Thanks, I took a look at creating a profile for nsjail, but I'm a bit
confused on how to associate it with the app?
Because nsjail is a prebuilt in AOSP's source code, that means it could be
literally anywhere on the user's system, e.g.:
~/android-14.0.0_r1/prebuilts/build-tools/linux-x86/bin/nsjail
~/android-13.0.0_r1/prebuilts/build-tools/linux-x86/bin/nsjail
~/android-12.0.0_r1/prebuilts/build-tools/linux-x86/bin/nsjail
```
profile nsjail /**/prebuilts/build-tools/linux-x86/bin/nsjail
flags=(unconfined) {
}
```
I tested the above and it works, but is there a better way to do this?
Feels dirty and not what apparmor people would want.
--
https://bugs.launchpad.net/bugs/2063976
Title:
Apparmor breaking nsjail in AOSP
Status in apparmor package in Ubuntu:
New
Bug description:
Build sandboxing in AOSP is broken after updating to 24.04 with the
following denials:
```
[  182.439078] audit: type=1400 audit(1714265880.641:449): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=8514 comm="nsjail" requested="userns_create" target="unprivileged_userns"
[  182.439945] audit: type=1400 audit(1714265880.642:450): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=8515 comm="nsjail" capability=6 capname="setgid"
[  182.439972] audit: type=1400 audit(1714265880.642:451): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="unprivileged_userns" name="/" pid=8515 comm="nsjail" flags="rw, rprivate"
```
This seems to come from the following change earlier this year:
https://gitlab.com/apparmor/apparmor/-/commit/789cda2f089b3cd3c8c4ca387f023a36f7f1738a
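For reference, an added example (not from this thread or from AppArmor upstream) of the per-binary profile written out as a complete file in the AppArmor 4.0 style that Ubuntu 24.04 uses for other binaries that need user namespaces. The `@{HOME}/android-*` attachment path is an assumption that narrows the `/**/` glob from the comment above to checkouts like the three paths it lists; the file name `/etc/apparmor.d/nsjail` is also an assumption.

```apparmor
# /etc/apparmor.d/nsjail  (added example; file name is an assumption)
abi <abi/4.0>,
include <tunables/global>

# Attach by path. @{HOME} is defined via tunables/global and matches the
# ~/android-14.0.0_r1/... style checkouts listed in the comment above.
# Widen to /**/prebuilts/build-tools/linux-x86/bin/nsjail only if AOSP trees
# live outside home directories; the wider the glob, the more binaries it
# exempts from the unprivileged userns restriction.
profile nsjail @{HOME}/android-*/prebuilts/build-tools/linux-x86/bin/nsjail flags=(unconfined) {
  # Let this binary create user namespaces without being transitioned to
  # the restrictive unprivileged_userns profile that produced the
  # capable/mount denials in the bug description.
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/nsjail>
}
```

Load it with `sudo apparmor_parser -r /etc/apparmor.d/nsjail` and check `aa-status` lists the profile; `flags=(unconfined)` confines nothing else, it only exempts the matched binary from the userns transition.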