Bugzilla – Bug 1226031
apparmor stops working due to "aa-logprof ERROR: Can't parse mount rule mount "" -> "/","
Last modified: 2024-06-14 06:56:25 UTC
Recently noticed that my dovecot server was not accessible anymore. Checking the logs showed:

Jun 06 09:27:27 papa3 dovecot[6023]: auth: Error: Jun 06 09:27:27 service(auth): Fatal: execv(/usr/lib/dovecot/auth) failed: Permission denied

After some investigation I found the culprit, AppArmor was not working properly:

papa3:/etc/apparmor.d/abstractions # aa-logprof
ERROR: Can't parse mount rule mount "" -> "/",

The root cause is these statements in /etc/apparmor.d/abstractions/[passt|pasta]:

passt:
  mount options=(rw, runbindable) -> /,
  #mount "" -> "/",
  #mount "" -> "/tmp/",
  pivot_root "/tmp/" -> "/tmp/",
  #umount "/",

pasta:
  #mount "" -> "/proc/",

Current version of PASST: passt-20240523.765eb0b-1.1.x86_64
If the double-quotation marks are removed, like this:

Orig:
  mount options=(rw, runbindable) -> /,
  mount "" -> "/",
  mount "" -> "/tmp/",
  pivot_root "/tmp/" -> "/tmp/",
  umount "/",

Change:
  mount options=(rw, runbindable) -> /,
  mount -> "/",
  mount -> "/tmp/",
  pivot_root "/tmp/" -> "/tmp/",
  umount "/",

aa-logprof does not complain.
After some AppArmor upstream discussion, this bug turns out to be two bugs:

- pivot_root "/tmp/" -> "/tmp/", triggers a bug (in apparmor_parser and/or the kernel) which prevents loading the profile. Upstream bug report: https://gitlab.com/apparmor/apparmor/-/issues/400

- the mount rules (even with the quote chars) are accepted by apparmor_parser, which also means they are valid rules. This also means aa-logprof is too strict, and needs to be changed so that it accepts these rules as valid. No upstream ticket for that yet, I'll either open one or submit a fix myself.
I opened https://gitlab.com/apparmor/apparmor/-/merge_requests/1258 for handling mount rules with empty source (""). While working on it, it turned out that handling quoted paths in mount rules was missing - it's included in the MR.
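A small parser for the mount, umount and pivot_root rule forms quoted in this bug, as an added example that is not AppArmor's code and not the fix from MR 1258: it accepts quoted paths and the empty source ("") that the passt/pasta abstractions use, and has a switch that refuses the empty source so the reporter's aa-logprof error text can be reproduced on the same input. The grammar is a simplified subset of the real one (no fstype= lists, no variables or globs, no profile transitions), the names parse_mount_rule and check_abstraction are my own, and PASST_RULES is constructed from the rules quoted in the description.

```python
"""Parse AppArmor mount/umount/pivot_root rules, accepting quoted paths and
the empty source ("") used by the passt/pasta abstractions.

Added example, not code from the AppArmor project: the grammar below is a
simplified subset of the real one (no fstype= lists, no 'in' profile
transitions, no variables or globs), sufficient for the rules in this bug.
"""
import re

# A path token: a double-quoted string (may be empty, as in mount "" -> "/")
# or a bare word. "->" is excluded from bare words so it is read as the
# separator rather than as a source path.
_TOKEN = r'"(?:[^"\\]|\\.)*"|(?!->)[^\s,"]+'

_RULE_RE = re.compile(
    r'^\s*(?P<kind>mount|umount|pivot_root)'
    r'(?:\s+options=\((?P<opts>[^)]*)\))?'
    rf'(?:\s+(?P<src>{_TOKEN}))?'
    rf'(?:\s*->\s*(?P<dst>{_TOKEN}))?'
    r'\s*,\s*(?:#.*)?$'
)


def _unquote(tok):
    """Strip one layer of double quotes; None stays None, "" becomes ''."""
    if tok is None:
        return None
    if len(tok) >= 2 and tok[0] == '"' and tok[-1] == '"':
        return tok[1:-1]
    return tok


def parse_mount_rule(line, allow_empty_source=True):
    """Return a dict for one rule line, or raise ValueError.

    allow_empty_source=False mimics a checker that does not know about the
    empty-source form; it raises with the same wording the reporter saw.
    """
    m = _RULE_RE.match(line)
    if not m:
        raise ValueError(f"Can't parse mount rule {line.strip()}")
    src = _unquote(m.group('src'))
    if src == '' and not allow_empty_source:
        raise ValueError(f"Can't parse mount rule {line.strip()}")
    opts = m.group('opts')
    return {
        'kind': m.group('kind'),
        'options': ([o.strip() for o in opts.split(',') if o.strip()]
                    if opts is not None else None),
        'source': src,
        'dest': _unquote(m.group('dst')),
    }


def check_abstraction(text, allow_empty_source=True):
    """Parse every non-comment line of an abstraction snippet.

    Returns (rules, errors): the parsed dicts and the error messages, so a
    caller can report every offending line in one pass instead of stopping
    at the first one.
    """
    rules, errors = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        try:
            rules.append(parse_mount_rule(line, allow_empty_source))
        except ValueError as exc:
            errors.append(str(exc))
    return rules, errors


# Constructed sample: the passt abstraction rules quoted in this bug.
PASST_RULES = """\
  mount options=(rw, runbindable) -> /,
  mount "" -> "/",
  mount "" -> "/tmp/",
  pivot_root "/tmp/" -> "/tmp/",
  umount "/",
"""

if __name__ == '__main__':
    for strict in (False, True):
        rules, errors = check_abstraction(PASST_RULES, allow_empty_source=not strict)
        print(f"strict={strict}: {len(rules)} rules parsed, {len(errors)} errors")
        for err in errors:
            print("  ERROR:", err)
```

Run the file to see both modes: lenient parsing accepts all five rules, the strict switch rejects exactly the two empty-source lines. As comment 3 notes, apparmor_parser is the authority on whether a rule is valid, so a checker that rejects a rule the parser loads is the component that needs fixing, not the profile.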
SR 1180048 sent to fix handling the mount rules in aa-logprof. The ptrace issue (see comment 2) is still open upstream.
This is an autogenerated message for OBS integration: This bug (1226031) was mentioned in https://build.opensuse.org/request/show/1180048 Factory / apparmor
The ptrace issue (see comment 2) turned out to be a kernel bug, therefore reassigning to the kernel team. @kernel team: https://gitlab.com/apparmor/apparmor/-/issues/400 says this gets fixed with https://gitlab.com/georgiag/apparmor-kernel/-/commit/cd1948c0660b0e8b24a78288651d7e4f1a88c921 Can you please add that patch to the openSUSE kernel? If you want to test yourself: a reproducer is in the description of https://gitlab.com/apparmor/apparmor/-/issues/400 I can also do the testing - just tell me where I can find a test kernel ;-)
(In reply to Christian Boltz from comment #6)
> The ptrace issue (see comment 2) turned out to be a kernel bug, therefore
> reassigning to the kernel team.
>
> @kernel team: https://gitlab.com/apparmor/apparmor/-/issues/400 says this
> gets fixed with
> https://gitlab.com/georgiag/apparmor-kernel/-/commit/
> cd1948c0660b0e8b24a78288651d7e4f1a88c921
>
> Can you please add that patch to the openSUSE kernel?

I don't see this on the apparmor ML or in the maintainer kernel git repository yet. I'd prefer to see it "on its way" before merging it locally.

> If you want to test yourself: a reproducer is in the description of
> https://gitlab.com/apparmor/apparmor/-/issues/400
>
> I can also do the testing - just tell me where I can find a test kernel ;-)

Sure, I'll prepare a test kernel with the change.

As always, thanks for looking into this and raising it upstream, Christian.
(In reply to David Disseldorp from comment #7)
> (In reply to Christian Boltz from comment #6)
> > The ptrace issue (see comment 2) turned out to be a kernel bug, therefore
> > reassigning to the kernel team.
> >
> > @kernel team: https://gitlab.com/apparmor/apparmor/-/issues/400 says this
> > gets fixed with
> > https://gitlab.com/georgiag/apparmor-kernel/-/commit/
> > cd1948c0660b0e8b24a78288651d7e4f1a88c921
> >
> > Can you please add that patch to the openSUSE kernel?
>
> I don't see this on the apparmor ML or in the maintainer kernel git
> repository yet. I'd prefer to see it "on its way" before merging it locally.
>
> > If you want to test yourself: a reproducer is in the description of
> > https://gitlab.com/apparmor/apparmor/-/issues/400
> >
> > I can also do the testing - just tell me where I can find a test kernel ;-)

I've prepared a tumbleweed kernel with cd1948c0660b0e8b24a78288651d7e4f1a88c921 applied at:
https://download.opensuse.org/repositories/home:/ddiss:/bsc1226031_aa_policy_unpack_changes_tw/standard/

Test feedback appreciated.
(In reply to David Disseldorp from comment #8)
> I've prepared a tumbleweed kernel with
> cd1948c0660b0e8b24a78288651d7e4f1a88c921 applied at:

Just tested - that kernel fixes the bug, and successfully loads the test profile.
(In reply to Christian Boltz from comment #9)
> (In reply to David Disseldorp from comment #8)
> > I've prepared a tumbleweed kernel with
> > cd1948c0660b0e8b24a78288651d7e4f1a88c921 applied at:
>
> Just tested - that kernel fixes the bug, and successfully loads the test
> profile.

Great, I'll merge it once it's queued up for mainline kernel. Flagging needinfo for this.
I can confirm the fix(es) solve the issue. Just perfect!!!