Mantic kernel 6.5.0.1006 adds io_uring apparmor feature

| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| livecd-rootfs (Ubuntu) | Fix Released | Undecided | John Chittum | |
Bug Description
Starting with kernel package(s) 6.5.0.1006, currently in mantic-proposed, `io_uring` is added as an apparmor feature. This change results in preseeded snaps being unoptimized, as the mounted apparmor features in the chroot do not match the 6.5.0.1006 kernels. On a system running with the kernel:

    cat /sys/kernel/
    sqpoll override_creds
1. ensure that this is correct with kernel and security teams
2. ~~ensure that this is the default going forward~~ : Create a 6.5 feature directory as it was pointed out by xnox that Mantic has more than 6.5 kernels at this time.
If 1 and 2, then set the default in `livecd-rootfs` for mounted apparmor features to include io_uring.
SRU [Jammy]
====
[ Impact ]
* Users of the 6.5 kernel will have un-optimized first boot experiences due to snaps not preseeding with the correct apparmor setup. This directly affects clouds, leading to boot speed degradation of anywhere from 10-30s (depending on snaps installed)
[ Test Plan ]
* Create images with livecd-
* image must use an "edge" kernel or another forward pointing kernel as the HWE and cloud kernels have not rolled yet.
* boot image(s)
* check `snap debug seeding`. This should show successful seeding
* if a long json output is observed, check the restart-key to see what features are missing. compare to 6.5 in ubuntu/master. check with security, apparmor, and kernel teams
[ Where problems could occur ]
* If there is a difference in rules of 6.5 in mantic and 6.5 being released to Jammy
[ Other Info ]
* testing may be difficult, as we're trying to catch this before it lands. the codepath selecting kernel version is stable, so adding the configuration area should be safe, even if testing is not easily possible.
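The check the description calls for, as an added example that is not part of the bug report or of livecd-rootfs: compare a reference apparmor feature directory (such as the one mounted into the chroot) against what the running kernel exports under /sys/kernel/security/apparmor/features, walking nested directories such as domain/attach_conditions and policy/versions rather than only one level. Directory layout and file contents of the sample trees are constructed for illustration; only the io_uring mask value `sqpoll override_creds` comes from the report.

```bash
# Added example (not from the bug report or livecd-rootfs): recursively
# compare a reference apparmor feature tree (e.g. live-build/apparmor/6.5)
# against the kernel's exported one (/sys/kernel/security/apparmor/features).
# Exit status 0 means every file exists on both sides with identical content.
compare_apparmor_features() {
    local ref="$1" sys="$2" rc=0 f rel
    # Paths are assumed to contain no whitespace, as in the real feature tree.
    for f in $(cd "$ref" && find . -type f | sort); do
        rel="${f#./}"
        if [ ! -f "$sys/$rel" ]; then
            echo "MISSING in kernel: $rel"; rc=1
        elif ! diff -q "$ref/$rel" "$sys/$rel" >/dev/null; then
            echo "DIFFERS: $rel ('$(cat "$ref/$rel")' vs '$(cat "$sys/$rel")')"; rc=1
        fi
    done
    # Features the kernel exports but the reference tree lacks: this is the
    # io_uring case, which makes the preseeded snap state not match the kernel.
    for f in $(cd "$sys" && find . -type f | sort); do
        rel="${f#./}"
        [ -f "$ref/$rel" ] || { echo "MISSING in reference: $rel"; rc=1; }
    done
    return $rc
}

# Constructed sample trees (assumption: file contents are illustrative, except
# the io_uring mask, which is the value quoted in the bug). Prints the base dir.
make_sample_trees() {
    local base
    base=$(mktemp -d)
    mkdir -p "$base/ref/caps" "$base/ref/domain/attach_conditions" \
             "$base/sys/caps" "$base/sys/domain/attach_conditions" "$base/sys/io_uring"
    echo "chown dac_override" > "$base/ref/caps/mask"
    echo "chown dac_override" > "$base/sys/caps/mask"
    echo "yes" > "$base/ref/domain/attach_conditions/xattr"   # nested file: a one-level
    echo "yes" > "$base/sys/domain/attach_conditions/xattr"   # loop would never check it
    echo "sqpoll override_creds" > "$base/sys/io_uring/mask"  # only the 6.5.0.1006 kernel has it
    echo "$base"
}

# Demo run: reports "MISSING in reference: io_uring/mask" and returns 1.
BASE=$(make_sample_trees)
compare_apparmor_features "$BASE/ref" "$BASE/sys" || echo "feature trees differ"
rm -rf "$BASE"
```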
Related branches
- Gauthier Jolly (community): Approve
- Canonical Foundations Team: Pending requested
Diff: 267 lines (+43/-0), 37 files modified:
debian/changelog (+7/-0)
live-build/apparmor/6.5/capability (+1/-0)
live-build/apparmor/6.5/caps/mask (+1/-0)
live-build/apparmor/6.5/dbus/mask (+1/-0)
live-build/apparmor/6.5/domain/attach_conditions/xattr (+1/-0)
live-build/apparmor/6.5/domain/change_hat (+1/-0)
live-build/apparmor/6.5/domain/change_hatv (+1/-0)
live-build/apparmor/6.5/domain/change_onexec (+1/-0)
live-build/apparmor/6.5/domain/change_profile (+1/-0)
live-build/apparmor/6.5/domain/computed_longest_left (+1/-0)
live-build/apparmor/6.5/domain/fix_binfmt_elf_mmap (+1/-0)
live-build/apparmor/6.5/domain/post_nnp_subset (+1/-0)
live-build/apparmor/6.5/domain/stack (+1/-0)
live-build/apparmor/6.5/domain/version (+1/-0)
live-build/apparmor/6.5/file/mask (+1/-0)
live-build/apparmor/6.5/io_uring/mask (+1/-0)
live-build/apparmor/6.5/ipc/posix_mqueue (+1/-0)
live-build/apparmor/6.5/mount/mask (+1/-0)
live-build/apparmor/6.5/namespaces/mask (+1/-0)
live-build/apparmor/6.5/namespaces/pivot_root (+1/-0)
live-build/apparmor/6.5/namespaces/profile (+1/-0)
live-build/apparmor/6.5/network/af_mask (+1/-0)
live-build/apparmor/6.5/network/af_unix (+1/-0)
live-build/apparmor/6.5/network_v8/af_mask (+1/-0)
live-build/apparmor/6.5/policy/outofband (+1/-0)
live-build/apparmor/6.5/policy/set_load (+1/-0)
live-build/apparmor/6.5/policy/versions/v5 (+1/-0)
live-build/apparmor/6.5/policy/versions/v6 (+1/-0)
live-build/apparmor/6.5/policy/versions/v7 (+1/-0)
live-build/apparmor/6.5/policy/versions/v8 (+1/-0)
live-build/apparmor/6.5/policy/versions/v9 (+1/-0)
live-build/apparmor/6.5/ptrace/mask (+1/-0)
live-build/apparmor/6.5/query/label/data (+1/-0)
live-build/apparmor/6.5/query/label/multi_transaction (+1/-0)
live-build/apparmor/6.5/query/label/perms (+1/-0)
live-build/apparmor/6.5/rlimit/mask (+1/-0)
live-build/apparmor/6.5/signal/mask (+1/-0)
- Utkarsh Gupta: Approve
- Thomas Bechtold (community): Approve
- Philip Roche (community): Approve
- Jess Jang (community): Approve
- Canonical Foundations Team: Pending requested
Diff: 252 lines (+36/-0), 36 files modified:
live-build/apparmor/6.5/capability (+1/-0)
live-build/apparmor/6.5/caps/mask (+1/-0)
live-build/apparmor/6.5/dbus/mask (+1/-0)
live-build/apparmor/6.5/domain/attach_conditions/xattr (+1/-0)
live-build/apparmor/6.5/domain/change_hat (+1/-0)
live-build/apparmor/6.5/domain/change_hatv (+1/-0)
live-build/apparmor/6.5/domain/change_onexec (+1/-0)
live-build/apparmor/6.5/domain/change_profile (+1/-0)
live-build/apparmor/6.5/domain/computed_longest_left (+1/-0)
live-build/apparmor/6.5/domain/fix_binfmt_elf_mmap (+1/-0)
live-build/apparmor/6.5/domain/post_nnp_subset (+1/-0)
live-build/apparmor/6.5/domain/stack (+1/-0)
live-build/apparmor/6.5/domain/version (+1/-0)
live-build/apparmor/6.5/file/mask (+1/-0)
live-build/apparmor/6.5/io_uring/mask (+1/-0)
live-build/apparmor/6.5/ipc/posix_mqueue (+1/-0)
live-build/apparmor/6.5/mount/mask (+1/-0)
live-build/apparmor/6.5/namespaces/mask (+1/-0)
live-build/apparmor/6.5/namespaces/pivot_root (+1/-0)
live-build/apparmor/6.5/namespaces/profile (+1/-0)
live-build/apparmor/6.5/network/af_mask (+1/-0)
live-build/apparmor/6.5/network/af_unix (+1/-0)
live-build/apparmor/6.5/network_v8/af_mask (+1/-0)
live-build/apparmor/6.5/policy/outofband (+1/-0)
live-build/apparmor/6.5/policy/set_load (+1/-0)
live-build/apparmor/6.5/policy/versions/v5 (+1/-0)
live-build/apparmor/6.5/policy/versions/v6 (+1/-0)
live-build/apparmor/6.5/policy/versions/v7 (+1/-0)
live-build/apparmor/6.5/policy/versions/v8 (+1/-0)
live-build/apparmor/6.5/policy/versions/v9 (+1/-0)
live-build/apparmor/6.5/ptrace/mask (+1/-0)
live-build/apparmor/6.5/query/label/data (+1/-0)
live-build/apparmor/6.5/query/label/multi_transaction (+1/-0)
live-build/apparmor/6.5/query/label/perms (+1/-0)
live-build/apparmor/6.5/rlimit/mask (+1/-0)
live-build/apparmor/6.5/signal/mask (+1/-0)
Changed in livecd-rootfs (Ubuntu):
assignee: nobody → John Chittum (jchittum)
description: updated
Did the following to ensure that current features, as listed in the files, are the same:
1. uploaded livecd-rootfs/live-build/apparmor/generic to test machine
2. ran the following snippet

    # Walk the uploaded feature tree (one directory level deep) and diff each
    # file against the running kernel's exported apparmor feature of the same name.
    for dirn in ./*; do
        for filename in ${dirn}/*; do
            if [[ -f $filename ]]; then
                diffname=$(realpath $filename)
                echo "diffing $diffname to /sys/kernel/security/apparmor/features/${filename:2}"
                diff $diffname /sys/kernel/security/apparmor/features/${filename:2}
            fi
        done
    done
diffing /home/ubuntu/caps/mask to /sys/kernel/security/apparmor/features/caps/mask
diffing /home/ubuntu/dbus/mask to /sys/kernel/security/apparmor/features/dbus/mask
diffing /home/ubuntu/domain/change_hat to /sys/kernel/security/apparmor/features/domain/change_hat
diffing /home/ubuntu/domain/change_hatv to /sys/kernel/security/apparmor/features/domain/change_hatv
diffing /home/ubuntu/domain/change_onexec to /sys/kernel/security/apparmor/features/domain/change_onexec
diffing /home/ubuntu/domain/change_profile to /sys/kernel/security/apparmor/features/domain/change_profile
diffing /home/ubuntu/domain/computed_longest_left to /sys/kernel/security/apparmor/features/domain/computed_longest_left
diffing /home/ubuntu/domain/fix_binfmt_elf_mmap to /sys/kernel/security/apparmor/features/domain/fix_binfmt_elf_mmap
diffing /home/ubuntu/domain/post_nnp_subset to /sys/kernel/security/apparmor/features/domain/post_nnp_subset
diffing /home/ubuntu/domain/stack to /sys/kernel/security/apparmor/features/domain/stack
diffing /home/ubuntu/domain/version to /sys/kernel/security/apparmor/features/domain/version
diffing /home/ubuntu/file/mask to /sys/kernel/security/apparmor/features/file/mask
diffing /home/ubuntu/ipc/posix_mqueue to /sys/kernel/security/apparmor/features/ipc/posix_mqueue
diffing /home/ubuntu/mount/mask to /sys/kernel/security/apparmor/features/mount/mask
diffing /home/ubuntu/namespaces/mask to /sys/kernel/security/apparmor/features/namespaces/mask
diffing /home/ubuntu/namespaces/pivot_root to /sys/kernel/security/apparmor/features/namespaces/pivot_root
diffing /home/ubuntu/namespaces/profile to /sys/kernel/security/apparmor/features/namespaces/profile
diffing /home/ubuntu/network/af_mask to /sys/kernel/security/apparmor/features/network/af_mask
diffing /home/ubuntu/network/af_unix to /sys/kernel/security/apparmor/features/network/af_unix
diffing /home/ubuntu/network_v8/af_mask to /sys/kernel/security/apparmor/features/network_v8/af_mask
diffing /home/ubuntu/policy/outofband to /sys/kernel/security/apparmor/features/policy/outofband
diffing /home/ubuntu/policy/set_load to /sys/kernel/security/apparmor/features/policy/set_load
diffing /home/ubuntu/ptrace/mask to /sys/kernel/security/apparmor/features/ptrace/mask
diffing /home/ubuntu/rlimit/mask to /sys/kernel/security/apparmor/features/rlimit/mask
diffing /home/ubuntu/signal/mask to /sys/kernel/security/apparmor/features/signal/mask
Not perfect, but it does show that nothing, file to file that I matched, has changed.
From the snap perspective:

    snap debug seeding
    seeded: true
    preseeded: true
    image-preseeding: 5.988s
    seed-completion: 3.098s
    preseed-system-key: {
      "apparmor-features": [
        "caps",
        "dbus",
        ...