Client Developer Experience

Updating the apparmor manifest and deploying the new code without increasing app version does not trigger apparmor profile update on the device.

Bug #1549369 reported by Andrea Bernabei on 2016-02-24

This bug affects 8 people

	Status	Importance	Assigned to	Milestone
Canonical System Image	Confirmed	Medium	Alejandro J. Cura	Canonical System Image backlog
Client Developer Experience	Confirmed	Medium	Alejandro J. Cura
click (Ubuntu)	Confirmed	Undecided	Unassigned
click-apparmor (Ubuntu)	Won't Fix	Undecided	Unassigned

Bug Description

On Krillin, as of rc-proposed r264,

modifying the application apparmor manifest and then deploying the application to the device *without* increasing the app version will not trigger the apparmor profile update.

As a consequence, the developer is left confused because the app is still complaining about apparmor denials even after he modified the apparmo manifest and deployed the new .click package.

Deploying changes to an application without updating its version number is a quite common practice, especially while in development phase.

That is why I believe we should fix this bug as soon as possible, to make life of developers easier.

Reference of a similar bug, which was however more Snappy specific:
https://bugs.launchpad.net/ubuntu/+source/click-apparmor/+bug/1422744

See original description

Andrea Bernabei (faenil) on 2016-02-24

description:	updated
description:	updated
summary:	- Apparmor profiles not updated after deploying an app without increasing - its version + Updating the apparmor manifest and deploying the new code without + increasing the version does not trigger apparmor profile update on the + device.
summary:	Updating the apparmor manifest and deploying the new code without - increasing the version does not trigger apparmor profile update on the + increasing app version does not trigger apparmor profile update on the device.

Revision history for this message

Launchpad Janitor (janitor) wrote on 2016-02-24:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in click-apparmor (Ubuntu):
status:	New → Confirmed

Pat McGowan (pat-mcgowan) on 2016-03-08

Changed in canonical-devices-system-image:
status:	New → Confirmed
assignee:	nobody → Jamie Strandboge (jdstrand)

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2016-03-08:

AIUI this is not a bug in click-apparmor but click itself. While the hook is being run, click isn't updating the timestamps on the click hook symlink. Ie:

Install the old click:
$ cd old
$ sudo click install --force-missing-framework --user=$USER ./*0.7_all.click --allow-unauthenticated
...
$ stat /var/lib/apparmor/clicks/*_0.7.json
...
Access: (0777/lrwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2016-03-08 16:31:16.352376489 -0600
Modify: 2016-03-08 16:31:16.288376439 -0600
Change: 2016-03-08 16:31:16.288376439 -0600
...
$ cat /var/lib/apparmor/clicks/*_0.7.json
{
  "template": "ubuntu-webapp",
  "policy_groups": [
    "audio",
    "location",
    "networking",
    "video"
  ],
  "policy_version": 1.0
}

Install a click with an updated security manifest but same version:
$ cd ../new
$ sudo click install --force-missing-framework --user=$USER ./*0.7_all.click --allow-unauthenticated
...
$ stat /var/lib/apparmor/clicks/*_0.7.json
...
Access: (0777/lrwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2016-03-08 16:31:16.352376489 -0600
Modify: 2016-03-08 16:31:16.288376439 -0600
Change: 2016-03-08 16:31:16.288376439 -0600
...

$ cat /var/lib/apparmor/clicks/*_0.7.json
{
  "template": "ubuntu-webapp",
  "policy_groups": [
    "audio",
    "location",
    "networking",
    "video",
    "camera"
  ],
  "policy_version": 1.0
}

Notice that will the contents of the security manifest is updated, the mtime of the symlink was not. click-apparmor currently requires that the mtime be updated. This is due to install_link() in lib/click/hooks.vala:
if (is_symlink (link) && FileUtils.read_link (link) == target)
return;

One way to achieve this would be to recreate the symlink on install if the symlink exists. Alternatively, click-apparmor could also consider the ctime of the target file compared to the symlink's mtime. While it seems like a fix in click is the right choice, I believe only click-apparmor cares about these sorts of things, and a change there would be localized to only click-apparmor and therefore less risky.

AIUI this is not a bug in click-apparmor but click itself. While the hook is being run, click isn't updating the timestamps on the click hook symlink. Ie:

Install the old click:
$ cd old
$ sudo click install --force-missing-framework --user=$USER ./*0.7_all.click --allow-unauthenticated
...
$ stat /var/lib/apparmor/clicks/*_0.7.json 
...
Access: (0777/lrwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2016-03-08 16:31:16.352376489 -0600
Modify: 2016-03-08 16:31:16.288376439 -0600
Change: 2016-03-08 16:31:16.288376439 -0600
...
$ cat /var/lib/apparmor/clicks/*_0.7.json
{
  "template": "ubuntu-webapp",
  "policy_groups": [
    "audio",
    "location",
    "networking",
    "video"
  ],
  "policy_version": 1.0
}

Install a click with an updated security manifest but same version:
$ cd ../new
$ sudo click install --force-missing-framework --user=$USER ./*0.7_all.click --allow-unauthenticated
...
$ stat /var/lib/apparmor/clicks/*_0.7.json 
...
Access: (0777/lrwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2016-03-08 16:31:16.352376489 -0600
Modify: 2016-03-08 16:31:16.288376439 -0600
Change: 2016-03-08 16:31:16.288376439 -0600
...

$ cat /var/lib/apparmor/clicks/*_0.7.json
{
  "template": "ubuntu-webapp",
  "policy_groups": [
    "audio",
    "location",
    "networking",
    "video",
    "camera"
  ],
  "policy_version": 1.0
}

Notice that will the contents of the security manifest is updated, the mtime of the symlink was not. click-apparmor currently requires that the mtime be updated. This is due to install_link() in lib/click/hooks.vala:
    if (is_symlink (link) && FileUtils.read_link (link) == target)
            return;

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2016-03-08:

Actually, in examining this more closely, adjusting click-apparmor in this manner will trigger a full policy recompile on first boot after upgrade. Pat, please let me know if this is acceptable. If not, click could be adjusted as I suggested and this would not trigger a policy recompile.

Changed in canonical-devices-system-image:
status:	Confirmed → Incomplete
assignee:	Jamie Strandboge (jdstrand) → nobody
Changed in click-apparmor (Ubuntu):
status:	Confirmed → Incomplete
assignee:	nobody → Pat McGowan (pat-mcgowan)

Revision history for this message

Pat McGowan (pat-mcgowan) wrote on 2016-03-09:

Lets go with the click fix

Changed in canonical-devices-system-image:
assignee:	nobody → Alejandro J. Cura (alecu)
importance:	Undecided → Medium
milestone:	none → backlog
status:	Incomplete → Confirmed

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2016-03-09:

I'm not familiar with the click codebase, but I wanted to explicitly state that when updating the symlink, be sure that you only update the symlink for the package that is being installed and not all symlinks for other installed packages. Otherwise all the symlinks's mtimes will be updated and all policy will be recompiled when an app is installed.

Changed in click-apparmor (Ubuntu):
status:	Incomplete → Won't Fix
assignee:	Pat McGowan (pat-mcgowan) → nobody

Pat McGowan (pat-mcgowan) on 2016-05-19

Changed in canonical-developer-experience:
assignee:	nobody → Alejandro J. Cura (alecu)
importance:	Undecided → Medium
status:	New → Confirmed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2016-07-05:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in click (Ubuntu):
status:	New → Confirmed

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.