update AppArmor to 2.5.1 (for upstream and backported maverick kernels)

Subscribing ubuntu-sru so they know not to pocket copy the backported kernel without this update.

The timing of the backported maverick kernel caught me a little off-guard so I will be preparing/uploading the SRU AppArmor packages within the next few days.

What are the changes between 2.5.0 and 2.5.1? In particular, any abstraction and profile changes? We absolutely must avoid any regression that happens with the standard lucid kernel.

Yes, there are abstraction and profile changes, but they should only allow for more access, not less. The plan is to prepare packages for maverick first (since there are a number of SRU bugs in maverick, but since maverick has 2.5.1rc1, it is very close to 2.5.1 already), and then use this package on lucid, with some changes. Maverick does have some profiling features backported from the 2.6 branch that I plan to leave out of lucid (eg chromium-browser profile, local/, and abstractions/ubuntu-browsers.d/). I will be providing detailed analysis of the changes as well as my testing when I upload for review.

Uploaded 2.5.1-0ubuntu0.10.10.1 to maverick-proposed. This is the 'master' bug for the SRU, but this update fixes the following bugs in maverick: bug #652211, bug #652674, bug #654841, bug #654841, bug #655529 and bug #657091. All of those bugs have an official SRU request.

Attached is a diff between 2.5.1~rc1 and 2.5.1, minus the removed kernel-patches directory and autotools differences. I will also attach the diff between the debian/ directories.

This bug was fixed in the package apparmor - 2.5.1-0ubuntu1

---------------
apparmor (2.5.1-0ubuntu1) natty; urgency=low

  * New upstream release (LP: #660077)
    - The following patches were refreshed:
      + 0001-fix-release.patch
      + 0003-local-includes.patch
      + 0008-lp648900.patch: renamed as 0005-lp648900.patch
    - The following patches were dropped (included upstream):
      + 0005-lp601583.patch
      + 0006-network-interface-enumeration.patch
      + 0007-gnome-updates.patch
  * debian/patches/0006-testsuite-fixes.patch: testsuite fixes from head
    of 2.5 branch. These are needed for QRT and SRU testing (LP: #652211)
  * debian/patches/0007-honor-cflags.patch: have the parser makefile honor
    CFLAGS environment variable. Brings back missing symbols for the retracer
  * debian/patches/0008-lp652674.patch: fix warnings for messages without
    denied or requested masks (LP: #652674)
  * debian/apparmor.init: fix path to aa-status (LP: #654841)
  * debian/apport/source_apparmor.py: apport hook should use
    root_command_hook() for running apparmor_status (LP: #655529)
  * debian/apport/source_apparmor.py: use ProcKernelCmdline and don't clobber
    cmdline details (LP: #657091)
 -- Jamie Strandboge <email address hidden> Fri, 15 Oct 2010 12:23:00 -0500

Uploaded 2.5.1-0ubuntu0.10.04.1 to lucid-proposed. Attached is a diff between profiles/ on 2.5-0ubuntu3 and 2.5.1. I will also attach the diff between the debian/ directories.

For the most part, I have removed features when they were implemented in packaging. Ie:
* I have dropped the backported from 2.6 local/ and ubuntu-browsers.d/ changes
* I have dropped the chromium-browser profile in apparmor-profiles (it depends on the above)
* I have dropped the aa-update-browser tool (also depends on the above)
* I removed use of dh_apparmor

In terms of abstractions, there are many abstraction bug fixes allowing additional access. There were three changes that were noteworthy:
1. machine-id moved from dbus to dbus-session. I added 0009-lucid-compat-dbus.patch to move it back
2. kde4-config was removed from the kde abstraction. I added 0010-lucid-compat-kde.patch to put it back (with PUx instead of Ux)
3. user-tmp uses 'owner' match in 2.5.1. This is a highly desirable security improvement (see bug #578922) for an LTS, and should not affect any applications in the default Ubuntu install. I have added text to the changelog to explain this in detail.

I also made sure that shipped profiles/abstractions shipped in the same package (eg, the apache2* abstraction shipped in apparmor in Lucid, but libapache2-mod-apparmor in Maverick. I reverted that change.

I have tested locally on a default amd64 install against QRT (which includes package test, initscript tests, apport, non-build testsuites, and more) and it passes. Once the packages build in -proposed, I will retest them on i386 and amd64, and will test all packages that ship a confined binary. I also tested linux-image-generic-lts-backport-maverick against QRT on amd64 and it works great. I plan to coordinate more testing with the kernel-team once the packages are in -proposed.

It was pointed out to me today that bug #539441 was reintroduced in maverick, so I have reuploaded the maverick package with the fix for that. Attached is the diff from the last upload to this one. This change was well tested on Lucid and its omission in maverick was simply an oversight.

