[Bug 1641243] Re: Provide full AppArmor confinement for snaps on 14.04
Launchpad Bug Tracker
1641243 at bugs.launchpad.net
Wed Jan 18 17:28:28 UTC 2017
This bug was fixed in the package apparmor - 2.10.95-0ubuntu2.5~14.04.1
---------------
apparmor (2.10.95-0ubuntu2.5~14.04.1) trusty; urgency=medium

  * Bring apparmor 2.10.95-0ubuntu2.5, from Ubuntu 16.04, to Ubuntu 14.04.
    - This allows for proper snap confinement on Ubuntu 14.04 when using the
      hardware enablement kernel (LP: #1641243)
  * Changes made on top of 2.10.95-0ubuntu2.5:
    - debian/apparmor.upstart: Remove the upstart job and continue using the
      init script in 14.04
    - debian/apparmor.postinst, debian/apparmor-profiles.postinst,
      debian/apparmor-profiles.postrm, debian/rules: Revert to using
      invoke-rc.d to load the profiles, rather than reloading them directly,
      since 14.04 will continue using the init script rather than the upstart
      job.
    - debian/apparmor.init, debian/lib/apparmor/functions,
      debian/apparmor.postinst, debian/apparmor.postrm: Remove functionality
      dealing with AppArmor policy in system image based environments since
      this 14.04 package will not need to handle such environments. This
      removes the handle_system_policy_package_updates(),
      compare_previous_version(), compare_and_save_debsums() functions and
      their callers.
    - debian/apparmor.init: Continue using running-in-container since
      systemd-detect-virt doesn't exist on 14.04
    - debian/lib/apparmor/functions, debian/apparmor.init: Remove the
      is_container_with_internal_policy() function and adjust its call sites
      in apparmor.init so that AppArmor policy is not loaded inside of 14.04
      LXD containers (avoids bug #1641236)
    - debian/lib/apparmor/profile-load, debian/apparmor.install: Remove
      profile-load as upstart's apparmor-profile-load is used in 14.04
    - debian/patches/libapparmor-mention-dbus-method-in-getcon-man.patch:
      Continue applying this patch since the dbus version in 14.04 isn't new
      enough to support fetching the AppArmor context from
      org.freedesktop.DBus.GetConnectionCredentials().
    - debian/patches/libapparmor-force-libtoolize-replacement.patch: Force
      libtoolize to replace existing files to fix a libapparmor FTBFS issue on
      14.04.
    - debian/control: Retain the original 14.04 Breaks and ignore the new
      Breaks from 2.10.95-0ubuntu2.5 since they were put in place as part of
      the enablement of UNIX domain socket mediation. They're not needed in
      this upload since UNIX domain socket mediation is disabled by default so
      updates to the profiles included in those packages are not needed.
    - Preserve the profiles and abstractions from 14.04's
      2.8.95~2430-0ubuntu5.3 apparmor package by recreating them in the
      top-level profiles-14.04/ directory of the source. They'll be installed
      to debian/tmp/etc/apparmor.d/ during the build process and then to
      /etc/apparmor.d/ on package install so that there are no changes to the
      shipped profiles or abstractions. The abstractions from
      2.10.95-0ubuntu2.5 will be installed into
      debian/tmp/snap/etc/apparmor.d/ during the build process and then into
      /etc/apparmor.d/snap/abstractions/ on package install for use with snap
      confinement. Snap confinement profiles, which include AppArmor profiles
      loaded by snapd and profiles loaded by snaps that are allowed to manage
      AppArmor policy, will use the snap abstractions. All other AppArmor
      profiles will continue to use the 14.04 abstractions.
    - debian/rules: Adjust for new profiles-14.04/ directory
    - debian/apparmor-profiles.install: Adjust to install the profiles that
      were installed in the 2.8.95~2430-0ubuntu5.3 package
    - debian/apparmor.install: Install the abstractions from the
      2.10.95-0ubuntu2.5 package into /etc/apparmor.d/snap/abstractions/
    - debian/patches/14.04-profiles.patch: Preserve the 14.04 profiles and
      abstractions from the 2.8.95~2430-0ubuntu5.3 apparmor package.
    - debian/patches/conditionalize-post-release-features.patch: Disable new
      mediation features, implemented after the Ubuntu 14.04 release, unless
      the profile is for snap confinement. If the profile is for snap
      confinement, the abstractions from /etc/apparmor.d/snap/abstractions
      will be used and all of the mediation features will be enabled.
    - 14.04-add-chromium-browser.patch,
      14.04-add-debian-integration-to-lighttpd.patch,
      14.04-etc-writable.patch,
      14.04-update-base-abstraction-for-signals-and-ptrace.patch,
      14.04-dnsmasq-libvirtd-signal-ptrace.patch,
      14.04-update-chromium-browser.patch,
      14.04-php5-Zend_semaphore-lp1401084.patch,
      14.04-dnsmasq-lxc_networking-lp1403468.patch,
      14.04-profiles-texlive_font_generation-lp1010909.patch,
      14.04-profiles-dovecot-updates-lp1296667.patch,
      14.04-profiles-adjust_X_for_lightdm-lp1339727.patch: Import all of the
      patches, from 14.04's 2.8.95~2430-0ubuntu5.3 apparmor package, which
      patched profiles/ and adjust them to patch profiles-14.04/ instead.
    - debian/patches/revert-r2550-and-r2551.patch: Revert two upstream changes
      to mod_apparmor which could potentially regress existing users of
      mod_apparmor in 14.04. These upstream changes are not appropriate for an
      SRU.

 -- Tyler Hicks <tyhicks at canonical.com>  Wed, 30 Nov 2016 16:36:02 +0000
https://bugs.launchpad.net/bugs/1641243
Title:
Provide full AppArmor confinement for snaps on 14.04
Status in apparmor package in Ubuntu:
Invalid
Status in dbus package in Ubuntu:
Invalid
Status in apparmor source package in Trusty:
Fix Released
Status in dbus source package in Trusty:
Fix Released
Bug description:
= apparmor SRU =
[Rationale]
For backporting snapd to 14.04 LTS, we need to provide proper AppArmor confinement for snaps when running under the 16.04 hardware enablement kernel. The apparmor userspace package in 14.04 is missing support for key mediation features such as UNIX domain socket rules, AppArmor policy namespaces, and AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all snaps. AppArmor policy namespaces and profile stacking are needed by the lxd snap.
Unfortunately, it was not feasible to backport the individual features
to the 14.04 apparmor package as they're quite complex and have a
large number of dependency patches. Additionally, the AppArmor policy
abstractions from Ubuntu 16.04 are needed to provide proper snap
confinement. Because of these two reasons, the decision to bring
16.04's apparmor package to 14.04 was (very carefully) made.
[Test Case]
https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
This update will go through the Test Plan as well as manual testing to
verify that snap confinement on 14.04 does work. Manual tests include
installing snapd in 14.04 and running simple snaps such as pwgen-tyhicks
and hello-world, as well as a much more complex snap such as lxd.
The following regression tests from lp:qa-regression-testing (these
packages ship an AppArmor profile) can be used to verify that their
respective packages do not regress:
test-apache2-mpm-event.py
test-apache2-mpm-itk.py
test-apache2-mpm-perchild.py
test-apache2-mpm-prefork.py
test-apache2-mpm-worker.py
test-bind9.py
test-clamav.py
test-cups.py
test-dhcp.py
test-mysql.py
test-ntp.py
test-openldap.py
test-rsyslog.py
test-squid.py
test-strongswan.py
test-tcpdump.py
I have pushed changes to lp:qa-regression-testing which pulls in the
parser and regression tests from the apparmor 2.8.95~2430-0ubuntu5.3
package currently shipping in Trusty, in addition to the tests in the
2.10.95 based package.
Additionally, manually testing evince, which is confined by an
AppArmor profile, should be done. The manual test should check basic
functionality as well as for proper confinement (`ps auxZ` output).
Finally, we need to test that 12.04 -> 14.04 upgrades continue to
work. Specifically, the apparmor packages in trusty-proposed and the
12.04 kernel need to be tested together.
[Regression Potential]
High. We must be extremely careful to not regress existing, confined applications in Ubuntu 14.04. We are lucky that the upstream AppArmor project has extensive regression tests and that the Ubuntu Security team adds even more testing via the AppArmor Test Plan.
Care was taken to minimally change how the AppArmor policies are
loaded during the boot process. I also verified that the abstractions
shipped in apparmor and the profiles shipped in apparmor-profiles are
the same across this SRU update.
= dbus SRU =
[Rationale]
For backporting snapd to 14.04 LTS, we need to provide proper D-Bus mediation for snaps when running under the 16.04 hardware enablement kernel. The dbus package in 14.04 is missing support for blocking unrequested reply messages. This functionality was added to the D-Bus AppArmor mediation patches after 14.04 was released but before the patches were merged upstream in dbus. The idea is to prevent a malicious snap from attacking another snap, over D-Bus, with unrequested reply messages and also to prevent two connections from subverting the snap confinement by communicating via unrequested reply messages.
[Test Case]
The upstream AppArmor userspace project has thorough tests for D-Bus
mediation, including unrequested replies. Its
tests/regression/apparmor/dbus_*.sh tests should be run before and
after updating to the dbus SRU. Before updating,
dbus_unrequested_reply.sh should fail, and it should pass after updating.
To run the dbus_*.sh tests:
$ sudo apt-get install -y bzr libdbus-1-dev
$ bzr branch lp:apparmor # apt-get source apparmor to test the current apparmor
$ cd apparmor/tests/regression/apparmor/
$ make USE_SYSTEM=1 \
dbus_{eavesdrop,message,service,unrequested_reply} uservars.inc
$ for t in dbus_{eavesdrop,message,service,unrequested_reply}.sh; \
do sudo VERBOSE=1 bash $t || break; done
The exit code should be 0 and all output lines should start with
"ok:".
In addition, the test-dbus.py tests from lp:qa-regression-testing
should be run to verify basic D-Bus functionality.
This update will go through the Test Plan as well as manual testing to
verify that snap confinement on 14.04 does work. Manual tests include
installing snapd in 14.04 and running simple snaps such as pwgen-tyhicks
and hello-world, as well as a much more complex snap such as lxd.
[Regression Potential]
Low. There's no use for unrequested D-Bus reply messages and silently dropping them for AppArmor confined applications should have no unintended side effects. The unrequested reply protections have been present in releases after 14.04 and have not caused any issues.
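The apparmor [Test Case] above asks the tester to confirm proper confinement of evince from `ps auxZ` output. The shell script below is an added example, not code from the bug report, the apparmor package or the Ubuntu QA scripts: it parses the LABEL column that ps prints ("unconfined" or "<profile> (<mode>)") and fails unless every running instance of the named command is under an enforcing profile, which is the condition the manual test is looking for. SAMPLE_PS is constructed to mimic that column layout; it was not captured from a real 14.04 system, and the PIDs, users and paths in it are made up.

```shell
#!/bin/sh
# Added example, not from the bug report: confirm that a program is confined
# by AppArmor by inspecting the LABEL column of `ps auxZ`. ps prints either
# "unconfined" or "<profile> (<mode>)" there, so the label occupies one or
# two whitespace-separated fields. SAMPLE_PS is constructed, not captured.

SAMPLE_PS='LABEL                                  USER   PID %CPU %MEM    VSZ   RSS TTY   STAT START  TIME COMMAND
unconfined                             root     1  0.0  0.1  33920  3128 ?     Ss   10:00  0:01 /sbin/init
/usr/sbin/cupsd (complain)             root  1120  0.0  0.2  70000  6000 ?     Ss   10:01  0:00 /usr/sbin/cupsd -f
/usr/bin/evince (enforce)              alice 2345  0.3  1.2 512000 50000 ?     Sl   10:05  0:00 evince /home/alice/doc.pdf
snap.hello-world.hello-world (enforce) alice 2401  0.0  0.0   4500   700 pts/0 S+   10:06  0:00 /snap/hello-world/27/bin/hello-world
unconfined                             alice 2500  0.0  0.1  20000  2000 pts/1 S+   10:07  0:00 evince /tmp/other.pdf'

# apparmor_labels CMD: read `ps auxZ` output on stdin and print
# "PID<TAB>LABEL<TAB>MODE" for each process whose command basename is CMD.
apparmor_labels() {
    awk -v want="$1" '
        NR == 1 { next }                               # header line
        {
            if ($1 == "unconfined") { off = 1; label = $1; mode = "unconfined" }
            else { off = 2; label = $1 " " $2; mode = $2; gsub(/[()]/, "", mode) }
            pid = $(off + 2)                           # USER PID %CPU ... follow the label
            cmd = $(off + 11); sub(/.*\//, "", cmd)    # COMMAND is the 11th field after it
            if (cmd == want) printf "%s\t%s\t%s\n", pid, label, mode
        }'
}

# check_enforced CMD: exit 0 only when CMD is running and every instance is
# under an enforcing profile; otherwise print the offenders and exit 1.
# A complain-mode or unconfined instance means the manual test has failed.
check_enforced() {
    apparmor_labels "$1" | awk -F'\t' '
        { n++; if ($3 != "enforce") { bad++; print "pid " $1 ": " $2 } }
        END {
            if (n == 0) print "no running process matched"
            exit ((n == 0 || bad > 0) ? 1 : 0)
        }'
}

# Typical use on the test box (or pipe "$SAMPLE_PS" in to try the sample):
#   ps auxZ | check_enforced evince
```

On the constructed sample, hello-world passes, cupsd fails because it is in complain mode, and evince fails because a second instance (PID 2500) is unconfined; that last case is the one worth watching for on 14.04, where a process started outside the profile's attachment path keeps running unconfined.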
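The apparmor [Regression Potential] section states that the abstractions shipped in apparmor and the profiles shipped in apparmor-profiles are unchanged by this SRU, and the changelog says the only new policy files are the 16.04 abstractions under /etc/apparmor.d/snap/abstractions/. The shell functions below are an added example, not code from the bug report or the apparmor package, of how to verify that on a test system: take a SHA-256 manifest of /etc/apparmor.d before the upgrade and another after, then report anything that was added, removed or changed outside the expected snap/ subtree. build_sample_tree creates a constructed before/after pair for trying the check offline; the file contents in it are placeholders, not real policy.

```shell
#!/bin/sh
# Added example, not from the bug report: snapshot /etc/apparmor.d before and
# after the SRU and report any profile or abstraction that changed. The only
# expected difference is the new snap/ subtree (16.04 abstractions for snap
# confinement), so that tree is ignored. Assumes file names without
# whitespace, which holds for shipped policy files.

# hash_file FILE: print the SHA-256 of FILE (coreutils sha256sum, or shasum).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# policy_manifest DIR: print "HASH  RELATIVE/PATH" for every regular file
# under DIR, sorted by path (C locale) so two manifests can be joined.
policy_manifest() {
    ( cd "$1" || exit 1
      find . -type f | sed 's|^\./||' | LC_ALL=C sort |
      while IFS= read -r f; do
          printf '%s  %s\n' "$(hash_file "$f")" "$f"
      done )
}

# policy_diff OLD NEW: compare two manifests; print added/removed/changed
# paths and exit 1 if anything outside snap/ differs, 0 otherwise.
policy_diff() {
    LC_ALL=C join -a1 -a2 -e MISSING -o 0,1.1,2.1 -1 2 -2 2 "$1" "$2" | awk '
        $1 ~ /^snap\//  { next }                            # expected addition
        $2 == "MISSING" { print "added:   " $1; n++; next }
        $3 == "MISSING" { print "removed: " $1; n++; next }
        $2 != $3        { print "changed: " $1; n++ }
        END { exit (n ? 1 : 0) }'
}

# build_sample_tree ROOT: constructed before/ and after/ trees under ROOT that
# mimic the intended SRU outcome: abstractions/base and usr.bin.evince are
# byte-identical on both sides and only after/snap/abstractions/base is new.
# (Constructed placeholder data, not real policy files.)
build_sample_tree() {
    mkdir -p "$1/before/abstractions" "$1/after/abstractions" "$1/after/snap/abstractions"
    printf 'placeholder for the 14.04 base abstraction\n' |
        tee "$1/before/abstractions/base" > "$1/after/abstractions/base"
    printf 'placeholder for the evince profile\n' |
        tee "$1/before/usr.bin.evince" > "$1/after/usr.bin.evince"
    printf 'placeholder for the 2.10.95 base abstraction\n' > "$1/after/snap/abstractions/base"
}

# Typical use on the test box:
#   policy_manifest /etc/apparmor.d > before.manifest   # before installing the SRU
#   policy_manifest /etc/apparmor.d > after.manifest    # after
#   policy_diff before.manifest after.manifest && echo "no unexpected policy changes"
```

Hashing the installed tree catches both package-level changes and anything the maintainer scripts rewrite on upgrade, which a plain comparison of the two source packages would miss; pair it with `aa-status` before and after to confirm the same set of profiles is loaded in the same modes.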