** Also affects: apparmor (Ubuntu Plucky)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2110236
Title:
[SRU] fixes for AppArmor in Plucky
Status in apparmor package in Ubuntu:
New
Status in apparmor source package in Plucky:
New
Bug description:
[ Impact ]
This SRU contains fixes for a number of bugs:
* The unprivileged_userns profile did not have access to the root directory
(https://gitlab.com/apparmor/apparmor/-/issues/505)
* lsblk could not list DASD devices on IBM System Z (LP: #2107402)
* Various commands segfaulted when run from a confined context due to
missing permissions on the binary execution path (LP: #2107455,
https://gitlab.com/apparmor/apparmor/-/merge_requests/1637)
* The plasmashell profile was missing new path to QtWebEngineProcess,
causing breakage of Web Browser widget (LP: #2107723)
* fusermount3 lacked permissions to mount to /cvmfs
(https://gitlab.com/apparmor/apparmor/-/merge_requests/1587)
* openvpn lacked permissions to manage DNS settings for pushed DHCP settings
(LP: #2107596)
* openvpn lacked permissions to perform mDNS lookups (LP: #2109029)
* remmina broke due to missing permissions (LP: #2107723)
* fusermount3 lacked permissions to mount with noatime, needed for
fuse_overlayfs (https://gitlab.com/apparmor/apparmor/-/merge_requests/1673)
* iotop-c failed to launch at all due to permission denials in nl_init (LP:
#2107727)
* The parser did not handle the norelatime mount flag correctly
(https://gitlab.com/apparmor/apparmor/-/merge_requests/1679)
* The apparmor.d man page contained incorrect information about the
combination of mount options=(list) options in (list)
(https://gitlab.com/apparmor/apparmor/-/merge_requests/1674).
* This SRU also includes a regression test update
(https://gitlab.com/apparmor/apparmor/-/merge_requests/1672) that is not part
of the built package but that 1) ensures that the documented behavior lines up
with the actual behavior, and 2) serves as a test for the parser patch
[ Test Plan ]
After installation of the new AppArmor version, the machine might need
to be rebooted. If a reboot between installation and test plan
execution is needed for a test to pass, please mention it in the test
plan execution notes so that we can determine if this is cause for
verification test failure, expected behavior, or the result of an
unrelated bug that we are not attempting to fix with this SRU.
Bug-specific test plans, followed by a generic test plan:
Test plan for the unprivileged_userns bug:
* Ensure that the sysctl kernel.apparmor_restrict_unprivileged_unconfined is
set to 1
* Run unshare -U ls /
* Without the fix:
- Command above does not list the directory successfully
- apparmor generates a denial log blocking opening of / under
profile="unprivileged_userns"
* With the fix: the above error+logging should not occur
Test plan for the lsblk bug:
* Run lsblk on an IBM System Z system
* Without the fix:
- Command fails to list DASD devices
- apparmor generates denial logs blocking access to a path starting with
/sys/devices/css
* With the fix: the above error+logging should not occur
Test plan for command execution from confined context:
* Add the following to a new file and use `apparmor_parser path/to/file` to
load it as a profile:
abi <abi/4.0>,
include <tunables/global>
profile allow_all {
allow all,
priority=1 /** px,
}
* Choose a subset of the applications confined by profiles under
profiles/apparmor.d modified by
debian/patches/ubuntu/profiles_ensure_access_to_attach_path.patch, and for each
selected application:
- Run `aa-exec -p allow_all -- the_application`, under sudo if the
application needs root privileges
- Verify that the application does not segfault on launch
- If application segfaults on launch only when run under confinement,
check for apparmor="DENIED" log entry denying read or mmap operations on the
binary path, and report verification test failure
Test plan for the plasmashell bug:
* This test needs to be executed on a freshly provisioned Kubuntu machine
with the new AppArmor installed. Testers might want to install `openssh-server`
on the Kubuntu machine first in order to make extraction of relevant logs
easier in case of test failure
* Add an empty panel and click on "+ Add Widgets"
* Add the "Web Browser" -> widget is added to panel -> click on "Exit Edit
Mode"
* Click on icon "Web Browser" or logout/login
* Without the fix:
- The desktop environment turns black, flickers a few times due to
attempted restarts, and doesn't return
- AppArmor generates denial logs such as apparmor="DENIED"
operation="exec" class="file" info="no new privs" error=-1
profile="plasmashell" name="/usr/lib/qt6/libexec/QtWebEngineProcess" pid=2069
comm="plasmashell" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
target="unconfined"
+ The important parts to match are 'operation="exec"' and 'info="no new
privs"', and the path under 'name'. If such a log appears, report test
verification failure
+ If a different apparmor log involving QtWebEngineProcess appears, note
it in the test report so that we can evaluate if the tester encountered an
unrelated plasmashell confinement bug
* With the fix: the above error+logging should not occur
Test plan for the fusermount3 cvmfs bug:
* The following instructions are adapted from
https://cvmfs.readthedocs.io/en/stable/cpt-quickstart.html
- Install the cvmfs packages
+ `wget
https://cvmrepo.s3.cern.ch/cvmrepo/apt/cvmfs-release-latest_all.deb`
+ `sudo dpkg -i cvmfs-release-latest_all.deb`
+ `sudo apt-get -y update`
+ `sudo apt-get -y install cvmfs`
- Set up autofs configs by running `sudo cvmfs_config setup` and `sudo
systemctl restart autofs`
- Create `/etc/cvmfs/default.local` and add the lines
"CVMFS_REPOSITORIES=cvmfs-config.cern.ch", "CVMFS_CLIENT_PROFILE=single" to it
- Attempt to mount by running `cvmfs_config probe`
* Without the fix:
- The mount step fails with a permission denial error
- AppArmor generates denial logs for fusermount3 denying the mount syscall
* With the fix: the mount should succeed with no AppArmor logs being
generated
Test plan for the openvpn bugs:
* This test description assumes no access to existing machines that use
OpenVPN. Additional testing of OpenVPN in related configurations (other
virtualization solutions, specifying the server location via IPs or actual
domains, etc.) is encouraged.
