Mailinglist Archive: opensuse-factory (394 mails)

Re: AppArmor changes (was: [opensuse-factory] New Tumbleweed snapshot 20180101 released!)

On Wednesday, 3 January 2018, 14:30:46 CET, Thorsten Kukuk wrote:
> On Wed, Jan 03, Christian Boltz wrote:
>> On Wednesday, 3 January 2018, Dominique Leuenberger wrote:
>>> ==== apparmor ====
>>> Version update (2.11.1 -> 2.12)
>>
>> I should probably highlight this change:
>
> There are more important changes: errors during loading of profiles
> are no longer ignored, which makes these bugs now really problematic
> and apparmor unusable/non-functional with a read-only root
> filesystem: bsc#1074429 - AppArmor cannot be started in Kubic
> bsc#1069906 - Race: systemd remounts filesystems while apparmor loads

I just installed the latest Kubic in a VM [1] and can confirm the
problem - only the "docker-default" profile gets loaded, but not the
other profiles in /etc/apparmor.d/. That leads to the question if the
"docker-default" gets loaded or reloaded in a different way - any ideas?

The most surprising thing is that it "errors out more" than in 2.11.x.
Most 2.12 changes were in the python tools. A review of the 2.12 changes
together with the upstream developers didn't bring up many changes in
apparmor_parser or libapparmor that could cause this change, and the few
commits that are somewhat related to this look harmless.

I'll probably build 2.11.1 packages tomorrow to cross-check if this was
really introduced in 2.12, even if looking at the upstream commits
indicates it's unlikely.

For now, I can offer two workarounds:
- rcapparmor reload while /var/lib/apparmor is writable to build or
update the cache (which also means no more write attempts on boot until
you install a new kernel) - or -
- disable the "write-cache" option in /etc/apparmor/parser.conf - but
let me warn you that this slows down profile loading 5 to 10 times,
so this is nothing I want to do for the "normal" distribution.
(If there is a build condition to match only Kubic, I'm willing to
accept that in the AppArmor package as a hotfix. Technically we just
have to disable a patch ;-)

The long-term fix is to make cache write failures a warning instead of
an error, but to make things more interesting, there are also situations
where this needs to be an error. This is solvable by adding a new config
option (think of -Werror), but needs a bit more work.

Another option might be to pre-compile the profiles during installation.
I know this is possible (AFAIK it was done for Ubuntu Phone), but I'll
have to check the details with upstream. One funny detail is that we hit
this issue too early ;-) - there are plans to support multiple caches
for different kernel versions, but unfortunately, well, _plans_ ;-)


Christian Boltz

[1] my infrastructure test VMs don't feel alone anymore now ;-)
Code like this is the reason for alcoholism running rampant
with Java developers [Kristian Köhntopp onöhntopp/posts/K5DDeDMYr1e ]
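The check below is an added example, not part of the mail above or of the AppArmor project. It detects the combination the mail describes (the "write-cache" option enabled in /etc/apparmor/parser.conf while the cache directory under /var/lib/apparmor is not writable), counts loaded profiles from a listing shaped like /sys/kernel/security/apparmor/profiles, and applies the second workaround by commenting the option out in a copy of the file. The parser.conf layout (one option per line, "#" comments) and the sample file contents are assumptions constructed for the demo; a non-existent directory stands in for the read-only cache path.

```shell
#!/bin/sh
# Added example (not from the mail or the AppArmor project): detect the
# combination described in the mail, "write-cache" enabled in
# /etc/apparmor/parser.conf while the cache directory /var/lib/apparmor is
# not writable (read-only root), and apply the second workaround, commenting
# the option out. All sample file contents below are constructed.

# Succeeds if CONF has an uncommented "write-cache" line (parser.conf lists
# one apparmor_parser option per line; "#" starts a comment).
parser_conf_write_cache_enabled() {
    grep -q '^[[:space:]]*write-cache[[:space:]]*$' "$1"
}

# Succeeds if DIR exists and can be written to. test -w uses access(2),
# which also reports a read-only mount as not writable, even for root.
cache_dir_writable() {
    [ -d "$1" ] && [ -w "$1" ]
}

# Print the number of loaded profiles in a listing shaped like
# /sys/kernel/security/apparmor/profiles ("name (mode)" per line).
count_loaded_profiles() {
    grep -c '([a-z]*)$' "$1" || true
}

# Print RISK when write-cache is on but the cache directory is not writable
# (the case where 2.12 profile loading errors out), otherwise OK.
assess() {
    if parser_conf_write_cache_enabled "$1" && ! cache_dir_writable "$2"; then
        echo RISK
    else
        echo OK
    fi
}

# Workaround 2 from the mail: write a copy of CONF to OUT with the
# write-cache line commented out (slower profile loading, no cache writes).
disable_write_cache() {
    sed 's/^\([[:space:]]*\)\(write-cache[[:space:]]*\)$/\1#\2/' "$1" > "$2"
}

# Stand-alone run on constructed data; "$tmp/missing-cache" stands in for
# an unwritable /var/lib/apparmor.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '## constructed parser.conf' 'write-cache' '#skip-read-cache' > "$tmp/parser.conf"
    printf '%s\n' 'docker-default (enforce)' > "$tmp/profiles"
    echo "loaded profiles:  $(count_loaded_profiles "$tmp/profiles")"
    echo "as shipped:       $(assess "$tmp/parser.conf" "$tmp/missing-cache")"
    disable_write_cache "$tmp/parser.conf" "$tmp/parser.conf.fixed"
    echo "after workaround: $(assess "$tmp/parser.conf.fixed" "$tmp/missing-cache")"
    rm -rf "$tmp"
}

demo
```

On a real system the same functions can be pointed at /etc/apparmor/parser.conf, /var/lib/apparmor and /sys/kernel/security/apparmor/profiles; a profile count of one with only "docker-default" listed is the symptom the mail reports.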
