[Bug 1895060] Re: [FFe] apparmor 3 upstream release
This bug was fixed in the package apparmor - 3.0.0~beta1-0ubuntu6 --- apparmor (3.0.0~beta1-0ubuntu6) groovy; urgency=medium * Drop d/p/lp1824812.patch: this patch was only needed with 2.13 and not 3.0. With AppArmor 3, the patch ends up setting SFS_MOUNTPOINT to the wrong directory in is_container_with_internal_policy(), which causes policy to always fail to load in containers. Thanks to Christian Ehrhardt for the analysis. (LP: #1895967) apparmor (3.0.0~beta1-0ubuntu5) groovy; urgency=medium [ John Johansen ] * d/p/fix-parser-to-emit-proc-attr-access-for-all-situations.patch: fix-automatic-adding-of-rule-for-change-hat-iface.patch fixed the parser to emit rules needed for change_hat in the hat profiles but broke the rule being emitted for the parent profile, this fixes it for both so that it is emitted for any profile that is a hat or that contains a hat. * d/p/fix-change-profile-stack-abstraction.patch: fix the change_profile abstraction so that it allows access to the apparmor attribute paths under LSM stacking. apparmor (3.0.0~beta1-0ubuntu2) groovy; urgency=medium [ John Johansen ] * d/p/fix-automatic-adding-of-rule-for-change-hat-iface.patch: fix parser not adding a rule to profiles if they are a hat or contain hats granting write access to the kernel interfaces. apparmor (3.0.0~beta1-0ubuntu1) groovy; urgency=medium [ John Johansen ] * New upstream release (LP: #1895060, LP: #1887577, LP: #1880841) * Drop all patches backported from upstream: applied in 3.0 * d/p/policy-provide-example-and-base-abi-to-pin-pre-3.0-p.patch: provide example and base abi to pin pre 3.0 policy * d/p/ubuntu/enable-pinning-of-pre-AppArmor-3.x-poli.patch: enable pinning of pre AppArmor 3.x policy * drop d/p/debian/dont-include-site-local-with-dovecot.patch: no longer needed with upstream 'include if exists' [ Steve Beattie ] * d/p/parser-fix_cap_match.patch: fix cap match to work correctly, important now that groovy has a 5.8 kernel. * d/apparmor-profiles.install: + adjust for renamed postfix profiles + add usr.bin.dumpcap and usr.bin.mlmmj-receive to extra-profiles + remove usr.sbin.nmbd and usr.sbin.smbd from extra-profiles (already in apparmor-profiles) * d/apparmor.install: include abi/ directory and tunables/etc. * d/apparmor.manpages: add apparmor_xattrs.7 manpage * d/control: + apparmor-utils: no more shipped perl tools, drop perl dependency + apparmor-notify: aa-notify was converted to python3 from perl; adjust -notify dependencies to compensate * d/p/fix-tests-regression-apparmor-prologue-inc-settest.patch: fix sed expression in settest() [ Emilia Torino ] * Removing Ubuntu specific chromium-browser profile. This is safe to do since groovy's chromium-browser deb installs the snap. If apparmor3 is backported to 18.04 or earlier, the profile will need to be taken into consideration - d/profiles/chromium-browser: remove chromium-browser profile - d/apparmor-profiles.postinst: remove postinst script as it only contains chromium-browser related functionallity. - d/apparmor-profiles.postrm: remove postrm script as it only contains chromium-browser related functionallity. - d/apparmor-profiles.install: remove ubuntu-specific chromium-browser abstraction and profile - d/apparmor-profiles.lintian-overrides: remove chromium-browser profile lintian overrides - d/p/ubuntu/add-chromium-browser.patch: remove patch which added chrome-browser [ Alex Murray ] * d/p/policy-provide-example-and-base-abi-to-pin-pre-3.0-p.patch: refresh this patch with the official upstream version * d/p/ubuntu/enable-pinning-of-pre-AppArmor-3.x-poli.patch: refresh this patch to match the above * d/p/parser-add-abi-warning-flags.patch: enable parser warnings to be silenced or to be treated as errors [ Jamie Strandboge ] * d/p/adjust-for-ibus-1.5.22.patch: update ibus abstract path for ibus 1.5.22. This can be dropped with AppArmor 3.0 final. * d/p/parser-add-abi-warning-flags.patch: refresh to avoid lintian warnings * d/p/ubuntu/lp1891338.patch: adjust ubuntu-integration to use abstractions/exo-open (LP: #1891338) * d/p/ubuntu/lp1889699.patch: adjust to support brave in ubuntu abstractions. Patch thanks to François Marier (LP: #1889699) * d/p/ubuntu/lp1881357.patch: adjust for new ICEauthority path in /run (LP: #1881357) -- Jamie Strandboge Tue, 22 Sep 2020 15:10:33 + ** Changed in: apparmor (Ubuntu) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1895060 Title: [FFe] apparmor 3 upstream release To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1895060/+subscriptions --
[Bug 1895060] Re: [FFe] apparmor 3 upstream release
FYI, there was a components mismatch where apparmor-notify pulled python3-notify2 (and its Depends) into main. For now, I've demoted apparmor-notify to universe and adjusted the seed (in practical terms, the security team will fix bugs in apparmor-notify regardless of where it lives). We might revisit promoting apparmor-notify at a future date. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1895060 Title: [FFe] apparmor 3 upstream release To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1895060/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1895060] Re: [FFe] apparmor 3 upstream release
