Updated debdiff with changelog updated based on feedback.

** Description changed:

  [ Impact ]
  
  This SRU contains fixes for a number of bugs:
-  * The unprivileged_userns profile did not have access to the root directory 
(https://gitlab.com/apparmor/apparmor/-/issues/505)
+  * The unprivileged_userns profile did not have access to the root directory 
(LP: #2110616)
   * lsblk could not list DASD devices on IBM System Z (LP: #2107402)
-  * Various commands segfaulted when run from a confined context due to 
missing permissions on the binary execution path (LP: #2107455, 
https://gitlab.com/apparmor/apparmor/-/merge_requests/1637)
+  * Various commands segfaulted when run from a confined context due to 
missing permissions on the binary execution path (LP: #2107455, LP: #2110628)
   * The plasmashell profile was missing new path to QtWebEngineProcess, 
causing breakage of Web Browser widget (LP: #2107723)
-  * fusermount3 lacked permissions to mount to /cvmfs 
(https://gitlab.com/apparmor/apparmor/-/merge_requests/1587)
+  * fusermount3 lacked permissions to mount to /cvmfs (LP: #2110624)
   * openvpn lacked permissions to manage DNS settings for pushed DHCP settings 
(LP: #2107596)
   * openvpn lacked permissions to perform mDNS lookups (LP: #2109029)
   * remmina broke due to missing permissions (LP: #2107723)
-  * fusermount3 lacked permissions to mount with noatime, needed for 
fuse_overlayfs (https://gitlab.com/apparmor/apparmor/-/merge_requests/1673)
+  * fusermount3 lacked permissions to mount with noatime, needed for 
fuse_overlayfs (LP: #2110626)
   * iotop-c failed to launch at all due to permission denials in nl_init (LP: 
#2107727)
-  * The parser did not handle the norelatime mount flag correctly 
(https://gitlab.com/apparmor/apparmor/-/merge_requests/1679)
+  * The parser did not handle the norelatime mount flag correctly (LP: 
#2110688)
   * The apparmor.d man page contained incorrect information about the 
combination of mount options=(list) options in (list)
-    (https://gitlab.com/apparmor/apparmor/-/merge_requests/1674).
+    (LP: #2110630)
   * This SRU also includes a regression test update 
(https://gitlab.com/apparmor/apparmor/-/merge_requests/1672) that is not part 
of the built package but that 1) ensures that the documented behavior lines up 
with the actual behavior, and 2) serves as a test for the parser patch
  
  [ Test Plan ]
  
- After installation of the new AppArmor version, the machine might need
- to be rebooted. If a reboot between installation and test plan execution
- is needed for a test to pass, please mention it in the test plan
- execution notes so that we can determine if this is cause for
- verification test failure, expected behavior, or the result of an
- unrelated bug that we are not attempting to fix with this SRU.
- 
- Bug-specific test plans, followed by a generic test plan:
- 
- Test plan for the unprivileged_userns bug:
-  * Ensure that the sysctl kernel.apparmor_restrict_unprivileged_unconfined is 
set to 1
-  * Run unshare -U ls /
-  * Without the fix:
-    - Command above does not list the directory successfully
-    - apparmor generates a denial log blocking opening of / under 
profile="unprivileged_userns"
-  * With the fix: the above error+logging should not occur
- 
- Test plan for the lsblk bug:
-  * Run lsblk on an IBM System Z system
-  * Without the fix:
-    - Command fails to list DASD devices
-    - apparmor generates denial logs blocking access to a path starting with 
/sys/devices/css
-  * With the fix: the above error+logging should not occur
- 
- Test plan for command execution from confined context:
-  * Add the following to a new file and use `apparmor_parser path/to/file` to 
load it as a profile:
-  abi <abi/4.0>,
-  include <tunables/global>
-  profile allow_all {
-    allow all,
-    priority=1 /** px,
-  }
-  * Choose a subset of the applications confined by profiles under 
profiles/apparmor.d modified by 
debian/patches/ubuntu/profiles_ensure_access_to_attach_path.patch, and for each 
selected application:
-    - Run `aa-exec -p allow_all -- the_application`, under sudo if the 
application needs root privileges
-    - Verify that the application does not segfault on launch
-    - If application segfaults on launch only when run under confinement, 
check for apparmor="DENIED" log entry denying read or mmap operations on the 
binary path, and report verification test failure
- 
- Test plan for the plasmashell bug:
-  * This test needs to be executed on a freshly provisioned Kubuntu machine 
with the new AppArmor installed. Testers might want to install `openssh-server` 
on the Kubuntu machine first in order to make extraction of relevant logs 
easier in case of test failure
-  * Add an empty panel and click on "+ Add Widgets"
-  * Add the "Web Browser" -> widget is added to panel -> click on "Exit Edit 
Mode"
-  * Click on icon "Web Browser" or logout/login
-  * Without the fix:
-    - The desktop environment turns black, flickers a few times due to 
attempted restarts, and doesn't return
-    - AppArmor generates denial logs such as apparmor="DENIED" 
operation="exec" class="file" info="no new privs" error=-1 
profile="plasmashell" name="/usr/lib/qt6/libexec/QtWebEngineProcess" pid=2069 
comm="plasmashell" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 
target="unconfined"
-      + The important parts to match are 'operation="exec"' and 'info="no new 
privs"', and the path under 'name'. If such a log appears, report test 
verification failure
-      + If a different apparmor log involving QtWebEngineProcess appears, note 
it in the test report so that we can evaluate if the tester encountered an 
unrelated plasmashell confinement bug
-  * With the fix: the above error+logging should not occur
- 
- Test plan for the fusermount3 cvmfs bug:
-  * The following instructions are adapted from 
https://cvmfs.readthedocs.io/en/stable/cpt-quickstart.html
-    - Install the cvmfs packages
-      + `wget 
https://cvmrepo.s3.cern.ch/cvmrepo/apt/cvmfs-release-latest_all.deb`
-      + `sudo dpkg -i cvmfs-release-latest_all.deb`
-      + `sudo apt-get -y update`
-      + `sudo apt-get -y install cvmfs`
-    - Set up autofs configs by running `sudo cvmfs_config setup` and `sudo 
systemctl restart autofs`
-    - Create `/etc/cvmfs/default.local` and add the lines 
"CVMFS_REPOSITORIES=cvmfs-config.cern.ch", "CVMFS_CLIENT_PROFILE=single" to it
-    - Attempt to mount by running `cvmfs_config probe`
-  * Without the fix:
-    - The mount step fails with a permission denial error
-    - AppArmor generates denial logs for fusermount3 denying the mount syscall
-  * With the fix: the mount should succeed with no AppArmor logs being 
generated
- 
- Test plan for the openvpn bugs:
-  * This test description assumes no access to existing machines that use 
OpenVPN. Additional testing of OpenVPN in related configurations (other 
virtualization solutions, specifying the server location via IPs or actual 
domains, etc.) is encouraged.
-    - Spin up two Ubuntu Plucky VMs, one of which will be referred to as 
openvpn-client and the other of which will be referred to as openvpn-server
-    - Ensure that the two machines are able to ping each other
-    - Generate a key using `openvpn --genkey secret secret.key` and transfer 
this key to both machines, somewhere inside the home directory
-    - Place the following configuration onto openvpn-server, next to 
secret.key:
-    dev tun
-    proto udp
-    cipher aes-256-cbc
-    ifconfig 10.4.13.1 10.4.13.2
-    secret static.key
-    - Place the following configuration onto openvpn-client, next to 
secret.key, substituting the remote location:
-    remote openvpn-server.local
-    dev tun
-    proto udp
-    cipher aes-256-cbc
-    ifconfig 10.4.3.2 10.4.13.1
-    secret static.key
-    - Launch openvpn on both machines by running `openvpn path_to_config` on 
each
-    - If (openvpn-client "remote" config line is a domain name (.local or 
otherwise)) and (openvpn is unable to resolve the domain) and (apparmor is 
generating denials related to (m)DNS lookups), then report verification test 
failure
-    - Ensure that the two machines are able to ping each other through the 
OpenVPN tunnel
-    - Stop both openvpn instances and add the line `push "dhcp-option 
DOMAIN-SEARCH canonical.com"` to the openvpn-server config
-    - Launch openvpn on both machines again and ensure that the two machines 
are able to ping each other through the tunnel
- 
- Test plan for the remmina bug:
-  * Run `sudo aa-status` and look for a loaded remmina profile: it should not 
be there
-  * If it is still there after installing the updated AppArmor and rebooting, 
report verification test failure
-  * Launch remmina
-  * Use ps -Zelf | grep -F remmina to locate the running remmina process
-  * Read the output to verify that remmina is now unconfined
-  * Fully quit remmina through its menu, its task bar entry, or by Ctrl-C'ing 
its terminal (closing the GUI window is insufficient)
-  * Install apparmor-profiles if it wasn't installed already
-  * Repeat the above steps to verify that remmina is unconfined even when 
apparmor-profiles is also installed (including reboot if installing 
apparmor-profiles fresh)
-  * Warning: remmina writes a .desktop file to automatically start itself upon 
login, which will complicate profile replacement if investigating remmina test 
failure
-  
- Test plan for the fusermount3 fuse_overlayfs bug:
-  * Install fuse-overlayfs
-  * Inside the home directory, make folders "lower", "upper", "work", and 
"mountpoint"
-  * Mount a fuse-overlayfs with `fuse-overlayfs -o 
lowerdir=lower,upperdir=upper,workdir=work mountpoint`
-  * Without the fix: the mount fails and apparmor generates a log reporting 
"failed flags match"
-  * With the fix: the mount should succeed
- 
- Test plan for the iotop-c bug:
-  * Launch iotop-c under sudo (make sure to invoke iotop-c directly instead of 
iotop, which might be symlinked to the distinct iotop-py)
-    - Without the fix: iotop-c fails to launch due to permission denials in 
nl_init
-    - With the fix: iotop-c should launch successfully
-  * Attempt to set the ionice value of a running process using iotop-c, and 
verify that the operation succeeds
- 
- Test plan for the parser bug: failures caused by this change will show
- up in the regression tests run as part of the generic test plan
- 
- Test plan for the apparmor.d documentation bug:
-  * Open the apparmor.d man page with `man apparmor.d` and scroll down to the 
example that starts with `mount options=(ro, atime) options in (nodev, user)`
-  * Verify that the mount commands listed as matching the rule all include ro 
and atime
-  * The regression test that checks that the behavior is as documented will 
run as part of the QRT test suite described below
+ Bug-specific test plans can be found in their respective LP bug entries.
   
  Generic test plan (for all AppArmor changes, not specific to this SRU):
  
  AppArmor is also extensively tested via its QRT test suite, which includes 
execution of the AppArmor test suite.
   * To prepare the QRT test suite (can be done on any machine):
     - `git clone https://git.launchpad.net/qa-regression-testing`
     - `./scripts/make-test-tarball ./scripts/test-apparmor.py`
   * To run the QRT test suite:
     - Copy the tarball onto the machine with the new AppArmor installed and 
extract it
     - `sudo ./install-packages test-apparmor.py`
+    - Reboot after dependency installation
     - `sudo ./test-apparmor.py -v`
  
  [ Where problems could occur ]
  
  All the profile changes in this SRU are loosening confinement on a profile. 
However, if a user manually modified the installed profiles, then the package 
upgrade would cause conflicts, and rejection of the incoming changes (either by 
hand during an interactive upgrade or automatically during an batch unattended 
upgrade) would result in end users not getting the complete set of packaged 
fixes. However, as each of the files updated are independent of each other, a 
partially fixed state will not be more broken than an unfixed (before upgrade) 
state.
   
  Remmina profile specific: If a user set up custom profiles that use 
"peer=remmina" IPC rules, then these rules would break upon the upgrade 
removing the remmina profile. However, none of the officially shipped profiles 
include such rules.
  
  The man page update is a documentation-only change. The risk exists that
  the new packaged man page could be malformed, but this is unlikely since
  the man page is generated by pod2man, and such issues can be caught
  during testing by attempting to open the man page after installation of
  the new version.
  
  The parser fix changes the behavior of mount rules that explicitly
  specify the norelatime flag. In particular, a custom profile containing
  `mount options in (norelatime)` will have different, more permissive
- behavior than before (reducing regression risk). However, this flag is
- not used in any of the commonly used profiles (including the ones in our
- repo and the profile fragments used by snapd), so this will not change
- the behavior of most profiles being used.
+ behavior than before (reducing regression risk as compared to tightening
+ behavior). However, this flag is not used in any of the commonly used
+ profiles (including the ones in our repo and the profile fragments used
+ by snapd), so this will not change the behavior of most profiles being
+ used.
  
  [ Other Info ]
  
  The attached debdiff is identical to the one for the package uploaded to
- Questing, with the exception of the version number and release name in
- the changelog entry.
+ Questing, with the exception of the changelog.

** Patch added: "apparmor_4.1.0~beta5-0ubuntu15~25.04.1.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2110236/+attachment/5877608/+files/apparmor_4.1.0~beta5-0ubuntu15~25.04.1.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2110236

Title:
  [SRU] fixes for AppArmor in Plucky

Status in apparmor package in Ubuntu:
  New
Status in apparmor source package in Plucky:
  In Progress

Bug description:
  [ Impact ]

  This SRU contains fixes for a number of bugs:
   * The unprivileged_userns profile did not have access to the root directory 
(LP: #2110616)
   * lsblk could not list DASD devices on IBM System Z (LP: #2107402)
   * Various commands segfaulted when run from a confined context due to 
missing permissions on the binary execution path (LP: #2107455, LP: #2110628)
   * The plasmashell profile was missing the new path to QtWebEngineProcess, 
causing breakage of the Web Browser widget (LP: #2107723)
   * fusermount3 lacked permissions to mount to /cvmfs (LP: #2110624)
   * openvpn lacked permissions to manage DNS settings for pushed DHCP settings 
(LP: #2107596)
   * openvpn lacked permissions to perform mDNS lookups (LP: #2109029)
   * remmina broke due to missing permissions (LP: #2107723)
   * fusermount3 lacked permissions to mount with noatime, needed for 
fuse_overlayfs (LP: #2110626)
   * iotop-c failed to launch at all due to permission denials in nl_init (LP: 
#2107727)
   * The parser did not handle the norelatime mount flag correctly (LP: 
#2110688)
   * The apparmor.d man page contained incorrect information about the 
combination of mount options=(list) options in (list)
     (LP: #2110630)
   * This SRU also includes a regression test update 
(https://gitlab.com/apparmor/apparmor/-/merge_requests/1672) that is not part 
of the built package but that 1) ensures that the documented behavior lines up 
with the actual behavior, and 2) serves as a test for the parser patch

  [ Test Plan ]

  Bug-specific test plans can be found in their respective LP bug entries.
   
  Generic test plan (for all AppArmor changes, not specific to this SRU):

  AppArmor is also extensively tested via its QRT test suite, which includes 
execution of the AppArmor test suite.
   * To prepare the QRT test suite (can be done on any machine):
     - `git clone https://git.launchpad.net/qa-regression-testing`
     - `./scripts/make-test-tarball ./scripts/test-apparmor.py`
   * To run the QRT test suite:
     - Copy the tarball onto the machine with the new AppArmor installed and 
extract it
     - `sudo ./install-packages test-apparmor.py`
     - Reboot after dependency installation
     - `sudo ./test-apparmor.py -v`

  [ Where problems could occur ]

  All the profile changes in this SRU are loosening confinement on a profile. 
However, if a user manually modified the installed profiles, then the package 
upgrade would cause conflicts, and rejection of the incoming changes (either by 
hand during an interactive upgrade or automatically during a batch unattended 
upgrade) would result in end users not getting the complete set of packaged 
fixes. However, as each of the files updated is independent of the others, a 
partially fixed state will not be more broken than an unfixed (before upgrade) 
state.
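The conffile conflict described above can be anticipated before the upgrade by comparing each installed profile against the md5 that dpkg recorded for it at install time, which is the same comparison dpkg makes when it decides whether to prompt. The script below is an added example, not code from this SRU or from the apparmor package. It assumes the /var/lib/dpkg/status Conffiles format (one " path md5" entry per line, optional trailing flag such as "obsolete", and "newconffile" as the placeholder hash for a not-yet-installed conffile); the status stanzas and profile contents it ships with are constructed sample data.

```python
"""Report which packaged AppArmor profiles (dpkg conffiles) differ from disk.

Added example (not part of the SRU or the apparmor package). It parses the
Conffiles: field of a dpkg status stanza and compares each recorded md5 with
the file currently on disk, so locally modified profiles that will conflict
during the upgrade can be listed before apt is run.
"""
import hashlib
from pathlib import Path
from typing import Callable, Dict, List, Optional

Reader = Callable[[str], Optional[bytes]]


def parse_conffiles(status_text: str, package: str) -> Dict[str, str]:
    """Return {path: md5} from the Conffiles: field of `package`.

    Entry lines look like ' <path> <md5>' with an optional trailing flag
    ('obsolete', 'remove-on-upgrade'); the flag is ignored here.
    """
    entries: Dict[str, str] = {}
    in_package = False
    in_conffiles = False
    for line in status_text.splitlines():
        if line.startswith("Package:"):
            in_package = line.split(":", 1)[1].strip() == package
            in_conffiles = False
        elif not in_package:
            continue
        elif line.startswith("Conffiles:"):
            in_conffiles = True
        elif in_conffiles and line.startswith(" "):
            fields = line.split()
            if len(fields) >= 2:
                entries[fields[0]] = fields[1]
        else:
            in_conffiles = False  # another field, or the blank line ending the stanza
    return entries


def classify_conffiles(shipped: Dict[str, str], read_file: Reader) -> Dict[str, str]:
    """Map each conffile path to 'unchanged', 'modified', 'missing' or 'new'."""
    result: Dict[str, str] = {}
    for path, md5 in shipped.items():
        if md5 == "newconffile":
            result[path] = "new"  # dpkg placeholder: conffile not installed yet
            continue
        data = read_file(path)
        if data is None:
            result[path] = "missing"
        elif hashlib.md5(data).hexdigest() == md5:
            result[path] = "unchanged"
        else:
            result[path] = "modified"
    return result


def read_from_disk(path: str) -> Optional[bytes]:
    try:
        return Path(path).read_bytes()
    except FileNotFoundError:
        return None


def locally_modified_profiles(status_text: str, package: str = "apparmor",
                              read_file: Reader = read_from_disk) -> List[str]:
    """Profiles under /etc/apparmor.d whose content no longer matches the package."""
    classes = classify_conffiles(parse_conffiles(status_text, package), read_file)
    return sorted(p for p, c in classes.items()
                  if c == "modified" and p.startswith("/etc/apparmor.d/"))


# Constructed sample data: profile text as shipped versus what is on disk now.
SHIPPED = {
    "/etc/apparmor.d/fusermount3": b"abi <abi/4.0>,\nprofile fusermount3 {\n}\n",
    "/etc/apparmor.d/unprivileged_userns": b"abi <abi/4.0>,\nprofile unprivileged_userns {\n}\n",
    "/etc/apparmor.d/plasmashell": b"abi <abi/4.0>,\nprofile plasmashell {\n}\n",
}
ON_DISK = dict(SHIPPED)
ON_DISK["/etc/apparmor.d/fusermount3"] += b"# local edit by the admin\n"  # modified
del ON_DISK["/etc/apparmor.d/plasmashell"]  # removed locally


def _status_line(path: str, data: bytes, flag: str = "") -> str:
    return f" {path} {hashlib.md5(data).hexdigest()}{flag}\n"


SAMPLE_STATUS = (
    "Package: apparmor\n"
    "Status: install ok installed\n"
    "Conffiles:\n"
    + _status_line("/etc/apparmor.d/fusermount3", SHIPPED["/etc/apparmor.d/fusermount3"])
    + _status_line("/etc/apparmor.d/unprivileged_userns", SHIPPED["/etc/apparmor.d/unprivileged_userns"])
    + _status_line("/etc/apparmor.d/plasmashell", SHIPPED["/etc/apparmor.d/plasmashell"], " obsolete")
    + "Description: constructed sample stanza\n"
    "\n"
    "Package: apparmor-profiles\n"
    "Conffiles:\n"
    " /etc/apparmor.d/usr.bin.example newconffile\n"
)


def sample_reader(path: str) -> Optional[bytes]:
    """Stand-in for read_from_disk that serves the constructed on-disk contents."""
    return ON_DISK.get(path)


if __name__ == "__main__":
    shipped = parse_conffiles(SAMPLE_STATUS, "apparmor")
    for path, cls in classify_conffiles(shipped, sample_reader).items():
        print(f"{cls:9} {path}")
    print("would conflict on upgrade:",
          locally_modified_profiles(SAMPLE_STATUS, "apparmor", sample_reader))
```

Against a real system, call `locally_modified_profiles(Path("/var/lib/dpkg/status").read_text())`; every path it returns is one where the upgrade will either stop to ask or, in an unattended run, keep the local copy, leaving that profile without the packaged fix. The same check can be repeated after the upgrade to confirm that no profile is still in the pre-fix state.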
   
  Remmina profile specific: If a user set up custom profiles that use 
"peer=remmina" IPC rules, then these rules would break upon the upgrade 
removing the remmina profile. However, none of the officially shipped profiles 
include such rules.

  The man page update is a documentation-only change. The risk exists
  that the new packaged man page could be malformed, but this is
  unlikely since the man page is generated by pod2man, and such issues
  can be caught during testing by attempting to open the man page after
  installation of the new version.

  The parser fix changes the behavior of mount rules that explicitly
  specify the norelatime flag. In particular, a custom profile
  containing `mount options in (norelatime)` will have different, more
  permissive behavior than before (reducing regression risk as compared
  to tightening behavior). However, this flag is not used in any of the
  commonly used profiles (including the ones in our repo and the profile
  fragments used by snapd), so this will not change the behavior of most
  profiles being used.

  [ Other Info ]

  The attached debdiff is identical to the one for the package uploaded
  to Questing, with the exception of the changelog.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2110236/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp