apparmor abi-feature pinning not working with Disco and Eoan kernels

Bug #1842459 reported by Stoiko Ivanov
Affects: linux (Ubuntu)
Status: Incomplete
Importance: Undecided
Assigned to: John Johansen

Bug Description

When setting a features-file in /etc/apparmor/apparmor.conf (and using policies for this feature-set) certain operations are DENIED, although they should be allowed.
This occurs for example when running an Ubuntu kernel with Debian Buster apparmor.

Steps for reproducing:
* Starting from a minimal Buster VM (apparmor 2.13.2-10)
* Install unbound (one example) - apparmor confinement works as expected
* Install a kernel from Ubuntu (tested with: 5.0.0-25.26 from disco and 5.2.0-15.16 from eoan)
* Reboot - unbound fails to start - the following messages are in `dmesg`:

```
[ 3.109740] audit: type=1400 audit(1567527034.644:9): apparmor="DENIED" operation="create" profile="/usr/sbin/unbound" pid=516 comm="unbound" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[ 3.113969] audit: type=1400 audit(1567527034.652:10): apparmor="DENIED" operation="create" profile="/usr/sbin/unbound" pid=516 comm="unbound" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[ 5.322119] audit: type=1400 audit(1567527036.856:21): apparmor="DENIED" operation="create" profile="/usr/sbin/unbound" pid=549 comm="unbound" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[ 5.324621] audit: type=1400 audit(1567527036.860:22): apparmor="DENIED" operation="create" profile="/usr/sbin/unbound" pid=549 comm="unbound" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[ 5.326335] audit: type=1400 audit(1567527036.860:23): apparmor="DENIED" operation="create" profile="/usr/sbin/unbound" pid=549 comm="unbound" family="inet6" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
```

The problem does not occur when:
* booting the corresponding mainline kernels (5.0.18 and 5.29)
* booting debian kernels (5.2.9-2 from testing+sid and 4.19.0-5-amd64 from buster)
* the features-file is changed to reflect the features present in Ubuntu kernels
* the features-file option is removed (commented out) in /etc/apparmor/apparmor.conf

Opening the bug against linux and not apparmor, because it looks to me like the issue might be in the Ubuntu patches.

Glad to provide further information and help testing!

Thanks for all your great work!

Tags: apparmor disco
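The `dmesg` excerpt above is the evidence the whole report rests on, so a quick way to triage such output is useful. The following is an added example (not part of the bug report or of the AppArmor project): it parses AppArmor type=1400 audit records into their `key="value"` fields and counts the DENIED ones per profile, operation, address family and socket type, so a sudden run of `create` denials against `family="unix"`/`"inet6"` for a profile that is supposed to allow networking stands out. Two of the sample lines are copied from the report; the third (an `apparmor="STATUS"` record) is constructed to show that non-denials are filtered out.

```python
import re
from collections import Counter

# Two DENIED lines copied from the dmesg excerpt in the report, plus one
# constructed non-denial record to show that it is ignored.
SAMPLE_DMESG = """\
[    3.109740] audit: type=1400 audit(1567527034.644:9): apparmor="DENIED" operation="create" profile="/usr/sbin/unbound" pid=516 comm="unbound" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[    5.326335] audit: type=1400 audit(1567527036.860:23): apparmor="DENIED" operation="create" profile="/usr/sbin/unbound" pid=549 comm="unbound" family="inet6" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
[    6.000000] audit: type=1400 audit(1567527037.000:24): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/unbound" pid=600 comm="apparmor_parser"
"""

# key=value pairs; values are either double-quoted strings or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit record as a dict
    (quotes stripped), or None if the line is not an AppArmor record."""
    if 'apparmor=' not in line:
        return None
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def summarize_denials(text):
    """Count DENIED records grouped by (profile, operation, family, sock_type).
    Records without a family (file denials, for example) get '-' there."""
    counts = Counter()
    for line in text.splitlines():
        fields = parse_audit_line(line)
        if not fields or fields.get('apparmor') != 'DENIED':
            continue
        key = (fields.get('profile'), fields.get('operation'),
               fields.get('family', '-'), fields.get('sock_type', '-'))
        counts[key] += 1
    return counts


if __name__ == '__main__':
    # On a live system feed it the output of `dmesg` or journalctl -k instead.
    for (profile, op, family, sock_type), n in summarize_denials(SAMPLE_DMESG).items():
        print(f'{n:3d} x {profile}: operation={op} family={family} sock_type={sock_type}')
```

Grouping by family and socket type is what makes the pattern in this report recognisable: every denial is a socket `create`, which points at network mediation rather than at a missing file rule in the profile.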
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote: Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1842459

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
tags: added: disco
John Johansen (jjohansen) wrote:

Can you please attach the features file you are setting in /etc/apparmor/apparmor.conf

Stoiko Ivanov (siv0) wrote:

The feature file is the one currently shipped by buster.

Changed in linux (Ubuntu):
assignee: nobody → John Johansen (jjohansen)
John Johansen (jjohansen) wrote:

This might be in the compiler

The feature file you are pinning supports v8 socket mediation. The user space however does not. The Ubuntu kernel supports v7 and v8 socket mediation, but the user space only supports v7. I need to dig into this more but it looks like the user space compiler is generating v7 network rules when using the Ubuntu kernel.

2.13 actually uses two feature sets the kernel features (--kernel-features, used to determine cache location and bound compile features to what the kernel can actually load) and the compile features (--compile-features). They can be set separately but the --features-file option is supposed to set both of them to the same value.

There is a bug in 2.13.2 where --features-file is only setting the compile-features. This was addressed by upstream commit e83fa67edfb534976dc4133e634519084153c0e7.

We should be able to test whether this patch is the fix by setting both features-file and kernel-features to the same file.

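The comment above turns on two feature sets (the pinned features-file versus what the running kernel advertises) and on whether each one carries v7 or v8 socket mediation. The following is an added example, not code from the bug thread or from the AppArmor project: it parses the flattened brace-nested text form that the features-file option reads (the thread points at /usr/share/apparmor-features/features), and diffs a pinned set against a kernel set. The two feature sets are constructed and heavily abbreviated, and the mapping "a `network` block means v7, a `network_v8` block means v8" is a simplified model assumed by this example, not the parser's exact logic.

```python
import re

# Constructed, abbreviated feature set standing in for the Buster pinned file:
# only the 'network' (v7) socket mediation block, policy versions up to v7.
PINNED_BUSTER = """\
file {mask {create read write exec append mmap_exec link lock
}
}
network {af_mask {unix inet inet6 netlink packet
}
}
policy {set_load {1
}
versions {v5 v6 v7
}
}
"""

# Constructed set standing in for an Ubuntu kernel: same as above plus the
# 'network_v8' block and a v8 policy version.
UBUNTU_KERNEL = """\
file {mask {create read write exec append mmap_exec link lock
}
}
network {af_mask {unix inet inet6 netlink packet
}
}
network_v8 {af_mask {unix inet inet6 netlink packet
}
}
policy {set_load {1
}
versions {v5 v6 v7 v8
}
}
"""

# braces are tokens of their own even when glued to a word ("{mask")
_TOKEN_RE = re.compile(r'\{|\}|[^\s{}]+')


def parse_features(text):
    """Parse the brace-nested feature text into a tree: a dict for a block
    with named children, a set of words for a leaf block such as af_mask.
    A block that mixes words and children keeps its words under '_values'."""
    tokens = _TOKEN_RE.findall(text)
    pos = 0

    def block():
        nonlocal pos
        children, words = {}, []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == '}':
                break
            if pos < len(tokens) and tokens[pos] == '{':
                pos += 1
                children[tok] = block()
            else:
                words.append(tok)
        if children and words:
            children['_values'] = set(words)
        return children if children else set(words)

    return block()


def flatten(tree, prefix=''):
    """Yield (path, words) for every leaf, e.g. ('network/af_mask', {...})."""
    for name, child in tree.items():
        path = f'{prefix}/{name}' if prefix else name
        if isinstance(child, dict):
            yield from flatten(child, path)
        else:
            yield path, child


def compare_features(pinned, kernel):
    """Return (leaves only the kernel has, leaves only the pinned file has,
    leaves in both whose word sets differ), each as a sorted list of paths."""
    p, k = dict(flatten(pinned)), dict(flatten(kernel))
    only_kernel = sorted(k.keys() - p.keys())
    only_pinned = sorted(p.keys() - k.keys())
    changed = sorted(path for path in p.keys() & k.keys() if p[path] != k[path])
    return only_kernel, only_pinned, changed


def socket_mediation_versions(tree):
    """Simplified model assumed by this example: a 'network' block signals
    v7 socket mediation, a 'network_v8' block signals v8."""
    versions = set()
    if 'network' in tree:
        versions.add('v7')
    if 'network_v8' in tree:
        versions.add('v8')
    return versions


if __name__ == '__main__':
    pinned, kernel = parse_features(PINNED_BUSTER), parse_features(UBUNTU_KERNEL)
    print('pinned file socket mediation:', sorted(socket_mediation_versions(pinned)))
    print('kernel socket mediation:     ', sorted(socket_mediation_versions(kernel)))
    only_kernel, only_pinned, changed = compare_features(pinned, kernel)
    print('only in kernel:', only_kernel)
    print('only in pinned file:', only_pinned)
    print('leaves that differ:', changed)
```

Run against a real pinned file and a real kernel feature dump, a non-empty "only in kernel" list for `network_v8/af_mask` is exactly the situation the comment describes: the kernel offers v8 socket mediation, the pinned set does not, and whichever of the two sets the compiler actually honours decides which network rule encoding it emits.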
Stoiko Ivanov (siv0) wrote:

AFAICS e83fa67edfb534976dc4133e634519084153c0e7 got backported before 2.13.2 (8661ebcb7910e03bfcdb6fbf99616120a398d576). And the apparmor_parser binary has the --compile-features flag in the version in buster.

I tested with both the versions from buster (2.13.2-10) and sid (2.13.3-4):

```
apparmor_parser --kernel-features /usr/share/apparmor-features/features --features-file /usr/share/apparmor-features/features -a usr.sbin.unbound
```

after removing the policy beforehand.

(and various other combinations of --features-file, --compile-features, --kernel-features)

The result with all cases is that apparmor prevents unbound from creating sockets and thus starting.

I hope the test was correct.

Thanks!

user8888 (user8888) wrote:

I have this issue using proxmox kernel (based on ubuntu) and debian lxc containers.

Is this a bug with the apparmor debian package or the ubuntu kernel?

user8888 (user8888) wrote:

Commenting #features-file in parser.conf in debian 9 (apparmor 2.11) fixes the issue.

But on debian 10 (apparmor 2.13.2), commenting this is not enough as profiles won't load on reboot. Using the 2.13.3 apparmor package from ubuntu seems to fix the problem fully.

Tried with a 5.3 ubuntu kernel.

Hope it helps.
