Bugzilla – Full Text Bug Listing

| Summary: | apparmor stops working due to "aa-logprof ERROR: Can't parse mount rule mount "" -> "/"," | ||
|---|---|---|---|
| Product: | [openSUSE] openSUSE Tumbleweed | Reporter: | Martin Jedamzik <martin.jedamzik> |
| Component: | AppArmor | Assignee: | David Disseldorp <ddiss> |
| Status: | NEW --- | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Major | ||
| Priority: | P5 - None | CC: | ddiss, felix.niederwanger, martin.jedamzik, rbranco, suse-beta, ulf.volmer |
| Version: | Current | Flags: | ddiss: needinfo? |
| Target Milestone: | --- | ||
| Hardware: | x86-64 | ||
| OS: | openSUSE Tumbleweed | ||
| Whiteboard: | |||
| Found By: | --- | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
Martin Jedamzik
2024-06-06 08:43:02 UTC
If the double-quotation marks are removed, like this:

Orig:
    mount options=(rw, runbindable) -> /,
    mount "" -> "/",
    mount "" -> "/tmp/",
    pivot_root "/tmp/" -> "/tmp/",
    umount "/",

Change:
    mount options=(rw, runbindable) -> /,
    mount -> "/",
    mount -> "/tmp/",
    pivot_root "/tmp/" -> "/tmp/",
    umount "/",

aa-logprof does not complain.

After some AppArmor upstream discussion, this bug turns out to be two bugs:

- pivot_root "/tmp/" -> "/tmp/", triggers a bug (in apparmor_parser and/or the kernel) which prevents loading the profile. Upstream bugreport: https://gitlab.com/apparmor/apparmor/-/issues/400
- the mount rules (even with the quote chars) are accepted by apparmor_parser, which also means they are valid rules. This also means aa-logprof is too strict, and needs to be changed so that it accepts these rules as valid. No upstream ticket for that yet, I'll either open one or submit a fix myself.

I opened https://gitlab.com/apparmor/apparmor/-/merge_requests/1258 for handling mount rules with empty source ("").

While working on it, it turned out that handling quoted paths in mount rules was missing - it's included in the MR.

SR 1180048 sent to fix handling the mount rules in aa-logprof.

The ptrace issue (see comment 2) is still open upstream.

This is an autogenerated message for OBS integration:
This bug (1226031) was mentioned in
https://build.opensuse.org/request/show/1180048 Factory / apparmor

The ptrace issue (see comment 2) turned out to be a kernel bug, therefore reassigning to the kernel team.

@kernel team: https://gitlab.com/apparmor/apparmor/-/issues/400 says this gets fixed with https://gitlab.com/georgiag/apparmor-kernel/-/commit/cd1948c0660b0e8b24a78288651d7e4f1a88c921

Can you please add that patch to the openSUSE kernel?

If you want to test yourself: a reproducer is in the description of https://gitlab.com/apparmor/apparmor/-/issues/400

I can also do the testing - just tell me where I can find a test kernel ;-)

(In reply to Christian Boltz from comment #6)
> The ptrace issue (see comment 2) turned out to be a kernel bug, therefore
> reassigning to the kernel team.
>
> @kernel team: https://gitlab.com/apparmor/apparmor/-/issues/400 says this
> gets fixed with
> https://gitlab.com/georgiag/apparmor-kernel/-/commit/
> cd1948c0660b0e8b24a78288651d7e4f1a88c921
>
> Can you please add that patch to the openSUSE kernel?

I don't see this on the apparmor ML or in the maintainer kernel git repository yet. I'd prefer to see it "on its way" before merging it locally.

> If you want to test yourself: a reproducer is in the description of
> https://gitlab.com/apparmor/apparmor/-/issues/400
>
> I can also do the testing - just tell me where I can find a test kernel ;-)

Sure, I'll prepare a test kernel with the change.
As always, thanks for looking into this and raising it upstream, Christian.

(In reply to David Disseldorp from comment #7)
> (In reply to Christian Boltz from comment #6)
> > The ptrace issue (see comment 2) turned out to be a kernel bug, therefore
> > reassigning to the kernel team.
> >
> > @kernel team: https://gitlab.com/apparmor/apparmor/-/issues/400 says this
> > gets fixed with
> > https://gitlab.com/georgiag/apparmor-kernel/-/commit/
> > cd1948c0660b0e8b24a78288651d7e4f1a88c921
> >
> > Can you please add that patch to the openSUSE kernel?
>
> I don't see this on the apparmor ML or in the maintainer kernel git
> repository yet. I'd prefer to see it "on its way" before merging it locally.
>
> > If you want to test yourself: a reproducer is in the description of
> > https://gitlab.com/apparmor/apparmor/-/issues/400
> >
> > I can also do the testing - just tell me where I can find a test kernel ;-)

I've prepared a tumbleweed kernel with cd1948c0660b0e8b24a78288651d7e4f1a88c921 applied at:
https://download.opensuse.org/repositories/home:/ddiss:/bsc1226031_aa_policy_unpack_changes_tw/standard/

Test feedback appreciated.

(In reply to David Disseldorp from comment #8)
> I've prepared a tumbleweed kernel with
> cd1948c0660b0e8b24a78288651d7e4f1a88c921 applied at:

Just tested - that kernel fixes the bug, and successfully loads the test profile.

(In reply to Christian Boltz from comment #9)
> (In reply to David Disseldorp from comment #8)
> > I've prepared a tumbleweed kernel with
> > cd1948c0660b0e8b24a78288651d7e4f1a88c921 applied at:
>
> Just tested - that kernel fixes the bug, and successfully loads the test
> profile.

Great, I'll merge it once it's queued up for mainline kernel. flagging needinfo for this.

I can confirm the fix(es) solve the issue.
Just perfect !!!
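
Added example, not part of the bug thread and not AppArmor's own code: a parser for the mount rule forms quoted in the description, comparing a constructed strict pattern that requires non-empty paths with a tolerant one that accepts quoted paths and an empty quoted source (""). Both patterns and all names are assumptions made here; only the rule forms shown on this page are covered, and escapes inside quotes are not handled.

```python
import re

# Bare (unquoted) path token; the lookahead keeps "->" from being read as a path.
BARE = r'(?!->)[^\s",]+'

def _rule_re(path):
    """Build a regex for: mount [options=(...)] [source] [-> dest],"""
    return re.compile(
        r'^mount(?:\s+options=\((?P<opts>[^)]*)\))?'
        rf'(?:\s+(?P<src>{path}))?'
        rf'(?:\s+->\s+(?P<dst>{path}))?\s*,$')

# Constructed stand-in for an over-strict checker: quoted paths must be non-empty.
STRICT = _rule_re(rf'(?:"[^"]+"|{BARE})')
# Tolerant form: a quoted path may be empty, so  mount "" -> "/",  is valid.
TOLERANT = _rule_re(rf'(?:"[^"]*"|{BARE})')

def _unquote(token):
    if token is None:
        return None                      # path omitted from the rule
    return token[1:-1] if token.startswith('"') else token

def parse_mount_rule(line, pattern=TOLERANT):
    """Return options/source/dest; source '' (explicit "") differs from None."""
    line = line.strip()
    m = pattern.match(line)
    if m is None:
        raise ValueError(f"Can't parse mount rule {line}")
    opts = m.group('opts')
    return {
        'options': [o.strip() for o in opts.split(',')] if opts else [],
        'source': _unquote(m.group('src')),
        'dest': _unquote(m.group('dst')),
    }

def compare(lines):
    """For each rule, report whether the strict and tolerant patterns accept it."""
    return [(l, bool(STRICT.match(l)), bool(TOLERANT.match(l))) for l in lines]

# Mount rules copied from the description above ("Orig" and "Change" variants).
RULES = [
    'mount options=(rw, runbindable) -> /,',
    'mount "" -> "/",',
    'mount "" -> "/tmp/",',
    'mount -> "/",',
]

if __name__ == '__main__':
    for rule, strict_ok, tolerant_ok in compare(RULES):
        print(f'{rule!r:45} strict={strict_ok} tolerant={tolerant_ok}')
```

Keeping an explicit empty source ('') distinct from an omitted one (None) lets a tool write the rule back exactly as it was read.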