From 5ba66e9fe4ca571a81d609f28f7a1478e928e109 Mon Sep 17 00:00:00 2001 
From: Philipp Wendler
Date: Tue, 11 Jun 2024 16:48:06 +0200
Subject: [PATCH] Add an AppArmor profile for BenchExec to its .deb package

On Ubuntu since 24.04, user namespaces are forbidden for regular users (cf. #1041 and #1042). There is a global sysctl switch to enable them again, but applications whose AppArmor profile allows this can also use it. (Typically, AppArmor only restricts applications, but in this case an AppArmor profile can actually provide a privilege that an unconfined application does not have.) More explanations are at https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces

In order to make BenchExec usable out-of-the-box after installing the .deb package we want to ship such an AppArmor profile. This is made complicated by the fact that the AppArmor profile that is necessary on Ubuntu 24.04+ breaks AppArmor on previous Ubuntu versions. So we have to install this profile conditionally. I found a way to do so using ucf (a tool for handling config files) and this seems to work in my tests on Ubuntu 22.04 (old AppArmor), Ubuntu 24.04 (new AppArmor), and Debian 12 (old AppArmor), as well as installation without AppArmor present.

There are two known remaining problems:
- If one upgrades from Ubuntu 22.04 to Ubuntu 24.04 while having BenchExec installed, the AppArmor profile will not be installed, so BenchExec will not work. Upgrading or reinstalling the BenchExec package makes it work.
- The command "python3 -m benchexec.test_tool_info" will not work, because the AppArmor profile won't match it. One has to either disable container mode or temporarily allow the use of user namespaces for the whole system. If we implement #1053 this would just work.

Part of #1041.
--- .../usr/share/benchexec/apparmor.d/benchexec | 22 +++++++++++++++ debian/benchexec.postinst | 10 ++++++- debian/benchexec.postrm | 27 +++++++++++++++++++ debian/control | 3 ++- debian/install | 1 + debian/rules | 4 +++ doc/INSTALL.md | 13 ++++----- 7 files changed, 72 insertions(+), 8 deletions(-) create mode 100644 debian/additional_files/usr/share/benchexec/apparmor.d/benchexec create mode 100644 debian/benchexec.postrm diff --git a/debian/additional_files/usr/share/benchexec/apparmor.d/benchexec b/debian/additional_files/usr/share/benchexec/apparmor.d/benchexec new file mode 100644 index 000000000..a0f5f5de4 --- /dev/null +++ b/debian/additional_files/usr/share/benchexec/apparmor.d/benchexec @@ -0,0 +1,22 @@ +#!/bin/sh + +# This file is part of BenchExec, a framework for reliable benchmarking: +# https://github.com/sosy-lab/benchexec +# +# SPDX-FileCopyrightText: 2024 Dirk Beyer +# +# SPDX-License-Identifier: Apache-2.0 + +# based on example in +# https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces + +abi , + +include + +profile benchexec /usr/bin/{bench,container,run}exec flags=(default_allow) { + userns, + + # Site-specific additions and overrides. See local/README for details. + include if exists +} diff --git a/debian/benchexec.postinst b/debian/benchexec.postinst index b804eff9d..b61945ee6 100644 --- a/debian/benchexec.postinst +++ b/debian/benchexec.postinst @@ -3,7 +3,7 @@ # This file is part of BenchExec, a framework for reliable benchmarking: # https://github.com/sosy-lab/benchexec # -# SPDX-FileCopyrightText: 2019-2020 Dirk Beyer +# SPDX-FileCopyrightText: 2019-2024 Dirk Beyer # # SPDX-License-Identifier: Apache-2.0 
@@ -26,4 +26,12 @@ case "$1" in ;; esac +if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ]; then + # Our AppArmor profiles depend on abi/4.0, so install only if this is available. + if [ -f "/etc/apparmor.d/abi/4.0" ]; then + ucf "/usr/share/benchexec/apparmor.d/benchexec" "/etc/apparmor.d/benchexec" + ucfr benchexec "/etc/apparmor.d/benchexec" + fi +fi + #DEBHELPER# diff --git a/debian/benchexec.postrm b/debian/benchexec.postrm new file mode 100644 index 000000000..bbd41cb3a --- /dev/null +++ b/debian/benchexec.postrm @@ -0,0 +1,27 @@ +#!/bin/sh + +# This file is part of BenchExec, a framework for reliable benchmarking: +# https://github.com/sosy-lab/benchexec +# +# SPDX-FileCopyrightText: 2024 Dirk Beyer +# +# SPDX-License-Identifier: Apache-2.0 + +set -e + +# Only relevant for Ubuntu 24.04+, but works safely everywhere. +# Based on what dh_ucf/13.6ubuntu1 would produce. +if [ "$1" = "purge" ]; then + for ext in .ucf-new .ucf-old .ucf-dist ""; do + rm -f "/etc/apparmor.d/benchexec$ext" + done + + if [ -x "`command -v ucf`" ]; then + ucf --purge "/etc/apparmor.d/benchexec" + fi + if [ -x "`command -v ucfr`" ]; then + ucfr --purge benchexec "/etc/apparmor.d/benchexec" + fi +fi + +#DEBHELPER# diff --git a/debian/control b/debian/control index 7078ead5c..768b0f5a0 100644 --- a/debian/control +++ b/debian/control @@ -3,6 +3,7 @@ Section: utils Priority: optional Maintainer: Philipp Wendler Build-Depends: debhelper (>= 11), + dh-apparmor, dh-python, python3 (>= 3.7), python3-setuptools, @@ -17,7 +18,7 @@ Vcs-Browser: https://github.com/sosy-lab/benchexec Package: benchexec Architecture: all -Depends: ${python3:Depends}, python3-pkg-resources, ${misc:Depends} +Depends: ${python3:Depends}, python3-pkg-resources, ${misc:Depends}, ucf Recommends: cpu-energy-meter, libseccomp2, lxcfs, python3-coloredlogs, python3-pystemd Description: Framework for Reliable Benchmarking and Resource Measurement BenchExec allows benchmarking non-interactive tools on Linux systems. 
diff --git a/debian/install b/debian/install index 23e5a64a3..6cab75f37 100644 --- a/debian/install +++ b/debian/install @@ -1 +1,2 @@ debian/additional_files/lib/* lib/ +debian/additional_files/usr/* usr/ diff --git a/debian/rules b/debian/rules index 7ce8d46ad..85c6a887e 100755 --- a/debian/rules +++ b/debian/rules @@ -29,6 +29,10 @@ override_dh_auto_install: dh_auto_install python3 setup.py install --root=$(CURDIR)/debian/$(DEB_SOURCE) --install-layout=deb +override_dh_install: + dh_install + dh_apparmor --profile-name=benchexec + override_dh_installchangelogs: dh_installchangelogs CHANGELOG.md diff --git a/doc/INSTALL.md b/doc/INSTALL.md index 06cb567d7..98db33727 100644 --- a/doc/INSTALL.md +++ b/doc/INSTALL.md 
@@ -170,17 +170,18 @@ that are not usable on all distributions by default: - **User Namespaces**: This is available on most distros (the kernel option is `CONFIG_USER_NS`), - but Debian and Arch Linux disable this feature for regular users, - so the system administrator needs to enable it - with `sudo sysctl -w kernel.unprivileged_userns_clone=1` or a respective entry + but many distributions disable this feature for regular users, + so the system administrator needs to enable it. + On *Debian* or *Arch* it can be necessary to enable this feature with + `sudo sysctl -w kernel.unprivileged_userns_clone=1` or a respective entry in `/etc/sysctl.conf`. - On CentOS it can be necessary to enable this feature with + On *CentOS* it can be necessary to enable this feature with `sudo sysctl -w user.max_user_namespaces=10000` or a respective entry in `/etc/sysctl.conf` (the exact value is not important). - On Ubuntu 24.04 (or newer versions) it can be necessary to enable this feature with + On *Ubuntu*, we recommend to use our Ubuntu package, which takes care of this. + Alternatively, on 24.04 or newer one can enable this feature with `sysctl -w kernel.apparmor_restrict_unprivileged_userns=0` or a respective entry in `/etc/sysctl.conf`. - - **Unprivileged Overlay Filesystem**: This is only available since Linux 5.11 (kernel option `CONFIG_OVERLAY_FS`),
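Review bot: In debian/additional_files/usr/share/benchexec/apparmor.d/benchexec, the first line `#!/bin/sh` does not belong in an AppArmor profile; apparmor_parser treats it as a comment, but it tells readers, editors and file-type detection that this is a shell script. Drop it. In the same file, `abi ,` and the two bare `include` lines have no target in the text as shown here, which apparmor_parser would reject; the angle-bracketed targets (`abi <abi/4.0>,`, and presumably `<tunables/global>` and `<local/benchexec>` for the includes, matching the `local/README` comment and the `/etc/apparmor.d/abi/4.0` check in postinst) look like they were lost when this page was extracted, so confirm the committed file carries them. Finally, `flags=(default_allow)` deserves an inline comment: the profile confines nothing, and its only effect is the `userns,` grant for /usr/bin/{bench,container,run}exec, so nobody reading it later mistakes it for a sandbox.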
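Review bot: In debian/benchexec.postinst, the position of the new `ucf`/`ucfr` block before `#DEBHELPER#` is load-bearing and undocumented: the snippet dh_apparmor inserts at that marker only loads `/etc/apparmor.d/benchexec` if the file already exists when it runs, so moving the block below the marker would copy the profile into place without loading it. Add a comment stating the ordering constraint. The `[ -f "/etc/apparmor.d/abi/4.0" ]` test also only reflects the state at install time; if the apparmor package providing that file arrives later (the 22.04-to-24.04 upgrade case from the commit message), nothing re-runs this block. `dpkg-reconfigure benchexec` re-runs postinst with `configure` and fixes that without a reinstall; worth mentioning in INSTALL.md alongside the known limitation.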
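Review bot: In debian/benchexec.postrm, the `rm -f` loop over the `.ucf-new`/`.ucf-old`/`.ucf-dist` variants runs before `#DEBHELPER#`, and that order matters if the dh_apparmor purge snippet keys its cleanup of `local/benchexec` and the parser cache on the main profile already being gone; a one-line comment would protect against someone reordering it. Nothing in this hunk unloads the profile from the running kernel on `remove` or `purge`, so unless the generated snippet does (check with `aa-status` after purging on a 24.04 host), the `userns` grant for /usr/bin/{bench,container,run}exec stays in effect until reboot for whatever is later placed at those paths. Minor style: `[ -x "`command -v ucf`" ]` uses backticks; prefer `[ -x "$(command -v ucf)" ]` for both the ucf and ucfr guards.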
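Review bot: In debian/rules, `dh_apparmor --profile-name=benchexec` is called although the profile is deliberately not staged under debian/benchexec/etc/apparmor.d/ (debian/install places it under usr/share/benchexec/apparmor.d/ instead). That split is intentional here, since dh_apparmor is wanted only for its maintainer-script snippets and the file itself must be placed by ucf at install time because, per the commit message, the abi/4.0 profile breaks older AppArmor; but a later maintainer seeing dh_apparmor next to a profile that is never installed to /etc/apparmor.d will "fix" it by shipping the file there. Put a comment beside the dh_apparmor call explaining why the profile lives in /usr/share and is installed conditionally from postinst.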
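Review bot: In doc/INSTALL.md, "we recommend to use our Ubuntu package, which takes care of this" promises more than the commit message supports: the package does nothing for `python3 -m benchexec.test_tool_info`, and it does not help when the system is upgraded from 22.04 to 24.04 with BenchExec already installed. State both exceptions here, since this is the page users will read when container mode fails. Also, the alternative `sysctl -w kernel.apparmor_restrict_unprivileged_userns=0` disables the restriction for every program on the host, whereas the shipped profile grants `userns` only to the three BenchExec binaries; say so, because that is the reason to prefer the package over the sysctl. Two small things: that sysctl line lacks the `sudo` the neighbouring commands use, and "recommend to use" should read "recommend using".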