[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [pkg-apparmor] Bug#1050256: autopkgtest fails on debci


Am Samstag, 2. September 2023, 01:13:11 CEST schrieb Mathias Gibbens:
>   A minimal reproducer is to install bookworm and create a container
> with a systemd service using a hardening option like
> PrivateNetwork=yes. With the latest bookworm kernel (6.1.38-4), the
> service will fail. But, grab a kernel from testing (6.4.11-1) and then
> things work -- with no other changes required. I tried the "oldest"
> kernel on snapshot.d.o post 6.1 series (6.3.1+1~exp1 [1]) and the
> service works properly with that version as well. So, something
> changed in the kernel (either upstream or in Debian's packaging)
> between 6.1 and      6.3 that "unbreaks" services within lxc containers.

I asked in #apparmor, and John answered

[11:04:33] <cboltz> can someone have a look at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050256 ? Short version: Debian gets  unix  denials when running lxc with kernel 6.1.38 from bookwork, but things work with kernel 6.3.1
[19:19:41] <jjohansen> cboltz: ok, I will try and look at it today
[07:00:34] <jjohansen> cboltz: I didn't see anything that would cause unix failures in a first pass. I will take another pass at it tomorrow
[10:01:30] <jjohansen> cboltz: commit 1cf26c3d2c4c apparmor: fix apparmor mediating locking non-fs unix sockets

So you could test if the bookwork kernel with 1cf26c3d2c4c applied on 
top fixes the issue.

To answer a question from a later mail:

Am Sonntag, 3. September 2023, 02:56:05 CEST schrieb Michael Biebl:
> I also tested downgrading apparmor to 2.13.6-10 (i.e. the version from
>  oldstable) on a bookworm system.
> This was also sufficient to unbreak lxc.
> So it "looks" like apparmor 3.x makes assumptions about the kernel
> that are not fulfilled by the kernel 6.1.x in bookworm.

The difference is in the abi levels - without an abi/ include specified, 
unix rules don't get enforced (= allow everything), while with abi/3.0
and AppArmor >= 3.x userspace, unix rules get enforced.

abi/3.0 got introduced in AppArmor 3.0, and my guess is that the abi/3.0
include was also added to the lxc profile.

Actually the explanation might be slightly different (same result, but 
without abi/3.0 in the lxc profile):

It looks like the Debian AppArmor maintainers pinned the abi to
which, like abi/3.0, includes enforcing unix rules.

(Note: I'm only looking at https://salsa.debian.org/apparmor-team/apparmor.git/
since I don't have a Debian machine running.)

For completeness: 2.13.x doesn't support abi at all (besides ignoring
abi/* includes if it finds them in a profile) so even if you have a
profile with abi/3.0, unix rules won't be enforced.

There's an exception:  Ubuntu kernels carry some patches to enable unix 
and some other rules even with older AppArmor versions.


Christian Boltz
in my experience it's safe to assume developers never test
[Stephan Kulow in opensuse-factory]

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to: