[SRU] - fixes for apparmor on noble

Status changed to 'Confirmed' because the bug affects multiple users.

I have just uploaded apparmor 4.0.1-0ubuntu0.24.04.1 from georgiag's PPA to noble - it is sitting in the unapproved queue.

Please forgive me as I am unfamiliar with Ubuntu's release process.

What are the next steps to releasing this fix? And how soon could it appear in the normal distribution?

@smoelius:

If you are interested in learning more of the processes, you can read about it at https://wiki.ubuntu.com/StableReleaseUpdates

To summarize the upload is at step 4 of the procedures. It has been uploaded but has not been promoted to the -proposed pocket. Once it has been accepted it will be in the -proposed pocket for a minimum of 7 days, the absolute earliest this SRU could land in updates is mid next week, but it will likely take a little longer.

It is available earlier either through the ppa (https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-sru), or the -proposed pocket (user opt in by enabling proposed) once promoted.

@jjohansen Thank you very much for your detailed explanation!

> add profile for bwrap utility

Please check that this doesn't make `flatpak run --unshare=network $APP_ID` regress.

Explanation:

Some Flatpak apps (the ones that have no legitimate reason to use networking) have `--unshare=network` by default, as a way to prevent them from contacting the internet if they are malicious or compromised. This sandboxing feature requires bwrap to use CAP_NET_ADMIN to bring up a loopback device inside the new network namespace, before it drops privileges and executes the actual sandboxed code. Otherwise, there would be no `lo` device and no 127.0.0.1 or ::1, breaking apps' reasonable expectations.

Many apps *normally* allow networking, but they can all be run with `--unshare=network` to force the no-network code path, for example `flatpak run --unshare=network org.gnome.Recipes`. Of course, some or all features of the app will not work when run like this, but it should at least start.

I'm hoping that either the new bwrap profile allows this, or the flatpak profile (previously added) takes precedence and allows CAP_NET_ADMIN to be used (briefly!) during the switch from the TCB to the sandboxed environment.

Hi Simon,

The use of --unshare=network does not cause a regression with the bwrap profile.
This is the full profile: https://gitlab.com/apparmor/apparmor/-/blob/aa74b9b12d9ed55909489403a0c2514b9ea6a95f/profiles/apparmor/profiles/extras/bwrap-userns-restrict

If you look at the bwrap profile itself, you can see that it allows the use of all capabilities, but that on execs, it transitions to a profile that does not allow capabilities. That's bwrap can, briefly, use CAP_NET_ADMIN.

profile bwrap /usr/bin/bwrap ... {
  allow capability,
  ...
  allow px /** -> bwrap//&unpriv_bwrap,
}

To be clear, I tested `flatpak run --unshare=network org.gnome.Recipes` specifically and it worked as expected.

It shouldn't but we do need to make sure it works.

Previously flatpak was getting around the bwrap restriction by using the flatpak unconfined profile. But the unconfined profile uses pix which means it will now use the bwrap profile, when calling bwrap.

If this does cause breakage we will need to move flatpak to using just ix when calling bwrap.

@smcv: do you have a specific app in mind to test.

An upload of apparmor to noble-proposed has been rejected from the upload queue for the following reason: "dpkg-source: warning: diff 'apparmor-4.0.1/debian/patches/ubuntu/profiles-fix-wike-profile-location-to-apparmor.d.patch' doesn't contain any patch - you can't rename files in a diff!".

Ok, I've reviewed the upload in the queue. I've rejected it, as one of the patches was broken, but apart from that the diff looks OK (although there's a *lot* of it, most of it is removal of autogenerated autoconf stuff).

If we're going to use just this bug for verification, please update the other bugs making it clear that they don't need to be verified as per https://wiki.ubuntu.com/StableReleaseUpdates#Bug_references_in_changelogs

Also, it looks like the verification test plan needs to be augmented? From the above discussion there seems to be a requirement to test some specific bubblewrap functionality, which should be added to the test plan.

Although, since it seems like the wike fix was accidentally not applied, maybe we should also test to ensure that the new profiles work, at least the more important applications?

Thanks for reviewing, Chris. I have updated the test plan with your suggestions, and I also updated the ppa containing a new version of the package with the wike profile location fixed. I'll also make sure to comment on the bugs in the changelog that verification is not required.

Hello Georgia, or anyone else affected,

Accepted apparmor into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apparmor/4.0.1-0ubuntu0.24.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-noble to verification-done-noble. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-noble. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

@raof I've installed the proposed package, and so far it seems to be working. Thank you!

(Apologies if you receive telemetry, and this message is just spam.)

On a clean install of 24.04 with Ubuntu (gnome) desktop. Updated as of June 27, 24.04.

0. Enabled proposed, updated, upgrade and installed apparmor packages via

$ sudo apt install apparmor apparmor-profiles apparmor-utils libapparmor-dev libapparmor1 libpam-apparmor python3-apparmor python3-libapparmor -t noble-proposed

Full test plan executed for Ubuntu Desktop, Kubuntu Desktop, Budgie Desktop,

[ Test Plan ]

Test QA Regression Testing

The final test output was:

----------------------------------------------------------------------
Ran 62 tests in 903.834s

OK (skipped=3)

$ apt policy apparmor
apparmor:
  Installed: 4.0.1-0ubuntu0.24.04.2
  Candidate: 4.0.1-0ubuntu0.24.04.2
  Version table:
 *** 4.0.1-0ubuntu0.24.04.2 100
        100 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     4.0.0-beta3-0ubuntu3 500
        500 http://us.archive.ubuntu.com/ubuntu noble/main amd64 Packages

Run additional tests:

1. test wike$ apt policy apparmor
apparmor:
  Installed: 4.0.1-0ubuntu0.24.04.2
  Candidate: 4.0.1-0ubuntu0.24.04.2
  Version table:
 *** 4.0.1-0ubuntu0.24.04.2 100
        100 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     4.0.0-beta3-0ubuntu3 500
        500 http://us.archive.ubuntu.com/ubuntu noble/main amd64 Packages

run from terminal, works with no apparmor rejections
run from gnome activities, works no apparmor rejections

2. test foliate
run from terminal, works with no apparmor rejections
run from gnome activities, works with no apparmor rejections

3. test transmission
run from terminal, works with no apparmor rejections
run from gnome activites, works with no apparmor rejections

4. test bwrap

4.1 setzer
run from terminal, works with no apparmor rejections
run from gnome activites, works with no apparmor rejections

4.2 flatpak gnome.recepieces
works as expected

In addition to the test plan using the gnome desktop, the Kubuntu, and Budgie desktop were brought up and tested. To ensure no regressions, around widgets (), applications or previously reported bugs.

See https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844 for tracked list of applications. See next comment for results from testing each application.