touch-packages team mailing list archive
Message #82117
[Bug 1460152] Re: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable -> 15.04/edge updates)
I looked into this some more, as I was confused why this works on the
distro. It turns out that dh_apparmor re-generates the cache at install time.
I would really prefer it if apparmor could handle this differently; I
attach an (ugly) proof-of-concept patch with what I have in mind. My idea
is to sync the mtime of the cache and the profile to ensure it is always
re-generated when they are out of sync. Ideally this would be part of the
apparmor cache header, I think.
** Patch added: "proof of concept patch for apparmor parser"
https://bugs.launchpad.net/snappy/+bug/1460152/+attachment/4409034/+files/lp1460152-apparmor.diff
** Also affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
** Description changed:
The apparmor cache gets confused easily on upgrade.
Here is what happens:
- boot stable, /etc/apparmor.d/cache/usr.bin.ubuntu-core-launcher has the mtime of now because we generate the cache on boot
- upgrade to edge, /etc/apparmor.d/usr.bin.ubuntu-core-launcher is updated and has the mtime of T (yesterday) when the file was put into the package
- on the next reboot the apparmor_parser compares the mtime of the cache/usr.bin.ubuntu-core-launcher (very very recent) with the mtime of the source usr.bin.ubuntu-core-launcher (much older)
-> the cache is *not* re-generated
Possible solution:
- clear cache on upgrade
- - make apparmor_parser use mtime of the source file used to generate the cache
+ - make apparmor_parser store mtime of the source file in the header
+ - make apparmor_parser set the cache file to the mtime of the source file used to generate the cache and re-generate if those get out-of-sync
Original description:
----------------------
Rick Spencer ran into the situation that he ended up with a snappy image that gave the following error:
"""
apparmor="DENIED" operation="mkdir" profile="/usr/bin/ubuntu-core-launcher" name="/tmp/snap.0_pastebinit.mvo_em33Zz/" pid=1092 comm="ubuntu-core-lau" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
"""
Running:
$ sudo apparmor_parser --skip-cache -r /etc/apparmor.d/usr.bin.ubuntu-core-launcher
fixes it.
This strongly indicates that the cache has the old content and did not
get re-generated on upgrade or image build.
I also managed to reproduce this via:
15.04/stable->15.04/edge
The image is here:
https://drive.google.com/open?id=0B1sb5ymdUGiLa0tUR0pGV3lzR1k&authuser=0
--
https://bugs.launchpad.net/bugs/1460152
Title:
apparmor cache not updated when apparmor.d rules change (breaks
15.04/stable -> 15.04/edge updates)
Status in Snappy Ubuntu:
In Progress
Status in Snappy 15.04 series:
In Progress
Status in apparmor package in Ubuntu:
New
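The stale-cache timeline from the description and the mtime sync proposed in the comment, as an added example that is neither the attached patch nor apparmor's own code: it replays the upgrade sequence in a temporary directory with constructed timestamps and compares the "cache newer than profile" check with an equal-mtime check built on `touch -r`.

```shell
#!/bin/sh
# Added example, not code from the apparmor project or from the bug's patch:
# reproduce the stale-cache sequence from the bug in a temp directory and
# compare the "cache newer than profile" test with the mtime-sync test the
# comment proposes. Paths and timestamps below are constructed for the demo.

# Check as described in the bug: the cache is reused whenever it is newer
# than the profile it was built from. Prints "valid" or "stale".
newer_than_check() {
    profile=$1; cache=$2
    if [ -f "$cache" ] && [ "$cache" -nt "$profile" ]; then echo valid; else echo stale; fi
}

# Proposed check: reuse the cache only when its mtime equals the profile's
# (neither newer nor older), so a profile replaced by an upgrade with an
# older packaged mtime still forces a rebuild.
synced_check() {
    profile=$1; cache=$2
    if [ -f "$cache" ] && [ ! "$cache" -nt "$profile" ] && [ ! "$cache" -ot "$profile" ]; then
        echo valid
    else
        echo stale
    fi
}

# Build the cache and stamp it with the profile's mtime (touch -r), which is
# what keeps the two in sync under the proposed scheme.
build_cache_synced() {
    profile=$1; cache=$2
    mkdir -p "$(dirname "$cache")"
    cp "$profile" "$cache"
    touch -r "$profile" "$cache"
}

# Replay the bug's timeline: profile shipped "yesterday" (constructed date),
# cache built now at boot, then an upgrade installs a new profile whose
# packaged mtime is older still. Prints "<newer_than result> <synced result>".
replay_upgrade() {
    dir=$(mktemp -d)
    profile="$dir/usr.bin.ubuntu-core-launcher"
    cache="$dir/cache/usr.bin.ubuntu-core-launcher"
    printf 'profile v1\n' > "$profile"; touch -t 201505280000 "$profile"
    mkdir -p "$dir/cache"; cp "$profile" "$cache"          # boot: cache mtime is now
    printf 'profile v2\n' > "$profile"; touch -t 201505270000 "$profile"  # upgrade
    printf '%s %s\n' "$(newer_than_check "$profile" "$cache")" "$(synced_check "$profile" "$cache")"
    rm -rf "$dir"
}
```

`replay_upgrade` prints `valid stale`: the newer-than test keeps the outdated cache, while the equal-mtime test correctly demands a rebuild.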