Sorry, while being about evaluating the new apparmor this got posted to the wrong bug :-/ -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1895060 Title: [FFe] apparmor 3 upstream release To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1895060/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1895060] Re: [FFe] apparmor 3 upstream release
I knew from my former tests: 1. apparmor 3.0 = bad 2. downgrading to 2.13.3-7ubuntu6 and back up to 3.0 = good 3. aa-enforce + service restart = good I checked the logs on the affected systems how this got into the bad state: $ grep -E 'configure (lib)?(apparmor|libvirt)' /var/log/dpkg.log 2020-09-16 05:56:09 configure libapparmor1:amd64 3.0.0~beta1-0ubuntu1 2020-09-16 05:56:18 configure apparmor:amd64 3.0.0~beta1-0ubuntu1 2020-09-16 05:57:31 configure libvirt-daemon-system-systemd:amd64 6.6.0-1ubuntu2 2020-09-16 05:57:31 configure libvirt0:amd64 6.6.0-1ubuntu2 2020-09-16 05:57:33 configure libvirt-clients:amd64 6.6.0-1ubuntu2 2020-09-16 05:57:36 configure libvirt-daemon:amd64 6.6.0-1ubuntu2 2020-09-16 05:57:36 configure libvirt-daemon-driver-qemu:amd64 6.6.0-1ubuntu2 2020-09-16 05:57:36 configure libvirt-daemon-system:amd64 6.6.0-1ubuntu2 2020-09-16 05:58:05 configure apparmor-utils:amd64 3.0.0~beta1-0ubuntu1 2020-09-17 14:04:17 configure libvirt-daemon-system-dbgsym:amd64 6.6.0-1ubuntu2 2020-09-17 14:04:17 configure libvirt0-dbgsym:amd64 6.6.0-1ubuntu2 2020-09-17 14:04:17 configure libvirt-daemon-driver-qemu-dbgsym:amd64 6.6.0-1ubuntu2 2020-09-17 14:04:17 configure libvirt-clients-dbgsym:amd64 6.6.0-1ubuntu2 2020-09-17 14:04:17 configure libvirt-daemon-dbgsym:amd64 6.6.0-1ubuntu2 2020-09-22 06:56:34 configure apparmor:amd64 3.0.0~beta1-0ubuntu5 It seems I had: 1. groovy container 2. upgrade to proposed (including libapparmor1 / apparmor 3.0) 3. install libvirt I was trying to recreate the above with a new container as of today: 1. groovy container (2.13.3-7ubuntu6, all still confined) 2. upgrade to proposed (3.0.0~beta1-0ubuntu5, all still confined) 3. install libvirt (confinement working well) Hmm, something must have been different. I know I have used container snapshots when I ran into that - I need to sort out in what order that happened and if it would occur again. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1895060 Title: [FFe] apparmor 3 upstream release To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1895060/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1895060] Re: [FFe] apparmor 3 upstream release
Thanks! Uploaded: https://launchpad.net/ubuntu/+source/apparmor/3.0.0~beta1-0ubuntu5 ** Changed in: apparmor (Ubuntu) Status: Confirmed => Fix Committed ** Changed in: apparmor (Ubuntu) Assignee: (unassigned) => Alex Murray (alexmurray) ** Changed in: apparmor (Ubuntu) Milestone: None => ubuntu-20.10 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1895060 Title: [FFe] apparmor 3 upstream release To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1895060/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1895060] Re: [FFe] apparmor 3 upstream release
OK, go for it! ** Changed in: apparmor (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1895060 Title: [FFe] apparmor 3 upstream release To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1895060/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1895060] Re: [FFe] apparmor 3 upstream release
Yes (barring bugs), there is no intention to break anything :) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1895060 Title: [FFe] apparmor 3 upstream release To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1895060/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1895060] Re: [FFe] apparmor 3 upstream release
Just to confirm, your intention (barring bugs) is that there should be no breakage for existing apparmor profiles and consumers of the rewritten tools? If so, I think this should still be fine at this stage. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1895060 Title: [FFe] apparmor 3 upstream release To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1895060/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1895060] Re: [FFe] apparmor 3 upstream release
FYI, I accidentally violated the FFe process and uploaded (with a subsequent binary copy) to groovy-proposed. None of that migrated, so I deleted what was in groovy-proposed and am now attaching the debdiff, which has patches to pass proposed migration (we believe). Sorry for the snafu. ** Patch added: "apparmor_2.13.3-7ubuntu6_to_3.0.0~beta1-0ubuntu5.debdiff" https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1895060/+attachment/5412212/+files/apparmor_2.13.3-7ubuntu6_to_3.0.0~beta1-0ubuntu5.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1895060 Title: [FFe] apparmor 3 upstream release To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1895060/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1895060] Re: [FFe] apparmor 3 upstream release
FYI, 3.0.0~beta1-0ubuntu3 should address the dbus autopkgtest issue. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1895060 Title: [FFe] apparmor 3 upstream release To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1895060/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1895060] Re: [FFe] apparmor 3 upstream release
