Message-ID: <3485ee18-d053-4e33-b17e-97cf9ea6d46a@canonical.com>
Date: Tue, 21 May 2024 09:50:04 +0200
Subject: Re: [PATCH] apparmor: Fix passt abstraction
From: Maxime Bélair
To: Stefano Brivio
Cc: passt-dev@passt.top, Maxime Bélair
References: <20240517115053.53072-1-maxime.belair@canonical.com> <20240517142809.265e69f3@elisabeth>
In-Reply-To: <20240517142809.265e69f3@elisabeth>

On 5/17/24 14:28, Stefano Brivio wrote:
> Hi Maxime,

Hi Stefano,

> > Commit b686afa2 introduced the invalid apparmor rule `mount options=(rw, runbindable) /,` since runbindable mount rules cannot have a source.
> > Therefore running aa-logprof/aa-genprof will trigger errors (see https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2065685)
> >
> > $ sudo aa-logprof
> > ERROR: Operation {'runbindable'} cannot have a source. Source = AARE('/')
>
> Oops, right, I didn't actually drop the source specification there. :(
> Thanks for fixing this.

After investigating this issue, I found that this bug stems from the following restriction not being implemented consistently in aa-* and apparmor_parser.

$ man 2 mount

       If mountflags includes one of MS_SHARED, MS_PRIVATE, MS_SLAVE, or
       MS_UNBINDABLE [...] The source, and filesystemtype [...] arguments
       are ignored.

Therefore, your rule was valid for apparmor_parser, but not for aa-logprof/aa-genprof, as explained in https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2065685. I proposed a fix in https://gitlab.com/apparmor/apparmor/-/merge_requests/1236.

> I wonder why I don't see this on Debian testing with AppArmor 3.0.13
> (same on openSUSE Tumbleweed).
> Is there something in particular I should do to reproduce/check this?

These new mount features have been added recently (https://gitlab.com/apparmor/apparmor/-/merge_requests/1153/diffs#b1394545ea32622b065c679b858c2ffd63f74480_0_116): the bug can only be triggered by apparmor 4.0+.

> > This patch fixes it to the intended behavior.
> >
> > Signed-off-by: Maxime Bélair
> > ---
> >  contrib/apparmor/abstractions/passt | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/contrib/apparmor/abstractions/passt b/contrib/apparmor/abstractions/passt
> > index 61ec32c..d245115 100644
> > --- a/contrib/apparmor/abstractions/passt
> > +++ b/contrib/apparmor/abstractions/passt
> > @@ -26,7 +26,7 @@
> >  capability sys_ptrace,
> >
> >  /					r,	# isolate_prefork(), isolation.c
> > - mount options=(rw, runbindable) /,
> > + mount options=(rw, runbindable) -> /,
> >  mount		""	-> "/",
> >  mount		""	-> "/tmp/",
> >  pivot_root	"/tmp/" -> "/tmp/",
> --
> Stefano
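Review bot: the commit message calls `mount options=(rw, runbindable) /,` an invalid rule, but the discussion above shows apparmor_parser accepts it and only aa-logprof/aa-genprof on apparmor 4.0+ reject it; saying so in the message (with the Launchpad bug link) would explain why the problem does not reproduce on AppArmor 3.0.13. The replacement `mount options=(rw, runbindable) -> /,` also matches the destination-only style of the adjacent `mount "" -> "/",` rules, which is worth a word in the message.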
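A small profile linter that flags the mismatch discussed in this thread, added here as an example and not part of passt or AppArmor: it parses `mount` rules and reports any that pair a propagation option with a source, worded like the aa-logprof error quoted above. Only `runbindable` appears on the page; the other propagation option names are an assumption, and the profile fragment is constructed from the quoted hunk.

```python
import re

# AppArmor option names for the propagation flags in the quoted mount(2) text
# (MS_SHARED, MS_PRIVATE, MS_SLAVE, MS_UNBINDABLE). Only "runbindable" is on
# the page; the other names are an assumption about the parser's option table.
PROPAGATION_OPTS = {"shared", "rshared", "private", "rprivate",
                    "slave", "rslave", "unbindable", "runbindable"}
_OPTIONS = re.compile(r"options\s*(?:=|in)\s*(?:\(([^)]*)\)|(\S+))")
_FSTYPE = re.compile(r"fstype\s*(?:=|in)\s*(?:\([^)]*\)|\S+)")


def parse_mount_rule(text):
    # Returns (options, source, dest) for a "mount ...," rule, else None.
    # Anything before "->" (even "") is a source; so is a lone path with no
    # "->", which is exactly the pre-patch form aa-logprof rejects.
    body = text.split("#", 1)[0].strip()  # drop a trailing comment
    if not body.startswith("mount") or not body.endswith(","):
        return None
    body, options = body[len("mount"):-1].strip(), set()
    if m := _OPTIONS.search(body):
        options = set((m.group(1) or m.group(2) or "").replace(",", " ").split())
        body = body[:m.start()] + body[m.end():]
    body = _FSTYPE.sub("", body).strip()
    if "->" not in body:
        return options, (body.strip('"') if body else None), None
    left, right = (p.strip() for p in body.split("->", 1))
    return options, (left.strip('"') if left else None), right.strip('"')


def lint_profile(text):
    # One message per mount rule pairing a propagation option with a source,
    # worded like the aa-logprof error quoted in the thread.
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        if (rule := parse_mount_rule(raw)) is None:
            continue
        options, source, _ = rule
        bad = sorted(options & PROPAGATION_OPTS)
        if bad and source is not None:
            problems.append(f"line {n}: Operation {bad} cannot have a source. "
                            f"Source = {source!r}")
    return problems


# Constructed fragment of the passt abstraction in its pre-patch form.
BEFORE = """\
  /\t\t\t\t\tr,\t# isolate_prefork(), isolation.c
  mount options=(rw, runbindable) /,
  mount\t\t""\t-> "/",
  pivot_root\t"/tmp/" -> "/tmp/",
"""
AFTER = BEFORE.replace("runbindable) /,", "runbindable) -> /,")  # patched rule
```

Running `lint_profile` over the two fragments shows the pre-patch rule flagged and the patched, destination-only rule accepted.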