fix: bind correct apparmor feature for validating snap seed

During Realtime kernel image build, there was an error during validating snap seed which derivative images copied 5.19 apparmor feature and can't validate when Realtime kernel (5.15) installed [0]. To prevent this, bind correct apparmor feature with kernel version. [0] https://bugs.launchpad.net/ubuntu/+source/livecd-rootfs/+bug/2024639 (cherry picked from commit 6b54faa6be6286017eb2dc701534cf780ae462ce)
2025-02-23 11:21:12 +00:00 · 2023-07-07 10:50:17 -05:00 · 2023-07-07 10:50:17 -05:00 · 5e96ff013e
commit 5e96ff013e
parent 774b7c6c5a
1 changed files with 22 additions and 0 deletions
--- a/live-build/functions
+++ b/live-build/functions
@ -756,12 +756,34 @@ snap_preseed() {
 snap_validate_seed() {
    local CHROOT_ROOT=$1

+    if [ -e ${CHROOT_ROOT}/boot/vmlinuz ]; then
+        local kern_major_min=$(readlink --canonicalize --no-newline ${CHROOT_ROOT}/boot/vmlinuz | grep  --extended-regexp --only-matching --max-count 1 '[0-9]+\.[0-9]+')
+        if [ -d /usr/share/livecd-rootfs/live-build/apparmor/${kern_major_min} ]; then
+            # if an Ubuntu version has different kernel apparmor features between LTS and HWE kernels
+            # a snap pre-seeding issue can occur, where the incorrect apparmor features are reported
+            # basic copy of a directory structure overriding the "generic" feature set
+            # which is tied to the LTS kernel
+
+            # Bind kernel apparmor directory to feature directory for snap preseeding
+            umount "${CHROOT_ROOT}/sys/kernel/security/apparmor/features/"
+            mount --bind /usr/share/livecd-rootfs/live-build/apparmor/${kern_major_min} "${CHROOT_ROOT}/sys/kernel/security/apparmor/features/"
+        fi
+    fi
+
    if [ -e "${CHROOT_ROOT}/var/lib/snapd/seed/seed.yaml" ]; then
        snap debug validate-seed "${CHROOT_ROOT}/var/lib/snapd/seed/seed.yaml"
        /usr/lib/snapd/snap-preseed --reset $(realpath "${CHROOT_ROOT}")
        /usr/lib/snapd/snap-preseed $(realpath "${CHROOT_ROOT}")
        chroot "${CHROOT_ROOT}" apparmor_parser --skip-read-cache --write-cache --skip-kernel-load --verbose  -j `nproc` /etc/apparmor.d
    fi
+
+    # Unmount kernel specific apparmor feature
+    # mount generic apparmor feature again (cleanup)
+    if [ -d /build/config/hooks.d/extra/apparmor/${kern_major_min} ]; then
+        umount "${CHROOT_ROOT}/sys/kernel/security/apparmor/features/"
+        mount -o bind /usr/share/livecd-rootfs/live-build/apparmor/generic "${CHROOT_ROOT}/sys/kernel/security/apparmor/features/"
+    fi
+
 }

 list_packages_from_seed () {