Package: release.debian.org
Severity: normal
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:lomiri-online-accounts
User: [email protected]
Usertags: unblock

Please unblock package lomiri-online-accounts

Let src/utils.cpp:apparmorProfileOfPeer() always return 'unconfined'.

[ Reason ]
Debian's (and the upstream) Linux kernel lacks proper LinuxSecurityContext support. There is an Apparmor-specific kernel patch that has never made it to Linux upstream for now.

Details: It appears that AppArmor SO_PEERSEC support for unix domain sockets bound to a filesystem path name is missing from the upstream kernel and is only enabled as a side effect of a patch distributed with AppArmor:
https://gitlab.com/apparmor/apparmor/-/blob/692e6850ba90582105713a683bed753bad696aab/kernel-patches/v4.17/0002-apparmor-af_unix-mediation.patch

Ubuntu kernels contain a rebased variant of the patch which is likely why SO_PEERSEC works on Ubuntu.

See: https://bugs.debian.org/1092591

[ Impact ]
Calendar Sync and Contact Sync in lomiri-{addressbook,calendar}-app won't be able to add online accounts such as nextcloud or owncloud accounts.

[ Tests ]
Manual tests in Debian trixie VM.

[ Risks ]
Regressions might impact lomiri-calendar-app or lomiri-addressbook-app. There is still a problem in lomiri-cloudsync-app with Nextcloud sync which I will address in lomiri-cloudsync-app itself.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

[ Other info ]
Relevant to Lomiri in Debian.

unblock lomiri-online-accounts/0.16-4

diff -Nru lomiri-online-accounts-0.16/debian/changelog lomiri-online-accounts-0.16/debian/changelog --- lomiri-online-accounts-0.16/debian/changelog 2025-04-16 23:54:57.000000000 +0200 +++ lomiri-online-accounts-0.16/debian/changelog 2025-06-15 23:57:27.000000000 +0200 @@ -1,3 +1,14 @@ +lomiri-online-accounts (0.16-4) unstable; urgency=medium + + * debian/patches: + + Add 2001_no-functional-LinuxSecurityContext-support-in-Debians- + kernel.patch. Let src/utils.cpp:apparmorProfileOfPeer() always return + 'unconfined'. Required due to apparmor-specific limitation in + Debian's Linux kernel. (See also: #1092591). This is needed to + make Lomiri Online Accounts setups functional on Debian systems. + + -- Mike Gabriel <[email protected]> Sun, 15 Jun 2025 23:57:27 +0200 + lomiri-online-accounts (0.16-3) unstable; urgency=medium * debian/rules: diff -Nru lomiri-online-accounts-0.16/debian/patches/2001_no-functional-LinuxSecurityContext-support-in-Debians-kernel.patch lomiri-online-accounts-0.16/debian/patches/2001_no-functional-LinuxSecurityContext-support-in-Debians-kernel.patch --- lomiri-online-accounts-0.16/debian/patches/2001_no-functional-LinuxSecurityContext-support-in-Debians-kernel.patch 1970-01-01 01:00:00.000000000 +0100 +++ lomiri-online-accounts-0.16/debian/patches/2001_no-functional-LinuxSecurityContext-support-in-Debians-kernel.patch 2025-06-15 23:55:34.000000000 +0200 
@@ -0,0 +1,44 @@ +Description: Let src/utils.cpp:apparmorProfileOfPeer() always return 'unconfined'. +Author: Mike Gabriel <[email protected]> +Abstract: + Debian's kernel lacks proper LinuxSecurityContext support. There is an + Apparmor-specific kernel patch that has never made it to Linux upstream + for now. + . + Details: It appears that AppArmor SO_PEERSEC support for unix domain + sockets bound to a filesystem path name is missing from the upstream + kernel and is only enabled as a side effect of a patch distributed with + AppArmor: + https://gitlab.com/apparmor/apparmor/-/blob/692e6850ba90582105713a683bed753bad696aab/kernel-patches/v4.17/0002-apparmor-af_unix-mediation.patch + . + Ubuntu kernels contain a rebased variant of the patch which is likely + why SO_PEERSEC works on Ubuntu. + . + See: https://bugs.debian.org/1092591 + +--- a/online-accounts-service/src/utils.cpp ++++ b/online-accounts-service/src/utils.cpp +@@ -33,6 +33,23 @@ + { + static QString ourProfile; + ++ /* Debian's kernel lacks proper LinuxSecurityContext support. There is an ++ * Apparmor-specific kernel patch that has never made it to Linux upstream ++ * for now. ++ * ++ * Details: It appears that AppArmor SO_PEERSEC support for unix domain ++ * sockets bound to a filesystem path name is missing from the upstream ++ * kernel and is only enabled as a side effect of a patch distributed with ++ * AppArmor: ++ * https://gitlab.com/apparmor/apparmor/-/blob/692e6850ba90582105713a683bed753bad696aab/kernel-patches/v4.17/0002-apparmor-af_unix-mediation.patch ++ * ++ * Ubuntu kernels contain a rebased variant of the patch which is likely ++ * why SO_PEERSEC works on Ubuntu. ++ * ++ * See: https://bugs.debian.org/1092591 ++ */ ++ return QString("unconfined"); ++ + QString uniqueConnectionId = message.service(); + /* This is mainly for unit tests: real messages on the session bus always + * have a service name. 
*/ diff -Nru lomiri-online-accounts-0.16/debian/patches/series lomiri-online-accounts-0.16/debian/patches/series --- lomiri-online-accounts-0.16/debian/patches/series 2024-08-20 19:18:33.000000000 +0200 +++ lomiri-online-accounts-0.16/debian/patches/series 2025-06-15 23:03:40.000000000 +0200 @@ -1 +1,2 @@ 1001_drop-encoding-key-from-desktop-file.patch +2001_no-functional-LinuxSecurityContext-support-in-Debians-kernel.patch
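Review bot: the header of 2001_no-functional-LinuxSecurityContext-support-in-Debians-kernel.patch carries its explanation in an `Abstract:` field, which DEP-3 does not define, so tools that parse patch headers will not pick it up. Move that text into the continuation lines of `Description:`, record the bug as `Bug-Debian: https://bugs.debian.org/1092591` instead of a free-text "See:" line, and add a `Forwarded:` field stating whether this Debian-specific workaround was sent upstream.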
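Review bot: in the online-accounts-service/src/utils.cpp hunk, the unconditional `return QString("unconfined");` placed directly after `static QString ourProfile;` turns everything below it, starting at `QString uniqueConnectionId = message.service();`, into dead code, and apparmorProfileOfPeer() now reports every peer as unconfined, including on kernels where SO_PEERSEC does work. Returning "unconfined" only as a fallback when the peer lookup fails would keep the same source able to distinguish confined callers where the kernel supports it. The [ Risks ] section should also state what the callers of this function do with the returned label, since the value is now identical for all peers.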

