[Touch-packages] [Bug 1396270] Re: specifying AppArmorProfile doesn't result in processes launched under the named profile
This bug was fixed in the package systemd - 215-6ubuntu2

---------------
systemd (215-6ubuntu2) vivid; urgency=medium

  [ Martin Pitt ]
  * Merge fixes from Debian master.
  * Put user slices into all cgroup controllers. This makes unprivileged
    user LXC containers work under systemd. (LP: #1396270)
  * boot-and-services autopkgtest: Test AppArmor confined units
    (LP #1396270)

  [ Marc Deslauriers ]
  * Build-depend on libapparmor-dev to enable AppArmor support.
    (LP: #1396270)

systemd (215-7) UNRELEASED; urgency=medium

  [ Martin Pitt ]
  * Add myself to Uploaders.
  * Add boot-and-services autopkgtest: Check booting with systemd-sysv and
    that the most crucial services behave as expected.
  * logind autopkgtest: Fix stderr output in waiting loop for scsi_debug.
  * Add nspawn test to boot-and-services autopkgtest.
  * Make systemd-nspawn@.service work out of the box: (Closes: #770275)
    - Pre-create /var/lib/container with a secure mode (0700) via
      tmpfiles.d.
    - Add new try-{guest,host} modes for --link-journal to silently skip
      setting up the guest journal if the host has no persistent journal.
    - Extend boot-and-services autopkgtest to cover
      systemd-nspawn@.service.
  * Cherry-pick upstream patch to fix SELinux unit access check
    (regression in 215).

  [ Jon Severinsson ]
  * Add /run/shm -> /dev/shm symlink in debian/tmpfiles.d/debian.conf.
    This avoids breakage in Jessie for packages which still refer to
    /run/shm, and while https://wiki.debian.org/ReleaseGoals/RunDirectory
    is still official. (LP: #1320534, Closes: #674755).

 -- Martin Pitt  Thu, 27 Nov 2014 16:38:55 +0100

** Changed in: systemd (Ubuntu)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1396270

Title:
  specifying AppArmorProfile doesn't result in processes launched under
  the named profile

Status in “systemd” package in Ubuntu:
  Fix Released

Bug description:
  Steps to reproduce

  1. grab attached tarball and unpack in /tmp:
     tar -zxvf /tmp/test.tar.gz

  2. cd /tmp/test

  3. Load the apparmor profile:
     sudo apparmor_parser -r ./apparmor.profile

  4. verify you see 'test-service' profile is loaded via 'sudo aa-status'.
     Eg:
     $ sudo aa-status
     apparmor module is loaded.
     6 profiles are loaded.
     6 profiles are in enforce mode.
     ...
        test-service
     ...

  5. enable the systemd service file:
     $ cat ./test.service
     [Unit]
     Description=test webserver

     [Service]
     Environment=PYTHONDONTWRITEBYTECODE=1
     ExecStart=/tmp/test/bin/webserver
     Restart=on-failure
     WorkingDirectory=/tmp/test/www
     AppArmorProfile=test-service

     [Install]
     WantedBy=multi-user.target

     $ sudo cp ./test.service /etc/systemd/system/
     $ sudo systemctl enable test.service

  6. start the service
     $ sudo systemctl start test.service
     $ sudo systemctl --no-pager status test.service
     ● test.service - test webserver
        Loaded: loaded (/etc/systemd/system/test.service; enabled)
        Active: active (running) since Tue 2014-11-25 17:33:51 UTC; 4min 8s ago
      Main PID: 1246 (webserver)
        CGroup: /system.slice/test.service
                └─1246 /usr/bin/python3 /tmp/test/bin/webserver

     Nov 25 17:33:51 localhost.localdomain systemd[1]: Started test webserver.

  7. verify that the service is confined (use Main PID from the last step.
     You can also use aa-status):
     $ ps -Z 1246
     LABEL                             PID TTY      STAT   TIME COMMAND
     unconfined                       1246 ?        Ss     0:00 /usr/bin/python3 /tmp/test/bin/webserver

  Because the service file uses 'AppArmorProfile=test-service' and the
  'test-service' profile is already loaded into the kernel, I would expect
  /tmp/test/bin/webserver to be running under the 'test-service' label,
  not 'unconfined'.

  Note: you can manually start the webserver under apparmor using aa-exec.
  Eg:
  $ sudo aa-exec -p test-service /tmp/test/bin/webserver

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1396270/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
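As an added example that is not part of the bug report or of the systemd package, a POSIX shell helper that automates the two checks this thread turns on: whether the running systemd advertises AppArmor support in its `systemctl --version` feature list, and whether a unit's main PID carries the label named in AppArmorProfile=, read from /proc/PID/attr/current instead of ps -Z. The function names are my own and the sample strings used to exercise them are constructed; the +APPARMOR/-APPARMOR feature flag and the "(enforce)" label suffix are the real formats systemd and the AppArmor kernel interface print.

```shell
#!/bin/sh
# Added verification helper; not part of the bug report or of the systemd
# package. Automates the two checks this thread turns on: was the running
# systemd built with AppArmor support, and does a unit's main PID really
# carry the profile named in its AppArmorProfile= line?

# Return 0 if a `systemctl --version` banner lists +APPARMOR, 1 otherwise.
# systemd prints +APPARMOR when built against libapparmor and -APPARMOR when
# not; a -APPARMOR build silently ignores AppArmorProfile=, which is this bug.
has_apparmor_support() {
    # $1: full text of `systemctl --version`
    case "$1" in
        *+APPARMOR*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Print the bare AppArmor label from the contents of /proc/<pid>/attr/current.
# The kernel reports "test-service (enforce)" for a confined task and plain
# "unconfined" for an unconfined one; the mode suffix is stripped here.
label_of() {
    # $1: contents of /proc/<pid>/attr/current
    printf '%s\n' "$1" | sed 's/ (.*)$//'
}

# Compare the label a process actually runs under with the profile the unit
# asked for. Prints a verdict and returns 0 only when they match.
check_confined() {
    # $1: expected profile (value of AppArmorProfile=)
    # $2: contents of /proc/<pid>/attr/current
    actual=$(label_of "$2")
    if [ "$actual" = "$1" ]; then
        echo "OK: running under '$actual'"
        return 0
    fi
    echo "FAIL: expected '$1', got '$actual'"
    return 1
}

# Live check of one unit: resolve its MainPID and read the kernel's label for
# it. Uses `systemctl show -p MainPID` (already present in systemd 215) and
# needs permission to read the target's /proc/<pid>/attr/current, i.e. root.
check_unit() {
    # $1: unit name, e.g. test.service; $2: expected profile, e.g. test-service
    pid=$(systemctl show -p MainPID "$1" | cut -d= -f2)
    if [ -z "$pid" ] || [ "$pid" = 0 ]; then
        echo "FAIL: $1 has no main PID (not running?)"
        return 1
    fi
    has_apparmor_support "$(systemctl --version)" ||
        echo "WARN: this systemd was built without AppArmor support (-APPARMOR)"
    check_confined "$2" "$(cat "/proc/$pid/attr/current")"
}

# Usage on a real host, reproducing step 7 of the bug report:
#   check_unit test.service test-service
```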
[Touch-packages] [Bug 1396270] Re: specifying AppArmorProfile doesn't result in processes launched under the named profile
AppArmor enabled in
http://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?h=ubuntu&id=026526
(note that manually specifying the binary libapparmor1 dependency is not
necessary and should not be done -- dh_shlibdeps will do that in a better
way).

I also added an autopkgtest to reproduce this and ensure that it stays
working:
http://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?h=ubuntu&id=faae385

** Changed in: systemd (Ubuntu)
       Status: In Progress => Fix Committed
[Touch-packages] [Bug 1396270] Re: specifying AppArmorProfile doesn't result in processes launched under the named profile
Thanks! I added this locally to my tree and confirm that this works. I want
to write a corresponding autopkgtest for this which tries an apparmor
violation and ensures that this actually fails (but not without
confinement).
[Touch-packages] [Bug 1396270] Re: specifying AppArmorProfile doesn't result in processes launched under the named profile
** Changed in: systemd (Ubuntu)
       Status: New => In Progress

** Changed in: systemd (Ubuntu)
    Milestone: None => ubuntu-14.11

** Changed in: systemd (Ubuntu)
     Assignee: (unassigned) => Martin Pitt (pitti)
[Touch-packages] [Bug 1396270] Re: specifying AppArmorProfile doesn't result in processes launched under the named profile
** Tags added: patch
[Touch-packages] [Bug 1396270] Re: specifying AppArmorProfile doesn't result in processes launched under the named profile
It looks like systemd isn't compiled with apparmor support. mdeslaur gave
me a debdiff to add the necessary bits to debian/control to make this
work. I verified that the test case results in the service running under
the 'test-service' label.
[Touch-packages] [Bug 1396270] Re: specifying AppArmorProfile doesn't result in processes launched under the named profile
Here is a debdiff to turn on AppArmor support, which appears to have
solved the issue.

** Patch added: "systemd_215-6ubuntu2.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1396270/+attachment/4268304/+files/systemd_215-6ubuntu2.debdiff
[Touch-packages] [Bug 1396270] Re: specifying AppArmorProfile doesn't result in processes launched under the named profile
systemd in vivid isn't compiled with apparmor support:

        AppArmor:                  no