Bug#911806: Please provide a way to opt out of AppArmor confinement when running tests

2018-12-16 Thread intrigeri 
> 1. Ask the src:lxc maintainers to apply these 3 upstream patches
>until they upgrade the package to 3.1.0+.

#916639

> 2. Ask the debci maintainers to use the config described above
>for LXC containers used to run autopkgtests, once they upgrade
>to Buster.

#916644

Bug#911806: Please provide a way to opt out of AppArmor confinement when running tests

2018-12-16 Thread intrigeri 
Hi,

Michael Biebl:
> $ ./make-dsc
> 

It took me a while to get back to this thread; obviously upstream
master has moved on since you wrote this, so:

I had to update Use-Debian-specific-config-files.patch to make it
apply and use helper functions in a way that's compatible with their
current API. Updated patch attached, in case it may save you
some time.

I've also added two patches to BLACKLIST (refreshing them seemed
non-trivial as I'm not a C developer):
Revert-udev-network-device-renaming-immediately-give.patch
fsckd-daemon-for-inter-fsckd-communication.patch

> lxc.aa_profile = unconfined

FTR with LXC 3.x that's now:

  lxc.apparmor.profile = unconfined

> There are currently two, known failures with AA turned off:
> - dnsmasq 2.80 introduced a regression in networkd-test.py
> - test-bpf failing

Confirmed with lxc 1:3.0.3-1 from sid.

> With AA turned on, the list of failing tests is too long to list here.

Confirmed with lxc 1:3.0.3-1 from sid: the exact same tests pass/fail
as in your logs. I see lots of mount operations denied by AppArmor.
That's expected because the AppArmor vs. systemd fixes are in LXC
3.1.0, that was released a few days ago, but not in LXC 3.0.3.

Then I've cherry-picked on top of lxc 3.0.3-1 the 3 upstream commits
that implement the nested containers vs. AppArmor fixes; and in the
config of the LXC container I use for autopkgtests I've set:

  lxc.apparmor.profile = generated
  lxc.apparmor.allow_nesting = 1

With this configuration, the systemd autopkgtests work just as well
as unconfined \o/

My current plan is thus:

1. Ask the src:lxc maintainers to apply these 3 upstream patches
   until they upgrade the package to 3.1.0+.

2. Ask the debci maintainers to use the config described above
   for LXC containers used to run autopkgtests, once they upgrade
   to Buster.

3. Let you decide what to do with the request this bug report was
   originally about.

> Hope this helpful.

This was *very* helpful and saved me lots of time :)

Thanks for your patience,
cheers,
-- 
intrigeri

>From 035ef2dcad71f449835c41387672ed680fc54dac Mon Sep 17 00:00:00 2001
From: Michael Biebl 
Date: Thu, 18 Jul 2013 20:11:02 +0200
Subject: [PATCH 01/19] Use Debian specific config files

Use /etc/default/locale instead of /etc/locale.conf for locale settings.

Use /etc/default/keyboard instead of /etc/X11/xorg.conf.d/00-keyboard.conf for
keyboard configuration.

Read/write /etc/timezone if /etc/localtime does not exist.

Gbp-Pq: Topic debian
Gbp-Pq: Name Use-Debian-specific-config-files.patch
---
 src/basic/time-util.c|  21 +++-
 src/core/locale-setup.c  |  22 
 src/locale/keymap-util.c | 210 +++
 src/timedate/timedated.c |  10 ++
 4 files changed, 156 insertions(+), 107 deletions(-)

diff --git a/src/basic/time-util.c b/src/basic/time-util.c
index 557c75debc..ea5f6a4491 100644
--- a/src/basic/time-util.c
+++ b/src/basic/time-util.c
@@ -1382,8 +1382,25 @@ int get_timezone(char **tz) {
 int r;
 
