octavia-diskimage-retrofit unit fails CIS hardening rule "Ensure all AppArmor Profiles are enforcing"

The profiles in complain mode come from the 0.9.x version of the `octavia-diskimage-retrofit` snap used by the currently released charm.

The upcoming charm on the latest/edge channel uses the 1.0/stable version of the `octavia-diskimage-retrofit` snap which has been granted classic confinement.

Would it be possible for you to check again using the charm from latest/edge and snap from 1.0/stable?

hi @fnordahl, I deployed octavia-diskimage-retrofit from channel latest/edge, which bings the octavia-diskimage-retrofit snap version 1.0.0. But I can still see the profiles in complain mode.

ubuntu@juju-18876a-3-lxd-9:~$ sudo aa-status | grep -A2 'profiles are in complain mode'
2 profiles are in complain mode.
   snap.octavia-diskimage-retrofit.hook.install
   snap.octavia-diskimage-retrofit.octavia-diskimage-retrofit

ubuntu@juju-18876a-3-lxd-9:~$ snap info octavia-diskimage-retrofit
name: octavia-diskimage-retrofit
summary: Turn stock cloud image into Octavia Amphora image
publisher: Canonical✓
store-url: https://snapcraft.io/octavia-diskimage-retrofit
license: unset
description: |
  The purpose of this tool is to take a stock Ubuntu Cloud Image,
  apply OpenStack Diskimage-builder elements from OpenStack Octavia,
  to retrofit the image so that it is suitable for use as Octavia HAProxy
  amphora.

  Example Usage:

      sudo snap install --classic octavia-diskimage-retrofit
      cd /var/snap/octavia-diskimage-retrofit/common/tmp
      wget https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img
      sudo octavia-diskimage-retrofit \
          jammy-server-cloudimg-amd64.img \
          ubuntu-amphora-haproxy-amd64.qcow2

  **NOTE** The tool will use KVM acceleration when available.
commands:
  - octavia-diskimage-retrofit
snap-id: yCj6FSPhvWd5NavdyOTtbtN62zpMt6HZ
tracking: 1.0/stable
refresh-date: today at 14:38 UTC
channels:
  latest/stable: –
  latest/candidate: –
  latest/beta: 0.9.12 2021-07-16 (236) 185MB devmode
  latest/edge: 1.0.0+git1.g6de2a47 2022-09-07 (331) 277MB classic
  1.0/stable: 1.0.0 2022-09-06 (322) 277MB classic
  1.0/candidate: ↑
  1.0/beta: ↑
  1.0/edge: 1.0.0 2022-09-06 (322) 277MB classic
installed: 1.0.0 (322) 277MB classic

$ juju status octavia-diskimage-retrofit | grep latest
octavia-diskimage-retrofit 1.0.0 active 1 octavia-diskimage-retrofit latest/edge 63 no Unit is ready

It is also not possible to retrofit the image with octavia-diskimage-retrofit snap from 1.0/stable channel, see bug https://bugs.launchpad.net/snap-octavia-diskimage-retrofit/+bug/1993266.

Great, thank you for checking.

So looking further into this, it is expected that a classically confined snap will have its apparmor profiles set to complain mode.

There is nothing to be done with this until the reason for classic confinement has been fixed by implementation of the missing interfaces in snapd.

The reasoning behind that can be found here:
https://forum.snapcraft.io/t/classic-confinement-for-octavia-diskimage-retrofit/28355