Bug#712451: [pkg-apparmor] Bug#712451: Bug#712451: Please support AppArmor network rules
On Fri, 02 Oct 2020, Andrew Savchenko wrote:
> Greetings,
>
> As AppArmor v3.0 is now released[1], is there a chance that network, dbus and
> sockets will be supported in Bullseye?
>
> [1] https://lists.ubuntu.com/archives/apparmor/2020-October/012183.html

AppArmor 3 allows use of networkv8 rules (ie, what is in the upstream kernel) so apparmor 3 in Debian would allow for this to work. The upstream kernel does not yet support AF_UNIX rules, so anonymous sockets, abstract sockets and dbus won't be available. Work has picked up to get this into the upstream kernel (perhaps 5.11).

--
Jamie Strandboge | http://www.canonical.com
Bug#712451: [pkg-apparmor] Bug#712451: Please support AppArmor network rules
Greetings,

As AppArmor v3.0 is now released[1], is there a chance that network, dbus and sockets will be supported in Bullseye?

[1] https://lists.ubuntu.com/archives/apparmor/2020-October/012183.html

--
Regards,
A
Bug#712451: [pkg-apparmor] Bug#712451: Please support AppArmor network rules
Hi,

Heenec (2020-04-09):
> intrigeri:
>> FWIW, this is now mentioned in the manpage that documents the policy
>> language: apparmor.d(5)
>
> Maybe I have not read the manual thoroughly enough, but I have not found
> mentions of features that do not work in Debian yet.

On my sid system I see this on top of apparmor.d(5):

```
NAME
    apparmor.d - syntax of security profiles for AppArmor.

DESCRIPTION
    AppArmor profiles describe mandatory access rights granted to given
    programs and are fed to the AppArmor policy enforcement module using
    apparmor_parser(8). This man page describes the format of the AppArmor
    configuration files; see apparmor(7) for an overview of AppArmor.

    Some features are not supported on Debian yet:

    Network Rules
    DBus rules
    Unix socket rules
```

> Maybe such notice should be placed in "Network Rules" section of the
> manual? Or in "KNOWN BUGS"? So that newcomers will not be misguided
> (like me).

I would gladly review a MR against Vcs-Git that implements this :)
Bug#712451: [pkg-apparmor] Bug#712451: Please support AppArmor network rules
intrigeri:
> FWIW, this is now mentioned in the manpage that documents the policy
> language: apparmor.d(5)

Maybe I have not read the manual thoroughly enough, but I have not found mentions of features that do not work in Debian yet.

Maybe such notice should be placed in "Network Rules" section of the manual? Or in "KNOWN BUGS"? So that newcomers will not be misguided (like me).

Okay, it's my bad that I have not checked explicitly if it works. But IMO there is an issue with documentation if you can't understand from it what is supposed to be working and what is not.

By the way, ping under apparmor fails with "ping: socket: Operation not permitted", while wget or curl works pretty well under the same profile. Don't know if it is supposed to be like it.

Heenec
Bug#712451: [pkg-apparmor] Bug#712451: Please support AppArmor network rules
Paolo Greppi:
> Should this be documented in /usr/share/doc/apparmor/README.Debian ?

FWIW, this is now mentioned in the manpage that documents the policy language: apparmor.d(5)

Cheers,
--
intrigeri
Bug#712451: Please support AppArmor network rules
I looked at the status of this on buster:

```
uname -a
Linux localhost.localdomain 4.19.0-2-amd64 #1 SMP Debian 4.19.16-1 (2019-01-17) x86_64 GNU/Linux
```

and the issue still can be reproduced (in the sense that telnet.netkit network access will not be blocked after enforcing the rule).

Except it is worse because this command:

```
sudo apparmor_parser -vr /etc/apparmor.d/usr.bin.telnet.netkit
```

does not show anymore the message "network rules not enforced".

Should this be documented in /usr/share/doc/apparmor/README.Debian ?
This currently refers to: https://wiki.debian.org/AppArmor but there is no mention of this limitation in there.

Paolo
Bug#712451: Please support AppArmor network rules
On Tue, 24 Jul 2018 18:38:49 +0800 intrigeri wrote:
> John answered my question on IRC:
>
> - "you can't yet. You will need an apparmor 3.0 beta which keeps getting delayed"

Aawww.. Anyway, good to know :)
Bug#712451: Please support AppArmor network rules
intrigeri:
> John, could you please tell me how I can benefit from the network
> socket mediation feature that was merged into Linux 4.17?

John answered my question on IRC:

- "you can't yet. You will need an apparmor 3.0 beta which keeps getting delayed"
- "for various reasons, I won't let the network patches into the wild without the tie to the feature abi work"

So let's put this on the back burner until there's userspace available to benefit from the new kernel feature.
Bug#712451: Please support AppArmor network rules
Hi,

(John, one question for you below, please search for your name :)

Vincas Dargis:
> On 7/22/18 3:48 PM, intrigeri wrote:
>> Vincas Dargis:
>>> I've managed to install 4.17.0-rc3 and 4.18.0-rc4 with equivs hack, and I
>>> did not see any immediate problems with some lightweight testing.
>>
>> Great.
>>
>> Both on Stretch, right?
> Yes.
>> Did you disable feature-set pinning entirely or update the feature-set
>> to enable the new features? If the latter, can you please share the
>> exact feature-set you've used?
> I have feature-set commented out.

OK! I'm now running 4.17 from sid without feature set pinning and did not notice any breakage either.

*But* I don't think that just upgrading to 4.17 actually gives me network socket mediation. I have this in parser.conf:

```
warn=rule-not-enforced
warn=rule-downgraded
```

… and when compiling policy, I see "network rules not enforced" all over the place. Then I've read somewhere that network socket mediation might need newer userspace (I'm running 2.13 from Debian experimental).

John, could you please tell me how I can benefit from the network socket mediation feature that was merged into Linux 4.17?

>>> Though it would be really nice to have some sort of integration test suite
>>> for apparmor-confined packages to do some serious testing before releasing
>>> upgrades...
>>
>> Absolutely.
> Do Debian packages have infrastructure for integration tests that maintainer
> could run after building?

Yes: autopkgtest. If you're interested in working on this, please start a dedicated thread on the team ML or on a new bug report :)

Cheers,
--
intrigeri
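The thread turns on two separate things: what the running kernel exposes (Jamie's point that AppArmor 3 understands the upstream "networkv8" rules), and whether Debian's feature-set pinning makes apparmor_parser silently compile network rules as no-ops (Paolo's missing "network rules not enforced" message, the warn= lines in intrigeri's parser.conf). The following diagnostic is an added example and not code from the bug report or the apparmor package; it assumes the securityfs layout `/sys/kernel/security/apparmor/features/{network_v8,network}/af_mask`, a `features-file=` line in `/etc/apparmor/parser.conf` for pinning, and feature files with top-level `network {af_mask {...}}` blocks. Both paths are parameters so it can be pointed at a copied tree.

```shell
#!/bin/sh
# Added example, not from the bug thread. Reports whether AppArmor network
# rules can actually be enforced on this host, looking at the two things the
# thread turns on: what the kernel exposes under securityfs, and whether
# parser.conf pins a feature set via "features-file=" that predates network
# mediation (assumed Debian layout; both paths are arguments).

# Kernel side. Prints: networkv8 | network-legacy | none
aa_kernel_network() {
    feat="$1"
    if [ -r "$feat/network_v8/af_mask" ]; then
        echo networkv8        # upstream mediation (Linux >= 4.17); needs AppArmor 3 userspace
    elif [ -r "$feat/network/af_mask" ]; then
        echo network-legacy   # out-of-tree network patches (Ubuntu kernels)
    else
        echo none             # kernel cannot mediate sockets at all
    fi
}

# Parser side. Prints: pinned:<features-file> | unpinned
aa_parser_pinning() {
    conf="$1"; pinned=""
    if [ -r "$conf" ]; then
        pinned=$(sed -n 's/^[[:space:]]*features-file=[[:space:]]*//p' "$conf" | tail -n 1)
    fi
    if [ -n "$pinned" ]; then echo "pinned:$pinned"; else echo unpinned; fi
}

# Effective status. Prints: unsupported | enforced:<kind> | downgraded:<kind>
# "downgraded" is the silent case from the thread: the kernel could enforce
# the rules, but the pinned feature set has no network section, so
# apparmor_parser compiles them as no-ops (only visible with
# warn=rule-downgraded / warn=rule-not-enforced in parser.conf).
aa_network_status() {
    kernel=$(aa_kernel_network "$1")
    pin=$(aa_parser_pinning "$2")
    if [ "$kernel" = none ]; then
        echo unsupported
    elif [ "$pin" = unpinned ]; then
        echo "enforced:$kernel"
    # Feature files list top-level blocks like "network {af_mask {...}}" (assumed format)
    elif grep -qE '^network(_v8)?[[:space:]]*[{]' "${pin#pinned:}" 2>/dev/null; then
        echo "enforced:$kernel"
    else
        echo "downgraded:$kernel"
    fi
}

aa_network_status "${1:-/sys/kernel/security/apparmor/features}" "${2:-/etc/apparmor/parser.conf}"
```

A "downgraded" result is the situation Paolo hit on buster: the parser accepts the profile without complaint, so the only way to see it is to enable the warn= options or run this kind of check.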
Bug#712451: Please support AppArmor network rules
On 7/22/18 3:48 PM, intrigeri wrote:
> Hi Vincas,
>
> Vincas Dargis:
>> I've managed to install 4.17.0-rc3 and 4.18.0-rc4 with equivs hack, and I did not see any immediate problems with some lightweight testing.
>
> Great.
>
> Both on Stretch, right?

Yes.

> Did you disable feature-set pinning entirely or update the feature-set to enable the new features? If the latter, can you please share the exact feature-set you've used?

I have feature-set commented out.

>> Though it would be really nice to have some sort of integration test suite for apparmor-confined packages to do some serious testing before releasing upgrades...
>
> Absolutely.

Do Debian packages have infrastructure for integration tests that maintainer could run after building?
Bug#712451: Please support AppArmor network rules
Hi Vincas,

Vincas Dargis:
> I've managed to install 4.17.0-rc3 and 4.18.0-rc4 with equivs hack, and I did
> not see any immediate problems with some lightweight testing.

Great.

Both on Stretch, right?

Did you disable feature-set pinning entirely or update the feature-set to enable the new features? If the latter, can you please share the exact feature-set you've used?

> Though it would be really nice to have some sort of integration test suite for
> apparmor-confined packages to do some serious testing before releasing
> upgrades...

Absolutely.

Cheers,
--
intrigeri
Bug#712451: Please support AppArmor network rules
On Sun, 17 Jun 2018 16:36:39 +0200 intrigeri wrote:
> Vincas Dargis:
>> linux-compiler-gcc-7-x86 needs gcc-7 that is not available?
>
> For Tails we work this around with equivs:
> https://git-tails.immerda.ch/tails/tree/config/chroot_local-hooks/12-kernel-modules-build-environment

I've managed to install 4.17.0-rc3 and 4.18.0-rc4 with equivs hack, and I did not see any immediate problems with some lightweight testing.

Though it would be really nice to have some sort of integration test suite for apparmor-confined packages to do some serious testing before releasing upgrades...
Bug#712451: Please support AppArmor network rules
Vincas Dargis:
> linux-compiler-gcc-7-x86 needs gcc-7 that is not available?

For Tails we work this around with equivs:
https://git-tails.immerda.ch/tails/tree/config/chroot_local-hooks/12-kernel-modules-build-environment
Bug#712451: Please support AppArmor network rules
On Wed, 13 Jun 2018 19:44:58 +0200 intrigeri wrote:
> Also, it would be nice to test Linux 4.17 with the feature-sets we ship
> in Stretch and testing/sid, in order to catch any bug like #883703 ASAP.

Got ideas how could I install 4.17 on Stretch?

```
$ sudo apt install -t experimental linux-headers-4.17.0-rc7-amd64 linux-image-4.17.0-rc7-amd64
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting 'linux-image-4.17.0-rc7-amd64-unsigned' instead of 'linux-image-4.17.0-rc7-amd64'
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 linux-headers-4.17.0-rc7-amd64 : Depends: linux-compiler-gcc-7-x86 (>= 4.14.17-1~) but it is not going to be installed
E: Unable to correct problems, you have held broken packages
```

linux-compiler-gcc-7-x86 needs gcc-7 that is not available?

```
linux-compiler-gcc-7-x86 : Depends: gcc-7 (>= 7.2.0-20~) but it is not installable
```

gcc-7 is only in Testing. Will 4.17 be available as Stretch backport at all..?
Bug#712451: Please support AppArmor network rules
Vincas Dargis:
> On Wed, 13 Jun 2018 19:44:58 +0200 intrigeri wrote:
>> I'll be very busy until DebCamp so it's unlikely I do much on this
>> front until then (best case I'll press the right buttons to enable
>> this on my own system once 4.17 is in sid, but I won't have time to
>> test software I don't use myself).
>>
>> Anyone excited?
> I am!

Amazing! \o/

> Currently I see no immediate breakages with Linux 4.17 and AppArmor 2.13 so
> far.

Nice :)
Bug#712451: Please support AppArmor network rules
On Wed, 13 Jun 2018 19:44:58 +0200 intrigeri wrote:
> I'll be very busy until DebCamp so it's unlikely I do much on this front until then (best case I'll press the right buttons to enable this on my own system once 4.17 is in sid, but I won't have time to test software I don't use myself).
>
> Anyone excited?

I am!

Currently I see no immediate breakages with Linux 4.17 and AppArmor 2.13 so far.
Bug#712451: Please support AppArmor network rules
intrigeri:
> Linux v4.17-rc1 now supports basic socket mediation, which will allow
> us to close this bug report:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=56974a6fcfef69ee0825bd66ed13e92070ac5224

… which made it into v4.17 final :)

We could start testing our policy locally with socket mediation enabled. To do so:

- run Linux from Debian experimental (it currently has 4.17~rc7-1~exp1)
- disable feature-set pinning or update the feature-set to enable these new features

Also, it would be nice to test Linux 4.17 with the feature-sets we ship in Stretch and testing/sid, in order to catch any bug like #883703 ASAP.

I'll be very busy until DebCamp so it's unlikely I do much on this front until then (best case I'll press the right buttons to enable this on my own system once 4.17 is in sid, but I won't have time to test software I don't use myself).

Anyone excited?
Bug#712451: [pkg-apparmor] Bug#712451: Please support AppArmor network rules
Woohoo! What's next left, DBus?

On 4/20/18 11:45 AM, intrigeri wrote:
> Linux v4.17-rc1 now supports basic socket mediation, which will allow
> us to close this bug report:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=56974a6fcfef69ee0825bd66ed13e92070ac5224
> :)
Bug#712451: Please support AppArmor network rules
Linux v4.17-rc1 now supports basic socket mediation, which will allow us to close this bug report:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=56974a6fcfef69ee0825bd66ed13e92070ac5224

:)