sandbox: Revert "sandbox/apparmor: do not skip ABI 4.0 from host parser (#14167)" #14223
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
I meant that the parser emits mqueue mediation class DFA elements but they contain no permissions. EDIT: This has been re-worded to:
|
…ical#14167)" This reverts commit fa03549. We cannot use host AppArmor with 4.0 ABI as there's no control mechanism to shield us from broken implementation of mqueue mediation class. We look for the right version of apparmor parser and correctly not emit the mqueue permission but since the host parser (4.0.0~beta3) looks at host's ABI file which contains: ipc {posix_mqueue {create read write open delete setattr getattr} And similarly the kernel supports posix_mqueue, then the parser (with the bug or without the bug) will correctly not emit any permissions related to mqueue mediation class, while emitting the mediation class root element, causing the kernel to rightfully deny operations: [Mon Jul 22 12:43:40 2024] audit: type=1400 audit(1721652220.385:212): apparmor="DENIED" operation="unlink" class="posix_mqueue" profile="snap.docker.dockerd" name="/" pid=35290 comm="runc:[2:INIT]" requested="getattr" denied="getattr"class="posix_mqueue" fsuid=0 ouid=0 As such we need to do one of two things to allow host apparmor to be used in a world with re-executing snapd: - Create our own ABI feature files that understand broken features and mask them, so that from the point of view of the kernel mqueue is _not_ mediated by the binary profile. - Detect presence of 4.0 ABI but ignore it on known-broken parser versions, effectively doing the same thing as the earlier approach but without creating a new ABI file that only snapd uses (possibly experiencing fewer bugs). Signed-off-by: Zygmunt Krynicki <[email protected]>
zyga
force-pushed
the
fix/revert-host-aa-4
branch
from
b7b1e6e
to
c531ede
Compare
zyga
changed the title
alexmurray
approved these changes
Jul 22, 2024
ernestl
approved these changes
Jul 23, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This reverts commit fa03549.
We cannot use host AppArmor with 4.0 ABI as there's no control mechanism to shield us from broken implementation of mqueue mediation class.
We look for the right version of apparmor parser and correctly not emit the mqueue permission but since the host parser (4.0.0~beta3) looks at host's ABI file which contains:
And similarly the kernel supports posix_mqueue, then the parser (with
the bug or without the bug) will correctly not emit any permissions
related to mqueue mediation class, while emitting the mediation class
root element, causing the kernel to rightfully deny operations:
As such we need to do one of two things to allow host apparmor to be used in a world with re-executing snapd: