many: update apparmor to 4.0.1 #14150
Thanks @zyga - so like the original PR, we still see failures in
Signed-off-by: Alex Murray <[email protected]>
Unlike the Launchpad tarball, the one from apparmor gitlab tarball requires this to be present as it is just a snapshot of the git tree, not a release tarball like those provided by Launchpad. Signed-off-by: Alex Murray <[email protected]>
This was already included upstream as part of the 3.1.0 release and hence is included in the 4.0.1 release which we are now vendoring. Signed-off-by: Alex Murray <[email protected]>
They are already included in apparmor 4.x release. Signed-off-by: Zygmunt Krynicki <[email protected]>
All local patches are now merged in the 4.x release. Signed-off-by: Zygmunt Krynicki <[email protected]>
Signed-off-by: Alex Murray <[email protected]>
Signed-off-by: Alex Murray <[email protected]>
Signed-off-by: Alex Murray <[email protected]>
This is helpful when trying to debug why certain features may not be supported. Signed-off-by: Alex Murray <[email protected]>
Signed-off-by: Alex Murray <[email protected]>
…)" (canonical#13765) This reverts commit ce29886.
LGTM
@@ -1,13 +1,16 @@ | |||
/* | |||
this file was generated on a Ubuntu kinetic install from the upstream |
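Review bot: the header comment at the end of the hunk still says this file was generated on a kinetic install, while the PR moves the vendored parser to 4.0.1; record which release and which socket.h the regenerated file was taken from, so the next apparmor bump can tell whether the file is stale rather than relying on the commit history.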
We should probably remove this file once we have moved to using core24 as build base. Right?
This is a bit of an annoying part. The parser looks at the host's socket.h file to determine what kind of sockets one can create and to know their names.
If the snap is built on an old system (where the definition of old is always inaccurate), in theory we could drop it, but we'd always be at risk of compiling but silently failing to understand specific network types.
Signed-off-by: Zygmunt Krynicki <[email protected]>
LGTM
Some comments/questions for consideration
Has this been considered: https://github.com/snapcore/snapd/blob/master/sandbox/apparmor/apparmor.go#L786-L788
Not covered by test: https://github.com/snapcore/snapd/blob/master/sandbox/apparmor/apparmor.go#L790
Maybe a test for external parser abi options: 4.0, 3.0, other?
cmd/snapd-apparmor TestLoadAppArmorProfiles is exercising 3.0 abi, is this still sufficient?
Can you clarify the 2nd link to a diff that's about not covered by test? Either the link is wonky or I don't understand what the question is.
I'll look into 4.0 testing in snapd-apparmor, thanks!
I've made a separate patch to enable the apparmor 4.0 ABI when using the host compiler. I do not want to introduce it here as it's something we cannot easily synchronize with. It should be considered and reviewed separately. I also wrote some tests in the same pass.
The follow-up is: #14167
if tryAppArmorParserFeature(cmd, fp.flags, fp.probe) { | ||
err := tryAppArmorParserFeature(cmd, fp.flags, fp.probe) | ||
if err != nil { | ||
logger.Debugf("cannot probe apparmor feature %q: %v", fp.feature, err) |
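Review bot: the `if err != nil` branch at the end of the hunk only records a failed probe at debug level, so in a normal run a feature that the parser could not compile is dropped silently; since a failed probe means snapd will not mediate that feature, consider logging the skipped `fp.feature` at a level that is visible by default, or surfacing the set of failed probes to the caller so the decision is observable.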
nice addition
@@ -816,9 +819,9 @@ func tryAppArmorParserFeature(cmd *exec.Cmd, flags []string, rule string) bool { | |||
// older versions of apparmor_parser can exit with success even | |||
// though they fail to parse | |||
if err != nil || strings.Contains(string(output), "parser error") { | |||
return false | |||
return fmt.Errorf("apparmor_parser failed: %v: %s", err, output) |
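Review bot: the new `return fmt.Errorf("apparmor_parser failed: %v: %s", err, output)` covers two different conditions from the `if` above it, a non-nil `err` and a successful exit whose output contains "parser error"; in the second case `err` is nil and the message renders as "apparmor_parser failed: <nil>: ...", which hides that the parser exited 0. Consider returning a distinct error for the "parser error" text case (the comment above the check explains why that case exists) and trimming `output`, which can be multi-line, before embedding it.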
nice addition
+1
Thanks
There's a number of failures that need investigation. Please don't merge this yet @ernestl
This is hitting the /dev/mqueue issue with apparmor on the host.
AppArmor 4.0.1 SRU has been released to Noble.
It seems that mediation of mqueue is miscompiled by apparmor_parser 4.0.0~beta3 that was present in Ubuntu 24.04 until the 10th of July 2024. Detect this and mask the presence of mqueue unless apparmor parser 4.0.1, or newer, is used. Signed-off-by: Zygmunt Krynicki <[email protected]>
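One way to express the rule described in that commit message, masking a feature the parser is known to miscompile unless the parser is 4.0.1 or newer, as an added Go example that is not the PR's code; it assumes the first line of `apparmor_parser --version` reads "AppArmor parser version X.Y.Z" (possibly with a "~beta3"-style suffix), and the table and function names are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// parserVersion is a numeric apparmor_parser version (major, minor, patch).
type parserVersion struct{ major, minor, patch int }

// versionRe matches the assumed first line of `apparmor_parser --version`.
// A pre-release suffix such as "~beta3" is deliberately ignored, so
// "4.0.0~beta3" compares as 4.0.0, i.e. below 4.0.1.
var versionRe = regexp.MustCompile(`AppArmor parser version (\d+)\.(\d+)\.(\d+)`)

// parseParserVersion extracts the version from the --version output.
func parseParserVersion(output string) (parserVersion, error) {
	m := versionRe.FindStringSubmatch(output)
	if m == nil {
		return parserVersion{}, fmt.Errorf("cannot find apparmor_parser version in %q", strings.TrimSpace(output))
	}
	major, _ := strconv.Atoi(m[1]) // \d+ guarantees a parsable integer
	minor, _ := strconv.Atoi(m[2])
	patch, _ := strconv.Atoi(m[3])
	return parserVersion{major, minor, patch}, nil
}

// atLeast reports whether v >= o.
func (v parserVersion) atLeast(o parserVersion) bool {
	if v.major != o.major {
		return v.major > o.major
	}
	if v.minor != o.minor {
		return v.minor > o.minor
	}
	return v.patch >= o.patch
}

// knownBrokenFeatures (hypothetical table) maps a probed feature to the first
// parser version that compiles it correctly; only mqueue is listed here.
var knownBrokenFeatures = map[string]parserVersion{"mqueue": {4, 0, 1}}

// maskBrokenFeatures drops features the parser is known to miscompile even
// though the probe itself compiled successfully.
func maskBrokenFeatures(v parserVersion, probed []string) []string {
	var kept []string
	for _, f := range probed {
		if fixedIn, ok := knownBrokenFeatures[f]; ok && !v.atLeast(fixedIn) {
			continue // probe passed, but this parser miscompiles the feature
		}
		kept = append(kept, f)
	}
	return kept
}

func main() {
	// Constructed sample output for the broken 24.04 parser.
	v, err := parseParserVersion("AppArmor parser version 4.0.0~beta3\n")
	if err != nil {
		panic(err)
	}
	fmt.Println(maskBrokenFeatures(v, []string{"unix", "mqueue", "userns"}))
}
```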
Various tests are now failing on:
I have a hunch that this is because apparmor on the host and in snapd is the same version. Perhaps we need to fake the version to "+1" or fix the tests to cope?
The test
Mirror the logic used in apparmor-from-the-host to apparmor-from-snapd-snap. This mainly fixes tests that repackage an old snapd snap without touching apparmor, but in general seems like the right thing to do. The logic is such that abi 4 is preferred. Signed-off-by: Zygmunt Krynicki <[email protected]>
Signed-off-by: Zygmunt Krynicki <[email protected]>
I've improved the code a little so that tests might actually pass now.
If tests are happy this needs a re-review.
Thanks, nice upgrade with ability to now manage version specific feature bugs and also the ability to use available internal ABI file!
Some nitpick comments for consideration.
Signed-off-by: Zygmunt Krynicki <[email protected]>
Signed-off-by: Zygmunt Krynicki <[email protected]>
This is a rebase of #13354
This is a replacement for the older attempt by Alex M: #13354
Bug reports and fixes to consider: https://ubuntu-archive-team.ubuntu.com/pending-sru.html