[Bug 2065685] Re: aa-logprof fails with 'runbindable' error
** Changed in: apparmor (Ubuntu)
       Status: New => Fix Committed

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2065685

Title:
  aa-logprof fails with 'runbindable' error

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2065685/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2065685] Re: aa-logprof fails with 'runbindable' error
@Christian Thank you for pointing this out.

After investigation, I found that this bug stems from the following restriction not being implemented consistently in aa-* and apparmor_parser.

> $ man 2 mount
>
> If mountflags includes one of MS_SHARED, MS_PRIVATE, MS_SLAVE, or
> MS_UNBINDABLE [...] The source, and filesystemtype [...] arguments are
> ignored.

- In aa-*: source must be empty, or it will trigger an error (cf. this bug).
- In apparmor_parser: source and destination cannot be set simultaneously (leading to the behavior you described). Also, setting the source or the destination is equivalent. That means that `mount options=(unbindable) /a,` and `mount options=(unbindable) -> /a,` are equivalent.

This bug should be fixed by https://gitlab.com/apparmor/apparmor/-/merge_requests/1236, which aligns the behavior of aa-* to apparmor_parser, since the latter is more permissive.
[Bug 2065685] Re: aa-logprof fails with 'runbindable' error
I'm afraid apparmor_parser is not fully aware of this restriction.

# cat foo
/usr/bin/foo {
# mount options=(rw, runbindable) / -> /bar,  # causes error
mount options=(rw, runbindable) -> /bar,  # accepted as valid (as expected)
mount options=(rw, runbindable) /,  # accepted as valid, but shouldn't
}

# apparmor_parser -r foo
#

This means a rule with only a source (but no target mountpoint) gets accepted by the parser and loaded into the kernel, even if it should raise an error.

BTW: The commented-out rule that indeed triggers an error results in a not-so-useful error message:

Encoding of mount rule failed
ERROR processing policydb rules for profile /usr/bin/foo, failed to load

A more detailed error message that points out the invalid rule would be nice.

** Changed in: apparmor (Ubuntu)
       Status: Fix Committed => New
[Bug 2065685] Re: aa-logprof fails with 'runbindable' error
So, the error was related to passt, not apparmor. This is because it uses an incorrect rule in abstractions/passt. By design, rules containing some options, such as runbindable, cannot include a source.

I just sent the following patch for passt that should solve your issue https://archives.passt.top/passt-dev/20240517115053.53072-1-maxime.bel...@canonical.com/T/#u, i.e. you need to modify `mount options=(rw, runbindable) /,` in /etc/apparmor.d/abstractions/passt to `mount options=(rw, runbindable) -> /,`

That being said, I will probably send a merge request to apparmor so that if in similar cases the source is '/', mount does not fail, thereby preventing similar future errors.

** Changed in: apparmor (Ubuntu)
       Status: New => Fix Committed
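The rule shapes discussed in this thread can be checked mechanically before a profile or abstraction ships. The following is an added example, not code from any of the messages or from AppArmor itself: a small linter that classifies `mount options=(...)` rules carrying a propagation option, using the verdicts reported in the thread. The function name `lint`, the verdict labels and the sample profile are assumptions made for the example.

```python
import re

# Propagation options named in the thread plus their siblings; r* = recursive.
PROPAGATION = {"shared", "rshared", "private", "rprivate",
               "slave", "rslave", "unbindable", "runbindable"}

# Only the `mount options=(...) [source] [-> target],` shape from the thread is
# handled; commented-out rules do not match because the line must start with
# optional qualifiers followed by `mount`.
RULE = re.compile(
    r"^\s*(?:(?:audit|allow|deny)\s+)*mount\s+"
    r"options\s*(?:=|in)\s*\((?P<opts>[^)]*)\)"
    r"\s*(?P<src>[^\s,>-][^\s,]*)?"
    r"\s*(?:->\s*(?P<dst>[^\s,]+))?\s*,")

def lint(profile_text):
    """Return (line number, verdict, suggested rewrite) per propagation rule."""
    findings = []
    for lineno, line in enumerate(profile_text.splitlines(), 1):
        m = RULE.match(line)
        if not m:
            continue
        opts = set(m["opts"].replace(",", " ").split())
        if not opts & PROPAGATION:
            continue  # ordinary mounts legitimately take source and target
        src, dst = m["src"], m["dst"]
        if src and dst:
            # Per the thread: apparmor_parser fails to encode this rule.
            findings.append((lineno, "source-and-target", None))
        elif src:
            # Per the thread: apparmor_parser loads it, aa-logprof errors out.
            fixed = line[:m.start("src")] + "-> " + src + line[m.end("src"):]
            findings.append((lineno, "source-only", fixed.strip()))
        else:
            findings.append((lineno, "ok", None))
    return findings

# Constructed sample modelled on the rules quoted in the thread.
SAMPLE = """\
/usr/bin/foo {
  mount options=(rw, runbindable) / -> /bar,
  mount options=(rw, runbindable) -> /bar,
  mount options=(rw, runbindable) /,
  mount options=(rw, bind) /src/ -> /dst/,
}
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

The suggested rewrite for a source-only rule is the same change proposed for abstractions/passt in the message above.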
[Bug 2065685] Re: aa-logprof fails with 'runbindable' error
ubuntu@srv-9vqc0:~$ sudo grep -r "runbindable*/*" /etc/apparmor.d
/etc/apparmor.d/abstractions/passt: mount options=(rw, runbindable) /,
ubuntu@srv-9vqc0:~$ sudo aa-logprof
ERROR: Operation {'runbindable'} cannot have a source. Source = AARE('/')

HTH
[Bug 2065685] Re: aa-logprof fails with 'runbindable' error
I have implemented a patch for this issue, but before submitting it, I want to understand its origin to determine if other edge cases need to be addressed.

Do you know which profile created this issue? Perhaps running

sudo grep -r "runbindable*/*" /etc/apparmor.d

could help identify the source of this issue.
[Bug 2065685] Re: aa-logprof fails with 'runbindable' error
** Changed in: apparmor (Ubuntu)
     Assignee: (unassigned) => Maxime Bélair (mbelair)