- Spin up two Ubuntu Plucky VMs, one of which will be referred to as
openvpn-client and the other of which will be referred to as openvpn-server
- Ensure that the two machines are able to ping each other
- Generate a key using `openvpn --genkey secret secret.key` and transfer
this key to both machines, somewhere inside the home directory
- Place the following configuration onto openvpn-server, next to
secret.key:
dev tun
proto udp
cipher aes-256-cbc
ifconfig 10.4.13.1 10.4.13.2
secret static.key
- Place the following configuration onto openvpn-client, next to
secret.key, substituting the remote location:
remote openvpn-server.local
dev tun
proto udp
cipher aes-256-cbc
ifconfig 10.4.3.2 10.4.13.1
secret static.key
- Launch openvpn on both machines by running `openvpn path_to_config` on
each
- If (openvpn-client "remote" config line is a domain name (.local or
otherwise)) and (openvpn is unable to resolve the domain) and (apparmor is
generating denials related to (m)DNS lookups), then report verification test
failure
- Ensure that the two machines are able to ping each other through the
OpenVPN tunnel
- Stop both openvpn instances and add the line `push "dhcp-option
DOMAIN-SEARCH canonical.com"` to the openvpn-server config
- Launch openvpn on both machines again and ensure that the two machines
are able to ping each other through the tunnel
Test plan for the remmina bug:
* Run `sudo aa-status` and look for a loaded remmina profile: it should not
be there
* If it is still there after installing the updated AppArmor and rebooting,
report verification test failure
* Launch remmina
* Use ps -Zelf | grep -F remmina to locate the running remmina process
* Read the output to verify that remmina is now unconfined
* Fully quit remmina through its menu, its task bar entry, or by Ctrl-C'ing
its terminal (closing the GUI window is insufficient)
* Install apparmor-profiles if it wasn't installed already
* Repeat the above steps to verify that remmina is unconfined even when
apparmor-profiles is also installed (including reboot if installing
apparmor-profiles fresh)
* Warning: remmina writes a .desktop file to automatically start itself upon
login, which will complicate profile replacement if investigating remmina test
failure
Test plan for the fusermount3 fuse_overlayfs bug:
* Install fuse-overlayfs
* Inside the home directory, make folders "lower", "upper", "work", and
"mountpoint"
* Mount a fuse-overlayfs with `fuse-overlayfs -o
lowerdir=lower,upperdir=upper,workdir=work mountpoint`
* Without the fix: the mount fails and apparmor generates a log reporting
"failed flags match"
* With the fix: the mount should succeed
Test plan for the iotop-c bug:
* Launch iotop-c under sudo (make sure to invoke iotop-c directly instead of
iotop, which might be symlinked to the distinct iotop-py)
- Without the fix: iotop-c fails to launch due to permission denials in
nl_init
- With the fix: iotop-c should launch successfully
* Attempt to set the ionice value of a running process using iotop-c, and
verify that the operation succeeds
Test plan for the parser bug: failures caused by this change will show
up in the regression tests run as part of the generic test plan
Test plan for the apparmor.d documentation bug:
* Open the apparmor.d man page with `man apparmor.d` and scroll down to the
example that starts with `mount options=(ro, atime) options in (nodev, user)`
* Verify that the mount commands listed as matching the rule all include ro
and atime
* The regression test that checks that the behavior is as documented will
run as part of the QRT test suite described below
Generic test plan (for all AppArmor changes, not specific to this SRU):
AppArmor is also extensively tested via its QRT test suite, which includes
execution of the AppArmor test suite.
* To prepare the QRT test suite (can be done on any machine):
- `git clone https://git.launchpad.net/qa-regression-testing`
- `./scripts/make-test-tarball ./scripts/test-apparmor.py`
* To run the QRT test suite:
- Copy the tarball onto the machine with the new AppArmor installed and
extract it
- `sudo ./install-packages test-apparmor.py`
- `sudo ./test-apparmor.py -v`
[ Where problems could occur ]
All the profile changes in this SRU are loosening confinement on a profile.
However, if a user manually modified the installed profiles, then the package
upgrade would cause conflicts, and rejection of the incoming changes (either by
hand during an interactive upgrade or automatically during an batch unattended
upgrade) would result in end users not getting the complete set of packaged
fixes. However, as each of the files updated are independent of each other, a
partially fixed state will not be more broken than an unfixed (before upgrade)
state.
Remmina profile specific: If a user set up custom profiles that use
"peer=remmina" IPC rules, then these rules would break upon the upgrade
removing the remmina profile. However, none of the officially shipped profiles
include such rules.
The man page update is a documentation-only change. The risk exists
that the new packaged man page could be malformed, but this is
unlikely since the man page is generated by pod2man, and such issues
can be caught during testing by attempting to open the man page after
installation of the new version.
The parser fix changes the behavior of mount rules that explicitly
specify the norelatime flag. In particular, a custom profile
containing `mount options in (norelatime)` will have different, more
permissive behavior than before (reducing regression risk). However,
this flag is not used in any of the commonly used profiles (including
the ones in our repo and the profile fragments used by snapd), so this
will not change the behavior of most profiles being used.
[ Other Info ]
The attached debdiff is identical to the one for the package uploaded
to Questing, with the exception of the version number and release name
in the changelog entry.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2110236/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
