Hi,

I apparently just ran into a kernel regression with AppArmor and I'm
looking for the correct bugtracker now.

The situation at hand is roughly the following:

/usr/bin/element-desktop
  is a bash-script, therefore spawns a bash
    spawns "electron /usr/lib/element/element.asar"

I have a profile for /usr/bin/element-desktop containerizing this stack
using ix for execution. This, if I have this correctly, should spawn
every subprocess of the aforementioned executable in the same profile,
hence this should also work recursively.
I observe the problem specifically for the element-desktop profile; I
have other AppArmor profiles that still work as intended.

It does work on Linux 5.8.1, but it apparently doesn't anymore on 5.8.2
and 5.8.3, where I get a permission denied for bash on
/etc/ld.so.cache as well as /usr/lib/libreadline.so.8.0 (even though I
did not change the AppArmor profile, and both are whitelisted for reading
(which is the permission that's denied by AppArmor according to dmesg),
one via "/usr/** rmix,", the other via "/etc/ld.so.cache mr,"; therefore
I am 90% sure that this is not a mistake on my side and 10% sure that
I missed something, but I don't know what).

The bug seems to be in the "ix", as explicitly whitelisting both files
in the profile manually does not resolve the situation, at least not
for libreadline, and the process that dies on it is the bash in the
second stage. (I somehow managed to fix it for ld.so.cache, not sure why
that works whereas for libreadline it doesn't).

The question now is: which bug tracker should this best be reported to
if it continues to be a bug? Kernel or AppArmor tools?
It seems to be the kernel, but I don't know how AppArmor is implemented;
if it's something implemented in eBPF, it's possibly not the kernel?

Maybe I have another idea for the root cause, but currently I'm a bit
out of ideas. (Open for ideas, though, if anyone has a guess what's the
issue at play.)


Thanks,
Jonas

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
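A quick way to triage denials like the ones reported above, as an added example that is not part of this message: a small POSIX shell helper that pulls the confining profile, the failing process and the denied path out of AppArmor audit lines as dmesg prints them. The log lines it is fed here are constructed to match the report; the `profile=` field is the one worth checking, because with "ix" the spawned bash should still be confined by the /usr/bin/element-desktop profile.

```shell
#!/bin/sh
# Constructed sample of the kind of lines dmesg shows for AppArmor denials
# (field layout follows the kernel's audit format; pids and timestamps are made up).
SAMPLE_LOG='audit: type=1400 audit(1598000000.001:100): apparmor="DENIED" operation="open" profile="/usr/bin/element-desktop" name="/etc/ld.so.cache" pid=4242 comm="bash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1598000000.002:101): apparmor="DENIED" operation="open" profile="/usr/bin/element-desktop" name="/usr/lib/libreadline.so.8.0" pid=4242 comm="bash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1598000000.003:102): apparmor="ALLOWED" operation="exec" profile="/usr/bin/element-desktop" name="/usr/bin/electron" pid=4243 comm="bash" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0'

# Read audit lines on stdin and print one "profile comm path mask" line per DENIED entry.
# Real use: dmesg | summarize_denials   (or: journalctl -k | summarize_denials)
summarize_denials() {
    grep 'apparmor="DENIED"' | sed -n \
        's/.*profile="\([^"]*\)".*name="\([^"]*\)".*comm="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1 \3 \2 \4/p'
}

# Print the distinct confining profiles seen in DENIED entries. With "ix" the spawned
# bash inherits the parent's profile, so any profile name other than the expected one
# here means the exec transition did not go where the rule intended.
denied_profiles() {
    grep 'apparmor="DENIED"' | sed -n 's/.*profile="\([^"]*\)".*/\1/p' | sort -u
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_denials
printf '%s\n' "$SAMPLE_LOG" | denied_profiles
```

The second column tells you which process actually hit the denial (here the second-stage bash), and the fourth which permission bit was refused, which is what to compare against the rmix/mr rules in the profile.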
