← Back to team overview

touch-packages team mailing list archive

[Bug 1396270] Re: specifying AppArmorProfile doesn't result in processes launched under the named profile

 

This bug was fixed in the package systemd - 215-6ubuntu2

---------------
systemd (215-6ubuntu2) vivid; urgency=medium

  [ Martin Pitt ]
  * Merge fixes from Debian master.
  * Put user slices into all cgroup controllers. This makes unprivileged user
    LXC containers work under systemd. (LP: #1396270)
  * boot-and-services autopkgtest: Test AppArmor confined units (LP #1396270)

  [ Marc Deslauriers ]
  * Build-depend on libapparmor-dev to enable AppArmor support. (LP: #1396270)

systemd (215-7) UNRELEASED; urgency=medium

  [ Martin Pitt ]
  * Add myself to Uploaders.
  * Add boot-and-services autopkgtest: Check booting with systemd-sysv and
    that the most crucial services behave as expected.
  * logind autopkgtest: Fix stderr output in waiting loop for scsi_debug.
  * Add nspawn test to boot-and-services autopkgtest.
  * Make systemd-nspawn@.service work out of the box: (Closes: #770275)
    - Pre-create /var/lib/container with a secure mode (0700) via tmpfiles.d.
    - Add new try-{guest,host} modes for --link-journal to silently skip
      setting up the guest journal if the host has no persistant journal.
    - Extend boot-and-services autopkgtest to cover systemd-nspawn@.service.
  * Cherry-pick upstream patch to fix SELinux unit access check (regression
    in 215).

  [ Jon Severinsson]
  * Add /run/shm -> /dev/shm symlink in debian/tmpfiles.d/debian.conf. This
    avoids breakage in Jessie for packages which still refer to /run/shm, and
    while https://wiki.debian.org/ReleaseGoals/RunDirectory is still official.
    (LP: #1320534, Closes: #674755).
 -- Martin Pitt <martin.pitt@xxxxxxxxxx>   Thu, 27 Nov 2014 16:38:55 +0100

** Changed in: systemd (Ubuntu)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1396270

Title:
  specifying AppArmorProfile doesn't result in processes launched under
  the named profile

Status in “systemd” package in Ubuntu:
  Fix Released

Bug description:
  Steps to reproduce

  1. grab attached tarball and unpack in /tmp:
  tar -zxvf /tmp/test.tar.gz

  2. cd /tmp/test

  3. Load the apparmor profile:
  sudo apparmor_parser -r ./apparmor.profile

  4. verify you see 'test-service' profile is loaded via 'sudo aa-status'. Eg:
  $ sudo aa-status
  apparmor module is loaded.
  6 profiles are loaded.
  6 profiles are in enforce mode.
     ...
     test-service
     ...

  5. enable the systemd service file:
  $ cat ./test.service
  [Unit]
  Description=test webserver
  [Service]
  Environment=PYTHONDONTWRITEBYTECODE=1
  ExecStart=/tmp/test/bin/webserver
  Restart=on-failure
  WorkingDirectory=/tmp/test/www
  AppArmorProfile=test-service
  [Install]
  WantedBy=multi-user.target

  $ sudo cp ./test.service /etc/systemd/system/

  $ sudo systemctl enable test.service

  6. start the service
  $ sudo systemctl start test.service

  $ sudo systemctl --no-pager status test.service
  ● test.service - test webserver
     Loaded: loaded (/etc/systemd/system/test.service; enabled)
     Active: active (running) since Tue 2014-11-25 17:33:51 UTC; 4min 8s ago
   Main PID: 1246 (webserver)
     CGroup: /system.slice/test.service
             └─1246 /usr/bin/python3 /tmp/test/bin/webserver

  Nov 25 17:33:51 localhost.localdomain systemd[1]: Started test
  webserver.

  7. verify that the service is confined (use Main PID from the last step. You can also use aa-status):
  $ ps -Z 1246
  LABEL                             PID TTY      STAT   TIME COMMAND
  unconfined                       1246 ?        Ss     0:00 /usr/bin/python3 /tmp/test/bin/webserver

  Because the service file uses 'AppArmorProfile=test-service' and the
  'test-service' profile is already loaded into the kernel, I would
  expect /tmp/test/bin/webserver to be running under the 'test-service'
  label, not 'unconfined'.

  
  Note: you can manually start the webserver under apparmor using aa-exec. Eg:
  $ sudo aa-exec -p test-service /tmp/test/bin/webserver

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1396270/+subscriptions


References