From e4fa9ef18d40f37ea5e1706982fa888f4507f398 Mon Sep 17 00:00:00 2001
From: Catherine Redfield
Date: Thu, 8 Feb 2024 22:22:04 -0500
Subject: [PATCH] feat(apparmor): Add kernel apparmor check to snap validation (LP: #2052789)

For jammy and later, snap validation verifies that the kernel version matches the livecd-rootfs version, if available. This change bring focal in line with that paradigm. This is necessary due to the linux-$CLOUD-5.15 kernels requiring a different apparmor feature set that generic.

(cherry picked from commit b2f25256707373537ce6c6f37fa5d456f1958edc)
---
 live-build/functions | 33 ++++++++++++++++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)

diff --git a/live-build/functions b/live-build/functions
index fa9bcda6..ca09e81e 100644
--- a/live-build/functions
+++ b/live-build/functions
@@ -726,13 +726,44 @@ snap_preseed() {
 
 snap_validate_seed() {
 local CHROOT_ROOT=$1
-
+ local kern_major_min=undefined
+ local boot_filename=undefined
+
+ # ppc64el still uses /boot/vmlinux so we need to determine the boot file name as non ppc64el use /boot/vmlinuz
+ # We don't need to query the arch as we can use existence of the file to determine the boot file name. Both
+ # will never be present at the same time.
+ if [ -e ${CHROOT_ROOT}/boot/vmlinuz ]; then
+ boot_filename=vmlinuz
+ elif [ -e ${CHROOT_ROOT}/boot/vmlinux ]; then
+ boot_filename=vmlinux
+ fi
+ if [ ${boot_filename} != undefined ]; then # we have a known boot file so we can proceed with checking for features to mount
+ kern_major_min=$(readlink --canonicalize --no-newline ${CHROOT_ROOT}/boot/${boot_filename} | grep --extended-regexp --only-matching --max-count 1 '[0-9]+\.[0-9]+')
+ if [ -d /usr/share/livecd-rootfs/live-build/apparmor/${kern_major_min} ]; then
+ # if an Ubuntu version has different kernel apparmor features between LTS and HWE kernels
+ # a snap pre-seeding issue can occur, where the incorrect apparmor features are reported
+ # basic copy of a directory structure overriding the "generic" feature set
+ # which is tied to the LTS kernel
+
+ # Bind kernel apparmor directory to feature directory for snap preseeding
+ umount "${CHROOT_ROOT}/sys/kernel/security/apparmor/features/"
+ mount --bind /usr/share/livecd-rootfs/live-build/apparmor/${kern_major_min} "${CHROOT_ROOT}/sys/kernel/security/apparmor/features/"
+ fi
+ fi
+
 if [ -e "${CHROOT_ROOT}/var/lib/snapd/seed/seed.yaml" ]; then
 snap debug validate-seed "${CHROOT_ROOT}/var/lib/snapd/seed/seed.yaml"
 /usr/lib/snapd/snap-preseed --reset $(realpath "${CHROOT_ROOT}")
 /usr/lib/snapd/snap-preseed $(realpath "${CHROOT_ROOT}")
 chroot "${CHROOT_ROOT}" apparmor_parser --skip-read-cache --write-cache --skip-kernel-load --verbose -j `nproc` /etc/apparmor.d
 fi
+
+ # Unmount kernel specific apparmor feature
+ # mount generic apparmor feature again (cleanup)
+ if [ -d /build/config/hooks.d/extra/apparmor/${kern_major_min} ]; then
+ umount "${CHROOT_ROOT}/sys/kernel/security/apparmor/features/"
+ mount -o bind /usr/share/livecd-rootfs/live-build/apparmor/generic "${CHROOT_ROOT}/sys/kernel/security/apparmor/features/"
+ fi
 }
 
 snap_from_seed() {
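Review bot: The cleanup at the end of snap_validate_seed tests `/build/config/hooks.d/extra/apparmor/${kern_major_min}`, while the bind mount above was decided on `/usr/share/livecd-rootfs/live-build/apparmor/${kern_major_min}`, so whether the generic feature set is restored depends on a directory the mount decision never consulted and the kernel-specific mount can be left in place after the function returns. The mount condition is itself unsafe when the grep finds no `N.N` token: `kern_major_min` becomes empty and `[ -d /usr/share/livecd-rootfs/live-build/apparmor/ ]` succeeds on the parent directory, which would then be bind-mounted over the features directory. Recording a flag where the mount is made and requiring a non-empty version fixes both, and hoisting the directory prefix into one variable keeps the two halves from drifting again. The regex also takes the first match anywhere in the canonical path, so a CHROOT_ROOT containing a version-like token would win — presumably not the case for this builder, but worth stating in the comment. `${CHROOT_ROOT}` and `${kern_major_min}` are unquoted in the new tests, unlike the rest of the function; the rewrite below quotes them.
```shell
    local kern_major_min=undefined
    local boot_filename=undefined
    local apparmor_dir=/usr/share/livecd-rootfs/live-build/apparmor
    local features_remounted=false
    # … unchanged: boot_filename detection …
    if [ "${boot_filename}" != undefined ]; then
        # Note: matches the first N.N anywhere in the canonical path, not only in the kernel file name
        kern_major_min=$(readlink --canonicalize --no-newline "${CHROOT_ROOT}/boot/${boot_filename}" | grep --extended-regexp --only-matching --max-count 1 '[0-9]+\.[0-9]+')
        # An empty match would make the -d test pass on ${apparmor_dir} itself, so require a version
        if [ -n "${kern_major_min}" ] && [ -d "${apparmor_dir}/${kern_major_min}" ]; then
            umount "${CHROOT_ROOT}/sys/kernel/security/apparmor/features/"
            mount --bind "${apparmor_dir}/${kern_major_min}" "${CHROOT_ROOT}/sys/kernel/security/apparmor/features/"
            features_remounted=true
        fi
    fi
    # … unchanged: seed validation and preseeding …
    # Restore the generic feature set only if this function replaced it above
    if [ "${features_remounted}" = true ]; then
        umount "${CHROOT_ROOT}/sys/kernel/security/apparmor/features/"
        mount -o bind "${apparmor_dir}/generic" "${CHROOT_ROOT}/sys/kernel/security/apparmor/features/"
    fi
```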