Mailinglist Archive: opensuse-factory (394 mails)

Re: AppArmor changes (was: [opensuse-factory] New Tumbleweed snapshot 20180101 released!)
  • From: Aleksa Sarai <asarai@xxxxxxx>
  • Date: Thu, 4 Jan 2018 10:17:21 +1100
  • Message-id: <20180103231719.qx27rjl2psqdrxa4@gordon>
On 2018-01-03, Christian Boltz <opensuse@xxxxxxxxx> wrote:
> > ==== apparmor ====
> > Version update (2.11.1 -> 2.12)
>
> I should probably highlight this change:
> There are more important changes: errors during loading of profiles
> are no longer ignored, which makes these bugs now really problematic
> and apparmor unusable/non-functional with a read-only root
> filesystem: bsc#1074429 - AppArmor cannot be started in Kubic
> bsc#1069906 - Race: systemd remounts filesystems while apparmor loads
> profiles

> I just installed the latest Kubic in a VM [1] and can confirm the
> problem - only the "docker-default" profile gets loaded, but not the
> other profiles in /etc/apparmor.d/. That leads to the question if the
> "docker-default" gets loaded or reloaded in a different way - any ideas?

Docker loads the profile manually using apparmor_parser. The reason for
this is that Docker needs to reload the profile if the system unloads it
for some reason (which happens on Ubuntu on certain upgrades).

As a complete aside -- there is also currently an AppArmor design flaw,
where unloading a profile (i.e. restarting the "AppArmor service") will
make all previously confined processes unconfined -- with no way for an
administrator to re-confine them (other than attaching to each process
with GDB and executing aa_changehat from the context of the process).

Is there a reason that restarting the "apparmor service" does anything
at all? We really should not be removing profiles automatically given
this fairly glaring security problem.

> - disable the "write-cache" option in /etc/apparmor/parser.conf - but
> let me warn you that this slows down profile loading 5 to 10 times,
> so this is nothing I want to do for the "normal" distribution.
> (If there is a build condition to match only Kubic, I'm willing to
> accept that in the AppArmor package as a hotfix. Technically we just
> have to disable a patch ;-)

Docker uses apparmor_parser with the write cache disabled, specifically
so that it can work on a read-only root with Kubic [1].

[1]: https://github.com/moby/moby/pull/33250

--
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>
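As an added example (not code from this thread, from Docker or from the AppArmor project), a small POSIX shell helper that makes the partial-load symptom discussed above checkable: it lists the profiles defined under an apparmor.d-style directory that the kernel does not report as loaded, and wraps the cache-skipping apparmor_parser reload that a read-only root needs. All function names, the sample profile tree and the sample kernel profile list are constructed for the demo.

```shell
# Added example, not code from this thread, Docker or AppArmor: lists profiles
# defined under an apparmor.d-style directory that the kernel does not report
# as loaded, i.e. the "only docker-default is loaded" symptom described above.
export LC_ALL=C   # keep sort(1) and comm(1) collation consistent

# Heuristic parse of top-level profile headers ('profile NAME ... {' or
# '/path/to/exe ... {'); indented hats/subprofiles and comments are skipped.
defined_profiles() {
    for f in "$1"/*; do
        [ -f "$f" ] && awk '/^[^[:space:]#}].*[{][[:space:]]*$/ {
            name = ($1 == "profile") ? $2 : $1; print name }' "$f"
    done | sort -u
}

# $1: file in the format of /sys/kernel/security/apparmor/profiles
# ("name (mode)" per line); prints only the names.
loaded_profiles() {
    sed -E 's/ \([^)]*\)$//' "$1" | sort -u
}

# Prints every profile defined in directory $1 but missing from list $2.
missing_profiles() {
    tmp=$(mktemp -d) || return 1
    defined_profiles "$1" > "$tmp/defined"
    loaded_profiles "$2" > "$tmp/loaded"
    comm -23 "$tmp/defined" "$tmp/loaded"
    rm -rf "$tmp"
}

# Hypothetical wrapper (needs root and AppArmor): reload one profile without
# reading or writing the on-disk cache, which is what a read-only root needs.
reload_profile_nocache() {
    apparmor_parser --replace --skip-cache "$1"
}

# Constructed sample: two profile files on disk, but the kernel list shows
# only docker-default loaded. Echoes the directory; the caller removes it.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/apparmor.d"
    printf '#include <tunables/global>\nprofile docker-default flags=(attach_disconnected,mediate_deleted) {\n  network,\n}\n' \
        > "$d/apparmor.d/docker-default"
    printf '/usr/sbin/nscd flags=(complain) {\n  ^child {\n  }\n}\n' \
        > "$d/apparmor.d/usr.sbin.nscd"
    printf 'docker-default (enforce)\nunconfined (unconfined)\n' > "$d/profiles"
    echo "$d"
}

demo=$(make_demo_tree)
missing_profiles "$demo/apparmor.d" "$demo/profiles"   # prints: /usr/sbin/nscd
rm -rf "$demo"
```

On a real host, point `missing_profiles` at /etc/apparmor.d and /sys/kernel/security/apparmor/profiles; an empty result means every top-level profile on disk is loaded.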