In comment #7 I mentioned that I reverted the changes between lucid and maverick regarding the apache2-common profile. Since I reverted this in the last maverick upload (comment #10), I updated the lucid changelog and reuploaded to remove any potential confusion.

Accepted apparmor into maverick-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Just getting back to this now. The maverick-proposed upload FTBFS due to the new tests in the parser testsuite which require the AppArmor securityfs introspection directory to be mounted, which it isn't on the buildd. Added a patch to skip this test if the directory is not available.

I also added a patch to the ubuntu-browsers abstraction that was accidentally omitted from the previous upload. This uses 'Pix' instead of 'Pux' for sensible-browser. Only evince uses the ubuntu-browsers abstraction and it is verified to work correctly with this change (ie, setting the preferred browser to sensible-browser opens the browser configured for use with sensible-browser).

FYI-- 2.5.1-0ubuntu4 is now in natty, and contains all of these patches.

2.5.1-0ubuntu0.10.04.1 has been uploaded again, which has the above fixes.

Successfully installed 2.5.1-0ubuntu0.10.04.1 on my lucid box, seems to be working just fine (and not OOPSing that I can see.)

Accepted apparmor into maverick-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Upgraded to 2.5.1-0ubuntu0.10.10.2 in two clean up to date VMs (amd64 and i386). Rebooted, etc and all worked fine. Ran test-apparmor.py QRT tests (which runs the extensive upstream tests as well as a number of other tests) on both it passes.

This bug was fixed in the package apparmor - 2.5.1-0ubuntu0.10.10.2

---------------
apparmor (2.5.1-0ubuntu0.10.10.2) maverick-proposed; urgency=low

  * New upstream release (LP: #660077)
    - The following patches were refreshed:
      + 0001-fix-release.patch
      + 0003-local-includes.patch
      + 0004-ubuntu-abstractions-updates.patch
      + 0008-lp648900.patch: renamed as 0005-lp648900.patch
    - The following patches were dropped (included upstream):
      + 0005-lp601583.patch
      + 0006-network-interface-enumeration.patch
      + 0007-gnome-updates.patch
  * debian/patches/0006-testsuite-fixes.patch: testsuite fixes from head
    of 2.5 branch. These are needed for QRT and SRU testing (LP: #652211)
  * debian/patches/0007-honor-cflags.patch: have the parser makefile honor
    CFLAGS environment variable. Brings back missing symbols for the retracer
  * debian/patches/0008-lp652674.patch: fix warnings for messages without
    denied or requested masks (LP: #652674)
  * debian/apparmor.init: fix path to aa-status (LP: #654841)
  * debian/apport/source_apparmor.py: apport hook should use
    root_command_hook() for running apparmor_status (LP: #655529)
  * debian/apport/source_apparmor.py: use ProcKernelCmdline and don't clobber
    cmdline details (LP: #657091)
  * debian/{rules,control}: move apache2 abstractions into the base package
    so we can put apache2 profiles into the -profiles package without
    aa-logprof bailing out. Patch by Marc Deslauriers.
    (LP: #539441)
  * debian/patches/0009-sensible-browser-pix.patch: use Pix with
    sensible-browser
  * debian/patches/0010-ubuntu-buildd.patch: skip parser caching test if
    the AppArmor securityfs introspection directory is not mounted, as
    is the case on Ubuntu buildds.
 -- Jamie Strandboge <email address hidden> Tue, 02 Nov 2010 12:04:06 -0500

To ubuntu-sru,

What is the status of this for Lucid? I believe John Johansen and I have addressed all questions in an offline email. Once the lucid packages hit proposed I can run all the QRT tests and install it on at least 6 different production machines (mix of servers and desktops). Also, Lamont is already using the package in production as well (see comment #16). If you'd like, I can blog about it and send a note to ubuntu-devel.

Accepted apparmor into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

FYI, I upgraded several production desktops and servers with the AppArmor in lucid-proposed and all the upgrades went fine and the confined processes all continue to work fine for the last week after upgrading and also a reboot. The following cumulative list of profiles was tested in real world scenarios:
* apache (non-default with several hats)
* asterisk (non-default)
* chromium (non-default)
* clamd
* cups
* dhclient3
* dhcpd3
* evince
* firefox
* freshclam
* irssi (non-default)
* mt-daapd (non-default)
* mysqld
* named
* ntpd
* openvpn (non-default, with child profile)
* sftp-server (non-default)
* tcpdump

I am continuing with QRT testing now and will report back here when done.

