Unfortunately even the /**/bitbake/bin/bitbake mask doesn't always work
since bitbake's server can be triggered by other commands such as
devtool or recipetool. In those cases, the glob doesn't match and you
hit weird failures. It also has interesting problems with using
BB_SERVER_TIMEOUT=60 since
An updated aa-notify that can prompt the user to create a profile is
available in oracular, and for noble via
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-backports.
The plan is to get more testing on it and then SRU to noble.
It can be installed via
sudo apt install apparmor-notif
FWIW I don't think this proposed profile should be shipped upstream or
in Ubuntu for bitbake - it allows any file anywhere on the filesystem
under a path bitbake/bin/bitbake to use unprivileged user namespaces -
i.e. if I were a malware author I would have my malware create a second
stage malware fil
@bkhuugeicp can you send a patch to bitbake-devel?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2056555
Title:
Allow bitbake to create user namespace
To manage notifications about this bug go to:
Able to confirm that I can at least work around the issue for now.
In case anyone needs a convenient enough copy-pastable command, this is the
sequence I was able to use.
```bash
# Workaround for ubuntu issue [Allow bitbake to create user namespace](https://bugs.launchpad.net/ubuntu/+source/appa
```
@richard-purdie-1:
I can completely agree that it's sad that security is stopping what
amounts to better security. We are open to suggestions on how to improve
the situation.
Distro specific hacks are ugly, an additional burden and aren't a
desirable solution. The end goal is to make it so the use
@ross: yes the plan is to enable unshare and bwrap with custom profiles.
It is possible to test if this would work for your use case by copying
these profiles to the system and loading them.
Whether it will work really depends on whether unshare can do all the
necessary privileged operations. The
Trying to recreate our own execution environment inside this executable
will likely be a bit painful and awkward.
it isn't impossible but we'd likely have to add a new execution
environment to our list at the top level in the way we have fakeroot and
non-fakeroot environments today with new networ
If I understood right, this would be a wrapper script, shipped by
Ubuntu. Bitbake would detect its presence and run it with the name of
the executable that would be run by the script and get restricted
network access. No?
Who would be shipping this trusted app? Bitbake can run at arbitrary
locations because it isn't something you install at a distro level, but
something the user fetches and runs.
I think we'll have to fallback to spawning inside unshare assuming a
future point release of apparmor allows unshare to
I think it would, yes. @ross, can you point RP to this ticket please?
So let's say the trusted app is just a shell script with its own
profile enabled. And the script calls unshare with a fixed set of CLI
parameters that only allow safe operations or even just disconnect
networking for its children.
Then we decouple the unsafe operations from unshare that are disallo
@ross:
atm, correct, unshare does not work as it does not have a profile enabled
by default. However this will be partially fixed via SRU. The SRU for
apparmor 4.0.1 includes an example profile for unshare*, that will allow
unshare to create user namespaces and even have capabilities within the
use
I like the idea of a trusted app. We can add support for that easily.
I agree that asking users with popups is not the right direction. It
won't work in non-graphical sessions (and bitbake in particular is used
that way a lot), and will only condition users to click 'Allow' without
reading the tex
If I'm reading the comments in apparmor correctly (I don't have a 2404
machine myself) then unshare doesn't work out of the box either:
# This profile allows almost everything and only exists to allow
# unshare to work on a system with user namespace restrictions
# being enforced.
# unshare is all
Like unshare(1)?
Yes, it seems what we need is an app in a non-user writable area (i.e.
as part of the system) that disables the network for a child process and
an apparmor profile that allows it to do so. Then call that app from
bitbake.
That sounds a lot better than asking users for 100s of permissions they don't
und
What we're after is disabling the network for any child processes. It
doesn't matter specifically how that gets done.
If this can be done some other way with some other facility that doesn't
clash with efforts to harden the host distributions, I'm all ears.
@kanavin:
Bitbake could indeed do that, it will depend on if it is considered
worthwhile to carry said exception code. As I mentioned above both
capabilities and SELinux are working towards limiting of unprivileged
user namespaces, and the solutions needed to handle their restrictions
will be diff
We'll probably have to wrap that code in an exception handler that would
instruct the user to install an apparmor profile as root, yes.
@kanavin:
Thanks, we don't have an issue with bitbake, the issue comes down to
running code out of a user writable location.
1. The location of bitbake will vary by user. Making any profile we
could ship only functional for a subset of bitbake users. For the others
it would require a privileged ac
@milev-philip:
containers are a difficult case. Unfortunately containers share the same
kernel as the host. An application running in the container (docker
image) can use unprivileged user namespaces to compromise not just the
container but the host as well.
There is the ability to turn the restr
It does seem that way. The problem is the design of unprivileged user
namespaces, it gives unprivileged applications access to a lot of kernel
surface that they usually don't have access to. This has been used to
elevate kernel bugs from root exploitable to being exploitable by
unprivileged users.
For reference, the specific implementation in bitbake that disables
networking is here:
https://git.openembedded.org/bitbake/tree/lib/bb/utils.py?h=2.8.2#n1673
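The pieces discussed in this thread (an app that detaches a child process from the network, an exception handler that tells the user to install an AppArmor profile as root, and the bitbake implementation linked in the comment above) all come down to one sequence of calls: unshare(CLONE_NEWUSER), write the /proc/self uid/gid maps, then unshare(CLONE_NEWNET). The following is an added illustration in Python, written for this discussion; it is not bitbake's code and not taken from the bug report. It is Linux-only, uses ctypes to reach libc's unshare(), and the wrapper names and the wording of the hint are assumptions of the example. On a 24.04 host with the userns restriction enforced and no profile for the interpreter, the expected outcome is the "denied" branch with EPERM, which is exactly the failure the bug is about.

```python
"""Detach a child process from the network with user + network namespaces.

Added example for the bitbake/AppArmor discussion (not bitbake's own code).
Linux-only: relies on unshare(2) and the /proc/self/*_map files.
"""
import ctypes
import errno
import os

# Flag values from <sched.h>
CLONE_NEWUSER = 0x10000000
CLONE_NEWNET = 0x40000000

_libc = ctypes.CDLL(None, use_errno=True)


def _unshare(flags: int) -> None:
    """Call libc unshare(); raise OSError carrying the real errno on failure."""
    if _libc.unshare(flags) != 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))


def enter_netless_namespace() -> None:
    """Create a user namespace, map our uid/gid to 0 inside it, then drop the network.

    Order matters: CLONE_NEWNET needs CAP_SYS_ADMIN, which an unprivileged
    process only holds inside a user namespace it created itself.
    """
    uid, gid = os.getuid(), os.getgid()
    _unshare(CLONE_NEWUSER)
    # setgroups must be "deny" before an unprivileged process may write gid_map;
    # these /proc writes are what the bug's original title referred to.
    with open("/proc/self/setgroups", "w") as f:
        f.write("deny")
    with open("/proc/self/uid_map", "w") as f:
        f.write(f"0 {uid} 1")
    with open("/proc/self/gid_map", "w") as f:
        f.write(f"0 {gid} 1")
    _unshare(CLONE_NEWNET)


def explain_failure(err: int) -> str:
    """Map an errno from the namespace setup to an actionable message (wording assumed)."""
    if err in (errno.EPERM, errno.EACCES):
        return ("Creating an unprivileged user namespace was denied. On Ubuntu 24.04 and "
                "later this usually means the AppArmor restriction on unprivileged user "
                "namespaces is enforced and no profile grants this executable 'userns'. "
                "Install a suitable AppArmor profile as root, or run the build through a "
                "system-installed wrapper that has one.")
    if err == errno.EINVAL:
        return "The kernel does not support user or network namespaces (CONFIG_USER_NS)."
    return f"namespace setup failed: {os.strerror(err)}"


def run_without_network(argv: list) -> tuple:
    """Fork, isolate the child from the network, then exec argv in the child.

    Returns ("isolated", exit_code) when the sandbox was created, or
    ("denied", errno) when the host refused it; the caller decides whether to
    fall back or stop, which is the policy question the thread is debating.
    """
    r, w = os.pipe()  # child reports a setup errno on this pipe, nothing on success
    pid = os.fork()
    if pid == 0:
        os.close(r)
        try:
            enter_netless_namespace()
        except OSError as e:
            os.write(w, str(e.errno).encode())
            os._exit(111)
        os.close(w)
        try:
            os.execvp(argv[0], argv)
        except OSError:
            os._exit(127)
    os.close(w)
    reason = os.read(r, 16)  # EOF (b"") once the child closed w or exec'd
    os.close(r)
    _, status = os.waitpid(pid, 0)
    if reason:
        return ("denied", int(reason))
    return ("isolated", os.waitstatus_to_exitcode(status))


if __name__ == "__main__":
    outcome, value = run_without_network(["/bin/true"])
    if outcome == "denied":
        print(explain_failure(value))
    else:
        print(f"child ran without network, exit code {value}")
```

The parent learns about a failed setup through the pipe rather than through the exit status, so a build tool can distinguish "the host refused the namespace" from "the child command itself failed" and print the AppArmor hint only in the first case.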
I get the same error when building an image even in a Docker container
(crops) when run on 24.04.
```
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/builds/yocto/shared/sources/core/bitbake/bin/bitbake-worker", line 278, in child
```
Something doesn't feel right in the overall design here.
Bitbake wants to take away the ability to connect to network from its
child processes (which generally makes things more secure), and is not
allowed to do so by the system. Isn't this... backwards?
** Summary changed:
- Python can't write to /proc files
+ Allow bitbake to create user namespace