Previous working rule "mount options=(rw, rslave) /," fails with apparmor 3.1.4

Bug #2023025 reported by Michael Vogt
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| AppArmor | Fix Released | Undecided | Unassigned | |

Bug Description

We see integration test failures on arch linux related to apparmor, e.g. https://github.com/snapcore/snapd/actions/runs/5186349409/jobs/9347774708?pr=12870

It looks like it's this rule:
```
mount options=(rw, rslave) /,
```

The error is the following:
```
...
2023-06-06T08:59:58.6472304Z error: cannot perform the following tasks:
2023-06-06T08:59:58.6473193Z - Connect network-control-consumer:network-control to core:network-control (cannot setup profiles for snap "network-control-consumer": cannot load apparmor profiles: exit status 1
2023-06-06T08:59:58.6473774Z apparmor_parser output:
2023-06-06T08:59:58.6474032Z Encoding of mount rule failed
2023-06-06T08:59:58.6474551Z ERROR processing policydb rules for profile snap.network-control-consumer.cmd, failed to load
2023-06-06T08:59:58.6474944Z )
...
2023-06-06T08:59:59.5091838Z + apparmor_parser --version
2023-06-06T08:59:59.5093210Z AppArmor parser version 3.1.4
...
```

The profile is here: https://paste.ubuntu.com/p/fQ8bv6VvWG/ - and `apparmor_parser --debug` here https://paste.ubuntu.com/p/dvxX9Xd9yZ/ (but that does not give a failure oddly enough)

This might be related to https://bugs.launchpad.net/apparmor/+bug/1648245

I created https://github.com/snapcore/snapd/pull/12871 to match the new behavior.

Michael Vogt (mvo)
John Johansen (jjohansen) wrote :

3.1.4 contains the mount fixes so it would appear to be a bug in those patches. This may indeed be related to https://bugs.launchpad.net/apparmor/+bug/1648245, though it is distinct in that that bug results in compiling the profile but a failure to match, so let's keep the two bugs separate for now.

I replicated this, and find the failure reported to be throw

```
unsupported mount option value 'abc'
```

which would indicate a memory bug.

John Johansen (jjohansen) wrote :

Fix released upstream in apparmor 3.1.5, 3.0.11, and 2.13.9

Michael Vogt (mvo)
Changed in apparmor:
status: New → Fix Released