Provide full AppArmor confinement for snaps on 14.04

Adding a dbus task because its AppArmor mediation patches need to be updated to provide unrequested reply protection to prevent two D-Bus connections from bypassing security policies by communicating via reply and/or error D-Bus messages.

Tyler, are there any packages shipping apparmor profiles in 14.04 that have /not/ been covered by this test plan?

Does the dbus task imply that there need to be any versioned Breaks/Depends between these two SRUs, or are the two packages bidirectionally compatible? (i.e. dbus is needed because the new functionality is not completely enabled until both are updated, but upgrading either one without the other does not introduce any regressions)

On 11/12/2016 12:24 PM, Steve Langasek wrote:
> Tyler, are there any packages shipping apparmor profiles in 14.04 that
> have /not/ been covered by this test plan?

There are some that are not covered. Using the output of
`reverse-depends -br trusty dh-apparmor`, the remainders are:

akonadi
digikam
fwknop
pollen
quassel
telepathy-mission-control-5
tlsdate
tor
vidalia

I feel like the extensive regression testing that is being performed
upstream, along with my QRT changes that run the new parser and kernel
through the old Trusty package's parser and regression tests are
sufficient enough that these remaining packages do not need to be
individually tested. Those test results indicate that the parser is
still putting out the same policy before and after this SRU update.

> Does the dbus task imply that there need to be any versioned
> Breaks/Depends between these two SRUs, or are the two packages
> bidirectionally compatible? (i.e. dbus is needed because the new
> functionality is not completely enabled until both are updated, but
> upgrading either one without the other does not introduce any
> regressions)

Upgrading either one without the other does not introduce any
regressions so there is no need for versioned Breaks/Depeneds between
the two. No AppArmor policy needs to be changed for the dbus SRU.

Moving the apparmor task back to "incomplete" while I gather info for https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1628285/comments/10.

The old apparmor upload has been rejected and I'll be uploading a new version shortly.

Hello Tyler, or anyone else affected,

Accepted dbus into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/dbus/1.6.18-0ubuntu4.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello Tyler, or anyone else affected,

Accepted apparmor into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apparmor/2.10.95-0ubuntu2.5~14.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

I've completed my verification of the apparmor 2.10.95-0ubuntu2.5~14.04.1 SRU. Testing very went well and I did not uncover any issues. I completed the entire Test Case as documented in the bug description. The AppArmor test plan was completed on the 14.04 release and HWE kernels as well as all of the regression tests from QRT. The manual testing of evince was also performed on the release and HWE kernels. Additionally, I ran test-apparmor.py on the i386 release and HWE kernels (all other tests were ran on amd64).

On the HWE kernel, I was able to test apparmor with the snapd in trusty-proposed. The pwgen-tyhicks, hello-world, and lxd snaps all seemed to be working correctly. I created a 16.04 LXD container and verified that confinement was working as intended. I also verified that confinement was working properly with hello-world.sh.

As for the 12.04 -> 14.04 upgrade testing, it also went very well. I installed most major 12.04 packages containing an AppArmor profile, in addition to what's present in a default desktop install, and performed an upgrade:

$ sudo apt-get install slapd mysql-server clamav tcpdump ntp
...

$ sudo aa-status
...
26 profiles are in enforce mode.
   /sbin/dhclient
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//launchpad_integration
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince-thumbnailer//sanitized_helper
   /usr/bin/evince//launchpad_integration
   /usr/bin/evince//sanitized_helper
   /usr/bin/freshclam
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/lightdm/lightdm-guest-session
   /usr/lib/lightdm/lightdm-guest-session//chromium
   /usr/lib/telepathy/mission-control-5
   /usr/lib/telepathy/telepathy-*
   /usr/lib/telepathy/telepathy-*//pxgsettings
   /usr/lib/telepathy/telepathy-*//sanitized_helper
   /usr/lib/telepathy/telepathy-ofono
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
   /usr/sbin/mysqld
   /usr/sbin/ntpd
   /usr/sbin/slapd
   /usr/sbin/tcpdump
...

There were a couple denials logged but they didn't affect the upgrade:

$ grep DENIED /var/log/syslog
Dec 16 18:00:41 sec-precise-amd64 kernel: [ 8267.110822] type=1400 audit(1481911241.875:29): apparmor="DENIED" operation="open" parent=6862 profile="/usr/sbin/slapd" name="/etc/pkcs11/modules/" pid=6873 comm="slapd" requested_mask="r" denied_mask="r" fsuid=118 ouid=0
Dec 16 18:32:21 sec-precise-amd64 kernel: [ 1766.776830] type=1400 audit(1481913141.561:35): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/mysqld" name="/proc/sys/vm/overcommit_memory" pid=29835 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=116 ouid=0

I then performed the same 12.04 -> 14.04 upgrade test except that I didn't use the new apparmor from trusty-proposed and it turns out that I see the same two AppArmor denials:

$ grep DENIED /var/log/syslog
Dec 16 21:03:18 sec-precise-amd64 kernel: [ 739.903410] type=1400 audit(1481922198.702:34): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/mysqld" name="/proc/sys/vm/overcommit_memory" pid=1679 comm="mysqld" requested_mask="r" de...

