Add an AppArmor profile for BenchExec to its .deb package

On Ubuntu since 24.04, user namespaces are forbidden for regular users (cf. #1041 and #1042). There is a global sysctl switch to enable them again, but applications whose AppArmor profile allows this can also use it. (Typically, AppArmor only restricts application, but in this case an AppArmor profile can actually provide a privilege than an unconfined application does not have.) More explanations are at https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces In order to make BenchExec usable out-of-the-box after installing the .deb package we want to ship such an AppArmor profile. This is made complicated by the fact that the AppArmor profile that is necessary on Ubuntu 24.04+ breaks AppArmor on previous Ubuntu versions. So we have to install this profile conditionally. I found a way to do so using ucf (a tool for handling config files) and this seems to work in my tests on Ubuntu 22.04 (old AppArmor), Ubuntu 24.04 (new AppArmor), and Debian 12 (old AppArmor), as well as installation without AppArmor present. There are two known remaining problems: - If one upgrades from Ubuntu 22.04 to Ubuntu 24.04 while having BenchExec installed, the AppArmor profile will not be installed, so BenchExec will not work. Upgrading or reinstalling the BenchExec package makes it work. - The command "python3 -m benchexec.test_tool_info" will not work, because the AppArmor profile won't match it. One has to either disable container mode or temporarily allow the use of user namespaces for the whole system. If we implement #1053 this would just work. Part of #1041.
sosy-lab · Jun 13, 2024 · 7753c4a · 7753c4a
1 parent 765e3ee
commit 7753c4a
Show file tree

Hide file tree

Showing 7 changed files with 72 additions and 8 deletions.
diff --git a/debian/additional_files/usr/share/benchexec/apparmor.d/benchexec b/debian/additional_files/usr/share/benchexec/apparmor.d/benchexec
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# This file is part of BenchExec, a framework for reliable benchmarking:
+# https://github.com/sosy-lab/benchexec
+#
+# SPDX-FileCopyrightText: 2024 Dirk Beyer <https://www.sosy-lab.org>
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# based on example in
+# https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile benchexec /usr/bin/{bench,container,run}exec flags=(default_allow) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/benchexec>
+}
diff --git a/debian/benchexec.postinst b/debian/benchexec.postinst
@@ -3,7 +3,7 @@
 # This file is part of BenchExec, a framework for reliable benchmarking:
 # https://github.com/sosy-lab/benchexec
 #
-# SPDX-FileCopyrightText: 2019-2020 Dirk Beyer <https://www.sosy-lab.org>
+# SPDX-FileCopyrightText: 2019-2024 Dirk Beyer <https://www.sosy-lab.org>
 #
 # SPDX-License-Identifier: Apache-2.0
 
@@ -26,4 +26,12 @@ case "$1" in
     ;;
 esac
 
+if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ]; then
+  # Our AppArmor profiles depend on abi/4.0, so install only if this is available.
+  if [ -f "/etc/apparmor.d/abi/4.0" ]; then
+    ucf "/usr/share/benchexec/apparmor.d/benchexec" "/etc/apparmor.d/benchexec"
+    ucfr benchexec "/etc/apparmor.d/benchexec"
+  fi
+fi
+
 #DEBHELPER#
diff --git a/debian/benchexec.postrm b/debian/benchexec.postrm
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+# This file is part of BenchExec, a framework for reliable benchmarking:
+# https://github.com/sosy-lab/benchexec
+#
+# SPDX-FileCopyrightText: 2024 Dirk Beyer <https://www.sosy-lab.org>
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -e
+
+# Only relevant for Ubuntu 24.04+, but works safely everywhere.
+# Based on what dh_ucf/13.6ubuntu1 would produce.
+if [ "$1" = "purge" ]; then
+  for ext in .ucf-new .ucf-old .ucf-dist ""; do
+    rm -f "/etc/apparmor.d/benchexec$ext"
+  done
+
+  if [ -x "`command -v ucf`" ]; then
+    ucf --purge "/etc/apparmor.d/benchexec"
+  fi
+  if [ -x "`command -v ucfr`" ]; then
+    ucfr --purge benchexec "/etc/apparmor.d/benchexec"
+  fi
+fi
+
+#DEBHELPER#
diff --git a/debian/control b/debian/control
@@ -3,6 +3,7 @@ Section: utils
 Priority: optional
 Maintainer: Philipp Wendler <[email protected]>
 Build-Depends: debhelper (>= 11),
+               dh-apparmor,
                dh-python,
                python3 (>= 3.7),
                python3-setuptools,
@@ -17,7 +18,7 @@ Vcs-Browser: https://github.com/sosy-lab/benchexec
 
 Package: benchexec
 Architecture: all
-Depends: ${python3:Depends}, python3-pkg-resources, ${misc:Depends}
+Depends: ${python3:Depends}, python3-pkg-resources, ${misc:Depends}, ucf
 Recommends: cpu-energy-meter, libseccomp2, lxcfs, python3-coloredlogs, python3-pystemd
 Description: Framework for Reliable Benchmarking and Resource Measurement
  BenchExec allows benchmarking non-interactive tools on Linux systems.

diff --git a/debian/install b/debian/install
@@ -1 +1,2 @@
 debian/additional_files/lib/* lib/
+debian/additional_files/usr/* usr/
diff --git a/debian/rules b/debian/rules
@@ -29,6 +29,10 @@ override_dh_auto_install:
 	dh_auto_install
 	python3 setup.py install --root=$(CURDIR)/debian/$(DEB_SOURCE) --install-layout=deb
 
+override_dh_install:
+	dh_install
+	dh_apparmor --profile-name=benchexec
+
 override_dh_installchangelogs:
 	dh_installchangelogs CHANGELOG.md
 

diff --git a/doc/INSTALL.md b/doc/INSTALL.md
@@ -170,17 +170,18 @@ that are not usable on all distributions by default:
 
 - **User Namespaces**: This is available on most distros
   (the kernel option is `CONFIG_USER_NS`),
-  but Debian and Arch Linux disable this feature for regular users,
-  so the system administrator needs to enable it
-  with `sudo sysctl -w kernel.unprivileged_userns_clone=1` or a respective entry
+  but many distributions disable this feature for regular users,
+  so the system administrator needs to enable it.
+  On *Debian* or *Arch* it can be necessary to enable this feature with
+  `sudo sysctl -w kernel.unprivileged_userns_clone=1` or a respective entry
   in `/etc/sysctl.conf`.
-  On CentOS it can be necessary to enable this feature with
+  On *CentOS* it can be necessary to enable this feature with
   `sudo sysctl -w user.max_user_namespaces=10000` or a respective entry
   in `/etc/sysctl.conf` (the exact value is not important).
-  On Ubuntu 24.04 (or newer versions) it can be necessary to enable this feature with
+  On *Ubuntu*, we recommend to use our Ubuntu package, which takes care of this.
+  Alternatively, on 24.04 or newer one can enable this feature with
   `sysctl -w kernel.apparmor_restrict_unprivileged_userns=0` or a respective entry
   in `/etc/sysctl.conf`.
-
 
 - **Unprivileged Overlay Filesystem**: This is only available since Linux 5.11
   (kernel option `CONFIG_OVERLAY_FS`),