Ubuntu
apparmor package

Merge ~sergiodj/ubuntu/+source/apparmor:bug1872564-boot_id-rule-missing into ubuntu/+source/apparmor:ubuntu/groovy-devel

  1. Git
  2. lp:~sergiodj/ubuntu/+source/apparmor
  3. bug1872564-boot_id-rule-missing
  4. Merge into ubuntu/groovy-devel
Proposed by Sergio Durigan Junior
Status: Merged
Approved by: Christian Ehrhardt 
Approved revision: 2d16cbb2663ef2ea0e88d89f87eef8b40eed8e20
Merged at revision: 2d16cbb2663ef2ea0e88d89f87eef8b40eed8e20
Proposed branch: ~sergiodj/ubuntu/+source/apparmor:bug1872564-boot_id-rule-missing
Merge into: ubuntu/+source/apparmor:ubuntu/groovy-devel
Diff against target: 169 lines (+124/-0)
6 files modified
debian/apparmor.install (+1/-0)
debian/changelog (+14/-0)
debian/patches/series (+3/-0)
debian/patches/upstream-commit-1f319c3870-abstractions-nameservice-allow-accessing-run-systemd-user.patch (+37/-0)
debian/patches/upstream-commit-454fca7-Add-run-variable.patch (+47/-0)
debian/patches/upstream-commit-ef591a67-Add-trailing-slash-to-the-run-variable-definition.patch (+22/-0)
Reviewer Review Type Date Requested Status
Christian Ehrhardt  (community) Approve
Steve Beattie (community) Approve
Canonical Server Pending
Canonical Server Core Reviewers Pending
Review via email: mp+383686@code.launchpad.net

Description of the change

apparmor shipped on groovy lacks a rule to allow accessing the file '/proc/sys/kernel/random/boot_id', which systemd needs to be able to read in order to start some types of services. Specifically, if a service performs a nsswitch query in order to, e.g., drop privileges, or if a service's Type is "notify", then systemd will attempt to read the value of the 'boot_id' file and apparmor will not allow it.

The fix, which is cherry-picked from upstream, is to extend the current 'abstractions/nameservice' profile and add the necessary entry to allow read access to the 'boot_id' file. While at it, and for completeness sake, I kept the full commit content intact, which means that two other systemd-related rules will be added (needed to access files under '/run/systemd').

Another simple upstream commit had to be cherry-picked in order to import the definition of the variable '@{run}'.

The upstream commits are:

https://gitlab.com/apparmor/apparmor/-/commit/454fca7
https://gitlab.com/apparmor/apparmor/-/commit/1f319c3

There's a PPA with the changes here:

https://launchpad.net/~sergiodj/+archive/ubuntu/apparmor-bug1872564

autopkgtest is still happy:

autopkgtest [20:43:50]: test command1: /bin/true
autopkgtest [20:43:50]: test command1: [-----------------------
autopkgtest [20:43:50]: test command1: -----------------------]
autopkgtest [20:43:51]: test command1: - - - - - - - - - - results - - - - - - - - - -
command1 PASS (superficial)
autopkgtest [20:43:51]: @@@@@@@@@@@@@@@@@@@@ summary
compile-policy PASS
test-installed PASS (superficial)
command1 PASS (superficial)

To post a comment you must log in.
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Generally LGTM, I also added a focal task to the bug to later SRU it once groovy is fixed.

Changelog, patch headers and such look good.

The only thing that I found is that there was a follow on fix which IMHO should be included as well:
=> https://gitlab.com/apparmor/apparmor/-/commit/ef591a67cedc1da0676b26448ea96fa8c073c253
Due to that the state is "needs fixing", but other than this is already seems to be good.

Finally I'll add a review-slot for Ubuntu-security. That isn't strictly needed, but usually a good practice on security related changes.

review: Needs Fixing
Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

On Monday, May 11 2020, Christian Ehrhardt  wrote:

> Generally LGTM, I also added a focal task to the bug to later SRU it once groovy is fixed.

Thanks, Christian. I was going to ask if we should mark the bug as
"found in focal" as well.

