Thanks for the patch. I have some questions and comments below.

a)
The profile file is /etc/apparmor.d/usr.bin.lxc-copy, which contains:

abi <abi/4.0>,
#include <tunables/global>

/usr/bin/lxc-start flags=(attach_disconnected) {
  #include <abstractions/lxc/start-container>
}


There is an obvious name mismatch, but the thing is, the name of the file 
doesn't matter. An apparmor profile named "/usr/bin/lxc-start" will be created 
by the above profile, and it will attach to the executable /usr/bin/lxc-start, 
not to /usr/bin/lxc-copy.

So in reality, /usr/bin/lxc-copy is NOT confined. Can you please
elaborate on what is breaking for you?

Is it a matter of policy? Because there are many other unconfined
profiles there:

$ grep -E "\(unconfined\)" /etc/apparmor.d/lxc-*
/etc/apparmor.d/lxc-attach:profile lxc-attach /usr/bin/lxc-attach flags=(unconfined) {
/etc/apparmor.d/lxc-create:profile lxc-create /usr/bin/lxc-create flags=(unconfined) {
/etc/apparmor.d/lxc-destroy:profile lxc-destroy /usr/bin/lxc-destroy flags=(unconfined) {
/etc/apparmor.d/lxc-execute:profile lxc-execute /usr/bin/lxc-execute flags=(unconfined) {
/etc/apparmor.d/lxc-stop:profile lxc-stop /usr/bin/lxc-stop flags=(unconfined) {
/etc/apparmor.d/lxc-unshare:profile lxc-unshare /usr/bin/lxc-unshare flags=(unconfined) {
/etc/apparmor.d/lxc-usernsexec:profile lxc-usernsexec /usr/bin/lxc-usernsexec flags=(unconfined) {


b) d/changelog
+lxc (1:5.0.3-2ubuntu8) UNRELEASED; urgency=medium

For the version, please follow the version convention from "Update the
packaging" from https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation.
For this case, the version should be 1:5.0.3-2ubuntu7.1

Please replace "UNRELEASED" with "noble".


+
+  * apparmor: lxc-copy: Replace mistyped filename lxc-start by lxc-copy
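Review bot: the entry describes the change as a typo fix but does not record its effect on confinement, which is the point raised in (a) above: once the header reads /usr/bin/lxc-copy, this file no longer provides a profile for /usr/bin/lxc-start, and lxc-copy, currently unconfined, starts running under the rules of abstractions/lxc/start-container. Suggest saying so in the changelog entry and carrying it into the "impact" and regression-potential sections of the SRU description, since a newly confined lxc-copy could be denied operations the start-container abstraction does not cover.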

It's customary to list the files you are changing. In this case, you are
changing a patch file, so I would expect the changelog above to say
something like:

  * d/p/0014-cherry-pick-lxc-copy-apparmor.patch: replace mistyped
filename lxc-start by lxc-copy

(with appropriate word wrapping as needed)

+
+ -- Nicolas Schier <[email protected]>  Thu, 05 Sep 2024 10:14:51 +0200


c) Bug description
Since this is targeting a stable release of ubuntu (noble), the bug description 
needs to be in the SRU format: 
https://canonical-sru-docs.readthedocs-hosted.com/en/latest/reference/bug-template/

The general steps to follow are outlined in
https://canonical-sru-docs.readthedocs-hosted.com/en/latest/howto/standard/

I can help and guide you through these. I would suggest starting with
the template, and we can go from there. That is, if you still want to
proceed with this bug fix, depending on the answer to (a) above (which
translates to the "impact" section of the SRU template, and helps us
gauge if this bug is worth fixing or not).

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2080358

Title:
  liblxc-common: AppArmor-Profile for /usr/bin/lxc-copy contains rule
  for lxc-start

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/2080358/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
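Point (a) of the reply turns on a detail that is easy to miss when auditing /etc/apparmor.d: the file name is irrelevant, and the profile header line decides both the profile name and which executable it attaches to. The following script is an added example, not code from the bug report or from the lxc package. It parses the header of each profile file in a directory and reports the attachment path, whether the profile is flagged unconfined, and whether the file name disagrees with the attachment (the "last dot-separated component of the file name equals the executable basename" rule it uses is an assumption, not an AppArmor convention). The sample profiles are constructed from the contents quoted in the report plus one made-up attachment-less profile; the `build_sample_dir`, `audit` and `confined_executables` names are this example's own.

```python
"""Audit which executable each AppArmor profile file actually attaches to.

Added example (not from the bug report or lxc). Demonstrates that the
profile header, not the file name, decides the attachment: the quoted
usr.bin.lxc-copy file attaches to /usr/bin/lxc-start.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional

# Header forms handled (the two forms quoted in the report plus the
# attachment-less "profile NAME {" form; other syntax is not covered):
#   /usr/bin/lxc-start flags=(attach_disconnected) {
#   profile lxc-attach /usr/bin/lxc-attach flags=(unconfined) {
#   profile some-name flags=(complain) {
HEADER_RE = re.compile(
    r"^\s*(?:profile\s+(?P<name>[^\s{]+))?"   # optional explicit profile name
    r"(?:\s*(?P<attach>/[^\s{]+))?"           # optional attachment path
    r"(?:\s*flags=\((?P<flags>[^)]*)\))?"     # optional flags=(a,b,...)
    r"\s*\{\s*$"                              # opening brace ends the header
)


@dataclass
class ProfileHeader:
    file: str                 # file name under the profile directory
    name: str                 # profile name AppArmor will load
    attach: Optional[str]     # executable the profile attaches to, if any
    flags: List[str] = field(default_factory=list)

    @property
    def unconfined(self) -> bool:
        return "unconfined" in self.flags

    @property
    def mismatch(self) -> bool:
        # Heuristic (assumption): usr.bin.lxc-copy -> lxc-copy, lxc-attach -> lxc-attach
        # should equal the basename of the attachment path.
        if self.attach is None:
            return False
        return self.file.rsplit(".", 1)[-1] != os.path.basename(self.attach)


def parse_profile(path: str) -> Optional[ProfileHeader]:
    """Return the first (top-level) profile header found in a profile file."""
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            stripped = line.strip()
            # Skip blanks, comments, #include/include lines and the abi line.
            if not stripped or stripped.startswith(("#", "include", "abi ")):
                continue
            m = HEADER_RE.match(line)
            if not m or (m.group("name") is None and m.group("attach") is None):
                continue
            flags = [f.strip() for f in (m.group("flags") or "").split(",") if f.strip()]
            name = m.group("name") or m.group("attach")
            return ProfileHeader(os.path.basename(path), name, m.group("attach"), flags)
    return None


def audit(directory: str) -> List[ProfileHeader]:
    """Parse every regular file in the directory, sorted by file name."""
    headers = []
    for entry in sorted(os.listdir(directory)):
        full = os.path.join(directory, entry)
        if os.path.isfile(full):
            header = parse_profile(full)
            if header is not None:
                headers.append(header)
    return headers


def confined_executables(headers: List[ProfileHeader]) -> List[str]:
    """Executables that really get confinement: attached and not unconfined."""
    return sorted(h.attach for h in headers if h.attach and not h.unconfined)


# Constructed sample directory: the two headers quoted in the report plus one
# invented attachment-less profile (not a real lxc file).
SAMPLE_PROFILES = {
    "usr.bin.lxc-copy": (
        "abi <abi/4.0>,\n"
        "#include <tunables/global>\n\n"
        "/usr/bin/lxc-start flags=(attach_disconnected) {\n"
        "  #include <abstractions/lxc/start-container>\n"
        "}\n"
    ),
    "lxc-attach": "profile lxc-attach /usr/bin/lxc-attach flags=(unconfined) {\n}\n",
    "sample-no-attach": "profile sample-no-attach flags=(complain) {\n}\n",
}


def build_sample_dir() -> str:
    directory = tempfile.mkdtemp(prefix="apparmor-sample-")
    for fname, body in SAMPLE_PROFILES.items():
        with open(os.path.join(directory, fname), "w", encoding="utf-8") as fh:
            fh.write(body)
    return directory


if __name__ == "__main__":
    directory = build_sample_dir()  # point this at /etc/apparmor.d on a real host
    headers = audit(directory)
    for h in headers:
        print(f"{h.file:18} name={h.name:20} attach={h.attach or '-':20} "
              f"unconfined={str(h.unconfined):5} mismatch={h.mismatch}")
    print("confined executables:", confined_executables(headers))
```

On the sample directory the report lists usr.bin.lxc-copy as attaching to /usr/bin/lxc-start with a file-name mismatch, lxc-attach as unconfined, and /usr/bin/lxc-start as the only executable that is actually confined; that is the situation the reply describes before any fix is applied.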
