[pkg-lxc-devel] Bug#1050256: [pkg-apparmor] Bug#1050256: autopkgtest fails on debci

Christian Boltz apparmor at cboltz.de
Mon Sep 4 13:37:00 BST 2023


Hello,

Am Samstag, 2. September 2023, 01:13:11 CEST schrieb Mathias Gibbens:
>   A minimal reproducer is to install bookworm and create a container
> with a systemd service using a hardening option like
> PrivateNetwork=yes. With the latest bookworm kernel (6.1.38-4), the
> service will fail. But, grab a kernel from testing (6.4.11-1) and then
> things work -- with no other changes required. I tried the "oldest"
> kernel on snapshot.d.o post 6.1 series (6.3.1+1~exp1 [1]) and the
> service works properly with that version as well. So, something
> changed in the kernel (either upstream or in Debian's packaging)
> between 6.1 and 6.3 that "unbreaks" services within lxc containers.

I asked in #apparmor, and John answered

[11:04:33] <cboltz> can someone have a look at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050256 ? Short version: Debian gets unix denials when running lxc with kernel 6.1.38 from bookworm, but things work with kernel 6.3.1
[19:19:41] <jjohansen> cboltz: ok, I will try and look at it today
[07:00:34] <jjohansen> cboltz: I didn't see anything that would cause unix failures in a first pass. I will take another pass at it tomorrow
[10:01:30] <jjohansen> cboltz: commit 1cf26c3d2c4c apparmor: fix apparmor mediating locking non-fs unix sockets

So you could test if the bookworm kernel with 1cf26c3d2c4c applied on
top fixes the issue.



To answer a question from a later mail:

Am Sonntag, 3. September 2023, 02:56:05 CEST schrieb Michael Biebl:
> I also tested downgrading apparmor to 2.13.6-10 (i.e. the version from
> oldstable) on a bookworm system.
> 
> This was also sufficient to unbreak lxc.
> 
> So it "looks" like apparmor 3.x makes assumptions about the kernel
> that are not fulfilled by the kernel 6.1.x in bookworm.

The difference is in the abi levels - without an abi/ include specified, 
unix rules don't get enforced (= allow everything), while with abi/3.0
and AppArmor >= 3.x userspace, unix rules get enforced.

abi/3.0 got introduced in AppArmor 3.0, and my guess is that the abi/3.0
include was also added to the lxc profile.

Actually the explanation might be slightly different (same result, but 
without abi/3.0 in the lxc profile):

It looks like the Debian AppArmor maintainers pinned the abi to
/etc/apparmor.d/abi/kernel-5.4-outoftree-network
which, like abi/3.0, includes enforcing unix rules.

(Note: I'm only looking at https://salsa.debian.org/apparmor-team/apparmor.git/
since I don't have a Debian machine running.)

For completeness: 2.13.x doesn't support abi at all (besides ignoring
abi/* includes if it finds them in a profile) so even if you have a
profile with abi/3.0, unix rules won't be enforced.

There's an exception:  Ubuntu kernels carry some patches to enable unix 
and some other rules even with older AppArmor versions.


Regards,

Christian Boltz
-- 
in my experience it's safe to assume developers never test
[Stephan Kulow in opensuse-factory]
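As an added illustration of the abi logic explained in the mail above (this is not code from the thread or from the AppArmor or Debian projects), the script below audits AppArmor profile text and reports whether its unix rules are live or silently ignored. It encodes exactly the rules the mail states: 2.13.x ignores abi includes and never enforces unix rules; 3.x enforces them only when the effective abi is abi/3.0 or Debian's pinned abi/kernel-5.4-outoftree-network. The two profile snippets are constructed for the example (they are not the real lxc profile), the `UNIX_MEDIATING_ABIS` set is an assumption drawn from the mail, and the `pinned_abi` parameter is a hypothetical stand-in for the parser-wide pin the mail describes.

```python
import re

# Constructed AppArmor profile snippets (illustrative, not the Debian lxc profile).
PROFILE_NO_ABI = """\
#include <tunables/global>
profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {
  network,
  unix (send, receive) type=stream,
  deny unix (bind),
}
"""

PROFILE_ABI_30 = """\
abi <abi/3.0>,
include <tunables/global>
profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {
  network,
  unix (send, receive) type=stream,
}
"""

# abi declaration at file or profile scope, e.g. `abi <abi/3.0>,`
ABI_DECL_RE = re.compile(r'^\s*abi\s*<([^>]+)>\s*,', re.MULTILINE)
# any unix rule, including audit/deny-prefixed ones
UNIX_RULE_RE = re.compile(r'^\s*(?:audit\s+)?(?:deny\s+)?unix\b', re.MULTILINE)

# Assumption taken from the mail: these abis switch unix mediation on.
UNIX_MEDIATING_ABIS = {"abi/3.0", "abi/kernel-5.4-outoftree-network"}


def declared_abi(profile_text):
    """Return the abi named in the profile, normalised to 'abi/...', or None."""
    m = ABI_DECL_RE.search(profile_text)
    if not m:
        return None
    abi = m.group(1).strip()
    # accept the absolute /etc/apparmor.d/abi/... spelling as well
    prefix = "/etc/apparmor.d/"
    return abi[len(prefix):] if abi.startswith(prefix) else abi


def count_unix_rules(profile_text):
    """Number of unix rules in the profile text."""
    return len(UNIX_RULE_RE.findall(profile_text))


def unix_rules_enforced(profile_text, userspace_version, pinned_abi=None):
    """Apply the mail's logic: 2.13.x never enforces unix rules; 3.x enforces
    them only when the effective abi (the profile's own, else a hypothetical
    parser-wide pin) is one that mediates unix sockets."""
    major = int(userspace_version.split(".")[0])
    if major < 3:
        return False
    effective = declared_abi(profile_text) or pinned_abi
    return effective in UNIX_MEDIATING_ABIS


def audit(profiles, userspace_version, pinned_abi=None):
    """Per profile: abi, number of unix rules, and whether they are enforced.
    A profile with unix rules and unix_enforced=False is allow-all for unix
    sockets; one whose status flips on upgrade is where new denials appear."""
    return [
        {
            "profile": name,
            "abi": declared_abi(text),
            "unix_rules": count_unix_rules(text),
            "unix_enforced": unix_rules_enforced(text, userspace_version, pinned_abi),
        }
        for name, text in profiles.items()
    ]


if __name__ == "__main__":
    profiles = {"no-abi": PROFILE_NO_ABI, "abi-3.0": PROFILE_ABI_30}
    for version in ("2.13.6-10", "3.0.8"):
        print(version, audit(profiles, version))
    # Debian-style pin: even the profile without its own abi gets enforced.
    print("3.0.8 + pin", audit(profiles, "3.0.8",
                              pinned_abi="abi/kernel-5.4-outoftree-network"))
```

Running the audit against the same profile set with the old and new userspace versions shows the status flip the bug report describes: the unix rules that were silently allow-all under 2.13.6 become enforced under 3.x with the pinned abi, and any socket use the profile did not foresee turns into a denial.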