Page MenuHomeSolus
Differential D7478

Update apparmor to 2.13.3
ClosedPublic
Actions

Authored by livingsilver94 on Oct 24 2019, 12:40 PM.
Tags
None
Referenced Files
F10829429: D7478.id18909.diff
Sun, Jun 4, 12:07 PM
F10825585: D7478.diff
Sun, Jun 4, 12:36 AM
F10792034: D7478.diff
Sat, May 27, 5:54 AM
F10785223: D7478.id.diff
Fri, May 26, 3:29 AM
F10780325: D7478.id.diff
Thu, May 25, 12:14 AM
F10739940: D7478.diff
Sat, May 13, 11:30 PM
F10709751: D7478.id.diff
Apr 28 2023, 6:07 AM
F5275742: aa-lsm.out.4256
Oct 24 2019, 6:37 PM
View All 9 Files
Subscribers
DataDrake
Girtablulu
Tokens
"Burninate" token, awarded by Girtablulu.

Details

Reviewers
DataDrake
Group Reviewers
Triage Team
Maniphest Tasks
T7772: Apparmor extra-profiles/usr.sbin.sshd broken
T4287: AppArmor Python tools/libraries are broken
Commits
R3611:853658301d20: Update apparmor to 2.13.3
Summary

Changelog:

Fixes T4287, T7772.

Test Plan

TBD

Diff Detail

Repository
R3611 apparmor
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

livingsilver94 created this revision.Oct 24 2019, 12:40 PM
Herald added a reviewer: Triage Team. · View Herald TranscriptOct 24 2019, 12:40 PM
livingsilver94 requested review of this revision.Oct 24 2019, 12:40 PM
livingsilver94 edited the summary of this revision. (Show Details)EditedOct 24 2019, 12:41 PM
livingsilver94 added a task: T4287: AppArmor Python tools/libraries are broken.

I'm not entirely sure how to test it and whether it requires revdeps rebuild. Suggestions welcome.

Girtablulu awarded a token.Oct 24 2019, 12:53 PM
Girtablulu added a subscriber: Girtablulu.Oct 24 2019, 12:58 PM
Girtablulu added inline comments.
package.yml
51

No check?

livingsilver94 updated this revision to Diff 17953.Oct 24 2019, 2:02 PM

Moar tests

livingsilver94 marked an inline comment as done.Oct 24 2019, 2:02 PM
livingsilver94 edited the summary of this revision. (Show Details)Oct 24 2019, 2:07 PM
livingsilver94 added a task: T7772: Apparmor extra-profiles/usr.sbin.sshd broken.
livingsilver94 added a comment.EditedOct 24 2019, 2:15 PM

I tested T7772 and it's fixed now, but what's suspicious is that sudo apparmor_status lists:

apparmor module is loaded.
2 profiles are loaded.
2 profiles are in enforce mode.
   /usr/sbin/sshd
   /usr/sbin/sshd//passwd
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

There are no profiles listed that are built in var/cache/aa-lsm-hook. Also, sudo apparmor_parser --print-cache-dir reports /var/cache/apparmor/ab6ae91e.0, not /var/cache/aa-lsm-hook/ab6ae91e.0.
I don't know much of apparmor so consider that maybe I'm telling fairy tales, but this kinda suggests me there's something wrong somewhere. Can you please confirm that the outputs I posted are correct despite the presence of aa-lsm-hook?

DataDrake added a subscriber: DataDrake.Oct 24 2019, 4:04 PM

Run sudo aa-lsm-hook-load and try again.

livingsilver94 added a comment.Oct 24 2019, 4:09 PM

Nothing changes, outputs are exactly the same.
Plus, after a reboot:

❯ sudo apparmor_status                  
Password: 
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

System is like "you saw nothing...".

DataDrake added a comment.Oct 24 2019, 4:19 PM

Well it's only going to load profiles for things that are running. So you may need to install a new Snap package to test.

livingsilver94 added a comment.EditedOct 24 2019, 4:46 PM

OK profiles are loaded on-demand.
2 things to note:

  • sudo apparmor_parser --print-cache-dir still outputs a directory not tied to aa-lsm-hook even when snapd profiles are active
  • For every snap package I want to run I get snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks. Maybe snapd requires a rebuild?
livingsilver94 added a comment.Oct 24 2019, 4:48 PM

More information:

❯ sudo ls /var/cache/apparmor/ab6ae91e.0
snap.chromium.chromedriver  snap-confine.core.7917   snap.core.hook.configure  snap-update-ns.chromium  snap-update-ns.spotify
snap.chromium.chromium      snap-confine.snapd.4992  snap.spotify.spotify      snap-update-ns.core
❯ sudo ls /var/cache/aa-lsm-hook/ab6ae91e.0
bin.ping  lsb_release  nvidia_modprobe  sbin.klogd  sbin.syslogd  sbin.syslog-ng  usr.lib64.snapd.snap-confine
DataDrake added a comment.Oct 24 2019, 5:43 PM

Can you run sudo strace -o aa-lsm.out -ytff aa-lsm-hook-load and bundle up all of the aa-lsm.out* files? Thanks.

livingsilver94 added a comment.Oct 24 2019, 6:37 PM

aa-lsm.out.42551 KBDownload

aa-lsm.out.425683 KBDownload

Jacalz mentioned this in T8433: Tor Browser.Oct 24 2019, 6:42 PM
livingsilver94 added a child revision: D7487: Update libvirt to 5.8.0.Oct 25 2019, 4:01 PM
DataDrake mentioned this in T8449: Meta: Week 44/45 Task List.Oct 27 2019, 3:20 PM
DataDrake accepted this revision.Dec 22 2019, 5:49 PM

LGTM. Thanks!

This revision is now accepted and ready to land.Dec 22 2019, 5:49 PM
Closed by commit R3611:853658301d20: Update apparmor to 2.13.3 (authored by livingsilver94, committed by DataDrake). · Explain WhyDec 22 2019, 5:49 PM
This revision was automatically updated to reflect the committed changes.
DataDrake added a commit: R3611:853658301d20: Update apparmor to 2.13.3.

Revision Contents
Changeset List

PathSize
10 lines
1 line
47 lines
174 lines

Diff 18909

View Options

abi_symbols

Loading...
View Options

abi_used_libs

Loading...
View Options

package.yml

Loading...
View Options

pspec_x86_64.xml

Loading...
Copyright © 2015-2021 Solus Project. The Solus logo is Copyright © 2016-2021 Solus Project. All Rights Reserved.