[pkg-apparmor] Bug#1050256: autopkgtest fails on debci
Christian Boltz
apparmor at cboltz.de
Mon Sep 4 13:37:00 BST 2023
Hello,
On Saturday, 2 September 2023, 01:13:11 CEST, Mathias Gibbens wrote:
> A minimal reproducer is to install bookworm and create a container
> with a systemd service using a hardening option like
> PrivateNetwork=yes. With the latest bookworm kernel (6.1.38-4), the
> service will fail. But, grab a kernel from testing (6.4.11-1) and then
> things work -- with no other changes required. I tried the "oldest"
> kernel on snapshot.d.o post 6.1 series (6.3.1+1~exp1 [1]) and the
> service works properly with that version as well. So, something
> changed in the kernel (either upstream or in Debian's packaging)
> between 6.1 and 6.3 that "unbreaks" services within lxc containers.
I asked in #apparmor, and John answered
[11:04:33] <cboltz> can someone have a look at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050256 ? Short version: Debian gets unix denials when running lxc with kernel 6.1.38 from bookworm, but things work with kernel 6.3.1
[19:19:41] <jjohansen> cboltz: ok, I will try and look at it today
[07:00:34] <jjohansen> cboltz: I didn't see anything that would cause unix failures in a first pass. I will take another pass at it tomorrow
[10:01:30] <jjohansen> cboltz: commit 1cf26c3d2c4c apparmor: fix apparmor mediating locking non-fs unix sockets
So you could test if the bookworm kernel with 1cf26c3d2c4c applied on
top fixes the issue.
To answer a question from a later mail:
On Sunday, 3 September 2023, 02:56:05 CEST, Michael Biebl wrote:
> I also tested downgrading apparmor to 2.13.6-10 (i.e. the version from
> oldstable) on a bookworm system.
>
> This was also sufficient to unbreak lxc.
>
> So it "looks" like apparmor 3.x makes assumptions about the kernel
> that are not fulfilled by the kernel 6.1.x in bookworm.
The difference is in the abi levels - without an abi/ include specified,
unix rules don't get enforced (= allow everything), while with abi/3.0
and AppArmor >= 3.x userspace, unix rules get enforced.
abi/3.0 got introduced in AppArmor 3.0, and my guess is that the abi/3.0
include was also added to the lxc profile.
Actually the explanation might be slightly different (same result, but
without abi/3.0 in the lxc profile):
It looks like the Debian AppArmor maintainers pinned the abi to
/etc/apparmor.d/abi/kernel-5.4-outoftree-network
which, like abi/3.0, includes enforcing unix rules.
(Note: I'm only looking at https://salsa.debian.org/apparmor-team/apparmor.git/
since I don't have a Debian machine running.)
For completeness: 2.13.x doesn't support abi at all (besides ignoring
abi/* includes if it finds them in a profile) so even if you have a
profile with abi/3.0, unix rules won't be enforced.
There's an exception: Ubuntu kernels carry some patches to enable unix
and some other rules even with older AppArmor versions.
Regards,
Christian Boltz
--
in my experience it's safe to assume developers never test
[Stephan Kulow in opensuse-factory]
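The two profile shapes this mail contrasts (no abi pin versus an abi pin that enables unix mediation), as a constructed illustration added here; this is not the lxc package's shipped profile, and the profile names, file paths and the specific unix rules are assumptions:

```apparmor
# Constructed example, not the lxc package's real profile.
# Profile names, paths and rules are placeholders chosen to show the point.

# ---- /etc/apparmor.d/example-container-nopin (constructed) --------------
# No abi rule: the policy is compiled against the legacy feature set.
# As the mail explains, unix rules are then not enforced (everything is
# allowed), which is also what AppArmor 2.13.x does for every profile,
# since it ignores abi/* includes entirely.
profile example-container-nopin flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/base>

  # Present in the profile, but inert without an abi that enables
  # af_unix mediation, so a container service using PrivateNetwork=yes
  # never sees a unix denial from this profile.
  unix (send, receive) type=stream,
}

# ---- /etc/apparmor.d/example-container-pinned (constructed) -------------
# Either abi line below turns on enforcement of unix rules with an
# AppArmor >= 3.x userspace. Debian pins the second one, shipped at
# /etc/apparmor.d/abi/kernel-5.4-outoftree-network; abi/3.0 has the
# same effect for unix rules.
abi <abi/3.0>,
# abi <abi/kernel-5.4-outoftree-network>,

include <tunables/global>

profile example-container-pinned flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/base>

  # Now enforced: an AF_UNIX operation not matched by a rule here is
  # denied and logged, which is the "unix denial" the bug report describes.
  # Only in this variant is unix mediation active at all, so only here can
  # the kernel-side behaviour that commit 1cf26c3d2c4c changes be observed.
  unix (send, receive) type=stream,
  unix (connect, receive, send) type=stream peer=(label=@{profile_name}),
}
```

Loading the pinned variant on a kernel whose unix mediation is broken, versus the same policy on a fixed kernel, isolates the kernel side of the problem from the userspace/abi side that the mail describes.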