Ubuntu
apparmor package

Merge ~sergiodj/ubuntu/+source/apparmor:bug1872564-boot_id-rule-missing-focal into ubuntu/+source/apparmor:ubuntu/focal-devel

  1. Git
  2. lp:~sergiodj/ubuntu/+source/apparmor
  3. bug1872564-boot_id-rule-missing-focal
  4. Merge into ubuntu/focal-devel
Proposed by Sergio Durigan Junior
Status: Rejected
Rejected by: Andreas Hasenack
Proposed branch: ~sergiodj/ubuntu/+source/apparmor:bug1872564-boot_id-rule-missing-focal
Merge into: ubuntu/+source/apparmor:ubuntu/focal-devel
Diff against target: 169 lines (+124/-0)
6 files modified
debian/apparmor.install (+1/-0)
debian/changelog (+14/-0)
debian/patches/series (+3/-0)
debian/patches/upstream-commit-1f319c3870-abstractions-nameservice-allow-accessing-run-systemd-user.patch (+37/-0)
debian/patches/upstream-commit-454fca7-Add-run-variable.patch (+47/-0)
debian/patches/upstream-commit-ef591a67-Add-trailing-slash-to-the-run-variable-definition.patch (+22/-0)
Reviewer Review Type Date Requested Status
Christian Ehrhardt  (community) Needs Fixing
Canonical Server Core Reviewers Pending
Canonical Server Pending
Review via email: mp+383796@code.launchpad.net

Description of the change

apparmor shipped on groovy lacks a rule to allow accessing the file '/proc/sys/kernel/random/boot_id', which systemd needs to be able to read in order to start some types of services. Specifically, if a service performs a nsswitch query in order to, e.g., drop privileges, or if a service's Type is "notify", then systemd will attempt to read the value of the 'boot_id' file and apparmor will not allow it.

The fix, which is cherry-picked from upstream, is to extend the current 'abstractions/nameservice' profile and add the necessary entry to allow read access to the 'boot_id' file. While at it, and for completeness sake, I kept the full commit content intact, which means that two other systemd-related rules will be added (needed to access files under '/run/systemd').

Another simple upstream commit had to be cherry-picked in order to import the definition of the variable '@{run}'.

The upstream commits are:

https://gitlab.com/apparmor/apparmor/-/commit/454fca7
https://gitlab.com/apparmor/apparmor/-/commit/1f319c3

There's a PPA with the changes here:

https://launchpad.net/~sergiodj/+archive/ubuntu/apparmor-bug1872564

The groovy MP has been approved here:

https://code.launchpad.net/~sergiodj/ubuntu/+source/apparmor/+git/apparmor/+merge/383686

autopkgtest is still happy:

autopkgtest [12:37:56]: test command1: /bin/true
autopkgtest [12:37:56]: test command1: [-----------------------
autopkgtest [12:37:57]: test command1: -----------------------]
autopkgtest [12:37:57]: test command1: - - - - - - - - - - results - - - - - - - - - -
command1 PASS (superficial)
autopkgtest [12:37:57]: @@@@@@@@@@@@@@@@@@@@ summary
compile-policy PASS
test-installed PASS (superficial)
command1 PASS (superficial)

To post a comment you must log in.
Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

I've just written the SRU for the bug.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

apparmor (2.13.3-7ubuntu6) focal; urgency=medium

On an SRU that has to be

apparmor (2.13.3-7ubuntu5.1) focal; urgency=medium

See https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging

Other than that it LGTM

review: Needs Fixing
Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

On Wednesday, May 13 2020, Christian Ehrhardt  wrote:

> apparmor (2.13.3-7ubuntu6) focal; urgency=medium
>
> On an SRU that has to be
>
> apparmor (2.13.3-7ubuntu5.1) focal; urgency=medium
>
> See https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging
>
>
> Other than that it LGTM

Ahh, I knew I was missing something :-/. I have to remember that this
would be an equivalent to an "NMU" on Debian.

Thanks for the review. I force-pushed the branch with the fix now.

--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Note that this was uploaded to focal-proposed in the meantime:

http://launchpadlibrarian.net/480473812/apparmor_2.13.3-7ubuntu5_2.13.3-7ubuntu5.1.diff.gz

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Going to reject this since it was uploaded already.

