touch-packages team mailing list archive

[Bug 1396270] [NEW] AppArmorProfile doesn't launch process under the named profile

 

Public bug reported:

Steps to reproduce

1. grab attached tarball and unpack in /tmp:
tar -zxvf /tmp/test.tar.gz

2. cd /tmp/test

3. Load the apparmor profile:
sudo apparmor_parser -r ./apparmor.profile

4. verify that the 'test-service' profile is loaded via 'sudo aa-status'. E.g.:
$ sudo aa-status
apparmor module is loaded.
6 profiles are loaded.
6 profiles are in enforce mode.
   ...
   test-service
   ...

5. enable the systemd service file:
$ cat ./test.service
[Unit]
Description=test webserver
[Service]
Environment=PYTHONDONTWRITEBYTECODE=1
ExecStart=/tmp/test/bin/webserver
Restart=on-failure
WorkingDirectory=/tmp/test/www
AppArmorProfile=test-service
[Install]
WantedBy=multi-user.target

$ sudo cp ./test.service /etc/systemd/system/

$ sudo systemctl enable test.service

6. start the service
$ sudo systemctl start test.service

$ sudo systemctl --no-pager status test.service
● test.service - test webserver
   Loaded: loaded (/etc/systemd/system/test.service; enabled)
   Active: active (running) since Tue 2014-11-25 17:33:51 UTC; 4min 8s ago
 Main PID: 1246 (webserver)
   CGroup: /system.slice/test.service
           └─1246 /usr/bin/python3 /tmp/test/bin/webserver

Nov 25 17:33:51 localhost.localdomain systemd[1]: Started test webserver.

7. verify that the service is confined (use the Main PID from the last step; you can also use aa-status):
$ ps -Z 1246
LABEL                             PID TTY      STAT   TIME COMMAND
unconfined                       1246 ?        Ss     0:00 /usr/bin/python3 /tmp/test/bin/webserver

Because the service file uses 'AppArmorProfile=test-service' and the
'test-service' profile is already loaded into the kernel, I would expect
/tmp/test/bin/webserver to be running under the 'test-service' label,
not 'unconfined'.


Note: you can manually start the webserver under apparmor using aa-exec. E.g.:
$ sudo aa-exec -p test-service /tmp/test/bin/webserver

** Affects: systemd (Ubuntu)
     Importance: Undecided
         Status: New

** Summary changed:

- AppArmorProfile doesn't launch process under the name profile
+ AppArmorProfile doesn't launch process under the named profile

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1396270


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1396270/+subscriptions
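As an added check (not part of the bug report or of systemd; helper names are hypothetical), a small POSIX shell script that detects exactly the mismatch shown in step 7: it reads the unit's AppArmorProfile= and MainPID from systemctl show and compares them with the label the kernel reports in /proc/PID/attr/current. The label parser and the comparison work offline; only the last function needs a live systemd/AppArmor host.

```shell
#!/bin/sh
# Added check (hypothetical helper names), not part of the bug report or of
# systemd: verify that a unit's main process carries the AppArmor label its
# unit file requests, instead of running "unconfined" as in the report.

# Parse a label as read from /proc/PID/attr/current, e.g.
# "test-service (enforce)", "test-service (complain)" or "unconfined".
# Prints "<profile> <mode>"; an unconfined process gets mode "none".
aa_parse_label() {
    label=$1
    case $label in
        unconfined) echo "unconfined none" ;;
        *" ("*")")
            profile=${label%% (*}
            mode=${label##* (}
            echo "$profile ${mode%)}" ;;
        *) echo "$label unknown" ;;
    esac
}

# Succeed (exit 0) only when the label names the expected profile in
# enforce mode; unconfined, wrong profile and complain mode all fail.
aa_label_confined_as() {
    expected=$1
    set -- $(aa_parse_label "$2")   # word-split into profile and mode
    [ "$1" = "$expected" ] && [ "$2" = "enforce" ]
}

# Compare the AppArmorProfile= setting of a running unit with the label
# of its MainPID (needs systemd and AppArmor on the host). A leading "-"
# in AppArmorProfile= only tells systemd to ignore errors, so strip it.
check_service_confinement() {
    unit=$1
    expected=$(systemctl show -p AppArmorProfile "$unit" | cut -d= -f2-)
    expected=${expected#-}
    pid=$(systemctl show -p MainPID "$unit" | cut -d= -f2-)
    [ -n "$expected" ] || { echo "$unit: no AppArmorProfile= set"; return 2; }
    [ "$pid" -gt 0 ] 2>/dev/null || { echo "$unit: not running"; return 2; }
    label=$(cat "/proc/$pid/attr/current" 2>/dev/null)
    if aa_label_confined_as "$expected" "$label"; then
        echo "$unit: PID $pid confined as '$label'"
    else
        echo "$unit: PID $pid is '$label', expected '$expected (enforce)'"
        return 1
    fi
}

# Usage: sh check-aa.sh test.service   (reports the bug's "unconfined" case)
if [ $# -gt 0 ]; then check_service_confinement "$1"; fi
```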
