2023-08-22 05:35:03 |
Alex Murray |
bug |
|
|
added bug |
2023-08-22 05:35:14 |
Alex Murray |
affects |
ubuntu |
apparmor (Ubuntu) |
|
2023-08-22 05:37:40 |
Alex Murray |
description |
As per the spec documented at https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626 the Security team is enhancing AppArmor to allow the use of unprivileged user namespaces to be restricted to only those packages which require this.
This change requires changes both in AppArmor within the kernel and in the apparmor package in the Ubuntu archive, to ensure it supports the new syntax required.
This has been extensively tested via the AppArmor regression test script in the QA Regression Testing repo: https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py
This script runs various tests against the installed apparmor package, as well as building and running the various upstream regression and other test suites against this installed package:
- https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads
- https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads
- https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads
- https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads |
As per the spec documented at https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626 the Security team is enhancing AppArmor to allow the use of unprivileged user namespaces to be restricted to only those packages which require this.
This change requires changes both in AppArmor within the kernel and in the apparmor package in the Ubuntu archive, to ensure it supports the new syntax required.
This has been extensively tested via the AppArmor regression test script in the QA Regression Testing repo: https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py
This script runs various tests against the installed apparmor package, as well as building and running the various upstream regression and other test suites against this installed package:
- https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads
- https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads
- https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads
- https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads
The package can be found in https://launchpad.net/~alexmurray/+archive/ubuntu/apparmor-4.0.0-alpha2-for-mantic
This includes build logs etc (e.g. for amd64 this is found at https://launchpad.net/~alexmurray/+archive/ubuntu/apparmor-4.0.0-alpha2-for-mantic/+build/26527127)
Note there is no ChangeLog file in upstream apparmor so instead I am attaching the git history between the current version of apparmor in mantic (3.0.8) and 4.0.0-alpha2. |
|
2023-08-22 05:38:19 |
Alex Murray |
attachment added |
|
ChangeLog https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2032602/+attachment/5693734/+files/ChangeLog |
|
2023-08-22 05:38:58 |
Alex Murray |
bug |
|
|
added subscriber Ubuntu Release Team |
2023-08-22 05:49:44 |
Alex Murray |
attachment added |
|
apt-dist-upgrade-log.txt https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2032602/+attachment/5693735/+files/apt-dist-upgrade-log.txt |
|
2023-08-22 06:32:05 |
Alex Murray |
description |
As per the spec documented at https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626 the Security team is enhancing AppArmor to allow the use of unprivileged user namespaces to be restricted to only those packages which require this.
This change requires changes both in AppArmor within the kernel and in the apparmor package in the Ubuntu archive, to ensure it supports the new syntax required.
This has been extensively tested via the AppArmor regression test script in the QA Regression Testing repo: https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py
This script runs various tests against the installed apparmor package, as well as building and running the various upstream regression and other test suites against this installed package:
- https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads
- https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads
- https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads
- https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads
The package can be found in https://launchpad.net/~alexmurray/+archive/ubuntu/apparmor-4.0.0-alpha2-for-mantic
This includes build logs etc (e.g. for amd64 this is found at https://launchpad.net/~alexmurray/+archive/ubuntu/apparmor-4.0.0-alpha2-for-mantic/+build/26527127)
Note there is no ChangeLog file in upstream apparmor so instead I am attaching the git history between the current version of apparmor in mantic (3.0.8) and 4.0.0-alpha2. |
As per the spec documented at https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626 the Security team is enhancing AppArmor to allow the use of unprivileged user namespaces to be restricted to only those packages which require this.
This change requires changes both in AppArmor within the kernel and in the apparmor package in the Ubuntu archive, to ensure it supports the new syntax required.
This has been extensively tested via the AppArmor regression test script in the QA Regression Testing repo: https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py
This script runs various tests against the installed apparmor package, as well as building and running the various upstream regression and other test suites against this installed package:
- https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads
- https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads
- https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads
- https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads
The package can be found in https://launchpad.net/~alexmurray/+archive/ubuntu/apparmor-4.0.0-alpha2-for-mantic
This includes build logs etc (e.g. for amd64 this is found at https://launchpad.net/~alexmurray/+archive/ubuntu/apparmor-4.0.0-alpha2-for-mantic/+build/26527127)
Note there is no ChangeLog file in upstream apparmor so instead I am attaching the git history between the current version of apparmor in mantic (3.0.8) and 4.0.0-alpha2.
Also note that this new version of apparmor does not actually enable the user namespace restriction yet - that is planned for a future upload (and hence a future FFe) - however, it lays all the groundwork to enable this, once sufficient testing and integration has been done across the rest of the Ubuntu archive and package ecosystem.
