[Bug 2037567] Re: mantic kernel 6.5.0.1006 Adds io_uring apparmor feature
John Chittum
2037567 at bugs.launchpad.net
Wed Sep 27 17:03:18 UTC 2023
Did the following to ensure that current features, as listed in the
files, are the same:
1. uploaded livecd-rootfs/live-build/apparmor/generic to test machine
2. ran following snippet
for dirn in ./*; do
    for filename in "${dirn}"/*; do
        if [[ -f "$filename" ]]; then
            diffname=$(realpath "$filename")
            # ${filename:2} drops the leading "./" so the relative path lines up with the sysfs tree
            echo "diffing $diffname to /sys/kernel/security/apparmor/features/${filename:2}"
            diff "$diffname" "/sys/kernel/security/apparmor/features/${filename:2}"
        fi
    done
done
diffing /home/ubuntu/caps/mask to /sys/kernel/security/apparmor/features/caps/mask
diffing /home/ubuntu/dbus/mask to /sys/kernel/security/apparmor/features/dbus/mask
diffing /home/ubuntu/domain/change_hat to /sys/kernel/security/apparmor/features/domain/change_hat
diffing /home/ubuntu/domain/change_hatv to /sys/kernel/security/apparmor/features/domain/change_hatv
diffing /home/ubuntu/domain/change_onexec to /sys/kernel/security/apparmor/features/domain/change_onexec
diffing /home/ubuntu/domain/change_profile to /sys/kernel/security/apparmor/features/domain/change_profile
diffing /home/ubuntu/domain/computed_longest_left to /sys/kernel/security/apparmor/features/domain/computed_longest_left
diffing /home/ubuntu/domain/fix_binfmt_elf_mmap to /sys/kernel/security/apparmor/features/domain/fix_binfmt_elf_mmap
diffing /home/ubuntu/domain/post_nnp_subset to /sys/kernel/security/apparmor/features/domain/post_nnp_subset
diffing /home/ubuntu/domain/stack to /sys/kernel/security/apparmor/features/domain/stack
diffing /home/ubuntu/domain/version to /sys/kernel/security/apparmor/features/domain/version
diffing /home/ubuntu/file/mask to /sys/kernel/security/apparmor/features/file/mask
diffing /home/ubuntu/ipc/posix_mqueue to /sys/kernel/security/apparmor/features/ipc/posix_mqueue
diffing /home/ubuntu/mount/mask to /sys/kernel/security/apparmor/features/mount/mask
diffing /home/ubuntu/namespaces/mask to /sys/kernel/security/apparmor/features/namespaces/mask
diffing /home/ubuntu/namespaces/pivot_root to /sys/kernel/security/apparmor/features/namespaces/pivot_root
diffing /home/ubuntu/namespaces/profile to /sys/kernel/security/apparmor/features/namespaces/profile
diffing /home/ubuntu/network/af_mask to /sys/kernel/security/apparmor/features/network/af_mask
diffing /home/ubuntu/network/af_unix to /sys/kernel/security/apparmor/features/network/af_unix
diffing /home/ubuntu/network_v8/af_mask to /sys/kernel/security/apparmor/features/network_v8/af_mask
diffing /home/ubuntu/policy/outofband to /sys/kernel/security/apparmor/features/policy/outofband
diffing /home/ubuntu/policy/set_load to /sys/kernel/security/apparmor/features/policy/set_load
diffing /home/ubuntu/ptrace/mask to /sys/kernel/security/apparmor/features/ptrace/mask
diffing /home/ubuntu/rlimit/mask to /sys/kernel/security/apparmor/features/rlimit/mask
diffing /home/ubuntu/signal/mask to /sys/kernel/security/apparmor/features/signal/mask
Not perfect, but it does show that nothing, file to file that I matched,
has changed.
From the snap perspective:
snap debug seeding
seeded: true
preseeded: true
image-preseeding: 5.988s
seed-completion: 3.098s
preseed-system-key: {
"apparmor-features": [
"caps",
"dbus",
"domain",
"file",
"ipc",
"mount",
"namespaces",
"network",
"network_v8",
"policy",
"ptrace",
"query",
"rlimit",
"signal"
],
"apparmor-parser-features": [
"cap-audit-read",
"cap-bpf",
"include-if-exists",
"mqueue",
"qipcrtr-socket",
"unsafe",
"userns",
"xdp"
],
"apparmor-parser-mtime": 1695367222,
"build-id": "765f7a61b17d760a5c7e795984d5b56d62914b1f",
"cgroup-version": "2",
"nfs-home": false,
"overlay-root": "",
"seccomp-compiler-version": "f569c1a46417f88bfa02950c1a3abf5eed6a47ec 2.5.4 c3c9b282ef3c8dfcc3124b2aeaef62f56b813bfd21f8806b30a6c9dbc2e6e58d bpf-actlog",
"seccomp-features": [
"allow",
"errno",
"kill_process",
"kill_thread",
"log",
"trace",
"trap",
"user_notif"
],
"version": 10
}
seed-restart-system-key: {
"apparmor-features": [
"caps",
"dbus",
"domain",
"file",
"io_uring",
"ipc",
"mount",
"namespaces",
"network",
"network_v8",
"policy",
"ptrace",
"query",
"rlimit",
"signal"
],
"apparmor-parser-features": [
"cap-audit-read",
"cap-bpf",
"include-if-exists",
"mqueue",
"qipcrtr-socket",
"unsafe",
"userns",
"xdp"
],
"apparmor-parser-mtime": 1695367222,
"build-id": "765f7a61b17d760a5c7e795984d5b56d62914b1f",
"cgroup-version": "2",
"nfs-home": false,
"overlay-root": "",
"seccomp-compiler-version": "f569c1a46417f88bfa02950c1a3abf5eed6a47ec 2.5.4 c3c9b282ef3c8dfcc3124b2aeaef62f56b813bfd21f8806b30a6c9dbc2e6e58d bpf-actlog",
"seccomp-features": [
"allow",
"errno",
"kill_process",
"kill_thread",
"log",
"trace",
"trap",
"user_notif"
],
"version": 10
}
The comparison is apparmor-features between preseed-system-key and
seed-restart-system-key. Shows io_uring as the lone diff.
** Description changed:
starting with kernel package(s) 6.5.0.1006, currently in mantic-proposed,
`io_uring` is added as an apparmor feature. This change results in
preseeded snaps being unoptimized, as the mounted apparmor features in the
chroot do not match the 6.5.0.1006 kernels. On a system running with the
kernel:
cat /sys/kernel/security/apparmor/features/io_uring/mask
sqpoll override_creds
1. ensure that this is correct with kernel and security teams
- 2. ensure that this is the default going forward
+ 2. ~~ensure that this is the default going forward~~ : Create a 6.5 feature directory as it was pointed out by xnox that Mantic has more than 6.5 kernels at this time.
if 1 and 2, then set the default in `livecd-rootfs` for mounted apparmor
features to include io_uring
https://bugs.launchpad.net/bugs/2037567
Title:
mantic kernel 6.5.0.1006 Adds io_uring apparmor feature
Status in livecd-rootfs package in Ubuntu:
New
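The loop in the comment only diffs files that exist on the livecd-rootfs side, so a feature directory present only under the kernel's tree (exactly the io_uring case) is never reported. The following is an added example, not the reporter's snippet or livecd-rootfs code: it walks both trees and reports entries missing from either side as well as content differences. The sample directories it builds are constructed (the io_uring mask value is the one quoted in the report; the caps mask value is made up).

```shell
#!/usr/bin/env bash
# Added example, not the reporter's snippet: compare the apparmor "features"
# tree shipped in livecd-rootfs (live-build/apparmor/generic) against the
# tree the running kernel exposes, in BOTH directions, so a feature that
# exists only in the kernel (as io_uring does on 6.5.0.1006) is reported
# instead of being silently skipped. Real use (needs root for securityfs):
#   compare_features ./generic /sys/kernel/security/apparmor/features

# Print every regular file under $1 as a path relative to $1, sorted.
list_feature_files() {
    ( cd "$1" && find . -type f | sed 's|^\./||' | sort )
}

# compare_features EXPECTED_DIR KERNEL_DIR
# One line per discrepancy:
#   only-in-expected <path>  shipped tree has it, kernel does not
#   only-in-kernel   <path>  kernel has it, shipped tree does not
#   content-differs  <path>  both have it, contents differ
# Returns 0 when the trees match exactly, 1 otherwise.
compare_features() {
    local expected="$1" kernel="$2" status=0 rel
    local listing; listing=$(mktemp)
    list_feature_files "$expected" > "$listing"
    while IFS= read -r rel; do
        if [ ! -e "$kernel/$rel" ]; then
            echo "only-in-expected $rel"; status=1
        elif ! cmp -s "$expected/$rel" "$kernel/$rel"; then
            echo "content-differs  $rel"; status=1
        fi
    done < "$listing"
    list_feature_files "$kernel" > "$listing"
    while IFS= read -r rel; do
        if [ ! -e "$expected/$rel" ]; then
            echo "only-in-kernel   $rel"; status=1
        fi
    done < "$listing"
    rm -f "$listing"
    return "$status"
}

# Constructed sample trees standing in for the two real directories: the
# shipped tree lacks io_uring; the "kernel" tree has it with the mask value
# quoted in the bug report. The caps mask value is made up.
make_sample_trees() {
    local root="$1"
    mkdir -p "$root/shipped/caps" "$root/kernel/caps" "$root/kernel/io_uring"
    printf 'chown dac_override\n' > "$root/shipped/caps/mask"
    printf 'chown dac_override\n' > "$root/kernel/caps/mask"
    printf 'sqpoll override_creds\n' > "$root/kernel/io_uring/mask"
}
```

Running `compare_features` on the constructed trees prints `only-in-kernel   io_uring/mask` and exits 1, which is the signal the original one-directional loop could not produce.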