Ubuntu
apparmor package

Merge ~sergiodj/ubuntu/+source/apparmor:bug1872564-boot_id-rule-missing into ubuntu/+source/apparmor:ubuntu/groovy-devel

  1. Git
  2. lp:~sergiodj/ubuntu/+source/apparmor
  3. bug1872564-boot_id-rule-missing
  4. Merge into ubuntu/groovy-devel
Proposed by Sergio Durigan Junior
Status: Merged
Approved by: Christian Ehrhardt 
Approved revision: 2d16cbb2663ef2ea0e88d89f87eef8b40eed8e20
Merged at revision: 2d16cbb2663ef2ea0e88d89f87eef8b40eed8e20
Proposed branch: ~sergiodj/ubuntu/+source/apparmor:bug1872564-boot_id-rule-missing
Merge into: ubuntu/+source/apparmor:ubuntu/groovy-devel
Diff against target: 169 lines (+124/-0)
6 files modified
debian/apparmor.install (+1/-0)
debian/changelog (+14/-0)
debian/patches/series (+3/-0)
debian/patches/upstream-commit-1f319c3870-abstractions-nameservice-allow-accessing-run-systemd-user.patch (+37/-0)
debian/patches/upstream-commit-454fca7-Add-run-variable.patch (+47/-0)
debian/patches/upstream-commit-ef591a67-Add-trailing-slash-to-the-run-variable-definition.patch (+22/-0)
Reviewer Review Type Date Requested Status
Christian Ehrhardt  (community) Approve
Steve Beattie (community) Approve
Canonical Server Pending
Canonical Server Core Reviewers Pending
Review via email: mp+383686@code.launchpad.net

Description of the change

apparmor shipped on groovy lacks a rule to allow accessing the file '/proc/sys/kernel/random/boot_id', which systemd needs to be able to read in order to start some types of services. Specifically, if a service performs a nsswitch query in order to, e.g., drop privileges, or if a service's Type is "notify", then systemd will attempt to read the value of the 'boot_id' file and apparmor will not allow it.

The fix, which is cherry-picked from upstream, is to extend the current 'abstractions/nameservice' profile and add the necessary entry to allow read access to the 'boot_id' file. While at it, and for completeness sake, I kept the full commit content intact, which means that two other systemd-related rules will be added (needed to access files under '/run/systemd').

Another simple upstream commit had to be cherry-picked in order to import the definition of the variable '@{run}'.

The upstream commits are:

https://gitlab.com/apparmor/apparmor/-/commit/454fca7
https://gitlab.com/apparmor/apparmor/-/commit/1f319c3

There's a PPA with the changes here:

https://launchpad.net/~sergiodj/+archive/ubuntu/apparmor-bug1872564

autopkgtest is still happy:

autopkgtest [20:43:50]: test command1: /bin/true
autopkgtest [20:43:50]: test command1: [-----------------------
autopkgtest [20:43:50]: test command1: -----------------------]
autopkgtest [20:43:51]: test command1: - - - - - - - - - - results - - - - - - - - - -
command1 PASS (superficial)
autopkgtest [20:43:51]: @@@@@@@@@@@@@@@@@@@@ summary
compile-policy PASS
test-installed PASS (superficial)
command1 PASS (superficial)

To post a comment you must log in.
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Generally LGTM, I also added a focal task to the bug to later SRU it once groovy is fixed.

Changelog, patch headers and such look good.

The only thing that I found is that there was a follow on fix which IMHO should be included as well:
=> https://gitlab.com/apparmor/apparmor/-/commit/ef591a67cedc1da0676b26448ea96fa8c073c253
Due to that the state is "needs fixing", but other than this is already seems to be good.

Finally I'll add a review-slot for Ubuntu-security. That isn't strictly needed, but usually a good practice on security related changes.

review: Needs Fixing
Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

On Monday, May 11 2020, Christian Ehrhardt  wrote:

> Generally LGTM, I also added a focal task to the bug to later SRU it once groovy is fixed.

Thanks, Christian. I was going to ask if we should mark the bug as
"found in focal" as well.

