Support /proc/PID/attr/apparmor/exec in addition to /proc/PID/attr/exec #2801
Comments
|
This is kinda enhancement, but probably we should have this in rc94 to rescue Arch Linux users. |
|
PR: #2803 |
|
Feels like this is a kernel regression (or rather, a regression by the Arch Linux maintainers). Why does |
Not a kernel regression, this is a configuration issue on Arch side: archlinux/svntogit-packages@69cb8c2#diff-6503b30d816e211d1909eed3e1eff5f9105fdc48f5735921a59f4906f99415beR9406
Because it prioritize |
|
Sorry, that's what I meant by "regression by the Arch Linux maintainers". But yeah, I already LGTM'd the patch, just seems like the Arch folks should test config changes before releasing them. 🤷 |
|
@cyphar In Arch we do test kernels and configuration adjustments to some degree, our general purpose kernel always goes through the testing repository which requires approvals. However, the side effects of such a change are not trivial to recognize especially as Apparmor is not something we support out of the box and by default in our kernel. It seems the testing audience overlooked implications causing by this or the coverage of our testing group did not have a subset of "custom enabled apparmor as non primary LSM + using docker". |
|
@AkihiroSuda and fwiw, I do backport patches for runc/containerd/docker if I'm made aware of them :) |
|
@anthraxx this issue is much beyond apparmor use with runc or docker. In fact Arch change of appending bpf to lsm list broke the legacy way of enabling major lsm with |
|
@Maryse47 I understood that, but its the legacy interface after all. Arch Linux is a rolling release, at a certain point in time users are expected to adapt to more modern ways to declare this. As I've tried to point out, the implications of this didn't initially arise during the testing phase. Documentation and wiki pages are open to be contributed to, especially if they lack non legacy ways to configure this. I'm gratefully inviting you to contribute to the wiki and extend documentation, but I believe discussing Arch Linux specifics at this level starts to really be off-topic for this thread. |
I would understand if this change brought any benefit for Arch users but you just trade legacy interface to enable some idle code that has zero support from distro side (even wiki has zero documentation about it), not sure if there is a single person who really uses bpf lsm on Arch but then they can enable it themselves just fine. AFAIK the logic behind enabling bpf was - it doesn't hurt - but now it was proved it did hurt some users so the assumptions were clearly wrong.
I don't understand why this matters now while they arised after testing phase with real users. It only shows that testing phase was unfortunately insufficient but it isn't excuse for ignoring the problem.
The problem I see is Arch broke stuff without a reason and puts the burden of fixing it on someone else because our testing didn't uncover the problem. Such attitude doesn't build faith in Arch maintainership and is generally bad for relations with upstream projects. |
|
Okay, this thread isn't the best place for arguments about Arch maintainership. @anthraxx The reason I said it was a configuration bug is that So while you may view this as a bug in userland, that's not historically how backwards-incompatible UAPI changes are treated in Linux. If a kernel change breaks userspace, it's never userspace's fault -- and in my view that includes changes made by downstream kernel maintainers. The fact that an interface is described as legacy in the kernel documentation does not indicate that it's okay for downstream maintainers to break userspace by changing it. Personally I still find it strange that LSMs now have this (new) behaviour where kernel configuration options change parts of the UAPI. My guess is that most LSM developers assume everyone uses libapparmor or libselinux -- which simply isn't the case. (And AppArmor has caused backwards-incompatible changes in the past -- the most notable example being signal mediation, so it's hardly a new issue.) But yeah my comment was a bit flippant -- sorry for how I phrased it. We've fixed the issue now, so let's move on. |
|
(Also it should be noted this interface was only added in Linux 5.8 -- I would argue that "was the only way of doing this operation two kernel releases ago" really doesn't count as a legacy interface!) |
It turns out that since Linux 5.1 there are now per-LSM subdirectories for major LSMs, which users are recommended to use over the "legacy" top-level /proc/$pid/attr/... files[1]: > Process attributes associated with “major” security modules should be > accessed and maintained using the special files in /proc/.../attr. A > security module may maintain a module specific subdirectory there, > named after the module. /proc/.../attr/smack is provided by the Smack > security module and contains all its special files. The files directly > in /proc/.../attr remain as legacy interfaces for modules that provide > subdirectories. AppArmor has had such a directory since Linux 5.8[2], and it turns out that with certain CONFIG_LSM configurations you can end up with AppArmor files not being accessible from the legacy interface. Arch Linux recently added BPF as one of the enabled LSM in their configuration, and this broke runc[3] and LXC. The solution is to first try to use /proc/$pid/attr/apparmor/current and fall back to /proc/$pid/attr/current if the former is not available. [1]: https://www.kernel.org/doc/html/latest/admin-guide/LSM/index.html [2]: Linux 5.8 ; commit 6413f852ce08 ("apparmor: add proc subdir to attrs") [3]: opencontainers/runc#2801 Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
It turns out that since Linux 5.1 there are now per-LSM subdirectories for major LSMs, which users are recommended to use over the "legacy" top-level /proc/$pid/attr/... files[1]: > Process attributes associated with “major” security modules should be > accessed and maintained using the special files in /proc/.../attr. A > security module may maintain a module specific subdirectory there, > named after the module. /proc/.../attr/smack is provided by the Smack > security module and contains all its special files. The files directly > in /proc/.../attr remain as legacy interfaces for modules that provide > subdirectories. AppArmor has had such a directory since Linux 5.8[2], and it turns out that with certain CONFIG_LSM configurations you can end up with AppArmor files not being accessible from the legacy interface. Arch Linux recently added BPF as one of the enabled LSM in their configuration, and this broke runc[3] and LXC. The solution is to first try to use /proc/$pid/attr/apparmor/current and fall back to /proc/$pid/attr/current if the former is not available. [1]: https://www.kernel.org/doc/html/latest/admin-guide/LSM/index.html [2]: Linux 5.8 ; commit 6413f852ce08 ("apparmor: add proc subdir to attrs") [3]: opencontainers/runc#2801 Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
It turns out that since Linux 5.1 there are now per-LSM subdirectories for major LSMs, which users are recommended to use over the "legacy" top-level /proc/$pid/attr/... files[1]: > Process attributes associated with “major” security modules should be > accessed and maintained using the special files in /proc/.../attr. A > security module may maintain a module specific subdirectory there, > named after the module. /proc/.../attr/smack is provided by the Smack > security module and contains all its special files. The files directly > in /proc/.../attr remain as legacy interfaces for modules that provide > subdirectories. AppArmor has had such a directory since Linux 5.8[2], and it turns out that with certain CONFIG_LSM configurations you can end up with AppArmor files not being accessible from the legacy interface. Arch Linux recently added BPF as one of the enabled LSM in their configuration, and this broke runc[3] and LXC. The solution is to first try to use /proc/$pid/attr/apparmor/current and fall back to /proc/$pid/attr/current if the former is not available. [1]: https://www.kernel.org/doc/html/latest/admin-guide/LSM/index.html [2]: Linux 5.8 ; commit 6413f852ce08 ("apparmor: add proc subdir to attrs") [3]: opencontainers/runc#2801 Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Requested in docker/for-linux#1199 (comment)
The text was updated successfully, but these errors were encountered: