[SRU] - fixes for apparmor on noble

Status changed to 'Confirmed' because the bug affects multiple users.

I have just uploaded apparmor 4.0.1-0ubuntu0.24.04.1 from georgiag's PPA to noble - it is sitting in the unapproved queue.

Please forgive me as I am unfamiliar with Ubuntu's release process.

What are the next steps to releasing this fix? And how soon could it appear in the normal distribution?

@smoelius:

If you are interested in learning more of the processes, you can read about it at https://wiki.ubuntu.com/StableReleaseUpdates

To summarize the upload is at step 4 of the procedures. It has been uploaded but has not been promoted to the -proposed pocket. Once it has been accepted it will be in the -proposed pocket for a minimum of 7 days, the absolute earliest this SRU could land in updates is mid next week, but it will likely take a little longer.

It is available earlier either through the ppa (https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-sru), or the -proposed pocket (user opt in by enabling proposed) once promoted.

@jjohansen Thank you very much for your detailed explanation!

> add profile for bwrap utility

Please check that this doesn't make `flatpak run --unshare=network $APP_ID` regress.

Explanation:

Some Flatpak apps (the ones that have no legitimate reason to use networking) have `--unshare=network` by default, as a way to prevent them from contacting the internet if they are malicious or compromised. This sandboxing feature requires bwrap to use CAP_NET_ADMIN to bring up a loopback device inside the new network namespace, before it drops privileges and executes the actual sandboxed code. Otherwise, there would be no `lo` device and no 127.0.0.1 or ::1, breaking apps' reasonable expectations.

Many apps *normally* allow networking, but they can all be run with `--unshare=network` to force the no-network code path, for example `flatpak run --unshare=network org.gnome.Recipes`. Of course, some or all features of the app will not work when run like this, but it should at least start.

I'm hoping that either the new bwrap profile allows this, or the flatpak profile (previously added) takes precedence and allows CAP_NET_ADMIN to be used (briefly!) during the switch from the TCB to the sandboxed environment.

Hi Simon,

The use of --unshare=network does not cause a regression with the bwrap profile.
This is the full profile: https://gitlab.com/apparmor/apparmor/-/blob/aa74b9b12d9ed55909489403a0c2514b9ea6a95f/profiles/apparmor/profiles/extras/bwrap-userns-restrict

If you look at the bwrap profile itself, you can see that it allows the use of all capabilities, but that on execs, it transitions to a profile that does not allow capabilities. That's bwrap can, briefly, use CAP_NET_ADMIN.

profile bwrap /usr/bin/bwrap ... {
  allow capability,
  ...
  allow px /** -> bwrap//&unpriv_bwrap,
}

To be clear, I tested `flatpak run --unshare=network org.gnome.Recipes` specifically and it worked as expected.

It shouldn't but we do need to make sure it works.

Previously flatpak was getting around the bwrap restriction by using the flatpak unconfined profile. But the unconfined profile uses pix which means it will now use the bwrap profile, when calling bwrap.

If this does cause breakage we will need to move flatpak to using just ix when calling bwrap.

@smcv: do you have a specific app in mind to test.

An upload of apparmor to noble-proposed has been rejected from the upload queue for the following reason: "dpkg-source: warning: diff 'apparmor-4.0.1/debian/patches/ubuntu/profiles-fix-wike-profile-location-to-apparmor.d.patch' doesn't contain any patch - you can't rename files in a diff!".

Ok, I've reviewed the upload in the queue. I've rejected it, as one of the patches was broken, but apart from that the diff looks OK (although there's a *lot* of it, most of it is removal of autogenerated autoconf stuff).

If we're going to use just this bug for verification, please update the other bugs making it clear that they don't need to be verified as per https://wiki.ubuntu.com/StableReleaseUpdates#Bug_references_in_changelogs

Also, it looks like the verification test plan needs to be augmented? From the above discussion there seems to be a requirement to test some specific bubblewrap functionality, which should be added to the test plan.

Although, since it seems like the wike fix was accidentally not applied, maybe we should also test to ensure that the new profiles work, at least the more important applications?

