On 2018-01-03, Christian Boltz <opensuse@cboltz.de> wrote:
==== apparmor ==== Version update (2.11.1 -> 2.12)
I should probably highlight this change: there are more important changes. Errors during loading of profiles are no longer ignored, which makes these bugs really problematic now, and AppArmor unusable/non-functional with a read-only root filesystem:
bsc#1074429 - AppArmor cannot be started in Kubic
bsc#1069906 - Race: systemd remounts filesystems while apparmor loads profiles
I just installed the latest Kubic in a VM [1] and can confirm the problem - only the "docker-default" profile gets loaded, but not the other profiles in /etc/apparmor.d/. That leads to the question if the "docker-default" gets loaded or reloaded in a different way - any ideas?
Docker loads the profile manually using apparmor_parser. The reason for this is that Docker needs to reload the profile if the system unloads it for some reason (which happens on Ubuntu on certain upgrades).

As a complete aside -- there is also currently an AppArmor design flaw, where unloading a profile (i.e. restarting the "AppArmor service") will make all previously confined processes unconfined -- with no way for an administrator to re-confine them (other than attaching to each process with GDB and executing aa_changehat from the context of the process). Is there a reason that restarting the "apparmor service" does anything at all? We really should not be removing profiles automatically given this fairly glaring security problem.
- disable the "write-cache" option in /etc/apparmor/parser.conf - but let me warn you that this slows down profile loading 5 to 10 times, so this is nothing I want to do for the "normal" distribution. (If there is a build condition to match only Kubic, I'm willing to accept that in the AppArmor package as a hotfix. Technically we just have to disable a patch ;-)
Docker uses apparmor_parser with the write cache disabled, specifically so that it can work on a read-only root with Kubic[1].

[1]: https://github.com/moby/moby/pull/33250

--
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>
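The two points of the thread, loading profiles without the cache on a read-only root and noticing when a profile is missing instead of silently ignoring it, as an added POSIX shell example. This is not code from the thread, from Docker or from the AppArmor project. It assumes the real apparmor_parser flags -K (skip the cache) and -r (replace), the "name (mode)" line format of /sys/kernel/security/apparmor/profiles, and takes the cache directory, the inventory file and the loaded-profile list as parameters so it can be exercised with constructed files; only load_dir actually calls apparmor_parser.

```shell
#!/bin/sh
# Added example (not from the thread, Docker or the AppArmor project).
#  1. parser_flags: "-r" (replace, caching as configured in parser.conf) when
#     the cache directory is writable, "-Kr" (skip cache, replace) when it is
#     not, which is what lets a read-only root still load profiles.
#  2. missing_profiles: compare an inventory of expected profile names with
#     what the kernel reports in /sys/kernel/security/apparmor/profiles
#     ("name (mode)" lines), so a profile that failed to load is noticed.
# Real paths would be /var/cache/apparmor and
# /sys/kernel/security/apparmor/profiles; here they are parameters.

# parser_flags CACHE_DIR -> prints the apparmor_parser flag string to use
parser_flags() {
    cache_dir="$1"
    if [ -d "$cache_dir" ] && [ -w "$cache_dir" ]; then
        printf '%s\n' "-r"
    else
        printf '%s\n' "-Kr"
    fi
}

# missing_profiles EXPECTED_FILE LOADED_FILE
#   EXPECTED_FILE: one profile name per line (your own inventory)
#   LOADED_FILE:   a copy of /sys/kernel/security/apparmor/profiles
# Prints each expected name the kernel does not report, one per line.
# Returns 1 if anything is missing, 0 otherwise.
missing_profiles() {
    expected="$1"
    loaded="$2"
    rc=0
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        # drop the trailing " (enforce)" / " (complain)" before comparing
        if ! sed 's/ ([a-z]*)$//' "$loaded" | grep -qxF -- "$name"; then
            printf '%s\n' "$name"
            rc=1
        fi
    done < "$expected"
    return $rc
}

# load_dir PROFILE_DIR CACHE_DIR
# Loads every profile file in PROFILE_DIR one at a time, with the flags
# chosen by parser_flags, and reports each failure instead of ignoring it.
load_dir() {
    flags=$(parser_flags "$2")
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        apparmor_parser "$flags" "$f" || echo "failed to load: $f" >&2
    done
}
```

A typical use is `load_dir /etc/apparmor.d /var/cache/apparmor` at boot, followed by `missing_profiles inventory.txt /sys/kernel/security/apparmor/profiles` from a health check; the per-file loop trades a little speed for an error message per profile, which matters now that the parser no longer hides load errors.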