apparmor features overrides for specific kernels never restored
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
livecd-rootfs (Ubuntu) | New | Undecided | Unassigned |
Jammy | Fix Released | Undecided | Unassigned |
Bug Description
Recent changes (commit bd1690bd16c70f9631, bug is https:/
But CPC builds do use derivative images. In that case, it's
e.g. possible that an image has kernel 5.19 installed (which would
trigger the modification of apparmor features on the filesystem) and a
derivative image (e.g. the realtime kernel image) does then install a
5.15 kernel. In that case the modifications from the 5.19 kernel would
still be visible in /sys/kernel/
preseeding optimizations fail.
That's visible by calling "snap debug seeding":
# uname -a
Linux ip-172-31-28-91 5.15.0-
# diff -u <(snap debug seeding|yq -P '.preseed-
--- /dev/fd/63 2023-06-22 07:55:00.603927264 +0000
+++ /dev/fd/62 2023-06-22 07:55:00.604927242 +0000
@@ -3,7 +3,6 @@
- dbus
- domain
- file
- - ipc
- mount
- namespaces
- network
[Impact]
For some images (e.g. the realtime kernel images) the preseed optimizations do not work. That affects boot speed.
[Test Plan]
* Build images with the fix and boot the image
* make sure the output is:
# snap debug seeding
seeded: true
preseeded: true
image-preseeding: 13.682s
seed-completion: 4.684s
[Where problems could occur]
Snap seed may not be validated correctly and fail CPC automation test, which will block image publication
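The check behind the `snap debug seeding` diff quoted in the description and the `preseeded: true` expectation in the test plan is a comparison of two AppArmor feature sets: the one recorded while preseeding the image and the one the booted kernel exposes under /sys/kernel/security/apparmor/features. The script below is an added example, not code from this bug report, from livecd-rootfs or from snapd. It builds two scratch directories whose entries mimic that features directory (the feature names are constructed for the example and the only difference, `ipc`, is chosen to match the diff in the description) and reports whether they agree, which is the condition under which the preseeded state stays usable.

```shell
#!/bin/sh
# Added example, not code from the bug report, livecd-rootfs or snapd.
# It reproduces the comparison behind "snap debug seeding": the AppArmor
# feature set recorded at preseed time must equal the one the booted kernel
# exposes, otherwise snapd discards the preseeded state and seeds again.
# The feature names used below are constructed; a real kernel exposes more.

# make_features_dir NAME...: create a scratch directory whose top-level
# entries mimic /sys/kernel/security/apparmor/features; prints its path.
make_features_dir() {
    dir=$(mktemp -d)
    for name in "$@"; do
        mkdir -p "$dir/$name"
    done
    echo "$dir"
}

# list_features DIR: top-level feature names, one per line, sorted
# (comm below requires sorted input).
list_features() {
    ls -1 "$1" | sort
}

# features_match DIR_A DIR_B: return 0 when both directories expose the same
# feature names. Otherwise print each differing name, "-name" for entries
# only in DIR_A and "+name" for entries only in DIR_B, and return 1.
features_match() {
    list_a=$(mktemp)
    list_b=$(mktemp)
    list_features "$1" >"$list_a"
    list_features "$2" >"$list_b"
    only_a=$(comm -23 "$list_a" "$list_b")
    only_b=$(comm -13 "$list_a" "$list_b")
    rm -f "$list_a" "$list_b"
    if [ -z "$only_a" ] && [ -z "$only_b" ]; then
        return 0
    fi
    for name in $only_a; do printf -- '-%s\n' "$name"; done
    for name in $only_b; do printf -- '+%s\n' "$name"; done
    return 1
}

# Constructed scenario from the report: the listing captured while the 5.19
# feature overrides were still in place (with "ipc") versus the listing of
# the kernel that actually boots the derivative image (without "ipc").
preseed_dir=$(make_features_dir caps dbus domain file ipc mount namespaces network)
runtime_dir=$(make_features_dir caps dbus domain file mount namespaces network)

if features_match "$preseed_dir" "$runtime_dir"; then
    echo "apparmor features match: preseeded state is usable"
else
    echo "apparmor features differ: snapd drops the preseeded state and seeds from scratch"
fi
rm -rf "$preseed_dir" "$runtime_dir"
```

On a real system the two inputs would be the `apparmor-features` lists from the preseed and seed-restart system keys shown by `snap debug seeding`; any entry printed with a `-` or `+` prefix is the reason `preseeded` ends up false.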
Related branches
Branch 1 reviews:
- Utkarsh Gupta: Approve
- Thomas Bechtold (community): Approve
Diff: 39 lines (+22/-0), 1 file modified: live-build/functions (+22/-0)
Branch 2 reviews:
- Utkarsh Gupta: Approve
- Thomas Bechtold (community): Approve
- John Chittum (community): Approve
- Ubuntu Sponsors: Pending requested
Diff: 248 lines (+43/-1), 32 files modified:
- live-build/apparmor/5.19/capability (+1/-0)
- live-build/apparmor/5.19/caps/mask (+1/-0)
- live-build/apparmor/5.19/dbus/mask (+1/-0)
- live-build/apparmor/5.19/domain/attach_conditions/xattr (+1/-0)
- live-build/apparmor/5.19/domain/change_hat (+1/-0)
- live-build/apparmor/5.19/domain/change_hatv (+1/-0)
- live-build/apparmor/5.19/domain/change_onexec (+1/-0)
- live-build/apparmor/5.19/domain/change_profile (+1/-0)
- live-build/apparmor/5.19/domain/computed_longest_left (+1/-0)
- live-build/apparmor/5.19/domain/fix_binfmt_elf_mmap (+1/-0)
- live-build/apparmor/5.19/domain/post_nnp_subset (+1/-0)
- live-build/apparmor/5.19/domain/stack (+1/-0)
- live-build/apparmor/5.19/domain/version (+1/-0)
- live-build/apparmor/5.19/file/mask (+1/-0)
- live-build/apparmor/5.19/mount/mask (+1/-0)
- live-build/apparmor/5.19/namespaces/pivot_root (+1/-0)
- live-build/apparmor/5.19/namespaces/profile (+1/-0)
- live-build/apparmor/5.19/network/af_mask (+1/-0)
- live-build/apparmor/5.19/network/af_unix (+1/-0)
- live-build/apparmor/5.19/network_v8/af_mask (+1/-0)
- live-build/apparmor/5.19/policy/set_load (+1/-0)
- live-build/apparmor/5.19/policy/versions/v5 (+1/-0)
- live-build/apparmor/5.19/policy/versions/v6 (+1/-0)
- live-build/apparmor/5.19/policy/versions/v7 (+1/-0)
- live-build/apparmor/5.19/policy/versions/v8 (+1/-0)
- live-build/apparmor/5.19/ptrace/mask (+1/-0)
- live-build/apparmor/5.19/query/label/data (+1/-0)
- live-build/apparmor/5.19/query/label/multi_transaction (+1/-0)
- live-build/apparmor/5.19/query/label/perms (+1/-0)
- live-build/apparmor/5.19/rlimit/mask (+1/-0)
- live-build/apparmor/5.19/signal/mask (+1/-0)
- live-build/functions (+12/-1)
This bug still needs a "regression potential" / "where problems might occur" section.