As such, there is no risk of regression at this time due to that change - and the extensive regression testing also supports this conclusion. |
|
2023-08-22 06:57:37 |
Alex Murray |
attachment added |
|
test-apparmor-qrt.log https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2032602/+attachment/5693745/+files/test-apparmor-qrt.log |
|
2023-08-23 05:20:42 |
Alex Murray |
attachment added |
|
apparmor_4.0.0~alpha2-0ubuntu1_amd64.build https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2032602/+attachment/5694054/+files/apparmor_4.0.0~alpha2-0ubuntu1_amd64.build |
|
2023-08-23 05:21:35 |
Alex Murray |
attachment added |
|
ChangeLog.txt https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2032602/+attachment/5694055/+files/ChangeLog.txt |
|
2023-08-23 06:37:30 |
Alex Murray |
description |
As per the spec documented at https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626 the Security team is enhancing AppArmor to allow the use of unprivileged user namespaces to be restricted to only those packages which require this.
This change requires changes both in AppArmor within the kernel and in the apparmor package in the Ubuntu archive, to ensure it supports the new syntax required.
This has been extensively tested via the AppArmor regression test script in the QA Regression Testing repo: https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py
This script runs various tests against the installed apparmor package, as well as building and running the various upstream regression and other test suites against this installed package:
- https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads
- https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads
- https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads
- https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads
The package can be found in https://launchpad.net/~alexmurray/+archive/ubuntu/apparmor-4.0.0-alpha2-for-mantic
This includes build logs etc (e.g. for amd64 this is found at https://launchpad.net/~alexmurray/+archive/ubuntu/apparmor-4.0.0-alpha2-for-mantic/+build/26527127)
Note there is no ChangeLog file in upstream apparmor so instead I am attaching the git history between the current version of apparmor in mantic (3.0.8) and 4.0.0-alpha2.
Also note that this new version of apparmor does not actually enable the user namespace restriction yet - that is planned for a future upload (and hence a future FFe) - however, it lays all the groundwork to enable this, once sufficient testing and integration has been done across the rest of the Ubuntu archive and package ecosystem.
As such, there is no risk of regression at this time due to that change - and the extensive regression testing also supports this conclusion. |
As per the spec documented at https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626 the Security team is enhancing AppArmor to allow the use of unprivileged user namespaces to be restricted to only those packages which require this.
This change requires changes both in AppArmor within the kernel and in the apparmor package in the Ubuntu archive, to ensure it supports the new syntax required.
This has been extensively tested via the AppArmor regression test script in the QA Regression Testing repo: https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py
This script runs various tests against the installed apparmor package, as well as building and running the various upstream regression and other test suites against this installed package:
- https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads
- https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads
- https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads
- https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads
The package can be found in https://launchpad.net/~alexmurray/+archive/ubuntu/apparmor-4.0.0-alpha2-for-mantic-take2
This includes build logs etc (e.g. for amd64 this is found at https://launchpad.net/~alexmurray/+archive/ubuntu/apparmor-4.0.0-alpha2-for-mantic-take2/+build/26530996)
Note there is no ChangeLog file in upstream apparmor so instead I am attaching the git history between the current version of apparmor in mantic (3.0.8) and 4.0.0-alpha2.
Also note that this new version of apparmor does not actually enable the user namespace restriction yet - that is planned for a future upload (and hence a future FFe) - however, it lays all the groundwork to enable this, once sufficient testing and integration has been done across the rest of the Ubuntu archive and package ecosystem.
As such, there is no risk of regression at this time due to that change - and the extensive regression testing also supports this conclusion. |
|
2023-08-23 21:43:32 |
Steve Langasek |
apparmor (Ubuntu): status |
New |
Triaged |
|
2023-08-30 09:08:05 |
Launchpad Janitor |
apparmor (Ubuntu): status |
Triaged |
Fix Released |
|
2023-10-24 16:47:31 |
Ubuntu Kernel Bot |
tags |
|
kernel-spammed-jammy-linux-azure-6.5-v2 verification-needed-jammy-linux-azure-6.5 |
|
2023-10-24 18:22:26 |
Ubuntu Kernel Bot |
tags |
kernel-spammed-jammy-linux-azure-6.5-v2 verification-needed-jammy-linux-azure-6.5 |
kernel-spammed-jammy-linux-aws-6.5-v2 kernel-spammed-jammy-linux-azure-6.5-v2 verification-needed-jammy-linux-aws-6.5 verification-needed-jammy-linux-azure-6.5 |
|