 r = readlink_malloc("/etc/localtime", &t);
-if (r < 0)
-return r; /* returns EINVAL if not a symlink */
+if (r < 0) {
+if (r != -EINVAL)
+return r; /* returns EINVAL if not a symlink */
+
+r = read_one_line_file("/etc/timezone", &t);
+if (r < 0) {
+if (r != -ENOENT)
+log_warning_errno(r, "Failed to read /etc/timezone: %m");
+return -EINVAL;
+}
+
+if (!timezone_is_valid(t, LOG_DEBUG))
+return -EINVAL;
+z = strdup(t);
+if (!z)
+return -ENOMEM;
+*tz = z;
+return 0;
+}
 
 e = PATH_STARTSWITH_SET(t, "/usr/share/zoneinfo/", "../usr/share/zoneinfo/");
 if (!e)
diff --git a/src/core/locale-setup.c b/src/core/locale-setup.c
index 584fb220a1..3d3cb641de 100644
--- a/src/core/locale-setup.c
+++ b/src/core/locale-setup.c
@@ -59,6 +59,28 @@ int locale_setup(char ***environment) {
 log_warning_errno(r, "Failed to read /etc/locale.conf: %m");
 }
 
+   if (r <= 0) {
+   r = parse_env_file(NULL, "/etc/default/locale",
+  "LANG",  &variables[VARIABLE_LANG],
+  "LANGUAGE",  &variables[VARIABLE_LANGUAGE],
+  "LC_CTYPE",  &variables[VARIABLE_LC_CTYPE],
+  "LC_NUMERIC",&variables[VARIABLE_LC_NUMERIC],
+  "LC_TIME",   &variables[VARIABLE_LC_TIME],
+  "LC_COLLATE",&variables[VARIABLE_LC_COLLATE],
+  "LC_MONETARY",   &variables[VARIABLE_LC_MONETARY],
+  "LC_MESSAGES",

Bug#911806: Please provide a way to opt out of AppArmor confinement when running tests

2018-10-27 Thread Michael Biebl 
Hi!

Am 27.10.18 um 10:20 schrieb intrigeri:
> So on the LXC + AppArmor vs. systemd v240+ front, I think the next
> steps are:
> 
> 1. Try running current systemd master branch and its autopkgtests
>inside a container managed by LXC 2.x on current testing/sid.
>Goal: confirm the issues Michael discovered and have a baseline
>to evaluate LXC 3.x against.
> 
> 2. Try running current systemd master branch and its autopkgtests
>inside a container managed by LXC 3.x on current testing/sid.
>Report any issue so they're fixed before 3.x becomes stable
>and is hopefully included in Buster.

In case you want to reproduce the failures, these are the rough steps I
used on Debian sid

1/ Install lxc

# apt install lxc

2/ Setup /etc/default/lxc-net:

# cat /etc/default/lxc-net
USE_LXC_BRIDGE="true"
LXC_BRIDGE="lxcbr0"
LXC_ADDR="10.0.3.1"
LXC_NETMASK="255.255.255.0"
LXC_NETWORK="10.0.3.0/24"
LXC_DHCP_RANGE="10.0.3.2,10.0.3.254"
LXC_DHCP_MAX="253"

# cat /etc/lxc/default.conf
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up

# systemctl restart lxc-net

3/ Install autopkgtest and create an LXC container for autopkgtest:

# apt install autopkgtest
# autopkgtest-build-lxc debian sid

4/ Clone the systemd trunk-ci scripts:

$ git clone https://salsa.debian.org/systemd-team/trunk-ci.git

5/ Create a dsc

$ ./make-dsc


6/ Build the package using dpkg-buildpackage, pbuilder, sbuild, your
favourite tool.
You want to specify the "noudeb" profile, to speed up the build and
avoid building udebs.

7/ Run autopkgtest via LXC

# autopkgtest -o logs *.dsc *.deb -- lxc -s autopkgtest-sid


In case you want to run the LXC container with AA turned off, add the
following to /var/lib/lxc/autopkgtest-sid/config

lxc.aa_profile = unconfined

There are currently two, known failures with AA turned off:
- dnsmasq 2.80 introduced a regression in networkd-test.py
- test-bpf failing

With AA turned on, the list of failing tests is too long to list here.

