[Bug 1377338] Re: apparmor may fail to load some profiles if one is corrupted

2022-02-13 Thread intrigeri
I'm a bit confused: * On the one hand, this bug is *not* marked as fixed in AppArmor upstream; the only reason it was marked as "Fix Released" for Ubuntu is the pile of kludges added in /lib/apparmor/functions, that I migrated to rc.apparmor.functions upstream a few years back. * On the other

[Bug 1379535] Re: policy namespace stacking

2022-02-12 Thread intrigeri
I see this is "Fix Released" everywhere but on the upstream AppArmor project. I understand this has made its way upstream and works with mainline kernel, e.g. for LXC. If my understanding is incorrect, please clarify what's left to do here (or perhaps track it on a finer-grained follow-up bug :)

[Bug 1384746] Re: Support multiple versions of AppArmor policy cache files

2022-02-12 Thread intrigeri
It seems to me this was fixed & released a while ago. https://bugs.launchpad.net/apparmor/+bug/1384746/comments/2 could be tracked on a new, follow-up bug, if still desired. ** Changed in: apparmor Status: In Progress => Fix Released -- You received this bug notification because you are

[Bug 1865519] Re: apparmor depends on python3

2022-02-12 Thread intrigeri
Fixed in 3.0.0 ** Changed in: apparmor Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1865519 Title: apparmor depends on python3 To manage

[Bug 387657] Re: aa-logprof: doesn't handle large logs

2022-02-12 Thread intrigeri
1.5 later with no feedback, let's assume the tentative fix works. ** Changed in: apparmor Status: Fix Committed => Fix Released

[Bug 1575438] Re: usr.sbin.nscd needs r/w access to nslcd socket

2022-02-12 Thread intrigeri
Fix released in 3.0.0. ** Changed in: apparmor Status: Fix Committed => Fix Released

[Bug 1331856] Re: apparmor-utils don't work when defining a variable on

2022-02-12 Thread intrigeri
** Changed in: apparmor Status: Fix Committed => Fix Released

[Bug 1435452] Re: dh_apparmor has no dh sequencer support

2022-02-12 Thread intrigeri
** Bug watch added: Debian Bug tracker #934735 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934735 ** Also affects: apparmor (Debian) via https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934735 Importance: Unknown Status: Unknown

Re: [Bug 1821920] Re: apparmor-profiles installs the chromium-browser profile but not the abstraction

2019-03-30 Thread intrigeri
Tyler Hicks: > It looks like the change mentioned in the above comment came from > Debian. Here's the commit: > https://salsa.debian.org/apparmor-team/apparmor/commit/dc14f24b2c2943c29d0368f913020f1307d8f1d3 > They obviously don't have Actually, Debian has these abstractions and most of

[Bug 1117804] Re: ausearch doesn't show AppArmor denial messages

2018-12-16 Thread intrigeri
Meta: I've re-read the discussion from December 2017. If there were messages later than this on the thread, I missed them due to suboptimal mailing list archive presentation. Sorry if this leads me to wrong conclusions! I lack the skills to do the actual work I think should be done. The only way

[Bug 1784023] Re: Update profiles for usrmerge

2018-11-02 Thread intrigeri
I took a look because this appeared on the Debian package tracker for apparmor-profiles-extra. At least 1.24 (just uploaded to sid) seems to be OK. I've not checked older versions so I don't know when exactly the problem that affected this package (which seems unspecified here) was fixed. If

[Bug 1503762] Re: Provide systemd service

2018-03-19 Thread intrigeri
FTR a systemd unit was imported upstream: https://gitlab.com/apparmor/apparmor/merge_requests/81

[Bug 1751402] Re: abstraction/nameservice should include allow access to /var/lib/sss/mc/initgroups

2018-02-25 Thread intrigeri
FTR this was already added upstream in commit 84cd523d8c which is part of AppArmor v2.12. So it'll be fixed whenever Ubuntu upgrades to 2.12 :) ** Also affects: apparmor Importance: Undecided Status: New ** Changed in: apparmor Status: New => Fix Released

Re: [Bug 1284507] Re: apparmor profile for libreoffice

2018-01-16 Thread intrigeri
> This was partially done. unfortunately the profiles are all missing a / I think that's been fixed in Debian already.

Re: [Bug 1717714] Re: @{pid} variable broken on systems with pid_max more than 6 digits

2018-01-14 Thread intrigeri
Eric Desrochers: > The patch for bionic (devel release) has been sponsored but it is stuck in > bionic-proposed for now waiting for the non amd64/i386 builder to be > operational -> ppcel64, arm, s390x, .. FWIW this patch is part of 2.12-1 that I've uploaded to Debian unstable. No idea how

[Bug 1331856] Re: apparmor-utils don't work when defining a variable on

2018-01-07 Thread intrigeri
Vincas, do you want to test the proposed patch?