I've completed my verification of the dbus 1.6.18-0ubuntu4.5 SRU. The documented Test Plan went as expected. It leverages extensive automated tests that were written when the AppArmor D-Bus mediation patch set was upstreamed into the D-Bus project. I am confident of the dbus SRU and feel like it is ready to migrate from proposed.

I'm marking this bug as verification-done since both the apparmor and dbus packages have been verified.

This bug was fixed in the package apparmor - 2.10.95-0ubuntu2.5~14.04.1

---------------
apparmor (2.10.95-0ubuntu2.5~14.04.1) trusty; urgency=medium

  * Bring apparmor 2.10.95-0ubuntu2.5, from Ubuntu 16.04, to Ubuntu 14.04.
    - This allows for proper snap confinement on Ubuntu 14.04 when using the
      hardware enablement kernel (LP: #1641243)
  * Changes made on top of 2.10.95-0ubuntu2.5:
    - debian/apparmor.upstart: Remove the upstart job and continue using the
      init script in 14.04
    - debian/apparmor.postinst, debian/apparmor-profiles.postinst,
      debian/apparmor-profiles.postrm, debian/rules: Revert to using
      invoke-rc.d to load the profiles, rather than reloading them directly,
      since 14.04 will continue using the init script rather than the upstart
      job.
    - debian/apparmor.init, debian/lib/apparmor/functions,
      debian/apparmor.postinst, debian/apparmor.postrm: Remove functionality
      dealing with AppArmor policy in system image based environments since
      this 14.04 package will not need to handle such environments. This
      removes the handle_system_policy_package_updates(),
      compare_previous_version(), compare_and_save_debsums() functions and
      their callers.
    - debian/apparmor.init: Continue using running-in-container since
      systemd-detect-virt doesn't exist on 14.04
    - debian/lib/apparmor/functions, debian/apparmor.init: Remove the
      is_container_with_internal_policy() function and adjust its call sites
      in apparmor.init so that AppArmor policy is not loaded inside of 14.04
      LXD containers (avoids bug #1641236)
    - debian/lib/apparmor/profile-load, debian/apparmor.install: Remove
      profile-load as upstart's apparmor-profile-load is used in 14.04
    - debian/patches/libapparmor-mention-dbus-method-in-getcon-man.patch:
      Continue applying this patch since the dbus version in 14.04 isn't new
      enough to support fetching the AppArmor context from
      org.freedesktop.DBus.GetConnectionCredentials().
    - debian/patches/libapparmor-force-libtoolize-replacement.patch: Force
      libtoolize to replace existing files to fix a libapparmor FTBFS issue on
      14.04.
    - debian/control: Retain the original 14.04 Breaks and ignore the new
      Breaks from 2.10.95-0ubuntu2.5 since they were put in place as part of
      the enablement of UNIX domain socket mediation. They're not needed in
      this upload since UNIX domain socket mediation is disabled by default so
      updates to the profiles included in those packages are not needed.
    - Preserve the profiles and abstractions from 14.04's
      2.8.95~2430-0ubuntu5.3 apparmor package by recreating them in the
      top-level profiles-14.04/ directory of the source. They'll be installed
      to debian/tmp/etc/apparmor.d/ during the build process and then to
      /etc/apparmor.d/ on package install so that there are no changes to the
      shipped profiles or abstractions. The abstractions from
      2.10.95-0ubuntu2.5 will be installed into
      debian/tmp/snap/etc/apparmor.d/ during the build process and then into
      /etc/apparmor.d/snap/abstractions/ on package install for use wit...

The verification of the Stable Release Update for apparmor has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package dbus - 1.6.18-0ubuntu4.5

---------------
dbus (1.6.18-0ubuntu4.5) trusty; urgency=medium

  * debian/patches/unrequested-reply-mediation.patch: Don't let unrequested
    reply messages through and don't audit them. Unrequested reply messages
    are error or method_return messages that are sent from D-Bus connection A
    to D-Bus connection B that do not correspond to any message ever sent by
    D-Bus connection B. They should be quietly dropped as there's no use for
    them outside of malicious activity. Patch based on upstream patches.
    (LP: #1641243)

 -- Tyler Hicks <email address hidden> Wed, 30 Nov 2016 21:44:48 +0000