[Kernel-packages] [Bug 2040194] Re: apparmor restricts read access of user namespace mediation sysctls to root

[Georgia Garcia]

Verification passed for mantic-linux-laptop. I ran the AppArmor QA
Regression Tests [1] checked file permissions for
/proc/sys/kernel/*unprivileged*. The QA Regression Tests that failed
were due to a timeout because I'm emulating in my machine, but they pass
when the timeout is increased.

georgia@sec-mantic-arm64:~$ uname -a
Linux sec-mantic-arm64 6.5.0-1007-laptop #10-Ubuntu SMP PREEMPT_DYNAMIC Wed Nov 
22 20:27:28 UTC 2023 aarch64 aarch64 aarch64 GNU/Linux

georgia@sec-mantic-arm64:~$ ll /proc/sys/kernel/*unprivileged*
-rw------- 1 root root 0 Jan 12 18:38 
/proc/sys/kernel/apparmor_restrict_unprivileged_io_uring
-rw-r--r-- 1 root root 0 Jan 12 18:38 
/proc/sys/kernel/apparmor_restrict_unprivileged_unconfined
-rw-r--r-- 1 root root 0 Jan 12 18:36 
/proc/sys/kernel/apparmor_restrict_unprivileged_userns
-rw------- 1 root root 0 Jan 12 18:38 
/proc/sys/kernel/apparmor_restrict_unprivileged_userns_complain
-rw------- 1 root root 0 Jan 12 18:38 
/proc/sys/kernel/apparmor_restrict_unprivileged_userns_force
-rw-r--r-- 1 root root 0 Jan 12 18:38 /proc/sys/kernel/unprivileged_bpf_disabled
-rw------- 1 root root 0 Jan 12 18:38 
/proc/sys/kernel/unprivileged_userns_apparmor_policy
-rw-r--r-- 1 root root 0 Jan 12 18:38 /proc/sys/kernel/unprivileged_userns_clone

georgia@sec-mantic-arm64:~/qrt-test-apparmor$ sudo ./test-apparmor.py
ERROR: test_dbus (__main__.ApparmorTest.test_dbus)
Test dbus apparmor activation from dbus-tests
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/georgia/qrt-test-apparmor/./test-apparmor.py", line 719, in 
test_dbus
    rc, report = 
testlib.cmd(['/usr/lib/dbus-1.0/installed-tests/dbus/test-apparmor-activation.sh'],
                 
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/georgia/qrt-test-apparmor/testlib.py", line 471, in cmd
    out, outerr = sp.communicate(input, timeout=timeout)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/subprocess.py", line 1209, in communicate
    stdout, stderr = self._communicate(input, endtime, timeout)
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/subprocess.py", line 2109, in _communicate
    self._check_timeout(endtime, orig_timeout, stdout, stderr)
  File "/usr/lib/python3.11/subprocess.py", line 1253, in _check_timeout
    raise TimeoutExpired(
subprocess.TimeoutExpired: Command 
'['/usr/lib/dbus-1.0/installed-tests/dbus/test-apparmor-activation.sh']' timed 
out after 5 seconds

---------------------------------------------------------------------

running attach_disconnected
Fatal Error (unix_fd_server): Unable to run test sub-executable

PASSED: aa_exec access at_secure introspect capabilities changeprofile onexec 
changehat changehat_fork changehat_misc chdir clone coredump deleted e2e 
environ exec exec_qual fchdir fd_inheritance fork i18n link link_subset mkdir 
mmap mount mult_mount named_pipe namespaces net_raw open openat pipe pivot_root 
posix_ipc ptrace pwrite query_label regex rename readdir rw socketpair swap 
sd_flags setattr symlink syscall sysv_ipc tcp unix_fd_server 
unix_socket_pathname unix_socket_abstract unix_socket_unnamed 
unix_socket_autobind unlink userns xattrs xattrs_profile longpath nfs 
dbus_eavesdrop dbus_message dbus_service dbus_unrequested_reply io_uring 
aa_policy_cache exec_stack nnp stackonexec stackprofile
FAILED: attach_disconnected
make: *** [Makefile:402: alltests] Error 1

---------------------------------------------------------------------

ERROR: test_0 (__main__.TestLogprof.test_0)
test 'ping'
----------------------------------------------------------------------
Traceback (most recent call last):
  File 
"/tmp/testlib2jc8hiih/source/mantic/apparmor-4.0.0~alpha2/utils/test/common_test.py",
 line 90, in stub_test
    self._run_test(test_data, expected)
  File 
"/tmp/testlib2jc8hiih/source/mantic/apparmor-4.0.0~alpha2/utils/test/test-logprof.py",
 line 99, in _run_test
    self.process.wait(timeout=0.2)
  File "/usr/lib/python3.11/subprocess.py", line 1264, in wait
    return self._wait(timeout=timeout)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/subprocess.py", line 2038, in _wait
    raise TimeoutExpired(self.args, timeout)
subprocess.TimeoutExpired: Command '['/usr/bin/python3', '../aa-logprof', 
'--json', '--configdir', './', '-f', './logprof/ping.auditlog', '-d', 
'/tmp/aa-test-tkkg1ex3/profiles', '--no-check-mountpoint']' timed out after 0.2 
seconds

----------------------------------------------------------------------
Ran 62 tests in 43542.817s

FAILED (failures=3, errors=1, skipped=3)


Rerunning failing tests increasing the timeout

georgia@sec-mantic-arm64:~/qrt-test-apparmor$ sudo ./test-apparmor.py 
ApparmorTest.test_dbus
Skipping private tests
.
----------------------------------------------------------------------
Ran 1 test in 19.786s

OK


georgia@sec-mantic-arm64:~/apparmor-4.0.0~alpha2/tests/regression/apparmor$ 
sudo bash ./attach_disconnected.sh
georgia@sec-mantic-arm64:~/apparmor-4.0.0~alpha2/tests/regression/apparmor$ 
echo $?
0


georgia@sec-mantic-arm64:~/apparmor-4.0.0~alpha2/utils/test$ python3 
test-logprof.py TestLogprof.test_0
.
----------------------------------------------------------------------
Ran 1 test in 12.463s

OK

[1] https://launchpad.net/qa-regression-testing

** Tags removed: verification-needed-mantic-linux-laptop
** Tags added: verification-done-mantic-linux-laptop

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2040194

Title:
  apparmor restricts read access of user namespace mediation sysctls to
  root

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Mantic:
  Fix Committed

Bug description:
  lxc and lxd currently need to determine if the apparmor restriction           
  
  on unprivileged user namespaces are being enforced, so that apparmor          
  
  restrictions won't break lxc/d, and they won't clutter the logs               
  
  by doing something like                                                       
  
                                                                                
  
    unshare true                                                                
  
                                                                                
  
  to test if the restrictions are being enforced.                               
  
                                                                                
  
  Ideally access to this information would be restricted so that any            
  
  unknown access would be logged, but lxc/d currently aren't ready for          
  
  this so in order to _not_ force lxc/d to probe whether enforcement is         
  
  enabled, open up read access to the sysctls for unprivileged user             
  
  namespace mediation.                                                          
  
   
  https://github.com/canonical/lxd/issues/11920#issuecomment-1756110109

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2040194/+subscriptions


-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp