mantic kernel 6.5.0.1006 Adds io_uring apparmor feature

Bug #2037567 reported by John Chittum
Affects / Status / Importance / Assigned to / Milestone:
  livecd-rootfs (Ubuntu): Fix Released; Undecided; John Chittum; no milestone
  Jammy: Fix Released; Undecided; Unassigned; no milestone

Bug Description

Starting with kernel package(s) 6.5.0.1006, currently in mantic-proposed, `io_uring` is added as an apparmor feature. This change results in preseeded snaps being unoptimized, because the apparmor features mounted in the chroot do not match those of the 6.5.0.1006 kernels. On a system running with that kernel:

cat /sys/kernel/security/apparmor/features/io_uring/mask
sqpoll override_creds

1. ensure that this is correct with kernel and security teams
2. ~~ensure that this is the default going forward~~: create a 6.5 feature directory, as xnox pointed out that Mantic has more than 6.5 kernels at this time.

If 1 and 2 hold, then set the default in `livecd-rootfs` for mounted apparmor features to include io_uring.

SRU [Jammy]
====

[ Impact ]

 * Users of the 6.5 kernel will have unoptimized first boot experiences due to snaps not preseeding with the correct apparmor setup. This directly affects clouds, leading to boot speed degradation of anywhere from 10-30s (depending on snaps installed).

[ Test Plan ]

 * Create images with livecd-rootfs:ubuntu/jammy with the SRU'd change (the 6.5 directory in live-build/apparmor)
   * The image must use an "edge" kernel or another forward-pointing kernel, as the HWE and cloud kernels have not rolled to 6.5 yet.
 * Boot the image(s)
 * Check `snap debug seeding`. This should show successful seeding.
   * If a long JSON output is observed, check the restart-key to see which features are missing. Compare to 6.5 in ubuntu/master and check with the security, apparmor, and kernel teams.
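As an added example (not code from this bug report or from livecd-rootfs), the following POSIX shell checker compares a staged feature directory such as live-build/apparmor/6.5 against what the running kernel exports, and reports the missing or changed files that would alter snapd's preseed system key. The sample trees it builds are constructed: the caps and file mask values are made up, and only the io_uring mask value comes from this report.

```shell
#!/bin/sh
# Added example, not code from the bug report or from livecd-rootfs: compare a
# staged apparmor feature tree (such as live-build/apparmor/6.5) with the tree a
# running kernel exports under /sys/kernel/security/apparmor/features. Any file
# missing on either side, or differing in content, changes snapd's preseed
# system key and forces a full re-seed on first boot.
set -u

# compare_features STAGED_DIR KERNEL_DIR: prints each mismatch, returns 1 if any.
compare_features() {
    staged="$1"; kernel="$2"; status=0
    for rel in $(cd "$staged" && find . -type f | sed 's|^\./||' | sort); do
        if [ ! -f "$kernel/$rel" ]; then
            echo "missing on kernel side: $rel"; status=1
        elif ! cmp -s "$staged/$rel" "$kernel/$rel"; then
            echo "content differs: $rel (staged: $(cat "$staged/$rel"); kernel: $(cat "$kernel/$rel"))"
            status=1
        fi
    done
    # Files the kernel exports but the staged tree lacks: the io_uring case in this bug.
    for rel in $(cd "$kernel" && find . -type f | sed 's|^\./||' | sort); do
        [ -f "$staged/$rel" ] || { echo "missing in staged tree: $rel"; status=1; }
    done
    return $status
}

# Constructed sample trees (not real kernel output) so the check runs offline;
# sets SAMPLE to a temp dir holding staged/ and kernel/.
make_sample_trees() {
    SAMPLE=$(mktemp -d)
    for side in staged kernel; do
        mkdir -p "$SAMPLE/$side/caps" "$SAMPLE/$side/file"
        printf 'chown dac_override\n' > "$SAMPLE/$side/caps/mask"
        printf 'create read write\n' > "$SAMPLE/$side/file/mask"
    done
    # The 6.5 kernel exports io_uring (mask value as quoted in the bug); the stale tree does not.
    mkdir -p "$SAMPLE/kernel/io_uring"
    printf 'sqpoll override_creds\n' > "$SAMPLE/kernel/io_uring/mask"
}

if [ $# -eq 2 ]; then
    # Real use: sh check_features.sh live-build/apparmor/6.5 /sys/kernel/security/apparmor/features
    compare_features "$1" "$2"
else
    make_sample_trees
    compare_features "$SAMPLE/staged" "$SAMPLE/kernel" || echo "feature trees differ"
    rm -rf "$SAMPLE"
fi
```

Run with no arguments to see the constructed io_uring mismatch; run with the two directories to check a real staged tree against the booted kernel.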

[ Where problems could occur ]

 * If there is a difference between the 6.5 feature rules in mantic and those of the 6.5 kernel being released to Jammy

[ Other Info ]

 * Testing may be difficult, as we're trying to catch this before it lands. The codepath selecting the kernel version is stable, so adding the configuration area should be safe, even if testing is not easily possible.

John Chittum (jchittum)
Changed in livecd-rootfs (Ubuntu):
assignee: nobody → John Chittum (jchittum)
John Chittum (jchittum) wrote :

Did the following to ensure that current features, as listed in the files, are the same:

1. uploaded livecd-rootfs/live-build/apparmor/generic to test machine
2. ran the following snippet (from inside the uploaded directory; ${filename:2} strips the leading "./" so the path lines up with the sysfs tree)
# Walk each feature directory and diff every file against the running kernel's copy
for dirn in ./*; do
 for filename in "${dirn}"/*; do
  if [[ -f "$filename" ]]; then
   diffname=$(realpath "$filename")
   echo "diffing $diffname to /sys/kernel/security/apparmor/features/${filename:2}"
   diff "$diffname" "/sys/kernel/security/apparmor/features/${filename:2}"
  fi
 done
done

diffing /home/ubuntu/caps/mask to /sys/kernel/security/apparmor/features/caps/mask
diffing /home/ubuntu/dbus/mask to /sys/kernel/security/apparmor/features/dbus/mask
diffing /home/ubuntu/domain/change_hat to /sys/kernel/security/apparmor/features/domain/change_hat
diffing /home/ubuntu/domain/change_hatv to /sys/kernel/security/apparmor/features/domain/change_hatv
diffing /home/ubuntu/domain/change_onexec to /sys/kernel/security/apparmor/features/domain/change_onexec
diffing /home/ubuntu/domain/change_profile to /sys/kernel/security/apparmor/features/domain/change_profile
diffing /home/ubuntu/domain/computed_longest_left to /sys/kernel/security/apparmor/features/domain/computed_longest_left
diffing /home/ubuntu/domain/fix_binfmt_elf_mmap to /sys/kernel/security/apparmor/features/domain/fix_binfmt_elf_mmap
diffing /home/ubuntu/domain/post_nnp_subset to /sys/kernel/security/apparmor/features/domain/post_nnp_subset
diffing /home/ubuntu/domain/stack to /sys/kernel/security/apparmor/features/domain/stack
diffing /home/ubuntu/domain/version to /sys/kernel/security/apparmor/features/domain/version
diffing /home/ubuntu/file/mask to /sys/kernel/security/apparmor/features/file/mask
diffing /home/ubuntu/ipc/posix_mqueue to /sys/kernel/security/apparmor/features/ipc/posix_mqueue
diffing /home/ubuntu/mount/mask to /sys/kernel/security/apparmor/features/mount/mask
diffing /home/ubuntu/namespaces/mask to /sys/kernel/security/apparmor/features/namespaces/mask
diffing /home/ubuntu/namespaces/pivot_root to /sys/kernel/security/apparmor/features/namespaces/pivot_root
diffing /home/ubuntu/namespaces/profile to /sys/kernel/security/apparmor/features/namespaces/profile
diffing /home/ubuntu/network/af_mask to /sys/kernel/security/apparmor/features/network/af_mask
diffing /home/ubuntu/network/af_unix to /sys/kernel/security/apparmor/features/network/af_unix
diffing /home/ubuntu/network_v8/af_mask to /sys/kernel/security/apparmor/features/network_v8/af_mask
diffing /home/ubuntu/policy/outofband to /sys/kernel/security/apparmor/features/policy/outofband
diffing /home/ubuntu/policy/set_load to /sys/kernel/security/apparmor/features/policy/set_load
diffing /home/ubuntu/ptrace/mask to /sys/kernel/security/apparmor/features/ptrace/mask
diffing /home/ubuntu/rlimit/mask to /sys/kernel/security/apparmor/features/rlimit/mask
diffing /home/ubuntu/signal/mask to /sys/kernel/security/apparmor/features/signal/mask

Not perfect, but it does show that nothing, file to file that I matched, has changed.

From the snap perspective:

snap debug seeding

seeded: true
preseeded: true
image-preseeding: 5.988s
seed-completion: 3.098s
preseed-system-key: {
  "apparmor-features": [
    "caps",
    "dbus",
...


description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package livecd-rootfs - 23.10.55

---------------
livecd-rootfs (23.10.55) mantic; urgency=medium

  * fix: add 6.5 kernel apparmor features to livecd-rootfs based on
    features pulled from 6.5.0.1006 kernel in proposed (LP: #2037567)

 -- jchittum <email address hidden> Thu, 05 Oct 2023 11:10:43 -0500

Changed in livecd-rootfs (Ubuntu):
status: New → Fix Released
Gauthier Jolly (gjolly) wrote :

We need to backport this to 22.04 before HWE kernels roll to 6.5; otherwise we will have a similar issue with 22.04.

John Chittum (jchittum)
description: updated
Andreas Hasenack (ahasenack) wrote : Please test proposed package

Hello John, or anyone else affected,

Accepted livecd-rootfs into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/livecd-rootfs/2.765.32 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in livecd-rootfs (Ubuntu Jammy):
status: New → Fix Committed
tags: added: verification-needed verification-needed-jammy
Andreas Hasenack (ahasenack) wrote :

Why is this not needed for lunar? I see mantic has the fix.

Łukasz Zemczak (sil2100) wrote :

Hello John, or anyone else affected,

Accepted livecd-rootfs into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/livecd-rootfs/2.765.33 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Łukasz Zemczak (sil2100) wrote :

Hello John, or anyone else affected,

Accepted livecd-rootfs into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/livecd-rootfs/2.765.34 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Philip Roche (philroche) wrote :

This has been verified now using the quoted test plan.

> Test plan
> * Create images with livecd-rootfs:ubuntu/jammy with the SRU'd change (the 6.5 directory in live-build/apparmor)
> * image must use an "edge" kernel or another forward pointing kernel as the HWE and cloud kernels have not rolled yet.
> * boot image(s)
> * check `snap debug seeding`. This should show successful seed

We also have internal tests in the public cloud team that verify that seeding was successful. These tests also passed.

Marking as verification-done-jammy

tags: added: verification-done-jammy
removed: verification-needed-jammy
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package livecd-rootfs - 2.765.34

---------------
livecd-rootfs (2.765.34) jammy; urgency=medium

  * Remove comments in the debian/control dependencies as it was causing the
    package build to fail.

livecd-rootfs (2.765.33) jammy; urgency=medium

  [ Steve Langasek ]
  * Use losetup instead of kpartx to resolve race conditions in riscv64
    image builds. LP: #2045797.

  [ Utkarsh Gupta ]
  * unminimize: Use lxd-installer to install LXD itself (LP: #2036725)

livecd-rootfs (2.765.32) jammy; urgency=medium

  [ Heinrich Schuchardt ]
  * arm: fix console parameter for ARM cloud-images (LP: #2036730)

livecd-rootfs (2.765.31) jammy; urgency=medium

  [ John Chittum ]
  * fix: add 6.5 kernel apparmor features to livecd-rootfs based on
    features of 6.5 in ubuntu/mantic. This will roll as HWE. (LP: #2037567)

livecd-rootfs (2.765.30) jammy; urgency=medium

  * Enable snap preseeding with ppc64el images where /boot/vmlinux is used
    instead of /boot/vmlinuz. (LP: #2038957)

livecd-rootfs (2.765.29) jammy; urgency=medium

  [ Steve Langasek ]
  * The chroot tmpfs mount should only be /var/lib/apt/lists, not
    /var/lib/apt; the latter breaks changes to /var/lib/apt/extended_states.
    (LP: #2036195).

livecd-rootfs (2.765.28) jammy; urgency=medium

  * Fix unminimize to correctly list packages. (LP: #1996489)
  * Install LXD snap from stable/ubuntu-<version> channel. (LP: #2036725)

livecd-rootfs (2.765.27) jammy; urgency=medium

  [ Thomas Bechtold ]
  * Do not modify /etc/ssh/sshd_config for ubuntu-cpc
    project builds (LP: #1968873)

 -- Łukasz 'sil2100' Zemczak <email address hidden> Mon, 15 Jan 2024 16:41:18 +0100

Changed in livecd-rootfs (Ubuntu Jammy):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for livecd-rootfs has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
