=== chris14_ is now known as chris14
=== crazybyte22 is now known as crazybyte2
=== ahasenack_ is now known as ahasenack
[19:38] <ahasenack> hi #security, georgiag if you are around
[19:38] <ahasenack> I'm on patch pilot, and reviewing a patch
[19:39] <ahasenack> it's one of those apparmor profiles that is generated by an application, and loaded into the kernel, without a source text file in /etc/apparmor.d
[19:39] <ahasenack> this is the patch: https://github.com/containers/common/commit/1aedc12e356cfd29a5bb54d94e9b2e09da3649ca
[19:39] -ubottu:#ubuntu-security- Commit 1aedc12 in containers/common "Update apparmor profile to support v4.0.0"
[19:39] <ahasenack> that template is used by podman when creating a container on-the-fly
[19:40] <ahasenack> my problem is not that the fix does not work, it does
[19:40] <ahasenack> BUT
[19:40] <ahasenack> the package doesn't do any profile reloading after it's upgraded
[19:40] <ahasenack> so even if I update podman with the fix, and even start new profiles, they won't load the fresh profile, they will use the one that is already loaded, and wrong
[19:41] <ahasenack> so I guess my guestion is, how can I sort this? Can I unload a specific profile, without having its "source" on disk? And even that is not optimal, as it will affect every container that is still running
[19:41] <ahasenack> and I can't just attach the new one after, because it doesn't exist on disk
[19:45] <ahasenack> context is https://bugs.launchpad.net/ubuntu/+source/libpod/+bug/2040483
[19:45] -ubottu:#ubuntu-security- Launchpad bug 2040483 in libpod (Ubuntu Noble) "AppArmor denies crun sending signals to containers (stop, kill)" [Undecided, Confirmed]
[19:47] <ahasenack> aa-disable <name> doesn't work: https://pastebin.ubuntu.com/p/HQMtDjtBY2/
[19:52] <sdeziel> ahasenack: `echo -n "/usr/bin/evince" > /sys/kernel/security/apparmor/.remove` worked for me
[19:52] <georgiag> you can unload a profile by echo -n profilename > /sys/kernel/security/apparmor/.remove
[19:52] <ahasenack> let me try
[19:53] <ahasenack> ok, that worked, and of course made all running containers unconfined
[19:53] <ahasenack> but then at least I can stop them
[19:54] <ahasenack> this sounds like something upstream should work on
[19:56] <georgiag> yeah, it does. there should be an option to reload the profile. all containers use the same profile?
[19:56] <georgiag> do all containers use the same profile?*
[19:57] <ahasenack> yes, it's the same, it's not as dynamic as in the libvirt case, with an uuid
[19:57] <ahasenack> and per vm
[19:57] <ahasenack> [Fri Jun 14 19:38:11 2024] audit: type=1400 audit(1718393892.183:141): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.57.4" pid=2309 comm="3" requested_mask="receive" denied_mask="receive" signal=quit peer="crun"
[19:57] <ahasenack> it's that containers-default-0.57.4
[19:57] <ahasenack> hm, that version, where does it come from
[19:57] <ahasenack> the podman package is 4.9.4+ds1-1
[19:58] <ahasenack> src:golang-github-containers-common which is where the profile definition is in, is version 0.57.4+ds1-2ubuntu1
[19:58] <ahasenack> aha
[19:58] <georgiag> that's unfortunate, I didn't look deeper into it but I thought that was the point of having "profile {{.Name}}"
[19:58] <ahasenack> so perhaps to trigger the new profile, that version needs to change
[19:58] <ahasenack> thing is, we wouldn't change 0.57.4, in our case it's the ubuntuN suffix