> The only thing that I found is that there was a follow on fix which IMHO should be included as well:
> => https://gitlab.com/apparmor/apparmor/-/commit/ef591a67cedc1da0676b26448ea96fa8c073c253
> Due to that the state is "needs fixing", but other than this is already seems to be good.

Ops, good catch. Thanks, I'll make sure to cherry-pick this patch as well.

> Finally I'll add a review-slot for Ubuntu-security. That isn't strictly needed, but usually a good practice on security related changes.

This was something I was also planning to ask. Andreas mentioned that
it'd be good to add a slot for ubuntu-security, but I was sure if it was
for this upload specifically.

Thanks, I'll force-push an update soon.

--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14

Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

On Monday, May 11 2020, Christian Ehrhardt  wrote:

> The only thing that I found is that there was a follow on fix which IMHO should be included as well:
> => https://gitlab.com/apparmor/apparmor/-/commit/ef591a67cedc1da0676b26448ea96fa8c073c253
> Due to that the state is "needs fixing", but other than this is already seems to be good.

I was wondering here how I could have missed the commit above... And
now I know! This commit was only applied to master, but I was only
considering the apparmor-2.13 branch when cherry-picking patches.

So yeah, there you go...

Thanks

--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14

Revision history for this message
Steve Beattie (sbeattie) wrote :

This all looks good to me, on behalf of the Ubuntu Security team.

(I'm not sure why the second fix, to add a trailing slash to the @run definitions didn't get pulled back upstream; I'll submit a merge request for that. Thanks for pointing it out!)

review: Approve
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Patches are complete now and security review is in as well (Thanks Steve).

+1 Sergio

Do you have any last minute tests to complete on this or is this ready for sponsoring?

review: Approve
Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

On Tuesday, May 12 2020, Christian Ehrhardt  wrote:

> Patches are complete now and security review is in as well (Thanks Steve).
>
> +1 Sergio

Thanks, Christian!

> Do you have any last minute tests to complete on this or is this ready for sponsoring?

Nope, it's all done. Feel free to upload it when you can :-).

Thanks again!

--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

To ssh://git.launchpad.net/ubuntu/+source/apparmor
 * [new tag] upload/2.13.3-7ubuntu6 -> upload/2.13.3-7ubuntu6

Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading apparmor_2.13.3-7ubuntu6.dsc: done.
  Uploading apparmor_2.13.3-7ubuntu6.debian.tar.xz: done.
  Uploading apparmor_2.13.3-7ubuntu6_source.buildinfo: done.
  Uploading apparmor_2.13.3-7ubuntu6_source.changes: done.
Successfully uploaded packages.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
diff --git a/debian/apparmor.install b/debian/apparmor.install
index 208b96a..46a3f63 100644
--- a/debian/apparmor.install
+++ b/debian/apparmor.install
@@ -16,6 +16,7 @@ etc/apparmor.d/tunables/kernelvars
16etc/apparmor.d/tunables/multiarch16etc/apparmor.d/tunables/multiarch
17etc/apparmor.d/tunables/multiarch.d17etc/apparmor.d/tunables/multiarch.d
18etc/apparmor.d/tunables/proc18etc/apparmor.d/tunables/proc
19etc/apparmor.d/tunables/run
19etc/apparmor.d/tunables/securityfs20etc/apparmor.d/tunables/securityfs
20etc/apparmor.d/tunables/share21etc/apparmor.d/tunables/share
21etc/apparmor.d/tunables/sys22etc/apparmor.d/tunables/sys
diff --git a/debian/changelog b/debian/changelog
index dd1a5b2..eb99e70 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
1apparmor (2.13.3-7ubuntu6) groovy; urgency=medium
2
3 * Add missing "boot_id" rule to abstractions/nameservice. (LP: #1872564)
4 - d/p/upstream-commit-454fca7-Add-run-variable.patch: Add the
5 definition for the "@{run}" variable.
6 - d/p/upstream-commit-ef591a67-Add-trailing-slash-to-the-run-variable-definition.patch:
7 Add trailing slash to the "@{run}" variable.
8 - d/p/upstream-commit-1f319c3870-abstractions-nameservice-allow-accessing-run-systemd-user.patch:
9 Add a missing rule to allow systemd to access
10 @{PROC}/sys/kernel/random/boot_id and @{run}/systemd/userdb.
11 - d/apparmor.install: Install new file 'tunables/run' under '/etc/apparmor.d'.
12
13 -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 11 May 2020 09:55:16 -0400
14
1apparmor (2.13.3-7ubuntu5) focal; urgency=medium15apparmor (2.13.3-7ubuntu5) focal; urgency=medium
216
3 * snapd 2.44.3+20.04 introduced an apparmor unit of its own to load snap17 * snapd 2.44.3+20.04 introduced an apparmor unit of its own to load snap
diff --git a/debian/patches/series b/debian/patches/series
index 04a6ed1..4910b2b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -36,3 +36,6 @@ upstream-mr-442-gnome-user-themes.patch
36upstream-mr-443-ecryptfs-dirs.patch36upstream-mr-443-ecryptfs-dirs.patch
37upstream-mr-445-uuidd-request.patch37upstream-mr-445-uuidd-request.patch
38upstream-mr-464-Mesa_i915_perf_interface.patch38upstream-mr-464-Mesa_i915_perf_interface.patch
39upstream-commit-454fca7-Add-run-variable.patch
40upstream-commit-ef591a67-Add-trailing-slash-to-the-run-variable-definition.patch
41upstream-commit-1f319c3870-abstractions-nameservice-allow-accessing-run-systemd-user.patch
diff --git a/debian/patches/upstream-commit-1f319c3870-abstractions-nameservice-allow-accessing-run-systemd-user.patch b/debian/patches/upstream-commit-1f319c3870-abstractions-nameservice-allow-accessing-run-systemd-user.patch
39new file mode 10064442new file mode 100644
index 0000000..215ac0c
--- /dev/null
+++ b/debian/patches/upstream-commit-1f319c3870-abstractions-nameservice-allow-accessing-run-systemd-user.patch
@@ -0,0 +1,37 @@
1From: Sergio Durigan Junior <sergio.durigan@canonical.com>
2Date: Fri, 8 May 2020 10:13:24 -0400
3Subject: abstractions/nameservice: allow accessing /run/systemd/userdb/
4
5On systems with systemd 245, nss-systemd additionally queries NSS records from systemd-userdbd.service. See https://systemd.io/USER_GROUP_API/ .
6
7(cherry picked from commit 16f9f6885aff84123c0b52197f435e40d656c0e4)
8Fixes: https://gitlab.com/apparmor/apparmor/-/issues/82
9Signed-off-by: nl6720 <nl6720@gmail.com>
10Signed-off-by: John Johansen <john.johansen@canonical.com>
11
12Author: nl6720 <nl6720@gmail.com>
13Origin: upstream, https://gitlab.com/apparmor/apparmor/-/commit/1f319c3870287b9a2cfa39e92344c9d35875b811
14Bug: https://gitlab.com/apparmor/apparmor/-/issues/82
15Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1872564
16Reviewed-By: Sergio Durigan Junior <sergio.durigan@canonical.com>
