Public bug reported: [ Impact ]
The parser did not handle the norelatime mount flag correctly, essentially treating its addition to a list of mount flags as a no-op. A test should also be included to ensure that the behavior is fixed and not broken again. [ Test Plan ] This bug is caught by an addition to AppArmor's regression test suite, which is also invoked via its QRT test suite. * To prepare the QRT test suite (can be done on any machine): - `git clone https://git.launchpad.net/qa-regression-testing` - `./scripts/make-test-tarball ./scripts/test-apparmor.py` * To run the QRT test suite: - Copy the tarball onto the machine with the new AppArmor installed and extract it - `sudo ./install-packages test-apparmor.py` - `sudo ./test-apparmor.py -v` [ Where problems could occur ] This parser fix changes the behavior of mount rules that explicitly specify the norelatime flag. In particular, a custom profile containing `mount options in (norelatime)` will have different, more permissive behavior than before (reducing regression risk as compared to tightening behavior). However, this flag is not used in any of the commonly used profiles (including the ones in our repo and the profile fragments used by snapd), so this will not change the behavior of existing packaged profiles being used. [ Other Info ] This bug was originally reported at https://gitlab.com/apparmor/apparmor/-/merge_requests/1679. ** Affects: apparmor (Ubuntu) Importance: Undecided Status: New ** Description changed: [ Impact ] The parser did not handle the norelatime mount flag correctly, essentially treating its addition to a list of mount flags as a no-op. A test should also be included to ensure that the behavior is fixed and not broken again. [ Test Plan ] This bug is caught by an addition to AppArmor's regression test suite, which is also invoked via its QRT test suite. - * To prepare the QRT test suite (can be done on any machine): - - `git clone https://git.launchpad.net/qa-regression-testing` - - `./scripts/make-test-tarball ./scripts/test-apparmor.py` - * To run the QRT test suite: - - Copy the tarball onto the machine with the new AppArmor installed and extract it - - `sudo ./install-packages test-apparmor.py` - - `sudo ./test-apparmor.py -v` + * To prepare the QRT test suite (can be done on any machine): + - `git clone https://git.launchpad.net/qa-regression-testing` + - `./scripts/make-test-tarball ./scripts/test-apparmor.py` + * To run the QRT test suite: + - Copy the tarball onto the machine with the new AppArmor installed and extract it + - `sudo ./install-packages test-apparmor.py` + - `sudo ./test-apparmor.py -v` [ Where problems could occur ] This parser fix changes the behavior of mount rules that explicitly specify the norelatime flag. In particular, a custom profile containing `mount options in (norelatime)` will have different, more permissive behavior than before (reducing regression risk as compared to tightening behavior). However, this flag is not used in any of the commonly used profiles (including the ones in our repo and the profile fragments used by snapd), so this will not change the behavior of existing packaged profiles being used. [ Other Info ] + + This bug was originally reported at + https://gitlab.com/apparmor/apparmor/-/merge_requests/1679. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/2110688 Title: apparmor parser incorrectly treats norelatime mount flag as a no-op Status in apparmor package in Ubuntu: New Bug description: [ Impact ] The parser did not handle the norelatime mount flag correctly, essentially treating its addition to a list of mount flags as a no-op. A test should also be included to ensure that the behavior is fixed and not broken again. [ Test Plan ] This bug is caught by an addition to AppArmor's regression test suite, which is also invoked via its QRT test suite. * To prepare the QRT test suite (can be done on any machine): - `git clone https://git.launchpad.net/qa-regression-testing` - `./scripts/make-test-tarball ./scripts/test-apparmor.py` * To run the QRT test suite: - Copy the tarball onto the machine with the new AppArmor installed and extract it - `sudo ./install-packages test-apparmor.py` - `sudo ./test-apparmor.py -v` [ Where problems could occur ] This parser fix changes the behavior of mount rules that explicitly specify the norelatime flag. In particular, a custom profile containing `mount options in (norelatime)` will have different, more permissive behavior than before (reducing regression risk as compared to tightening behavior). However, this flag is not used in any of the commonly used profiles (including the ones in our repo and the profile fragments used by snapd), so this will not change the behavior of existing packaged profiles being used. [ Other Info ] This bug was originally reported at https://gitlab.com/apparmor/apparmor/-/merge_requests/1679. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2110688/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