[Bug 1738958] Re: Ordering of start and apparmor reload upgrade can cause issues

2017-12-21 Thread intrigeri
Indeed, steps 3 and 4 should ideally happen in the reverse order. I don't know if debhelper provides facilities to order autoscript snippets though. In passing, once https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1385414 is done I think we should use systemd's AppArmorProfile= directive

[Bug 1579548] Re: OTR plugin does not load in Xenial

2017-12-12 Thread intrigeri
I guess this package needs the Ubuntu equivalent of what we call a binNMU in Debian.

[Bug 1730536] Re: "Unable to open external link" in Evince when google-chrome-unstable is the default browser

2017-11-15 Thread intrigeri
** Changed in: apparmor Status: Confirmed => Fix Committed

[Bug 1730536] Re: "Unable to open external link" in Evince when google-chrome-unstable is the default browser

2017-11-12 Thread intrigeri
https://gitlab.com/apparmor/apparmor/merge_requests/9 fixes this bug on my Debian sid test VM.

[Bug 1730536] Re: "Unable to open external link" in evince

2017-11-12 Thread intrigeri
This should be easy to fix with something very similar to https://gitlab.com/apparmor/apparmor/merge_requests/7. While I'm at it I'll check that google-chrome-stable works too. ** Changed in: apparmor (Ubuntu) Status: New => Confirmed ** Also affects: apparmor Importance: Undecided

Re: [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-29 Thread intrigeri
> The kernel patch causing the issue has been reverted. So 4.14-rc7 should work as pre 4.14-rc2 Great! (Modulo Linus' commit message…)

[Bug 1042771] Re: sanitized_helper prevents proper transition to other profiles

2017-10-27 Thread intrigeri
See https://bugs.launchpad.net/apparmor-profiles/+bug/1727993 for a discussion about this topic.

Re: [Bug 1717714] [NEW] @{pid} variable broken on systems with pid_max more than 6 digits

2017-09-18 Thread intrigeri
> I am aware this is a non-default configuration, but I think this should work. Makes sense. Do you want to send a merge request?

[Bug 1710487] Re: evince silently crashes with apparmor error on artful

2017-09-10 Thread intrigeri
FWIW: Jamie, while reviewing the Debian..Ubuntu packaging log in order to merge the Ubuntu one into the Debian source package, I see a few instances of duplicate packaging work going on (e.g. the fix for this bug, upstart job removal). Such duplicate work could have been avoided by merging from

[Bug 1661766] Re: aa-genprof crashes on start due to python 3.6 bug

2017-09-10 Thread intrigeri
FTR Debian sid still defaults to python3 == Python 3.5, but will soon switch to 3.6 (https://release.debian.org/transitions/html/python3.6-supported.html) and will therefore be affected.

[Bug 1117804] Re: ausearch doesn't show AppArmor denial messages

2017-09-03 Thread intrigeri
FTR this was raised as a potential blocker for enabling AppArmor by default on Debian: https://bugs.debian.org/872726. I'm going to investigate why this is a blocker there. tl;dr: as the audit maintainers said in 2014 (https://www.redhat.com/archives/linux-audit/2014-May/msg00119.html) and 2016

[Bug 1598759] Re: AppArmor nameservice abstraction doesn't allow communication with systemd-resolved

2017-08-05 Thread intrigeri
FWIW current Ubuntu citrain branch seems to apply exactly the same patch twice for some reason: debian/patches/adjust-nameservice-for-systemd-resolved.patch debian/patches/profiles-grant-access-to-systemd-resolved.patch Not sure what's going on, but anyway we don't apply this patch in Debian so

[Bug 1503762] Re: Provide systemd service

2017-08-04 Thread intrigeri
** Bug watch added: Debian Bug tracker #870697 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870697 ** Also affects: apparmor (Debian) via https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870697 Importance: Unknown Status: Unknown ** Also affects: apparmor (Ubuntu)

[Bug 1385414] Re: provide systemd compatible cache loading library

2017-07-01 Thread intrigeri
Thanks! So we still need an AppArmor task, not just a systemd one, right? (My question came up because all the AppArmor tasks are marked as "Fix released", and thus I thought the only remaining thing to do is on the systemd side, but your answer suggests that's not actually the case.)

[Bug 1331856] Re: apparmor-utils don't work when defining a variable on

2017-06-30 Thread intrigeri
Anyone interested in moving this forward: please send a merge request. We're apparently not very good at tracking patches attached to bug reports, sorry!

[Bug 1385414] Re: provide systemd compatible cache loading library

2017-06-30 Thread intrigeri
I could ask for help to the person who implemented the initial AppArmor support in systemd. But first I would need a clearer task description than "Add systemd task since it needs an update to make it use the cache loading library". What exactly do we need systemd to do?

