specifying AppArmorProfile doesn't result in processes launched under the named profile

Bug #1396270 reported by Jamie Strandboge
Affects: systemd (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Martin Pitt

Bug Description

Steps to reproduce

1. grab attached tarball and unpack in /tmp:
tar -zxvf /tmp/test.tar.gz

2. cd /tmp/test

3. Load the apparmor profile:
sudo apparmor_parser -r ./apparmor.profile

4. verify that the 'test-service' profile is loaded via 'sudo aa-status'. E.g.:
$ sudo aa-status
apparmor module is loaded.
6 profiles are loaded.
6 profiles are in enforce mode.
   ...
   test-service
   ...

5. enable the systemd service file:
$ cat ./test.service
[Unit]
Description=test webserver
[Service]
Environment=PYTHONDONTWRITEBYTECODE=1
ExecStart=/tmp/test/bin/webserver
Restart=on-failure
WorkingDirectory=/tmp/test/www
AppArmorProfile=test-service
[Install]
WantedBy=multi-user.target

$ sudo cp ./test.service /etc/systemd/system/

$ sudo systemctl enable test.service

6. start the service
$ sudo systemctl start test.service

$ sudo systemctl --no-pager status test.service
● test.service - test webserver
   Loaded: loaded (/etc/systemd/system/test.service; enabled)
   Active: active (running) since Tue 2014-11-25 17:33:51 UTC; 4min 8s ago
 Main PID: 1246 (webserver)
   CGroup: /system.slice/test.service
           └─1246 /usr/bin/python3 /tmp/test/bin/webserver

Nov 25 17:33:51 localhost.localdomain systemd[1]: Started test webserver.

7. verify that the service is confined (use Main PID from the last step. You can also use aa-status):
$ ps -Z 1246
LABEL PID TTY STAT TIME COMMAND
unconfined 1246 ? Ss 0:00 /usr/bin/python3 /tmp/test/bin/webserver

Because the service file uses 'AppArmorProfile=test-service' and the 'test-service' profile is already loaded into the kernel, I would expect /tmp/test/bin/webserver to be running under the 'test-service' label, not 'unconfined'.

Note: you can manually start the webserver under apparmor using aa-exec. E.g.:
$ sudo aa-exec -p test-service /tmp/test/bin/webserver
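
A reusable version of the confinement check from step 7, added here as an example (it is not part of the bug report or of the systemd package). It parses the AppArmor label the kernel exposes in /proc/<pid>/attr/current (the same label ps -Z prints), reads AppArmorProfile= from the unit file, and checks whether the running systemd build has AppArmor compiled in, using the +APPARMOR/-APPARMOR feature flag that `systemctl --version` prints; a build without it silently ignores AppArmorProfile=, which is what this bug came down to. The function names, the CHECK_UNIT variable and the use of `systemctl show --value` (which needs a newer systemctl than the 215 discussed here) are assumptions of this example.

```sh
#!/bin/sh
# Example helper (constructed, not from the bug report or systemd): confirm
# that a unit's main process really runs under the profile named in
# AppArmorProfile=, instead of trusting that the setting took effect.

# Extract the profile name from the raw text of /proc/<pid>/attr/current.
# The kernel reports e.g. "test-service (enforce)" or plain "unconfined".
label_profile() {
    # $1: raw label text
    printf '%s\n' "$1" | sed -e 's/^[[:space:]]*//' -e 's/ (.*)$//'
}

# Extract the confinement mode ("enforce", "complain") or "unconfined".
label_mode() {
    case "$1" in
        unconfined) echo unconfined ;;
        *'('*')'*) printf '%s\n' "$1" | sed -e 's/^.*(\(.*\)).*$/\1/' ;;
        *) echo unknown ;;
    esac
}

# Read the AppArmorProfile= value from a unit file supplied on stdin.
# The last occurrence wins, matching how systemd treats repeated keys.
unit_apparmor_profile() {
    sed -n 's/^AppArmorProfile=//p' | tail -n 1
}

# Given the output of `systemctl --version`, report whether this systemd
# build has AppArmor support compiled in (+APPARMOR) or not (-APPARMOR).
systemd_has_apparmor() {
    case "$1" in
        *+APPARMOR*) return 0 ;;
        *) return 1 ;;
    esac
}

# Compare the label a process actually carries against the profile the unit
# asked for. Returns 0 only when the names match and the mode is enforce,
# so "unconfined" and "complain" both count as a failure.
verify_confinement() {
    # $1: expected profile name, $2: raw label text
    expected=$1
    actual=$(label_profile "$2")
    mode=$(label_mode "$2")
    if [ "$actual" = "$expected" ] && [ "$mode" = enforce ]; then
        echo "OK: confined by '$expected' (enforce)"
        return 0
    fi
    echo "FAIL: expected '$expected' (enforce), got '$actual' ($mode)"
    return 1
}

# Live check on a real system (assumed invocation, needs a systemctl with
# --value):  CHECK_UNIT=test.service sh ./check-confinement.sh
if [ -n "${CHECK_UNIT:-}" ]; then
    unit_path=$(systemctl show -p FragmentPath --value "$CHECK_UNIT")
    pid=$(systemctl show -p MainPID --value "$CHECK_UNIT")
    systemd_has_apparmor "$(systemctl --version)" \
        || echo "WARN: this systemd build lacks AppArmor support (-APPARMOR)"
    verify_confinement "$(unit_apparmor_profile < "$unit_path")" \
        "$(cat "/proc/$pid/attr/current")"
fi
```

Run against the reporter's unit, the live branch would have printed the FAIL line for the unpatched build (label "unconfined") and the OK line once systemd was rebuilt with libapparmor-dev.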

summary: - AppArmorProfile doesn't launch process under the name profile
+ AppArmorProfile doesn't launch process under the named profile
Jamie Strandboge (jdstrand) wrote :
description: updated
Jamie Strandboge (jdstrand) wrote :

Fixing this bug is a requirement for enabling systemd in Ubuntu.

Changed in systemd (Ubuntu):
importance: Undecided → Critical
importance: Critical → High
tags: added: aa-systemd
summary: - AppArmorProfile doesn't launch process under the named profile
+ specifying AppArmorProfile doesn't launch process under the named
+ profile
summary: - specifying AppArmorProfile doesn't launch process under the named
- profile
+ specifying AppArmorProfile doesn't result in processes launched under
+ the named profile
Marc Deslauriers (mdeslaur) wrote :

systemd in vivid isn't compiled with apparmor support:

        AppArmor: no

Marc Deslauriers (mdeslaur) wrote :

Here is a debdiff to turn on AppArmor support, which appears to have solved the issue.

Jamie Strandboge (jdstrand) wrote :

It looks like systemd isn't compiled with apparmor support. mdeslaur gave me a debdiff to add the necessary bits to debian/control to make this work. I verified that the test case results in the service running under the 'test-service' label.

tags: added: patch
Martin Pitt (pitti)
Changed in systemd (Ubuntu):
status: New → In Progress
milestone: none → ubuntu-14.11
assignee: nobody → Martin Pitt (pitti)
Martin Pitt (pitti) wrote :

Thanks! I added this locally to my tree and confirm that this works. I want to write a corresponding autopkgtest for this which tries an apparmor violation and ensures that this actually fails (but not without confinement).

Martin Pitt (pitti) wrote :

AppArmor enabled in http://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?h=ubuntu&id=026526 (note that manually specifying the binary libapparmor1 dependency is not necessary and should not be done -- dh_shlibdeps will do that in a better way).

I also added an autopkgtest to reproduce this and ensure that it stays working: http://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?h=ubuntu&id=faae385

Changed in systemd (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package systemd - 215-6ubuntu2

---------------
systemd (215-6ubuntu2) vivid; urgency=medium

  [ Martin Pitt ]
  * Merge fixes from Debian master.
  * Put user slices into all cgroup controllers. This makes unprivileged user
    LXC containers work under systemd. (LP: #1396270)
  * boot-and-services autopkgtest: Test AppArmor confined units (LP #1396270)

  [ Marc Deslauriers ]
  * Build-depend on libapparmor-dev to enable AppArmor support. (LP: #1396270)

systemd (215-7) UNRELEASED; urgency=medium

  [ Martin Pitt ]
  * Add myself to Uploaders.
  * Add boot-and-services autopkgtest: Check booting with systemd-sysv and
    that the most crucial services behave as expected.
  * logind autopkgtest: Fix stderr output in waiting loop for scsi_debug.
  * Add nspawn test to boot-and-services autopkgtest.
  * Make systemd-nspawn@.service work out of the box: (Closes: #770275)
    - Pre-create /var/lib/container with a secure mode (0700) via tmpfiles.d.
    - Add new try-{guest,host} modes for --link-journal to silently skip
      setting up the guest journal if the host has no persistent journal.
    - Extend boot-and-services autopkgtest to cover systemd-nspawn@.service.
  * Cherry-pick upstream patch to fix SELinux unit access check (regression
    in 215).

  [ Jon Severinsson ]
  * Add /run/shm -> /dev/shm symlink in debian/tmpfiles.d/debian.conf. This
    avoids breakage in Jessie for packages which still refer to /run/shm, and
    while https://wiki.debian.org/ReleaseGoals/RunDirectory is still official.
    (LP: #1320534, Closes: #674755).
 -- Martin Pitt <email address hidden> Thu, 27 Nov 2014 16:38:55 +0100

Changed in systemd (Ubuntu):
status: Fix Committed → Fix Released