=== chris14_ is now known as chris14
=== crazybyte22 is now known as crazybyte2
=== ahasenack_ is now known as ahasenack
ahasenack | hi #security, georgiag if you are around | 19:38 |
ahasenack | I'm on patch pilot, and reviewing a patch | 19:38 |
ahasenack | it's one of those apparmor profiles that is generated by an application, and loaded into the kernel, without a source text file in /etc/apparmor.d | 19:39 |
ahasenack | this is the patch: https://github.com/containers/common/commit/1aedc12e356cfd29a5bb54d94e9b2e09da3649ca | 19:39 |
-ubottu:#ubuntu-security- Commit 1aedc12 in containers/common "Update apparmor profile to support v4.0.0" | 19:39 |
ahasenack | that template is used by podman when creating a container on-the-fly | 19:39 |
ahasenack | my problem is not that the fix does not work, it does | 19:40 |
ahasenack | BUT | 19:40 |
ahasenack | the package doesn't do any profile reloading after it's upgraded | 19:40 |
ahasenack | so even if I update podman with the fix, and even start new profiles, they won't load the fresh profile, they will use the one that is already loaded, and wrong | 19:40 |
ahasenack | so I guess my question is, how can I sort this? Can I unload a specific profile, without having its "source" on disk? And even that is not optimal, as it will affect every container that is still running | 19:41 |
ahasenack | and I can't just attach the new one after, because it doesn't exist on disk | 19:41 |
ahasenack | context is https://bugs.launchpad.net/ubuntu/+source/libpod/+bug/2040483 | 19:45 |
-ubottu:#ubuntu-security- Launchpad bug 2040483 in libpod (Ubuntu Noble) "AppArmor denies crun sending signals to containers (stop, kill)" [Undecided, Confirmed] | 19:45 |
ahasenack | aa-disable <name> doesn't work: https://pastebin.ubuntu.com/p/HQMtDjtBY2/ | 19:47 |
sdeziel | ahasenack: `echo -n "/usr/bin/evince" > /sys/kernel/security/apparmor/.remove` worked for me | 19:52 |
georgiag | you can unload a profile by echo -n profilename > /sys/kernel/security/apparmor/.remove | 19:52 |
ahasenack | let me try | 19:52 |
ahasenack | ok, that worked, and of course made all running containers unconfined | 19:53 |
ahasenack | but then at least I can stop them | 19:53 |
ahasenack | this sounds like something upstream should work on | 19:54 |
georgiag | yeah, it does. there should be an option to reload the profile. all containers use the same profile? | 19:56 |
georgiag | do all containers use the same profile?* | 19:56 |
ahasenack | yes, it's the same, it's not as dynamic as in the libvirt case, with a uuid | 19:57 |
ahasenack | and per vm | 19:57 |
ahasenack | [Fri Jun 14 19:38:11 2024] audit: type=1400 audit(1718393892.183:141): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.57.4" pid=2309 comm="3" requested_mask="receive" denied_mask="receive" signal=quit peer="crun" | 19:57 |
ahasenack | it's that containers-default-0.57.4 | 19:57 |
ahasenack | hm, that version, where does it come from | 19:57 |
ahasenack | the podman package is 4.9.4+ds1-1 | 19:57 |
ahasenack | src:golang-github-containers-common which is where the profile definition is in, is version 0.57.4+ds1-2ubuntu1 | 19:58 |
ahasenack | aha | 19:58 |
georgiag | that's unfortunate, I didn't look deeper into it but I thought that was the point of having "profile {{.Name}}" | 19:58 |
ahasenack | so perhaps to trigger the new profile, that version needs to change | 19:58 |
ahasenack | thing is, we wouldn't change 0.57.4, in our case it's the ubuntuN suffix | 19:58 |