[SRU] - fixes for apparmor on noble

Status changed to 'Confirmed' because the bug affects multiple users.

I have just uploaded apparmor 4.0.1-0ubuntu0.24.04.1 from georgiag's PPA to noble - it is sitting in the unapproved queue.

Please forgive me as I am unfamiliar with Ubuntu's release process.

What are the next steps to releasing this fix? And how soon could it appear in the normal distribution?

@smoelius:

If you are interested in learning more of the processes, you can read about it at https://wiki.ubuntu.com/StableReleaseUpdates

To summarize the upload is at step 4 of the procedures. It has been uploaded but has not been promoted to the -proposed pocket. Once it has been accepted it will be in the -proposed pocket for a minimum of 7 days, the absolute earliest this SRU could land in updates is mid next week, but it will likely take a little longer.

It is available earlier either through the ppa (https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-sru), or the -proposed pocket (user opt in by enabling proposed) once promoted.

@jjohansen Thank you very much for your detailed explanation!

> add profile for bwrap utility

Please check that this doesn't make `flatpak run --unshare=network $APP_ID` regress.

Explanation:

Some Flatpak apps (the ones that have no legitimate reason to use networking) have `--unshare=network` by default, as a way to prevent them from contacting the internet if they are malicious or compromised. This sandboxing feature requires bwrap to use CAP_NET_ADMIN to bring up a loopback device inside the new network namespace, before it drops privileges and executes the actual sandboxed code. Otherwise, there would be no `lo` device and no 127.0.0.1 or ::1, breaking apps' reasonable expectations.

Many apps *normally* allow networking, but they can all be run with `--unshare=network` to force the no-network code path, for example `flatpak run --unshare=network org.gnome.Recipes`. Of course, some or all features of the app will not work when run like this, but it should at least start.

I'm hoping that either the new bwrap profile allows this, or the flatpak profile (previously added) takes precedence and allows CAP_NET_ADMIN to be used (briefly!) during the switch from the TCB to the sandboxed environment.

Hi Simon,

The use of --unshare=network does not cause a regression with the bwrap profile.
This is the full profile: https://gitlab.com/apparmor/apparmor/-/blob/aa74b9b12d9ed55909489403a0c2514b9ea6a95f/profiles/apparmor/profiles/extras/bwrap-userns-restrict

If you look at the bwrap profile itself, you can see that it allows the use of all capabilities, but that on execs, it transitions to a profile that does not allow capabilities. That's bwrap can, briefly, use CAP_NET_ADMIN.

profile bwrap /usr/bin/bwrap ... {
  allow capability,
  ...
  allow px /** -> bwrap//&unpriv_bwrap,
}

To be clear, I tested `flatpak run --unshare=network org.gnome.Recipes` specifically and it worked as expected.

It shouldn't but we do need to make sure it works.

Previously flatpak was getting around the bwrap restriction by using the flatpak unconfined profile. But the unconfined profile uses pix which means it will now use the bwrap profile, when calling bwrap.

If this does cause breakage we will need to move flatpak to using just ix when calling bwrap.

@smcv: do you have a specific app in mind to test.

An upload of apparmor to noble-proposed has been rejected from the upload queue for the following reason: "dpkg-source: warning: diff 'apparmor-4.0.1/debian/patches/ubuntu/profiles-fix-wike-profile-location-to-apparmor.d.patch' doesn't contain any patch - you can't rename files in a diff!".

Ok, I've reviewed the upload in the queue. I've rejected it, as one of the patches was broken, but apart from that the diff looks OK (although there's a *lot* of it, most of it is removal of autogenerated autoconf stuff).

If we're going to use just this bug for verification, please update the other bugs making it clear that they don't need to be verified as per https://wiki.ubuntu.com/StableReleaseUpdates#Bug_references_in_changelogs

Also, it looks like the verification test plan needs to be augmented? From the above discussion there seems to be a requirement to test some specific bubblewrap functionality, which should be added to the test plan.

Although, since it seems like the wike fix was accidentally not applied, maybe we should also test to ensure that the new profiles work, at least the more important applications?

Thanks for reviewing, Chris. I have updated the test plan with your suggestions, and I also updated the ppa containing a new version of the package with the wike profile location fixed. I'll also make sure to comment on the bugs in the changelog that verification is not required.