templates/20.04/unconfined: Transition child processes to unconfined (!31) · Merge requests · UBports / Development / Core / apparmor-easyprof-ubuntu

Alfred Neumayer requested to merge personal/fredldotme/actuallyunconfined into main Nov 13, 2023

The git-confined snap has trouble being used inside the unconfined Lomiri Terminal app, since transition of the profile along the way disallow the inheritance of stdin/out/err fd's:

Nov 13 10:22:14 ubuntu-phablet kernel: audit: type=1400 audit(1699867334.442:1286): apparmor="DENIED" operation="file_inherit" profile="snap.git-confined.git-confined" name="/apparmor/.null" pid=7365 comm="snap-exec" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=0

The special .null file is where the fd gets dup'd at instead of getting closed, which is a result of fd's being disallowed: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1660836

To allow proper execution of the Terminal and turning "seemingly unconfined" into "actually unconfined" execution of child processes, transition children into the unconfined profile first, resulting in an environment similar to SSH or ADB. Confined Snaps will still transition to their own profiles as set by snap-confine.

The idea is based on a workaround similar to this snapd bug comment: https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1849753/comments/14

templates/20.04/unconfined: Transition child processes to unconfined

Merge request reports