> The only thing that I found is that there was a follow on fix which IMHO should be included as well:
> => https://gitlab.com/apparmor/apparmor/-/commit/ef591a67cedc1da0676b26448ea96fa8c073c253
> Due to that the state is "needs fixing", but other than this is already seems to be good.

Ops, good catch. Thanks, I'll make sure to cherry-pick this patch as well.

> Finally I'll add a review-slot for Ubuntu-security. That isn't strictly needed, but usually a good practice on security related changes.

This was something I was also planning to ask. Andreas mentioned that
it'd be good to add a slot for ubuntu-security, but I was sure if it was
for this upload specifically.

Thanks, I'll force-push an update soon.

--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14

Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

On Monday, May 11 2020, Christian Ehrhardt  wrote:

> The only thing that I found is that there was a follow on fix which IMHO should be included as well:
> => https://gitlab.com/apparmor/apparmor/-/commit/ef591a67cedc1da0676b26448ea96fa8c073c253
> Due to that the state is "needs fixing", but other than this is already seems to be good.

I was wondering here how I could have missed the commit above... And
now I know! This commit was only applied to master, but I was only
considering the apparmor-2.13 branch when cherry-picking patches.

So yeah, there you go...

Thanks

--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14

Revision history for this message
Steve Beattie (sbeattie) wrote :

This all looks good to me, on behalf of the Ubuntu Security team.

(I'm not sure why the second fix, to add a trailing slash to the @run definitions didn't get pulled back upstream; I'll submit a merge request for that. Thanks for pointing it out!)

review: Approve
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Patches are complete now and security review is in as well (Thanks Steve).

+1 Sergio

Do you have any last minute tests to complete on this or is this ready for sponsoring?

review: Approve
Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

On Tuesday, May 12 2020, Christian Ehrhardt  wrote:

> Patches are complete now and security review is in as well (Thanks Steve).
>
> +1 Sergio

Thanks, Christian!

> Do you have any last minute tests to complete on this or is this ready for sponsoring?

Nope, it's all done. Feel free to upload it when you can :-).

Thanks again!

--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

To ssh://git.launchpad.net/ubuntu/+source/apparmor
 * [new tag] upload/2.13.3-7ubuntu6 -> upload/2.13.3-7ubuntu6

Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading apparmor_2.13.3-7ubuntu6.dsc: done.
  Uploading apparmor_2.13.3-7ubuntu6.debian.tar.xz: done.
  Uploading apparmor_2.13.3-7ubuntu6_source.buildinfo: done.
  Uploading apparmor_2.13.3-7ubuntu6_source.changes: done.
Successfully uploaded packages.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/debian/apparmor.install b/debian/apparmor.install
2index 208b96a..46a3f63 100644
3--- a/debian/apparmor.install
4+++ b/debian/apparmor.install
5@@ -16,6 +16,7 @@ etc/apparmor.d/tunables/kernelvars
6 etc/apparmor.d/tunables/multiarch
7 etc/apparmor.d/tunables/multiarch.d
8 etc/apparmor.d/tunables/proc
9+etc/apparmor.d/tunables/run
10 etc/apparmor.d/tunables/securityfs
11 etc/apparmor.d/tunables/share
12 etc/apparmor.d/tunables/sys
13diff --git a/debian/changelog b/debian/changelog
14index dd1a5b2..eb99e70 100644
15--- a/debian/changelog
16+++ b/debian/changelog
17@@ -1,3 +1,17 @@
18+apparmor (2.13.3-7ubuntu6) groovy; urgency=medium
19+
20+ * Add missing "boot_id" rule to abstractions/nameservice. (LP: #1872564)
21+ - d/p/upstream-commit-454fca7-Add-run-variable.patch: Add the
22+ definition for the "@{run}" variable.
23+ - d/p/upstream-commit-ef591a67-Add-trailing-slash-to-the-run-variable-definition.patch:
24+ Add trailing slash to the "@{run}" variable.
25+ - d/p/upstream-commit-1f319c3870-abstractions-nameservice-allow-accessing-run-systemd-user.patch:
26+ Add a missing rule to allow systemd to access
27+ @{PROC}/sys/kernel/random/boot_id and @{run}/systemd/userdb.
28+ - d/apparmor.install: Install new file 'tunables/run' under '/etc/apparmor.d'.
29+
30+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 11 May 2020 09:55:16 -0400
31+
32 apparmor (2.13.3-7ubuntu5) focal; urgency=medium
33
34 * snapd 2.44.3+20.04 introduced an apparmor unit of its own to load snap
35diff --git a/debian/patches/series b/debian/patches/series
36index 04a6ed1..4910b2b 100644
37--- a/debian/patches/series
38+++ b/debian/patches/series
39@@ -36,3 +36,6 @@ upstream-mr-442-gnome-user-themes.patch
40 upstream-mr-443-ecryptfs-dirs.patch
41 upstream-mr-445-uuidd-request.patch
42 upstream-mr-464-Mesa_i915_perf_interface.patch
43+upstream-commit-454fca7-Add-run-variable.patch
44+upstream-commit-ef591a67-Add-trailing-slash-to-the-run-variable-definition.patch
45+upstream-commit-1f319c3870-abstractions-nameservice-allow-accessing-run-systemd-user.patch
46diff --git a/debian/patches/upstream-commit-1f319c3870-abstractions-nameservice-allow-accessing-run-systemd-user.patch b/debian/patches/upstream-commit-1f319c3870-abstractions-nameservice-allow-accessing-run-systemd-user.patch
47new file mode 100644
48index 0000000..215ac0c
49--- /dev/null
50+++ b/debian/patches/upstream-commit-1f319c3870-abstractions-nameservice-allow-accessing-run-systemd-user.patch
51@@ -0,0 +1,37 @@
52+From: Sergio Durigan Junior <sergio.durigan@canonical.com>
53+Date: Fri, 8 May 2020 10:13:24 -0400
54+Subject: abstractions/nameservice: allow accessing /run/systemd/userdb/
55+
56+On systems with systemd 245, nss-systemd additionally queries NSS records from systemd-userdbd.service. See https://systemd.io/USER_GROUP_API/ .
57+
58+(cherry picked from commit 16f9f6885aff84123c0b52197f435e40d656c0e4)
59+Fixes: https://gitlab.com/apparmor/apparmor/-/issues/82
60+Signed-off-by: nl6720 <nl6720@gmail.com>
61+Signed-off-by: John Johansen <john.johansen@canonical.com>
62+
63+Author: nl6720 <nl6720@gmail.com>
64+Origin: upstream, https://gitlab.com/apparmor/apparmor/-/commit/1f319c3870287b9a2cfa39e92344c9d35875b811
65+Bug: https://gitlab.com/apparmor/apparmor/-/issues/82
66+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1872564
67+Reviewed-By: Sergio Durigan Junior <sergio.durigan@canonical.com>
68+Last-Update: 2020-05-08
69+---
70+ profiles/apparmor.d/abstractions/nameservice | 5 +++++
71+ 1 file changed, 5 insertions(+)
72+
73+diff --git a/profiles/apparmor.d/abstractions/nameservice b/profiles/apparmor.d/abstractions/nameservice
