[apparmor] [Bug 2049099] Re: AppArmor blocking snap install nested in LXD container

John Johansen john.johansen at canonical.com
Mon Jan 29 18:40:12 UTC 2024


On 1/29/24 10:17, Marc Oppenheimer wrote:
> What would cause the divergence in behavior on different host OS's do
> you think?
> 
> When using a pinned snap revision for everything, the behavior is
> different between Ubuntu and Arch, so I am not sure it's LXD's profile
> differences, if I understood correctly.
> 

There could be LXD profile differences, unfortunately grabbing those is
harder than it should be. LXD does some dynamic profile generation based
on kernel and apparmor version.

So even when LXD is fixed, the apparmor policy compiler version and kernel
come into play. AppArmor will also likely be adapting policy to what is
supported in the kernel so, even if the text policy LXD generates is
the same between hosts, what the kernel enforces could be different.

LXD might also be doing some setup of the container differently based on
the kernel, so it's not just apparmor policy setup that might vary.


Being more familiar with apparmor, I would start with comparing the
text and the binary policy. I don't remember where LXD stores the policy
it generates, I will need to dig. The binaries that are loaded into
the kernel can be found through

/sys/kernel/security/apparmor/policy/profiles/

e.g.
/sys/kernel/security/apparmor/policy/profiles/snap.cups.gs.59/raw_data

or just the hash
/sys/kernel/security/apparmor/policy/profiles/snap.cups.gs.59/raw_sha1


then I would start looking for differences in what the kernels support.
If the kernels are the same version that helps narrow the difference
down.
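The comparison John describes, as an added helper script (not from the thread or from the AppArmor or LXD projects): it walks the securityfs policy tree on each host, records the kernel's hash of every loaded binary profile, and then diffs the two snapshots so the profiles whose binary policy differs stand out before the kernel versions are compared. The script name is assumed; it needs root to read raw_data, and raw_sha1 is only present when the kernel hashes policy (apparmor.hash_policy).

```shell
#!/bin/sh
# aa_policy_manifest.sh (assumed name): snapshot the binary AppArmor policy the
# kernel has loaded, then diff two snapshots taken on different hosts.
#   sh aa_policy_manifest.sh /sys/kernel/security/apparmor/policy/profiles > host-a.txt
#   sh aa_policy_manifest.sh host-a.txt host-b.txt
export LC_ALL=C   # keep sort(1) and join(1) collation consistent across hosts

# Print "<profile name> <sha1 of raw_data>" for every profile under $1, sorted.
# Nested profiles live under <parent>/profiles/<child>/, which find(1) covers.
aa_policy_manifest() {
    find "$1" -name raw_data 2>/dev/null | while read -r raw; do
        pdir=$(dirname "$raw")
        # use the name file, not the directory: the directory carries a numeric
        # suffix (the .59 in the thread) that need not match between hosts
        name=$(cat "$pdir/name")
        if [ -r "$pdir/raw_sha1" ]; then
            sum=$(cat "$pdir/raw_sha1")     # kernel-computed hash of the loaded blob
        else
            sum=$(sha1sum "$raw" 2>/dev/null | cut -d' ' -f1)
        fi
        [ -n "$sum" ] || sum=UNREADABLE     # no hash file and raw_data not readable
        printf '%s %s\n' "$name" "$sum"
    done | sort
}

# Compare two manifests: print "<name> <hash on A> <hash on B>" for profiles that
# exist on only one host (MISSING) or were loaded with different binary policy.
# Exit status is 1 when anything differs, so it can gate a script.
aa_policy_compare() {
    join -a 1 -a 2 -e MISSING -o 0,1.2,2.2 "$1" "$2" |
        awk 'BEGIN { differ = 0 } $2 != $3 { print; differ = 1 } END { exit differ }'
}

main() {
    if [ "$#" -eq 2 ]; then
        aa_policy_compare "$1" "$2"
    else
        aa_policy_manifest "$1"
    fi
}

# Only run when invoked with arguments; sourcing the file just defines the functions.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

If every hash matches but enforcement still differs, the text policy LXD generates was compiled the same way on both hosts and the remaining difference is in what each kernel supports.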



