snap: update vendored apparmor to 3.0.8 with userns and mqueue support (

#12836) * snap: update vendored apparmor to 3.0.8 with userns and mqueue support Update the snap build to use the latest upstream AppArmor 3.0.8 release and also add local patches to add support for userns and POSIX mqueue mediation support. Signed-off-by: Alex Murray <alex.murray@canonical.com> * build-aux/snap: fetch patches during build rather than vendor them By fetching them during the build *and* using the source of the Ubuntu apparmor package in lunar (23.04) this allows us to keep these patches in sync with what is used in Ubuntu and to show their provenance at the same time. Signed-off-by: Alex Murray <alex.murray@canonical.com> --------- Signed-off-by: Alex Murray <alex.murray@canonical.com> Co-authored-by: Michael Vogt <mvo@ubuntu.com>
snapcore · Jun 15, 2023 · 7eb7ffa · 7eb7ffa
1 parent 67cb157
commit 7eb7ffa
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 3 deletions.
diff --git a/build-aux/snap/snapcraft.yaml b/build-aux/snap/snapcraft.yaml
@@ -167,8 +167,16 @@ parts:
       - bin/fc-cache-v7
   apparmor:
     plugin: autotools
-    build-packages: [bison, flex, gettext, g++, pkg-config]
-    source: https://launchpad.net/apparmor/3.0/3.0.7/+download/apparmor-3.0.7.tar.gz
+    build-packages: [bison, flex, gettext, g++, pkg-config, wget]
+    source: https://launchpad.net/apparmor/3.0/3.0.8/+download/apparmor-3.0.8.tar.gz
+    override-pull: |
+      snapcraftctl pull
+      # add support for mediating posix mqueue's and userns - these come from
+      # the ubuntu source package for lunar
+      # https://git.launchpad.net/ubuntu/+source/apparmor/tree/debian/patches/ubuntu?h=ubuntu/lunar
+      for feature in mqueue userns; do
+        wget https://git.launchpad.net/ubuntu/+source/apparmor/plain/debian/patches/ubuntu/add-${feature}-support.patch?h=ubuntu/lunar -O - | patch -p1
+      done
     override-build: |
       cd $SNAPCRAFT_PART_BUILD/libraries/libapparmor
       ./autogen.sh

diff --git a/cmd/configure.ac b/cmd/configure.ac
@@ -88,7 +88,7 @@ AS_IF([test "x$with_unit_tests" = "xyes"], [
 AS_IF([test "x$enable_apparmor" = "xyes"], [
     # Expect AppArmor3 when building as a snap under snapcraft
     AS_IF([test "x$SNAPCRAFT_PROJECT_NAME" = "xsnapd"], [
-        PKG_CHECK_MODULES([APPARMOR3], [libapparmor = 3.0.7], [
+        PKG_CHECK_MODULES([APPARMOR3], [libapparmor = 3.0.8], [
             AC_DEFINE([HAVE_APPARMOR], [1], [Build with apparmor3 support])], [
             AC_MSG_ERROR([unable to find apparmor3 for snap build of snapd])])], [
         PKG_CHECK_MODULES([APPARMOR], [libapparmor], [

diff --git a/tests/main/snapd-snap/task.yaml b/tests/main/snapd-snap/task.yaml
@@ -238,6 +238,10 @@ execute: |
     echo "Ensure sandbox-features shows the internal apparmor_parser"
     snap debug sandbox-features --required apparmor:parser:snapd-internal
 
+    echo "Ensure we support posix mqueue and userns in the internal apparmor_parser"
+    snap debug sandbox-features --required apparmor:parser:mqueue
+    snap debug sandbox-features --required apparmor:parser:userns
+    
     echo "Then we should be able to compile policy using the internal apparmor_parser"
     /snap/snapd/current/usr/lib/snapd/apparmor_parser \
       --config-file /snap/snapd/current/usr/lib/snapd/apparmor/parser.conf \