Thanks for reviewing, Chris. I have updated the test plan with your suggestions, and I also updated the ppa containing a new version of the package with the wike profile location fixed. I'll also make sure to comment on the bugs in the changelog that verification is not required.

Hello Georgia, or anyone else affected,

Accepted apparmor into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apparmor/4.0.1-0ubuntu0.24.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-noble to verification-done-noble. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-noble. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

@raof I've installed the proposed package, and so far it seems to be working. Thank you!

(Apologies if you receive telemetry, and this message is just spam.)

On a clean install of 24.04 with Ubuntu (gnome) desktop. Updated as of June 27, 24.04.

0. Enabled proposed, updated, upgrade and installed apparmor packages via

$ sudo apt install apparmor apparmor-profiles apparmor-utils libapparmor-dev libapparmor1 libpam-apparmor python3-apparmor python3-libapparmor -t noble-proposed

Full test plan executed for Ubuntu Desktop, Kubuntu Desktop, Budgie Desktop,

[ Test Plan ]

Test QA Regression Testing

The final test output was:

----------------------------------------------------------------------
Ran 62 tests in 903.834s

OK (skipped=3)

$ apt policy apparmor
apparmor:
  Installed: 4.0.1-0ubuntu0.24.04.2
  Candidate: 4.0.1-0ubuntu0.24.04.2
  Version table:
 *** 4.0.1-0ubuntu0.24.04.2 100
        100 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     4.0.0-beta3-0ubuntu3 500
        500 http://us.archive.ubuntu.com/ubuntu noble/main amd64 Packages

Run additional tests:

1. test wike$ apt policy apparmor
apparmor:
  Installed: 4.0.1-0ubuntu0.24.04.2
  Candidate: 4.0.1-0ubuntu0.24.04.2
  Version table:
 *** 4.0.1-0ubuntu0.24.04.2 100
        100 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     4.0.0-beta3-0ubuntu3 500
        500 http://us.archive.ubuntu.com/ubuntu noble/main amd64 Packages

run from terminal, works with no apparmor rejections
run from gnome activities, works no apparmor rejections

2. test foliate
run from terminal, works with no apparmor rejections
run from gnome activities, works with no apparmor rejections

3. test transmission
run from terminal, works with no apparmor rejections
run from gnome activites, works with no apparmor rejections

4. test bwrap

4.1 setzer
run from terminal, works with no apparmor rejections
run from gnome activites, works with no apparmor rejections

4.2 flatpak gnome.recepieces
works as expected

In addition to the test plan using the gnome desktop, the Kubuntu, and Budgie desktop were brought up and tested. To ensure no regressions, around widgets (), applications or previously reported bugs.

See https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844 for tracked list of applications. See next comment for results from testing each application.

Thanks for the verification, John. I updated the tags based on the results of your tests.

List of Applications tested for regression

Tellico
Supercollider
steam
rssguard
qutebrowser
qmapshack
plasma-welcome
plasma-desktop
pageedit
opam
notepadqq
marble
loupe
kontact
konqueror
kmail
kgeotag
kdeplasma-addons
kchmviewer
kalgebra
goldendict-webengine
ghostwriter
foliate
geary
firefox snap
falkon
evolution
epiphany-browser
digikam
devhelp
cantor

Test Environment 1: kvm virtual machine, clean 24.04 install, updated, then proposed enabled.

Test Environment 2: x86 laptop with nvidia graphics, upgraded to 24.04, updated, then proposed enabled.

Test plan fully executed on both environments.

Notes:
kde, budgie, and kapps: only tested in environment 1

steam: only tested on environment 2.