I've made two runs of current systemd git master with AA turned on and
off. See
https://people.debian.org/~biebl/lxc/log-confined.txt
https://people.debian.org/~biebl/lxc/log-unconfined.txt

Hope this helpful.

Regards,
Michael


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?



signature.asc
Description: OpenPGP digital signature

Bug#911806: Please provide a way to opt out of AppArmor confinement when running tests

2018-10-27 Thread intrigeri 
Hi LXC maintainers,

intrigeri:
>Ideally, picking the best strategy and implementing it would be
>a matter of coordination between LXC and systemd (ideally upstream,
>but quite possibly distro maintainers will need to be involved
>here). I'll raise this issue to the Ubuntu LXC and AppArmor folks.

Done. To sum up:

 - LX*D* apparently has the support needed to set up AppArmor policy
   in a way that should not be affected by the problem this thread
   is about (running systemd v240+ in a container). autopkgtest has
   a LXD backend but LXD is not in Debian yet (WIP, see #768073; I'm
   not counting on this being completed in time for the Buster freeze).

 - Similar support was added to LXC 3.x branch. It won't be backported
   to 2.x (that we currently have in testing/sid). I've asked about
   the timeline to release 3.x as stable and Stéphane Graber replied:
   "I think we were aiming towards February-ish originally but there's
   no real reason to wait that long either, so if Christian isn't
   waiting for some big changes to land before doing a non-LTS feature
   release, we should be able to tag one next month. It'd be worth
   someone make sure that current master with the apparmor work that
   was done by Wolfgang will do the right thing out of the box though,
   otherwise that wouldn't really achieve a whole lot."

So on the LXC + AppArmor vs. systemd v240+ front, I think the next
steps are:

1. Try running current systemd master branch and its autopkgtests
   inside a container managed by LXC 2.x on current testing/sid.
   Goal: confirm the issues Michael discovered and have a baseline
   to evaluate LXC 3.x against.

2. Try running current systemd master branch and its autopkgtests
   inside a container managed by LXC 3.x on current testing/sid.
   Report any issue so they're fixed before 3.x becomes stable
   and is hopefully included in Buster.

For details, see:
https://lists.ubuntu.com/archives/apparmor/2018-October/011830.html
… except Stéphane Graber's messages are apparently held for moderation
so they don't appear in the list archives yet.

Cheers,
-- 
intrigeri

Bug#911806: Please provide a way to opt out of AppArmor confinement when running tests

2018-10-26 Thread intrigeri 
Hi,

Michael Biebl:
> E.g. if I try to run autopkgtest for systemd on sid in a AA-confined LXC
> container, it explodes left and right, whereas it passes with
> AA-confinement turned off.

Thanks for reporting this!

Disclaimer: I don't use LXC.

I've spent some time reading the various related systemd upstream
issues and commits and my understanding is that we have two problems:

1. Recent systemd sets up namespacing with calls to mount that are not
   allowed under the default AppArmor policy shipped in the lxc
   package (or rather: it has always done so but previously, failures
   to set up said namespacing were non-fatal). If I got it right, this
   means that lots of services will be broken when run in LXC once
   systemd v240 is released and uploaded to Debian, i.e. the problem
   is broader than our CI: most typical LXC use cases will be affected
   as well.

   It's an instance of a classical problem when nesting security
   systems:

- Either the outside one (in this case, AppArmor) allows the
  inside one (in this case, systemd) whatever it takes so the
  latter can do its job. Ideally this cooperation gives us the
  best of both worlds. But in practice, this sometimes requires
  the outside security system to give permissions that are so
  relaxed that it becomes essentially useless (which might be the
  case here, I don't know); when this happens, we basically can't
  rely on the outside security system anymore, and instead we rely
  mostly on the inside one. When the inside security system is
  controlled by untrusted parties, such as an untrusted
  container's root user, that's a risky approach, to say the
  least. In other words, there's a risk to break isolation between
  containers in order to improve isolation between services inside
  a given container.

