[pkg-apparmor] AppArmor ABI incompatibility - is it a userspace or kernel bug?
Lambda Team
lambdateam at airmail.cc
Tue Apr 18 16:35:50 BST 2023
Hello list,
I've encountered a bug on a fully updated Debian Bullseye that (perhaps
also) makes the network directives of AppArmor not work, so for example,
the following code in an AppArmor profile won't have any effect; the
network would still be fully accessible by the process.
deny network
Also when I use a profile in enforcing mode, without that snippet of
code and without any includes, network traffic does get let through.
From what I can tell this should not be happening.
I found out that on Bullseye, all userspace packages are on version
2.13.6. This means that it has version 2 ABI. However, based on a few
loose bits of information on the internet, the kernel side AppArmor was
updated to version 3 ABI a couple of versions before Linux 5.10. A big
change in version 3 ABI was "upstream v8 network socket rules". I think
this has something to do with why AppArmor network policies don't work.
There was a patch set for OpenSuse a long time ago that patched AppArmor
in the kernel so that the version 2 networking ABI would also work in
the kernel
(https://raw.githubusercontent.com/openSUSE/kernel-source/rpm-5.3.8-2/patches.suse/0001-apparmor-patch-to-provide-compatibility-with-v2.x-ne.patch
and
https://github.com/openSUSE/kernel-source/blob/rpm-5.3.8-2/patches.suse/0001-apparmor-fix-unnecessary-creation-of-net-compat.patch).
They don't look like they would be too much of a challenge to add to Debian's
kernel patches. However, I think that the best and the most obvious way
is to backport, or even better, update the 3.0 userspace tools of
AppArmor to Bullseye.
Someone has probably noticed this in Debian before me, perhaps this was
a conscious decision by the Debian team. In any case, please let me know
since nothing came up related to this besides an odd Arch Linux Forum
thread and an Ubuntu bug linked to the previously mentioned patches which
is behind a login wall (https://bugzilla.suse.com/show_bug.cgi?id=1112770).
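A diagnostic that encodes the hypothesis above, added here as an example and not part of the post: it reads which network rule ABI the running kernel exports from its AppArmor features directory and compares it with the major version of the installed apparmor_parser. The directory names `network_v8` (upstream kernels) and `network` (the v2-style directory the openSUSE compat patches add) and the `apparmor_parser --version` output format are assumptions; when no AppArmor sysfs tree is present it runs against a constructed tree instead.

```shell
#!/bin/sh
# Added diagnostic, not code from the mailing-list post.
# Compares the network rule ABI exported by the kernel with what the
# installed apparmor_parser speaks, so silently dropped "network" rules
# can be spotted before trusting an enforcing profile.

# Report the network ABI a kernel exposes, given its features directory.
# Assumption: upstream kernels export "network_v8"; the openSUSE compat
# patches add a v2-style "network" directory beside it.
kernel_net_abi() {
    dir="$1"
    if [ -d "$dir/network_v8" ]; then
        if [ -d "$dir/network" ]; then echo "v8+v2compat"; else echo "v8"; fi
    elif [ -d "$dir/network" ]; then
        echo "v2"
    else
        echo "none"
    fi
}

# Major version from a line such as "AppArmor parser version 2.13.6" -> 2
# (output format is an assumption; an unparsable line yields an empty string).
parser_major() {
    printf '%s\n' "$1" | sed -n 's/.*version \([0-9][0-9]*\)\..*/\1/p'
}

# "ok" when the parser is expected to compile network rules for this kernel
# ABI, "mismatch" for a v8-only kernel with a pre-3.0 parser (the case the
# post describes), "unknown" otherwise.
check_pair() {
    abi="$1"; major="${2:-0}"
    case "$abi" in
        v8)             if [ "$major" -ge 3 ]; then echo ok; else echo mismatch; fi ;;
        v8+v2compat|v2) echo ok ;;
        *)              echo unknown ;;
    esac
}

# Usage: inspect the live system when possible, otherwise a constructed tree.
FEAT=/sys/kernel/security/apparmor/features
if [ -d "$FEAT" ] && command -v apparmor_parser >/dev/null 2>&1; then
    abi=$(kernel_net_abi "$FEAT")
    major=$(parser_major "$(apparmor_parser --version 2>/dev/null | head -n 1)")
else
    demo=$(mktemp -d); mkdir -p "$demo/network_v8"   # constructed: v8-only kernel
    abi=$(kernel_net_abi "$demo"); major=2           # constructed: Bullseye's 2.13 parser
    rm -rf "$demo"
fi
echo "kernel network ABI: $abi, parser major: $major -> $(check_pair "$abi" "$major")"
```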