There was an error fetching revisions from git servers. Please try again in a few minutes. If the problem persists, contact Launchpad support.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/debian/apparmor.install b/debian/apparmor.install
2index 208b96a..46a3f63 100644
3--- a/debian/apparmor.install
4+++ b/debian/apparmor.install
5@@ -16,6 +16,7 @@ etc/apparmor.d/tunables/kernelvars
6 etc/apparmor.d/tunables/multiarch
7 etc/apparmor.d/tunables/multiarch.d
8 etc/apparmor.d/tunables/proc
9+etc/apparmor.d/tunables/run
10 etc/apparmor.d/tunables/securityfs
11 etc/apparmor.d/tunables/share
12 etc/apparmor.d/tunables/sys
13diff --git a/debian/changelog b/debian/changelog
14index dd1a5b2..9a6dd4b 100644
15--- a/debian/changelog
16+++ b/debian/changelog
17@@ -1,3 +1,17 @@
18+apparmor (2.13.3-7ubuntu5.1) focal; urgency=medium
19+
20+ * Add missing "boot_id" rule to abstractions/nameservice. (LP: #1872564)
21+ - d/p/upstream-commit-454fca7-Add-run-variable.patch: Add the
22+ definition for the "@{run}" variable.
23+ - d/p/upstream-commit-ef591a67-Add-trailing-slash-to-the-run-variable-definition.patch:
24+ Add trailing slash to the "@{run}" variable.
25+ - d/p/upstream-commit-1f319c3870-abstractions-nameservice-allow-accessing-run-systemd-user.patch:
26+ Add a missing rule to allow systemd to access
27+ @{PROC}/sys/kernel/random/boot_id and @{run}/systemd/userdb.
28+ - d/apparmor.install: Install new file 'tunables/run' under '/etc/apparmor.d'.
29+
30+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Wed, 13 May 2020 09:50:52 -0400
31+
32 apparmor (2.13.3-7ubuntu5) focal; urgency=medium
33
34 * snapd 2.44.3+20.04 introduced an apparmor unit of its own to load snap
35diff --git a/debian/patches/series b/debian/patches/series
36index 04a6ed1..4910b2b 100644
37--- a/debian/patches/series
38+++ b/debian/patches/series
39@@ -36,3 +36,6 @@ upstream-mr-442-gnome-user-themes.patch
40 upstream-mr-443-ecryptfs-dirs.patch
41 upstream-mr-445-uuidd-request.patch
42 upstream-mr-464-Mesa_i915_perf_interface.patch
43+upstream-commit-454fca7-Add-run-variable.patch
44+upstream-commit-ef591a67-Add-trailing-slash-to-the-run-variable-definition.patch
45+upstream-commit-1f319c3870-abstractions-nameservice-allow-accessing-run-systemd-user.patch
46diff --git a/debian/patches/upstream-commit-1f319c3870-abstractions-nameservice-allow-accessing-run-systemd-user.patch b/debian/patches/upstream-commit-1f319c3870-abstractions-nameservice-allow-accessing-run-systemd-user.patch
47new file mode 100644
48index 0000000..215ac0c
49--- /dev/null
50+++ b/debian/patches/upstream-commit-1f319c3870-abstractions-nameservice-allow-accessing-run-systemd-user.patch
51@@ -0,0 +1,37 @@
52+From: Sergio Durigan Junior <sergio.durigan@canonical.com>
53+Date: Fri, 8 May 2020 10:13:24 -0400
54+Subject: abstractions/nameservice: allow accessing /run/systemd/userdb/
55+
56+On systems with systemd 245, nss-systemd additionally queries NSS records from systemd-userdbd.service. See https://systemd.io/USER_GROUP_API/ .
57+
58+(cherry picked from commit 16f9f6885aff84123c0b52197f435e40d656c0e4)
59+Fixes: https://gitlab.com/apparmor/apparmor/-/issues/82
60+Signed-off-by: nl6720 <nl6720@gmail.com>
61+Signed-off-by: John Johansen <john.johansen@canonical.com>
62+
63+Author: nl6720 <nl6720@gmail.com>
64+Origin: upstream, https://gitlab.com/apparmor/apparmor/-/commit/1f319c3870287b9a2cfa39e92344c9d35875b811
65+Bug: https://gitlab.com/apparmor/apparmor/-/issues/82
66+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1872564
67+Reviewed-By: Sergio Durigan Junior <sergio.durigan@canonical.com>
68+Last-Update: 2020-05-08
69+---
70+ profiles/apparmor.d/abstractions/nameservice | 5 +++++
71+ 1 file changed, 5 insertions(+)
72+
73+diff --git a/profiles/apparmor.d/abstractions/nameservice b/profiles/apparmor.d/abstractions/nameservice
74+index 4ebecfd..a04a30a 100644
75+--- a/profiles/apparmor.d/abstractions/nameservice