74+index 4ebecfd..a04a30a 100644
75+--- a/profiles/apparmor.d/abstractions/nameservice
76++++ b/profiles/apparmor.d/abstractions/nameservice
77+@@ -29,6 +29,11 @@
78+ /var/lib/extrausers/group r,
79+ /var/lib/extrausers/passwd r,
80+
81++ # NSS records from systemd-userdbd.service
82++ @{run}/systemd/userdb/ r,
83++ @{run}/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,
84++ @{PROC}/sys/kernel/random/boot_id r,
85++
86+ # When using sssd, the passwd and group files are stored in an alternate path
87+ # and the nss plugin also needs to talk to a pipe
88+ /var/lib/sss/mc/group r,
89diff --git a/debian/patches/upstream-commit-454fca7-Add-run-variable.patch b/debian/patches/upstream-commit-454fca7-Add-run-variable.patch
90new file mode 100644
91index 0000000..9e14672
92--- /dev/null
93+++ b/debian/patches/upstream-commit-454fca7-Add-run-variable.patch
94@@ -0,0 +1,47 @@
95+From: nl6720 <nl6720@gmail.com>
96+Date: Thu, 13 Feb 2020 09:58:33 +0200
97+Subject: Add "run" variable
98+
99+Signed-off-by: nl6720 <nl6720@gmail.com>
100+(cherry picked from commit 452b5b8735e449cba29a1fb25c9bff38ba8763ec)
101+
102+Author: nl6720 <nl6720@gmail.com>
103+Origin: upstream, https://gitlab.com/apparmor/apparmor/-/commit/454fca7483eae7b7ee613343c2c02abaa20e37e3
104+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1872564
105+Reviewed-By: Sergio Durigan Junior <sergio.durigan@canonical.com>
106+Last-Update: 2020-05-08
107+---
108+ parser/apparmor.d.pod | 1 +
109+ profiles/apparmor.d/tunables/global | 1 +
110+ profiles/apparmor.d/tunables/run | 1 +
111+ 3 files changed, 3 insertions(+)
112+ create mode 100644 profiles/apparmor.d/tunables/run
113+
114+diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod
115+index db904ed..d9dff30 100644
116+--- a/parser/apparmor.d.pod
117++++ b/parser/apparmor.d.pod
118+@@ -1279,6 +1279,7 @@ provided AppArmor policy:
119+ @{apparmorfs}
120+ @{sys}
121+ @{tid}
122++ @{run}
123+ @{XDG_DESKTOP_DIR}
124+ @{XDG_DOWNLOAD_DIR}
125+ @{XDG_TEMPLATES_DIR}
126+diff --git a/profiles/apparmor.d/tunables/global b/profiles/apparmor.d/tunables/global
127+index 28d6fc6..3b6f99c 100644
128+--- a/profiles/apparmor.d/tunables/global
129++++ b/profiles/apparmor.d/tunables/global
130+@@ -19,3 +19,4 @@
131+ #include <tunables/kernelvars>
132+ #include <tunables/xdg-user-dirs>
133+ #include <tunables/share>
134++#include <tunables/run>
135+diff --git a/profiles/apparmor.d/tunables/run b/profiles/apparmor.d/tunables/run
136+new file mode 100644
137+index 0000000..e535d2f
138+--- /dev/null
139++++ b/profiles/apparmor.d/tunables/run
140+@@ -0,0 +1 @@
141++@{run}=/run /var/run
142diff --git a/debian/patches/upstream-commit-ef591a67-Add-trailing-slash-to-the-run-variable-definition.patch b/debian/patches/upstream-commit-ef591a67-Add-trailing-slash-to-the-run-variable-definition.patch
143new file mode 100644
144index 0000000..97fede3
145--- /dev/null
146+++ b/debian/patches/upstream-commit-ef591a67-Add-trailing-slash-to-the-run-variable-definition.patch
147@@ -0,0 +1,22 @@
148+From: nl6720 <nl6720@gmail.com>
149+Date: Thu, 20 Feb 2020 10:40:22 +0200
150+Subject: Add trailing slash to the run variable definition
151+
152+Signed-off-by: nl6720 <nl6720@gmail.com>
153+
154+Author: nl6720 <nl6720@gmail.com>
155+Origin: upstream, https://gitlab.com/apparmor/apparmor/-/commit/ef591a67cedc1da0676b26448ea96fa8c073c253
156+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1872564
157+Reviewed-By: Sergio Durigan Junior <sergio.durigan@canonical.com>
158+Last-Update: 2020-05-08
159+---
160+ profiles/apparmor.d/tunables/run | 2 +-
161+ 1 file changed, 1 insertion(+), 1 deletion(-)
162+
163+diff --git a/profiles/apparmor.d/tunables/run b/profiles/apparmor.d/tunables/run
164+index e535d2f..5b81925 100644
165+--- a/profiles/apparmor.d/tunables/run
166++++ b/profiles/apparmor.d/tunables/run
167+@@ -1 +1 @@
168+-@{run}=/run /var/run
169++@{run}=/run/ /var/run/

Subscribers

People subscribed via source and target branches