Bug#845005: [apparmor] Bug#845005: AppArmor profile denies paths for gtk2-engines-bixbuf and themes

2016-11-21 Thread Christian Boltz 
Hello,

Am Montag, 21. November 2016, 15:13:55 CET schrieb Seth Arnold:
> On Sun, Nov 20, 2016 at 05:41:09PM +0100, Christian Boltz wrote:
> > [patch] Update abstractions/gnome with versioned gtk paths
> > 
> > I propose this patch for trunk, 2.10 and 2.9.
> 
> Acked-by: Seth Arnold 
> 
> Acked for all three

Commited to bzr trunk r3588, 2.10 branch r3365 and 2.9 branch r3033, 
which means the fix will be included in AppArmor 2.11, 2.10.2 and 2.9.4 
whenever we release them ;-)

Updating abstractions/gnome should be enough to get this bug fixed. 
I don't see a need to update the icedove profile.


Regards,

Christian Boltz
-- 
Actually the _real_ "minimal package set" is having no package at
all because having no package at all resolves all dependencies of
the packages and there is no package left  someone might claim to
be unneeded.   [Robert Schiele in opensuse-factory]


signature.asc
Description: This is a digitally signed message part.

Bug#845005: [apparmor] Bug#845005: AppArmor profile denies paths for gtk2-engines-bixbuf and themes

2016-11-21 Thread anonym 
Meta: I'm dropping apparmor@ since we're back in Debian-only land now,
AFAICT.

u:
> Hi Christian & anonym,
> 
> does Christian's patch fix this issue (% it'll be merged upstream)?

Yes! My KDE-hosted Icedove looks very pretty with the same lines added
in the local include. :)

> If yes, can we close this Debian bug on Icedove and not modify the
> Icedove profile itself?

I'm fine the local include until the upstream fix trickles down into
Debian Sid. So, imho, yes.

> Or is there anything else left to add to the
> Icedove profile now? If so, can you update your initial patch please?

If we think this is important to address sooner than Stretch, I could
provide the patch, although I'm unsure we care that much. Perhaps I'm
alone using KDE + Icedove + Apparmor while still caring about how my
Icedove looks? :)

Cheers!

Bug#845005: [apparmor] Bug#845005: AppArmor profile denies paths for gtk2-engines-bixbuf and themes

2016-11-21 Thread Seth Arnold 
On Sun, Nov 20, 2016 at 05:41:09PM +0100, Christian Boltz wrote:
> [patch] Update abstractions/gnome with versioned gtk paths
> 
> I propose this patch for trunk, 2.10 and 2.9.

Acked-by: Seth Arnold 

Acked for all three

Thanks

> 
> 
> [ abstractions-gnome.diff ]
> 
> === modified file 'profiles/apparmor.d/abstractions/gnome'
> --- profiles/apparmor.d/abstractions/gnome  2016-11-06 09:23:51 +
> +++ profiles/apparmor.d/abstractions/gnome  2016-11-20 16:31:56 +
> @@ -22,6 +22,8 @@
>/etc/gtk/*  r,
>/usr/lib{,32,64}/gtk/** mr,
>/usr/lib/@{multiarch}/gtk/**mr,
> +  /usr/lib{,32,64}/gtk-[0-9]*/**  mr,
> +  /usr/lib/@{multiarch}/gtk-[0-9]*/** mr,
>/usr/share/themes/  r,
>/usr/share/themes/**r,
>  


signature.asc
Description: PGP signature

Bug#845005: [apparmor] Bug#845005: AppArmor profile denies paths for gtk2-engines-bixbuf and themes

2016-11-21 Thread u 
Hi Christian & anonym,

does Christian's patch fix this issue (% it'll be merged upstream)?

If yes, can we close this Debian bug on Icedove and not modify the
Icedove profile itself? Or is there anything else left to add to the
Icedove profile now? If so, can you update your initial patch please?

Cheers!
u.

Bug#845005: [apparmor] Bug#845005: AppArmor profile denies paths for gtk2-engines-bixbuf and themes

2016-11-20 Thread u 
Hi!

> (adding back u. to CC - sorry, I didn't realize mails for this bugreport 
> don't get delivered to pkg-apparmor when cleaning up the recipients)

Thanks!

