[SRU] fixes for AppArmor in Plucky
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
apparmor (Ubuntu) |
New
|
Undecided
|
Unassigned | ||
Plucky |
In Progress
|
Undecided
|
Unassigned |
Bug Description
[ Impact ]
This SRU contains fixes for a number of bugs:
* The unprivileged_userns profile did not have access to the root directory (LP: #2110616)
* lsblk could not list DASD devices on IBM System Z (LP: #2107402)
* Various commands segfaulted when run from a confined context due to missing permissions on the binary execution path (LP: #2107455, LP: #2110628)
* The plasmashell profile was missing new path to QtWebEngineProcess, causing breakage of Web Browser widget (LP: #2107723)
* fusermount3 lacked permissions to mount to /cvmfs (LP: #2110624)
* openvpn lacked permissions to manage DNS settings for pushed DHCP settings (LP: #2107596)
* openvpn lacked permissions to perform mDNS lookups (LP: #2109029)
* remmina broke due to missing permissions (LP: #2107723)
* fusermount3 lacked permissions to mount with noatime, needed for fuse_overlayfs (LP: #2110626)
* iotop-c failed to launch at all due to permission denials in nl_init (LP: #2107727)
* The parser did not handle the norelatime mount flag correctly (LP: #2110688)
* The apparmor.d man page contained incorrect information about the combination of mount options=(list) options in (list)
(LP: #2110630)
* This SRU also includes a regression test update (https:/
[ Test Plan ]
Bug-specific test plans can be found in their respective LP bug entries.
Generic test plan (for all AppArmor changes, not specific to this SRU):
AppArmor is also extensively tested via its QRT test suite, which includes execution of the AppArmor test suite.
* To prepare the QRT test suite (can be done on any machine):
- `git clone https:/
- `./scripts/
* To run the QRT test suite:
- Copy the tarball onto the machine with the new AppArmor installed and extract it
- `sudo ./install-packages test-apparmor.py`
- Reboot after dependency installation
- `sudo ./test-apparmor.py -v`
[ Where problems could occur ]
All the profile changes in this SRU are loosening confinement on a profile. However, if a user manually modified the installed profiles, then the package upgrade would cause conflicts, and rejection of the incoming changes (either by hand during an interactive upgrade or automatically during an batch unattended upgrade) would result in end users not getting the complete set of packaged fixes. However, as each of the files updated are independent of each other, a partially fixed state will not be more broken than an unfixed (before upgrade) state.
Remmina profile specific: If a user set up custom profiles that use "peer=remmina" IPC rules, then these rules would break upon the upgrade removing the remmina profile. However, none of the officially shipped profiles include such rules.
The man page update is a documentation-only change. The risk exists that the new packaged man page could be malformed, but this is unlikely since the man page is generated by pod2man, and such issues can be caught during testing by attempting to open the man page after installation of the new version.
The parser fix changes the behavior of mount rules that explicitly specify the norelatime flag. In particular, a custom profile containing `mount options in (norelatime)` will have different, more permissive behavior than before (reducing regression risk as compared to tightening behavior). However, this flag is not used in any of the commonly used profiles (including the ones in our repo and the profile fragments used by snapd), so this will not change the behavior of most profiles being used.
[ Other Info ]
The attached debdiff is identical to the one for the package uploaded to Questing, with the exception of the changelog.
The proposed uploaded for Plucky is also available at https:/ /launchpad. net/~rlee287/ +archive/ ubuntu/ apparmor- staging/ +packages in a PPA.