[SRU] apparmor - Focal, Jammy

Status changed to 'Confirmed' because the bug affects multiple users.

These have now been uploaded to -proposed and are sitting in UNAPPROVED:

https://launchpad.net/ubuntu/jammy/+queue?queue_state=1&queue_text=apparmor
https://launchpad.net/ubuntu/focal/+queue?queue_state=1&queue_text=apparmor

> The message queue rules support could cause issues for AppArmor
> policies that were developed before there was support for mqueues,

Please explain in more detail why this is a risk. reading the 'mqueue1-' patch, the documentation reads to me as the default being full access allowed:

  AppArmor Message Queue permissions are implied when a rule does not explicitly
  state an access list. By default, all Message Queue permissions are implied.

Is that not what this means, or is mqueue access actually denied by default and this refers only to how an unqualified 'mqueue' rule is interpreted?

> Jammy already has the abi pinned for a kernel
> that does not have support for mqueue mediation.

In that case how does introducing mqueue support in apparmor benefit users of jammy?

Hi Steve Langasek, thanks for taking a look at the SRU.

> Is that not what this means, or is mqueue access actually denied by
> default and this refers only to how an unqualified 'mqueue' rule is
> interpreted?

Correct, this only refers to how an unqualified 'mqueue' rule is interpreted.

> In that case how does introducing mqueue support in apparmor benefit
> users of jammy?

Users of jammy will now have the ability to mediate message queues in their profile if they want, but they will have to opt-in. There is more than one way to accomplish this, but they can for example add 'abi <kernel>,' to their profile when using a kernel that provides mqueue mediation. That means that older policies that were developed when mqueue mediation was not available will not be broken.

Hi Steve,

Just wanted to mention that this is a very time-critical feature requirement for one of our customers on Core 20, so we would really appreciate this if you could please treat this as very high priority.

Please feel free to reach out to me on MM if you have any questions.

Cheers,
Isaac

Hi Issac, Steve, Georgia,

I think that our customer mainly depends on the Focal patches to be SRU'ed. May be Steve can prioritize them and help us get those reviewed first.

Thank you !
Ijlal

Hi Ijlal,

That's correct - the SRU to focal (and thus core 20) is the important one for the customer.

Cheers,
Isaac

So, I'm not Steve, but as this is a priority and I know Steve is off this week I've taken a look at this to hopefully resolve some review questions before he's back.

A number of the bugs referenced in this upload don't have the relevant SRU information attached, which would be helpful.

The packaging itself looks sane, but my understanding is that this adds new classes of apparmor denials, and *particularly* it appears that this might cause existing apparmor profiles to deny application behaviour that is currently allowed (which is why the ABI patches are backported?). There don't seem to be any explicit tests in the test cases to verify that existing behaviour is preserved, though? That would seem to be necessary.

Is this also contemplating https://bugs.launchpad.net/ubuntu/jammy/+source/apparmor/+bug/1979879 for jammy? I'll try to take a look

Chris, I added the missing SRU information on the bugs that were missing.

> The packaging itself looks sane, but my understanding is that this adds
> new classes of apparmor denials, and *particularly* it appears that this
> might cause existing apparmor profiles to deny application behaviour
> that is currently allowed (which is why the ABI patches are
> backported?).

Exactly.

> There don't seem to be any explicit tests in the test
> cases to verify that existing behaviour is preserved, though? That would
> seem to be necessary.

I created this MR on QRT to add this test case:
https://code.launchpad.net/~georgiag/qa-regression-testing/+git/qa-regression-testing/+merge/433546
They are based on the Test Plan of Bug #1728130
The test added passes.

Fwiw, the code has landed in the upstream git repository in https://gitlab.com/apparmor/apparmor/-/merge_requests/858

Okay, looking at all the comments and discussions, I personally feel that we're getting there. I just have a final less-exciting question:

As mvo mentioned, it looks like the changes got merged upstream. But when I look at the upstream merge, there seems to be less commits in there than patches in the current jammy upload - are those tweaked to be applied to jammy and therefore there's more of them, or is it simply an outdated patchset? I'd like to make sure that what we push to jammy and focal is up-to-date and has all the upstream concerns resolved.

Łukasz, the commits that are "missing" from the upstream merge request had already been merged.

