Merge profiles: fix sbuild to work with the unprivileged_unshare profile

sbuild is an unconfined profile allowing it to bypass the unprivlieged
user namespace restriction.

unconfined profiles use a pix transition which means that when the
unprivileged_unshare profile is enabled, the binaries in an unconfined
profile calling unshare will cause a transition to the unprivileged_unshare
profile.

This will break sbuild because it needs capabilities within the
user namespace.

However we cannot just add a x transition rule to unconfined profiles, as
the transitions won't be respected. Instead, we have to make the profile
a default allow profile and add a transition that will override
the default pix transition of allow all.

We have to add the attached_disconnected and mediated_deleted flags
because sbuild is manipulating mounts.

Signed-off-by: John Johansen <john.johansen@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1555
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>

profiles/apparmor.d/sbuild

@@ -4,9 +4,14 @@
 abi <abi/4.0>,
 include <tunables/global>
 
-profile sbuild /usr/bin/sbuild flags=(unconfined) {
+profile sbuild /usr/bin/sbuild flags=(attach_disconnected mediate_deleted) {
+  allow all,
+
   userns,
 
+  # override default pix
+  /usr/bin/unshare ix,
+
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/sbuild>
 }

profiles/apparmor.d/sbuild-abort

@@ -4,7 +4,12 @@
 abi <abi/4.0>,
 include <tunables/global>
 
-profile sbuild-abort /usr/bin/sbuild-abort flags=(unconfined) {
+profile sbuild-abort /usr/bin/sbuild-abort flags=(attach_disconnected mediate_deleted) {
+  allow all,
+
+  # override default pix
+  /usr/bin/unshare ix,
+
   userns,
 
   # Site-specific additions and overrides. See local/README for details.

profiles/apparmor.d/sbuild-adduser

@@ -4,7 +4,12 @@
 abi <abi/4.0>,
 include <tunables/global>
 
-profile sbuild-adduser /usr/sbin/sbuild-adduser flags=(unconfined) {
+profile sbuild-adduser /usr/sbin/sbuild-adduser flags=(attach_disconnected mediate_deleted) {
+  allow all,
+
+  # override default pix
+  /usr/bin/unshare ix,
+
   userns,
 
   # Site-specific additions and overrides. See local/README for details.

profiles/apparmor.d/sbuild-apt

@@ -4,7 +4,12 @@
 abi <abi/4.0>,
 include <tunables/global>
 
-profile sbuild-apt /usr/bin/sbuild-apt flags=(unconfined) {
+profile sbuild-apt /usr/bin/sbuild-apt flags=(attach_disconnected mediate_deleted) {
+  allow all,
+
+  # override default pix
+  /usr/bin/unshare ix,
+
   userns,
 
   # Site-specific additions and overrides. See local/README for details.

profiles/apparmor.d/sbuild-checkpackages

@@ -4,7 +4,12 @@
 abi <abi/4.0>,
 include <tunables/global>
 
-profile sbuild-checkpackages /usr/bin/sbuild-checkpackages flags=(unconfined) {
+profile sbuild-checkpackages /usr/bin/sbuild-checkpackages flags=(attach_disconnected mediate_deleted) {
+  allow all,
+
+  # override default pix
+  /usr/bin/unshare ix,
+
   userns,
 
   # Site-specific additions and overrides. See local/README for details.

profiles/apparmor.d/sbuild-clean

@@ -4,7 +4,12 @@
 abi <abi/4.0>,
 include <tunables/global>
 
-profile sbuild-clean /usr/bin/sbuild-clean flags=(unconfined) {
+profile sbuild-clean /usr/bin/sbuild-clean flags=(attach_disconnected mediate_deleted) {
+  allow all,
+
+  # override default pix
+  /usr/bin/unshare ix,
+
   userns,
 
   # Site-specific additions and overrides. See local/README for details.

profiles/apparmor.d/sbuild-createchroot

@@ -4,7 +4,12 @@
 abi <abi/4.0>,
 include <tunables/global>
 
-profile sbuild-createchroot /usr/bin/sbuild-createchroot flags=(unconfined) {
+profile sbuild-createchroot /usr/bin/sbuild-createchroot flags=(attach_disconnected mediate_deleted) {
+  allow all,
+
+  # override default pix
+  /usr/bin/unshare ix,
+
   userns,
 
   # Site-specific additions and overrides. See local/README for details.

profiles/apparmor.d/sbuild-destroychroot

@@ -4,7 +4,12 @@
 abi <abi/4.0>,
 include <tunables/global>
 
-profile sbuild-destroychroot /usr/sbin/sbuild-destroychroot flags=(unconfined) {
+profile sbuild-destroychroot /usr/sbin/sbuild-destroychroot flags=(attach_disconnected mediate_deleted) {
+  allow all,
+
+  # override default pix
+  /usr/bin/unshare ix,
+
   userns,
 
   # Site-specific additions and overrides. See local/README for details.

profiles/apparmor.d/sbuild-distupgrade

@@ -4,7 +4,12 @@
 abi <abi/4.0>,
 include <tunables/global>
 
-profile sbuild-distupgrade /usr/bin/sbuild-distupgrade flags=(unconfined) {
+profile sbuild-distupgrade /usr/bin/sbuild-distupgrade flags=(attach_disconnected mediate_deleted) {
+  allow all,
+
+  # override default pix
+  /usr/bin/unshare ix,
+
   userns,
 
   # Site-specific additions and overrides. See local/README for details.

profiles/apparmor.d/sbuild-hold

@@ -4,7 +4,12 @@
 abi <abi/4.0>,
 include <tunables/global>
 
-profile sbuild-hold /usr/bin/sbuild-hold flags=(unconfined) {
+profile sbuild-hold /usr/bin/sbuild-hold flags=(attach_disconnected mediate_deleted) {
+  allow all,
+
+  # override default pix
+  /usr/bin/unshare ix,
+
   userns,
 
   # Site-specific additions and overrides. See local/README for details.

profiles/apparmor.d/sbuild-shell

@@ -4,7 +4,12 @@
 abi <abi/4.0>,
 include <tunables/global>
 
-profile sbuild-shell /usr/bin/sbuild-shell flags=(unconfined) {
+profile sbuild-shell /usr/bin/sbuild-shell flags=(attach_disconnected mediate_deleted) {
+  allow all,
+
+  # override default pix
+  /usr/bin/unshare ix,
+
   userns,
 
   # Site-specific additions and overrides. See local/README for details.

profiles/apparmor.d/sbuild-unhold

@@ -4,7 +4,12 @@
 abi <abi/4.0>,
 include <tunables/global>
 
-profile sbuild-unhold /usr/bin/sbuild-unhold flags=(unconfined) {
+profile sbuild-unhold /usr/bin/sbuild-unhold flags=(attach_disconnected mediate_deleted) {
+  allow all,
+
+  # override default pix
+  /usr/bin/unshare ix,
+
   userns,
 
   # Site-specific additions and overrides. See local/README for details.

profiles/apparmor.d/sbuild-update

@@ -4,7 +4,12 @@
 abi <abi/4.0>,
 include <tunables/global>
 
-profile sbuild-update /usr/bin/sbuild-update flags=(unconfined) {
+profile sbuild-update /usr/bin/sbuild-update flags=(attach_disconnected mediate_deleted) {
+  allow all,
+
+  # override default pix
+  /usr/bin/unshare ix,
+
   userns,
 
   # Site-specific additions and overrides. See local/README for details.

profiles/apparmor.d/sbuild-upgrade

@@ -4,7 +4,12 @@
 abi <abi/4.0>,
 include <tunables/global>
 
-profile sbuild-upgrade /usr/bin/sbuild-upgrade flags=(unconfined) {
+profile sbuild-upgrade /usr/bin/sbuild-upgrade flags=(attach_disconnected mediate_deleted) {
+  allow all,
+
+  # override default pix
+  /usr/bin/unshare ix,
+
   userns,
 
   # Site-specific additions and overrides. See local/README for details.