Package: apparmor
Version: 4.1.3-1
Followup-For: Bug #1121917
X-Debbugs-Cc: [email protected]

Hello,

first I'm very sorry for reacting slowly, and thank you for your responses. (I didn't notice them until this weekend, for some reason.)

To make it short, good news: The bug still exists with the latest sid packages, but Mr. Johansen's upstream commits/merges over the last few weeks fix it. As there is a v5.0.0-alpha6 around, probably we'll see a new release soon, and putting that into sid will resolve everything.

As I found some time on the weekend to narrow it down, just to notice the fix later: For the record, the actual main bug was in userland apparmor_parser, but happens only if the kernel apparmorfs exposes /sys/kernel/security/apparmor/features/policy/permstable32_version > 1, which happens with kernel commit 2e12c5f060176ede209673e4f63ea5d0e3c5814c. Current stable kernel doesn't do this yet. If this is the case, the parser compiles some types of rulesets wrong, in a way that makes the kernel checks on importing fail (in policy_unpack.c, function unpack_perms_table, the AA_ARRAYEND part).

I can upload some example file if someone still wants one, but as mentioned, there's a fix already.

Have a nice day everyone,

-- System Information:
Debian Release: forky/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.18.8+deb14-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apparmor depends on:
ii  debconf [debconf-2.0]  1.5.91
ii  libc6                  2.42-11+b1

apparmor recommends no packages.

Versions of packages apparmor suggests:
pn  apparmor-profiles-extra  <none>
ii  apparmor-utils           4.1.3-1

-- Configuration Files:
/etc/apparmor.d/firefox changed [not included]
/etc/apparmor.d/tunables/home changed [not included]

-- debconf information excluded
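
A check for the trigger condition named in the message above, added here as an example and not part of the original report or of the AppArmor project's code: it reads permstable32_version from apparmorfs and says whether the value is greater than 1. The function name, its optional directory argument and its output words are hypothetical, and the on-disk number format is an assumption, so both decimal and 0x-prefixed hex are accepted.

```shell
#!/bin/sh
# Added example: does this kernel expose permstable32_version > 1, the
# condition under which the report says apparmor_parser miscompiles rules?

# $1 (assumption, for testing): alternative apparmorfs "features" directory.
# Default is the path quoted in the report.
permstable32_state() {
    features_dir=${1:-/sys/kernel/security/apparmor/features}
    f="$features_dir/policy/permstable32_version"

    # Missing file: kernel predates the feature, AppArmor is off,
    # or securityfs is not mounted.
    if [ ! -r "$f" ]; then
        echo "absent"
        return 0
    fi

    raw=$(head -n 1 "$f" | tr -d '[:space:]')

    case $raw in
        0[xX]*)
            hex=${raw#0[xX]}
            case $hex in
                ''|*[!0-9a-fA-F]*) echo "unparseable"; return 0 ;;
            esac
            value=$((0x$hex))
            ;;
        ''|*[!0-9]*)
            echo "unparseable"
            return 0
            ;;
        *)
            # Strip leading zeros so the shell does not read the value as octal.
            dec=$(printf '%s' "$raw" | sed 's/^0*//')
            value=${dec:-0}
            ;;
    esac

    if [ "$value" -gt 1 ]; then
        echo "greater-than-1"    # trigger condition from the report is present
    else
        echo "1-or-lower"
    fi
}

permstable32_state "$@"
```

A result of greater-than-1 only means the kernel-side condition from the report holds; whether policy loading fails still depends on the installed apparmor_parser carrying the upstream fix.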