76++++ b/profiles/apparmor.d/abstractions/nameservice
77+@@ -29,6 +29,11 @@
78+ /var/lib/extrausers/group r,
79+ /var/lib/extrausers/passwd r,
80+
81++ # NSS records from systemd-userdbd.service
82++ @{run}/systemd/userdb/ r,
83++ @{run}/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,
84++ @{PROC}/sys/kernel/random/boot_id r,
85++
86+ # When using sssd, the passwd and group files are stored in an alternate path
87+ # and the nss plugin also needs to talk to a pipe
88+ /var/lib/sss/mc/group r,
89diff --git a/debian/patches/upstream-commit-454fca7-Add-run-variable.patch b/debian/patches/upstream-commit-454fca7-Add-run-variable.patch
90new file mode 100644
91index 0000000..9e14672
92--- /dev/null
93+++ b/debian/patches/upstream-commit-454fca7-Add-run-variable.patch
94@@ -0,0 +1,47 @@
95+From: nl6720 <nl6720@gmail.com>
96+Date: Thu, 13 Feb 2020 09:58:33 +0200
97+Subject: Add "run" variable
98+
99+Signed-off-by: nl6720 <nl6720@gmail.com>
100+(cherry picked from commit 452b5b8735e449cba29a1fb25c9bff38ba8763ec)
101+
102+Author: nl6720 <nl6720@gmail.com>
103+Origin: upstream, https://gitlab.com/apparmor/apparmor/-/commit/454fca7483eae7b7ee613343c2c02abaa20e37e3
104+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1872564
105+Reviewed-By: Sergio Durigan Junior <sergio.durigan@canonical.com>
106+Last-Update: 2020-05-08
107+---
108+ parser/apparmor.d.pod | 1 +
109+ profiles/apparmor.d/tunables/global | 1 +
110+ profiles/apparmor.d/tunables/run | 1 +
111+ 3 files changed, 3 insertions(+)
112+ create mode 100644 profiles/apparmor.d/tunables/run
113+
114+diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod
115+index db904ed..d9dff30 100644
116+--- a/parser/apparmor.d.pod
117++++ b/parser/apparmor.d.pod
118+@@ -1279,6 +1279,7 @@ provided AppArmor policy:
119+ @{apparmorfs}
120+ @{sys}
121+ @{tid}
122++ @{run}
123+ @{XDG_DESKTOP_DIR}
124+ @{XDG_DOWNLOAD_DIR}
125+ @{XDG_TEMPLATES_DIR}
126+diff --git a/profiles/apparmor.d/tunables/global b/profiles/apparmor.d/tunables/global
127+index 28d6fc6..3b6f99c 100644
128+--- a/profiles/apparmor.d/tunables/global
129++++ b/profiles/apparmor.d/tunables/global
130+@@ -19,3 +19,4 @@
131+ #include <tunables/kernelvars>
132+ #include <tunables/xdg-user-dirs>
133+ #include <tunables/share>
134++#include <tunables/run>
135+diff --git a/profiles/apparmor.d/tunables/run b/profiles/apparmor.d/tunables/run
136+new file mode 100644
137+index 0000000..e535d2f
138+--- /dev/null
139++++ b/profiles/apparmor.d/tunables/run
140+@@ -0,0 +1 @@
141++@{run}=/run /var/run
142diff --git a/debian/patches/upstream-commit-ef591a67-Add-trailing-slash-to-the-run-variable-definition.patch b/debian/patches/upstream-commit-ef591a67-Add-trailing-slash-to-the-run-variable-definition.patch
143new file mode 100644
144index 0000000..97fede3
145--- /dev/null
146+++ b/debian/patches/upstream-commit-ef591a67-Add-trailing-slash-to-the-run-variable-definition.patch
147@@ -0,0 +1,22 @@
148+From: nl6720 <nl6720@gmail.com>
149+Date: Thu, 20 Feb 2020 10:40:22 +0200
150+Subject: Add trailing slash to the run variable definition
151+
152+Signed-off-by: nl6720 <nl6720@gmail.com>
153+
154+Author: nl6720 <nl6720@gmail.com>
155+Origin: upstream, https://gitlab.com/apparmor/apparmor/-/commit/ef591a67cedc1da0676b26448ea96fa8c073c253
156+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1872564
157+Reviewed-By: Sergio Durigan Junior <sergio.durigan@canonical.com>
158+Last-Update: 2020-05-08
159+---
160+ profiles/apparmor.d/tunables/run | 2 +-
161+ 1 file changed, 1 insertion(+), 1 deletion(-)
162+
163+diff --git a/profiles/apparmor.d/tunables/run b/profiles/apparmor.d/tunables/run
164+index e535d2f..5b81925 100644
165+--- a/profiles/apparmor.d/tunables/run
166++++ b/profiles/apparmor.d/tunables/run
167+@@ -1 +1 @@
168+-@{run}=/run /var/run
169++@{run}=/run/ /var/run/

Subscribers

People subscribed via source and target branches