> So here's the patch I hereby propose upstream:

Thank you very much Christian! :))

Take care,
ulrike

Bug#845005: [apparmor] Bug#845005: AppArmor profile denies paths for gtk2-engines-bixbuf and themes

2016-11-20 Thread Christian Boltz 
Hello,

(adding back u. to CC - sorry, I didn't realize mails for this bugreport 
don't get delivered to pkg-apparmor when cleaning up the recipients)

Am Sonntag, 20. November 2016, 13:00:00 CET schrieb anonym:
> At least on my system, I have
> 
>   /usr/lib/x86_64-linux-gnu/gtk-2.0
>   /usr/lib/x86_64-linux-gnu/gtk-3.0
> 
> and nothings else, so your suggseted change looks good to me.

> > +  /usr/share/themes/** r,
> > 
> > This is already included in abstractions/gnome, so I wonder why you
> > needed to add it.
> 
> Sorry! It is not needed (and the explanation for why I included it by
> mistake is just to boring to share here).

Nothing is too boring (and often someone can learn from it), so I'm all 
ears ;-)

> So, in the end, your suggested update to abstractions/gnome (the gtk
> path) seems like the only thing needed, and indeed better than my
> patch.

Thanks for the feedback!

So here's the patch I hereby propose upstream:



[patch] Update abstractions/gnome with versioned gtk paths

I propose this patch for trunk, 2.10 and 2.9.


[ abstractions-gnome.diff ]

=== modified file 'profiles/apparmor.d/abstractions/gnome'
--- profiles/apparmor.d/abstractions/gnome  2016-11-06 09:23:51 +
+++ profiles/apparmor.d/abstractions/gnome  2016-11-20 16:31:56 +
@@ -22,6 +22,8 @@
   /etc/gtk/*  r,
   /usr/lib{,32,64}/gtk/** mr,
   /usr/lib/@{multiarch}/gtk/**mr,
+  /usr/lib{,32,64}/gtk-[0-9]*/**  mr,
+  /usr/lib/@{multiarch}/gtk-[0-9]*/** mr,
   /usr/share/themes/  r,
   /usr/share/themes/**r,
 


Regards,

Christian Boltz
-- 
> I also prefer realnames. But if people want to use a _spellable_
> alias, it's ok for me too.
> However, I hate aliases like "fE3,x7~5X" ;-)
Noone should use his/her password as a mail name ;-)
[> Christian Boltz and meister(at)netz00.com in opensuse]


signature.asc
Description: This is a digitally signed message part.

Bug#845005: [apparmor] Bug#845005: AppArmor profile denies paths for gtk2-engines-bixbuf and themes

2016-11-20 Thread anonym 
Christian Boltz:
> Hello,
> 
> Am Samstag, 19. November 2016, 12:43:00 CET schrieb u:
>> anonym:
>>> As a KDE user I want Icedove to look like a native application
>>> despite it using GTK, which can be achieved with the
>>> gtk2-engines-pixbuf package and some gtk*-engines-* package (e.g.
>>> gtk3-engines-breeze). However, the current Icedove AppArmor profile
>>> blocks the paths used by these packages.
>> Looks good.
>>
>>> The attached patch fixes the profile for me. A proper solution for
>>> AppArmor upstream might be to add the new lines to the appropriate
>>> abstraction file (perhaps abstractions/gnome?).
>>
>> I've put the upstream list and the original author of the profile in
>> Cc:. @Upstream, what do you think?
> 
> Looks good, and it would indeed be a candidate for abstractions/gnome. 
> 
> Some notes and questions:
> 
> +  /usr/lib/@{multiarch}/gtk-*/*/engines/libpixmap.so* mr,
> 
> does not match the openSUSE patchs. Therefore I propose to also add
> 
> /usr/lib*/gtk-*/*/engines/libpixmap.so* mr,
> 
> to make this a cross-distro compatible change ;-)

Great!

> Looking at the gnome abstraction again, I see
> 
>   /usr/lib{,32,64}/gtk/** mr,
>   /usr/lib/@{multiarch}/gtk/**mr,
> 
> Both directories don't exist on my openSUSE system. Instead there is
> /usr/lib64/gtk-2.0/ and /usr/lib64/gtk-3.0/. Maybe we should update 
> these rules to match the versioned paths (and, as a side effect, include 
> libpixmap.so)? That would mean to add
> 
>   /usr/lib{,32,64}/gtk-[0-9]*/** mr,
>   /usr/lib/@{multiarch}/gtk-[0-9]*/**mr,
> 
> 
> Does /usr/lib{,32,64}/gtk/ and/or /usr/lib/@{multiarch}/gtk/  still 
> exist on Debian?

At least on my system, I have

  /usr/lib/x86_64-linux-gnu/gtk-2.0
  /usr/lib/x86_64-linux-gnu/gtk-3.0

and nothings else, so your suggseted change looks good to me.

> (bzr blame says these lines of the gnome abstractions were last touched 
> in 2011, so things might have changed since then ;-)

Indeed! :)

> +  /usr/share/themes/** r,
> 
> This is already included in abstractions/gnome, so I wonder why you 
> needed to add it.

Sorry! It is not needed (and the explanation for why I included it by
mistake is just to boring to share here).

So, in the end, your suggested update to abstractions/gnome (the gtk
path) seems like the only thing needed, and indeed better than my patch.

Cheers!




signature.asc
Description: OpenPGP digital signature

Bug#845005: [apparmor] Bug#845005: AppArmor profile denies paths for gtk2-engines-bixbuf and themes

2016-11-20 Thread Christian Boltz 
Hello,

Am Samstag, 19. November 2016, 12:43:00 CET schrieb u:
> anonym:
> > As a KDE user I want Icedove to look like a native application
> > despite it using GTK, which can be achieved with the
> > gtk2-engines-pixbuf package and some gtk*-engines-* package (e.g.
> > gtk3-engines-breeze). However, the current Icedove AppArmor profile
> > blocks the paths used by these packages.
> Looks good.
> 
> > The attached patch fixes the profile for me. A proper solution for
> > AppArmor upstream might be to add the new lines to the appropriate
> > abstraction file (perhaps abstractions/gnome?).
> 
> I've put the upstream list and the original author of the profile in
> Cc:. @Upstream, what do you think?

Looks good, and it would indeed be a candidate for abstractions/gnome. 

Some notes and questions:

+  /usr/lib/@{multiarch}/gtk-*/*/engines/libpixmap.so* mr,

does not match the openSUSE patchs. Therefore I propose to also add

/usr/lib*/gtk-*/*/engines/libpixmap.so* mr,

to make this a cross-distro compatible change ;-)


Looking at the gnome abstraction again, I see

  /usr/lib{,32,64}/gtk/** mr,
  /usr/lib/@{multiarch}/gtk/**mr,

Both directories don't exist on my openSUSE system. Instead there is
/usr/lib64/gtk-2.0/ and /usr/lib64/gtk-3.0/. Maybe we should update 
these rules to match the versioned paths (and, as a side effect, include 
libpixmap.so)? That would mean to add

  /usr/lib{,32,64}/gtk-[0-9]*/** mr,
  /usr/lib/@{multiarch}/gtk-[0-9]*/**mr,


Does /usr/lib{,32,64}/gtk/ and/or /usr/lib/@{multiarch}/gtk/  still 
exist on Debian?
(bzr blame says these lines of the gnome abstractions were last touched 
in 2011, so things might have changed since then ;-)


+  /usr/share/themes/** r,

This is already included in abstractions/gnome, so I wonder why you 
needed to add it.


Regards,

Christian Boltz
-- 
I just fixed your bug, now you need to find something else to bitch
and flame about ;P
[Cristian Rodriguez on 
http://seifesrants.blogspot.de/2013/05/the-systemd-journal-is-broken-piece-of.html]


signature.asc
Description: This is a digitally signed message part.

Bug#845005: AppArmor profile denies paths for gtk2-engines-bixbuf and themes

2016-11-19 Thread u 
Hi!

anonym:
> Package: icedove
> Version: 1:45.4.0-1

> As a KDE user I want Icedove to look like a native application despite
> it using GTK, which can be achieved with the gtk2-engines-pixbuf package
> and some gtk*-engines-* package (e.g. gtk3-engines-breeze). However, the
> current Icedove AppArmor profile blocks the paths used by these packages.

Looks good.

> The attached patch fixes the profile for me. A proper solution for
> AppArmor upstream might be to add the new lines to the appropriate
> abstraction file (perhaps abstractions/gnome?).

I've put the upstream list and the original author of the profile in
Cc:. @Upstream, what do you think?

Cheers!
u.