This bug was fixed in the package apparmor - 4.0.1-0ubuntu0.24.04.2

---------------
apparmor (4.0.1-0ubuntu0.24.04.2) noble; urgency=medium

  [Georgia Garcia]
  * New upstream release. (LP: #2064672)
  * Refresh
    - d/p/u/parser-add-support-for-prompting.patch
      - Add condition in policydb serialization to only encode xtable if
      kernel_supports_permstable32
  * Add patch to add balena-etcher profile (LP: #2046844)
    - d/p/u/profiles-add-unconfined-balena-etcher-profile.patch
  * Fix d/p/u/userns-runtime-disable.patch to work when
    kernel.apparmor_restrict_unprivileged_userns does not exist by adding
    -e to sysctl.
  * d/apparmor.install
    - install new profiles
      - wike - changed installation from apparmor to apparmor.d
      - foliate
      - balena-etcher
      - transmission

  [Alex Murray]
  * Add upstream patch to relax mount rules to fix use of virtiofs and
    other file-system types
    - d/p/u/mountrule-relaxing-constraints-on-fstype.patch
  * Remove patches which got dropped from quilt series earlier
    - d/p/u/parser-support-uin128_t-key-as-a-pair-of-uint64_t-nu.patch
    - d/p/u/Minor-improvements-for-MountRule.patch
  * d/control: Remove obsolete lsb-base Depends and swap pkg-config to
    pkgconf for Build-Depends

apparmor (4.0.0-beta4-0ubuntu1) noble; urgency=medium

  * New upstream release.
    (LP: #2046844, LP: #2060100, LP: #2056297)
  * Refresh
    - d/p/u/samba-systemd-interaction.patch
  * Drop patches which have now been applied updatea
    - d/p/u/parser-fix-issues-appointed-by-coverity.patch
    - d/p/u/profiles-add-unconfined-profile-for-tuxedo-control-c.patch
  * Add patch to enable bwrap profile
    - d/p/u/enable-bwrap-profile.patch
      (LP: #2046844, LP: #2065708)
  * d/apparmor.install
    - install new profile
      - bwrap-userns-restrict
  * d/apparmor-profiles.install
    - install new profile
      - unshare-userns-restrict

 -- Georgia Garcia <email address hidden> Tue, 30 Apr 2024 14:12:01 -0300

The verification of the Stable Release Update for apparmor has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

A regression caused by this update has been reported in bug 2072811. If found to be valid, we may revert the fix shortly. If you are or would be affected, your participation in the regression bug would be appreciated.

The regression is caused by
  d/p/u/enable-bwrap-profile.patch

the bwrap profile is interacting with flatpak, and snapd. The d/p/u/enable-bwrap-profile.patch will need to be dropped, when the 4.0.1 SRU is redone.

The bwrap, flatpak and snapd will need updates to enable bwrap to be used by regular users. Since this change is now known to have potential breakage it should be isolated to its own SRU where it is the only change, allowing easier testing and easier revert knowing it is the only moving piece.

Thanks. When the bwrap profile SRU is attempted again, I'd like the Test Plan reconsidered please to ensure that we catch the class of regression that occurred.

On this SRU, before resubmitting it with the bwrap change removed, please revise the Test Plan to ensure that all necessary steps are included so that other developers can run it without problems. As discussed on IRC earlier, I was not able to do this!

Reopening as the change introduced to fix this bug has been reverted.

I have updated the description with the information of the SRU version 4.0.1really4.0.1-0ubuntu0.24.04.3
The Test Plan is updated with detailed instructions and I also added an analysis of why the regression happened for the previous SRU. Note that since we have removed the enablement by default of the bwrap profile, some applications are still not going to work properly, which is the case for setzer in the test plan. A fix was already merged upstream [1] and will be present in a later 4.0.2 SRU.

[1] https://gitlab.com/apparmor/apparmor/-/merge_requests/1272

To clarify on the statement from @georgiag above - "some applications are still not going to work properly" means that some applications *which currently do not work on Ubuntu 24.04 with the current version of apparmor in the archive (4.0.1really4.0.0-beta3-0ubuntu0.1)* are still not going to work properly. ie. this is not a regression from the current behaviour.

I have reviewed the proposed update and ran both the qa-regression-tests and autopkgtests locally and it looks good to me (other than a minor typo in the debian/changelog - s/updatea/upstream/) - I have uploaded it to the unapproved queue for review by the SRU team. Thanks for all your help with this @rbasak.