[FFe] apparmor-4.0.0-alpha2 for unprivileged user namespace restrictions in mantic

Bug #2032602 reported by Alex Murray
Affects: apparmor (Ubuntu) | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

As per the spec documented at https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626 the Security team is enhancing AppArmor to allow the use of unprivileged user namespaces to be restricted to only those packages which require this.

This change requires changes in both AppArmor within the kernel, as well as the apparmor package in the Ubuntu archive to ensure it supports the new syntax required.

This has been extensively tested via the AppArmor regression test script in the QA Regression Testing repo: https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py

This script runs various tests against the installed apparmor package, as well as building and running the various upstream regression and other test suites against this installed package:
  - https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads
  - https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads
  - https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads
  - https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads

The package can be found in https://launchpad.net/~alexmurray/+archive/ubuntu/apparmor-4.0.0-alpha2-for-mantic-take2

This includes build logs etc (e.g. for amd64 this is found at https://launchpad.net/~alexmurray/+archive/ubuntu/apparmor-4.0.0-alpha2-for-mantic-take2/+build/26530996)

Note there is no ChangeLog file in upstream apparmor, so instead I am attaching the git history between the current version of apparmor in mantic (3.0.8) and 4.0.0-alpha2.

Also note that this new version of apparmor does not actually enable the user namespaces restriction yet - that is planned for a future upload (and hence a future FFe) - however, it lays all the groundwork to enable this, once sufficient testing and integration has been done across the rest of the Ubuntu archive and package ecosystem.

As such, there is no risk of regression at this time due to that change - and the extensive regression testing also supports this conclusion.

Alex Murray (alexmurray) wrote :
affects: ubuntu → apparmor (Ubuntu)
description: updated
Alex Murray (alexmurray) wrote :

apt log when installing new package

Alex Murray (alexmurray)
description: updated
Alex Murray (alexmurray) wrote :

qa-regression-testing log for test-apparmor.py - shows one failure on the attach_disconnected tests in the upstream regression test suite - this is due to a kernel bug which is fixed by the following kernel patch - https://lists.ubuntu.com/archives/apparmor/2023-August/012901.html

Utkarsh Gupta (utkarsh) wrote (last edit):

Hi Alex,

Thanks for filing an FFe. The quick first thing is that the ChangeLog attachment is borked. It's not readable at all. :)
Here's a better (not the best) view - https://gitlab.com/apparmor/apparmor/-/compare/v4.0.0-alpha2...v3.0.8?from_project_id=4484878&straight=false.

Anyway, coming to the actual review of the FFe:

- test-apparmor.py is pretty intense and I see good testing performed. I went through the script and the logs, they look good. Thanks for explaining the failure, too.

- the changes, whilst being wayyyyy too many (~200 commits roughly), make sense with their rationale.

- the latest build mostly looks OK. However, I did spot -
```
dpkg-gensymbols: warning: some new symbols appeared in the symbols file: see diff output below
dpkg-gensymbols: warning: debian/libapparmor1/DEBIAN/symbols doesn't match completely debian/libapparmor1.symbols
```
Please ensure this is fixed and also run lintian prior to the upload.

- thanks for all the details, this makes it really easy to review an FFe.

Given the above points and assuming good faith (in pro-actively fixing symbol mismatch and running lintian), I think this is good to go. Thanks for your work on this.

Note - I am not an official release team member yet. I'll let them grant the final approval. :)

Alex Murray (alexmurray) wrote :

Thanks for the detailed review Utkarsh - I have fixed the symbols error and made sure to run lintian and the output looks as expected now - see attached for the full build log including the lintian run at the end.

I want to use the same version number still, so have uploaded this new re-build to a new PPA - https://launchpad.net/~alexmurray/+archive/ubuntu/apparmor-4.0.0-alpha2-for-mantic-take2/ - this is still building but should be done soon.

I will update the main bug description to reflect this change of location now too.

Alex Murray (alexmurray) wrote :

For posterity, I am reuploading the ChangeLog so that Launchpad hopefully uses the correct format (text/plain) rather than html to make it more readable.

Alex Murray (alexmurray)
description: updated
Steve Langasek (vorlon) wrote :

I am not re-reviewing the changelog with respect to possible other new features that would warrant FFe. With respect to the feature stated in the bug title, this is an anticipated change and has my approval for FFe.

Changed in apparmor (Ubuntu):
status: New → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 4.0.0~alpha2-0ubuntu2

---------------
apparmor (4.0.0~alpha2-0ubuntu2) mantic; urgency=medium

  * Fix invalid JSON output from aa-status --json via upstream patch
    (LP: #2032994)
    - d/p/u/binutils-aa_status.c-quiet-verbose-outputs-when-json.patch

 -- Alex Murray <email address hidden> Fri, 25 Aug 2023 09:48:24 +0930

Changed in apparmor (Ubuntu):
status: Triaged → Fix Released
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-azure-6.5/6.5.0-1007.7~22.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-azure-6.5' to 'verification-done-jammy-linux-azure-6.5'. If the problem still exists, change the tag 'verification-needed-jammy-linux-azure-6.5' to 'verification-failed-jammy-linux-azure-6.5'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-azure-6.5-v2 verification-needed-jammy-linux-azure-6.5
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-aws-6.5/6.5.0-1008.8~22.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-aws-6.5' to 'verification-done-jammy-linux-aws-6.5'. If the problem still exists, change the tag 'verification-needed-jammy-linux-aws-6.5' to 'verification-failed-jammy-linux-aws-6.5'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-aws-6.5-v2 verification-needed-jammy-linux-aws-6.5