sandbox/apparmor: do not skip ABI 4.0 from host parser #14167
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
zyga
added
⛔ Blocked
Needs security review
zyga
force-pushed
the
feature/use-host-apparmor-4-abi
branch
from
6853098
to
ddfcb2d
Compare
zyga
force-pushed
the
feature/use-host-apparmor-4-abi
branch
from
ddfcb2d
to
82d73c9
Compare
zyga
changed the title
|
Consider for 2.64 |
alexmurray
approved these changes
Jul 18, 2024
alexmurray
removed
the
Needs security review
The state of AppArmor 4 in Ubuntu 24.04 and 24.10 is now sufficient for using in snapd. The recently-added version-aware feature check guarantee that features such as mqueue are not used when the parser is not sufficiently up-to-date. Signed-off-by: Zygmunt Krynicki <[email protected]>
zyga
force-pushed
the
feature/use-host-apparmor-4-abi
branch
from
82d73c9
to
0cf5d26
Compare
|
I've rebased on master to give tests a chance to pass. |
ernestl
pushed a commit
to ernestl/snapd
that referenced
this pull request
Jul 19, 2024
The state of AppArmor 4 in Ubuntu 24.04 and 24.10 is now sufficient for using in snapd. The recently-added version-aware feature check guarantee that features such as mqueue are not used when the parser is not sufficiently up-to-date. Signed-off-by: Zygmunt Krynicki <[email protected]>
zyga
added a commit
to zyga/snapd
that referenced
this pull request
Jul 22, 2024
…ical#14167)" This reverts commit fa03549. We cannot use host AppArmor with 4.0 ABI as there's no control mechanism to shield us from broken implementation of mqueue mediation class. We look for the right version of apparmor parser and correctly not emit the mqueue permission but since the host parser (4.0.0~beta3) looks at host's ABI file which contains: ipc {posix_mqueue {create read write open delete setattr getattr} And similarly the kernel supports posix_mqueue, then the parser (with the bug or without the bug) will correctly not emit anything related to mqueue mediation class, causing the kernel to rightfully deny operations: [Mon Jul 22 12:43:40 2024] audit: type=1400 audit(1721652220.385:212): apparmor="DENIED" operation="unlink" class="posix_mqueue" profile="snap.docker.dockerd" name="/" pid=35290 comm="runc:[2:INIT]" requested="getattr" denied="getattr"class="posix_mqueue" fsuid=0 ouid=0 As such we need to do one of two things to allow host apparmor to be used in a world with re-executing snapd: - Create our own ABI feature files that understand broken features and mask them, so that from the point of view of the kernel mqueue is _not_ mediated by the binary profile. - Detect presence of 4.0 ABI but ignore it on known-broken parser versions, effectively doing the same thing as the earlier approach but without creating a new ABI file that only snapd uses (possibly experiencing fewer bugs). Signed-off-by: Zygmunt Krynicki <[email protected]>
zyga
added a commit
to zyga/snapd
that referenced
this pull request
Jul 22, 2024
…ical#14167)" This reverts commit fa03549. We cannot use host AppArmor with 4.0 ABI as there's no control mechanism to shield us from broken implementation of mqueue mediation class. We look for the right version of apparmor parser and correctly not emit the mqueue permission but since the host parser (4.0.0~beta3) looks at host's ABI file which contains: ipc {posix_mqueue {create read write open delete setattr getattr} And similarly the kernel supports posix_mqueue, then the parser (with the bug or without the bug) will correctly not emit any permissions related to mqueue mediation class, while emitting the mediation class root element, causing the kernel to rightfully deny operations: [Mon Jul 22 12:43:40 2024] audit: type=1400 audit(1721652220.385:212): apparmor="DENIED" operation="unlink" class="posix_mqueue" profile="snap.docker.dockerd" name="/" pid=35290 comm="runc:[2:INIT]" requested="getattr" denied="getattr"class="posix_mqueue" fsuid=0 ouid=0 As such we need to do one of two things to allow host apparmor to be used in a world with re-executing snapd: - Create our own ABI feature files that understand broken features and mask them, so that from the point of view of the kernel mqueue is _not_ mediated by the binary profile. - Detect presence of 4.0 ABI but ignore it on known-broken parser versions, effectively doing the same thing as the earlier approach but without creating a new ABI file that only snapd uses (possibly experiencing fewer bugs). Signed-off-by: Zygmunt Krynicki <[email protected]>
|
This was reverted, there are issues: #14223 |
ernestl
pushed a commit
that referenced
this pull request
Jul 23, 2024
…" (#14223) This reverts commit fa03549. We cannot use host AppArmor with 4.0 ABI as there's no control mechanism to shield us from broken implementation of mqueue mediation class. We look for the right version of apparmor parser and correctly not emit the mqueue permission but since the host parser (4.0.0~beta3) looks at host's ABI file which contains: ipc {posix_mqueue {create read write open delete setattr getattr} And similarly the kernel supports posix_mqueue, then the parser (with the bug or without the bug) will correctly not emit any permissions related to mqueue mediation class, while emitting the mediation class root element, causing the kernel to rightfully deny operations: [Mon Jul 22 12:43:40 2024] audit: type=1400 audit(1721652220.385:212): apparmor="DENIED" operation="unlink" class="posix_mqueue" profile="snap.docker.dockerd" name="/" pid=35290 comm="runc:[2:INIT]" requested="getattr" denied="getattr"class="posix_mqueue" fsuid=0 ouid=0 As such we need to do one of two things to allow host apparmor to be used in a world with re-executing snapd: - Create our own ABI feature files that understand broken features and mask them, so that from the point of view of the kernel mqueue is _not_ mediated by the binary profile. - Detect presence of 4.0 ABI but ignore it on known-broken parser versions, effectively doing the same thing as the earlier approach but without creating a new ABI file that only snapd uses (possibly experiencing fewer bugs). Signed-off-by: Zygmunt Krynicki <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The state of AppArmor 4 in Ubuntu 24.04 and 24.10 is now sufficient for
using in snapd. The recently-added version-aware feature check guarantee
that features such as mqueue are not used when the parser is not
sufficiently up-to-date.