AppArmor

Differences between revisions 39 and 112 (spanning 73 versions) of Process/Merges/TestPlans/AppArmor:
 * Revision 39 as of 2014-09-09 14:31:34 (size 10031, editor jdstrand)
 * Revision 112 as of 2020-08-31 05:59:24 (size 14572, editor alexmurray)
The change summary comes first, followed by the full text of revision 112.

=== Dependents/Clients (revision 39 entries dropped or renamed by revision 112) ===
 * click-apparmor
 * apparmor-easyprof-ubuntu
 * ubuntu-app-launch (uses apparmor kernel interface via upstart)
 * libvirt (listed as libvirt/libvirt-lxc in revision 112)
 * usermetrics (uses libapparmor)
=== autopkgtests (revision 39) ===
(`adt-run` is the older name of the `autopkgtest` runner used in the revision 112 commands.)
 0. Run autopkgtests for important rdepends. Do they all exit with status '0':
  * click-apparmor:
   0. make sure the schroot is up to date (eg, `autopkgtest-trusty-amd64`)
   0. download the new !AppArmor binaries to ../binary
   0. run the tests
    * 14.04: {{{
$ adt-run -B ../binary/*.deb --apt-source click-apparmor --log-file /tmp/adt.out --- adt-virt-schroot autopkgtest-trusty-amd64 || echo "** AUTOPKGTESTS FAILED"
}}}
    * 14.10: {{{
$ adt-run `for i in ../binary/*.deb ; do echo -n "-B $i " ; done` --apt-source click-apparmor --log-file /tmp/adt.out --- adt-virt-schroot autopkgtest-utopic-amd64 || echo "** AUTOPKGTESTS FAILED"
# or, if you also have the new click-apparmor source:
$ adt-run `for i in ../binary/*.deb ; do echo -n "-B $i " ; done` --source ../source/click-apparmor*.dsc --log-file /tmp/adt.out --- adt-virt-schroot autopkgtest-utopic-amd64 || echo "** AUTOPKGTESTS FAILED"
}}}
  * apparmor-easyprof-ubuntu:
   0. make sure the schroot is up to date (eg, `autopkgtest-trusty-amd64`)
   0. download the new !AppArmor binaries to ../binary
   0. run the tests
    * 14.04: {{{
$ adt-run -B ../binary/*.deb --apt-source apparmor-easyprof-ubuntu --log-file /tmp/adt.out --- adt-virt-schroot autopkgtest-trusty-amd64 || echo "** AUTOPKGTESTS FAILED"
}}}
    * 14.10: {{{
$ adt-run `for i in ../binary/*.deb ; do echo -n "-B $i " ; done` --apt-source apparmor-easyprof-ubuntu --log-file /tmp/adt.out --- adt-virt-schroot autopkgtest-utopic-amd64 || echo "** AUTOPKGTESTS FAILED"
# or, if you also have the new apparmor-easyprof-ubuntu source:
$ adt-run `for i in ../binary/*.deb ; do echo -n "-B $i " ; done` --source ../source/apparmor-easyprof-ubuntu*.dsc --log-file /tmp/adt.out --- adt-virt-schroot autopkgtest-utopic-amd64 || echo "** AUTOPKGTESTS FAILED"
}}}
  * '''OPTIONAL''': lxc (requires autopkgtest VM. Note: runs before promotion to -proposed, but there are manual tests below that should be performed before upload)
   0. [[http://packaging.ubuntu.com/html/auto-pkg-test.html#executing-the-test|Create a pristine VM]] for testing
   0. from within the checkout of the lp:auto-package-testing branch:{{{
bin/run-adt-test -P -p ppa:ci-train-ppa-service/landing-NNN lxc
}}}
=== Common tests (revision 39 steps replaced in revision 112) ===
 0. Install image on phone/emulator (x86) and have an up to date Ubuntu Desktop and/or Server VM
 0. Install freshly built packages that are needed for landing and reboot. Eg:
   * devel: `copy_sppa_to_repos --arch=i386,amd64,armhf --include-devel --ppa=ci-train-ppa-service/landing-NNN apparmor`
   * rtm: `copy_sppa_to_repos --include-devel -a amd64,i386,armhf --ppa=ci-train-ppa-service/landing-002 --distribution=ubuntu-rtm -r 14.09 apparmor`
 0. Verify the output of `aa-status`. It should report:
   0. 0 profiles in complain mode (unless apparmor-profiles or some other special package is installed)
   0. 0 processes in complain mode (unless apparmor-profiles or some other special package is installed)
   0. 0 processes are unconfined but have a profile defined (the only exception is /usr/bin/lxc-start on Ubuntu Touch)

=== Touch only (revision 39) ===
 0. Verify Unity8 on Ubuntu Touch works by performing basic Unity8 manual testing:
  * verify networking comes up (has an ip address)
  * browser launches and can navigate pages
  * system settings opens
  * MTP music file to ~/Music (adb push to /home/phablet/Music on emulator)
  * MTP video file to ~/Videos (adb push to /home/phablet/Videos on emulator)
  * music-app can play copied music file on device (verifies mediascanner2 and media-hub. May need to search for it in the scope)
  * Videos scope can play copied video file on device (verifies mediascanner2 and media-hub. May need to search for it in the scope)
 0. Verify apps launch via ubuntu-app-launch on Ubuntu Touch:
  * Ensure that confined apps launch
   * in a terminal, console or adb shell, `tail -f /var/log/syslog | grep DEN`, then
   * launch a confined app (eg, start the weather app). Does it start?
   * are there any !AppArmor denials in /var/log/syslog for the app? (there should be none)
   * Run `sudo aa-status`, is the process for the app running under confinement (in enforce mode)?
  * Ensure that webapps launch
   * in a terminal, console or adb shell, `tail -f /var/log/syslog | grep DEN`, then
   * launch a webapp (eg, start the facebook webapp). Does it start?
   * are there any !AppArmor denials in /var/log/syslog for the webapp? (there should be none)
   * Run `sudo aa-status`, is the process for the webapp running under confinement (in enforce mode)?
  * Ensure that "unconfined" click apps launch (ie, those using the `unconfined` template):
   * in a terminal, console or adb shell, `tail -f /var/log/syslog | grep DEN`, then
   * launch an unconfined click app (eg, start the terminal or file manager (armhf) or music-app on emulator (verify it is still using the unconfined template in /var/lib/apparmor/clicks/*music*.json)). Does it start?
   * are there any !AppArmor denials in /var/log/syslog for the app? (there should be none)
   * Run `sudo aa-status`, is the process for the app running under confinement (in enforce mode)?
 0. Run image tests on Ubuntu Touch (emulator or touch image): {{{
$ bzr branch lp:qa-regression-testing
$ cd qa-regression-testing
$ adb push ./tests /tmp/tests
$ adb shell /tmp/tests/image/privileged/check-apparmor
# new (adb as non-root)
$ adb shell /tmp/tests/image/unprivileged/click-apparmor # emulator may have 1 failure; if so, try again
$ adb shell /tmp/tests/image/unprivileged/apparmor-easyprof-ubuntu
# old (adb as root)
$ adb shell sudo -i -u phablet /tmp/tests/image/unprivileged/click-apparmor
$ adb shell sudo -i -u phablet /tmp/tests/image/unprivileged/apparmor-easyprof-ubuntu
}}}
 0. '''SKIP''' (usermetrics doesn't seem to work any more): Run [[https://wiki.ubuntu.com/Process/Merges/TestPlan/libusermetrics|libusermetrics tests]] on Touch
  * The above page was removed. For now:
   * Press the power button twice to display the infographic
   * Double tap the infographic until you see "# ounces of water consumed today"
   * Install 'Hydrate' from the app store
   * Launch it (search for 'hydrate' in the Application scope)
   * Within Hydrate, tap 'add water'
   * Press the power button twice to display the infographic
   * Double tap the infographic until you see "# ounces of water consumed today" (the count should now be higher)

=== Desktop (some can be run on Server) only (revision 39) ===
 0. Verify Ubuntu Desktop and/or Server works by performing basic login testing - eg, verify networking, verify browser launches, verify apt-get works
 0. Run QRT/scripts/test-apparmor.py on Ubuntu Desktop/Server (not Ubuntu Touch, needs extensive read/write permissions):{{{
$ bzr branch lp:qa-regression-testing
}}}
 0. Run image tests on Ubuntu Desktop/Server:
  * Desktop: {{{
$ bzr branch lp:qa-regression-testing
$ cd qa-regression-testing
$ scp -r ./tests username@vm:/tmp/tests
$ ssh -tt root@vm /tmp/tests/image/privileged/check-apparmor
$ ssh -tt root@vm apt-get install click-apparmor apparmor-easyprof-ubuntu click packagekit-tools ubuntu-app-launch ubuntu-sdk-libs
}}}
  At this point you'll need to log in to Ubuntu Desktop, open a terminal and run (if someone knows how to run this over ssh, please tell :):{{{
$ /tmp/tests/image/unprivileged/click-apparmor
$ /tmp/tests/image/unprivileged/apparmor-easyprof-ubuntu
}}}
 0. Verify [[https://help.ubuntu.com/lts/serverguide/lxc.html|lxc]] container starts with new !AppArmor on Ubuntu Desktop/Server:{{{
~$ sudo apt-get install lxc
# optionally adjust MIRROR in /etc/default/lxc
~$ sudo lxc-create -t ubuntu -n CN
~$ sudo lxc-start -n CN
...
}}}
 When done, shut it down from inside the container with:{{{
$ sudo shutdown -h now
...
 0. Will now halt
~$
}}}
 0. Verify qemu/kvm libvirt VMs start with new !AppArmor on Ubuntu Desktop/Server by using QRT/scripts/test-libvirt.py (note: there are some failures unrelated to apparmor, so do a baseline run before upgrading to compare)
 0. Verify lightdm guest session works correctly (there will be apparmor denials, but this is expected)

Full text of revision 112

Dependents/Clients

  • dbus
  • snapd
  • lxd
  • lxc
  • libvirt/libvirt-lxc
  • docker.io

Test Plan

Common tests

AppArmor

  1. Have an up to date Ubuntu Desktop and/or Server VM
  2. Install freshly built packages that are needed for landing and reboot
    • Eg:
      • devel: copy_sppa_to_repos --arch=i386,amd64 --include-devel --ppa=ubuntu-security-proposed/ppa apparmor

  3. Verify the system comes up and has networking (dhclient profile)
  4. Verify the output of aa-status. It should report:

    1. many profiles loaded (eg, 20 or more)
    2. many profiles in enforce mode (eg, 20 or more)
    3. 0 profiles in complain mode (unless libreoffice-common, apparmor-profiles, or some other special package is installed)
    4. some process should have a profile defined
    5. some process should be in enforce mode (the same number as '4', above)
    6. 0 processes in complain mode (unless libreoffice-common, apparmor-profiles, or some other special package is installed)
    7. 0 processes are unconfined but have a profile defined
  5. Verify cache files have no errors
    • 18.10 and lower:

      $ for i in /etc/apparmor.d/cache /var/cache/apparmor ; do echo "= $i =" ; for j in $i/* ; do echo -n "$j: " ; sudo apparmor_parser -B -r $j && echo pass || echo FAIL ; done ; done | grep FAIL
    • 19.04 and higher:

      $ export AACACHEDIR=$(sudo apparmor_parser --print-cache-dir)
      $ for i in $(sudo ls -1 "$AACACHEDIR") ; do echo -n "$i: " ; sudo apparmor_parser -B -r "$AACACHEDIR/$i" && echo pass || echo FAIL ; done | grep FAIL
  6. Verify the cache is used
    • 18.10 and lower:

      $ sudo rm -rf /etc/apparmor.d/cache/*
      $ sudo /sbin/apparmor_parser --remove /etc/apparmor.d
      $ sudo /sbin/apparmor_parser --write-cache --add /etc/apparmor.d
      $ ls /etc/apparmor.d/cache
      sbin.dhclient                            usr.lib.libreoffice.program.xpdfimport
      usr.bin.evince                           usr.lib.snapd.snap-confine.real
      ...
      $ sudo /sbin/apparmor_parser --remove /etc/apparmor.d
      $ sudo /sbin/apparmor_parser -k --write-cache --add /etc/apparmor.d 2>&1 | grep -i miss # should be no misses
      $
    • 19.04 and higher:

      $ sudo rm -rf /var/cache/apparmor/*
      $ sudo /sbin/apparmor_parser --remove /etc/apparmor.d
      $ sudo /sbin/apparmor_parser --write-cache --add /etc/apparmor.d
      $ sudo ls /var/cache/apparmor/*
      nvidia_modprobe  usr.bin.evince  usr.lib.snapd.snap-confine.real  usr.sbin.cupsd
      sbin.dhclient    usr.bin.man     usr.sbin.cups-browsed            usr.sbin.ippusbxd
      $ sudo /sbin/apparmor_parser --remove /etc/apparmor.d
      $ sudo /sbin/apparmor_parser -k --write-cache --add /etc/apparmor.d 2>&1 | grep -i miss # should be no misses
      $
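Step 4 above lists the aa-status conditions to check by eye. The following bash script, added here as an example and not part of the test plan or of the AppArmor project, parses the summary lines of aa-status output and prints one FAIL line per condition that is not met, so the check can run unattended after every package landing. The profile threshold of 20 and the two constructed aa-status transcripts embedded in it are assumptions made for the example; the only assumption about aa-status itself is the wording of its summary lines.

```bash
#!/bin/bash
# Added example: check aa-status output against the test plan's expectations.
# Assumes the wording of the aa-status summary lines ("N profiles are in
# complain mode." and so on), which has been stable across AppArmor 2.x.

# aa_count STATUS_TEXT PHRASE: print the number that leads the summary line
# containing PHRASE, or 0 if aa-status printed no such line.
aa_count() {
    printf '%s\n' "$1" | awk -v phrase="$2" '
        $0 ~ ("^[0-9]+ " phrase) { print $1; found = 1; exit }
        END { if (!found) print 0 }'
}

# check_aa_status STATUS_TEXT [MIN_PROFILES]: apply the plan's checklist.
# Prints one FAIL line per violated condition; returns non-zero if any failed.
check_aa_status() {
    local status="$1" min="${2:-20}" rc=0
    local loaded enforce complain procs penforce pcomplain punconf
    loaded=$(aa_count "$status" "profiles are loaded")
    enforce=$(aa_count "$status" "profiles are in enforce mode")
    complain=$(aa_count "$status" "profiles are in complain mode")
    procs=$(aa_count "$status" "processes have profiles defined")
    penforce=$(aa_count "$status" "processes are in enforce mode")
    pcomplain=$(aa_count "$status" "processes are in complain mode")
    punconf=$(aa_count "$status" "processes are unconfined but have a profile defined")

    [ "$loaded" -ge "$min" ]     || { echo "FAIL: $loaded profiles loaded (want >= $min)"; rc=1; }
    [ "$enforce" -ge "$min" ]    || { echo "FAIL: $enforce profiles in enforce mode (want >= $min)"; rc=1; }
    [ "$complain" -eq 0 ]        || { echo "FAIL: $complain profiles in complain mode"; rc=1; }
    [ "$procs" -gt 0 ]           || { echo "FAIL: no running process has a profile defined"; rc=1; }
    [ "$penforce" -eq "$procs" ] || { echo "FAIL: $penforce of $procs confined processes are in enforce mode"; rc=1; }
    [ "$pcomplain" -eq 0 ]       || { echo "FAIL: $pcomplain processes in complain mode"; rc=1; }
    # A non-zero count here usually means the process started before its
    # profile was loaded; restart that service and re-check before signing off.
    [ "$punconf" -eq 0 ]         || { echo "FAIL: $punconf processes unconfined but have a profile defined"; rc=1; }
    [ "$rc" -eq 0 ] && echo "PASS: aa-status matches the test plan expectations"
    return "$rc"
}

# Constructed transcripts (not captured from a real system), abridged to the
# summary lines plus a few entries; real output lists every profile and process.
AA_SAMPLE_GOOD='apparmor module is loaded.
28 profiles are loaded.
28 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/snapd/snap-confine
   docker-default
0 profiles are in complain mode.
3 processes have profiles defined.
3 processes are in enforce mode.
   /sbin/dhclient (871)
   /usr/sbin/cupsd (902)
   /usr/sbin/cups-browsed (915)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

AA_SAMPLE_BAD='apparmor module is loaded.
28 profiles are loaded.
26 profiles are in enforce mode.
2 profiles are in complain mode.
   /usr/sbin/cupsd
   /usr/sbin/cups-browsed
3 processes have profiles defined.
2 processes are in enforce mode.
   /sbin/dhclient (871)
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /usr/sbin/cupsd (902)'

# Stand-alone use: "./aa-check.sh --live" checks this machine; with no
# argument it runs the two constructed transcripts through the checker.
if [ "${1:-}" = "--live" ]; then
    check_aa_status "$(sudo aa-status)"
else
    check_aa_status "$AA_SAMPLE_GOOD"
    check_aa_status "$AA_SAMPLE_BAD" || true
fi
```

The function takes the aa-status text as an argument rather than reading stdin so that the same text can be scanned for each summary line; capture it once with `sudo aa-status` and pass it in, as the `--live` branch does.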

Integration

Verify Ubuntu Desktop and/or Server works by performing basic login testing - eg, verify networking, verify browser launches, verify apt-get works

QRT

Run QRT/scripts/test-apparmor.py on Ubuntu Desktop/Server (Note: in the exceptional case when there are temporary new expected failures, be sure to update test-apparmor.py for these to not block kernel team processes):

$ git clone https://git.launchpad.net/qa-regression-testing
$ cd qa-regression-testing
$ ./scripts/make-test-tarball ./scripts/test-apparmor.py
# To run, copy /tmp/qrt-test-apparmor.tar.gz to the target system, then do:
$ tar -zxf qrt-test-apparmor.tar.gz
$ cd ./qrt-test-apparmor
$ sudo ./install-packages test-apparmor.py
$ sudo ./test-apparmor.py -v

lxc

Verify lxc container starts with new AppArmor on Ubuntu Desktop/Server:

~$ sudo apt-get install lxc lxc-templates
~$ sudo lxc-create -t ubuntu -n CN  # or: sudo MIRROR=http://<mirror>/ubuntu lxc-create ...
~$ sudo lxc-start -n CN # later versions (eg 15.04) may not start in a console
...
Ubuntu Trusty Tahr (development branch) CN console

CN login: ubuntu
Password:
...
  • Run a few external commands:

    $ sudo lxc-ls
    CN
    $ sudo lxc-info --name CN
    Name:           CN
    State:          RUNNING
    PID:            24354
    IP:             10.0.3.153
    CPU use:        1.80 seconds
    BlkIO use:      12.18 MiB
    Memory use:     20.58 MiB
    KMem use:       0 bytes
    Link:           vethYD8QMX
     TX bytes:      2.90 KiB
     RX bytes:      6.77 KiB
     Total bytes:   9.67 KiB
    $ sudo lxc-console --name CN
    Connected to tty 1
    Type <Ctrl+a q> to exit the console, <Ctrl+a Ctrl+a> to enter Ctrl+a itself
    
    Ubuntu Utopic Unicorn (development branch) CN tty1
    
    CN login:
    ...
    $ sudo lxc-attach --name CN uptime
     22:29:49 up  1:10,  1 user,  load average: 0.06, 0.31, 0.58

    Verify apparmor profiles are in use:

    $ sudo aa-status | grep ') lxc'
       /usr/sbin/agetty (871) lxc-container-default-cgns
       /usr/lib/systemd/systemd (32182) lxc-container-default-cgns
    ...

    When done, shut it down with (outside the container (tests lxc-start still works to control the container)):

    $ sudo lxc-stop -k -n CN

    Verify apparmor profiles are no longer in use:

    $ sudo aa-status | grep ') lxc'
    $

    And, finally, destroy it:

    $ sudo lxc-destroy -n CN

lxd

  1. Verify lxd container starts with new AppArmor on Ubuntu Desktop/Server:

    • deb (deprecated on 18.10 and higher):

      $ sudo apt-get install lxd
      $ newgrp lxd
    • snap:

      $ sudo apt-get remove --purge lxd lxc
      $ sudo snap install lxd
      $ sudo adduser `id -un` lxd
      $ newgrp lxd
      $ sudo lxd init # use defaults

    Once lxd is installed:

    $ . /etc/profile.d/apps-bin-path.sh # in case /snap/bin is not in your PATH
    $ lxc image list images:
    ...
    |                                 | 0d4bfe75bd0d | yes    | Ubuntu trusty (amd64) (20160321_03:49)    | x86_64  | 75.60MB  | Mar 21, 2016 at 4:19am (UTC)  |
    ...
    
    $ lxc launch ubuntu: ubuntu-64
    ...
    Creating ubuntu-64
    Retrieving image: 100%
    Starting ubuntu-64
    
    $ lxc list
    +-----------+---------+-------------------+------+------------+-----------+
    |   NAME    |  STATE  |       IPV4        | IPV6 |    TYPE    | SNAPSHOTS |
    +-----------+---------+-------------------+------+------------+-----------+
    | ubuntu-64 | RUNNING | 10.0.3.181 (eth0) |      | PERSISTENT | 0         |
    +-----------+---------+-------------------+------+------------+-----------+
    
    $ lxc info ubuntu-64
    Name: ubuntu-64
    Architecture: i686
    Created: 2016/03/22 17:55 UTC
    Status: Running
    Type: persistent
    Profiles: default
    Pid: 2612
    Processes: 8
    Ips:
      eth0: inet    10.0.3.181      vethIKDBKR
      eth0: inet6   fe80::216:3eff:fe88:59b7        vethIKDBKR
      lo:   inet    127.0.0.1
      lo:   inet6   ::1
    
    $ sudo aa-status | grep ') lxd-ubuntu-64'
       /usr/lib/systemd/systemd (14348) lxd-ubuntu-64_</var/snap/lxd/common/lxd>//&:lxd-ubuntu-64_<var-snap-lxd-common-lxd>:unconfined
       /usr/lib/systemd/systemd-journald (14464) lxd-ubuntu-64_</var/snap/lxd/common/lxd>//&:lxd-ubuntu-64_<var-snap-lxd-common-lxd>:unconfined
    
    $ lxc exec ubuntu-64 /bin/bash
    root@ubuntu-64:~# ls
    root@ubuntu-64:~# uptime
     17:58:40 up 3 min,  0 users,  load average: 0.01, 0.06, 0.05
    root@ubuntu-64:~# aa-status # AppArmor stacking works
    apparmor module is loaded.
    15 profiles are loaded.
    15 profiles are in enforce mode.
       /sbin/dhclient
       /usr/bin/lxc-start
    ...
    root@ubuntu-64:~# exit
    
    $ lxc exec ubuntu-64 ps
      PID TTY          TIME CMD
     1552 ?        00:00:00 ps
    
    # pull/push files
    $ lxc file pull ubuntu-64/etc/hostname .
    $ lxc file push hostname ubuntu-64/tmp/hostname
    $ lxc exec ubuntu-64 -- cat /tmp/hostname
    ubuntu-64
    
    $ lxc stop ubuntu-64
    
    $ sudo aa-status | grep ') lxd-ubuntu-64' # profiles unloaded
    $
    
    $ lxc delete ubuntu-64

libvirt

  1. Install libvirt and ensure that the libvirtd group is part of the current session:

    $ sudo apt-get install libvirt-bin # libvirt-daemon-system on 18.04 and later
    $ newgrp libvirtd # the group is called libvirt on 18.04 and later
  2. Follow setup instructions in $QRT/notes_testing/libvirt/README
  3. Verify qemu/kvm libvirt VMs start under confinement (verify with sudo aa-status) with new AppArmor on Ubuntu Desktop/Server by using QRT/scripts/test-libvirt.py (note: there are some failures unrelated to apparmor, so do a baseline run before upgrading to compare)

  4. Verify libvirt-lxc containers start with new AppArmor on Ubuntu Desktop/Server by following SergeHallyn_libvirtlxc

    • IMPORTANT: The instructions linked to above will not work until bug #1445611 is fixed.

docker

Verify that docker.io (1.2 or newer is needed) containers run confined under the docker-default profile with new AppArmor on Ubuntu Desktop/Server:

$ sudo apt-get install docker.io # should not have libvirt or lxc co-installed

$ sudo docker pull ubuntu:bionic
...
6e1bee0f8701: Pull complete 
Digest: sha256:d019bdb3ad5af96fa1541f9465f070394c0daf0ffd692646983f491ce077b70f
Status: Downloaded newer image for ubuntu:bionic

$ sudo docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
ubuntu              bionic              94e814e2efa8        44 hours ago        88.9MB

$ sudo docker run ubuntu:bionic uptime
 20:31:21 up 1 min,  0 users,  load average: 0.09, 0.06, 0.03
...

$ sudo aa-status|grep docker
   docker-default

$ sudo docker run -i -t ubuntu:bionic /bin/sh
# ps
  PID TTY          TIME CMD
    1 ?        00:00:00 sh
    7 ?        00:00:00 ps
  • At this point, an interactive shell is running in the terminal. In another, try a couple of operations:

    $ sudo aa-status|grep docker
       docker-default
       /usr/bin/dash (24201) docker-default
    
    $ sudo docker ps
    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
    3acc3d52bca2        ubuntu:bionic       "/bin/sh"           43 seconds ago      Up 42 seconds                           nostalgic_ramanujan
    
    $ ps -Z 24201
    LABEL                             PID TTY      STAT   TIME COMMAND
    docker-default (enforce)        24201 pts/0    Ss+    0:00 /bin/sh
    
    $ sudo docker inspect 3acc3d52bca2
    [
        {
            "Id": "3acc3d52bca28aa40da695781bb7a1195c3c4d5d821c350e272f4ed9d8582271",
            "Created": "2019-03-13T20:10:33.671935431Z",
            "Path": "/bin/sh",
            "Args": [],
            "State": {
                "Status": "running",
    ...

    In the terminal running 'sh', now exit:

    # exit
    
    $ sudo docker ps
    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
    
    $ sudo aa-status|grep docker
       docker-default

snapd

Verify snapd confinement works:

$ sudo apt-get install snapd
$ sudo snap install hello-world

$ sudo aa-status | grep snap
   /snap/core/6623/usr/lib/snapd/snap-confine
   /snap/core/6623/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   snap-update-ns.core
   snap-update-ns.hello-world
   snap.core.hook.configure
   snap.hello-world.env
   snap.hello-world.evil
   snap.hello-world.hello-world
   snap.hello-world.sh

$ . /etc/profile.d/apps-bin-path.sh # in case /snap/bin is not in your PATH
$ hello-world.evil
Hello Evil World!
This example demonstrates the app confinement
You should see a permission denied error next
/snaps/hello-world.canonical/6.0/bin/evil: 9: /snaps/hello-world.canonical/6.0/bin/evil: cannot create /var/tmp/myevil.txt: Permission denied

$ hello-world.sh
Launching a shell inside the default app confinement. Navigate to your
app-specific directories with:

  $ cd $SNAP
  $ cd $SNAP_DATA
  $ cd $SNAP_USER_DATA

bash-4.3$ cat /etc/fstab
cat: /etc/fstab: Permission denied
bash-4.3$ exit

$ sudo snap install snappy-debug
$ snappy-debug.scanlog --only-snap=hello-world
= AppArmor =
Time: Mar 13 15:17:16
Log: apparmor="DENIED" operation="mknod" profile="snap.hello-world.evil" name="/var/tmp/myevil.txt" pid=28941 comm="evil" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
File: /var/tmp/myevil.txt (write)

= AppArmor =
Time: Mar 13 15:17:42
Log: apparmor="DENIED" operation="open" profile="snap.hello-world.sh" name="/etc/fstab" pid=29215 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /etc/fstab (read)

$ sudo snap remove hello-world

$ sudo ls /var/cache/apparmor/* | grep hello-world # cache files are removed
$
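Both the revision 39 Touch checks (`tail -f /var/log/syslog | grep DEN`, then confirm there are no denials for the app) and the snappy-debug.scanlog output above work from the kernel's `apparmor="DENIED"` audit records. The following bash functions, added here as an example and not part of the test plan, of snappy-debug or of the AppArmor project, pull those records out of syslog or `journalctl -k` text, filter them by profile prefix and count them, so "no denials for the app" becomes a number that can be asserted. The embedded log lines are constructed: the first two re-wrap the records shown in the scanlog output above in syslog framing, and the ALLOWED complain-mode record and the docker-default mount denial were invented for the example.

```bash
#!/bin/bash
# Added example: turn AppArmor audit records into a per-profile denial list.
# Handles the record format the kernel emits (audit type=1400 lines as seen
# in /var/log/syslog, dmesg or journalctl -k): key="value" pairs following
# apparmor="DENIED" (enforce mode) or apparmor="ALLOWED" (complain mode).

# aa_denials [PROFILE_PREFIX]: read log text on stdin and print one
# tab-separated "profile operation name denied_mask" line per DENIED record,
# keeping only profiles that start with PROFILE_PREFIX when one is given.
# ALLOWED records are complain-mode audits, not denials, and are skipped.
aa_denials() {
    awk -v prefix="${1:-}" '
        # field(key): value of key="..." in the current record, or "-" if absent.
        # The leading space keeps "name" from matching inside another key.
        function field(key,    len) {
            len = length(key)
            if (!match($0, " " key "=\"[^\"]*\"")) return "-"
            return substr($0, RSTART + len + 3, RLENGTH - len - 4)
        }
        index($0, "apparmor=\"DENIED\"") {
            p = field("profile")
            if (prefix != "" && index(p, prefix) != 1) next
            print p "\t" field("operation") "\t" field("name") "\t" field("denied_mask")
        }'
}

# aa_denial_count [PROFILE_PREFIX]: number of DENIED records on stdin.
aa_denial_count() {
    aa_denials "$1" | wc -l | tr -d ' '
}

# aa_denial_summary [PROFILE_PREFIX]: the same records de-duplicated with a
# count, most frequent first, which is what to eyeball after a test run.
aa_denial_summary() {
    aa_denials "$1" | sort | uniq -c | sort -rn
}

# Constructed sample (not captured output): the two records from the
# snappy-debug output above in syslog framing, plus an ALLOWED record and a
# docker-default denial invented for this example.
AA_LOG_SAMPLE='Mar 13 15:17:16 host kernel: [ 4012.101121] audit: type=1400 audit(1552490236.601:57): apparmor="DENIED" operation="mknod" profile="snap.hello-world.evil" name="/var/tmp/myevil.txt" pid=28941 comm="evil" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Mar 13 15:17:42 host kernel: [ 4038.204420] audit: type=1400 audit(1552490262.301:58): apparmor="DENIED" operation="open" profile="snap.hello-world.sh" name="/etc/fstab" pid=29215 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 13 15:18:03 host kernel: [ 4059.411309] audit: type=1400 audit(1552490283.110:59): apparmor="ALLOWED" operation="open" profile="snap.hello-world.sh" name="/etc/hostname" pid=29230 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 13 20:10:40 host kernel: [21910.733905] audit: type=1400 audit(1552507840.512:60): apparmor="DENIED" operation="mount" profile="docker-default" name="/" pid=24201 comm="mount" flags="rw, remount"'

# Stand-alone use on a real machine, eg for the hello-world snap:
#   grep 'apparmor=' /var/log/syslog | aa_denial_summary snap.hello-world
#   sudo journalctl -k | aa_denial_count snap.hello-world   # the plan expects 0
printf '%s\n' "$AA_LOG_SAMPLE" | aa_denial_summary
echo "hello-world denials: $(printf '%s\n' "$AA_LOG_SAMPLE" | aa_denial_count snap.hello-world)"
```

Records are matched on the literal `apparmor="DENIED"` string rather than on `DEN`, so complain-mode `ALLOWED` audits, which the Touch checks' `grep DEN` would miss anyway, and unrelated syslog lines containing "DEN" do not inflate the count; the prefix filter matches sub-profiles such as `snap.hello-world.sh//null-...` as well.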

Desktop only

dbus

Run QRT/scripts/test-dbus.py on Ubuntu Desktop:

$ ./scripts/make-test-tarball ./scripts/test-dbus.py
# To run, copy /tmp/qrt-test-dbus.tar.gz to the target system, then log in through a graphical session and do:
$ tar -zxf qrt-test-dbus.tar.gz
$ cd ./qrt-test-dbus
$ sudo ./install-packages test-dbus.py
$ sudo ./test-dbus.py -v

autopkgtests

  1. OPTIONAL: apparmor, dbus, and lxc autopkgtests (requires autopkgtest VM. Note: these run before promotion to -proposed, but the manual tests above should be performed before upload)

    1. Create a pristine VM for testing:

      $ autopkgtest-buildvm-ubuntu-cloud -v
    2. Run the apparmor autopkgtests in the VM (only possible in apparmor-2.11.0-4 and newer):

      $ autopkgtest -BUl /tmp/apparmor-autopkgtest.out ../source/*.dsc ../binary/*.deb -- autopkgtest-virt-qemu /tmp/autopkgtest-bionic-amd64.img || echo "** AUTOPKGTESTS FAILED"
    3. Run the dbus autopkgtests in the VM:

      $ autopkgtest -BUl /tmp/dbus-autopkgtest.out dbus ../binary/*.deb -- autopkgtest-virt-qemu adt-bionic-amd64-cloud.img || echo "** AUTOPKGTESTS FAILED"
    4. Run the lxc autopkgtests after enabling a PPA and updating and dist-upgrading:

      $ autopkgtest -BUl /tmp/lxc-autopkgtest.out ../binary/*.deb lxc -- autopkgtest-virt-qemu adt-bionic-amd64-cloud.img || echo "** AUTOPKGTESTS FAILED"

Process/Merges/TestPlans/AppArmor (last edited 2020-08-31 05:59:24 by alexmurray)