
apparmor: load profiles in parallel #28766

Merged (1 commit, Feb 15, 2021)

Conversation

thypon (Member) commented Feb 14, 2021

Just a quick mod for parallelizing apparmor profiles on load.

Cc: @Gottox @ericonr @CameronNemo

@thypon thypon added the enhancement New feature or request label Feb 14, 2021
ericonr (Member) left a comment

How do we encode the dependency on find/xargs?

fi
done
find /etc/apparmor.d -maxdepth 1 -type f ! -name '*.new-*_*' |\
xargs -d"\n" -I{} --max-procs="$(grep -c ^processor /proc/cpuinfo)" \
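Review bot: `grep -c ^processor /proc/cpuinfo` is a fragile way to size `--max-procs`: on a kernel whose /proc/cpuinfo does not print a `processor` line per CPU the count is 0, and GNU xargs treats `--max-procs=0` as "no limit", so every profile would be parsed at once. `nproc` from coreutils, which the later revision of this line uses, gives the CPU count without that failure mode.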
thypon (Member, Author) commented Feb 14, 2021

It's all in findutils (xargs and find), which are installed if you have base-system, base-minimal or base-chroot. No need to specify anything.

done
find /etc/apparmor.d -maxdepth 1 -type f ! -name '*.new-*_*' |\
xargs -d"\n" -I{} --max-procs="$(nproc)" \
sh -c "printf '* Load profile %s: %s\n' '($APPARMOR)' '{}'; apparmor_parser -a $AACOMPLAIN '{}'"
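Review bot: `'{}'` is substituted by `xargs -I{}` into the text that `sh -c` parses, so a profile file name containing a single quote ends the quoted string and the remainder of the name is interpreted as shell syntax. Pass the name as a positional parameter instead (`sh -c 'apparmor_parser -a $AACOMPLAIN "$1"' _ {}`), or drop the `sh` wrapper entirely and hand the file list straight to `apparmor_parser`, which also removes the `printf` this thread later agrees is superfluous.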
Member commented:

Allows command injection. I'm not considering this an attack vector, as the files are root-writable; nevertheless, avoid this.

Member Author commented:

Command injection? You mean shell spawning or in general? I don't see command injection here. I mean, even $APPARMOR, without anything else, in a shell script can be a command injection if you don't control the source.
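The quoting problem the review raises, as an added example that is not code from this PR: the `-I{}` form splices the file name into the text `sh -c` parses, while the positional-parameter form hands it over as data. `apparmor_parser` is stood in for by appending each file name to a log, so the script runs without AppArmor, and the profile directory is constructed on the fly.

```shell
#!/bin/sh
# Added example, not code from the PR: reproduces the quoting defect raised in
# review and shows the positional-argument form that avoids it. apparmor_parser
# is replaced by appending each file name to a log, so no AppArmor is needed.

# Constructed profile directory: two real profiles (one with a single quote in
# its name, which is a legal file name) and one .new- temp file that the find
# filter from the PR is meant to skip.
make_profiles() {
    dir=$(mktemp -d)
    : > "$dir/usr.bin.foo"
    : > "$dir/o'reilly"
    : > "$dir/usr.bin.bar.new-1_1"
    printf '%s\n' "$dir"
}

# Form from the PR: the file name is substituted into the string that sh -c
# parses, so the quote in o'reilly terminates '...' early and that invocation
# dies with a syntax error (xargs then exits 123; the profile is never loaded).
load_unsafe() {   # $1 = profile dir, $2 = log file (path without spaces)
    find "$1" -maxdepth 1 -type f ! -name '*.new-*_*' |
        xargs -d '\n' -I{} --max-procs="$(nproc)" \
            sh -c "printf '%s\n' '{}' >> $2" 2>/dev/null || true
}

# Hardened form: the name arrives in sh as positional parameter $1 and is only
# ever expanded inside double quotes, so it is never parsed as shell text.
load_safe() {     # $1 = profile dir, $2 = log file
    find "$1" -maxdepth 1 -type f ! -name '*.new-*_*' |
        xargs -d '\n' -I{} --max-procs="$(nproc)" \
            sh -c 'printf "%s\n" "$1" >> "$2"' _ {} "$2"
}

# Runs one loader over a fresh directory and prints how many profiles loaded.
count_loaded() {  # $1 = load_unsafe | load_safe
    pdir=$(make_profiles); log=$(mktemp)
    "$1" "$pdir" "$log"
    wc -l < "$log" | tr -d ' '
    rm -rf "$pdir" "$log"
}

count_loaded load_unsafe   # 1: the profile named o'reilly is silently skipped
count_loaded load_safe     # 2
```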

CameronNemo (Contributor) commented

Upstream has optimized code to do this (/usr/lib/apparmor/rc.apparmor.functions parse_profiles()).

Currently we fudge it up with our custom one-by-one loading. Now we are reimplementing?

Can we deprecate the runit "complain" mode and direct users to the aa-complain(8) utility? It would bring us closer to upstream and other distros.

Minimal example of what using the upstream provided code would look like (they make you define log functions):

#!/bin/sh
# Abort early if AppArmor is not available in this kernel or the upstream
# function library is not installed.
set -e

test -d /sys/kernel/security/apparmor

AA_FUNCTIONS=/usr/lib/apparmor/rc.apparmor.functions
test -r "$AA_FUNCTIONS"

# rc.apparmor.functions expects the caller to provide these logging hooks;
# no-op definitions keep the run script quiet.
aa_action() { :; }
aa_log_warning_msg() { :; }
aa_log_failure_msg() { :; }
aa_log_action_start() { :; }
aa_log_action_end() { :; }
aa_log_daemon_msg() { :; }
aa_log_skipped_msg() { :; }
aa_log_end_msg() { :; }

# The upstream functions return non-zero on partial failures, so stop exiting
# on error before sourcing them and report apparmor_restart's status instead.
set +e
. "$AA_FUNCTIONS"
apparmor_restart
exit $?

thypon (Member, Author) commented Feb 14, 2021

I perfectly agree with @CameronNemo on using the upstream version in the long term.
For now I just ported the xargs command from the official script so that we can have parallelism with minimal changes.

Duncaen (Member) commented Feb 14, 2021

apparmor_parser already parses profiles in parallel; just pass everything to it and forget about the printf.

Duncaen (Member) commented Feb 14, 2021

If we patch in our .new- suffix we can just pass the directory and it will be fast and simple.
https://gitlab.com/apparmor/apparmor/-/blob/master/libraries/libapparmor/src/private.c#L65

thypon (Member, Author) commented Feb 14, 2021

The last version removes the superfluous logging.

@thypon thypon force-pushed the apparmor-parallel branch 2 times, most recently from daea413 to 9dd2431 Compare February 14, 2021 23:21
@thypon thypon merged commit 52ce664 into void-linux:master Feb 15, 2021
@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 17, 2021
5 participants