FYI, the fix for the dbus issue is https://gitlab.com/apparmor/apparmor/-/merge_requests/625. We're preparing an ubuntu2 upload now. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1895060 Title: [FFe] apparmor 3 upstream release To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1895060/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1895060] Re: [FFe] apparmor 3 upstream release
FYI, we're looking at the autopkgtest dbus issue now. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1895060 Title: [FFe] apparmor 3 upstream release To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1895060/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1895060] Re: [FFe] apparmor 3 upstream release
** Attachment added: "groovy-proposed-apparmor-install.log" https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1895060/+attachment/5411197/+files/groovy-proposed-apparmor-install.log ** Description changed: As per the draft upstream release notes: AppArmor 3.0 is a major new release of the AppArmor user space that makes an important change to policy development and support. Its focus is transitioning policy to the new features ABI and as such other new features have been limited. Apprmor 3.0 is a bridge release between older AppArmor 2.x policy and the newer AppArmor 3 style policy which requires the declaration of a features abi. As such AppArmor 3.0 will be a short lived release, and will not receive long term support. The following AppArmor 3.1 feature release is planned to be a regular release, please take this into account when including AppArmor 3.0 into a distro release. As such, Ubuntu 20.10 provides a great opportunity to introduce AppArmor3 to Ubuntu and provide these new capabilities to users and system administrators. The short support lifespan of Ubuntu 20.10 ensures that there is alignment with the limited support lifetime of AppArmor 3.0 from upstream, whilst giving good exposure and opportunity to test and exercise the new features in AppArmor 3.x on the road to Ubuntu 22.04. A highlight of new features provided by AppArmor 3.0 include: - Policy now must declare the feature abi it was developed for if it is to - use any new features. This ensures that old policy will not become - incompatible with new kernels that support additional AppArmor features. + use any new features. This ensures that old policy will not become + incompatible with new kernels that support additional AppArmor features. - The use of profile names that are based on pathnames are deprecated. - Support for new kernel features (requires appropriate features abi - tagging in policy) - - upstream v8 network socket rules - - xattr attachment conditionals - - capabilities PERFMON and BPF + tagging in policy) + - upstream v8 network socket rules + - xattr attachment conditionals + - capabilities PERFMON and BPF - Improved compiler warnings and semantic checks - aa-status rewritten in C (previously was python) with additional features - - supports use in systems/images where python is not available - - supports kill, unconfined and mixed profile modes + - supports use in systems/images where python is not available + - supports kill, unconfined and mixed profile modes - Rewritten aa-notify (previously was perl, now python3) - - shared backend with other python tools - - support use of aa.CONFDIR instead of hard coded /etc/apparmor - - improved message layout + - shared backend with other python tools + - support use of aa.CONFDIR instead of hard coded /etc/apparmor + - improved message layout - Improved support for kernels that support LSM stacking - New utility aa-features-abi to extract and work with kernel abi features - New utility aa-load to load binary policy without calling the - apparmor_parser + apparmor_parser - Support for profile modes - - enforce (default when no mode flag is supplied) - - kill (experimental) - - unconfined (experimental) + - enforce (default when no mode flag is supplied) + - kill (experimental) + - unconfined (experimental) The use of the new AppArmor profile feature ABI includes a default configuration (for the Ubuntu packaged version of AppArmor proposed in this FFE) for the AppArmor features within the 5.4 Linux kernel - this ensures that all profiles provided in AppArmor3 for groovy will conform to this feature set and that upgrades to the kernel version (say to 5.8) that may include newer AppArmor confinement features will not result in additional policy denials as a result (since say the existing profile did not specify a rule for a new AppArmor feature which is now supported by the upgraded kernel). This ensures that there will be no regressions in application behaviour as a result of AppArmor kernel feature upgrades. TESTING This has been extensively tested by the security team - this includes following the documented Ubuntu merges test plan for AppArmor and the extensive QA Regression Tests for AppArmor as well. This ensures that the various applications that make heavy use of AppArmor (LXD, docker, lxc, dbus, libvirt, snapd etc) have all been exercised and no regressions have been observed. All tests have passed and demonstrated both apparmor and the various applications that use it to be working as expected. BUILD LOGS This is currently uploaded to groovy-proposed, build logs can be found on Launchpad at: https://launchpad.net/ubuntu/+source/apparmor/3.0.0~beta1-0ubuntu1 INSTALL LOG - See attached for a log showing install of the packages from groovy- - proposed + See attached +
[Bug 1895060] Re: [FFe] apparmor 3 upstream release
Apologies for posting the description as a comment above... -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1895060 Title: [FFe] apparmor 3 upstream release To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1895060/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1895060] Re: [FFe] apparmor 3 upstream release
As per the draft upstream release notes: AppArmor 3.0 is a major new release of the AppArmor user space that makes an important change to policy development and support. Its focus is transitioning policy to the new features ABI and as such other new features have been limited. Apprmor 3.0 is a bridge release between older AppArmor 2.x policy and the newer AppArmor 3 style policy which requires the declaration of a features abi. As such AppArmor 3.0 will be a short lived release, and will not receive long term support. The following AppArmor 3.1 feature release is planned to be a regular release, please take this into account when including AppArmor 3.0 into a distro release. As such, Ubuntu 20.10 provides a great opportunity to introduce AppArmor3 to Ubuntu and provide these new capabilities to users and system administrators. The short support lifespan of Ubuntu 20.10 ensures that there is alignment with the limited support lifetime of AppArmor 3.0 from upstream, whilst giving good exposure and opportunity to test and exercise the new features in AppArmor 3.x on the road to Ubuntu 22.04. A highlight of new features provided by AppArmor 3.0 include: - Policy now must declare the feature abi it was developed for if it is to use any new features. This ensures that old policy will not become incompatible with new kernels that support additional AppArmor features. - The use of profile names that are based on pathnames are deprecated. - Support for new kernel features (requires appropriate features abi tagging in policy) - upstream v8 network socket rules - xattr attachment conditionals - capabilities PERFMON and BPF - Improved compiler warnings and semantic checks - aa-status rewritten in C (previously was python) with additional features - supports use in systems/images where python is not available - supports kill, unconfined and mixed profile modes - Rewritten aa-notify (previously was perl, now python3) - shared backend with other python tools - support use of aa.CONFDIR instead of hard coded /etc/apparmor - improved message layout - Improved support for kernels that support LSM stacking - New utility aa-features-abi to extract and work with kernel abi features - New utility aa-load to load binary policy without calling the apparmor_parser - Support for profile modes - enforce (default when no mode flag is supplied) - kill (experimental) - unconfined (experimental) The use of the new AppArmor profile feature ABI includes a default configuration (for the Ubuntu packaged version of AppArmor proposed in this FFE) for the AppArmor features within the 5.4 Linux kernel - this ensures that all profiles provided in AppArmor3 for groovy will conform to this feature set and that upgrades to the kernel version (say to 5.8) that may include newer AppArmor confinement features will not result in additional policy denials as a result (since say the existing profile did not specify a rule for a new AppArmor feature which is now supported by the upgraded kernel). This ensures that there will be no regressions in application behaviour as a result of AppArmor kernel feature upgrades. TESTING This has been extensively tested by the security team - this includes following the documented Ubuntu merges test plan for AppArmor and the extensive QA Regression Tests for AppArmor as well. This ensures that the various applications that make heavy use of AppArmor (LXD, docker, lxc, dbus, libvirt, snapd etc) have all been exercised and no regressions have been observed. All tests have passed and demonstrated both apparmor and the various applications that use it to be working as expected. BUILD LOGS This is currently uploaded to groovy-proposed, build logs can be found on Launchpad at: https://launchpad.net/ubuntu/+source/apparmor/3.0.0~beta1-0ubuntu1 INSTALL LOG See attached for a log showing install of the packages from groovy- proposed ** Description changed: - To be filled in + As per the draft upstream release notes: + + AppArmor 3.0 is a major new release of the AppArmor user space that makes + an important change to policy development and support. Its focus is + transitioning policy to the new features ABI and as such other new features + have been limited. + + Apprmor 3.0 is a bridge release between older AppArmor 2.x policy and the + newer AppArmor 3 style policy which requires the declaration of a features + abi. As such AppArmor 3.0 will be a short lived release, and will not + receive long term support. The following AppArmor 3.1 feature release is + planned to be a regular release, please take this into account when + including AppArmor 3.0 into a distro release. + + As such, Ubuntu 20.10 provides a great opportunity to introduce AppArmor3 + to Ubuntu and provide these new capabilities to users and system + administrators. The short support lifespan of Ubuntu 20.10 ensures that + there is alignment with the limited support lifetime of AppArmor 3.0 from + upstream, whilst
