[SRU] - fixes for apparmor on noble

Bug #2064672 reported by Georgia Garcia
This bug affects 3 people
Affects            Status       Importance  Assigned to  Milestone
apparmor (Ubuntu)  In Progress  Undecided   Unassigned
Noble              In Progress  Undecided   Unassigned

Bug Description

[ Impact ]

This SRU has several fixes:

* add unconfined profile for tuxedo-control-center (Bug 2046844)
* fix issues appointed by coverity
* fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386)
* fix redefinition of _ which caused an issue with translation, failing aa-enforce (https://gitlab.com/apparmor/apparmor/-/issues/387)
* add mount test for CVE-2016-1585 (Bug 1597017 and Bug 2023814)
* add network inet mediation documentation to apparmor.d
* fix inet conditionals to only generate rules for inet family (https://gitlab.com/apparmor/apparmor/-/issues/384)
* add unconfined wike profile (Bug 2060810)
* add unconfined foliate profile (Bug 2060767)
* fix chromium_browser profile (https://gitlab.com/apparmor/apparmor/-/merge_requests/1208)
* add profiles for Transmission family of Bittorrent clients
* add profile for unshare utility (Bug 2046844)
* add profile for bwrap utility (Bug 2046844)
* fix unconfined firefox profile to support mozilla.org download (Bug 2056297)
* fix getattr and setattr perm mapping on mqueue rules (https://gitlab.com/apparmor/apparmor/-/issues/377 and https://gitlab.com/apparmor/apparmor/-/issues/378)
* fix inet tests (https://gitlab.com/apparmor/apparmor/-/issues/376)
* fix sshd profile (Bug 2060100)
* fix apparmor tools to allow mount destination globbing (https://gitlab.com/apparmor/apparmor/-/issues/381)
* fix firefox profile (https://gitlab.com/apparmor/apparmor/-/issues/380)
* move pam-related permissions to abstractions/authentication (https://bugzilla.opensuse.org/show_bug.cgi?id=1220032)
* fix condition in policydb serialization to only encode xtable if kernel_supports_permstable32
* relax mount rules in utils to fix use of virtiofs and other file-system types

[ Test Plan ]

* Make sure to reboot after upgrading (Bug 2072811)

This has been extensively tested via the AppArmor regression test
script in the QA Regression Testing repo:
https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py

Steps:
$ git clone https://git.launchpad.net/qa-regression-testing
$ ./scripts/make-test-tarball ./scripts/test-apparmor.py
Copying: test-apparmor.py
Copying: testlib.py
Copying: install-packages
Copying: packages-helper
Copying: apparmor/

Test files: /tmp/qrt-test-apparmor.tar.gz

To run, copy the tarball somewhere, then do:
$ tar -zxf qrt-test-apparmor.tar.gz
$ cd ./qrt-test-apparmor
$ sudo ./install-packages test-apparmor.py
$ ./test-apparmor.py -v

This script runs various tests against the installed apparmor
package, as well as building and running the various upstream
regression and other test suites against this installed package:
  - https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads
  - https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads
  - https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads
  - https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads

The final test output was:

----------------------------------------------------------------------
Ran 62 tests in 1977.045s

OK (skipped=3)

georgia@sec-noble-amd64:~$ apt policy apparmor
apparmor:
  Installed: 4.0.1really4.0.1-0ubuntu0.24.04.3
  Candidate: 4.0.1really4.0.1-0ubuntu0.24.04.3

Run additional tests:

1. Install wike and make sure the wike window opens when executed:
$ sudo apt install wike
$ wike

2. Install foliate, download test epub and make sure it opens as expected:
$ sudo apt install foliate
$ wget https://github.com/daisy/epub-accessibility-tests/releases/download/fundamental-2.0/Fundamental-Accessibility-Tests-Basic-Functionality-v2.0.0.epub
$ foliate Fundamental-Accessibility-Tests-Basic-Functionality-v2.0.0.epub

3. Install transmission and make sure it starts properly:
$ sudo apt install transmission
$ transmission-gtk

4. Test that the bwrap profile is no longer enabled by default:
- Install setzer and it will not open because the bwrap profile is not loaded:
$ sudo apt install setzer
$ setzer

This is not a regression, since it's the current behavior for 4.0.1really4.0.0-beta3-0ubuntu0.1.

- Check if the following flatpak apps still work:
$ sudo apt install flatpak
$ sudo flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
$ sudo flatpak install flathub org.gnome.Recipes
$ flatpak run --unshare=network org.gnome.Recipes
$ sudo flatpak install org.keepassxc.KeePassXC
$ flatpak run org.keepassxc.KeePassXC

[ Where problems could occur ]

There could still be more applications affected by the
restriction of the creation of unprivileged user namespaces. They
might require the creation of new unconfined profiles, which could
be mitigated in a later SRU.

[ Other Info ]

The SRU is available in:

https://launchpad.net/~georgiag/+archive/ubuntu/4.0.1really4.0.1-0ubuntu0.24.04.3

Note that the previous SRU was reverted because of the regression in Bug 2072811.
This SRU has the same contents except for the enablement of the bwrap profile by default. The bwrap profile is available only under the apparmor-profiles package.
The regression on the SRU version 4.0.1-0ubuntu0.24.04.2 happened because we don't have enough tests covering flatpak/bubblewrap. We created the profile to be as broad as possible for bwrap to work as expected, but to prevent applications running inside it from being able to bypass the unprivileged user namespace restriction. The profile worked for the applications we received reports for, but unfortunately it wasn't as thorough, in terms of the variety of apps, as we would have liked.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Alex Murray (alexmurray) wrote (last edit ):

I have just uploaded apparmor 4.0.1-0ubuntu0.24.04.1 from georgiag's PPA to noble - it is sitting in the unapproved queue.

Changed in apparmor (Ubuntu):
status: Confirmed → In Progress
Samuel Moelius (smoelius) wrote (last edit ):

Please forgive me as I am unfamiliar with Ubuntu's release process.

What are the next steps to releasing this fix? And how soon could it appear in the normal distribution?

John Johansen (jjohansen) wrote :

@smoelius:

If you are interested in learning more of the processes, you can read about it at https://wiki.ubuntu.com/StableReleaseUpdates

To summarize the upload is at step 4 of the procedures. It has been uploaded but has not been promoted to the -proposed pocket. Once it has been accepted it will be in the -proposed pocket for a minimum of 7 days, the absolute earliest this SRU could land in updates is mid next week, but it will likely take a little longer.

It is available earlier either through the ppa (https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-sru), or the -proposed pocket (user opt in by enabling proposed) once promoted.

Samuel Moelius (smoelius) wrote :

@jjohansen Thank you very much for your detailed explanation!

Simon McVittie (smcv) wrote :

> add profile for bwrap utility

Please check that this doesn't make `flatpak run --unshare=network $APP_ID` regress.

Explanation:

Some Flatpak apps (the ones that have no legitimate reason to use networking) have `--unshare=network` by default, as a way to prevent them from contacting the internet if they are malicious or compromised. This sandboxing feature requires bwrap to use CAP_NET_ADMIN to bring up a loopback device inside the new network namespace, before it drops privileges and executes the actual sandboxed code. Otherwise, there would be no `lo` device and no 127.0.0.1 or ::1, breaking apps' reasonable expectations.

Many apps *normally* allow networking, but they can all be run with `--unshare=network` to force the no-network code path, for example `flatpak run --unshare=network org.gnome.Recipes`. Of course, some or all features of the app will not work when run like this, but it should at least start.

I'm hoping that either the new bwrap profile allows this, or the flatpak profile (previously added) takes precedence and allows CAP_NET_ADMIN to be used (briefly!) during the switch from the TCB to the sandboxed environment.

Georgia Garcia (georgiag) wrote :

Hi Simon,

The use of --unshare=network does not cause a regression with the bwrap profile.
This is the full profile: https://gitlab.com/apparmor/apparmor/-/blob/aa74b9b12d9ed55909489403a0c2514b9ea6a95f/profiles/apparmor/profiles/extras/bwrap-userns-restrict

If you look at the bwrap profile itself, you can see that it allows the use of all capabilities, but that on execs, it transitions to a profile that does not allow capabilities. That's how bwrap can, briefly, use CAP_NET_ADMIN.

profile bwrap /usr/bin/bwrap ... {
  allow capability,
  ...
  allow px /** -> bwrap//&unpriv_bwrap,
}

To be clear, I tested `flatpak run --unshare=network org.gnome.Recipes` specifically and it worked as expected.
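A small checker for the "works with no apparmor rejections" verification in the test plan above, and for the capability question discussed in this thread (bwrap itself may use CAP_NET_ADMIN, the bwrap//&unpriv_bwrap child profile it transitions to on exec may not). This is an added example, not code from the bug report, the apparmor project or the QRT test-apparmor.py script. It parses kernel audit lines in the key="value" layout AppArmor emits (apparmor="DENIED" operation="..." profile="...") and summarizes the denials by profile and operation. The sample log lines embedded in it are constructed for illustration and were not taken from any tester's system.

```python
import re
from collections import Counter

# Constructed sample audit lines (illustrative, not from the bug report). The field
# layout follows the AppArmor kernel audit format: a sequence of key="value" pairs.
SAMPLE_LOG = """\
audit: type=1400 audit(1719500000.123:45): apparmor="ALLOWED" operation="capable" profile="bwrap" pid=4242 comm="bwrap" capability=12 capname="net_admin"
audit: type=1400 audit(1719500000.456:46): apparmor="DENIED" operation="capable" profile="bwrap//&unpriv_bwrap" pid=4243 comm="bwrap" capability=12 capname="net_admin"
audit: type=1400 audit(1719500001.789:47): apparmor="DENIED" operation="userns_create" class="namespace" profile="unconfined" pid=5000 comm="setzer" requested="userns_create" denied="userns_create"
audit: type=1400 audit(1719500002.000:48): apparmor="STATUS" operation="profile_load" profile="unconfined" name="foliate" pid=1 comm="apparmor_parser"
"""

# One quoted key="value" field; unquoted fields such as pid=4242 are not needed here.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_audit_line(line):
    """Return the quoted key="value" fields of one AppArmor audit line as a dict,
    or None when the line carries no apparmor= field (i.e. is not an AppArmor record)."""
    fields = dict(FIELD_RE.findall(line))
    return fields if fields.get("apparmor") else None


def denials(log_text):
    """Yield the parsed fields of every apparmor="DENIED" record in log_text.
    ALLOWED (complain-mode) and STATUS (profile load) records are skipped."""
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec and rec["apparmor"] == "DENIED":
            yield rec


def summarize(log_text):
    """Count denials by (profile, operation, capname). The capname is empty for
    non-capability operations, so a verifier sees at a glance which profile
    rejected which operation, e.g. ('bwrap//&unpriv_bwrap', 'capable', 'net_admin')."""
    counts = Counter()
    for rec in denials(log_text):
        key = (rec.get("profile", "?"), rec.get("operation", "?"), rec.get("capname", ""))
        counts[key] += 1
    return counts


def userns_denials(log_text):
    """Denials of userns_create: what an application hits when the unprivileged
    user namespace restriction applies and no profile grants it the namespace."""
    return [rec for rec in denials(log_text) if rec.get("operation") == "userns_create"]


if __name__ == "__main__":
    # Run stand-alone over the constructed sample; in practice pipe in
    # `journalctl -k` or `dmesg` output read from stdin or a file.
    for (profile, op, cap), n in sorted(summarize(SAMPLE_LOG).items()):
        extra = f" capname={cap}" if cap else ""
        print(f"{n:3d}  profile={profile} operation={op}{extra}")
```

Run over `journalctl -k` or `dmesg` output after executing the test plan steps; an empty summary is the "no apparmor rejections" result the verifications in this thread report. A DENIED capable/net_admin record attributed to the bwrap//&unpriv_bwrap child profile rather than to bwrap itself would be the signature of the failure mode Simon raised (loopback setup attempted after the exec transition), and a userns_create denial against profile unconfined is what an application such as setzer hits when the unprivileged user namespace restriction blocks it without a matching profile.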

John Johansen (jjohansen) wrote :

It shouldn't but we do need to make sure it works.

Previously flatpak was getting around the bwrap restriction by using the flatpak unconfined profile. But the unconfined profile uses pix which means it will now use the bwrap profile, when calling bwrap.

If this does cause breakage we will need to move flatpak to using just ix when calling bwrap.

@smcv: do you have a specific app in mind to test?

Chris Halse Rogers (raof) wrote : Proposed package upload rejected

An upload of apparmor to noble-proposed has been rejected from the upload queue for the following reason: "dpkg-source: warning: diff 'apparmor-4.0.1/debian/patches/ubuntu/profiles-fix-wike-profile-location-to-apparmor.d.patch' doesn't contain any patch - you can't rename files in a diff!".

Chris Halse Rogers (raof) wrote :

Ok, I've reviewed the upload in the queue. I've rejected it, as one of the patches was broken, but apart from that the diff looks OK (although there's a *lot* of it, most of it is removal of autogenerated autoconf stuff).

If we're going to use just this bug for verification, please update the other bugs making it clear that they don't need to be verified as per https://wiki.ubuntu.com/StableReleaseUpdates#Bug_references_in_changelogs

Also, it looks like the verification test plan needs to be augmented? From the above discussion there seems to be a requirement to test some specific bubblewrap functionality, which should be added to the test plan.

Although, since it seems like the wike fix was accidentally not applied, maybe we should also test to ensure that the new profiles work, at least the more important applications?

Georgia Garcia (georgiag) wrote :

Thanks for reviewing, Chris. I have updated the test plan with your suggestions, and I also updated the ppa containing a new version of the package with the wike profile location fixed. I'll also make sure to comment on the bugs in the changelog that verification is not required.

Chris Halse Rogers (raof) wrote : Please test proposed package

Hello Georgia, or anyone else affected,

Accepted apparmor into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apparmor/4.0.1-0ubuntu0.24.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-noble to verification-done-noble. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-noble. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in apparmor (Ubuntu Noble):
status: New → Fix Committed
tags: added: verification-needed verification-needed-noble
Samuel Moelius (smoelius) wrote :

@raof I've installed the proposed package, and so far it seems to be working. Thank you!

(Apologies if you receive telemetry, and this message is just spam.)

John Johansen (jjohansen) wrote :

On a clean install of 24.04 with Ubuntu (gnome) desktop. Updated as of June 27, 24.04.

0. Enabled proposed, updated, upgraded and installed apparmor packages via

$ sudo apt install apparmor apparmor-profiles apparmor-utils libapparmor-dev libapparmor1 libpam-apparmor python3-apparmor python3-libapparmor -t noble-proposed

Full test plan executed for Ubuntu Desktop, Kubuntu Desktop, Budgie Desktop.

[ Test Plan ]

Test QA Regression Testing

The final test output was:

----------------------------------------------------------------------
Ran 62 tests in 903.834s

OK (skipped=3)

$ apt policy apparmor
apparmor:
  Installed: 4.0.1-0ubuntu0.24.04.2
  Candidate: 4.0.1-0ubuntu0.24.04.2
  Version table:
 *** 4.0.1-0ubuntu0.24.04.2 100
        100 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     4.0.0-beta3-0ubuntu3 500
        500 http://us.archive.ubuntu.com/ubuntu noble/main amd64 Packages

Run additional tests:

1. test wike

run from terminal, works with no apparmor rejections
run from gnome activities, works no apparmor rejections

2. test foliate
run from terminal, works with no apparmor rejections
run from gnome activities, works with no apparmor rejections

3. test transmission
run from terminal, works with no apparmor rejections
run from gnome activities, works with no apparmor rejections

4. test bwrap

4.1 setzer
run from terminal, works with no apparmor rejections
run from gnome activities, works with no apparmor rejections

4.2 flatpak org.gnome.Recipes
works as expected

In addition to the test plan using the gnome desktop, the Kubuntu and Budgie desktops were brought up and tested, to ensure no regressions around widgets, applications or previously reported bugs.

See https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844 for tracked list of applications. See next comment for results from testing each application.

Georgia Garcia (georgiag) wrote :

Thanks for the verification, John. I updated the tags based on the results of your tests.

tags: added: verification-done verification-done-noble
removed: verification-needed verification-needed-noble
John Johansen (jjohansen) wrote :

List of Applications tested for regression

Tellico
Supercollider
steam
rssguard
qutebrowser
qmapshack
plasma-welcome
plasma-desktop
pageedit
opam
notepadqq
marble
loupe
kontact
konqueror
kmail
kgeotag
kdeplasma-addons
kchmviewer
kalgebra
goldendict-webengine
ghostwriter
foliate
geary
firefox snap
falkon
evolution
epiphany-browser
digikam
devhelp
cantor

John Johansen (jjohansen) wrote :

Test Environment 1: kvm virtual machine, clean 24.04 install, updated, then proposed enabled.

Test Environment 2: x86 laptop with nvidia graphics, upgraded to 24.04, updated, then proposed enabled.

Test plan fully executed on both environments.

Notes:
kde, budgie, and kapps: only tested in environment 1

steam: only tested on environment 2.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 4.0.1-0ubuntu0.24.04.2

---------------
apparmor (4.0.1-0ubuntu0.24.04.2) noble; urgency=medium

  [Georgia Garcia]
  * New upstream release. (LP: #2064672)
  * Refresh
    - d/p/u/parser-add-support-for-prompting.patch
      - Add condition in policydb serialization to only encode xtable if
      kernel_supports_permstable32
  * Add patch to add balena-etcher profile (LP: #2046844)
    - d/p/u/profiles-add-unconfined-balena-etcher-profile.patch
  * Fix d/p/u/userns-runtime-disable.patch to work when
    kernel.apparmor_restrict_unprivileged_userns does not exist by adding
    -e to sysctl.
  * d/apparmor.install
    - install new profiles
      - wike - changed installation from apparmor to apparmor.d
      - foliate
      - balena-etcher
      - transmission

  [Alex Murray]
  * Add upstream patch to relax mount rules to fix use of virtiofs and
    other file-system types
    - d/p/u/mountrule-relaxing-constraints-on-fstype.patch
  * Remove patches which got dropped from quilt series earlier
    - d/p/u/parser-support-uin128_t-key-as-a-pair-of-uint64_t-nu.patch
    - d/p/u/Minor-improvements-for-MountRule.patch
  * d/control: Remove obsolete lsb-base Depends and swap pkg-config to
    pkgconf for Build-Depends

apparmor (4.0.0-beta4-0ubuntu1) noble; urgency=medium

  * New upstream release.
    (LP: #2046844, LP: #2060100, LP: #2056297)
  * Refresh
    - d/p/u/samba-systemd-interaction.patch
  * Drop patches which have now been applied updatea
    - d/p/u/parser-fix-issues-appointed-by-coverity.patch
    - d/p/u/profiles-add-unconfined-profile-for-tuxedo-control-c.patch
  * Add patch to enable bwrap profile
    - d/p/u/enable-bwrap-profile.patch
      (LP: #2046844, LP: #2065708)
  * d/apparmor.install
    - install new profile
      - bwrap-userns-restrict
  * d/apparmor-profiles.install
    - install new profile
      - unshare-userns-restrict

 -- Georgia Garcia <email address hidden> Tue, 30 Apr 2024 14:12:01 -0300

Changed in apparmor (Ubuntu Noble):
status: Fix Committed → Fix Released
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for apparmor has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Robie Basak (racb) wrote :

A regression caused by this update has been reported in bug 2072811. If found to be valid, we may revert the fix shortly. If you are or would be affected, your participation in the regression bug would be appreciated.

John Johansen (jjohansen) wrote :

The regression is caused by
  d/p/u/enable-bwrap-profile.patch

The bwrap profile is interacting with flatpak and snapd. The d/p/u/enable-bwrap-profile.patch will need to be dropped when the 4.0.1 SRU is redone.

bwrap, flatpak and snapd will need updates to enable bwrap to be used by regular users. Since this change is now known to have potential breakage, it should be isolated to its own SRU where it is the only change, allowing easier testing and easier revert, knowing it is the only moving piece.

Robie Basak (racb) wrote :

Thanks. When the bwrap profile SRU is attempted again, I'd like the Test Plan reconsidered please to ensure that we catch the class of regression that occurred.

On this SRU, before resubmitting it with the bwrap change removed, please revise the Test Plan to ensure that all necessary steps are included so that other developers can run it without problems. As discussed on IRC earlier, I was not able to do this!

Reopening as the change introduced to fix this bug has been reverted.

Changed in apparmor (Ubuntu Noble):
status: Fix Released → Triaged
Georgia Garcia (georgiag) wrote (last edit ):

I have updated the description with the information of the SRU version 4.0.1really4.0.1-0ubuntu0.24.04.3
The Test Plan is updated with detailed instructions and I also added an analysis of why the regression happened for the previous SRU. Note that since we have removed the enablement by default of the bwrap profile, some applications are still not going to work properly, which is the case for setzer in the test plan. A fix was already merged upstream [1] and will be present in a later 4.0.2 SRU.

[1] https://gitlab.com/apparmor/apparmor/-/merge_requests/1272

tags: removed: verification-done verification-done-noble
Alex Murray (alexmurray) wrote :

To clarify on the statement from @georgiag above - "some applications are still not going to work properly" means that some applications *which currently do not work on Ubuntu 24.04 with the current version of apparmor in the archive (4.0.1really4.0.0-beta3-0ubuntu0.1)* are still not going to work properly, i.e. this is not a regression from the current behaviour.

I have reviewed the proposed update and ran both the qa-regression-tests and autopkgtests locally and it looks good to me (other than a minor typo in the debian/changelog - s/updatea/upstream/) - I have uploaded it to the unapproved queue for review by the SRU team. Thanks for all your help with this @rbasak.

Changed in apparmor (Ubuntu Noble):
status: Triaged → In Progress