- Or the outside security system is restrictive to the point that
  it breaks the inside one, and then it's the opposite: weaker
  service isolation inside the container but stronger isolation
  between containers.

   Ideally, picking the best strategy and implementing it would be
   a matter of coordination between LXC and systemd (ideally upstream,
   but quite possibly distro maintainers will need to be involved
   here). I'll raise this issue to the Ubuntu LXC and AppArmor folks.

   Worst case, if this does not get resolved in time for Buster, we
   may have to disable AppArmor confinement for LXC containers in
   Buster; that would be sad but it may be the best we can do for
   Buster, and it would not be a regression vs. Stretch for most users
   (the Stretch kernel lacks the AppArmor features that LXC needs for
   meaningful confinement so even if one opts in for AppArmor on
   Stretch, they get pretty weak isolation). And then whoever
   particularly cares about hardening LXC on Debian has a couple more
   years to sort this out for Bullseye :)

2. Regardless of #1, some software is broken when run inside
   a container, be it due to the way it the container technology uses
   Linux namespaces or due to additional LSM-based sandboxing. In this
   case the best approach is probably to run these tests inside a KVM
   runner instead. During the autopkgtest at last DebConf, with
   another similar issue in mind, I've asked about KVM runners for
   ci.debian.net and I was told this was WIP and would have it
   soonish, which will provide a tool to solve this class of problems:
   any affected autopkgtest can declare the isolation-machine restriction.

   A special sub-case is when the software would run just fine in
   a container but its test suite exercises it in a way that requires
   different privileges than normal usage of said software inside
   a container, e.g. by setting up stuff in super custom way, which
   might break under the default sandboxing rules. In this case,
   either I would argue that the test suite should instead exercise
   something closer to what actual users will run under that
   confinement: that's a guiding design principle of autopkgtests.
   Whenever fixing such a test suite is not possible for some reason,
   then running the affected tests in KVM could be an
   acceptable workaround.

> It is my understanding, that Ubuntu itself turns off AA-confinement in
> their LXC based CI or at least ship a AA policy which is much less
> strict [1].

If I got it right, that's correct for armhf but for every other
architecture, they run tests in standard Ubuntu KVM cloud instances
and not in LXC. Advantage: apart of armhf, no need to deal with the
peculiarities of LXC+AppArmor, and AppArmor-wise they're testing
exactly what users will experience outside of containers. Drawback: to
exercise software that would be broken under the default LXC+AppArmor
sandboxing, they need to relax the AppArmor sandboxing for _all_ tests
on armhf, meaning they don't test software in exactly the same sandbox
that will be used by actual users of Ubuntu LXC co

Bug#911806: Please provide a way to opt out of AppArmor confinement when running tests

2018-10-24 Thread Michael Biebl 
Source: debci
Severity: wishlist

Hi,

atm, debci runs on stable, i.e. AppArmor is not active by default.
Once buster is released, this is likely going to change.

autopktest with lxc as backend and AppArmor confinement enabled is
problematic atm, at least for certain packages.
E.g. if I try to run autopkgtest for systemd on sid in a AA-confined LXC
container, it explodes left and right, whereas it passes with
AA-confinement turned off.

It is my understanding, that Ubuntu itself turns off AA-confinement in
their LXC based CI or at least ship a AA policy which is much less
strict [1].

Looking ahead at the buster release, we either need to turn off AA
confinement in our Debian CI as well, ship a custom AA policy or provide
a way for individual packages to opt out of AA confinement. In the
latter case, this will probably need some changes to autopkgtest as
well.

Would welcome your input on this.

Regards,
Michael


[1] https://github.com/systemd/systemd/issues/10166#issuecomment-428523883

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled