FS#68943 - AppArmor aa_getcon fails on LTS kernel

Attached to Project: Arch Linux
Opened by David Parrish (dmp1ce) - Friday, 11 December 2020, 15:00 GMT
Last edited by Andreas Radke (AndyRTR) - Wednesday, 21 April 2021, 12:00 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To No-one
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:

AppArmor on LTS seems to behave differently than non-LTS kernels. Running the following script (https://gist.github.com/bboozzoo/840cdbd066ab81ca438fab6b0b75ea1b) I get an error:

```
david@bar:/tmp/apparmor_test$ gcc a.c -lapparmor
david@bar:/tmp/apparmor_test$ ls
a.c a.out
david@bar:/tmp/apparmor_test$ ./a.out
aa_getcon: Invalid argument
1 david@bar:/tmp/apparmor_test$ uname -a
Linux bar 5.4.82-1-lts #1 SMP Tue, 08 Dec 2020 12:10:59 +0000 x86_64 GNU/Linux
```

Script:

```
// gcc -lapparmor
#include <sys/apparmor.h>
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
char *label, *mode = NULL;
if (aa_getcon(&label, &mode) == -1) {
perror("aa_getcon");
exit(EXIT_FAILURE);
}
printf("label: %s\nmode: %s\n", label, mode);
free(label);
free(mode);
return 0;
}
```

I'm not sure the reason for this, but it is causing some of my custom application to fail on LTS.


Steps to reproduce:

1. Install LTS
2. Setup AppArmor
3. Try to run the aa_getcon function as shown in the gist: https://gist.github.com/bboozzoo/840cdbd066ab81ca438fab6b0b75ea1b
This task depends upon

Closed by  Andreas Radke (AndyRTR)
Wednesday, 21 April 2021, 12:00 GMT
Reason for closing:  None
Additional comments about closing:  current supported LTS kernel is 5.10.x
Comment by salim (salim) - Monday, 22 February 2021, 23:05 GMT
It is working again in kernel version 5.10.17-1-lts.
Comment by Steve Beattie (sbeattie) - Wednesday, 24 February 2021, 04:43 GMT
Hi David, sorry you're having an issue.

If you still can reproduce this, can you attach the output from running your test program under strace? e.g. "strace -f -o apparmor_test.output ./a.out".

Doing so would help confirm whether the issue that is causing the problem you're experiencing is what I think it might be.

Thanks!
Comment by David Parrish (dmp1ce) - Wednesday, 24 February 2021, 19:48 GMT
Now I get the following so I'm thinking this issue has been resolved for me.

```
david@bar:/tmp$ gcc a.c -lapparmor
david@bar:/tmp$ ./a.out
label: unconfined
mode: (null)
david@bar:/tmp$ uname -a
Linux bar 5.10.17-1-lts #1 SMP Wed, 17 Feb 2021 11:11:31 +0000 x86_64 GNU/Linux
```
Comment by David Parrish (dmp1ce) - Wednesday, 24 February 2021, 19:51 GMT
Same result for non-LTS

```
david@bar:/tmp$ gcc a.c -lapparmor
david@bar:/tmp$ ./a.out
label: unconfined
mode: (null)
david@bar:/tmp$ uname -a
Linux bar 5.10.16-arch1-1 #1 SMP PREEMPT Sat, 13 Feb 2021 20:50:18 +0000 x86_64 GNU/Linux
```
Comment by loqs (loqs) - Wednesday, 24 February 2021, 20:13 GMT
@dmp1ce what about 5.4.100? As you could never produce it on the 5.10 series.
Comment by David Parrish (dmp1ce) - Wednesday, 24 February 2021, 20:22 GMT
I don't have the 5.4 kernel any longer to test against.
Comment by loqs (loqs) - Wednesday, 24 February 2021, 20:26 GMT
It is available from kernel-lts [1].

[1] https://wiki.archlinux.org/index.php/Unofficial_user_repositories#kernel-lts
Comment by David Parrish (dmp1ce) - Wednesday, 24 February 2021, 20:39 GMT
I didn't know that I could get older kernels from the AUR. Thanks!

I'm not interested in the 5.4 kernel anymore though. Perhaps someone can reproduce with the steps I provided.

Loading...