[Bug 2080358] Re: liblxc-common: AppArmor-Profile for /usr/bin/lxc-copy contains rule for lxc-start

Andreas Hasenack 2080358 at bugs.launchpad.net
Fri Sep 27 17:22:27 UTC 2024


Thanks for the patch. I have some questions and comments below.


a)
The profile file is /etc/apparmor.d/usr.bin.lxc-copy, which contains:

abi <abi/4.0>,
#include <tunables/global>

/usr/bin/lxc-start flags=(attach_disconnected) {
  #include <abstractions/lxc/start-container>
}


There is an obvious name mismatch, but the thing is, the name of the file doesn't matter. An apparmor profile named "/usr/bin/lxc-start" will be created by the above profile, and it will attach to the executable /usr/bin/lxc-start, not to /usr/bin/lxc-copy.

So in reality, /usr/bin/lxc-copy is NOT confined. Can you please
elaborate on what is breaking for you?

Is it a matter of policy? Because there are many other unconfined
profiles there:

$ grep -E "\(unconfined\)" /etc/apparmor.d/lxc-*
/etc/apparmor.d/lxc-attach:profile lxc-attach /usr/bin/lxc-attach flags=(unconfined) {
/etc/apparmor.d/lxc-create:profile lxc-create /usr/bin/lxc-create flags=(unconfined) {
/etc/apparmor.d/lxc-destroy:profile lxc-destroy /usr/bin/lxc-destroy flags=(unconfined) {
/etc/apparmor.d/lxc-execute:profile lxc-execute /usr/bin/lxc-execute flags=(unconfined) {
/etc/apparmor.d/lxc-stop:profile lxc-stop /usr/bin/lxc-stop flags=(unconfined) {
/etc/apparmor.d/lxc-unshare:profile lxc-unshare /usr/bin/lxc-unshare flags=(unconfined) {
/etc/apparmor.d/lxc-usernsexec:profile lxc-usernsexec /usr/bin/lxc-usernsexec flags=(unconfined) {


b) d/changelog
+lxc (1:5.0.3-2ubuntu8) UNRELEASED; urgency=medium

For the version, please follow the version convention from "Update the
packaging" from https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation.
For this case, the version should be 1:5.0.3-2ubuntu7.1

Please replace "UNRELEASED" with "noble".


+
+  * apparmor: lxc-copy: Replace mistyped filename lxc-start by lxc-copy
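Review bot: the changelog entry does not reference the bug it fixes; Ubuntu changelog entries for a bug fix carry the Launchpad reference so the bug is closed on upload, e.g. `(LP: #2080358)` at the end of the entry.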

It's customary to list the files you are changing. In this case, you are
changing a patch file, so I would expect the changelog above to say
something like:

  * d/p/0014-cherry-pick-lxc-copy-apparmor.patch: replace mistyped
filename lxc-start by lxc-copy

(with appropriate word wrapping as needed)

+
+ -- Nicolas Schier <n.schier at avm.de>  Thu, 05 Sep 2024 10:14:51 +0200


c) Bug description
Since this is targeting a stable release of ubuntu (noble), the bug description needs to be in the SRU format: https://canonical-sru-docs.readthedocs-hosted.com/en/latest/reference/bug-template/

The general steps to follow are outlined in https://canonical-sru-docs.readthedocs-hosted.com/en/latest/howto/standard/

I can help and guide you through these. I would suggest starting with
the template, and we can go from there. That is, if you still want to
proceed with this bug fix, depending on the answer to (a) above (which
translates to the "impact" section of the SRU template, and helps us
gauge if this bug is worth fixing or not).

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2080358

Title:
  liblxc-common: AppArmor-Profile for /usr/bin/lxc-copy contains rule
  for lxc-start

Status in lxc package in Ubuntu:
  Fix Released
Status in lxc source package in Noble:
  Incomplete
Status in lxc source package in Oracular:
  Fix Released

Bug description:
  Hi,

  liblxc-common 1:5.0.3-2ubuntu7 provides an AppArmor-Profile for /usr/bin/lxc-copy, but the profile file
  contains the rule for /usr/bin/lxc-start instead of /usr/bin/lxc-copy.  The mistake was introduced in [1], current Debian versions (1:5.0.2-1 and 1:6.0.1-1) are not affected, but Ubuntu 24.04 (noble) is.  This
  wrong profile file prevents running lxc-copy on my company's Ubuntu 24.04 machines.

  Can you please replace the 'lxc-start' by 'lxc-copy' in
  /etc/apparmor/usr.bin.lxc-copy or update to Debian's 1:6.0.1-1 or
  above?

  Thanks and kind regards,
  Nicolas

  [1]: https://salsa.debian.org/lxc-team/lxc/-/merge_requests/19/diffs?commit_id=a2ad01ca2081c4dd925037253b01fff0499af17e#d7b13f871dc297c7aa81e98c974db1a24f1b016d_0_21

  ---
  Description:	Ubuntu 24.04.1 LTS
  Release:	24.04
  liblxc-common:
    Installed: 1:5.0.3-2ubuntu7
    Candidate: 1:5.0.3-2ubuntu7
    Version table:
   *** 1:5.0.3-2ubuntu7 990
          990 http://de.archive.ubuntu.com/ubuntu noble/universe amd64 Packages
          100 /var/lib/dpkg/status

  ProblemType: Bug
  DistroRelease: Ubuntu 24.04
  Package: liblxc-common 1:5.0.3-2ubuntu7
  Uname: Linux 6.10.6 x86_64
  ApportVersion: 2.28.1-0ubuntu3.1
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: sway
  Date: Wed Sep 11 12:37:23 2024
  InstallationDate: Installed on 2024-08-26 (16 days ago)
  InstallationMedia: Ubuntu 22.04.4 LTS "Jammy Jellyfish" - Release amd64 (20240220)
  SourcePackage: lxc
  UpgradeStatus: Upgraded to noble on 2024-09-04 (7 days ago)
  modified.conffile..etc.init.d.apport: [modified]
  mtime.conffile..etc.init.d.apport: 2024-07-22T16:59:07

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/2080358/+subscriptions
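The point made in (a), that an AppArmor profile attaches to the executable named in its header and not to the one implied by the file name, can be checked mechanically. The following script is an added example and not part of the bug report or the lxc package: it parses a profile file's header, reports the attachment path and whether the profile is unconfined, and flags files whose header path does not match the usual /etc/apparmor.d naming convention (dots in the file name standing for slashes, which is only a convention and misfires for paths that themselves contain dots). The sample profile text is the one quoted in this mail.

```python
import os
import re

# Matches a top-level profile header in either of the two forms seen above:
#   /usr/bin/lxc-start flags=(attach_disconnected) {
#   profile lxc-attach /usr/bin/lxc-attach flags=(unconfined) {
HEADER_RE = re.compile(
    r'^\s*(?:profile\s+(?P<name>\S+)\s+)?(?P<attach>/\S+)'
    r'(?:\s+flags=\((?P<flags>[^)]*)\))?\s*\{\s*$'
)

def parse_profile(text):
    """Return (profile name, attachment path, flags list) for the first
    profile header in the file, or None if no header is found."""
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            name = m.group('name') or m.group('attach')
            flags = [f for f in re.split(r'[,\s]+', m.group('flags') or '') if f]
            return name, m.group('attach'), flags
    return None

def expected_path_from_filename(fname):
    """Naming convention under /etc/apparmor.d: usr.bin.lxc-copy -> /usr/bin/lxc-copy.
    Heuristic only; a binary whose name contains a dot breaks it."""
    return '/' + fname.replace('.', '/')

def check(fname, text):
    """Summarise what a profile file really does, independent of its file name."""
    parsed = parse_profile(text)
    if parsed is None:
        return {'file': fname, 'error': 'no profile header found'}
    name, attach, flags = parsed
    return {
        'file': fname,
        'profile': name,
        'attaches_to': attach,
        'unconfined': 'unconfined' in flags,
        'name_matches': attach == expected_path_from_filename(fname),
    }

# Constructed sample: the contents of /etc/apparmor.d/usr.bin.lxc-copy quoted in (a).
SAMPLE_LXC_COPY = """abi <abi/4.0>,
#include <tunables/global>

/usr/bin/lxc-start flags=(attach_disconnected) {
  #include <abstractions/lxc/start-container>
}
"""

if __name__ == '__main__':
    print(check('usr.bin.lxc-copy', SAMPLE_LXC_COPY))
    for fname in sorted(os.listdir('/etc/apparmor.d')):  # real scan, if run as root-readable
        path = os.path.join('/etc/apparmor.d', fname)
        if os.path.isfile(path):
            with open(path, errors='replace') as fh:
                print(check(fname, fh.read()))
```

For the quoted file the output shows `attaches_to` as `/usr/bin/lxc-start` and `name_matches` as False, which is exactly why lxc-copy ends up unconfined.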