[FFe] new apparmor features for 3.0.7

Bug #1989309 reported by Alex Murray
Affects: apparmor (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: none

Bug Description

We propose two new features for AppArmor 3.0.7:

1. parser support for user namespace mediation.

Since the last kernel update with commit https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/kinetic/commit/?h=master-next&id=30bce26855c9171f8dee74d93308fd506730c914
Ubuntu 22.10 mediates user namespaces, which allows confined applications to have unprivileged user namespace creation instead of disabling it completely.
If we want applications to have this ability, then we need to add support in the parser, which is the feature we are introducing. Bug 1990064 is an example caused by this.

2. userspace support for posix message queue mediation

The kernel also has POSIX message queue mediation with commit https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/kinetic/commit/?h=master-next&id=44f28e2ccee2000c7da971876dd003d38a8232d8, which means that if admins want to allow legitimate use of POSIX message queues, they will need support in the userspace tools.

We are also adding a fix for Bug 1990692, which brings the AppArmor profiles for samba up to date with upstream.

TESTING

This has been extensively tested by the security team - this includes
following the documented Ubuntu merges test plan[1] for AppArmor and the
extensive QA Regression Tests[2] for AppArmor as well. This ensures that
the various applications that make heavy use of AppArmor (LXD, docker,
lxc, dbus, libvirt, snapd etc) have all been exercised and no regressions
have been observed. All tests have passed and demonstrated both apparmor
and the various applications that use it to be working as expected.

BUILD LOGS

This is currently uploaded to https://launchpad.net/~georgiag/+archive/ubuntu/apparmor-kinetic-ffe, build logs can be found on
Launchpad at:
https://launchpad.net/~georgiag/+archive/ubuntu/test2/+build/24518253 for amd64

DEBDIFF

The debdiff can be found in the PPA: https://launchpadlibrarian.net/626954017/apparmor_3.0.7-1ubuntu1_3.0.7-1ubuntu2.diff.gz

INSTALL / UPGRADE LOG

The apt upgrade log is attached in:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+attachment/5620824/+files/apparmor-3.0.7-1ubuntu2-apt-upgrade.log

[1] https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
[2] https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py
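Added example, not part of the bug report and not code shipped by the Ubuntu or AppArmor projects: a profile fragment showing the two rule types the patched parser has to understand, written in the rule syntax documented upstream in apparmor.d(5) for user namespace and POSIX message queue mediation. The program path (/usr/local/bin/mq-worker) and the queue names are assumptions for illustration.

```apparmor
# Added example, not from the bug report. Program path and queue
# names are assumed for illustration.
include <tunables/global>

/usr/local/bin/mq-worker {
  include <abstractions/base>

  # User namespace mediation: on a kernel that mediates user
  # namespaces, a confined process calling unshare(2) or clone(2) with
  # CLONE_NEWUSER is denied unless the profile grants it. Grant this
  # only to programs that genuinely need an unprivileged user namespace.
  userns create,

  # POSIX message queue mediation: an mqueue rule carries the access
  # permissions, the queue type and the queue name. Let this program
  # create, use and remove its own queue ...
  mqueue (create, open, read, write, getattr, setattr, delete) type=posix /mq-worker,

  # ... and only receive from a shared queue. Queues not listed here
  # stay denied, and the kernel logs the denial.
  mqueue r type=posix /mq-shared,
}
```

Without the parser change in this FFe, both rule types are rejected as syntax errors, so the only way to keep a confined application working was the policy-wide workaround of not confining it. After installing the patched package, load the profile with `apparmor_parser -r` on the profile file and watch the kernel log for remaining denials while exercising the program.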

Alex Murray (alexmurray)
summary: - [FFe] apparmor 3.1.0 upstream release
+ [FFe] apparmor 3.1.1 upstream release
Alex Murray (alexmurray) wrote : Re: [FFe] apparmor 3.1.1 upstream release
description: updated
description: updated
description: updated
Alex Murray (alexmurray) wrote :
description: updated
Łukasz Zemczak (sil2100) wrote :

The generated changelog for this release is quite big, so it's not really easily parseable. Do you know of any bigger/important features that are part of this apparmor release? It would be nice to at least have an overview of how many 'new' things are in there, compared to the huge set of fixes.

Changed in apparmor (Ubuntu):
status: New → Incomplete
John Johansen (jjohansen) wrote :

As you say, there are many new things in there. At this point it's probably better to just land the two things we care about:

1. posix ipc mediation
2. user namespace mediation

on top of the existing 3.0.7. That would give us a clear set of important features, with a well-defined set of patches instead of the big 3.1.1 blob.

summary: - [FFe] apparmor 3.1.1 upstream release
+ [FFe] new apparmor features for 3.0.7
Georgia Garcia (georgiag) wrote :
description: updated
Georgia Garcia (georgiag) wrote :

I updated the description and PPAs to reflect what we are hoping to land: patches on top of 3.0.7 instead of a new 3.1.1 release.

Graham Inggs (ginggs)
Changed in apparmor (Ubuntu):
status: Incomplete → New
Utkarsh Gupta (utkarsh)
description: updated
Utkarsh Gupta (utkarsh) wrote :

Hi Georgia,

Thanks for working through this. Patches on top of 3.0.7 instead of a new 3.1.1 release definitely sounds much better. The debdiff was not pasted correctly; I fixed that. :)

Looking through the diff: whilst it's long, the contents make sense and are reasonable. So this looks good for FFe. However, please wait for the official release team member's ACK before the upload.

P.S: I hope you're going to take care if there's any fallout as a consequence of the upload. :)

Graham Inggs (ginggs) wrote :

Thanks Utkarsh. I agree this looks good, FFe granted.

Changed in apparmor (Ubuntu):
status: New → Triaged
Graham Inggs (ginggs) wrote :

Georgia, please also close this bug (LP: #1989309) in debian/changelog when you upload.

Utkarsh Gupta (utkarsh) wrote :

I've sponsored this package for Georgia:

Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading apparmor_3.0.7-1ubuntu2.dsc: done.
  Uploading apparmor_3.0.7.orig.tar.gz: done.
  Uploading apparmor_3.0.7.orig.tar.gz.asc: done.
  Uploading apparmor_3.0.7-1ubuntu2.debian.tar.xz: done.
  Uploading apparmor_3.0.7-1ubuntu2_source.buildinfo: done.
  Uploading apparmor_3.0.7-1ubuntu2_source.changes: done.
Successfully uploaded packages.

Changed in apparmor (Ubuntu):
status: Triaged → Fix Released