feat(apparmor): Add kernel apparmor check to snap validation (LP: #2052789)

For jammy and later, snap validation verifies that the kernel version matches the livecd-rootfs version, if available. This change bring focal in line with that paradigm. This is necessary due to the linux-$CLOUD-5.15 kernels requiring a different apparmor feature set that generic. (cherry picked from commit b2f25256707373537ce6c6f37fa5d456f1958edc)
11 months ago · e4fa9ef18d
parent 2c3cab4f9d
commit e4fa9ef18d
1 changed files with 32 additions and 1 deletions
--- a/live-build/functions
+++ b/live-build/functions
@ -726,13 +726,44 @@ snap_preseed() {

 snap_validate_seed() {
    local CHROOT_ROOT=$1
-
+    local kern_major_min=undefined
+    local boot_filename=undefined
+
+    # ppc64el still uses /boot/vmlinux so we need to determine the boot file name as non ppc64el use /boot/vmlinuz
+    # We don't need to query the arch as we can use existence of the file to determine the boot file name. Both
+    # will never be present at the same time.
+    if [ -e ${CHROOT_ROOT}/boot/vmlinuz ]; then
+        boot_filename=vmlinuz
+    elif [ -e ${CHROOT_ROOT}/boot/vmlinux ]; then
+        boot_filename=vmlinux
+    fi
+    if [ ${boot_filename} != undefined ]; then  # we have a known boot file so we can proceed with checking for features to mount
+        kern_major_min=$(readlink --canonicalize --no-newline ${CHROOT_ROOT}/boot/${boot_filename} | grep  --extended-regexp --only-matching --max-count 1 '[0-9]+\.[0-9]+')
+        if [ -d /usr/share/livecd-rootfs/live-build/apparmor/${kern_major_min} ]; then
+            # if an Ubuntu version has different kernel apparmor features between LTS and HWE kernels
+            # a snap pre-seeding issue can occur, where the incorrect apparmor features are reported
+            # basic copy of a directory structure overriding the "generic" feature set
+            # which is tied to the LTS kernel
+    
+            # Bind kernel apparmor directory to feature directory for snap preseeding
+            umount "${CHROOT_ROOT}/sys/kernel/security/apparmor/features/"
+            mount --bind /usr/share/livecd-rootfs/live-build/apparmor/${kern_major_min} "${CHROOT_ROOT}/sys/kernel/security/apparmor/features/"
+        fi
+    fi 
+    
    if [ -e "${CHROOT_ROOT}/var/lib/snapd/seed/seed.yaml" ]; then
        snap debug validate-seed "${CHROOT_ROOT}/var/lib/snapd/seed/seed.yaml"
        /usr/lib/snapd/snap-preseed --reset $(realpath "${CHROOT_ROOT}")
        /usr/lib/snapd/snap-preseed $(realpath "${CHROOT_ROOT}")
        chroot "${CHROOT_ROOT}" apparmor_parser --skip-read-cache --write-cache --skip-kernel-load --verbose  -j `nproc` /etc/apparmor.d
    fi
+    
+    # Unmount kernel specific apparmor feature
+    # mount generic apparmor feature again (cleanup)
+    if [ -d /build/config/hooks.d/extra/apparmor/${kern_major_min} ]; then
+        umount "${CHROOT_ROOT}/sys/kernel/security/apparmor/features/"
+        mount -o bind /usr/share/livecd-rootfs/live-build/apparmor/generic "${CHROOT_ROOT}/sys/kernel/security/apparmor/features/"
+    fi
 }

 snap_from_seed() {