Public bug reported:
apparmor is not loading for Ubuntu containers under incus. This is due
to `/lib/apparmor/rc.apparmor.functions` (18.04 uses
`/lib/apparmor/functions`):

    is_container_with_internal_policy() {
        # this function is sometimes called independently of
        # is_apparmor_loaded(), so also define this here.
        local ns_stacked_path="${SFS_MOUNTPOINT}/.ns_stacked"
        local ns_name_path="${SFS_MOUNTPOINT}/.ns_name"
        local ns_stacked
        local ns_name

        if ! [ -f "$ns_stacked_path" ] || ! [ -f "$ns_name_path" ]; then
            return 1
        fi

        read -r ns_stacked < "$ns_stacked_path"
        if [ "$ns_stacked" != "yes" ]; then
            return 1
        fi

        # LXD and LXC set up AppArmor namespaces starting with "lxd-" and
        # "lxc-", respectively. Return non-zero for all other namespace
        # identifiers.
        read -r ns_name < "$ns_name_path"
        if [ "${ns_name#lxd-*}" = "$ns_name" ] && \
           [ "${ns_name#lxc-*}" = "$ns_name" ]; then
            return 1
        fi

        return 0
    }

This can be fixed by adjusting it to have:

        # LXD, LXC and incus set up AppArmor namespaces starting with "lxd-",
        # "lxc-", and "incus-" respectively. Return non-zero for all other namespace
        # identifiers.
        read -r ns_name < "$ns_name_path"
        if [ "${ns_name#lxd-*}" = "$ns_name" ] && \
           [ "${ns_name#lxc-*}" = "$ns_name" ] && \
           [ "${ns_name#incus-*}" = "$ns_name" ] ; then
            return 1
        fi

References:
* https://github.com/lxc/incus/issues/740
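
The prefix check described above, as an added example that is not code from the apparmor package or from the bug report: it generalizes the check to take the allowed prefixes as arguments so the original and amended lists can be compared. `ns_allowed`, `make_ns` and `verdict` are hypothetical helpers, the directory argument stands in for `${SFS_MOUNTPOINT}`, and the namespace names are constructed samples.

```sh
#!/bin/sh
# Added example, not the apparmor package's code.
# ns_allowed DIR PREFIX...: DIR stands in for ${SFS_MOUNTPOINT}. Returns 0 only
# when the policy namespace is stacked and its name starts with a listed prefix.
ns_allowed() {
    local dir="$1" stacked name prefix
    shift
    [ -f "$dir/.ns_stacked" ] && [ -f "$dir/.ns_name" ] || return 1
    read -r stacked < "$dir/.ns_stacked" || return 1
    [ "$stacked" = "yes" ] || return 1
    read -r name < "$dir/.ns_name" || return 1
    for prefix in "$@"; do
        case "$name" in
            "$prefix"*) return 0 ;;   # quoted prefix is literal, * matches the rest
        esac
    done
    return 1
}

# make_ns DIR STACKED NAME: write constructed stand-ins for the securityfs files.
make_ns() {
    mkdir -p "$1" || return 1
    printf '%s\n' "$2" > "$1/.ns_stacked"
    printf '%s\n' "$3" > "$1/.ns_name"
}

# verdict DIR PREFIX...: "load" if the check passes, "skip" otherwise.
verdict() {
    if ns_allowed "$@"; then echo load; else echo skip; fi
}

# Constructed sample namespaces (names are illustrative, not captured output).
tmp=$(mktemp -d)
make_ns "$tmp/lxd"   yes 'lxd-c1_<var-snap-lxd-common-lxd>'
make_ns "$tmp/incus" yes 'incus-c1_<var-lib-incus>'
make_ns "$tmp/flat"  no  'incus-c1_<var-lib-incus>'
make_ns "$tmp/other" yes 'example-ns'
for d in lxd incus flat other; do
    printf '%-6s original=%s amended=%s\n' "$d" \
        "$(verdict "$tmp/$d" lxd- lxc-)" \
        "$(verdict "$tmp/$d" lxd- lxc- incus-)"
done
rm -rf "$tmp"
```

Only the `incus` row changes between the two prefix lists; an unstacked namespace or an unlisted prefix is skipped under both.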
** Affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
** Affects: apparmor (Ubuntu Bionic)
Importance: Undecided
Status: New
** Affects: apparmor (Ubuntu Focal)
Importance: Undecided
Status: New
** Affects: apparmor (Ubuntu Jammy)
Importance: Undecided
Status: New
** Affects: apparmor (Ubuntu Noble)
Importance: Undecided
Status: New
** Also affects: apparmor (Ubuntu Bionic)
Importance: Undecided
Status: New
** Also affects: apparmor (Ubuntu Focal)
Importance: Undecided
Status: New
** Also affects: apparmor (Ubuntu Noble)
Importance: Undecided
Status: New
** Also affects: apparmor (Ubuntu Jammy)
Importance: Undecided
Status: New
** Description changed:
apparmor is not loading for Ubuntu containers under incus. This is due
to `/lib/apparmor/rc.apparmor.functions` (18.04 uses
`/lib/apparmor/functions`):
+ is_container_with_internal_policy() {
+ # this function is sometimes called independently of
+ # is_apparmor_loaded(), so also define this here.
+ local ns_stacked_path="${SFS_MOUNTPOINT}/.ns_stacked"
+ local ns_name_path="${SFS_MOUNTPOINT}/.ns_name"
+ local ns_stacked
+ local ns_name
- is_container_with_internal_policy() {
- # this function is sometimes called independently of
- # is_apparmor_loaded(), so also define this here.
- local ns_stacked_path="${SFS_MOUNTPOINT}/.ns_stacked"
- local ns_name_path="${SFS_MOUNTPOINT}/.ns_name"
- local ns_stacked
- local ns_name
+ if ! [ -f "$ns_stacked_path" ] || ! [ -f "$ns_name_path" ]; then
+ return 1
+ fi
- if ! [ -f "$ns_stacked_path" ] || ! [ -f "$ns_name_path" ]; then
- return 1
- fi
+ read -r ns_stacked < "$ns_stacked_path"
+ if [ "$ns_stacked" != "yes" ]; then
+ return 1
+ fi
- read -r ns_stacked < "$ns_stacked_path"
- if [ "$ns_stacked" != "yes" ]; then
- return 1
- fi
+ # LXD and LXC set up AppArmor namespaces starting with "lxd-" and
+ # "lxc-", respectively. Return non-zero for all other namespace
+ # identifiers.
+ read -r ns_name < "$ns_name_path"
+ if [ "${ns_name#lxd-*}" = "$ns_name" ] && \
+ [ "${ns_name#lxc-*}" = "$ns_name" ]; then
+ return 1
+ fi
- # LXD and LXC set up AppArmor namespaces starting with "lxd-" and
- # "lxc-", respectively. Return non-zero for all other namespace
- # identifiers.
- read -r ns_name < "$ns_name_path"
- if [ "${ns_name#lxd-*}" = "$ns_name" ] && \
- [ "${ns_name#lxc-*}" = "$ns_name" ]; then
- return 1
- fi
-
- return 0
+ return 0
}
- ```
This can be fixed by adjusting it to have:
- ```
- # LXD, LXC and incus set up AppArmor namespaces starting with "lxd-",
- # "lxc-", and "incus-" respectively. Return non-zero for all other
namespace
- # identifiers.
- read -r ns_name < "$ns_name_path"
- if [ "${ns_name#lxd-*}" = "$ns_name" ] && \
- [ "${ns_name#lxc-*}" = "$ns_name" ] && \
- [ "${ns_name#incus-*}" = "$ns_name" ] ; then
- return 1
- fi
- return 0
+ # LXD, LXC and incus set up AppArmor namespaces starting with "lxd-",
+ # "lxc-", and "incus-" respectively. Return non-zero for all other
namespace
+ # identifiers.
+ read -r ns_name < "$ns_name_path"
+ if [ "${ns_name#lxd-*}" = "$ns_name" ] && \
+ [ "${ns_name#lxc-*}" = "$ns_name" ] && \
+ [ "${ns_name#incus-*}" = "$ns_name" ] ; then
+ return 1
+ fi
References:
* https://github.com/lxc/incus/issues/740
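Review bot: In the replacement check in the last `+` block, the three chained `[ "${ns_name#PREFIX-*}" = "$ns_name" ]` tests need one more line for every container manager that is added, and the trailing `*` does nothing because `#` strips the shortest matching prefix. A single `case "$ns_name" in lxd-*|lxc-*|incus-*) ;; *) return 1 ;; esac` keeps the allow-list in one place and reads more directly. The replacement fragment also now ends at `fi` where the removed version ended with `return 0`, so the description should say that only the prefix check is replaced and the function's final `return 0` stays.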
--
https://bugs.launchpad.net/bugs/2060535
Title:
apparmor's is_container_with_internal_policy() does not recognize
incus
Status in apparmor package in Ubuntu:
New
Status in apparmor source package in Bionic:
New
Status in apparmor source package in Focal:
New
Status in apparmor source package in Jammy:
New
Status in apparmor source package in Noble:
New