17Last-Update: 2020-05-08
18---
19 profiles/apparmor.d/abstractions/nameservice | 5 +++++
20 1 file changed, 5 insertions(+)
21
22diff --git a/profiles/apparmor.d/abstractions/nameservice b/profiles/apparmor.d/abstractions/nameservice
23index 4ebecfd..a04a30a 100644
24--- a/profiles/apparmor.d/abstractions/nameservice
25+++ b/profiles/apparmor.d/abstractions/nameservice
26@@ -29,6 +29,11 @@
27 /var/lib/extrausers/group r,
28 /var/lib/extrausers/passwd r,
29
30+ # NSS records from systemd-userdbd.service
31+ @{run}/systemd/userdb/ r,
32+ @{run}/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,
33+ @{PROC}/sys/kernel/random/boot_id r,
34+
35 # When using sssd, the passwd and group files are stored in an alternate path
36 # and the nss plugin also needs to talk to a pipe
37 /var/lib/sss/mc/group r,
diff --git a/debian/patches/upstream-commit-454fca7-Add-run-variable.patch b/debian/patches/upstream-commit-454fca7-Add-run-variable.patch
0new file mode 10064438new file mode 100644
index 0000000..9e14672
--- /dev/null
+++ b/debian/patches/upstream-commit-454fca7-Add-run-variable.patch
@@ -0,0 +1,47 @@
1From: nl6720 <nl6720@gmail.com>
2Date: Thu, 13 Feb 2020 09:58:33 +0200
3Subject: Add "run" variable
4
5Signed-off-by: nl6720 <nl6720@gmail.com>
6(cherry picked from commit 452b5b8735e449cba29a1fb25c9bff38ba8763ec)
7
8Author: nl6720 <nl6720@gmail.com>
9Origin: upstream, https://gitlab.com/apparmor/apparmor/-/commit/454fca7483eae7b7ee613343c2c02abaa20e37e3
10Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1872564
11Reviewed-By: Sergio Durigan Junior <sergio.durigan@canonical.com>
12Last-Update: 2020-05-08
13---
14 parser/apparmor.d.pod | 1 +
15 profiles/apparmor.d/tunables/global | 1 +
16 profiles/apparmor.d/tunables/run | 1 +
17 3 files changed, 3 insertions(+)
18 create mode 100644 profiles/apparmor.d/tunables/run
19
20diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod
21index db904ed..d9dff30 100644
22--- a/parser/apparmor.d.pod
23+++ b/parser/apparmor.d.pod
24@@ -1279,6 +1279,7 @@ provided AppArmor policy:
25 @{apparmorfs}
26 @{sys}
27 @{tid}
28+ @{run}
29 @{XDG_DESKTOP_DIR}
30 @{XDG_DOWNLOAD_DIR}
31 @{XDG_TEMPLATES_DIR}
32diff --git a/profiles/apparmor.d/tunables/global b/profiles/apparmor.d/tunables/global
33index 28d6fc6..3b6f99c 100644
34--- a/profiles/apparmor.d/tunables/global
35+++ b/profiles/apparmor.d/tunables/global
36@@ -19,3 +19,4 @@
37 #include <tunables/kernelvars>
38 #include <tunables/xdg-user-dirs>
39 #include <tunables/share>
40+#include <tunables/run>
41diff --git a/profiles/apparmor.d/tunables/run b/profiles/apparmor.d/tunables/run
42new file mode 100644
43index 0000000..e535d2f
44--- /dev/null
45+++ b/profiles/apparmor.d/tunables/run
46@@ -0,0 +1 @@
47+@{run}=/run /var/run
diff --git a/debian/patches/upstream-commit-ef591a67-Add-trailing-slash-to-the-run-variable-definition.patch b/debian/patches/upstream-commit-ef591a67-Add-trailing-slash-to-the-run-variable-definition.patch
0new file mode 10064448new file mode 100644
index 0000000..97fede3
--- /dev/null
+++ b/debian/patches/upstream-commit-ef591a67-Add-trailing-slash-to-the-run-variable-definition.patch
@@ -0,0 +1,22 @@
1From: nl6720 <nl6720@gmail.com>
2Date: Thu, 20 Feb 2020 10:40:22 +0200
3Subject: Add trailing slash to the run variable definition
4
5Signed-off-by: nl6720 <nl6720@gmail.com>
6
7Author: nl6720 <nl6720@gmail.com>
8Origin: upstream, https://gitlab.com/apparmor/apparmor/-/commit/ef591a67cedc1da0676b26448ea96fa8c073c253
9Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1872564
10Reviewed-By: Sergio Durigan Junior <sergio.durigan@canonical.com>
11Last-Update: 2020-05-08
12---
13 profiles/apparmor.d/tunables/run | 2 +-
14 1 file changed, 1 insertion(+), 1 deletion(-)
15
16diff --git a/profiles/apparmor.d/tunables/run b/profiles/apparmor.d/tunables/run
17index e535d2f..5b81925 100644
18--- a/profiles/apparmor.d/tunables/run
19+++ b/profiles/apparmor.d/tunables/run
20@@ -1 +1 @@
21-@{run}=/run /var/run
22+@{run}=/run/ /var/run/

Subscribers

People subscribed via source and target branches