
pkg/apparmor: bump to v4.1.3 #5601

Merged: rene merged 2 commits into lf-edge:master from christoph-zededa:update_apparmor on Feb 14, 2026

Conversation

christoph-zededa (Contributor) commented Feb 9, 2026

Description

pkg/apparmor: bump to v4.1.3

to make it compilable under newer Alpine versions

How to test and validate this PR

Check that the apparmor profiles still work correctly; these are:

usr.bin.ptpm  usr.bin.swtpm  usr.bin.tpm2  usr.bin.vector  usr.bin.vtpm  usr.sbin.guacd

Changelog notes

Update apparmor

PR Backports

For all current LTS branches, please state explicitly if this PR should be
backported or not. This section is used by our scripts to track the backports,
so, please, do not omit it.

Here is the list of current LTS branches (it should be always up to date):

  • 16.0-stable: no, not a bug
  • 14.5-stable: no, not a bug
  • 13.4-stable: no, not a bug

Also, to the PRs that should be backported into any stable branch, please
add a label stable.

Checklist

  • I've provided a proper description
  • I've added the proper documentation
  • I've tested my PR on amd64 device
  • I've tested my PR on arm64 device
  • I've written the test verification instructions
  • I've set the proper labels to this PR

And the last but not least:

  • I've checked the boxes above, or I've provided a good reason why I didn't
    check them.

Please, check the boxes above after submitting the PR in interactive mode.

codecov bot commented Feb 9, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 29.49%. Comparing base (2281599) to head (13da290).
⚠️ Report is 275 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #5601      +/-   ##
==========================================
+ Coverage   19.52%   29.49%   +9.96%     
==========================================
  Files          19       18       -1     
  Lines        3021     2417     -604     
==========================================
+ Hits          590      713     +123     
+ Misses       2310     1552     -758     
- Partials      121      152      +31     


christoph-zededa (Contributor, Author) commented

ERROR: size of /opt/actions-runner/_work/eve/eve/dist/amd64/0.0.0-pr5601-a29df1de/installer/rootfs-generic.img is greater than 290MB (bigger than allocated partition)

christoph-zededa (Contributor, Author) commented

ERROR: size of /opt/actions-runner/_work/eve/eve/dist/amd64/0.0.0-pr5601-a29df1de/installer/rootfs-generic.img is greater than 290MB (bigger than allocated partition)

I added https://github.com/lf-edge/eve/pull/5601/changes#diff-8fdd327382821356ed0d73e6d8f18b1108494cf89e730be895ab046404502cf3R21

and at least for the uncompressed apparmor_parser it reduces it from 12.4 MB (master) to 6.5 MB (this PR).

christoph-zededa (Contributor, Author) commented

  Error: fatal: unable to access 'https://github.com/lf-edge/eve/': The requested URL returned error: 503

/rerun red

rene (Contributor) commented Feb 9, 2026

@christoph-zededa I suppose this version is fully compatible with the old one, right?
@shjala , any thoughts?

shjala (Member) commented Feb 9, 2026

@christoph-zededa I suppose this version is fully compatible with the old one, right? @shjala , any thoughts?

I hope so, let me check...

eriknordmark (Contributor) left a review comment

Running tests (in parallel with @shjala checking the compatibility)

shjala (Member) commented Feb 10, 2026

It seems that the 4.x version introduced incompatible changes compared to 3.x: there are ABI changes, variable redefinitions, etc.

If you are jumping to 4.x, you should also update the stuff in the pkg/apparmor/etc/apparmor.d and make sure the existing profiles are being parsed without any error/warnings when using ABI version 4 and tunables, and are enforced completely.

shjala (Member) commented Feb 10, 2026

In addition, there are some features that are only available on kernel 6.8+, I doubt we are using any of those features (specifically for network related policies), but one particular thing is switching from SHA1 to SHA256 for policy hashing which might cause issues? I'm not sure.

Our kernel on all platforms except amd64 is < 6.8. So I think moving to 4.x needs comprehensive testing.

rene (Contributor) left a review comment

As per @shjala's comments, let's collect more evidence that this bump will work out of the box (or make the necessary changes).

to make it compilable under newer Alpine versions

Signed-off-by: Christoph Ostarek <christoph@zededa.com>
christoph-zededa (Contributor, Author) commented

make sure the existing profiles are being parsed without any error/warnings

I added a test to check that the profiles are being parsed correctly
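
The check shjala asked for above (profiles parse with no errors or warnings under the 4.x parser, and still compile for an older kernel's feature set) can be scripted as a dry run that never loads policy into the kernel. This is an added example, not the test from the PR; it assumes the profiles live in pkg/apparmor/etc/apparmor.d and that the apparmor_parser options -Q, -K, --warn=all and --features-file exist in 4.1 (confirm with `apparmor_parser --help`).

```shell
#!/bin/sh
# Added example, not part of the PR: dry-compile the EVE AppArmor profiles with
# the 4.x apparmor_parser, every warning class enabled, without loading them
# into the kernel. Assumptions: profiles sit under pkg/apparmor/etc/apparmor.d;
# FEATURES_FILE, if set, is a features file captured on the oldest target kernel
# (e.g. with `aa-features-abi -x -w FILE`) so the policy-downgrade path is hit.
PROFILE_DIR="${PROFILE_DIR:-pkg/apparmor/etc/apparmor.d}"
FEATURES_FILE="${FEATURES_FILE:-}"
# The profiles the PR description asks reviewers to re-check.
EVE_PROFILES="usr.bin.ptpm usr.bin.swtpm usr.bin.tpm2 usr.bin.vector usr.bin.vtpm usr.sbin.guacd"

# Pure text check on captured parser output: succeeds when any line carries a
# parser warning or error, so it can be tested offline on constructed samples.
parser_output_has_problem() {
    printf '%s\n' "$1" | grep -Eiq '(^|[[:space:]])(warning|error)([[:space:]]|:)'
}

# Dry-compile one profile. Returns 0 ok, 1 warnings/errors, 2 file missing,
# 3 apparmor_parser not installed. -Q skips the kernel load, -K the cache,
# --warn=all enables every warning class (rule-downgraded, abi, deprecated...).
check_profile() {
    prof="$PROFILE_DIR/$1"
    [ -f "$prof" ] || { echo "MISSING  $prof"; return 2; }
    command -v apparmor_parser >/dev/null 2>&1 || { echo "SKIP     $prof (no apparmor_parser)"; return 3; }
    set -- -Q -K --warn=all
    if [ -n "$FEATURES_FILE" ]; then set -- "$@" --features-file="$FEATURES_FILE"; fi
    rc=0
    out=$(apparmor_parser "$@" "$prof" 2>&1) || rc=$?
    if [ "$rc" -ne 0 ] || parser_output_has_problem "$out"; then
        echo "PROBLEM  $prof (exit $rc)"
        printf '%s\n' "$out" | sed 's/^/    /'
        return 1
    fi
    echo "OK       $prof"
}

# Check every listed profile; succeeds only if all compiled without warnings.
check_all_profiles() {
    set -- $EVE_PROFILES; total=$#; failed=0
    for p in "$@"; do
        check_profile "$p" || failed=$((failed + 1))
    done
    echo "$failed of $total profile(s) did not pass"
    [ "$failed" -eq 0 ]
}

# Usage: sh check_profiles.sh run   (optionally with FEATURES_FILE exported)
case "${1:-}" in run) check_all_profiles ;; esac
```

Run it once against the build host's own kernel and once with FEATURES_FILE pointing at a capture from the oldest non-amd64 kernel EVE ships, so the "policy can be downgraded" behaviour is actually exercised rather than assumed.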

christoph-zededa (Contributor, Author) commented

It seems that 4.x version introduced incompatible changes compared to 3.x, there are ABI changes, variable redefinition, etc.

@shjala Where do you see the incompatible changes? I can only find the following in the document: "newer AppArmor 4 style policy which introduces several new features that are not backwards compatible".

Contents of "pkg/apparmor/etc" are copied from the AppArmor
official repository located at https://gitlab.com/apparmor/apparmor.

Signed-off-by: Christoph Ostarek <christoph@zededa.com>
christoph-zededa (Contributor, Author) commented

If you are jumping to 4.x, you should also update the stuff in the pkg/apparmor/etc/apparmor.d

I added it here: 13da290

shjala (Member) commented Feb 10, 2026

@shjala Where do you see the incompatible changes? I can only find the following in the document: "newer AppArmor 4 style policy which introduces several new features that are not backwards compatible".

Surely we are not using any ABI 4.0 features, but what if we start using them? See the Feature Matrix. I also don't know if these affect us in the current state or not (just by including some newer tunables on older kernels, for example).

shjala (Member) commented Feb 10, 2026

OK, the page says "policy can be downgraded to work on kernels that do not support." if this happens on the fly, we might have no problem on older kernels.

rene (Contributor) left a review comment

Let's kick off tests, but I'll wait for a final approval from @shjala

christoph-zededa (Contributor, Author) commented

Surely we are not using any ABI 4.0 features, but if we start using? see Feature Matrix , I also don't know if these affect us in the current state or not (just by including some newer tunables on older kernels for example).

I understand https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0-alpha4#feature-matrix as that these 4.x features of apparmor do not work with apparmor 3.x.

I also found https://apparmor.net/news/release-4.0.2/ and it seems that kernel > 2.6.15 is good for apparmor 4.x.

shjala (Member) left a review comment

LGTM

@rene rene merged commit 79c7504 into lf-edge:master Feb 14, 2026
50 of 51 checks passed