[Bug 1226031] New: apparmor stops working due to "aa-logprof ERROR: Can't parse mount rule mount "" -> "/","
https://bugzilla.suse.com/show_bug.cgi?id=1226031

            Bug ID: 1226031
           Summary: apparmor stops working due to "aa-logprof ERROR: Can't parse mount rule mount "" -> "/","
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: x86-64
                OS: openSUSE Tumbleweed
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: AppArmor
          Assignee: suse-beta@cboltz.de
          Reporter: martin.jedamzik@suse.com
        QA Contact: qa-bugs@suse.de
  Target Milestone: ---
          Found By: ---
           Blocker: ---

I recently noticed that my dovecot server was not accessible anymore. Checking the logs showed:

Jun 06 09:27:27 papa3 dovecot[6023]: auth: Error:
Jun 06 09:27:27 service(auth): Fatal: execv(/usr/lib/dovecot/auth) failed: Permission denied

After some investigation I found the culprit: AppArmor was not working properly:

papa3:/etc/apparmor.d/abstractions # aa-logprof
ERROR: Can't parse mount rule mount "" -> "/",

The root cause is these statements in /etc/apparmor.d/abstractions/[passt|pasta]:

passt:
  mount options=(rw, runbindable) -> /,
  #mount "" -> "/",
  #mount "" -> "/tmp/",
  pivot_root "/tmp/" -> "/tmp/",
  #umount "/",

pasta:
  #mount "" -> "/proc/",

Current version of PASST: passt-20240523.765eb0b-1.1.x86_64

-- 
You are receiving this mail because:
You are on the CC list for the bug.
Martin Jedamzik <martin.jedamzik@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |martin.jedamzik@suse.com
Martin Jedamzik <martin.jedamzik@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|suse-beta@cboltz.de         |containers-bugowner@suse.de
https://bugzilla.suse.com/show_bug.cgi?id=1226031#c1

--- Comment #1 from Martin Jedamzik <martin.jedamzik@suse.com> ---

If the double-quotation marks are removed, like this:

Orig:
  mount options=(rw, runbindable) -> /,
  mount "" -> "/",
  mount "" -> "/tmp/",
  pivot_root "/tmp/" -> "/tmp/",
  umount "/",

Change:
  mount options=(rw, runbindable) -> /,
  mount -> "/",
  mount -> "/tmp/",
  pivot_root "/tmp/" -> "/tmp/",
  umount "/",

aa-logprof does not complain.
Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |suse-beta@cboltz.de
https://bugzilla.suse.com/show_bug.cgi?id=1226031#c2

--- Comment #2 from Christian Boltz <suse-beta@cboltz.de> ---

After some AppArmor upstream discussion, this bug turns out to be two bugs:

- pivot_root "/tmp/" -> "/tmp/", triggers a bug (in apparmor_parser and/or the kernel) which prevents loading the profile.
  Upstream bugreport: https://gitlab.com/apparmor/apparmor/-/issues/400

- the mount rules (even with the quote chars) are accepted by apparmor_parser, which also means they are valid rules.
  This also means aa-logprof is too strict, and needs to be changed so that it accepts these rules as valid.
  No upstream ticket for that yet, I'll either open one or submit a fix myself.
Ricardo Branco <rbranco@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |rbranco@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1226031#c3

--- Comment #3 from Christian Boltz <suse-beta@cboltz.de> ---

I opened https://gitlab.com/apparmor/apparmor/-/merge_requests/1258 for handling mount rules with empty source ("").

While working on it, it turned out that handling quoted paths in mount rules was missing - it's included in the MR.
Felix Niederwanger <felix.niederwanger@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |felix.niederwanger@suse.com
David Disseldorp <ddiss@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ddiss@suse.com
Ulf Volmer <mail@u-v.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mail@u-v.de
https://bugzilla.suse.com/show_bug.cgi?id=1226031#c4

--- Comment #4 from Christian Boltz <suse-beta@cboltz.de> ---

SR 1180048 sent to fix handling the mount rules in aa-logprof.

The ptrace issue (see comment 2) is still open upstream.
https://bugzilla.suse.com/show_bug.cgi?id=1226031#c5

--- Comment #5 from OBSbugzilla Bot <bwiedemann+obsbugzillabot@suse.com> ---

This is an autogenerated message for OBS integration:
This bug (1226031) was mentioned in
https://build.opensuse.org/request/show/1180048 Factory / apparmor
https://bugzilla.suse.com/show_bug.cgi?id=1226031#c6

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|containers-bugowner@suse.de |kernel-bugs@opensuse.org

--- Comment #6 from Christian Boltz <suse-beta@cboltz.de> ---

The ptrace issue (see comment 2) turned out to be a kernel bug, therefore reassigning to the kernel team.

@kernel team: https://gitlab.com/apparmor/apparmor/-/issues/400 says this gets fixed with
https://gitlab.com/georgiag/apparmor-kernel/-/commit/cd1948c0660b0e8b24a7828...

Can you please add that patch to the openSUSE kernel?

If you want to test yourself: a reproducer is in the description of https://gitlab.com/apparmor/apparmor/-/issues/400

I can also do the testing - just tell me where I can find a test kernel ;-)
https://bugzilla.suse.com/show_bug.cgi?id=1226031#c9

--- Comment #9 from Christian Boltz <suse-beta@cboltz.de> ---

(In reply to David Disseldorp from comment #8)
> I've prepared a tumbleweed kernel with cd1948c0660b0e8b24a78288651d7e4f1a88c921 applied at:

Just tested - that kernel fixes the bug, and successfully loads the test profile.
Pavel Dostál <pdostal@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pdostal@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1226031#c12

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?                   |

--- Comment #12 from Christian Boltz <suse-beta@cboltz.de> ---

The patch was upstreamed in the meantime:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
https://bugzilla.suse.com/show_bug.cgi?id=1226031#c13

--- Comment #13 from David Disseldorp <ddiss@suse.com> ---

(In reply to Christian Boltz from comment #12)
> The patch was upstreamed in the meantime:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e0ff0cff1f6cdce0aa596aac04129893201c4162

Thanks for the ping. I've queued this up for our stable/tw kernel branch. Looks like we'll need the same for 15.6.
https://bugzilla.suse.com/show_bug.cgi?id=1226031#c14

--- Comment #14 from OBSbugzilla Bot <bwiedemann+obsbugzillabot@suse.com> ---

This is an autogenerated message for OBS integration:
This bug (1226031) was mentioned in
https://build.opensuse.org/request/show/1191566 Factory / kernel-source
https://bugzilla.suse.com/show_bug.cgi?id=1226031#c15

David Disseldorp <ddiss@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |needinfo?(suse-beta@cboltz.de)

--- Comment #15 from David Disseldorp <ddiss@suse.com> ---

(In reply to David Disseldorp from comment #13)
...
> Thanks for the ping. I've queued this up for our stable/tw kernel branch.

This was merged as https://github.com/openSUSE/kernel-source/commit/58e734c118cfd259476e1adecc9... .

> Looks like we'll need the same for 15.6.

The 15.6 / 6.4-kernel rebase wasn't completely straightforward, due to a lack of
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... ("apparmor: refcount the pdb").

Would someone be able to test the rebase at:
https://build.opensuse.org/package/show/home:ddiss:bsc1226031_aa_policy_unpa...

...or alternatively provide me with a minimal standalone reproducer?
David Disseldorp <ddiss@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |needinfo?(martin.jedamzik@suse.com)
https://bugzilla.suse.com/show_bug.cgi?id=1226031#c18

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?(suse-beta@cboltz.de) |

--- Comment #18 from Christian Boltz <suse-beta@cboltz.de> ---

The reproducer from https://gitlab.com/apparmor/apparmor/-/issues/400 should be minimal enough ;-)

I just tested it on a 15.6 VM, and got (with the official kernel)

# echo '/t {
pivot_root "/tmp/" -> "/tmp/",
}' | apparmor_parser -r
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
apparmor_parser: Unable to replace "/t".  Profile doesn't conform to protocol

so the fix is indeed needed on 15.6.

Unfortunately your test kernel does not fix the bug:

# uname -a
Linux riesling3 6.4.0-150600.1.g6bf1f90-default #1 SMP PREEMPT_DYNAMIC Sun Aug 4 18:19:32 UTC 2024 (6bf1f90) x86_64 x86_64 x86_64 GNU/Linux
# echo '/t {
pivot_root "/tmp/" -> "/tmp/",
}
' | apparmor_parser -r
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
apparmor_parser: Unable to replace "/t".  Profile doesn't conform to protocol

You can ignore the cache warning - that's expected when loading a profile from stdin. The relevant error is "Profile doesn't conform to protocol".

@Martin: note that this bug turned out to actually be two bugs, see comment 2 for details. One half is the kernel issue I tested above, which indeed affects 15.6.

The other half is the aa-logprof userspace tool. Leap 15.6 has an older AppArmor version than Tumbleweed (3.1.x vs 4.0.x), and in that old version, aa-logprof doesn't know much about mount rules except "match 'mount .*,', store it, and write exactly the same text back when saving the profile". OTOH, aa-logprof in 4.0 has a much better understanding of mount rules including detailed syntax checks - and half of this bug is that it was too strict.

(This also means that aa-logprof in Leap 15.6 doesn't need a fix - it doesn't even have enough code for mount rules to have a bug.)
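As an added illustration of the userspace half of this bug (comment 3: empty source `""` and quoted paths in mount rules; comment 18: 4.0's syntax checks being too strict), here is a small mount-rule tokenizer written for this page. It is example code, not the AppArmor utils' own aa-logprof code; its regex grammar is a simplified assumption rather than the real apparmor_parser grammar, and PASST_RULES is constructed from the abstraction quoted in the bug description.

```python
import re
from typing import Optional

# A path operand is a bare path or a double-quoted string. The quoted form
# may be empty (""), which is exactly the source operand that the passt
# abstraction uses in `mount "" -> "/",` and that aa-logprof 4.0 rejected.
# The (?!->) lookahead keeps a bare operand from swallowing the arrow.
_PATH = r'(?:"[^"]*"|(?!->)[^\s,"]+)'
_MOUNT_RE = re.compile(
    r'^\s*(?P<op>mount|umount|remount)'
    r'(?:\s+fstype=\(?(?P<fstype>[^)\s,]+)\)?)?'
    r'(?:\s+options=\((?P<options>[^)]*)\))?'
    r'(?:\s+(?P<source>' + _PATH + r'))?'
    r'(?:\s*->\s*(?P<dest>' + _PATH + r'))?'
    r'\s*,\s*$'
)

def _unquote(tok: Optional[str]) -> Optional[str]:
    """Strip surrounding double quotes; "" yields the empty string."""
    if tok is None:
        return None
    if len(tok) >= 2 and tok[0] == '"' and tok[-1] == '"':
        return tok[1:-1]
    return tok

def parse_mount_rule(rule: str) -> Optional[dict]:
    """Return the rule's fields, or None if the line is not a mount rule.
    A rule commented out with '#' (as in the shipped abstraction) is not a rule."""
    m = _MOUNT_RE.match(rule.split('#', 1)[0])
    if not m:
        return None
    opts = m.group('options')
    return {
        'op': m.group('op'),
        'fstype': m.group('fstype'),
        'options': [o.strip() for o in opts.split(',')] if opts else [],
        'source': _unquote(m.group('source')),  # '' for an empty source
        'dest': _unquote(m.group('dest')),
    }

PASST_RULES = [  # constructed, modelled on the abstraction in this bug
    'mount options=(rw, runbindable) -> /,',
    'mount "" -> "/",',
    'mount "" -> "/tmp/",',
    'umount "/",',
]

def rejected_rules(rules):
    """Rules this tokenizer cannot parse; empty for the passt rules."""
    return [r for r in rules if parse_mount_rule(r) is None]
```

The pivot_root line from the abstraction is deliberately not a mount rule here; that half of the bug is in the kernel, not in rule parsing.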