
Update apparmor to 2.13.3
ClosedPublic

Authored by livingsilver94 on Oct 24 2019, 12:40 PM.

Diff Detail

Repository: R3611 apparmor
Lint: Automatic diff as part of commit; lint not applicable.
Unit: Automatic diff as part of commit; unit tests not applicable.

Event Timeline

livingsilver94 requested review of this revision. Oct 24 2019, 12:40 PM
livingsilver94 edited the summary of this revision. Edited Oct 24 2019, 12:41 PM

I'm not entirely sure how to test it and whether it requires revdeps rebuild. Suggestions welcome.

Girtablulu added inline comments.

package.yml, line 51:

No check?

livingsilver94 marked an inline comment as done. Oct 24 2019, 2:02 PM
livingsilver94 added a comment. Edited Oct 24 2019, 2:15 PM

I tested T7772 and it's fixed now, but what's suspicious is that sudo apparmor_status lists:

apparmor module is loaded.
2 profiles are loaded.
2 profiles are in enforce mode.
   /usr/sbin/sshd
   /usr/sbin/sshd//passwd
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

There are no profiles listed that are built in /var/cache/aa-lsm-hook. Also, sudo apparmor_parser --print-cache-dir reports /var/cache/apparmor/ab6ae91e.0, not /var/cache/aa-lsm-hook/ab6ae91e.0.
I don't know much about apparmor, so consider that maybe I'm telling fairy tales, but this kinda suggests to me there's something wrong somewhere. Can you please confirm that the outputs I posted are correct despite the presence of aa-lsm-hook?

Run sudo aa-lsm-hook-load and try again.

Nothing changes, outputs are exactly the same.
Plus, after a reboot:

❯ sudo apparmor_status
Password:
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

System is like "you saw nothing...".

Well it's only going to load profiles for things that are running. So you may need to install a new Snap package to test.

livingsilver94 added a comment. Edited Oct 24 2019, 4:46 PM

OK, profiles are loaded on demand.
2 things to note:

  • sudo apparmor_parser --print-cache-dir still outputs a directory not tied to aa-lsm-hook even when snapd profiles are active
  • For every snap package I want to run I get "snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks." Maybe snapd requires a rebuild?

More information:

❯ sudo ls /var/cache/apparmor/ab6ae91e.0
snap.chromium.chromedriver  snap-confine.core.7917   snap.core.hook.configure  snap-update-ns.chromium  snap-update-ns.spotify
snap.chromium.chromium      snap-confine.snapd.4992  snap.spotify.spotify      snap-update-ns.core
❯ sudo ls /var/cache/aa-lsm-hook/ab6ae91e.0
bin.ping  lsb_release  nvidia_modprobe  sbin.klogd  sbin.syslogd  sbin.syslog-ng  usr.lib64.snapd.snap-confine
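The thread's symptom (profiles present in the aa-lsm-hook cache but apparmor_status reporting none loaded after reboot) is the kind of drift a boot-time check can catch. The script below is an added example, not part of this revision or of the apparmor/aa-lsm-hook packages: it parses apparmor_status output and reports which expected profiles are not in enforce mode. The sample output is constructed to mirror the first listing in this thread; the profile name /usr/lib64/snapd/snap-confine is an assumption derived from the cache file name usr.lib64.snapd.snap-confine, not taken from the page.

```shell
#!/bin/sh
# Constructed apparmor_status output, mirroring the thread's first listing.
SAMPLE_STATUS='apparmor module is loaded.
2 profiles are loaded.
2 profiles are in enforce mode.
   /usr/sbin/sshd
   /usr/sbin/sshd//passwd
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.'

# loaded_profiles MODE   (MODE is enforce or complain)
# Reads apparmor_status output on stdin and prints the profile names listed
# under the "N profiles are in MODE mode." header, one per line. Any other
# line that starts with a count ("N processes ...") closes the section, so
# process listings are never mistaken for profiles.
loaded_profiles() {
    awk -v mode="$1" '
        /^[0-9]+ profiles are in [a-z]+ mode\.$/ { in_sec = ($5 == mode); next }
        /^[0-9]+ /                               { in_sec = 0; next }
        in_sec && /^[[:space:]]+[^[:space:]]/    { sub(/^[[:space:]]+/, ""); print }
    '
}

# check_enforced PROFILE...   (apparmor_status output on stdin)
# Prints every expected profile that is not in enforce mode; returns 1 if
# any is missing, 0 if all are enforced.
check_enforced() {
    loaded=$(loaded_profiles enforce)
    rc=0
    for want in "$@"; do
        if ! printf '%s\n' "$loaded" | grep -qxF -- "$want"; then
            echo "NOT ENFORCED: $want"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone demo on the constructed sample: sshd is enforced, the assumed
# snap-confine profile is not. On a live system replace the printf with
# "sudo apparmor_status |".
if printf '%s\n' "$SAMPLE_STATUS" | check_enforced /usr/sbin/sshd /usr/lib64/snapd/snap-confine; then
    echo "all expected profiles are enforced"
else
    echo "some expected profiles are not enforced"
fi
```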

Can you run sudo strace -o aa-lsm.out -ytff aa-lsm-hook-load and bundle up all of the aa-lsm.out* files? Thanks.

DataDrake accepted this revision. Dec 22 2019, 5:49 PM

LGTM. Thanks!

This revision is now accepted and ready to land. Dec 22 2019, 5:49 PM
This revision was automatically updated to reflect the committed changes.