From 7abfc1baf7b9200b52fadbf9c89d3d1b1fd854a7 Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Wed, 19 Feb 2025 16:05:57 -0800
Subject: [PATCH] profiles: fix sbuild to work with the unprivileged_unshare profile

sbuild is an unconfined profile allowing it to by-pass the unprivlieged user namespace restritction. unconfined profiles us a pix transition which means when the unprivileged_unshare profile is enabled, the binaries in an unconfined profile calls unshare it will transition to the unprivileged_unshare profile. This will break sbuild because it needs capabilities within the user namespace. However we can not just add a x transition rule to unconfined profiles, the transitions won't be respected. Instead we have to make the profile a default allow profile, and add a transition that will override the default pix transition of allow all. We have to add the attached_disconnected and mediated_deleted flags because sbuild is manipulating mounts.

Signed-off-by: John Johansen
---
 profiles/apparmor.d/sbuild | 7 ++++++-
 profiles/apparmor.d/sbuild-abort | 7 ++++++-
 profiles/apparmor.d/sbuild-adduser | 7 ++++++-
 profiles/apparmor.d/sbuild-apt | 7 ++++++-
 profiles/apparmor.d/sbuild-checkpackages | 7 ++++++-
 profiles/apparmor.d/sbuild-clean | 7 ++++++-
 profiles/apparmor.d/sbuild-createchroot | 7 ++++++-
 profiles/apparmor.d/sbuild-destroychroot | 7 ++++++-
 profiles/apparmor.d/sbuild-distupgrade | 7 ++++++-
 profiles/apparmor.d/sbuild-hold | 7 ++++++-
 profiles/apparmor.d/sbuild-shell | 7 ++++++-
 profiles/apparmor.d/sbuild-unhold | 7 ++++++-
 profiles/apparmor.d/sbuild-update | 7 ++++++-
 profiles/apparmor.d/sbuild-upgrade | 7 ++++++-
 14 files changed, 84 insertions(+), 14 deletions(-)

diff --git a/profiles/apparmor.d/sbuild b/profiles/apparmor.d/sbuild
index 1b9bae999..28f3e41d7 100644
--- a/profiles/apparmor.d/sbuild
+++ b/profiles/apparmor.d/sbuild
@@ -4,9 +4,14 @@
 abi ,
 include
 
-profile sbuild /usr/bin/sbuild flags=(unconfined) {
+profile sbuild /usr/bin/sbuild flags=(attach_disconnected mediate_deleted) {
+ allow all,
+
 userns,
 
+ # override default pix
+ /usr/bin/unshare ix,
+
 # Site-specific additions and overrides. See local/README for details.
 include if exists
 }
diff --git a/profiles/apparmor.d/sbuild-abort b/profiles/apparmor.d/sbuild-abort
index b147d5b3b..77b60db3f 100644
--- a/profiles/apparmor.d/sbuild-abort
+++ b/profiles/apparmor.d/sbuild-abort
@@ -4,7 +4,12 @@
 abi ,
 include
 
-profile sbuild-abort /usr/bin/sbuild-abort flags=(unconfined) {
+profile sbuild-abort /usr/bin/sbuild-abort flags=(attach_disconnected mediate_deleted) {
+ allow all,
+
+ # override default pix
+ /usr/bin/unshare ix,
+
 userns,
 
 # Site-specific additions and overrides. See local/README for details.
diff --git a/profiles/apparmor.d/sbuild-adduser b/profiles/apparmor.d/sbuild-adduser
index a7f1322ba..bb67c50e7 100644
--- a/profiles/apparmor.d/sbuild-adduser
+++ b/profiles/apparmor.d/sbuild-adduser
@@ -4,7 +4,12 @@
 abi ,
 include
 
-profile sbuild-adduser /usr/sbin/sbuild-adduser flags=(unconfined) {
+profile sbuild-adduser /usr/sbin/sbuild-adduser flags=(attach_disconnected mediate_deleted) {
+ allow all,
+
+ # override default pix
+ /usr/bin/unshare ix,
+
 userns,
 
 # Site-specific additions and overrides. See local/README for details.
diff --git a/profiles/apparmor.d/sbuild-apt b/profiles/apparmor.d/sbuild-apt
index 0257e4574..f50fc4f3b 100644
--- a/profiles/apparmor.d/sbuild-apt
+++ b/profiles/apparmor.d/sbuild-apt
@@ -4,7 +4,12 @@
 abi ,
 include
 
-profile sbuild-apt /usr/bin/sbuild-apt flags=(unconfined) {
+profile sbuild-apt /usr/bin/sbuild-apt flags=(attach_disconnected mediate_deleted) {
+ allow all,
+
+ # override default pix
+ /usr/bin/unshare ix,
+
 userns,
 
 # Site-specific additions and overrides. See local/README for details.
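Review bot: The only explanation for the new `/usr/bin/unshare ix,` rule is `# override default pix`, which does not say what breaks without it; per the commit message, the default pix would move unshare into the unprivileged_unshare profile and sbuild would lose the capabilities it needs inside the user namespace. I would expand the comment to something like `# keep unshare in this profile: the pix implied by "allow all" would attach unprivileged_unshare and deny capabilities in the new user namespace`, and add a short comment by the flags saying attach_disconnected and mediate_deleted are there because sbuild manipulates mounts. The same applies to the other thirteen hunks (sbuild-abort through sbuild-upgrade), which carry the identical rule. Because `ix` lets anything these profiles exec as /usr/bin/unshare keep `allow all` plus `userns`, it is worth confirming that each helper actually calls unshare rather than granting the override to all fourteen; the commit message only describes sbuild itself. The sbuild hunk also places `userns,` before the override while the others place it after, which could be made uniform.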
diff --git a/profiles/apparmor.d/sbuild-checkpackages b/profiles/apparmor.d/sbuild-checkpackages
index aa52207eb..c4f8812d1 100644
--- a/profiles/apparmor.d/sbuild-checkpackages
+++ b/profiles/apparmor.d/sbuild-checkpackages
@@ -4,7 +4,12 @@
 abi ,
 include
 
-profile sbuild-checkpackages /usr/bin/sbuild-checkpackages flags=(unconfined) {
+profile sbuild-checkpackages /usr/bin/sbuild-checkpackages flags=(attach_disconnected mediate_deleted) {
+ allow all,
+
+ # override default pix
+ /usr/bin/unshare ix,
+
 userns,
 
 # Site-specific additions and overrides. See local/README for details.
diff --git a/profiles/apparmor.d/sbuild-clean b/profiles/apparmor.d/sbuild-clean
index c2ecc9cf7..eca646a51 100644
--- a/profiles/apparmor.d/sbuild-clean
+++ b/profiles/apparmor.d/sbuild-clean
@@ -4,7 +4,12 @@
 abi ,
 include
 
-profile sbuild-clean /usr/bin/sbuild-clean flags=(unconfined) {
+profile sbuild-clean /usr/bin/sbuild-clean flags=(attach_disconnected mediate_deleted) {
+ allow all,
+
+ # override default pix
+ /usr/bin/unshare ix,
+
 userns,
 
 # Site-specific additions and overrides. See local/README for details.
diff --git a/profiles/apparmor.d/sbuild-createchroot b/profiles/apparmor.d/sbuild-createchroot
index e58b130c3..85ffa3ed6 100644
--- a/profiles/apparmor.d/sbuild-createchroot
+++ b/profiles/apparmor.d/sbuild-createchroot
@@ -4,7 +4,12 @@
 abi ,
 include
 
-profile sbuild-createchroot /usr/bin/sbuild-createchroot flags=(unconfined) {
+profile sbuild-createchroot /usr/bin/sbuild-createchroot flags=(attach_disconnected mediate_deleted) {
+ allow all,
+
+ # override default pix
+ /usr/bin/unshare ix,
+
 userns,
 
 # Site-specific additions and overrides. See local/README for details.
diff --git a/profiles/apparmor.d/sbuild-destroychroot b/profiles/apparmor.d/sbuild-destroychroot
index 217809723..7232c2ce6 100644
--- a/profiles/apparmor.d/sbuild-destroychroot
+++ b/profiles/apparmor.d/sbuild-destroychroot
@@ -4,7 +4,12 @@
 abi ,
 include
 
-profile sbuild-destroychroot /usr/sbin/sbuild-destroychroot flags=(unconfined) {
+profile sbuild-destroychroot /usr/sbin/sbuild-destroychroot flags=(attach_disconnected mediate_deleted) {
+ allow all,
+
+ # override default pix
+ /usr/bin/unshare ix,
+
 userns,
 
 # Site-specific additions and overrides. See local/README for details.
diff --git a/profiles/apparmor.d/sbuild-distupgrade b/profiles/apparmor.d/sbuild-distupgrade
index c5c6f7dfd..8df44146f 100644
--- a/profiles/apparmor.d/sbuild-distupgrade
+++ b/profiles/apparmor.d/sbuild-distupgrade
@@ -4,7 +4,12 @@
 abi ,
 include
 
-profile sbuild-distupgrade /usr/bin/sbuild-distupgrade flags=(unconfined) {
+profile sbuild-distupgrade /usr/bin/sbuild-distupgrade flags=(attach_disconnected mediate_deleted) {
+ allow all,
+
+ # override default pix
+ /usr/bin/unshare ix,
+
 userns,
 
 # Site-specific additions and overrides. See local/README for details.
diff --git a/profiles/apparmor.d/sbuild-hold b/profiles/apparmor.d/sbuild-hold
index 7f592f1cc..0a07994ec 100644
--- a/profiles/apparmor.d/sbuild-hold
+++ b/profiles/apparmor.d/sbuild-hold
@@ -4,7 +4,12 @@
 abi ,
 include
 
-profile sbuild-hold /usr/bin/sbuild-hold flags=(unconfined) {
+profile sbuild-hold /usr/bin/sbuild-hold flags=(attach_disconnected mediate_deleted) {
+ allow all,
+
+ # override default pix
+ /usr/bin/unshare ix,
+
 userns,
 
 # Site-specific additions and overrides. See local/README for details.
diff --git a/profiles/apparmor.d/sbuild-shell b/profiles/apparmor.d/sbuild-shell
index be97320fd..d93b70e6d 100644
--- a/profiles/apparmor.d/sbuild-shell
+++ b/profiles/apparmor.d/sbuild-shell
@@ -4,7 +4,12 @@
 abi ,
 include
 
-profile sbuild-shell /usr/bin/sbuild-shell flags=(unconfined) {
+profile sbuild-shell /usr/bin/sbuild-shell flags=(attach_disconnected mediate_deleted) {
+ allow all,
+
+ # override default pix
+ /usr/bin/unshare ix,
+
 userns,
 
 # Site-specific additions and overrides. See local/README for details.
diff --git a/profiles/apparmor.d/sbuild-unhold b/profiles/apparmor.d/sbuild-unhold
index c06f56deb..13c009633 100644
--- a/profiles/apparmor.d/sbuild-unhold
+++ b/profiles/apparmor.d/sbuild-unhold
@@ -4,7 +4,12 @@
 abi ,
 include
 
-profile sbuild-unhold /usr/bin/sbuild-unhold flags=(unconfined) {
+profile sbuild-unhold /usr/bin/sbuild-unhold flags=(attach_disconnected mediate_deleted) {
+ allow all,
+
+ # override default pix
+ /usr/bin/unshare ix,
+
 userns,
 
 # Site-specific additions and overrides. See local/README for details.
diff --git a/profiles/apparmor.d/sbuild-update b/profiles/apparmor.d/sbuild-update
index dcca130df..764c11e26 100644
--- a/profiles/apparmor.d/sbuild-update
+++ b/profiles/apparmor.d/sbuild-update
@@ -4,7 +4,12 @@
 abi ,
 include
 
-profile sbuild-update /usr/bin/sbuild-update flags=(unconfined) {
+profile sbuild-update /usr/bin/sbuild-update flags=(attach_disconnected mediate_deleted) {
+ allow all,
+
+ # override default pix
+ /usr/bin/unshare ix,
+
 userns,
 
 # Site-specific additions and overrides. See local/README for details.
diff --git a/profiles/apparmor.d/sbuild-upgrade b/profiles/apparmor.d/sbuild-upgrade
index be154b03e..3ee9d328a 100644
--- a/profiles/apparmor.d/sbuild-upgrade
+++ b/profiles/apparmor.d/sbuild-upgrade
@@ -4,7 +4,12 @@
 abi ,
 include
 
-profile sbuild-upgrade /usr/bin/sbuild-upgrade flags=(unconfined) {
+profile sbuild-upgrade /usr/bin/sbuild-upgrade flags=(attach_disconnected mediate_deleted) {
+ allow all,
+
+ # override default pix
+ /usr/bin/unshare ix,
+
 userns,
 
 # Site-specific additions and overrides. See local/README for details.