[Bug 2052789] Re: AppArmor profiles missing in kernel 5.15.0-1051+ release

Andreas Hasenack 2052789 at bugs.launchpad.net
Thu Mar 28 17:27:41 UTC 2024


Hi all, I'm looking at the focal upload in unapproved.

I see it has this additional change in live-build/functions that is not mentioned in d/changelog:
--- a/live-build/functions
+++ b/live-build/functions
@@ -726,13 +726,44 @@ snap_preseed() {
 
 snap_validate_seed() {
     local CHROOT_ROOT=$1
-
+    local kern_major_min=undefined
+    local boot_filename=undefined
+
+    # ppc64el still uses /boot/vmlinux so we need to determine the boot file name as non ppc64el use /boot/vmlinuz
+    # We don't need to query the arch as we can use existence of the file to determine the boot file name. Both
+    # will never be present at the same time.
+    if [ -e ${CHROOT_ROOT}/boot/vmlinuz ]; then
+        boot_filename=vmlinuz
+    elif [ -e ${CHROOT_ROOT}/boot/vmlinux ]; then
+        boot_filename=vmlinux
+    fi
+    if [ ${boot_filename} != undefined ]; then  # we have a known boot file so we can proceed with checking for features to mount
+        kern_major_min=$(readlink --canonicalize --no-newline ${CHROOT_ROOT}/boot/${boot_filename} | grep  --extended-regexp --only-matching --max-count 1 '[0-9]+\.[0-9]+')
+        if [ -d /usr/share/livecd-rootfs/live-build/apparmor/${kern_major_min} ]; then
+            # if an Ubuntu version has different kernel apparmor features between LTS and HWE kernels
+            # a snap pre-seeding issue can occur, where the incorrect apparmor features are reported
+            # basic copy of a directory structure overriding the "generic" feature set
+            # which is tied to the LTS kernel
+    
+            # Bind kernel apparmor directory to feature directory for snap preseeding
+            umount "${CHROOT_ROOT}/sys/kernel/security/apparmor/features/"
+            mount --bind /usr/share/livecd-rootfs/live-build/apparmor/${kern_major_min} "${CHROOT_ROOT}/sys/kernel/security/apparmor/features/"
+        fi
+    fi 
+    
     if [ -e "${CHROOT_ROOT}/var/lib/snapd/seed/seed.yaml" ]; then
         snap debug validate-seed "${CHROOT_ROOT}/var/lib/snapd/seed/seed.yaml"
         /usr/lib/snapd/snap-preseed --reset $(realpath "${CHROOT_ROOT}")
         /usr/lib/snapd/snap-preseed $(realpath "${CHROOT_ROOT}")
         chroot "${CHROOT_ROOT}" apparmor_parser --skip-read-cache --write-cache --skip-kernel-load --verbose  -j `nproc` /etc/apparmor.d
     fi
+    
+    # Unmount kernel specific apparmor feature
+    # mount generic apparmor feature again (cleanup)
+    if [ -d /build/config/hooks.d/extra/apparmor/${kern_major_min} ]; then
+        umount "${CHROOT_ROOT}/sys/kernel/security/apparmor/features/"
+        mount -o bind /usr/share/livecd-rootfs/live-build/apparmor/generic "${CHROOT_ROOT}/sys/kernel/security/apparmor/features/"
+    fi
 }
 
 snap_from_seed() {
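Review bot: the cleanup condition at the end of the hunk tests a different directory from the setup condition, so the two halves can disagree. The bind mount is made when `[ -d /usr/share/livecd-rootfs/live-build/apparmor/${kern_major_min} ]`, but the restore of the generic feature set is gated on `[ -d /build/config/hooks.d/extra/apparmor/${kern_major_min} ]`. If that second path is absent in the build environment the kernel-specific features stay bind-mounted over `${CHROOT_ROOT}/sys/kernel/security/apparmor/features/` after the function returns; if it is present when the first is not, `umount` runs on a mount that was never made. Gate both on the same path, or set a flag when the bind mount is made and test that flag in the cleanup. The `umount`/`mount` calls are also unchecked: a failed `umount` followed by a successful `mount --bind` stacks a second mount on the same target, so either chain them with `&&` or let a failure abort the build.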


Looking at the jammy code changes and changelog, this seems to fix LP: #2038957:

      * Enable snap preseeding with ppc64el images where /boot/vmlinux is used
        instead of /boot/vmlinuz. (LP: #2038957)

That bug has a focal task, but it was marked as "won't fix" in
https://bugs.launchpad.net/ubuntu/+source/livecd-rootfs/+bug/2038957/comments/4.
Yet here we are with the change.

What do you want to do?
- include this change, and therefore fix #2038957. Then please update d/changelog, and also update the focal task in that other bug and check if its test plan still applies here
- not include the change
- something else because I completely misunderstood this.

Please advise. In the meantime, I'm marking the focal task as
incomplete.

** Changed in: livecd-rootfs (Ubuntu Focal)
       Status: Confirmed => Incomplete

https://bugs.launchpad.net/bugs/2052789

Title:
  AppArmor profiles missing in kernel 5.15.0-1051+ release

Status in livecd-rootfs package in Ubuntu:
  Fix Committed
Status in livecd-rootfs source package in Focal:
  Incomplete
Status in livecd-rootfs source package in Jammy:
  Fix Committed

Bug description:
  After the kernel roll to linux-gcp-5.15 to version
  5.15.0-1051.59_20.04.1 the public cloud team's pre-publication tests were
  failing on our snap_preseed_optimized test, which checks to ensure that
  snaps are preseeded correctly.

  This test checks the output of `snap debug seeding` to assert `seed-
  completion` is present and not empty.

  ```
  ❯ snap debug seeding
  seeded:            true
  preseeded:         true
  image-preseeding:  39.367s
  seed-completion:   1.335s
  ```

  If `/var/lib/snapd/seed/seed.yaml` exists it also asserts that
  `preseeded` is present and not empty.

  With the recent kernel update this test is failing which indicates a kernel feature mismatch between
  the running kernel and the feature set hard-coded in livecd-rootfs for this image.
  Boot will be slowed by ~200ms until this is resolved in livecd-rootfs.

  The solution is to add a 5.15 apparmor configuration to the focal
  branch of livecd-rootfs.

  The issue is also present with the recent 5.15 kernels in Jammy.

  Related bugs LP: #2031943 and LP: #2045384

  [ Impact ]

  Boot will be slowed by ~200ms until this is resolved in livecd-rootfs

  [ Test Plan ]

   * for focal build any cloud image with preseeded snaps with HWE 5.15 kernel
   * for jammy build any cloud image with preseeded snaps with up to date 5.15 kernel
   * boot
   * run `snap debug seeding`
   * assert the test described above passes

  [ Where problems could occur ]

   * Similar patches already exist for later releases 6.2, 6.5 kernel
  etc. and have been used on other private customer kernels and all
  kernels released after 22.04, so there is already a good track record
  for this patchset and it shouldn't create any issues.

  [ Other Info ]

   * This is a time-sensitive issue for a paying customer
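The snap_preseed_optimized check described in the bug, written out as an added example (not the public cloud team's own test script); the field names and the seed.yaml path are the ones given above, and the two sample outputs are constructed.

```shell
#!/bin/sh
# Constructed sample of `snap debug seeding` output from a correctly preseeded image.
SEEDING_OK='seeded:            true
preseeded:         true
image-preseeding:  39.367s
seed-completion:   1.335s'

# Constructed sample of the failure mode from the bug: no seed-completion field,
# which is what a kernel/apparmor feature mismatch in the image produces.
SEEDING_BAD='seeded:            true
preseeded:         true'

# field_value OUTPUT KEY: print the value of "KEY:" from the output, empty if absent.
field_value() {
    printf '%s\n' "$1" | awk -v k="$2:" '$1 == k { print $2 }'
}

# check_seeding OUTPUT HAVE_SEED_YAML
# Returns 0 when seed-completion is present and non-empty and, if the image ships
# /var/lib/snapd/seed/seed.yaml (HAVE_SEED_YAML=1), when preseeded is non-empty too.
check_seeding() {
    out=$1
    have_seed_yaml=$2
    completion=$(field_value "$out" seed-completion)
    if [ -z "$completion" ]; then
        echo "FAIL: seed-completion missing or empty (apparmor feature mismatch?)" >&2
        return 1
    fi
    if [ "$have_seed_yaml" = 1 ]; then
        preseeded=$(field_value "$out" preseeded)
        if [ -z "$preseeded" ]; then
            echo "FAIL: seed.yaml present but preseeded missing or empty" >&2
            return 1
        fi
    fi
    echo "PASS: preseeded=$(field_value "$out" preseeded) seed-completion=$completion"
    return 0
}

# On a booted image the check would be driven like this (commented out so the
# script runs offline against the constructed samples):
# if [ -e /var/lib/snapd/seed/seed.yaml ]; then have=1; else have=0; fi
# check_seeding "$(snap debug seeding)" "$have"
check_seeding "$SEEDING_OK" 1
```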
