Bug#1032020: [pkg-apparmor] Bug#1032020: chromium: Missing character after Chromium AppArmor profile update opens up unrestricted system browsing.

2023-03-01 Thread Guillaume B.
Hi,

Thanks for clearing it up.

I might just take time and find that faulty profile if it ever existed.

Thanks for clearing everything up.

Cheers

On Wed, Mar 1, 2023, 09:48 intrigeri wrote:

> Control: tag -1 + unreproducible
> Control: severity -1 minor
>
> Hi,
>
> Guillaume B. (2023-02-28):
> > Installing fresh sid profiles with both previously stated packages (version
> > 3.0.8-3 and 1.35 respectively), I have not seen that specific mistake made.
> >
> > It may have come from a loose AppArmor profile but, just to be sure, no
> > such open "/** r," found in latest sid-provided
> > apparmor-profiles/apparmor-profiles-extra Chromium AppArmor profile.
>
> I've looked at the Git history of the relevant apparmor* packages and
> found no trace of them having ever distributed a Chromium profile
> with a "/** r," rule.
>
> > dpkg-query: no path found matching pattern /etc/apparmor.d/usr.bin.chromium
>
> This shows that no Debian package is currently maintaining that file.
>
> Frankly, I have no idea how this rule landed on your filesystem, but
> I really don't see how this problem could have been directly caused by
> a Debian package or upgrade.
>
> Cheers,
> --
> intrigeri
>


Bug#1032020: [pkg-apparmor] Bug#1032020: chromium: Missing character after Chromium AppArmor profile update opens up unrestricted system browsing.

2023-03-01 Thread intrigeri
Control: tag -1 + unreproducible
Control: severity -1 minor

Hi,

Guillaume B. (2023-02-28):
> Installing fresh sid profiles with both previously stated packages (version
> 3.0.8-3 and 1.35 respectively), I have not seen that specific mistake made.
>
> It may have come from a loose AppArmor profile but, just to be sure, no
> such open "/** r," found in latest sid-provided
> apparmor-profiles/apparmor-profiles-extra Chromium AppArmor profile.

I've looked at the Git history of the relevant apparmor* packages and
found no trace of them having ever distributed a Chromium profile
with a "/** r," rule.

> dpkg-query: no path found matching pattern /etc/apparmor.d/usr.bin.chromium

This shows that no Debian package is currently maintaining that file.

Frankly, I have no idea how this rule landed on your filesystem, but
I really don't see how this problem could have been directly caused by
a Debian package or upgrade.

Cheers,
-- 
intrigeri



Bug#1032020: chromium: Missing character after Chromium AppArmor profile update opens up unrestricted system browsing.

2023-02-27 Thread Guillaume B.
Start quote -> "
You mean Debian maintenance team, right? If you pulled in an Ubuntu
apparmor package, that's a different story (and we should close this
bug). If you're using Debian's apparmor-profiles package, then the bug
and fix should go there. Although, if you're pulling in an Ubuntu
package to get some kind of apparmor protection that Debian doesn't
have, you also might want to open a wishlist bug on the Debian package
asking for the feature so you don't have to mix-and-match packages
across different distributions."

   ///

I am, honestly, as confused as you. I've had profiles from the
apparmor-profiles and apparmor-profiles-extra packages for a long time.

This time around, though, I did not have either packages installed all the
while having active apparmor.d profiles.

Installing fresh sid profiles with both previously stated packages (version
3.0.8-3 and 1.35 respectively), I have not seen that specific mistake made.

It may have come from a loose AppArmor profile but, just to be sure, no
such open "/** r," found in latest sid-provided
apparmor-profiles/apparmor-profiles-extra Chromium AppArmor profile.

Cheers

On Mon, Feb 27, 2023, 20:45 Andres Salomon wrote:

> Control: reassign -1 apparmor-profiles
>
>
>
> On Mon, Feb 27 2023 at 08:15:37 PM +0100, Guillaume B. wrote:
> > Hi,
> >
> > It seems that the previous emails in our exchange got nuked out my
> > account so apologies for not being able to reply using the usual
> > channels.
> >
> > The command 'find /etc/apparmor* -name "*hromium*" | xargs dpkg -S'
> > returns the following -> "dpkg-query: no path found matching pattern
> > /etc/apparmor.d/usr.bin.chromium
> > lightdm: /etc/apparmor.d/abstractions/lightdm_chromium-browser"
> >
> >   ///
> >
> > I'm using AppArmor profiles found in the "apparmor-profiles" package.
> > Having recently updated from stable, I was able to keep the profiles
> > without the package being installed; i.e., the update couldn't have
> > come from an apparmor-profile package update.
>
>
> Ah, okay, that makes more sense. Reassigning to the apparmor-profiles
> package, then.
>
>
> >
> > Dealing with the issue, I have not made a backup of the updated
> > Chromium AppArmor profile but simply did some file comparison and
> > reverted to a previous profile, nuking the updated profile in the
> > copying process.
> >
> > The "updated" AppArmor profile was dated either January or February
> > of this year and had been modified by an Ubuntu email.
> >
> > TLDR; There was an update to the Chromium AppArmor profile, not sure
> > how, but it happened.
> >
> > I might just take it up with the Ubuntu Chromium AppArmor profile
> > maintenance team, in which case, sorry to have wasted your time.
> >
> > Regards
>
>
>
> You mean Debian maintenance team, right? If you pulled in an Ubuntu
> apparmor package, that's a different story (and we should close this
> bug). If you're using Debian's apparmor-profiles package, then the bug
> and fix should go there. Although, if you're pulling in an Ubuntu
> package to get some kind of apparmor protection that Debian doesn't
> have, you also might want to open a wishlist bug on the Debian package
> asking for the feature so you don't have to mix-and-match packages
> across different distributions.
>
>
>
>


Bug#1032020: chromium: Missing character after Chromium AppArmor profile update opens up unrestricted system browsing.

2023-02-27 Thread Andres Salomon

Control: reassign -1 apparmor-profiles



On Mon, Feb 27 2023 at 08:15:37 PM +0100, Guillaume B. wrote:
> Hi,
>
> It seems that the previous emails in our exchange got nuked out my
> account so apologies for not being able to reply using the usual
> channels.
>
> The command 'find /etc/apparmor* -name "*hromium*" | xargs dpkg -S'
> returns the following -> "dpkg-query: no path found matching pattern
> /etc/apparmor.d/usr.bin.chromium
> lightdm: /etc/apparmor.d/abstractions/lightdm_chromium-browser"
>
>   ///
>
> I'm using AppArmor profiles found in the "apparmor-profiles" package.
> Having recently updated from stable, I was able to keep the profiles
> without the package being installed; i.e., the update couldn't have
> come from an apparmor-profile package update.

Ah, okay, that makes more sense. Reassigning to the apparmor-profiles
package, then.

> Dealing with the issue, I have not made a backup of the updated
> Chromium AppArmor profile but simply did some file comparison and
> reverted to a previous profile, nuking the updated profile in the
> copying process.
>
> The "updated" AppArmor profile was dated either January or February
> of this year and had been modified by an Ubuntu email.
>
> TLDR; There was an update to the Chromium AppArmor profile, not sure
> how, but it happened.
>
> I might just take it up with the Ubuntu Chromium AppArmor profile
> maintenance team, in which case, sorry to have wasted your time.
>
> Regards

You mean Debian maintenance team, right? If you pulled in an Ubuntu
apparmor package, that's a different story (and we should close this
bug). If you're using Debian's apparmor-profiles package, then the bug
and fix should go there. Although, if you're pulling in an Ubuntu
package to get some kind of apparmor protection that Debian doesn't
have, you also might want to open a wishlist bug on the Debian package
asking for the feature so you don't have to mix-and-match packages
across different distributions.




Bug#1032020: chromium: Missing character after Chromium AppArmor profile update opens up unrestricted system browsing.

2023-02-27 Thread Guillaume B.
Hi Andres,

Will take care of it tonight.

Regards

On Sun, Feb 26, 2023, 22:58 Andres Salomon wrote:

> Hi,
>
> I'm a bit confused by this bug report, as chromium doesn't include any
> apparmor profiles.
>
> Please run the following commands to hopefully figure out what package
> is actually providing the profile:
>
> find /etc/apparmor* -name "*hromium*" | xargs dpkg -S
>
> Thanks,
> Andres
>
> On Sun, Feb 26 2023 at 05:48:38 PM +0100, Will B. wrote:
> > Package: chromium
> > Version: 110.0.5481.177-1
> > Severity: important
> > Tags: upstream
> > X-Debbugs-Cc: ksu...@gmail.com
> >
> > Dear Maintainer,
> >
> > Before I begin, the Chromium AppArmor profile in Sid was updated after apt-get
> > update && apt-get upgrade.
> > Please redirect to relevant authority if Chromium reportbug is not the right
> > source.
> >
> >    ///
> >
> > * What led up to the situation? -> Chromium AppArmor profile update after apt-
> > get update && apt-get upgrade.
> > * What exactly did you do (or not do) that was effective (or ineffective)? ->
> > fixed the issue by adding a missing "/" to the profile.
> > * What was the outcome of this action? -> The Chromium AppArmor profile
> > restricted access as it should have done.
> > * What outcome did you expect instead? -> None, fix fixed it.
> >
> >   ///
> >
> > Hi,
> >
> > After a Chromium Sid update in which the AppArmor profile was updated (last
> > date -> 02/07/2023),
> > a missing "/" opened up browsing to the whole system i.e. -> "/** r," instead
> > of "/**/ r,".
> > Switching to the "enclosed" stars symbol fixes the issue.
> >
> > Regards
> >
> >
> > -- System Information:
> > Debian Release: bookworm/sid
> >   APT prefers testing
> >   APT policy: (990, 'testing'), (50, 'unstable')
> > Architecture: amd64 (x86_64)
> > Foreign Architectures: i386
> >
> > Kernel: Linux 6.1.0-3-amd64 (SMP w/12 CPU threads; PREEMPT)
> > Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
> > LANGUAGE=en_US:en
> > Shell: /bin/sh linked to /usr/bin/dash
> > Init: systemd (via /run/systemd/system)
> > LSM: AppArmor: enabled
> >
> > Versions of packages chromium depends on:

Bug#1032020: chromium: Missing character after Chromium AppArmor profile update opens up unrestricted system browsing.

2023-02-26 Thread Andres Salomon

Hi,

I'm a bit confused by this bug report, as chromium doesn't include any 
apparmor profiles.


Please run the following commands to hopefully figure out what package 
is actually providing the profile:


find /etc/apparmor* -name "*hromium*" | xargs dpkg -S

Thanks,
Andres

On Sun, Feb 26 2023 at 05:48:38 PM +0100, Will B. wrote:
> Package: chromium
> Version: 110.0.5481.177-1
> Severity: important
> Tags: upstream
> X-Debbugs-Cc: ksu...@gmail.com
>
> Dear Maintainer,
>
> Before I begin, the Chromium AppArmor profile in Sid was updated after apt-get
> update && apt-get upgrade.
> Please redirect to relevant authority if Chromium reportbug is not the right
> source.
>
>    ///
>
> * What led up to the situation? -> Chromium AppArmor profile update after apt-
> get update && apt-get upgrade.
> * What exactly did you do (or not do) that was effective (or ineffective)? ->
> fixed the issue by adding a missing "/" to the profile.
> * What was the outcome of this action? -> The Chromium AppArmor profile
> restricted access as it should have done.
> * What outcome did you expect instead? -> None, fix fixed it.
>
>   ///
>
> Hi,
>
> After a Chromium Sid update in which the AppArmor profile was updated (last
> date -> 02/07/2023),
> a missing "/" opened up browsing to the whole system i.e. -> "/** r," instead
> of "/**/ r,".
> Switching to the "enclosed" stars symbol fixes the issue.
>
> Regards
>
>
> -- System Information:
> Debian Release: bookworm/sid
>   APT prefers testing
>   APT policy: (990, 'testing'), (50, 'unstable')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 6.1.0-3-amd64 (SMP w/12 CPU threads; PREEMPT)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
> LANGUAGE=en_US:en
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages chromium depends on:

Bug#1032020: chromium: Missing character after Chromium AppArmor profile update opens up unrestricted system browsing.

2023-02-26 Thread Will B.
Package: chromium
Version: 110.0.5481.177-1
Severity: important
Tags: upstream
X-Debbugs-Cc: ksu...@gmail.com

Dear Maintainer,

Before I begin, the Chromium AppArmor profile in Sid was updated after apt-get
update && apt-get upgrade.
Please redirect to relevant authority if Chromium reportbug is not the right
source.

   ///

* What led up to the situation? -> Chromium AppArmor profile update after apt-
get update && apt-get upgrade.
* What exactly did you do (or not do) that was effective (or ineffective)? ->
fixed the issue by adding a missing "/" to the profile.
* What was the outcome of this action? -> The Chromium AppArmor profile
restricted access as it should have done.
* What outcome did you expect instead? -> None, fix fixed it.

  ///

Hi,

After a Chromium Sid update in which the AppArmor profile was updated (last
date -> 02/07/2023),
a missing "/" opened up browsing to the whole system i.e. -> "/** r," instead
of "/**/ r,".
Switching to the "enclosed" stars symbol fixes the issue.

Regards


-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (990, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-3-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages chromium depends on:
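
An added example, not part of the original thread and not code from Debian or AppArmor: a small auditor that shows why the "/** r," rule reported above differs from "/**/ r,", and flags read rules that reach regular files across the whole filesystem. The glob translation is a simplified model, and the profile text and probe paths are constructed for illustration.

```python
import re

def glob_to_regex(glob):
    """Simplified AppArmor path glob -> regex (assumption: only * and ** are
    handled; ?, [], {a,b} and @{VARIABLES} are not expanded).
    "*" never crosses "/", "**" does; a trailing "/" means directories only."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(r"[^\x00]*")
            i += 2
        elif glob[i] == "*":
            out.append(r"[^/\x00]*")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

# File rule: optional qualifiers, absolute path glob, permission letters, comma.
# "deny" rules are intentionally not matched, since they grant nothing.
RULE = re.compile(r"^\s*(?:(?:audit|owner|allow)\s+)*(/\S*)\s+([rwaxmlkiPpCcUu]+)\s*,")

# Constructed probe paths; AppArmor matches directories with a trailing "/".
PROBES = ["/etc/shadow", "/root/.ssh/id_rsa", "/home/user/Documents/tax.pdf",
          "/etc/", "/home/user/"]

def audit_profile(text, probes=PROBES):
    """Return (line, glob, perms, files) for each rule that grants read on
    regular files in more than one top-level directory."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = RULE.match(line.split("#", 1)[0])
        if not m or "r" not in m.group(2):
            continue
        rx = glob_to_regex(m.group(1))
        files = [p for p in probes if not p.endswith("/") and rx.match(p)]
        if len({p.split("/")[1] for p in files}) > 1:
            findings.append((n, m.group(1), m.group(2), files))
    return findings

# Constructed sample profile, not a profile shipped by any package.
LOOSE = """\
# constructed sample
profile chromium /usr/bin/chromium {
  /usr/lib/chromium/** mr,
  /** r,
  owner /home/*/Downloads/** rw,
}
"""
FIXED = LOOSE.replace("/** r,", "/**/ r,")

if __name__ == "__main__":
    for name, prof in (("loose", LOOSE), ("fixed", FIXED)):
        print(name, audit_profile(prof))
```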