[pkg-apparmor] Bug#1054123: apparmor breaks nfs root

Anton Ivanov anton.ivanov at kot-begemot.co.uk
Wed Oct 25 10:59:22 BST 2023


On 25/10/2023 10:22, intrigeri wrote:
> Hi,
>
> Christian Boltz (2023-10-17):
>> Am Dienstag, 17. Oktober 2023, 14:18:43 CEST schrieb Anton Ivanov:
>>> Alternatively, the kernel should stop treating network filesystem
>>> access as network access for apparmor purposes. That, however,
>>> is likely to be a bit difficult.
>> [...]
>>> Kernel: Linux 5.10.0-22-amd64 (SMP w/12 CPU threads)
>> This issue was fixed in kernel 6.0 [1]
> Thanks a lot, Christian, for the info!
>
> Current Debian stable (Bookworm), released a few months ago, ships
> Linux 6.1, so I'm closing this bug as fixed.
>
> I understand this problem affects only Bullseye (and older systems) on
> NFS root. The fact it took more than 2 years since the Bullseye
> release for anyone to report it gives us an indication that the impact
> is minimal.

Bullseye does not enforce this apparmor rule. So all diskless boots worked fine for the last two years.

It is not a question of "not reported". It is a bug specific to upgrading from Bullseye to Bookworm on diskless systems.

Because of this, they should not be left running the old kernel even if everything appears to work.

The kernel and initrd in diskless environments are determined by the PXE config and picked from a different location than the /boot directory, so this would be a fairly common, albeit temporary, state after an upgrade.

In any case - the cause, circumstances and solution are now documented. It can be closed.

> And now we know the workaround should be relatively
> straightforward for the kind of user who is able to set up NFS root:
> upgrade to Bookworm's kernel. Therefore I don't think it would be
> a good usage of limited Debian volunteer resources to spend time
> backporting the fix for Bullseye.
> Cheers,

-- 
Anton R. Ivanov
https://www.kot-begemot.co.uk/
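As an added check (this is not code from the bug report, the apparmor package or the kernel), here is a POSIX sh script that detects the combination described in this thread on a diskless host: root mounted over NFS, AppArmor enabled, a running kernel older than 6.0, and a newer kernel sitting in /boot that the PXE/TFTP tree is not yet serving. The paths to /proc/mounts, the AppArmor sysfs flag and the boot directory are parameters so the logic can be exercised on constructed input; the 6.0 boundary is taken from Christian Boltz's message above, and treating every kernel below 6.0 as affected is this script's own assumption (the report itself only names 5.10). Run it with `--live` on the real host.

```shell
#!/bin/sh
# Added example, not part of the bug report: pre-reboot sanity check for a
# diskless host upgraded from Bullseye to Bookworm. Flags the preconditions of
# the NFS-root/AppArmor breakage: root on nfs/nfs4 + AppArmor enabled +
# running kernel < 6.0 (assumption: the fix referenced in the thread is in 6.0+).

# kver_num "5.10.0-22-amd64" -> 5010000: major*1e6 + minor*1e3 + patch,
# ignoring the Debian ABI suffix, so versions compare as plain integers.
kver_num() {
    v=${1%%-*}
    maj=${v%%.*}; rest=${v#"$maj"}; rest=${rest#.}
    min=${rest%%.*}; rest=${rest#"$min"}; rest=${rest#.}
    pat=${rest%%.*}
    maj=${maj%%[!0-9]*}; min=${min%%[!0-9]*}; pat=${pat%%[!0-9]*}
    echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
}

# True when the kernel version string $1 is older than 6.0.
kernel_older_than_6() {
    [ "$(kver_num "$1")" -lt "$(kver_num 6.0)" ]
}

# True when the /proc/mounts content on stdin shows / mounted from nfs or nfs4.
root_is_nfs() {
    while read -r dev mnt fstype rest; do
        if [ "$mnt" = "/" ]; then
            case "$fstype" in nfs|nfs4) return 0 ;; esac
        fi
    done
    return 1
}

# True when the AppArmor "enabled" flag file ($1, default: the real sysfs
# node) reads Y.
apparmor_enabled() {
    f=${1:-/sys/module/apparmor/parameters/enabled}
    [ -r "$f" ] && [ "$(cat "$f")" = "Y" ]
}

# Print the newest vmlinuz-* version present in directory $1 ("" if none).
newest_kernel_in() {
    best=""; bestn=0
    for f in "$1"/vmlinuz-*; do
        [ -e "$f" ] || continue
        v=${f##*/vmlinuz-}
        n=$(kver_num "$v")
        if [ "$n" -gt "$bestn" ]; then best=$v; bestn=$n; fi
    done
    printf '%s\n' "$best"
}

# All three preconditions hold: $1 running kernel, $2 mounts file, $3 flag file.
nfsroot_apparmor_at_risk() {
    kernel_older_than_6 "$1" || return 1
    root_is_nfs < "$2" || return 1
    apparmor_enabled "$3" || return 1
    return 0
}

# $1 running kernel, $2 mounts file, $3 AppArmor flag file, $4 boot directory.
# Returns 2 when at risk (and says whether /boot already holds a newer kernel
# that the PXE tree should be serving), 0 otherwise.
report_host() {
    if nfsroot_apparmor_at_risk "$1" "$2" "$3"; then
        echo "WARNING: root on NFS, AppArmor enabled, running kernel $1 is older than 6.0."
        newest=$(newest_kernel_in "$4")
        if [ -n "$newest" ] && [ "$(kver_num "$newest")" -gt "$(kver_num "$1")" ]; then
            echo "  $4 holds vmlinuz-$newest: copy it and its initrd into the PXE/TFTP tree and reboot."
        fi
        return 2
    fi
    echo "OK: not in the NFS-root/AppArmor/pre-6.0-kernel combination."
    return 0
}

# On a real host: ./check-nfsroot.sh --live
if [ "${1:-}" = "--live" ]; then
    report_host "$(uname -r)" /proc/mounts /sys/module/apparmor/parameters/enabled /boot
    exit $?
fi
```

The check deliberately does not inspect AppArmor profiles: the breakage is the kernel-side classification of NFS traffic, so the useful signals are the kernel version and whether the kernel the PXE tree boots lags behind the one the upgrade dropped into /boot.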
