s/apparmor,features: add checks for prompt support in apparmor parser and kernel
This PR splits off a portion of the work from #13670 related to AppArmor feature support for prompting.
Notably, this also adjusts the apparmor kernel and parser feature probing, since kernel support for the prompt feature is marked by the string prompt occurring in /sys/kernel/security/apparmor/features/policy/permstable32.
This file, on my system, contains the following:
$ cat /sys/kernel/security/apparmor/features/policy/permstable32
allow deny subtree cond kill complain prompt audit quiet hide xindex tag label
If this should be extended to other features besides prompt, I'm happy to add those as well -- the current handling is specific to prompt but could be generalized.
The check for parser features tests $2^{|\text{parserFeatures}|}$, which means adding prompt to the checked parser features doubles the test runtime (to ~45s on my rather fast 13700H). I tried refactoring the task to use a threadpool, but the way files are mocked and used makes running these tests in parallel difficult. Is this test runtime increase okay, or should the test in question TestProbeAppArmorParserFeatures be refactored?
Edit: Actually, the total test runtime for sandbox/apparmor increased from 18s to 47s on my machine, a nearly 3x test runtime increase :(
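As an added illustration of the kernel-side probe the description talks about (example code, not snapd's own implementation), the following Go program parses the permstable32 contents quoted above and reports whether the prompt permission is present. The file path is the one from the description; the parsing (whitespace-separated tokens, sorted and de-duplicated), the "missing file means no prompt support" rule, and the fake sysfs layout written under a temporary directory are assumptions of this example:

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// permstable32Path is the sysfs file named in the PR description, relative
// to the filesystem root so it can be redirected at a temp dir in tests.
const permstable32Path = "sys/kernel/security/apparmor/features/policy/permstable32"

// constructedPermstable32 reproduces the contents shown in the PR
// description. It is constructed sample input, not read from a live system.
const constructedPermstable32 = "allow deny subtree cond kill complain prompt audit quiet hide xindex tag label\n"

// ParsePermstable32 splits the whitespace-separated permission names into a
// sorted, de-duplicated list (assumed format: tokens separated by blanks).
func ParsePermstable32(content string) []string {
	seen := map[string]bool{}
	var perms []string
	for _, tok := range strings.Fields(content) {
		if !seen[tok] {
			seen[tok] = true
			perms = append(perms, tok)
		}
	}
	sort.Strings(perms)
	return perms
}

// HasPermission reports whether name appears in the sorted list perms.
// Prompt support is HasPermission(perms, "prompt").
func HasPermission(perms []string, name string) bool {
	i := sort.SearchStrings(perms, name)
	return i < len(perms) && perms[i] == name
}

// ProbeKernelPermissions reads permstable32 below root ("/" on a real
// system, a temp dir here). A missing file is treated as a kernel that
// predates permstable32: an empty permission list, not an error, so the
// caller sees "no prompt support" rather than a failed probe.
func ProbeKernelPermissions(root string) ([]string, error) {
	data, err := os.ReadFile(filepath.Join(root, permstable32Path))
	if errors.Is(err, os.ErrNotExist) {
		return nil, nil
	}
	if err != nil {
		return nil, err
	}
	return ParsePermstable32(string(data)), nil
}

// writeFakePermstable32 lays out the sysfs path under root so the probe can
// run on a machine whose kernel has no permstable32 at all.
func writeFakePermstable32(root, content string) error {
	p := filepath.Join(root, permstable32Path)
	if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
		return err
	}
	return os.WriteFile(p, []byte(content), 0o644)
}

func main() {
	root, err := os.MkdirTemp("", "fake-sysfs")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)

	// Kernel without permstable32: probe yields no permissions, no error.
	perms, err := ProbeKernelPermissions(root)
	fmt.Println("old kernel:", perms, err, "prompt:", HasPermission(perms, "prompt"))

	// Kernel with the quoted permstable32: prompt is reported as supported.
	if err := writeFakePermstable32(root, constructedPermstable32); err != nil {
		panic(err)
	}
	perms, err = ProbeKernelPermissions(root)
	fmt.Println("new kernel:", perms, err, "prompt:", HasPermission(perms, "prompt"))
}
```

Because the probe keys off a token in the sorted list rather than off the string "prompt" alone, extending it to other permission names later (as the description offers) is a matter of calling HasPermission with a different name.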
I just looked on my system and the unit tests in the package are extremely inefficient (14 seconds on my macbook).
Looking closely this is the culprit:
PASS: apparmor_test.go:266: apparmorSuite.TestProbeAppArmorParserFeatures 14.000s
This test is weird and I don't understand what we are actually attempting to measure here. We are calling a fake parser, through a shell script, a zillion times. I think the whole test needs to be refactored, and the crazy loop removed.
On top of that, inside that large loop we call defer restore(), effectively stashing a huge number of deferred calls on the stack. If we were not using gopkg.in/check.v1, which does not expose *testing.T, we could have used testing.T.Run both to parallelise this (but I think the whole test is broken, so please don't rewrite it) and to wrap each iteration in a function so that we restore each time.
Note from last week about the slow test: we should refactor the test to not make $2^N$ checks, especially given this is exercising combinations of independent features on a fake parser. This refactor should be independent of this PR, so should not be a blocker.
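To make the two points above concrete (an added example, not snapd's test or its mocked parser), the Go program below probes a fake parser for each candidate feature independently and checks the probe with len(candidates)+2 parser configurations (none, each feature alone, all) instead of $2^N$ subsets. Each case runs inside its own closure so the deferred restore fires per case rather than piling up until the enclosing function returns. The feature names, the fakeParser type, the MockParser/restore helper and the package-level currentParser state are all constructed for this example:

```go
package main

import (
	"fmt"
	"sort"
)

// candidateFeatures is constructed sample input: the parser features a probe
// might ask about. Illustrative names, not snapd's real feature list.
var candidateFeatures = []string{"unix", "qipcrtr-socket", "mqueue", "prompt"}

// fakeParser stands in for apparmor_parser: it accepts a feature when that
// feature is in its supported set. Hypothetical, not the project's mock.
type fakeParser struct{ supported map[string]bool }

func (p fakeParser) Accepts(feature string) bool { return p.supported[feature] }

// currentParser is package state the probe consults, mirroring the mocked
// parser the thread talks about. MockParser swaps it and returns a restore.
var currentParser fakeParser

func MockParser(p fakeParser) (restore func()) {
	old := currentParser
	currentParser = p
	return func() { currentParser = old }
}

// ProbeParserFeatures asks the parser about each candidate on its own and
// returns the sorted subset it accepts. Because each query is independent,
// exercising every combination of features adds no new code paths.
func ProbeParserFeatures(accepts func(string) bool, candidates []string) []string {
	var found []string
	for _, f := range candidates {
		if accepts(f) {
			found = append(found, f)
		}
	}
	sort.Strings(found)
	return found
}

// probeCase is one parser configuration; the probe is expected to return
// exactly the supported set.
type probeCase struct {
	name      string
	supported []string
}

// LinearProbeCases builds len(candidates)+2 configurations: no features,
// each feature alone, all features. Compare with 1<<len(candidates) subsets.
func LinearProbeCases(candidates []string) []probeCase {
	cases := []probeCase{{name: "none"}}
	for _, f := range candidates {
		cases = append(cases, probeCase{name: "only-" + f, supported: []string{f}})
	}
	cases = append(cases, probeCase{name: "all", supported: append([]string(nil), candidates...)})
	return cases
}

// CheckProbe runs the probe under every case and returns the names of cases
// whose result differs from the supported set. The closure scopes the
// deferred restore to one iteration, so the mock is undone before the next
// case starts instead of at CheckProbe's return.
func CheckProbe(candidates []string) []string {
	var failed []string
	for _, c := range LinearProbeCases(candidates) {
		func() {
			set := map[string]bool{}
			for _, f := range c.supported {
				set[f] = true
			}
			defer MockParser(fakeParser{supported: set})()
			want := append([]string(nil), c.supported...)
			sort.Strings(want)
			got := ProbeParserFeatures(currentParser.Accepts, candidates)
			if !equal(got, want) {
				failed = append(failed, c.name)
			}
		}()
	}
	return failed
}

func equal(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

func main() {
	n := len(candidateFeatures)
	fmt.Printf("cases: %d linear vs %d subsets\n", len(LinearProbeCases(candidateFeatures)), 1<<n)
	fmt.Println("failed cases:", CheckProbe(candidateFeatures))
	fmt.Println("mock restored:", currentParser.supported == nil)
}
```

With four features this is 6 probe cases rather than 16; the gap widens to exactly the doubling per added feature the description measured.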
Force pushed to rebase on master and clean up commit history. This should be rebased when merging rather than squash merged, as the changes to sandbox/apparmor don't just relate to prompting.
Force pushed to rebase on master and squash the feature sorting commit into the main apparmor-related commit.