[debian-mysql] Bug#1130272: mariadb-server: mariadbd AppArmor profile denies MTR accesses in enforce mode

Aquila Macedo aquila at debian.org
Tue Mar 10 19:42:50 GMT 2026


Package: mariadb-server
X-Debbugs-Cc: aquila at debian.org
Version: 1:11.8.6-2
Severity: normal

Hello,

The shipped AppArmor profile for mariadbd denies accesses during mariadb 
test runs in enforce mode.

I am not claiming that all observed MTR test failures are caused by 
AppArmor. Some testcase failures appear to be unrelated. For instance, 
rpl.rpl_blackhole_row_annotate currently shows a result mismatch due to 
the extra "from Debian-log" string in the binlog output, which does not 
look like an AppArmor permission failure.

However, the AppArmor denials are real and reproducible.

Observed denials include:

   apparmor="DENIED" operation="mknod" class="file" profile="mariadbd" \
   name="/usr/share/mariadb/mariadb-test/mariadb-app.lower-test" \
   requested_mask="c" denied_mask="c"

   apparmor="DENIED" operation="open" class="file" profile="mariadbd" \
   name="/sys/block/" requested_mask="r" denied_mask="r"

For comparison, when the profile is set to complain mode, the same 
accesses are logged as ALLOWED instead of DENIED.

Steps to reproduce:

1. Set up a Debian unstable VM or container and install mariadb-server

2. Set the profile to enforce mode:
    aa-enforce /usr/sbin/mariadbd

3. Run an MTR testcase, for instance:
    ./mariadb-test-run --vardir=/var/tmp/mtrvar --force rpl.rpl_blackhole_row_annotate

4. Inspect /var/log/audit/audit.log

Example audit log excerpts:

   type=AVC msg=audit(...): apparmor="DENIED" operation="mknod" class="file" profile="mariadbd" name="/usr/share/mariadb/mariadb-test/mariadb-app.lower-test" pid=1049 comm="mariadbd" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
   type=AVC msg=audit(...): apparmor="DENIED" operation="open" class="file" profile="mariadbd" name="/sys/block/" pid=1055 comm="mariadbd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

This suggests that the shipped mariadbd AppArmor profile does not 
currently allow at least some accesses exercised by MTR in this environment.

I am still investigating the exact impact of these denials on the 
observed MTR failures.

Environment used:

* Debian unstable
* MariaDB 11.8.6-MariaDB-2
* AppArmor enabled

Cheers,
Aquila Macedo
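
Added example, not part of the original report or of the MariaDB packaging: a small Python summarizer for step 4 that collapses AppArmor AVC records for one profile into unique (verdict, operation, path, mask) tuples, so enforce-mode DENIED entries can be compared with complain-mode ALLOWED ones. The sample lines are constructed from the excerpts above; the timestamps, serial numbers, extra PIDs and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample modelled on the excerpts in the report; the
# audit(...) timestamps/serials and the ALLOWED line are invented.
SAMPLE = '''\
type=AVC msg=audit(1700000000.001:101): apparmor="DENIED" operation="mknod" class="file" profile="mariadbd" name="/usr/share/mariadb/mariadb-test/mariadb-app.lower-test" pid=1049 comm="mariadbd" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=AVC msg=audit(1700000000.002:102): apparmor="DENIED" operation="open" class="file" profile="mariadbd" name="/sys/block/" pid=1055 comm="mariadbd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1700000000.003:103): apparmor="DENIED" operation="open" class="file" profile="mariadbd" name="/sys/block/" pid=1061 comm="mariadbd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1700000000.004:104): apparmor="ALLOWED" operation="open" class="file" profile="mariadbd" name="/sys/block/" pid=1070 comm="mariadbd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=SYSCALL msg=audit(1700000000.005:105): arch=c000003e syscall=257 success=no comm="mariadbd"
'''

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')      # key="quoted" or key=bare
HEXNAME = re.compile(r'(?:[0-9A-Fa-f]{2})+')      # audit's hex-encoded strings

def parse_avc(line):
    """Return the key/value fields of an AppArmor record, or None."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for key, raw, quoted in FIELD.findall(line):
        value = quoted if raw.startswith('"') else raw
        # Names with spaces or quotes are logged unquoted as hex; decode them.
        if key == "name" and not raw.startswith('"') and HEXNAME.fullmatch(raw):
            value = bytes.fromhex(raw).decode("utf-8", "replace")
        fields[key] = value
    return fields

def summarize(log_text, profile="mariadbd"):
    """Count unique (verdict, operation, name, mask) tuples for one profile."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec.get("profile") != profile:
            continue
        counts[(rec.get("apparmor", ""), rec.get("operation", ""),
                rec.get("name", ""), rec.get("denied_mask", ""))] += 1
    return counts

if __name__ == "__main__":
    for (verdict, op, name, mask), n in sorted(summarize(SAMPLE).items()):
        print(f"{n:3d}  {verdict:7s} {op:6s} mask={mask:2s} {name}")
```

To use it on a real system, pass the contents of /var/log/audit/audit.log to summarize() instead of SAMPLE.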


