felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

build: enable re-attach disconnected path by default

Browse source 
Ignored on Ubuntu 25.04 and abi3.0
This commit is contained in:
Alexandre Pujol 2025-08-15 18:22:07 +02:00
parent c51943934e
commit 483c0c107d
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
3 changed files with 50 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

5
apparmor.d/tunables/multiarch.d/system
View file

@ -69,8 +69,9 @@
@{dynamic}=23[4-9] 24[0-9] 25[0-4] # range 234 to 254 @{dynamic}=23[4-9] 24[0-9] 25[0-4] # range 234 to 254
@{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1] # range 384 to 511 @{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1] # range 384 to 511
# Attachment path for attach_disconnected.path flag. # Default attachment path when re-attached path disconnected path is ignored.
# Automatically generated and set in profile preamble on ABI4. Disabled on ABI3. # Disabled on abi3 and Ubuntu 25.04+
# See https://apparmor.pujol.io/development/internal/#re-attached-path
@{att}=/ @{att}=/
alias // -> /, alias // -> /,

11
pkg/prebuild/cli/cli.go
View file

@ -108,7 +108,16 @@ func Configure() {
case 3: case 3:
builder.Register("abi3") // Convert all profiles from abi 4.0 to abi 3.0 builder.Register("abi3") // Convert all profiles from abi 4.0 to abi 3.0
case 4: case 4:
// builder.Register("attach") // Re-attach disconnected path // Re-attach disconnected path, ignored on ubuntu 25.04+ due to a memory leak
// that fully prevent profiles compilation with re-attached paths.
// See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2098730
if prebuild.Distribution != "ubuntu" {
builder.Register("attach")
prepare.Register("attach")
} else if prebuild.Release["VERSION_CODENAME"] == "noble" {
builder.Register("attach")
prepare.Register("attach")
}
default: default:
logging.Fatal("Invalid ABI version: %d", prebuild.ABI) logging.Fatal("Invalid ABI version: %d", prebuild.ABI)
} }

37
pkg/prebuild/prepare/attach.go Normal file
View file

@ -0,0 +1,37 @@
// apparmor.d - Full set of apparmor profiles
// Copyright (C) 2021-2025 Alexandre Pujol <alexandre@pujol.io>
// SPDX-License-Identifier: GPL-2.0-only
package prepare
import (
"strings"
"github.com/roddhjav/apparmor.d/pkg/prebuild"
)
type ReAttach struct {
prebuild.Base
}
func init() {
RegisterTask(&ReAttach{
Base: prebuild.Base{
Keyword: "attach",
Msg: "Configure tunable for re-attached path",
},
})
}
func (p ReAttach) Apply() ([]string, error) {
res := []string{}
// Remove the @{att} tunable that is going to be defined in profile header
path := prebuild.RootApparmord.Join("tunables/multiarch.d/system")
out, err := path.ReadFileAsString()
if err != nil {
return res, err
}
out = strings.ReplaceAll(out, "@{att}=/", "# @{att}=/")
return res, path.WriteFile([]byte(out))
}