aa-logprof fails with 'runbindable' error

Bug #2065685 reported by Neil Wilson
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
New
Undecided
Maxime Bélair

Bug Description

On the latest LTS, aa-logprof does nothing other than fail with the error

    ERROR: Operation {'runbindable'} cannot have a source. Source = AARE('/')

ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: apparmor-utils 4.0.0-beta3-0ubuntu3
ProcVersionSignature: User Name 6.8.0-31.31-generic 6.8.1
Uname: Linux 6.8.0-31-generic x86_64
ApparmorStatusOutput:
 Error: command ['/usr/sbin/apparmor_status'] failed with exit code 4: You do not have enough privilege to read the profile set.
 apparmor module is loaded.
ApportVersion: 2.28.1-0ubuntu3
Architecture: amd64
CasperMD5CheckResult: unknown
CloudArchitecture: x86_64
CloudBuildName: server
CloudID: brightbox
CloudName: brightbox
CloudPlatform: ec2
CloudRegion: gb1s-
CloudSerial: 20240423
CloudSubPlatform: metadata (http://169.254.169.254)
Date: Tue May 14 12:29:17 2024
PackageArchitecture: all
ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-6.8.0-31-generic root=LABEL=cloudimg-rootfs ro console=tty1 console=ttyS0
SourcePackage: apparmor
Syslog:
 2024-05-13T10:19:58.724594+00:00 srv-9vqc0 dbus-daemon[838]: [system] AppArmor D-Bus mediation is enabled
 2024-05-13T10:22:32.966857+00:00 srv-9vqc0 dbus-daemon[666]: [system] AppArmor D-Bus mediation is enabled
 2024-05-13T10:25:00.210572+00:00 srv-9vqc0 dbus-daemon[1044]: [session uid=1000 pid=1044] AppArmor D-Bus mediation is enabled
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Neil Wilson (neil-aldur) wrote :
Changed in apparmor (Ubuntu):
assignee: nobody → Maxime Bélair (mbelair)
Revision history for this message
Maxime Bélair (mbelair) wrote :

I have implemented a patch for this issue, but before submitting it, I want to understand its origin to determine if other edge cases need to be addressed.

Do you know which profile created this issue?

Perhaps running sudo grep -r "runbindable*/*" /etc/apparmor.d could help identify the source of this issue.

Revision history for this message
Neil Wilson (neil-aldur) wrote :

ubuntu@srv-9vqc0:~$ sudo grep -r "runbindable*/*" /etc/apparmor.d
/etc/apparmor.d/abstractions/passt: mount options=(rw, runbindable) /,
ubuntu@srv-9vqc0:~$ sudo aa-logprof

ERROR: Operation {'runbindable'} cannot have a source. Source = AARE('/')

HTH

Revision history for this message
Maxime Bélair (mbelair) wrote (last edit ):

So, the error was related to passt, not apparmor. This is because it uses an incorrect rule in abstractions/passt.

By design, rules containing some options, such as runbindable, cannot include a source.

I just sent the following patch for passt that should solve your issue https://archives<email address hidden>/T/#u , i.e. you need to modify `mount options=(rw, runbindable) /,` in /etc/apparmor.d/abstractions/passt to `mount options=(rw, runbindable) -> /,`

That being said, I will probably send a merge request to apparmor so that if in similar cases the source is '/', mount does not fail, thereby preventing similar future errors.

Changed in apparmor (Ubuntu):
status: New → Fix Committed
Revision history for this message
Christian Boltz (cboltz) wrote :

I'm afraid apparmor_parser is not fully aware of this restriction.

    # cat foo
    /usr/bin/foo {
      # mount options=(rw, runbindable) / -> /bar, # causes error
      mount options=(rw, runbindable) -> /bar, # accepted as valid (as expected)
      mount options=(rw, runbindable) /, # accepted as valid, but shouldn't
    }

    # apparmor_parser -r foo
    #

This means a rule with only a source (but no target mountpoint) gets accepted by the parser and loaded into the kernel, even if it should raise an error.

.

BTW: The commented-out rule that indeed triggers an error results in a not-so-useful error message:

    Encoding of mount rule failed
    ERROR processing policydb rules for profile /usr/bin/foo, failed to load

A more detailed error message that points out the invalid rule would be nice.

Changed in apparmor (Ubuntu):
status: Fix Committed → New
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.