Bug#845005: AppArmor profile denies paths for gtk2-engines-bixbuf and themes

2016-11-19 Thread anonym 
Package: icedove
Version: 1:45.4.0-1
Severity: minor
Tags: patch
X-Debbugs-Cc: u...@451f.org

Dear Maintainer,

As a KDE user I want Icedove to look like a native application despite
it using GTK, which can be achieved with the gtk2-engines-pixbuf package
and some gtk*-engines-* package (e.g. gtk3-engines-breeze). However, the
current Icedove AppArmor profile blocks the paths used by these packages.

The attached patch fixes the profile for me. A proper solution for
AppArmor upstream might be to add the new lines to the appropriate
abstraction file (perhaps abstractions/gnome?).

Cheers!

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages icedove depends on:
ii  debianutils   4.8.1
ii  fontconfig2.11.0-6.7
ii  libasound21.1.2-1
ii  libatk1.0-0   2.22.0-1
ii  libc6 2.24-5
ii  libcairo2 1.14.6-1.1
ii  libdbus-1-3   1.10.12-1
ii  libdbus-glib-1-2  0.108-1
ii  libevent-2.0-52.0.21-stable-2.1
ii  libffi6   3.2.1-6
ii  libfontconfig12.11.0-6.7
ii  libfreetype6  2.6.3-3+b1
ii  libgcc1   1:6.2.0-13
ii  libgdk-pixbuf2.0-02.36.0-1
ii  libglib2.0-0  2.50.2-1
ii  libgtk2.0-0   2.24.31-1
ii  libhunspell-1.4-0 1.4.1-2+b1
ii  libicu57  57.1-4
ii  libnspr4  2:4.12-6
ii  libnss3   2:3.26.2-1
ii  libpango-1.0-01.40.3-3
ii  libpangocairo-1.0-0   1.40.3-3
ii  libpangoft2-1.0-0 1.40.3-3
ii  libpixman-1-0 0.34.0-1
ii  libsqlite3-0  3.15.1-1
ii  libstartup-notification0  0.12-4
ii  libstdc++66.2.0-13
ii  libvpx4   1.6.0-3
ii  libx11-6  2:1.6.3-1
ii  libxcomposite11:0.4.4-1
ii  libxdamage1   1:1.1.4-2+b1
ii  libxext6  2:1.3.3-1
ii  libxfixes31:5.0.2-1
ii  libxrender1   1:0.9.9-2
ii  libxt61:1.1.5-1
ii  psmisc22.21-2.1+b1
ii  zlib1g1:1.2.8.dfsg-2+b3

Versions of packages icedove recommends:
ii  hunspell-en-gb [hunspell-dictionary]  1:5.2.3-1
ii  hunspell-en-us [hunspell-dictionary]  20070829-6
ii  iceowl-extension  1:45.4.0-1

Versions of packages icedove suggests:
ii  apparmor  2.10.95-6
ii  fonts-lyx 2.2.0-2
ii  libgssapi-krb5-2  1.15~beta1-1

-- Configuration Files:
/etc/apparmor.d/usr.bin.icedove changed [not included]

-- no debconf information
From 834472a72adfc922bf47e34cc6ff155956f9269c Mon Sep 17 00:00:00 2001
From: anonym 
Date: Sat, 19 Nov 2016 11:59:21 +0100
Subject: [PATCH] AppArmor profile: allow gtk-engines-bixbuf and themes.

This will give Icedove a native look in e.g. KDE (if something like
gtk3-engines-breeze is installed), instead of a look reminding us of the
aestethics found in Windows 95.
---
 debian/apparmor/usr.bin.icedove | 4 
 1 file changed, 4 insertions(+)

diff --git a/debian/apparmor/usr.bin.icedove b/debian/apparmor/usr.bin.icedove
index ba023cd..96abeec 100644
--- a/debian/apparmor/usr.bin.icedove
+++ b/debian/apparmor/usr.bin.icedove
@@ -175,6 +175,10 @@ profile icedove /usr/lib/icedove/icedove {
   /bin/uname Uxr,
   /usr/bin/locale Uxr,
 
+  # Theme support for desktop environments not based on GTK
+  /usr/lib/@{multiarch}/gtk-*/*/engines/libpixmap.so* mr,
+  /usr/share/themes/** r,
+
   /usr/bin/gpg Cx -> gpg,
 
   profile gpg {
-- 
2.10.2