
Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u1



Hi again Fabian & release team,

Fabian Grünbichler:
> On Wed, Dec 06, 2017 at 03:28:03PM +0100, intrigeri wrote:
>> > it potentially breaks systems using a custom/backports/newer kernel
>> > and AA profiles requiring features not supported by the pinned 4.9
>> > feature set.
>> 
>> In this case, "breaks" == the AppArmor confinement becomes weaker,
>> but the application keeps working.

> not the case for all scenarios unfortunately. LXC containers using the
> upstream profiles (and a kernel supporting the needed features) don't
> start anymore:

> apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="/usr/bin/lxc-start" name="/" pid=21550 comm="lxc-start" flags="rw, rslave"

Wow, assuming you're indeed running with the 4.9 feature set I've
uploaded, that's definitely a bug: the 4.9 feature set is supposed to
fully disable mount mediation, so a mount denial should never happen.
At first glance this very much looks like a bug in the custom kernel
you're using.

If you can reproduce this with a pristine 4.13 or 4.14 Debian kernel,
then I'm very sorry and I agree we should revert this s-p-u until this
kernel bug is fixed in mainline; I'll gladly help you report this bug
upstream. If, however, you can't reproduce this bug with a Debian
kernel, well, then it's a bug in the kernel patches you've applied and
I think we should leave s-p-u as-is.

Possibly helpful: can you please share the content of
/etc/apparmor.d/cache/.features on the system that exposes
this problem?

Cheers,
-- 
intrigeri
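To make the check intrigeri asks for concrete, here is an added example (mine, not code from the thread or from the apparmor project) that parses an audit line of the shape quoted above and checks whether a `.features` dump advertises mount mediation, so a mount denial can be classified as expected (policy) or unexpected (kernel). The `.features` contents below are constructed samples modelled on the brace format `apparmor_parser` writes, not the real 4.9 feature set.

```python
import re
from typing import Dict, Set

# Constructed sample: one audit line in the form quoted in the thread.
SAMPLE_DENIAL = ('apparmor="DENIED" operation="mount" info="failed mntpnt match" '
                 'error=-13 profile="/usr/bin/lxc-start" name="/" pid=21550 '
                 'comm="lxc-start" flags="rw, rslave"')

# Constructed sample .features dumps (not the real pinned 4.9 set):
# one that advertises mount mediation and one that does not.
FEATURES_WITH_MOUNT = """caps {mask {chown dac_override
}
}
mount {mask {mount umount pivot_root
}
}
"""
FEATURES_NO_MOUNT = """caps {mask {chown dac_override
}
}
"""

_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_denial(line: str) -> Dict[str, str]:
    """Split an AppArmor audit line into key=value fields, quotes stripped."""
    fields = {}
    for key, raw in _KV.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def top_level_features(text: str) -> Set[str]:
    """Return the feature names at brace depth 0 of a .features dump."""
    names, depth = set(), 0
    for m in re.finditer(r'(\w+)\s*\{|\{|\}', text):
        if m.group(0) == '}':
            depth -= 1
            continue
        if depth == 0 and m.group(1):
            names.add(m.group(1))
        depth += 1
    return names


def explain_mount_denial(line: str, features_text: str) -> str:
    """A mount denial under a feature set without 'mount' means the kernel is
    mediating something the policy was compiled to ignore: suspect the kernel."""
    f = parse_denial(line)
    if f.get("apparmor") != "DENIED" or f.get("operation") != "mount":
        return "not a mount denial"
    if "mount" in top_level_features(features_text):
        return "expected: feature set enables mount mediation; fix the profile"
    return "unexpected: feature set disables mount mediation; suspect the kernel"
```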

