Package: libsbuild-perl
Version: 0.85.8
Tags: ftbfs patch
Control: affects -1 + src:mediascanner2 src:lomiri-thumbnailer

Hi Johannes and Jochen,

Jochen asked me to look into why the affected packages FTBFS when using
unshare chroot-mode. I managed to reproduce the failure, run the failing
test in isolation, capture an strace, stare at the strace output,
codesearch for random strings such as
"com.canonical.MediaScanner2.Error.Unauthorized" and follow it down
to "check_access", "does_client_have_access",
"get_client_apparmor_context" and finally "aa_is_enabled". That was a
clue to look into AppArmor, so I ran "aa-enabled" on various
configurations:
 * bookworm without apparmor -> Yes
 * Something with apparmor -> Yes
 * sbuild --chroot-mode=unshare -> Yes
 * sbuild --chroot-mode=schroot -> Maybe

I think you spot the difference. The tests believe that AppArmor is
working when it really is not and thus fail as the AppArmor context does
not come back in the expected way. That leaves the question of why
AppArmor looks like it was working. It's because
/sys/kernel/security/apparmor exists. The
https://systemd.io/CONTAINER_INTERFACE/ documents /sys/kernel to be
inaccessible. Once you do that (and sbuild makes it really hard to do
that), both packages can be built. I'm attaching a patch for your
convenience.

Helmut
diff -Nru sbuild-0.85.8/debian/changelog sbuild-0.85.8+nmu1/debian/changelog
--- sbuild-0.85.8/debian/changelog      2024-04-25 14:49:56.000000000 +0200
+++ sbuild-0.85.8+nmu1/debian/changelog 2024-05-16 23:02:54.000000000 +0200
@@ -1,3 +1,10 @@
+sbuild (0.85.8+nmu1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Do not expose /sys/kernel in the unshare backend. (Closes: #-1)
+
+ -- Helmut Grohne <hel...@subdivi.de>  Thu, 16 May 2024 23:02:54 +0200
+
 sbuild (0.85.8) unstable; urgency=medium
 
   [ Aurelien Jarno ]
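Review bot: `(Closes: #-1)` in the new changelog entry is a placeholder, since -1 is only the Control-line shorthand for this report; replace it with the real bug number before the UNRELEASED entry is finalised, otherwise the upload will not close the bug in the BTS.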
diff -Nru sbuild-0.85.8/lib/Sbuild/ChrootUnshare.pm 
sbuild-0.85.8+nmu1/lib/Sbuild/ChrootUnshare.pm
--- sbuild-0.85.8/lib/Sbuild/ChrootUnshare.pm   2024-04-25 14:49:56.000000000 
+0200
+++ sbuild-0.85.8+nmu1/lib/Sbuild/ChrootUnshare.pm      2024-05-16 
22:55:25.000000000 +0200
@@ -337,6 +337,7 @@
        mount -t tmpfs tmpfs \"\$rootdir/dev/shm\";
        mkdir -p \"\$rootdir/sys\";
        mount -o rbind /sys \"\$rootdir/sys\";
+       mount -t tmpfs tmpfs \"\$rootdir/sys/kernel\" -o mode=0000,size=4k,ro
        mkdir -p \"\$rootdir/proc\";
        mount -t proc proc \"\$rootdir/proc\";
        exec /usr/sbin/chroot \"\$rootdir\" $init /sbin/runuser -u \"\$user\" 
-- sh -c \"cd \\\"\\\$1\\\" && shift && \\\"\\\$@\\\"\" -- \"\$dir\" \"\$@\";
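Review bot: the added `mount -t tmpfs tmpfs \"\$rootdir/sys/kernel\" -o mode=0000,size=4k,ro` line is the only command in this block without a trailing `;`; the embedded newline still separates it from the following `mkdir -p`, but keeping the `;` matches every surrounding line and avoids a surprise if the string is ever reflowed. A short comment saying why /sys/kernel is masked (the rbind of /sys otherwise exposes /sys/kernel/security/apparmor, which makes aa_is_enabled report AppArmor as enabled) would also spare the next reader a trip to the bug log.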

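To verify from inside a build namespace that the /sys/kernel leak diagnosed above is actually closed, here is an added example (not part of this report or of sbuild) that applies the mount-shadowing rule to /proc/self/mounts lines: a later mount on an ancestor path hides earlier mounts beneath it, which is exactly what the patch's tmpfs over $rootdir/sys/kernel relies on. The rootdir /tmp/rootdir and the two mount tables are constructed samples.

```python
import re

# Constructed sample of /proc/self/mounts inside an unshare build namespace
# after "mount -o rbind /sys $rootdir/sys" (rootdir assumed to be /tmp/rootdir).
# The rbind carries the host's securityfs submount along with it.
MOUNTS_BEFORE = """\
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0
sysfs /tmp/rootdir/sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
securityfs /tmp/rootdir/sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0
"""
# Same namespace after the patch's extra tmpfs mount over $rootdir/sys/kernel.
MOUNTS_AFTER = MOUNTS_BEFORE + (
    "tmpfs /tmp/rootdir/sys/kernel tmpfs ro,relatime,size=4k,mode=000 0 0\n"
)

def _unescape(field):
    # /proc/mounts writes space, tab, newline and backslash as \ooo octal escapes
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mounts(text):
    """Return [(mountpoint, fstype, set(options))] in mount order."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or truncated lines
        mounts.append((_unescape(fields[1]), fields[2], set(fields[3].split(","))))
    return mounts

def _covers(mountpoint, path):
    return path == mountpoint or path.startswith(mountpoint.rstrip("/") + "/")

def visible_mount(mounts, path):
    """Mount backing `path`: the last listed mount whose mountpoint is a prefix
    of `path`, because a later mount on an ancestor shadows earlier ones below."""
    found = None
    for mnt in mounts:
        if _covers(mnt[0], path):
            found = mnt
    return found

def sys_kernel_masked(mounts, rootdir):
    """True when <rootdir>/sys/kernel is a read-only tmpfs, so the host's
    /sys/kernel/security/apparmor cannot make aa_is_enabled() answer yes."""
    root = rootdir.rstrip("/")
    mnt = visible_mount(mounts, root + "/sys/kernel/security/apparmor")
    return (mnt is not None and mnt[0] == root + "/sys/kernel"
            and mnt[1] == "tmpfs" and "ro" in mnt[2])
```

Run the same functions on the real /proc/self/mounts from inside the chroot to confirm the patched mount took effect before trusting what aa-enabled says.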