[Bug 1507469] Re: Evince's AppArmor profile prevents opening docs from other apps under Wayland

2017-06-30 Thread intrigeri
This was fixed in 2.11.0 so it's fixed in zesty. ** Summary changed: - Evince's Apparmour profile prevents opening docs from other apps under Wayland + Evince's AppArmor profile prevents opening docs from other apps under Wayland ** Changed in: apparmor (Ubuntu) Status: New => Fix

[Bug 740510] Re: multiarch paths in abstractions should not be Linux-specific

2017-06-30 Thread intrigeri
FWIW Stretch was released for Linux architectures only, and I doubt it'll change any time soon. I believe the Debian landscape looked different when Steve filed this bug in 2011. Nowadays I'm not sure what's the value of keeping this bug open.

[Bug 776648] Re: apparmor profile for chromium browser

2017-06-30 Thread intrigeri
This bug report is about the custom profile shipped by Ubuntu in their apparmor-profiles package (and nowhere else AFAIK), not about the apparmor-profiles project (yeah, it's confusing, I know). ** Changed in: apparmor-profiles Status: Triaged => Invalid

[Bug 1101298] Re: More resources must be added into Chromium profile

2017-06-30 Thread intrigeri
This bug report is about the custom profile shipped by Ubuntu in their apparmor-profiles package (and nowhere else AFAIK), not about the apparmor-profiles project (yeah, it's confusing, I know). ** Project changed: apparmor-profiles => apparmor (Ubuntu)

[Bug 1647188] Re: Please make the AppArmor profile support merged-/usr systems

2017-01-06 Thread intrigeri
FYI I've applied this patch in the usr.sbin.tcpdump profile included in Debian's apparmor-profiles-extra 1.11. And I intend to have this profile moved to the tcpdump package proper at the beginning of the Debian 10 (Buster) development cycle, i.e. once Stretch is released.

[Bug 1647188] Re: Please make the AppArmor profile support merged-/usr systems

2016-12-19 Thread intrigeri
Ping? Colder stages of the Debian Stretch freeze will soon be in effect, so it would be nice to have this reviewed & applied earlier :)

[Bug 1647188] [NEW] Please make the AppArmor profile support merged-/usr systems

2016-12-04 Thread intrigeri
Public bug reported: merged-/usr is already available in Debian, will likely be the default in Debian Stretch. The attached patch makes the included AppArmor profile support this use case. Thanks for considering :) ** Affects: tcpdump (Ubuntu) Importance: Undecided Status: New

[Bug 1507469] Re: Evince's Apparmour profile prevents opening docs from other apps under Wayland

2016-12-02 Thread intrigeri
Cherry-picked in Debian's Vcs-Bzr, will be part of the apparmor 2.10.95-7 upload. Thanks everybody!

Re: [Bug 1600524] Re: ubuntuBSD support

2016-07-16 Thread intrigeri
> Well then could you apply the patch to make apparmor installable? The dependency on any kind of initramfs-tools has been dropped in Debian a while ago (2.9.0-3+exp1), because AFAIK it was needed only for the early modules loading code, that was removed a while ago. For some undocumented reason,

Re: [Bug 1600524] Re: ubuntuBSD support

2016-07-16 Thread intrigeri
> I'm confused then. Why is the Architecture field in debian/control set to any? > And why debian/patches/non-linux.patch, debian/non-linux/apparmor_parser? I find it marginally useful to build on Debian/kFreeBSD: this can sometimes help discover real bugs that affect Linux but would not be

[Bug 1408106] Re: attach_disconnected not sufficient for overlayfs

2016-05-23 Thread intrigeri
Hi! What kind of (realistic) timeline can we expect here? (With the move to ZFS for containers, I wonder :) E.g. is this part of your goals for 16.10? (I mean: for the AppArmor/Ubuntu-specific parts, as I've learnt to be patient wrt. the upstreaming to Linux mainline.) Thanks for your work on

[Bug 1435368] Re: dh_apparmor does not assist postinst scripts that need to run the constrained binary before the postinst completes

2015-08-24 Thread intrigeri
Another workaround would be to run mysqld unconfined (e.g. with aa-unconfined, or by copying/hardlinking the binary to a different file and running that one) for whatever operations the postinst has to do. I won't pretend it's nicer than what you've done already, but that's another option on the

[Bug 1399845] Re: tunables/global doesn't include all defined variables

2015-08-24 Thread intrigeri
I'm not sure I get what's the problem: what exact variable (or tunable file containing variables) do you think should be made available to every profile, and is currently not? My understanding of this comment (as a non-native English speaker) is that there is a possibility that some tunables

[Bug 1377338] Re: apparmor may fail to load some profiles if one is corrupted

2015-08-24 Thread intrigeri
Along with LP: #1488179, this is one source of ugliness in current Debian/Ubuntu initscript, that makes it harder than needed to port it to systemd.