They are:
mqueue8-libapparmor-add-support-for-requested-and-denied-on-.patch
mqueue9-libapparmor-add-support-for-class-in-logparsing.patch

Corresponding commits upstream:
https://gitlab.com/apparmor/apparmor/-/commit/a05c9483f3b1176faf0b31786b12ca8fef750d22
https://gitlab.com/apparmor/apparmor/-/commit/5cc7a26e78326256ba6915cfba0a5751adddf7da

On the description of the MR I added that they were cherry-picked from the message queue merge request:
https://gitlab.com/apparmor/apparmor/-/merge_requests/939

Excellent! Okay, let me have one more look and then possibly get this into -proposed.

Hello Georgia, or anyone else affected,

Accepted apparmor into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apparmor/3.0.4-2ubuntu2.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hi Łukasz,

Thanks for the update. What's the status of the focal SRU? That's the time-critical one for our customer.

Cheers,
Isaac

Hello Georgia, or anyone else affected,

Accepted apparmor into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apparmor/2.13.3-7ubuntu5.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

I accepted this, but would prefer to keep these patches around for some longer testing. Would it be possible to maybe get a call-for-testing out or similar? Also, we need to make sure that the existing behaviour is preserved, so I'd request for https://code.launchpad.net/~georgiag/qa-regression-testing/+git/qa-regression-testing/+merge/433546 to be reviewed, merged and made sure to be executed as part of the verification. Are there other tests we can run to make sure we're not regressing any existing cases?

All autopkgtests for the newly accepted apparmor (3.0.4-2ubuntu2.2) for jammy have finished running.
The following regressions have been reported in tests triggered by the package:

systemd/249.11-0ubuntu3.6 (s390x)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/jammy/update_excuses.html#apparmor

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

All autopkgtests for the newly accepted apparmor (2.13.3-7ubuntu5.2) for focal have finished running.
The following regressions have been reported in tests triggered by the package:

libreoffice/1:6.4.7-0ubuntu0.20.04.6 (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/focal/update_excuses.html#apparmor

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

@sil2100, there is some additional testing. qa-regression-testing, pulls in the apparmor regression tests. And they contain tests for capabilities and mqueue behavior. These have not shown any regressions. And have been tested on multiple machines.

These patches have also gone through the build and integration testing the upstream project has which runs language parsing (separate from regression tests, this includes tests for capabilities), equivalence tests (to check policy generation hasn't changed), coverage, minimization (another type of policy equivalence regression test), known error, and some valgrind runs.

Tests for jammy worked as expected. The systemd autopkgtest on s390x passed after the test was retriggered.

The verification of the Stable Release Update for apparmor has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package apparmor - 3.0.4-2ubuntu2.2

---------------
apparmor (3.0.4-2ubuntu2.2) jammy; urgency=medium

  * Add mqueue patches. LP: #1993353
    - u/mqueue1-parser-add-parser-support-for-message-queue-mediatio.patch:
    add parser support for mqueue mediation
    - u/mqueue2-tests-add-posix-message-queue-regression-tests.patch: add
    posix mqueue regression tests
    - u/mqueue3-utils-add-message-queue-rules-parsing-in-python-tool.patch:
    add support in python tools to parse mqueue rules
    - u/mqueue4-parser-add-parser-simple-tests-for-mqueue-rules.patch: add
    parser simple tests for mqueue
    - u/mqueue5-parser-Add-a-set-of-debug-flags-that-can-be-passed-t.patch:
    add debug flags that can be passed to the kernel
    - u/mqueue6-parser-Set-the-DEBUG1-flag-on-profiles-that-use-mque.patch:
    set DEBUG1 on mqueue rules
    - u/mqueue7-parser-place-perm-on-name-as-well-as-name-label-comb.patch:
    add permissions on name and also on name + label
    - u/mqueue8-libapparmor-add-support-for-requested-and-denied-on-.patch:
    add parsing support for "denied" and "requested" from audit logs
    - u/mqueue9-libapparmor-add-support-for-class-in-logparsing.patch: add
    parsing support for "class" from audit logs
    - u/mqueue10-utils-add-logparser-support-for-mqueue.patch: add logparser
    support for mqueue rules
    - u/mqueue11-tests-add-sysv-message-queue-regression-tests.patch: add
    sysv mqueue regression tests
    - debian/rules: create mqueue testcase empty files for libapparmor tests.
  * Closes LP: #1994146

 -- Georgia Garcia <email address hidden> Wed, 19 Oct 2022 11:52:00 -0300