Since test-apparmor.py from QRT is pretty comprehensive, I am going to display its tests results here (both i386 and amd64 passed):

$ sudo ./test-apparmor.py -v --with-parser-stress
Skipping private tests
Test enforce to complain and back with aa-complain/aa-enforce ... ok
Test aa-status ... ok
Test aa-unconfined ... ok
Test add/remove profile ... ok
Test complain profile ... ok
Test enforce profile ... ok
Test moving from enforce to complain and back ... ok
Test initscript ...
 stop
 teardown
 status (unloaded: LP: #654841)
 start
 restart
 reload
 force-reload
 status (loaded)
ok
Test kernel ... ok
Test aa-logprof LP: #652674 ... ok
Test /etc/apparmor.d/disable ... ok
Test /etc/apparmor.d/force-complain ... ok
Test required apport hooks ... ok
Test apport LP: #655529 ... ok
Test pam (order=default,user,group) ...
  adm_group can access default_user's file
  adm_group cannot access adm_group's file
  adm_group cannot access confined_user's file
  adm_group cannot access confined_group's file
  adm_group cannot access unconfined_user's file
  adm_group cannot access unconfined_group's file
  confined_group can access default_user's file
  confined_group cannot access adm_group's file
  confined_group cannot access confined_user's file
  confined_group cannot access confined_group's file
  confined_group cannot access unconfined_user's file
  confined_group cannot access unconfined_group's file
  confined_user can access default_user's file
  confined_user cannot access adm_group's file
  confined_user cannot access confined_user's file
  confined_user cannot access confined_group's file
  confined_user cannot access unconfined_user's file
  confined_user cannot access unconfined_group's file
  default_user can access default_user's file
  default_user cannot access adm_group's file
  default_user cannot access confined_user's file
  default_user cannot access confined_group's file
  default_user cannot access unconfined_user's file
  default_user cannot access unconfined_group's file
  unconfined_group can access default_user's file
  unconfined_group cannot access adm_group's file
  unconfined_group cannot access confined_user's file
  unconfined_group cannot access confined_group's file
  unconfined_group cannot access unconfined_user's file
  unconfined_group cannot access unconfined_group's file
  unconfined_user can access default_user's file
  unconfined_user cannot access adm_group's file
  unconfined_user cannot access confined_user's file
  unconfined_user cannot access confined_group's file
  unconfined_user cannot access unconfined_user's file
  unconfined_user cannot access unconfined_group's file
ok
Test pam (order=group,default,user) ...
  adm_group can access adm_group's file
  adm_group cannot access confined_user's file
  adm_group cannot access default_user's file
  confined_user can access confined_user's file
  confined_user cannot access unconfined_user's file
  default_user can access default_user's file
  default_user cannot access unconfined_user's file
  unconfined_user can access adm_group's file
  unconfined_user can access confined_user's file
  unconfined_user can access confined_group's file
  unconfined_user...

Err, here are the results with the proper invocation of test-apparmor.py to get the parser stress tests too:
$ sudo ./test-apparmor.py --with-parser-stress -v
...
Run parser stress test ... Generating 1000 profiles...
Loading directory of profiles into buffer cache

real 0m1.448s
user 0m3.648s
sys 0m0.580s
Running preprocess only parser on directory of profiles

real 4m21.596s
user 4m19.216s
sys 0m3.120s
Running full parser on directory of profiles

real 4m27.704s
user 4m25.037s
sys 0m3.676s
Loading equivalent profile into buffer cache

real 0m0.004s
user 0m0.000s
sys 0m0.004s
Running preprocess only parser on single equiv profile

real 4m29.743s
user 4m29.469s
sys 0m0.212s
Running full parser on single equivalent profile

real 4m39.586s
user 4m39.321s
sys 0m0.196s

ok
Run subdomain stress test ... (skipped: use --with-subdomain-stress to enable) ok
Cleanup downloaded source ... ok

----------------------------------------------------------------------
Ran 25 tests in 1387.654s

OK

(FYI, the subdomain stress tests intentionally never complete which is why they aren't run. This may change in a future version of AppArmor).

The following QRT scripts were used to test AppArmor:

qrt-test-apache2.tar.gz: PASS*
qrt-test-avahi.tar.gz: PASS**
qrt-test-bind9.tar.gz: PASS
qrt-test-browser.tar.gz: PASS
qrt-test-clamav.tar.gz: PASS
qrt-test-cups.tar.gz: PASS
qrt-test-dhcp.tar.gz: PASS
qrt-test-dovecot.tar.gz: Skipped***
qrt-test-evince.tar.gz: PASS
qrt-test-libvirt.tar.gz: PASS
qrt-test-mysql.tar.gz: PASS
qrt-test-ntp.tar.gz: PASS
qrt-test-openldap.tar.gz: PASS
qrt-test-samba.tar.gz: PASS****
qrt-test-tcpdump.tar.gz: PASS

* tested with libapache2-mod-apparmor enabled. Also configured hat for phpsysinfo and it worked fine
** works with apparmor-profiles installed with profile in enforce mode
*** too many non-AppArmor script failures
**** smbd and nmbd work as well as before. Specifically, smbd and nmbd needed write access to /var/log/samba/cores/ (bug in Lucid) and smbd needed access to the exported directories and files (like normal)

Based on the QRT script successes and real world testing, it is my opinion that there are no functional regressions in the update in lucid-proposed.

