Merge ~ahasenack/ubuntu/+source/rsyslog:lunar-rsyslog-enable-apparmor-dep8-take4-dot-d into ubuntu/+source/rsyslog:ubuntu/devel
Status: | Merged
---|---
Approved by: | git-ubuntu bot
Approved revision: | not available
Merged at revision: | 76271daab8cbf6a7bf649bd3e5a3c2e15139d8c1
Proposed branch: | ~ahasenack/ubuntu/+source/rsyslog:lunar-rsyslog-enable-apparmor-dep8-take4-dot-d
Merge into: | ubuntu/+source/rsyslog:ubuntu/devel
Diff against target: 774 lines (+556/-24), 26 files modified
debian/NEWS (+30/-0), debian/README.apparmor (+132/-0), debian/README.apparmor.rsyslog.d (+16/-0), debian/apparmor/rsyslog-gnutls.apparmor (+3/-0), debian/apparmor/rsyslog-mysql.apparmor (+20/-0), debian/apparmor/rsyslog-openssl.apparmor (+3/-0), debian/apparmor/rsyslog-pgsql.apparmor (+9/-0), debian/changelog (+42/-0), debian/reload-apparmor-profile (+14/-0), debian/rsyslog-gnutls.install (+1/-0), debian/rsyslog-mysql.install (+1/-0), debian/rsyslog-openssl.install (+1/-0), debian/rsyslog-pgsql.install (+1/-0), debian/rsyslog.dirs (+1/-1), debian/rsyslog.docs (+1/-0), debian/rsyslog.install (+2/-0), debian/rsyslog.postinst (+7/-0), debian/rsyslog.preinst (+0/-15), debian/rsyslog.service (+2/-0), debian/tests/apparmor-include-mechanism (+92/-0), debian/tests/control (+19/-0), debian/tests/simple-logger (+36/-0), debian/tests/simple-mysql (+42/-0), debian/tests/simple-pgsql (+38/-0), debian/tests/utils (+41/-0), debian/usr.sbin.rsyslogd (+2/-8)
Related bugs:
Reviewer | Review Type | Date Requested | Status
---|---|---|---
git-ubuntu bot | Approve | |
Athos Ribeiro (community) | Approve | |
Simon Déziel (community) | Approve | |
Canonical Server Core Reviewers | Pending | |
Canonical Server Reporter | Pending | |
Review via email: mp+436955@code.launchpad.net
Description of the change
Enable apparmor in enforce mode by default on fresh installs. UPDATE: upgrades from older versions (< $this-version) WILL change the confinement status.
PPA: https:/
LP won't run the DEP8 tests because this package never had such tests before, so you will have to run them locally. Bileto also didn't work, they are queued up for days (and against an older version of this work, so don't bother): https:/
This is take 4 of my experiments with enforcing apparmor on rsyslog. How it works is documented in the new d/README.apparmor file.
It's a lot of delta to add at first glance, but I think it's easy to maintain as it's mostly new files, and small touches in existing ones. More importantly, no dependency or packaging changes, and we have tests :)
I checked the whole archive (with apt-file find) for packages that install files in /etc/rsyslog.d, looking for the ones that would violate the current apparmor rules (I know this misses packages that generate those config files in postinst). I found two:
prometheus-
This package adds a rsyslog config that tells it to log mail messages to /var/lib/
The change is simple (I think):
UPDATE 2022-02-11: that is no longer needed, as debian's latest upload of this package gave up on the custom mail.log file and is now using the normal /var/log/mail.log one, which is covered by the normal rsyslog apparmor profile.
octopussy
This one I didn't bother updating, because a) it's removed from debian; b) it's broken even without these apparmor changes. But the change would be the same approach as prometheus-
I still have other bin:rsyslog-* packages (from src:rsyslog) to go over, but the approach is the same, and I think it's time to get this reviewed and hopefully uploaded.
# Sending to debian
Before sending any of this to debian, we need to see how it will work out in practice for us.
# Merge from debian
There is a new debian upload which needs merging, and I commit to that after this branch.
# Take4? What's in take1, 2, and 3?
Just as a summary of what I tried previously, in case you are wondering "why didn't you try X?". If you want more details about those attempts, ask.
## Triggers
Work beautifully, but run too late. I found out many packages (part of rsyslog, and third party ones) restart rsyslog in their postinst, even though there is a trigger for that (just place a file in /etc/rsyslog.d and the trigger will restart rsyslog at the end of the apt/dpkg transaction). This meant that for a while rsyslog would be running without the apparmor changes applied by the trigger, and that was enough to cause it to fail.
## Config file analysis
This looked promising, and I can still use it in the future if I want, but as the sole method of adjusting the apparmor profile, it's complicated. I can easily enough get a full dump of the whole config file, with all the included files, but the problem is that rsyslog supports 3 config languages: very old syslog, old syslog, and current rainer script. The last two are hard to parse, as they can be multi-line and have "if" statements and so on. "grep" only takes me so far. I can still use this for some cases, at least to warn the user that something might not work, like when the "omprog" plugin is used (or pipe), as this one can call out to any binary on the system, anywhere.
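As an added example (not code from this merge proposal or from the rsyslog packaging), here is a heuristic scanner in the spirit of the config-file analysis described above: it walks rsyslog configuration text in all three dialects (sysklogd selector lines, legacy `$`-directives and RainerScript `action()` blocks) and flags the directives that would make rsyslogd step outside a log-only AppArmor profile: `omprog` actions and the legacy `^`/`:omprog:` program actions, named pipes, and file targets outside /var/log. The directive syntax is rsyslog's; the sample config, the `/var/log/` allow-list and every path in them are constructed for the demo, and a real rule set would come from the package's profile, not from this script.

```python
"""Heuristic scan of rsyslog configuration for directives that leave a
log-only AppArmor profile.

Added example, not code from the merge proposal or the rsyslog package.
It covers the three config dialects named in the description: sysklogd
selector lines, legacy $-directives and RainerScript action() blocks.
The sample config, the allow-list and every path in them are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Directories a log-only profile is assumed to permit writing under.
# Constructed for this example; the real rules live in usr.sbin.rsyslogd.
ALLOWED_LOG_DIRS = ("/var/log/",)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str    # "omprog" (runs a binary), "pipe" (named pipe), "file" (outside allow-list)
    target: str  # the binary or path the directive names


# RainerScript: action(type="omprog" binary="/path" ...), possibly spanning lines.
_RS_ACTION = re.compile(r'\baction\s*\((?P<body>[^)]*)\)', re.IGNORECASE)
_RS_PARAM = re.compile(r'(?P<key>\w+)\s*=\s*"(?P<val>[^"]*)"')
# Legacy directive loading the program-execution output module.
_LEGACY_MODLOAD = re.compile(r'^[ \t]*\$ModLoad[ \t]+omprog\b', re.IGNORECASE | re.MULTILINE)
# sysklogd selector lines: "<selector>  <action>", where the action is
#   |/path  named pipe          ^/path  execute a program (needs omprog)
#   :omprog:  program via omprog  /path or -/path  plain log file
_SYSKLOGD = re.compile(
    r'^[ \t]*(?P<sel>[^\s#$][^\s]*)[ \t]+(?P<act>[|^\-]?/\S+|:omprog:\S*)', re.MULTILINE)


def strip_comments(text: str) -> str:
    """Blank out full-line '#' comments but keep line numbering intact."""
    return re.sub(r'^[ \t]*#.*$', '', text, flags=re.MULTILINE)


def _lineno(text: str, pos: int) -> int:
    return text.count("\n", 0, pos) + 1


def _outside_allowed(path: str) -> bool:
    return not any(path.startswith(d) for d in ALLOWED_LOG_DIRS)


def scan(conf: str) -> list[Finding]:
    """Return findings sorted by line; an empty list means nothing to warn about."""
    text = strip_comments(conf)
    found: list[Finding] = []

    for m in _LEGACY_MODLOAD.finditer(text):
        found.append(Finding(_lineno(text, m.start()), "omprog", "$ModLoad omprog"))

    for m in _RS_ACTION.finditer(text):
        params = {k.lower(): v for k, v in _RS_PARAM.findall(m.group("body"))}
        ln = _lineno(text, m.start())
        atype = params.get("type", "").lower()
        if atype == "omprog":
            found.append(Finding(ln, "omprog", params.get("binary", "<unset>")))
        elif atype == "omfile":
            path = params.get("file")
            if path and _outside_allowed(path):
                found.append(Finding(ln, "file", path))

    for m in _SYSKLOGD.finditer(text):
        act, ln = m.group("act"), _lineno(text, m.start())
        if act.startswith("|"):
            found.append(Finding(ln, "pipe", act[1:]))
        elif act.startswith("^"):
            found.append(Finding(ln, "omprog", act[1:]))
        elif act.startswith(":omprog:"):
            found.append(Finding(ln, "omprog", act))
        else:
            path = act.lstrip("-")
            if _outside_allowed(path):
                found.append(Finding(ln, "file", path))

    return sorted(found, key=lambda f: f.line_no)


# Constructed sample mixing the three dialects; no real package ships this.
SAMPLE_CONF = """\
# constructed sample: legacy directive, sysklogd selectors, RainerScript
$ModLoad omprog
mail.*          -/var/log/mail.log
mail.*          /var/lib/example-exporter/mail.log
local0.*        |/run/example/pipe
local1.*        ^/usr/local/bin/notify-admin
if $programname == 'sshd' then {
    action(type="omprog"
           binary="/usr/local/bin/sshd-alert")
    action(type="omfile" file="/var/log/sshd-alerts.log")
}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_CONF):
        print(f"line {f.line_no}: {f.kind} -> {f.target} (not covered by a log-only profile)")
```

Running the block on the sample reports the `$ModLoad omprog` directive, the file under /var/lib, the named pipe and both program actions, while the two /var/log targets stay silent. It is deliberately a warning tool: it does not try to be a full RainerScript parser, it only strips full-line comments, and it will miss programs started through other means, which is the limitation the description acknowledges.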
Thanks for working on this, I'll happily take it for a test drive!
You cannot include <rsyslog/include.d/*.apparmor> but you can include a whole directory:
include if exists <rsyslog/include.d/>
What do you think?