Hey Christian! Thanks a lot for your fast reaction on this report!

> In other words: this looks like normal and expected behaviour to me. You'll need to add a rule

OK, that makes sense.

> Note that abstractions/base allows signal (receive) peer=unconfined, - and "unconfined" does not match your profile name.

But if we have this specific rule just for the unconfined label, why don't we have an analogous rule for profiles with flags=(unconfined)? Because this "unconfined" profile flag was presented as a drop-in replacement for the old unconfined label. Isn't it?

The problem with your proposal of adding an extra rule in a profile is that it's painful for existing software to step from the old "unconfined" label to a new "flags=(unconfined)" profile, because this will require revisiting and modifying many existing and stable AppArmor profiles. Which is not acceptable.

https://bugs.launchpad.net/bugs/2077413

Title:
  apparmor unconfined profile blocks signal sending

Status in AppArmor:
  New
Status in apparmor package in Ubuntu:
  New

Bug description:
  Dear friends,

  if I'm not missing anything it looks like we have one more bug with unconfined AppArmor profiles.

  Reproducer description.
  ====================

  1. Create 4 files with the following content:

  # cat apparmor_signal_test_wrap.sh
  #!/bin/sh
  # print our own confinement label, start the confined child, then signal it
  cat /proc/self/attr/apparmor/current
  ./apparmor_signal_test.sh
  kill -9 $(cat test.pid)

  # cat apparmor_signal_test.sh
  #!/bin/sh
  # print our own confinement label and leave a background process to be killed
  cat /proc/self/attr/apparmor/current
  sleep 1000 &
  echo $! > test.pid

  # cat /etc/apparmor.d/home.ubuntu.apparmor_signal_test_wrap
  #include <tunables/global>

  "/home/ubuntu/apparmor_signal_test_wrap.sh" flags=(unconfined) {
    #include <abstractions/base>

    capability,
    dbus,
    file,
    network,
  }

  # cat /etc/apparmor.d/home.ubuntu.apparmor_signal_test
  #include <tunables/global>

  "/home/ubuntu/apparmor_signal_test.sh" {
    #include <abstractions/base>

    capability,
    dbus,
    file,
    network,
  }

  2. Load AppArmor profiles:

  apparmor_parser -r /etc/apparmor.d/home.ubuntu.apparmor_signal_test
  apparmor_parser -r /etc/apparmor.d/home.ubuntu.apparmor_signal_test_wrap

  3. Run the program:

  # ./apparmor_signal_test_wrap.sh
  /home/ubuntu/apparmor_signal_test_wrap.sh (unconfined)
  /home/ubuntu/apparmor_signal_test.sh (enforce)
  ./apparmor_signal_test_wrap.sh: 7: kill: Permission denied

  4. Check dmesg:

  [ 4043.092218] audit: type=1400 audit(1724153768.037:191): apparmor="DENIED" operation="signal" class="signal" profile="/home/ubuntu/apparmor_signal_test.sh" pid=10561 comm="apparmor_signal" requested_mask="receive" denied_mask="receive" signal=kill peer="/home/ubuntu/apparmor_signal_test_wrap.sh"

  Expected behavior: ./apparmor_signal_test_wrap.sh should exit without any errors.
  ====================

  This bug affects LXD when we enable a new unconfined mode (in the lxd-support snapd interface).

  Originally, this problem was reported as a comment in another LP bug for AppArmor:
  https://bugs.launchpad.net/apparmor/+bug/2067900/comments/2
  but it looks like the problem is deeper in this case.

  We had to revert:
  https://github.com/canonical/lxd-pkg-snap/pull/489
  because of this and a few other issues.

  System info:

  # cat /etc/os-release
  PRETTY_NAME="Ubuntu 24.04 LTS"
  NAME="Ubuntu"
  VERSION_ID="24.04"
  VERSION="24.04 LTS (Noble Numbat)"

  # uname -a
  Linux ubuntu 6.8.0-40-generic #40-Ubuntu SMP PREEMPT_DYNAMIC Fri Jul 5 10:34:03 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

  # apt info apparmor
  Package: apparmor
  Version: 4.0.1really4.0.0-beta3-0ubuntu0.1

  # apparmor_parser -V
  AppArmor parser version 4.0.0~beta3
  Copyright (C) 1999-2008 Novell Inc.
  Copyright 2009-2018 Canonical Ltd.
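The dmesg denial above, and the rule Christian's reply says the confined profile needs, as an added example (not part of the report, of LXD, or of AppArmor's own tooling): a small POSIX sh helper that reads an apparmor="DENIED" signal audit line and prints the rule to add to the denied profile, treating the unconfined label (already covered by abstractions/base) differently from a peer whose profile carries flags=(unconfined) and is therefore still matched by its profile name. The second sample line and the set= narrowing to the one denied signal are assumptions I added, not something the thread specifies.

```shell
#!/bin/sh
# Added example for this report (not AppArmor's tooling, not the reporter's
# scripts): turn an apparmor="DENIED" class="signal" audit line into the rule
# the *denied* profile needs. A peer under a flags=(unconfined) profile is
# still named by that profile, so it is not covered by the abstractions/base
# rule 'signal (receive) peer=unconfined,'.

# Audit line taken from the bug report's dmesg output.
DENIAL_FROM_REPORT='[ 4043.092218] audit: type=1400 audit(1724153768.037:191): apparmor="DENIED" operation="signal" class="signal" profile="/home/ubuntu/apparmor_signal_test.sh" pid=10561 comm="apparmor_signal" requested_mask="receive" denied_mask="receive" signal=kill peer="/home/ubuntu/apparmor_signal_test_wrap.sh"'
# Constructed variant (assumption): the same denial, but from the old unconfined label.
DENIAL_FROM_UNCONFINED='audit: type=1400 audit(1724153768.037:192): apparmor="DENIED" operation="signal" class="signal" profile="/home/ubuntu/apparmor_signal_test.sh" pid=10561 comm="apparmor_signal" requested_mask="receive" denied_mask="receive" signal=kill peer="unconfined"'

# audit_field LINE KEY: print the value of KEY=value or KEY="value" from LINE.
audit_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# suggest_signal_rule LINE: print the rule to add to the denied profile.
# Exit status: 0 when a rule is printed, 1 if LINE is not a signal denial,
# 2 if the peer is the unconfined label (abstractions/base already covers it).
suggest_signal_rule() {
    [ "$(audit_field "$1" apparmor)" = "DENIED" ] || return 1
    [ "$(audit_field "$1" class)" = "signal" ] || return 1
    profile=$(audit_field "$1" profile)
    peer=$(audit_field "$1" peer)
    mask=$(audit_field "$1" denied_mask)
    sig=$(audit_field "$1" signal)
    if [ "$peer" = "unconfined" ]; then
        echo "# $profile: abstractions/base grants 'signal (receive) peer=unconfined,'; check that the profile includes it"
        return 2
    fi
    # Name the peer profile explicitly; set= (an addition of this example)
    # limits the grant to the one signal that was actually denied.
    printf 'signal (%s) set=(%s) peer="%s",\n' "$mask" "$sig" "$peer"
}

# Usage: suggest_signal_rule "$line" for each line of: dmesg | grep 'apparmor="DENIED"'
[ "$#" -eq 0 ] || suggest_signal_rule "$1"
```

For the report's denial this prints `signal (receive) set=(kill) peer="/home/ubuntu/apparmor_signal_test_wrap.sh",`, which belongs in the /home/ubuntu/apparmor_signal_test.sh profile, not in the wrapper's.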