Next up for tomorrow, testing the maverick backport kernel, the guest session and verifying all the various SRU bugs.

Installed linux-image-generic-lts-backport-maverick and apparmor from lucid-proposed and QRT:test-apparmor.py passes on both amd64 and i386 (I also verified the specific bugs that address this configuration).

Final bits of testing:
* Installed all packages provided by the apparmor source and upgraded via update-manager with no problems
* apparmor-notify works
* guest session works and is in enforcing mode

Between this, the other testing documented in this bug, and all the verified fixed bugs I updated todo, I think this is ready. Please let me know if more needs to be done. Thanks!

This bug was fixed in the package apparmor - 2.5.1-0ubuntu0.10.04.1

---------------
apparmor (2.5.1-0ubuntu0.10.04.1) lucid-proposed; urgency=low

  * Backport 2.5.1-0ubuntu0.10.10.1 from maverick for userspace tools to work
    with newer kernels (LP: #660077)
    NOTE: user-tmp now uses 'owner' match, so non-default profiles will have
    to be adjusted when 2 separately confined applications that both use the
    user-tmp abstraction depend on being able to cooperatively share files
    with each other in /tmp or /var/tmp.
  * remove the following patches (features not appropriate for SRU):
    - 0002-add-chromium-browser.patch
    - 0003-local-includes.patch
    - 0004-ubuntu-abstractions-updates.patch
  * debian/rules (this makes it the same as what was shipped in 10.04 LTS
    release):
    - don't ship aa-update-browser and its man page (requires
      0004-ubuntu-abstractions-updates.patch)
    - don't ship apparmor.d/local/ (requires 0003-local-includes.patch)
    - don't use dh_apparmor (not in Ubuntu 10.04 LTS)
    - don't ship chromium profile
  * remove debian/profiles/chromium-browser
  * remove debian/aa-update-browser*
  * debian/apparmor-profiles.postinst: revert to that in lucid release
    (requires dh_apparmor and 0002-add-chromium-browser.patch)
  * remove debian/apparmor-profiles.postrm: doesn't make sense without
    0002-add-chromium-browser.patch
  * debian/control:
    - revert Build-Depends on debhelper (>= 5)
    - revert Standards-Version to 3.8.4
    - revert Vcs-Bzr
    - use Conflicts/Replaces version that was in Ubuntu 10.04 LTS
  * debian/patches/0011-lucid-compat-dbus.patch: move /var/lib/dbus/machine-id
    back into dbus, since profiles on 10.04 LTS expect it there
  * debian/patches/0012-lucid-compat-kde.patch: add kde4-config to kde
    abstraction, since the firefox profile on Ubuntu 10.04 LTS expects it to
    be there

apparmor (2.5.1-0ubuntu0.10.10.2) maverick-proposed; urgency=low

  * New upstream release (LP: #660077)
    - The following patches were refreshed:
      + 0001-fix-release.patch
      + 0003-local-includes.patch
      + 0004-ubuntu-abstractions-updates.patch
      + 0008-lp648900.patch: renamed as 0005-lp648900.patch
    - The following patches were dropped (included upstream):
      + 0005-lp601583.patch
      + 0006-network-interface-enumeration.patch
      + 0007-gnome-updates.patch
  * debian/patches/0006-testsuite-fixes.patch: testsuite fixes from head
    of 2.5 branch. These are needed for QRT and SRU testing (LP: #652211)
  * debian/patches/0007-honor-cflags.patch: have the parser makefile honor
    CFLAGS environment variable. Brings back missing symbols for the retracer
  * debian/patches/0008-lp652674.patch: fix warnings for messages without
    denied or requested masks (LP: #652674)
  * debian/apparmor.init: fix path to aa-status (LP: #654841)
  * debian/apport/source_apparmor.py: apport hook should use
    root_command_hook() for running apparmor_status (LP: #655529)
  * debian/apport/source_apparmor.py: use ProcKernelCmdline and don't clobber
    cmdline details (LP: #657091)
  * debian/{rules,control}: move apache2 abstractions into the base package
    so we can put ...