Package: apparmor-profiles-extra
Version: 1.33
Severity: serious
Tags: patch

Hi,

see attachment: your config doesn't allow link calls, which
sporadically breaks operation of apt-cacher-ng in unexpected ways.

The suggested change should probably be improved, I am no apparmor
expert.


[ 1451.927739] audit: type=1400 audit(1622048089.493:85): apparmor="ALLOWED" operation="link" profile="apt-cacher-ng" name="/var/cache/apt-cacher-ng/debrep/dists/unstable/InRelease.1622048089" pid=36785 comm="apt-cacher-ng" requested_mask="l" denied_mask="l" fsuid=121 ouid=121 target="/var/cache/apt-cacher-ng/debrep/dists/unstable/InRelease"


Eduard.

-- System Information:
Debian Release: 11.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), 
(500, 'stable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.12.0+ (SMP w/12 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apparmor-profiles-extra depends on:
ii  apparmor  2.13.6-10

apparmor-profiles-extra recommends no packages.

apparmor-profiles-extra suggests no packages.

-- Configuration Files:
/etc/apparmor.d/usr.sbin.apt-cacher-ng changed:
@{APT_CACHER_NG_CACHE_DIR}=/var/cache/apt-cacher-ng
profile apt-cacher-ng /usr/sbin/apt-cacher-ng {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
  #include <abstractions/user-tmp>
  /etc/apt-cacher-ng/ r,
  /etc/apt-cacher-ng/** r,
  /etc/hosts.{deny,allow} r,
  /usr/sbin/apt-cacher-ng mr,
  /var/lib/apt-cacher-ng/** r,
  /{,var/}run/apt-cacher-ng/* rw,
  @{APT_CACHER_NG_CACHE_DIR}/ r,
  @{APT_CACHER_NG_CACHE_DIR}/** rwl,
  /var/log/apt-cacher-ng/ r,
  /var/log/apt-cacher-ng/* rw,
  /{,var/}run/systemd/notify w,
  /{usr/,}bin/dash ixr,
  /{usr/,}bin/ed ixr,
  /{usr/,}bin/red ixr,
  /{usr/,}bin/sed ixr,
  /usr/lib/apt-cacher-ng/acngtool ixr,
  # Allow serving local documentation
  /etc/mime.types r,
  /usr/share/doc/apt-cacher-ng/html/** r,
  # used by libevent
  @{PROC}/sys/kernel/random/uuid r,
  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.apt-cacher-ng>
}


-- no debconf information

From 5eeca40ec3c93dc0d91ce3db0d9f652310087a12 Mon Sep 17 00:00:00 2001
From: Eduard Bloch <bl...@debian.org>
Date: Fri, 28 May 2021 07:11:52 +0200
Subject: [PATCH] Stop breaking latest apt-cacher-ng by blocking link
 operations

---
 profiles/usr.sbin.apt-cacher-ng | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/profiles/usr.sbin.apt-cacher-ng b/profiles/usr.sbin.apt-cacher-ng
index 6d2f5ff..c24c2c5 100644
--- a/profiles/usr.sbin.apt-cacher-ng
+++ b/profiles/usr.sbin.apt-cacher-ng
@@ -18,7 +18,7 @@ profile apt-cacher-ng /usr/sbin/apt-cacher-ng {
   /var/lib/apt-cacher-ng/** r,
   /{,var/}run/apt-cacher-ng/* rw,
   @{APT_CACHER_NG_CACHE_DIR}/ r,
-  @{APT_CACHER_NG_CACHE_DIR}/** rw,
+  @{APT_CACHER_NG_CACHE_DIR}/** rwl,
   /var/log/apt-cacher-ng/ r,
   /var/log/apt-cacher-ng/* rw,
   /{,var/}run/systemd/notify w,
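Review bot: the `l` added on the `@{APT_CACHER_NG_CACHE_DIR}/** rwl,` line applies to every path under the cache directory, and the commit message does not record why it is needed. The audit record in the report (operation="link", requested_mask="l", with both the link name and the target under /var/cache/apt-cacher-ng) is the justification, so quote it in the message body. If a narrower grant is preferred, AppArmor's link pair form (`link subset <link> -> <target>,`) can pin both ends to the cache directory; otherwise `rwl` is reasonable here, since the same glob is already read-write.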
--
2.32.0.rc0
