in containers anymore
https://gitlab.com/apparmor/apparmor/-/commit/61c27d8808f0589beb6a319cc04073e8bb32d860
[Bug 1895967] Re: Apparmor 3.0.0 does not load profiles in containers anymore
And we are back with Christian Bolz :-)

  commit 61c27d8808f0589beb6a319cc04073e8bb32d860
  Author: Christian Boltz
  Date:   Fri Jun 21 19:22:15 2019 +0200

      Fix and simplify setting SFS_MOUNTPOINT

The question is why isn't this in the apparmor 3.0 package in groovy-proposed?
[Bug 1895967] Re: Apparmor 3.0.0 does not load profiles in containers anymore
Still chasing this down.

The apparmor.systemd file is unchanged from focal. The change is in rc.apparmor.functions which is a dependency of apparmor.systemd.