Re: [Touch-packages] [Bug 1990064] Re: unconfined profile denies userns_create for chromium based processes

2022-09-22 Thread intrigeri
> Previously we only had the option of using a system wide sysctl
> kernel.unprivileged_userns_clone to disable unprivileged user
> namespaces. Debian defaults this to off, and you have to opt in.

Just to avoid misunderstandings (I failed to parse the above sentence
unambiguously): in Debian, unprivileged user namespaces have been
enabled by default since Bullseye.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1990064

Title:
  unconfined profile denies userns_create for chromium based processes

Status in apparmor package in Ubuntu:
  Confirmed
Status in linux package in Ubuntu:
  Incomplete

Bug description:
  For Ubuntu 22.10, since the last kernel update, I can't launch any
  chromium-based browser, due to apparmor denying userns_create

  dmesg shows:
  apparmor="DENIED" operation="userns_create" class="namespace" info="User namespace creation restricted" error=-13 profile="unconfined" pid=21323 comm="steamwebhelper" requested="userns_create" denied="userns_create"

  This happens for every process which uses a chromium engine, like
  google chrome itself or in this case steamwebhelper.

  Might be related to this change?:
  
https://patchwork.kernel.org/project/netdevbpf/patch/20220801180146.1157914-5-f...@cloudflare.com/

  not sure if it got merged in this form though..

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1990064/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1377338] Re: apparmor may fail to load some profiles if one is corrupted

2022-02-13 Thread intrigeri
I'm a bit confused:

* On the one hand, this bug is *not* marked as fixed in AppArmor
upstream; the only reason it was marked as "Fix Released" for Ubuntu is
the pile of kludges added in /lib/apparmor/functions, that I migrated to
rc.apparmor.functions upstream a few years back.

* On the other hand, the aforementioned pile of kludges was removed by
https://gitlab.com/apparmor/apparmor/-/commit/0b8ea047e88b250862da73a968b1cd1f8b7f6b91
because "LP:1377338 has been fixed for quite awhile".

So, it seems to me that:

* Either the parser bug was actually fixed upstream, and then the status of this
bug is incorrect: it should be "Fix Released".
* Or the parser bug is still there, and then 
0b8ea047e88b250862da73a968b1cd1f8b7f6b91 was done based on a misunderstanding.

Which is it?

https://bugs.launchpad.net/bugs/1377338

Title:
  apparmor may fail to load some profiles if one is corrupted

Status in AppArmor:
  Triaged
Status in apparmor package in Ubuntu:
  Fix Released
Status in click-apparmor package in Ubuntu:
  Fix Released
Status in apparmor package in Ubuntu RTM:
  Fix Released
Status in click-apparmor package in Ubuntu RTM:
  Fix Released

Bug description:
  Steps to reproduce (on the emulator):
  1. sudo sh -c 'echo foo > /var/lib/apparmor/profiles/click_com.ubuntu.music_music_1.3.638'
  2. sudo start apparmor ACTION=teardown
  3. sudo start apparmor
  start: Job failed to start
  4. sudo aa-status|egrep '^ '|grep -v '('| sort -u > /tmp/aa-status.music_bad
  5. sudo rm -f /var/lib/apparmor/profiles/click_com.ubuntu.music_music_1.3.638
  6. sudo aa-clickhook # regenerates the missing profile to have a good one
  7. sudo start apparmor ACTION=teardown
  8. sudo start apparmor
  9. sudo aa-status|egrep '^ '|grep -v '('| sort -u > /tmp/aa-status.music_good
  10. diff -Naur /tmp/aa-status.music_bad /tmp/aa-status.music_good
  --- /tmp/aa-status.music_bad  2014-10-03 22:47:52.890906744 +
  +++ /tmp/aa-status.music_good 2014-10-03 22:49:54.372739381 +
  @@ -13,6 +13,10 @@
  
com.ubuntu.developer.webapps.webapp-twitter_webapp-twitter_1.0.18//oxide_helper
  com.ubuntu.developer.webapps.webapp-twitter_webapp-twitter-helper_1.0.18
  com.ubuntu.dropping-letters_dropping-letters_0.1.2.2.66
  +   com.ubuntu.music_music_1.3.638
  +   com.ubuntu.shorts_shorts_0.2.330
  +   com.ubuntu.sudoku_sudoku_1.1.292
  +   com.ubuntu.weather_weather_1.1.374
  lxc-container-default
  lxc-container-default-with-mounting
  lxc-container-default-with-nesting
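Review bot: the three profiles that reappear in this hunk besides the deliberately corrupted one (com.ubuntu.shorts_shorts_0.2.330, com.ubuntu.sudoku_sudoku_1.1.292, com.ubuntu.weather_weather_1.1.374) are not a random subset: they are com.ubuntu.* click profiles that sort after com.ubuntu.music_music_1.3.638, whereas the webapp-twitter entries before it and the lxc-container-default* entries are present in both runs. That pattern suggests the loader stops processing the rest of the profile set once one file fails to parse, instead of skipping the bad file and continuing, so any fix should be verified by repeating step 10 with the corrupted file placed at a different position in the sort order and confirming that only that one profile is missing.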

  Expected results: only com.ubuntu.music_music_1.3.638 should be
  missing.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1377338/+subscriptions




[Touch-packages] [Bug 1379535] Re: policy namespace stacking

2022-02-12 Thread intrigeri
I see this is "Fix Released" everywhere but on the upstream AppArmor
project. I understand this has made its way upstream and works with
mainline kernel, e.g. for LXC. If my understanding is incorrect, please
clarify what's left to do here (or perhaps track it on a finer-grained
follow-up bug :)

** Changed in: apparmor
   Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1379535

Title:
  policy namespace stacking

Status in AppArmor:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released
Status in linux package in Ubuntu:
  Fix Released
Status in apparmor source package in Xenial:
  Fix Released
Status in linux source package in Xenial:
  Fix Released

Bug description:
  Tracking bug for supporting stacked policy namespaces (i.e., different
  profiles on host, container, container in a container, etc)

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1379535/+subscriptions




[Touch-packages] [Bug 1384746] Re: Support multiple versions of AppArmor policy cache files

2022-02-12 Thread intrigeri
It seems to me this was fixed & released a while ago.

https://bugs.launchpad.net/apparmor/+bug/1384746/comments/2 could be
tracked on a new, follow-up bug, if still desired.

** Changed in: apparmor
   Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1384746

Title:
  Support multiple versions of AppArmor policy cache files

Status in AppArmor:
  Fix Released
Status in apparmor package in Ubuntu:
  Triaged
Status in linux package in Ubuntu:
  Triaged

Bug description:
  The AppArmor parser should support multiple directories of policy
  cache files. Directories should be specific to a certain AppArmor
  kernel feature set.

  From a distro standpoint, this would allow policy caches to be created
  during kernel install/upgrade.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1384746/+subscriptions




[Touch-packages] [Bug 1865519] Re: apparmor depends on python3

2022-02-12 Thread intrigeri
Fixed in 3.0.0

** Changed in: apparmor
   Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1865519

Title:
  apparmor depends on python3

Status in AppArmor:
  Fix Released
Status in snapd:
  Invalid
Status in apparmor package in Ubuntu:
  Confirmed
Status in snapd package in Ubuntu:
  Invalid

Bug description:
  The TL;DR;
  - AppArmor depends on python3 to support aa-status.
  - snapd depends on apparmor.
  - buildd images have no python
  - building snaps requires snapd
  - snapd does not require aa-status
  - building snaps unnecessarily installs python3 onto the system

  Proposal:
  - Split runtime requirements from apparmor into apparmor-minimal
  - have apparmor depend on apparmor-minimal
  - change snapd's dependency on apparmor to apparmor-minimal

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1865519/+subscriptions




[Touch-packages] [Bug 387657] Re: aa-logprof: doesn't handle large logs

2022-02-12 Thread intrigeri
1.5 later with no feedback, let's assume the tentative fix works.

** Changed in: apparmor
   Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/387657

Title:
  aa-logprof: doesn't handle large logs

Status in AppArmor:
  Fix Released
Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  Binary package hint: apparmor

  Ubuntu 8.04.2
  Package: apparmor-utils
  Version: 2.1+1075-0ubuntu9.2

  My first experience with AppArmor was finding a kernel log file that
  was full of 800 MB of AppArmor warnings from Samba and CUPS. I'm not
  sure what suddenly enabled AppArmor on this LTS system, but while
  fixing the problem I noticed

  aa-logprof, while processing an 800 MB log file, drove the load
  average up into the high 40's. I suspect it was trying to load the
  whole thing into memory (on a system with 1 GB of RAM). I'd recommend
  revising the architecture so that it processes the lines as it sees
  them.

  I worked around the problem by splitting the file into a dozen 75MB
  chunks.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/387657/+subscriptions




[Touch-packages] [Bug 1575438] Re: usr.sbin.nscd needs r/w access to nslcd socket

2022-02-12 Thread intrigeri
Fix released in 3.0.0.

** Changed in: apparmor
   Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1575438

Title:
  usr.sbin.nscd needs r/w access to nslcd socket

Status in AppArmor:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Committed

Bug description:
  I am using nscd with nslcd (LDAP lookup daemon) for NSS services via
  LDAP.

  It is typical to configure nslcd to connect to the actual LDAP server,
  and then set up /etc/ldap.conf (which is what NSS/nscd uses for "ldap"
  type lookups in /etc/nsswitch.conf) with a server URI of
  ldapi:///var/run/nslcd/socket . This way, only nslcd needs to talk
  with the LDAP server, rather than every application that wants to do
  getpwent() et al.

  Unfortunately, the usr.sbin.nscd profile in apparmor-profiles
  2.10.95-0ubuntu2 (Xenial) makes no mention of the nslcd socket, which
  results in NSS LDAP lookups not working when the profile is enforced
  in this configuration.

  This is the new line that is needed:

  /{,var/}run/nslcd/socket rw,

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1575438/+subscriptions




[Touch-packages] [Bug 1331856] Re: apparmor-utils don't work when defining a variable on

2022-02-12 Thread intrigeri
** Changed in: apparmor
   Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1331856

Title:
  apparmor-utils don't work when defining a variable on
  

Status in AppArmor:
  Fix Released
Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  When a variable is set in tunables/home.d/ the apparmor-utils programs
  don't work and return this error messages:

  root@ws24:~# aa-logprof
  Traceback (most recent call last):
    File "/usr/sbin/aa-logprof", line 50, in 
      apparmor.loadincludes()
    File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 4643, in loadincludes
      load_include(fi)
    File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 4520, in load_include
      incdata = parse_profile_data(data, incfile, True)
    File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2839, in parse_profile_data
      store_list_var(profile_data[profile]['lvar'], list_var, value, var_operation)
    File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 3279, in store_list_var
      raise AppArmorException(_('Values added to a non-existing variable: %s') % list_var)
  apparmor.common.AppArmorException: 'Values added to a non-existing variable: @{HOMEDIRS}'
  root@ws24:~#

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1331856/+subscriptions




[Touch-packages] [Bug 1435452] Re: dh_apparmor has no dh sequencer support

2022-02-12 Thread intrigeri
** Bug watch added: Debian Bug tracker #934735
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934735

** Also affects: apparmor (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934735
   Importance: Unknown
   Status: Unknown

https://bugs.launchpad.net/bugs/1435452

Title:
  dh_apparmor has no dh sequencer support

Status in apparmor package in Ubuntu:
  Confirmed
Status in apparmor package in Debian:
  Unknown

Bug description:
  As dh_apparmor timing is critical (it must run before services are
  started with dh_installinit), it makes sense to provide direct dh
  sequencer support so that maintainers don't have to remember to run it
  directly, and cannot mistakenly call it at the wrong point, as
  happened with MySQL in bug 1421303).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1435452/+subscriptions




Re: [Touch-packages] [Bug 1821920] Re: apparmor-profiles installs the chromium-browser profile but not the abstraction

2019-03-30 Thread intrigeri
Tyler Hicks:
> It looks like the change mentioned in the above comment came from
> Debian. Here's the commit:

>   https://salsa.debian.org/apparmor-
> team/apparmor/commit/dc14f24b2c2943c29d0368f913020f1307d8f1d3

> They obviously don't have 

Actually, Debian has these abstractions and most of them work just
fine for us. But we don't
/usr/share/apparmor-profiles/abstractions/ubuntu-browsers.d/chromium-browser
which is Ubuntu-only.

https://bugs.launchpad.net/bugs/1821920

Title:
  apparmor-profiles installs the chromium-browser profile but not the
  abstraction

Status in apparmor package in Ubuntu:
  In Progress

Bug description:
  The apparmor-profiles binary package from apparmor 2.13.2-9ubuntu2 in
  disco-proposed is not handling the chromium-browser profile and
  abstraction correctly. It installs the profile but not the abstraction
  which makes profile loading fail.

  $ sudo apt install apparmor-profiles/disco-proposed
  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  Selected version '2.13.2-9ubuntu2' (Ubuntu:19.04/disco-proposed [all]) for 'apparmor-profiles'
  The following NEW packages will be installed:
    apparmor-profiles
  0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  Need to get 32.5 kB of archives.
  After this operation, 353 kB of additional disk space will be used.
  Get:1 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 apparmor-profiles all 2.13.2-9ubuntu2 [32.5 kB]
  Fetched 32.5 kB in 0s (95.3 kB/s)
  Selecting previously unselected package apparmor-profiles.
  (Reading database ... 119746 files and directories currently installed.)
  Preparing to unpack .../apparmor-profiles_2.13.2-9ubuntu2_all.deb ...
  Unpacking apparmor-profiles (2.13.2-9ubuntu2) ...
  Setting up apparmor-profiles (2.13.2-9ubuntu2) ...
  AppArmor parser error for /etc/apparmor.d/usr.bin.chromium-browser in /etc/apparmor.d/usr.bin.chromium-browser at line 20: Could not open 'abstractions/ubuntu-browsers.d/chromium-browser'

  This makes the apparmor service fail to start:

  $ sudo service apparmor restart
  Job for apparmor.service failed because the control process exited with error code.
  See "systemctl status apparmor.service" and "journalctl -xe" for details.

  
  $ systemctl status apparmor.service | cat
  ● apparmor.service - Load AppArmor profiles
     Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Wed 2019-03-27 13:05:37 UTC; 41s ago
       Docs: man:apparmor(7)
             https://gitlab.com/apparmor/apparmor/wikis/home/
    Process: 5103 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=1/FAILURE)
   Main PID: 5103 (code=exited, status=1/FAILURE)

  Mar 27 13:05:37 sec-disco-amd64 apparmor.systemd[5103]: Restarting AppArmor
  Mar 27 13:05:37 sec-disco-amd64 apparmor.systemd[5103]: Reloading AppArmor profiles
  Mar 27 13:05:37 sec-disco-amd64 apparmor.systemd[5103]: AppArmor parser error for /etc/apparmor.d in /etc/apparmor.d/usr.bin.chromium-browser at line 20: Could not open 'abstractions/ubuntu-browsers.d/chromium-browser'
  Mar 27 13:05:37 sec-disco-amd64 apparmor.systemd[5103]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
  Mar 27 13:05:37 sec-disco-amd64 apparmor.systemd[5103]: AppArmor parser error for /etc/apparmor.d/usr.bin.chromium-browser in /etc/apparmor.d/usr.bin.chromium-browser at line 20: Could not open 'abstractions/ubuntu-browsers.d/chromium-browser'
  Mar 27 13:05:37 sec-disco-amd64 apparmor.systemd[5103]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
  Mar 27 13:05:37 sec-disco-amd64 apparmor.systemd[5103]: Error: At least one profile failed to load
  Mar 27 13:05:37 sec-disco-amd64 systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
  Mar 27 13:05:37 sec-disco-amd64 systemd[1]: apparmor.service: Failed with result 'exit-code'.
  Mar 27 13:05:37 sec-disco-amd64 systemd[1]: Failed to start Load AppArmor profiles.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1821920/+subscriptions
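The failure in this report is a packaging gap that only surfaces when apparmor_parser runs: the profile is installed, the abstraction it includes is not, and the whole service goes down with it. A pre-flight check that resolves include directives before the parser is invoked catches that at build or test time. The following is an added example, not code from the apparmor-profiles package or from this bug thread; it resolves `#include <...>`, `include <...>`, `include if exists <...>` and quoted includes against a base directory (/etc/apparmor.d on a stock system), descends into directory includes, and reports every target that is missing. The temporary file layout it builds, and the check_includes.py name in the usage comment, are constructed for the demo.

```python
import os
import re
import sys
import tempfile
from typing import List, Optional, Set

# Include directives as the policy language spells them:
#   #include <abstractions/base>          classic form
#   include <abstractions/base>           newer form
#   include if exists <local/foo>         a missing target is tolerated
#   include "/etc/apparmor.d/tunables/x"  quoted path (absolute, or relative to the include dir)
_INCLUDE_RE = re.compile(
    r'^\s*#?include\s+(?P<ifexists>if\s+exists\s+)?'
    r'(?:<(?P<angle>[^>]+)>|"(?P<quoted>[^"]+)")')


def find_missing_includes(profile_path: str, include_dir: str,
                          _seen: Optional[Set[str]] = None) -> List[str]:
    """Return every include target reachable from profile_path that does not exist.

    include_dir is where <...> and relative quoted includes are resolved
    (/etc/apparmor.d on a stock install). Directory includes are descended into,
    and each target is visited once so mutually-including files cannot loop.
    """
    if _seen is None:
        _seen = set()
    missing: List[str] = []
    with open(profile_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = _INCLUDE_RE.match(line)
            if not m:
                continue
            target = m.group("angle") or m.group("quoted")
            if not os.path.isabs(target):
                target = os.path.join(include_dir, target)
            if target in _seen:
                continue
            _seen.add(target)
            if not os.path.exists(target):
                if not m.group("ifexists"):
                    missing.append(target)
            elif os.path.isdir(target):
                for name in sorted(os.listdir(target)):
                    child = os.path.join(target, name)
                    if os.path.isfile(child):
                        missing.extend(find_missing_includes(child, include_dir, _seen))
            else:
                missing.extend(find_missing_includes(target, include_dir, _seen))
    return missing


def build_demo_tree(root: str) -> str:
    """Construct a minimal apparmor.d look-alike reproducing the report: the
    chromium-browser profile is present, the Ubuntu-only abstraction it includes
    is not. Returns the profile path. (Constructed demo content, not the package's.)"""
    os.makedirs(os.path.join(root, "abstractions"))
    with open(os.path.join(root, "abstractions", "base"), "w") as fh:
        fh.write("  /etc/ld.so.cache r,\n")
    profile = os.path.join(root, "usr.bin.chromium-browser")
    with open(profile, "w") as fh:
        fh.write(
            "#include <abstractions/base>\n"
            "/usr/bin/chromium-browser {\n"
            "  #include <abstractions/ubuntu-browsers.d/chromium-browser>\n"
            "  include if exists <local/usr.bin.chromium-browser>\n"
            "  /usr/bin/chromium-browser mr,\n"
            "}\n")
    return profile


def demo() -> List[str]:
    """Run the checker on the constructed tree; paths are returned relative to its root."""
    with tempfile.TemporaryDirectory() as root:
        missing = find_missing_includes(build_demo_tree(root), root)
        return [os.path.relpath(p, root) for p in missing]


if __name__ == "__main__":
    # Real-system usage (hypothetical script name):
    #   check_includes.py /etc/apparmor.d/usr.bin.chromium-browser /etc/apparmor.d
    if len(sys.argv) == 3:
        for path in find_missing_includes(sys.argv[1], sys.argv[2]):
            print("missing include:", path)
    else:
        print(demo())
```

Run against the constructed tree it reports only `abstractions/ubuntu-browsers.d/chromium-browser`: the `include if exists` target is also absent but, as the parser would, the check tolerates it. Wired into a package's test step, a non-empty result is exactly the condition that made the disco-proposed upload fail.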



[Touch-packages] [Bug 1117804] Re: ausearch doesn't show AppArmor denial messages

2018-12-16 Thread intrigeri
Meta: I've re-read the discussion from December 2017. If there were
messages later than this on the thread, I missed them due to suboptimal
mailing list archive presentation. Sorry if this leads me to wrong
conclusions!

I lack the skills to do the actual work I think should be done. The only
way I can help here is by facilitating the conversation, so I'll do
that: I'd like to make sure there's no misunderstanding about the
various opinions that were expressed, the current state of the
discussion, and what the next steps should be (e.g. who's waiting for
whom).

My understanding is that [my personal opinion in square brackets]:

0. Upstream acknowledges that there is a problem and that it would be
nice to solve it.

1. There's indeed desire upstream for finding a good balance between
sharing (via generic infrastructure and possibly message types) and
taking into account that each LSM has different needs. [This makes sense
to me: there are probably bits worth sharing instead of every LSM doing
their own thing 100% in their dark corner. Now, obviously finding a good
balance requires discussion between LSMs to identify what can be shared
and what is specific to each, which has its costs (and may require
different skills than writing kernel code).]

2. There's a consensus about the fact we need _some_ way to tell which
LSM has sent the message. Several options have been mentioned, including
adding a new lsm= identifier and using different allocated blocks (be it
in the 1400 range or elsewhere). [I'm glad that the door remains open
for the option we had in mind initially.]

3. The ball is in our court: upstream proposed several options and I
don't see them reach actionable conclusions without our input. At this
point, it seems that the next step is: AppArmor developers express their
needs. For example:

   * Are there existing message formats supported by the auditd suite that would work for us and we'd be happy to share with other LSMs? If yes, great: if we start using them our users will benefit from it without having to adapt existing tools.
   * What are our needs that we think are specific to AppArmor? (It might be that once we state them, another LSM developer will say "actually, this could be useful for us too", who knows :)
   * Once we have the answers to the above questions, we can start checking how many AppArmor-specific identifiers we need today and how many extra spare ones we want allocated. (Without this info, nobody can decide whether we can fit in the 1400 range.)

John, are we on the same page? If not, I'd love to know what we
understood differently :)

https://bugs.launchpad.net/bugs/1117804

Title:
  ausearch doesn't show AppArmor denial messages

Status in AppArmor:
  Confirmed
Status in audit package in Ubuntu:
  Confirmed
Status in linux package in Ubuntu:
  Incomplete

Bug description:
  The following command should display all AVC denials:

  ausearch -m avc

  However, it doesn't work with AppArmor denials. Here's a quick test
  case to generate a denial, search for it with ausearch, and see that
  no messages are displayed:

  $ aa-exec -p /usr/sbin/tcpdump cat /proc/self/attr/current
  cat: /proc/self/attr/current: Permission denied
  $ sudo ausearch -m avc -c cat
  

  ausearch claims that there are no matches, but there's a matching
  audit message if you look in audit.log:

  type=AVC msg=audit(1360193426.539:64): apparmor="DENIED" operation="open" parent=8253 profile="/usr/sbin/tcpdump" name="/proc/8485/attr/current" pid=8485 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1117804/+subscriptions
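Three reports in this digest turn on the same message format: the ausearch report just above (an `apparmor="DENIED"` record tagged `type=AVC` that the audit tooling does not match), the aa-logprof report (bug 387657, an 800 MB log that should be processed line by line rather than loaded whole), and the `userns_create` dmesg line at the top of the digest. The following is an added example, not code from the AppArmor utilities or from any of these bug threads: a streaming parser that accepts both the auditd form (`type=AVC msg=audit(...):` header) and the kernel/dmesg form (optional `[timestamp]` prefix), extracts the `key=value` fields, and aggregates denials without ever holding more than one line in memory. The sample lines are the three denials quoted in the reports plus two constructed non-denial records; the function and variable names are the example's own.

```python
import re
from typing import Iterable, Iterator, Optional

# key=value pairs as AppArmor emits them: the value is either double-quoted
# (and may then contain spaces, e.g. info="User namespace creation restricted")
# or a bare token such as pid=8485 or error=-13.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# auditd record header, e.g. type=AVC msg=audit(1360193426.539:64):
_AUDIT_HDR_RE = re.compile(
    r'^\s*type=(?P<type>\w+)\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*')
# kernel ring-buffer timestamp, e.g. [2794367.925181]
_DMESG_TS_RE = re.compile(r'^\s*\[\s*[\d.]+\]\s*')


def parse_apparmor_line(line: str) -> Optional[dict]:
    """Parse one AppArmor message (auditd or dmesg form) into a dict of its fields.

    Returns None for lines that carry no apparmor= field, so callers can feed
    it an unfiltered audit.log or kern.log.
    """
    rest = line.rstrip("\n")
    event = {}
    m = _AUDIT_HDR_RE.match(rest)
    if m:
        event["type"] = m.group("type")
        event["timestamp"] = float(m.group("ts"))
        event["serial"] = int(m.group("serial"))
        rest = rest[m.end():]
    else:
        m = _DMESG_TS_RE.match(rest)
        if m:
            rest = rest[m.end():]
    fields = {}
    for key, value in _KV_RE.findall(rest):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    if "apparmor" not in fields:
        return None
    event.update(fields)
    return event


def iter_denials(lines: Iterable[str]) -> Iterator[dict]:
    """Yield DENIED events one at a time; given a file object, the log is
    read line by line and never held in memory as a whole."""
    for line in lines:
        event = parse_apparmor_line(line)
        if event is not None and event.get("apparmor") == "DENIED":
            yield event


def summarize_denials(lines: Iterable[str]) -> dict:
    """Count denials per (profile, operation) while streaming the input."""
    counts = {}
    for event in iter_denials(lines):
        key = (event.get("profile"), event.get("operation"))
        counts[key] = counts.get(key, 0) + 1
    return counts


def summarize_file(path: str) -> dict:
    """Stream a log file from disk; iterating the file object reads it line by line."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return summarize_denials(fh)


# Constructed sample: the three denials quoted in the bug reports, plus a
# SYSCALL record and a profile-load STATUS line that must not be counted.
SAMPLE_LINES = [
    'apparmor="DENIED" operation="userns_create" class="namespace" '
    'info="User namespace creation restricted" error=-13 profile="unconfined" '
    'pid=21323 comm="steamwebhelper" requested="userns_create" denied="userns_create"',
    'type=AVC msg=audit(1360193426.539:64): apparmor="DENIED" operation="open" '
    'parent=8253 profile="/usr/sbin/tcpdump" name="/proc/8485/attr/current" '
    'pid=8485 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    '[2794367.925181] apparmor="DENIED" operation="open" profile="/usr/sbin/unbound" '
    'name="/var/lib/sss/mc/initgroups" pid=5111 comm="unbound" requested_mask="r" '
    'denied_mask="r" fsuid=0 ouid=0',
    'type=SYSCALL msg=audit(1360193426.539:64): arch=c000003e syscall=2 success=no exit=-13',
    'Feb 24 02:19:24 host kernel: [  12.345678] apparmor="STATUS" operation="profile_load" '
    'profile="unconfined" name="/usr/sbin/unbound" pid=801 comm="apparmor_parser"',
]

if __name__ == "__main__":
    for (profile, operation), n in sorted(summarize_denials(SAMPLE_LINES).items()):
        print(f"{n:4d}  {profile}  {operation}")
```

Because `iter_denials` is a generator over any iterable of lines, `summarize_file` can be pointed at a multi-gigabyte audit.log and the resident memory stays at one line plus the per-key counters, which is the architecture the aa-logprof report asks for. Matching on the `apparmor=` field rather than on `type=AVC` is also what lets the same code see the record that `ausearch -m avc` misses.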



[Touch-packages] [Bug 1784023] Re: Update profiles for usrmerge

2018-11-02 Thread intrigeri
I took a look because this appeared on the Debian package tracker for
apparmor-profiles-extra. At least 1.24 (just uploaded to sid) seems to
be OK. I've not checked older versions so I don't know when exactly the
problem that affected this package (which seems unspecified here) was
fixed. If there's anything left to fix in this package, please let me
know :)

https://bugs.launchpad.net/bugs/1784023

Title:
  Update profiles for usrmerge

Status in apparmor package in Ubuntu:
  Fix Released
Status in apparmor-profiles-extra package in Ubuntu:
  New
Status in dhcpcanon package in Ubuntu:
  New
Status in ejabberd package in Ubuntu:
  New
Status in firefox package in Ubuntu:
  In Progress
Status in fwknop package in Ubuntu:
  New
Status in i2p package in Ubuntu:
  New
Status in isc-dhcp package in Ubuntu:
  Fix Released
Status in kopanocore package in Ubuntu:
  New
Status in libvirt package in Ubuntu:
  Fix Released
Status in lightdm package in Ubuntu:
  Fix Released
Status in lightdm-remote-session-freerdp2 package in Ubuntu:
  Fix Released
Status in lightdm-remote-session-x2go package in Ubuntu:
  Fix Released
Status in man-db package in Ubuntu:
  Fix Released
Status in strongswan package in Ubuntu:
  Fix Released
Status in surf package in Ubuntu:
  New
Status in telepathy-mission-control-5 package in Ubuntu:
  Fix Released
Status in strongswan package in Debian:
  New

Bug description:
  This is about the / and /usr merge.

  /bin & /sbin merge is out of scope. Anything that was in /sbin/  will
  remain in /{,usr/}sbin/.

  = src:apparmor =
  usr.bin.chromium-browser appears to be out of date w.r.t. apparmor-profiles upstream git tree

  /usr/share/apparmor/extra-profiles/usr.sbin.useradd needs update
  upstream https://gitlab.com/apparmor/apparmor/merge_requests/152/diffs

  = other packages =

  Slightly more complete list: https://paste.ubuntu.com/p/4zDJ8mTc5Z/

  $ sudo grep '[[:space:]]/bin' -r .
  ./usr.bin.man:  /bin/bzip2 rmCx -> _filter,
  ./usr.bin.man:  /bin/gzip rmCx -> _filter,
  ./usr.bin.man:  /bin/bzip2 rm,
  ./usr.bin.man:  /bin/gzip rm,
  ./usr.sbin.libvirtd:  /bin/* PUx,
  ./abstractions/lightdm:  /bin/ rmix,
  ./abstractions/lightdm:  /bin/fusermount Px,
  ./abstractions/lightdm:  /bin/** rmix,
  ./abstractions/libvirt-qemu:  /bin/uname rmix,
  ./abstractions/libvirt-qemu:  /bin/grep rmix,
  ./usr.bin.chromium-browser:  /bin/ps Uxr,
  ./usr.bin.chromium-browser:/bin/dash ixr,
  ./usr.bin.chromium-browser:/bin/grep ixr,
  ./usr.bin.chromium-browser:/bin/readlink ixr,
  ./usr.bin.chromium-browser:/bin/sed ixr,
  ./usr.bin.chromium-browser:/bin/which ixr,
  ./usr.bin.chromium-browser:/bin/mkdir ixr,
  ./usr.bin.chromium-browser:/bin/mv ixr,
  ./usr.bin.chromium-browser:/bin/touch ixr,
  ./usr.bin.chromium-browser:/bin/dash ixr,
  ./usr.bin.firefox:  /bin/which ixr,
  ./usr.bin.firefox:  /bin/ps Uxr,
  ./usr.bin.firefox:  /bin/uname Uxr,
  ./usr.bin.firefox:/bin/dash ixr,
  ./sbin.dhclient:  /bin/bash mr,

  $ sudo grep '[[:space:]]/sbin' -r .
  ./usr.lib.telepathy:deny /sbin/ldconfig x,
  ./usr.sbin.libvirtd:  /sbin/* PUx,
  ./abstractions/lightdm:  /sbin/ r,
  ./abstractions/lightdm:  /sbin/** rmixk,
  ./usr.bin.firefox:  /sbin/killall5 ixr,
  ./sbin.dhclient:  /sbin/dhclient mr,
  ./sbin.dhclient:  # daemon to run arbitrary code via /sbin/dhclient-script, it would need to be
  ./sbin.dhclient:  /sbin/dhclient-script   Uxr,

  $ sudo grep '[[:space:]]/lib' -r .
  ./snap.core.4917.usr.lib.snapd.snap-confine:/lib/udev/snappy-app-dev ixr, # drop
  ./usr.lib.snapd.snap-confine.real:/lib/udev/snappy-app-dev ixr, # drop
  ./abstractions/lightdm:  /lib/ r,
  ./abstractions/lightdm:  /lib/** rmixk,
  ./abstractions/lightdm:  /lib32/ r,
  ./abstractions/lightdm:  /lib32/** rmixk,
  ./abstractions/lightdm:  /lib64/ r,
  ./abstractions/lightdm:  /lib64/** rmixk,
  ./usr.bin.chromium-browser:/lib/libgcc_s.so* mr,
  ./usr.bin.chromium-browser:/lib/@{multiarch}/libgcc_s.so* mr,
  ./usr.bin.chromium-browser:/lib{,32,64}/libm-*.so* mr,
  ./usr.bin.chromium-browser:/lib/@{multiarch}/libm-*.so* mr,
  ./usr.bin.chromium-browser:/lib{,32,64}/libpthread-*.so* mr,
  ./usr.bin.chromium-browser:/lib/@{multiarch}/libpthread-*.so* mr,
  ./usr.bin.chromium-browser:/lib{,32,64}/libc-*.so* mr,
  ./usr.bin.chromium-browser:/lib/@{multiarch}/libc-*.so* mr,
  ./usr.bin.chromium-browser:/lib{,32,64}/libld-*.so* mr,
  ./usr.bin.chromium-browser:/lib/@{multiarch}/libld-*.so* mr,
  ./usr.bin.chromium-browser:/lib{,32,64}/ld-*.so* mr,
  ./usr.bin.chromium-browser:/lib/@{multiarch}/ld-*.so* mr,
  ./usr.bin.chromium-browser:/lib/tls/*/{cmov,nosegneg}/libm-*.so* mr,
  ./usr.bin.chromium-browser:/lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
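The grep lists above are the inventory; the rewrite they call for is mechanical but has edge cases (rules already under /usr/, rules already carrying `/{,usr/}`, the `/lib{,32,64}` alternation, `deny` qualifiers, trailing comments, and comment lines that mention a path). The following is an added example, not tooling from the bug thread or from any of the packages listed: it rewrites file rules so that a legacy top-level path matches both its old and its /usr location, keeping /bin and /sbin distinct as the report scopes them. The sample profile is constructed from rules quoted in the grep output with the file-name prefixes dropped; the function names are the example's own.

```python
import re
from typing import List, Tuple

# Top-level directories that the / and /usr merge makes aliases of /usr/<dir>.
# /bin and /sbin stay separate directories (that merge is out of scope in the
# report); each simply gains its /usr twin, as do /lib, /lib32, /lib64 and the
# /lib{,32,64} alternation spelling used in the chromium profile.
_LEGACY_TOP_RE = re.compile(r'^/(?P<dir>bin|sbin|lib(?:\{,32,64\}|32|64)?)/')

# A file rule: optional qualifiers, a path starting with '/', then permissions.
_FILE_RULE_RE = re.compile(
    r'^(?P<indent>\s*)(?P<quals>(?:(?:audit|deny|owner)\s+)*)(?P<path>/\S+)(?P<rest>\s.*)?$')


def usrmerge_path(path: str) -> str:
    """Rewrite one path glob so it matches both the legacy and the /usr location.

    Paths already under /usr/ or already carrying the /{,usr/} alternation are
    returned unchanged, so the function is idempotent.
    """
    if path.startswith("/usr/") or path.startswith("/{,usr/}"):
        return path
    return _LEGACY_TOP_RE.sub(lambda m: "/{,usr/}" + m.group("dir") + "/", path)


def usrmerge_rule(line: str) -> str:
    """Rewrite a single profile line. Comments, blank lines, non-file rules
    (capability, network, ...) and rules whose path is already merged pass
    through untouched; link rules with two paths are deliberately left alone."""
    body = line.rstrip("\n")
    newline = "\n" if line.endswith("\n") else ""
    if not body.strip() or body.lstrip().startswith("#"):
        return line
    m = _FILE_RULE_RE.match(body)
    if not m:
        return line
    return (m.group("indent") + m.group("quals") + usrmerge_path(m.group("path"))
            + (m.group("rest") or "") + newline)


def usrmerge_profile(lines: List[str]) -> Tuple[List[str], int]:
    """Apply usrmerge_rule to every line; returns the new lines and how many changed."""
    out = []
    changed = 0
    for line in lines:
        new = usrmerge_rule(line)
        if new != line:
            changed += 1
        out.append(new)
    return out, changed


# Constructed sample assembled from rules quoted in the report's grep output
# (file-name prefixes dropped), plus lines that must survive unchanged.
SAMPLE_PROFILE = [
    "# constructed sample, not a shipped profile\n",
    "  /bin/bzip2 rmCx -> _filter,\n",
    "  deny /sbin/ldconfig x,\n",
    "  /bin/** rmix,\n",
    "  /lib/udev/snappy-app-dev ixr, # drop\n",
    "  /lib{,32,64}/libm-*.so* mr,\n",
    "  /lib/@{multiarch}/libc-*.so* mr,\n",
    "  /usr/bin/which ixr,\n",
    "  /{,usr/}sbin/dhclient mr,\n",
    "  # daemon to run arbitrary code via /sbin/dhclient-script\n",
    "  capability net_raw,\n",
]

if __name__ == "__main__":
    rewritten, n = usrmerge_profile(SAMPLE_PROFILE)
    print("".join(rewritten), end="")
    print(f"# {n} rule(s) rewritten")
```

Running it on the sample rewrites six rules and leaves the other five alone. The output is meant to be diffed and reviewed rather than committed blindly: widening `/bin/**` to `/{,usr/}bin/**` is the intended change, but a rule that was deliberately narrow (the `deny /sbin/ldconfig x,` line) now also denies the /usr twin, which is correct here and worth confirming for any profile where a deny was paired with a matching allow.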
  

[Touch-packages] [Bug 1503762] Re: Provide systemd service

2018-03-19 Thread intrigeri
FTR a systemd unit was imported upstream:
https://gitlab.com/apparmor/apparmor/merge_requests/81

https://bugs.launchpad.net/bugs/1503762

Title:
  Provide systemd service

Status in AppArmor:
  New
Status in apparmor package in Ubuntu:
  New
Status in apparmor package in Debian:
  Confirmed
Status in apparmor package in Gentoo Linux:
  Fix Released

Bug description:
  AppArmor is in the critical path for bootup for any systems that use
  it.  Let's specify a systemd service file instead of having systemd
  use sysv compatibility mode.

  There seems to be a few bugs tracking the precursor this work, like
  https://bugs.launchpad.net/apparmor/+bug/1488179, but no actual bug
  for the systemd service itself.

  AUR has a simple service file, not sure if that would be useful -
  https://aur.archlinux.org/packages/apparmor/

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1503762/+subscriptions



[Touch-packages] [Bug 1751402] Re: abstraction/nameservice should include allow access to /var/lib/sss/mc/initgroups

2018-02-25 Thread intrigeri
FTR this was already added upstream in commit 84cd523d8c which is part
of AppArmor v2.12. So it'll be fixed whenever Ubuntu upgrades to 2.12 :)

** Also affects: apparmor
   Importance: Undecided
   Status: New

** Changed in: apparmor
   Status: New => Fix Released

https://bugs.launchpad.net/bugs/1751402

Title:
  abstraction/nameservice should include allow access to
  /var/lib/sss/mc/initgroups

Status in AppArmor:
  Fix Released
Status in apparmor package in Ubuntu:
  New

Bug description:
  From
  https://bugs.launchpad.net/ubuntu/+source/unbound/+bug/1749931/comments/4:

  [2794367.925181] apparmor="DENIED" operation="open" profile="/usr/sbin/unbound" name="/var/lib/sss/mc/initgroups" pid=5111 comm="unbound" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  The unbound AA profile includes abstractions/nameservice which already
  has some rules for files under /var/lib/sss/mc. I think that adding
  "/var/lib/sss/mc/initgroups r" to abstractions/nameservice would make
  sense:

  $ diff -Naur abstractions/nameservice.orig abstractions/nameservice
  --- abstractions/nameservice.orig 2018-02-24 02:19:24.310884300 +
  +++ abstractions/nameservice  2018-02-24 02:20:10.578785312 +
  @@ -30,6 +30,7 @@
 # and the nss plugin also needs to talk to a pipe
 /var/lib/sss/mc/group   r,
 /var/lib/sss/mc/passwd  r,
  +  /var/lib/sss/mc/initgroups r,
 /var/lib/sss/pipes/nss  rw,
   
 /etc/resolv.confr,
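Review bot: the new `/var/lib/sss/mc/initgroups r,` line is read-only, consistent with the `group` and `passwd` entries just above it, which is the right scope; the only nit is that it breaks the column alignment those two entries use, so pad it so the `r,` lines up with its neighbours before it lands in abstractions/nameservice. It is also worth stating whether a per-file rule is preferred over a `/var/lib/sss/mc/* r,` glob: the per-file form is the tighter choice and matches the existing style, but it means the next sssd cache file will trigger the same denial.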

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1751402/+subscriptions



Re: [Touch-packages] [Bug 1717714] Re: @{pid} variable broken on systems with pid_max more than 6 digits

2018-01-14 Thread intrigeri
Eric Desrochers:
> The patch for bionic (devel release) has been sponsored but it is stuck in 
> bionic-proposed for now waiting for the non amd64/i386 builder to be 
> operational -> ppcel64, arm, s390x, ..

FWIW this patch is part of 2.12-1 that I've uploaded to Debian unstable.
No idea how exactly this will be sync'ed into Ubuntu.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1717714

Title:
  @{pid} variable broken on systems with pid_max more than 6 digits

Status in AppArmor:
  Fix Committed
Status in AppArmor 2.11 series:
  Fix Committed
Status in apparmor package in Ubuntu:
  In Progress
Status in apparmor source package in Trusty:
  New
Status in apparmor source package in Xenial:
  New
Status in apparmor source package in Zesty:
  New
Status in apparmor source package in Artful:
  New
Status in apparmor source package in Bionic:
  In Progress
Status in apparmor package in Debian:
  Confirmed

Bug description:
  [Impact]

  If the PID is larger than 6 digits, apparmor denies the process. This
  only affects 64-bit systems[1], where PID_MAX_LIMIT allows PIDs of up
  to 7 digits.

  This fix is committed, but not released, so all supported versions are
  affected.

  [1] - man 5 proc

  --
  /proc/sys/kernel/pid_max (since Linux 2.5.34)
  This file specifies the value at which PIDs wrap around (i.e., the value in this file is one greater than the maximum PID). PIDs greater than this value are not allocated; thus, the value in this file also acts as a system-wide limit on the total number of processes and threads. The default value for this file, 32768, results in the same range of PIDs as on earlier kernels. On 32-bit platforms, 32768 is the maximum value for pid_max. On 64-bit systems, pid_max can be set to any value up to 2^22 (PID_MAX_LIMIT, approximately 4 million).
  --

  [Test Case]

  1. making pid over 6 digits
  #!/bin/bash

  for i in {1..100}
  do
    touch t
  done

  2. snap install --dangerous core_16-2.29.4.2_amd64.snap (snap core
  16-2.30 avoids using /proc/PID/cmdline, so an older version is needed)

  3. you can see DENIED msgs in syslog

  4. change /etc/apparmor.d/tunables/kernelvars
  5. service apparmor restart
  6. service snapd restart
  7. DENIED is gone

  This is one way; the issue can't be reproduced again even if you change
  kernelvars back to the original and restart snapd.

  OR

  instead of Seyeong's touch approach, things can be manually changed to
  the 7-digit range via sysctl as long as the values are below
  approximately 4 million:

  Example:
  $ sysctl -w kernel.pid_max=300
  $ sysctl -w kernel.ns_last_pid=100

  [Regression]
  * This is a minor/trivial fix which changes the pid regex only, allowing 7-digit PIDs instead of only 6-digit PIDs; we don't think there is any potential regression.

  * If a regression arise, which we highly doubt, one can quickly revert
  the change manually and restart the service by modifying
  "/etc/apparmor.d/tunables/kernelvars" file to its original state
  (before this SRU).

  [Others]

  * Upstream commit:
    https://gitlab.com/apparmor/apparmor/commit/630cb2a981cdc731847e8fdaafc45bcd337fe747
    http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3722

  * Debian bug:
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886732

  * commit 630cb2a981cdc731847e8fdaafc45bcd337fe747
  Author: Vincas Dargis 
  Date:   Sat Sep 30 15:28:15 2017 +0300

  Allow seven digit pid

  * Affecting releases : TXZAB
  --
  $ git describe --contains 630cb2a9
  v2.11.95~5^2

  $ rmadison apparmor
   apparmor | 2.8.95~2430-0ubuntu5   | trusty
   apparmor | 2.10.95-0ubuntu2.6~14.04.1 | trusty-security
   apparmor | 2.10.95-0ubuntu2.6~14.04.1 | trusty-updates
   apparmor | 2.10.95-0ubuntu2   | xenial
   apparmor | 2.10.95-0ubuntu2.6 | xenial-security
   apparmor | 2.10.95-0ubuntu2.7 | xenial-updates
   apparmor | 2.11.0-2ubuntu4| zesty
   apparmor | 2.11.0-2ubuntu17   | artful
   apparmor | 2.11.0-2ubuntu18   | bionic

  $ rmadison -u debian apparmor
   apparmor | 2.11.1-4   | unstable
  --

  [Original Description]

  If your kernel.pid_max sysctl is set higher than the default, say at 7
  digits, the @{pid} variable no longer matches all pids, causing some
  breakage in any profile using it.

  @{pid} is defined in /etc/apparmor.d/tunables:
  
@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}

  It only covers up to 6 digits.

  

[Touch-packages] [Bug 1331856] Re: apparmor-utils don't work when defining a variable on

2018-01-07 Thread intrigeri
Vincas, do you want to test the proposed patch?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1331856

Title:
  apparmor-utils don't work when defining a variable on
  

Status in AppArmor:
  Triaged
Status in apparmor package in Ubuntu:
  New

Bug description:
  When a variable is set in tunables/home.d/ the apparmor-utils programs
  don't work and return this error messages:

  root@ws24:~# aa-logprof 
  Traceback (most recent call last):
    File "/usr/sbin/aa-logprof", line 50, in <module>
      apparmor.loadincludes()
    File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 4643, in loadincludes
      load_include(fi)
    File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 4520, in load_include
      incdata = parse_profile_data(data, incfile, True)
    File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2839, in parse_profile_data
      store_list_var(profile_data[profile]['lvar'], list_var, value, var_operation)
    File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 3279, in store_list_var
      raise AppArmorException(_('Values added to a non-existing variable: %s') % list_var)
  apparmor.common.AppArmorException: 'Values added to a non-existing variable: @{HOMEDIRS}'
  root@ws24:~#

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1331856/+subscriptions



[Touch-packages] [Bug 1738958] Re: Ordering of start and apparmor reload upgrade can cause issues

2017-12-21 Thread intrigeri
Indeed, steps 3 and 4 should ideally happen in the reverse order. I
don't know if debhelper provides facilities to order autoscript snippets
though.

In passing, once
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1385414 is done
I think we should use systemd's AppArmorProfile= directive and it will
do the right thing, i.e. compile the updated policy just before starting
the upgraded daemon. But we're not there yet.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1738958

Title:
  Ordering of start and apparmor reload upgrade can cause issues

Status in apparmor package in Ubuntu:
  New
Status in ntp package in Ubuntu:
  New

Bug description:
  We found this in ntp, but I think it is a general issue in the ordering.
  The tail of NTPs postinst looks like that:

  if [ "$1" = "triggered" ]; then
  # The default configuration uses a leapfile from tzdata
  # restart ntp on changes
  invoke-rc.d ntp try-restart || true
  fi

  #DEBHELPER#

  Therefore on an upgrade it is restarted one more time "the old way".
  E.g. if there are changes delivered by #DEBHELPER# generated maintainer
  script snippets, e.g. apparmor profiles, then this try-restart will be
  without them.

  Also this might be a bad "combo" with "--no-restart-after-upgrade" that is 
set in debian/rules.
  --no-restart-after-upgrade
  Undo a previous --restart-after-upgrade (or the default of compat 10). If no other options are given, this will cause the service to be stopped in the prerm script and started again in the postinst script.

  I think no-restart-after-upgrade + try-restart means try-restart will
  do nothing as "try-restart" on the (now stopped service) does nothing.

  So what happens seems to be this:
  1. prerm stops ntp
  2. postinst try-restart does nothing as it is stopped (not important to this case but good to know)
  3. postinst dh_installinit will "invoke-rc.d ntp start" with the old profile
  4. postinst dh_apparmor reloads apparmor profiles

  So if you have issues triggered by the start on #3 before the new
  profile is in place due to #4 this causes issues.

  I think #3 (as well as similar systemd things) and #4 should be
  reordered so that the new profile is loaded BEFORE

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1738958/+subscriptions



[Touch-packages] [Bug 1730536] Re: "Unable to open external link" in Evince when google-chrome-unstable is the default browser

2017-11-15 Thread intrigeri
** Changed in: apparmor
   Status: Confirmed => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1730536

Title:
  "Unable to open external link" in Evince when google-chrome-unstable
  is the default browser

Status in AppArmor:
  Fix Committed
Status in apparmor package in Ubuntu:
  Confirmed
Status in apparmor package in Debian:
  Confirmed

Bug description:
  TO REPRODUCE:

  I attempt to open a URL from a PDF document in Evince.

  
  EXPECTED:

  The browser opens the URL.

  
  OBSERVED:

  I'm shown an error message:

  Unable to open external link
  Failed to execute child process “/usr/bin/google-chrome-unstable” (Permission denied)

  journalctl shows:

  Nov 06 19:19:18 khaeru-laptop audit[22110]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/opt/google/chrome-unstable/google-chrome-unstable" pid=22110 comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
  Nov 06 19:19:18 khaeru-laptop kernel: audit: type=1400 audit(1510013958.773:590): apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/opt/google/chrome-unstable/google-chrome-unstable" pid=22110 comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

  
  EXTRA INFORMATION:

  - As the messages imply, I'm using Google Chrome "unstable".
  - The file
/usr/bin/google-chrome-unstable
…is symlinked to:
/opt/google/chrome-unstable/google-chrome-unstable
  - I note that previous bugs, eg. bug #964510, resulted in lines being added 
to 
/etc/apparmor.d/abstractions/ubuntu-helpers that refer to paths in
/opt/google/chrome/. This directory does not exist on my system.

  $ lsb_release -rd && apt-cache policy apparmor evince google-chrome-unstable 
  Description:Ubuntu 17.10
  Release:17.10
  apparmor:
Installed: 2.11.0-2ubuntu17
Candidate: 2.11.0-2ubuntu17
Version table:
   *** 2.11.0-2ubuntu17 500
  500 http://us.archive.ubuntu.com/ubuntu artful/main amd64 Packages
  100 /var/lib/dpkg/status
  evince:
Installed: 3.26.0-1
Candidate: 3.26.0-1
Version table:
   *** 3.26.0-1 500
  500 http://us.archive.ubuntu.com/ubuntu artful/main amd64 Packages
  100 /var/lib/dpkg/status
  google-chrome-unstable:
Installed: 64.0.3251.0-1
Candidate: 64.0.3253.3-1
Version table:
   64.0.3253.3-1 500
  500 http://dl.google.com/linux/chrome/deb stable/main amd64 Packages
   *** 64.0.3251.0-1 100
  100 /var/lib/dpkg/status

  ProblemType: Bug
  DistroRelease: Ubuntu 17.10
  Package: apparmor 2.11.0-2ubuntu17
  ProcVersionSignature: Ubuntu 4.13.0-16.19-generic 4.13.4
  Uname: Linux 4.13.0-16-generic x86_64
  ApportVersion: 2.20.7-0ubuntu3.1
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  Date: Mon Nov  6 19:20:34 2017
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2017-10-11 (26 days ago)
  InstallationMedia: Ubuntu 17.04 "Zesty Zapus" - Release amd64 (20170412)
  ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-4.13.0-16-generic.efi.signed 
root=UUID=39ca3c53-0313-4699-a5da-403522e2ff14 ro quiet splash vt.handoff=7
  SourcePackage: apparmor
  Syslog:
   
  UpgradeStatus: Upgraded to artful on 2017-10-19 (18 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1730536/+subscriptions



[Touch-packages] [Bug 1730536] Re: "Unable to open external link" in Evince when google-chrome-unstable is the default browser

2017-11-12 Thread intrigeri
https://gitlab.com/apparmor/apparmor/merge_requests/9 fixes this bug on
my Debian sid test VM.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1730536

Title:
  "Unable to open external link" in Evince when google-chrome-unstable
  is the default browser

Status in AppArmor:
  Confirmed
Status in apparmor package in Ubuntu:
  Confirmed
Status in apparmor package in Debian:
  Confirmed

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1730536/+subscriptions



[Touch-packages] [Bug 1730536] Re: "Unable to open external link" in evince

2017-11-12 Thread intrigeri
This should be easy to fix with something very similar to
https://gitlab.com/apparmor/apparmor/merge_requests/7. While I'm at it
I'll check that google-chrome-stable works too.

** Changed in: apparmor (Ubuntu)
   Status: New => Confirmed

** Also affects: apparmor
   Importance: Undecided
   Status: New

** Also affects: apparmor (Debian)
   Importance: Undecided
   Status: New

** Changed in: apparmor (Debian)
   Status: New => Confirmed

** Changed in: apparmor
   Status: New => Confirmed

** Summary changed:

- "Unable to open external link" in evince
+ "Unable to open external link" in Evince when google-chrome-unstable is the 
default browser

** Tags added: aa-policy

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1730536

Title:
  "Unable to open external link" in Evince when google-chrome-unstable
  is the default browser

Status in AppArmor:
  Confirmed
Status in apparmor package in Ubuntu:
  Confirmed
Status in apparmor package in Debian:
  Confirmed

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1730536/+subscriptions



Re: [Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-29 Thread intrigeri
> The kernel patch causing the issue has been reverted. So 4.14-rc7
> should work as pre 4.14-rc2

Great! (Modulo Linus' commit message…)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1721278

Title:
  apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed"
  w/ 4.14-rc2 and later

Status in apparmor package in Ubuntu:
  Invalid
Status in apparmor source package in Xenial:
  Invalid
Status in apparmor source package in Zesty:
  Invalid
Status in apparmor source package in Artful:
  Invalid

Bug description:
  With Ubuntu 16.04.3 LTS (Xenial Xerus), and apparmor
  2.10.95-0ubuntu2.7, in the system log each second the error message
  below is printed to.

  ```
  […]
  [Mi Okt  4 16:57:52 2017] audit: type=1400 audit(1507129072.882:554): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
  [Mi Okt  4 16:57:53 2017] audit: type=1400 audit(1507129073.886:555): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
  [Mi Okt  4 16:57:54 2017] audit: type=1400 audit(1507129074.886:556): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
  [Mi Okt  4 16:57:55 2017] audit: type=1400 audit(1507129075.886:557): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
  […]
  ```

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1721278/+subscriptions



[Touch-packages] [Bug 1042771] Re: sanitized_helper prevents proper transition to other profiles

2017-10-27 Thread intrigeri
See https://bugs.launchpad.net/apparmor-profiles/+bug/1727993 for a
discussion about this topic.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1042771

Title:
  sanitized_helper prevents proper transition to other profiles

Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  When an application using the sanitized_helper launches another binary
  also covered by another apparmor profile, the launched binary is
  running with the sanitized_helper profile instead of transiting. Here
  is way to reproduce/observe the problem:

  Launch firefox to open a PDF through Evince:
  1) firefox https://help.ubuntu.com/10.04/serverguide/serverguide.pdf

  Observe the Apparmor profiles loaded:
  2) ps Zaux| grep -v ^unconfined
  /usr/lib/firefox/firefox{,*[^s][^h]} simon 19556 33.1  2.1 773068 168052 pts/5 Sl+ 10:11 0:03 /usr/lib/firefox/firefox https://help.ubuntu.com/10.04/serverguide/serverguide.pdf
  /usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper simon 19586 19.6  0.4 561964 37176 pts/5 Sl+ 10:11 0:00 evince /tmp/serverguide.pdf

  I would expect Evince to run with its own profile like it does
  normally:

  3) evince /tmp/serverguide.pdf
  4) ps Zaux| grep -v ^unconfined
  /usr/bin/evince simon 20218 12.7  0.4 560240 35124 pts/5 Sl+ 10:22 0:00 evince /tmp/serverguide.pdf

  $ lsb_release -rd
  Description:  Ubuntu 12.04.1 LTS
  Release:  12.04

  $ apt-cache policy apparmor firefox evince
  apparmor:
    Installed: 2.7.102-0ubuntu3.1
    Candidate: 2.7.102-0ubuntu3.1
    Version table:
   *** 2.7.102-0ubuntu3.1 0
  500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 
Packages
  500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 
Packages
  100 /var/lib/dpkg/status
   2.7.102-0ubuntu3 0
  500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
  firefox:
    Installed: 14.0.1+build1-0ubuntu0.12.04.3
    Candidate: 14.0.1+build1-0ubuntu0.12.04.3
    Version table:
   *** 14.0.1+build1-0ubuntu0.12.04.3 0
  500 http://archive.ubuntu.com/ubuntu/ precise-proposed/main amd64 
Packages
  100 /var/lib/dpkg/status
   14.0.1+build1-0ubuntu0.12.04.1 0
  500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 
Packages
  500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 
Packages
   11.0+build1-0ubuntu4 0
  500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
  evince:
    Installed: 3.4.0-0ubuntu1.3
    Candidate: 3.4.0-0ubuntu1.3
    Version table:
   *** 3.4.0-0ubuntu1.3 0
  500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 
Packages
  100 /var/lib/dpkg/status
   3.4.0-0ubuntu1 0
  500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages

  ProblemType: Bug
  DistroRelease: Ubuntu 12.04
  Package: apparmor 2.7.102-0ubuntu3.1
  ProcVersionSignature: Ubuntu 3.2.0-30.48-generic 3.2.27
  Uname: Linux 3.2.0-30-generic x86_64
  ApportVersion: 2.0.1-0ubuntu12
  Architecture: amd64
  Date: Tue Aug 28 10:12:30 2012
  ProcEnviron:
   LANGUAGE=en_CA:en
   TERM=xterm
   PATH=(custom, no user)
   LANG=en_CA.UTF-8
   SHELL=/bin/bash
  ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-3.2.0-30-generic 
root=/dev/mapper/crypt-root ro quiet splash i915.i915_enable_fbc=1 
i915.lvds_downclock=1 drm.vblankoffdelay=1 vt.handoff=7
  SourcePackage: apparmor
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1042771/+subscriptions



Re: [Touch-packages] [Bug 1717714] [NEW] @{pid} variable broken on systems with pid_max more than 6 digits

2017-09-18 Thread intrigeri
> I am aware this is a non-default configuration, but I think this
> should work.

Makes sense. Do you want to send a merge request?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1717714

Title:
  @{pid} variable broken on systems with pid_max more than 6 digits

Status in apparmor package in Ubuntu:
  New

Bug description:
  If your kernel.pid_max sysctl is set higher than the default, say at 7
  digits, the @{pid} variable no longer matches all pids, causing some
  breakage in any profile using it.

  @{pid} is defined in /etc/apparmor.d/tunables:
  
@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}

  It only covers up to 6 digits.

  This Ubuntu 17.04 system has:
  kernel.pid_max = 4194303

  And is showing 
  type=1400 audit(1505588857.828:792): apparmor="DENIED" operation="open" profile="libvirt-55e9e12c-e6dc-4f56-a547-8514cf7d9bf3" name="/proc/2168180/task/2769256/comm" pid=2168180 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111

  Which should be matched by
  @{PROC}/sys/vm/overcommit_memory r,
  in /etc/apparmor.d/abstractions/libvirt-qemu

  I'm seeing similar failures on 16.04 (2.10.95-0ubuntu2.7), 17.04
  (2.11.0-2ubuntu4) and 17.10 (2.11.0-2ubuntu17)

  I am aware this is a non-default configuration, but I think this
  should work.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1717714/+subscriptions


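Added example, not code from either of the bug 1717714 messages above or from the AppArmor project: a small Python check that parses an @{pid} definition in the style of tunables/kernelvars, turns the alternation into a regex, and compares the digit width it covers against kernel.pid_max (remembering that pid_max is one greater than the largest PID handed out, as the proc(5) quote in the SRU template says). The sample tunables text is constructed from the 6-digit definition quoted in the report; the function names and the glob-to-regex translation are mine and are not an AppArmor API.

```python
"""Check that an AppArmor @{pid} tunable covers every PID the kernel can allocate.

Added example: the sample tunables text is constructed from the 6-digit @{pid}
definition quoted in the bug; function names are assumptions, not AppArmor APIs.
"""
import re

KERNELVARS_BEFORE = (
    "# constructed sample of /etc/apparmor.d/tunables/kernelvars (pre-fix)\n"
    "@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],"
    "[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}\n"
)

PID_VAR_RE = re.compile(r'^\s*@\{pid\}\s*=\s*\{([^}]*)\}\s*$', re.M)


def parse_pid_alternatives(tunables_text):
    """Return the comma-separated alternatives of @{pid}={a,b,c} as a list.
    Nested braces are not handled; the shipped definition has none."""
    m = PID_VAR_RE.search(tunables_text)
    if not m:
        raise ValueError("no @{pid} definition found")
    return [alt.strip() for alt in m.group(1).split(',')]


def glob_to_regex(glob):
    """Translate AppArmor path globbing to a Python regex: '**' crosses '/',
    '*' and '?' stay within one path component, bracket classes carry over."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith('**', i):
            out.append('.*')
            i += 2
            continue
        c = glob[i]
        if c == '*':
            out.append('[^/]*')
        elif c == '?':
            out.append('[^/]')
        elif c == '[':
            j = glob.index(']', i)
            out.append(glob[i:j + 1])
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return ''.join(out)


def compile_pid_pattern(alternatives):
    """Regex that matches exactly the PIDs the @{pid} alternation matches."""
    return re.compile('^(?:%s)$' % '|'.join(glob_to_regex(a) for a in alternatives))


def max_pid_digits(alternatives):
    """Each alternative is a run of one-character bracket classes, so the
    number of classes is the number of digits that alternative matches."""
    return max(len(re.findall(r'\[[^\]]*\]', a)) for a in alternatives)


def covers_pid_max(alternatives, pid_max):
    """kernel.pid_max is one greater than the largest PID handed out, so the
    tunable must cover len(str(pid_max - 1)) digits."""
    return max_pid_digits(alternatives) >= len(str(pid_max - 1))


def widened_pid_definition(digits):
    """Build a @{pid} line covering 1..digits digits with no leading zero,
    i.e. the shape of the upstream 7-digit fix."""
    alts = ['[1-9]' + '[0-9]' * (n - 1) for n in range(1, digits + 1)]
    return '@{pid}={%s}' % ','.join(alts)


if __name__ == '__main__':
    alts = parse_pid_alternatives(KERNELVARS_BEFORE)
    pat = compile_pid_pattern(alts)
    for pid in ('999999', '2168180'):
        print(pid, 'matches' if pat.match(pid) else 'does NOT match')
    print('covers pid_max=4194304:', covers_pid_max(alts, 4194304))
    print(widened_pid_definition(7))
```

On a real system, feed the contents of /etc/apparmor.d/tunables/kernelvars and the value of `sysctl -n kernel.pid_max` to `covers_pid_max`; a False result means any rule built on @{pid} (the /proc/@{pid}/... entries in the libvirt-qemu abstraction, for instance) silently stops matching once the PID counter passes the covered width, which is exactly the DENIED line in the report.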

[Touch-packages] [Bug 1710487] Re: evince silently crashes with apparmor error on artful

2017-09-10 Thread intrigeri
FWIW: Jamie, while reviewing the Debian..Ubuntu packaging log in order
to merge the Ubuntu one into the Debian source package, I see a few
instances of duplicate packaging work going on (e.g. the fix for this
bug, upstart job removal). Such duplicate work could have been avoided
by merging from Debian first… which would also have avoided mistakes
like keeping the obsolete ubuntu-manpage-updates.patch, and removing the
initscript by mistake to re-add it 3 versions later.

Let me know if I can adjust my workflow in a way that makes it easier
for you folks to merge from Debian more consistently, I'm open to
requests & suggestions :)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1710487

Title:
  evince silently crashes with apparmor error on artful

Status in apparmor package in Ubuntu:
  Fix Released
Status in evince package in Ubuntu:
  Fix Released

Bug description:
  On an up to date Ubuntu Artful system, evince is not runnable.

  $ evince

  (evince:1954): Gdk-WARNING **: Failed to load cursor theme DMZ-White

  (evince:1954): Gdk-WARNING **: Failed to load cursor theme DMZ-White
  **
  Gdk:ERROR:/build/gtk+3.0-f0nGiQ/gtk+3.0-3.22.17/./gdk/wayland/gdkdisplay-wayland.c:1039:_gdk_wayland_display_get_scaled_cursor_theme: assertion failed: (display_wayland->cursor_theme_name)
  Aborted

  In the syslog.

  [Sun Aug 13 01:58:49 2017] audit: type=1400 audit(1502642630.119:120387): apparmor="DENIED" operation="mknod" profile="/usr/bin/evince" name="/run/user/1000/wayland-cursor-shared-sWj8Hz" pid=1988 comm="evince" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
  [Sun Aug 13 01:58:49 2017] audit: type=1400 audit(1502642630.147:120388): apparmor="DENIED" operation="mknod" profile="/usr/bin/evince" name="/run/user/1000/wayland-cursor-shared-nEkncR" pid=1988 comm="evince" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

  ProblemType: Bug
  DistroRelease: Ubuntu 17.10
  Package: evince 3.24.1-0ubuntu1
  ProcVersionSignature: Ubuntu 4.11.0-13.19-generic 4.11.12
  Uname: Linux 4.11.0-13-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl zcommon znvpair
  ApportVersion: 2.20.6-0ubuntu5
  Architecture: amd64
  CurrentDesktop: GNOME
  Date: Sun Aug 13 17:41:34 2017
  InstallationDate: Installed on 2017-08-02 (11 days ago)
  InstallationMedia: Ubuntu 17.10 "Artful Aardvark" - Alpha amd64 (20170712)
  SourcePackage: evince
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1710487/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1661766] Re: aa-genprof crashes on start due to python 3.6 bug

2017-09-10 Thread intrigeri
FTR Debian sid still defaults to python3 == Python 3.5, but will soon
switch to 3.6
(https://release.debian.org/transitions/html/python3.6-supported.html)
and will therefore be affected.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1661766

Title:
  aa-genprof crashes on start due to python 3.6 bug

Status in AppArmor:
  Fix Committed
Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  aa-genprof crashes with the following error message on start:

  http://pastebin.com/SWvk4GAj

  It seem to be realated to the following bug with python 3.6:

  https://github.com/kennethreitz/tablib/issues/254

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1661766/+subscriptions



[Touch-packages] [Bug 1117804] Re: ausearch doesn't show AppArmor denial messages

2017-09-03 Thread intrigeri
FTR this was raised as a potential blocker for enabling AppArmor by
default on Debian: https://bugs.debian.org/872726. I'm going to
investigate why this is a blocker there.

tl;dr: as the audit maintainers said in 2014
(https://www.redhat.com/archives/linux-audit/2014-May/msg00119.html) and
2016 (https://www.redhat.com/archives/linux-audit/2016-April/msg00129.html),
we should use event ids from the range that has been allocated to us
(1500-1599) instead of from the range assigned to SELinux.

Any plans / ETA to fix this? Regardless of how you would prioritize this
problem otherwise, the fact it might prevent AppArmor from being enabled
by default in Debian could be a reason to handle it ASAP :)

** Bug watch added: Debian Bug tracker #872726
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872726

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to audit in Ubuntu.
https://bugs.launchpad.net/bugs/1117804

Title:
  ausearch doesn't show AppArmor denial messages

Status in AppArmor:
  Confirmed
Status in audit package in Ubuntu:
  Confirmed
Status in linux package in Ubuntu:
  Incomplete

Bug description:
  The following command should display all AVC denials:

  ausearch -m avc

  However, it doesn't work with AppArmor denials. Here's a quick test
  case to generate a denial, search for it with ausearch, and see that
  no messages are displayed:

  $ aa-exec -p /usr/sbin/tcpdump cat /proc/self/attr/current
  cat: /proc/self/attr/current: Permission denied
  $ sudo ausearch -m avc -c cat
  

  ausearch claims that there are no matches, but there's a matching
  audit message if you look in audit.log:

  type=AVC msg=audit(1360193426.539:64): apparmor="DENIED"
  operation="open" parent=8253 profile="/usr/sbin/tcpdump"
  name="/proc/8485/attr/current" pid=8485 comm="cat" requested_mask="r"
  denied_mask="r" fsuid=1000 ouid=1000

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1117804/+subscriptions

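The report above shows the shape of the records that ausearch fails to find. As an added example (not code from the bug report, from audit or from AppArmor), here is a small Python parser that does what `ausearch -m avc -c cat` was expected to do: it picks the AppArmor DENIED records out of audit.log or dmesg output, filters them by comm= or profile=, and for file-class denials writes the candidate profile line that aa-logprof would propose first. The only assumption is the record layout visible on this page: a `type=1400` (AUDIT_AVC) or `type=AVC` record, an `audit(SECONDS:SERIAL):` stamp, then key="value" fields. The sample input is the denial lines quoted in this and the other reports on the page, re-joined onto single lines, plus one constructed STATUS record that must be ignored.

```python
"""Added example: find AppArmor DENIED records in audit.log/dmesg output and
filter them the way `ausearch -m avc -c COMM` was expected to. Assumes only
the record layout quoted in the bug reports, nothing from audit's parser."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# key=value pairs: values are double-quoted (may contain spaces, e.g.
# info="Failed name lookup - disconnected path") or bare (pid=1988, error=-13).
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_STAMP_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')

# Mask letters that map onto a file rule permission: create ('c') and delete
# ('d') are granted by 'w'. Exec ('x') is left out on purpose, since an exec
# rule needs a transition mode (ix/Px/Cx/Ux) only the profile author can pick.
_MASK_TO_PERM = {'r': 'r', 'w': 'w', 'c': 'w', 'd': 'w', 'a': 'a',
                 'k': 'k', 'm': 'm', 'l': 'l'}
_PERM_ORDER = 'rwamkl'


@dataclass
class Denial:
    timestamp: float        # seconds since the epoch, from audit(...)
    serial: int             # audit serial number, from audit(...)
    fields: Dict[str, str]  # apparmor, operation, profile, name, comm, ...


def parse_record(line: str) -> Optional[Denial]:
    """One audit.log or dmesg line -> Denial, or None when it is not an
    AppArmor DENIED record (STATUS/ALLOWED records, unrelated lines)."""
    stamp = _STAMP_RE.search(line)
    if stamp is None:
        return None
    # Only parse fields after the audit(...) stamp so that the leading
    # `type=1400` / `type=AVC msg=` does not end up in the field dict.
    fields: Dict[str, str] = {}
    for key, value in _FIELD_RE.findall(line[stamp.end():]):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    if fields.get('apparmor') != 'DENIED':
        return None
    return Denial(float(stamp.group(1)), int(stamp.group(2)), fields)


def search(lines: Iterable[str], comm: Optional[str] = None,
           profile: Optional[str] = None) -> List[Denial]:
    """All DENIED records, optionally narrowed by comm= and/or profile=."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if comm is not None and rec.fields.get('comm') != comm:
            continue
        if profile is not None and rec.fields.get('profile') != profile:
            continue
        hits.append(rec)
    return hits


def suggest_file_rule(rec: Denial) -> Optional[str]:
    """Candidate profile line for a file-class denial, in the spirit of
    aa-logprof's first proposal. None when a human decision is needed (exec,
    or a capability/dbus/namespace denial, whose rules look different)."""
    f = rec.fields
    if 'name' not in f or 'denied_mask' not in f:
        return None
    perms = set()
    for ch in f['denied_mask']:
        if ch not in _MASK_TO_PERM:
            return None
        perms.add(_MASK_TO_PERM[ch])
    perm_str = ''.join(p for p in _PERM_ORDER if p in perms)
    # Narrow with `owner` when the object belongs to the acting uid. The path
    # stays literal; generalise it by hand (/run/user/*/wayland-*) before use.
    owner = 'owner ' if f.get('fsuid') == f.get('ouid') else ''
    return f"{owner}{f['name']} {perm_str},"


# Sample input: denial lines quoted in the bug reports on this page, re-joined
# onto single lines; the last entry is a constructed STATUS record that must
# be ignored.
SAMPLE_LINES = [
    'type=AVC msg=audit(1360193426.539:64): apparmor="DENIED" operation="open" '
    'parent=8253 profile="/usr/sbin/tcpdump" name="/proc/8485/attr/current" '
    'pid=8485 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    '[Sun Aug 13 01:58:49 2017] audit: type=1400 audit(1502642630.119:120387): '
    'apparmor="DENIED" operation="mknod" profile="/usr/bin/evince" '
    'name="/run/user/1000/wayland-cursor-shared-sWj8Hz" pid=1988 comm="evince" '
    'requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000',
    'audit: type=1400 audit(1476240762.854:35): apparmor="DENIED" '
    'operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" '
    'pid=3867 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=126 ouid=0',
    'audit: type=1400 audit(1418387498.613:712): apparmor="DENIED" operation="exec" '
    'info="Failed name lookup - disconnected path" error=-13 profile="foo" '
    'name="/bin/bash" pid=18255 comm="a.out" requested_mask="x" denied_mask="x" '
    'fsuid=1000 ouid=0',
    'audit: type=1400 audit(1502642600.000:1): apparmor="STATUS" '
    'operation="profile_replace" profile="unconfined" name="/usr/bin/evince" pid=1',
]
```

`search(SAMPLE_LINES, comm='cat')` returns the tcpdump/cat denial from the report above, and `suggest_file_rule()` on it gives `owner /proc/8485/attr/current r,`. The exec denial comes back as None on purpose: the 'x' in the mask needs a transition mode the parser cannot choose, and the same holds for capability, dbus or namespace denials, whose rule syntax is not a file path plus permissions.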


[Touch-packages] [Bug 1598759] Re: AppArmor nameservice abstraction doesn't allow communication with systemd-resolved

2017-08-05 Thread intrigeri
FWIW current Ubuntu citrain branch seems to apply exactly the same patch
twice for some reason:

debian/patches/adjust-nameservice-for-systemd-resolved.patch
debian/patches/profiles-grant-access-to-systemd-resolved.patch

Not sure what's going on, but anyway we don't apply this patch in Debian
so this only affects the Ubuntu-specific bits of the packaging.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1598759

Title:
  AppArmor nameservice abstraction doesn't allow communication with
  systemd-resolved

Status in AppArmor:
  Triaged
Status in apparmor package in Ubuntu:
  Fix Released
Status in ntp package in Ubuntu:
  Invalid
Status in apparmor source package in Yakkety:
  Fix Released
Status in ntp source package in Yakkety:
  Invalid

Bug description:
  [ Impact ]

  Processes confined by AppArmor profiles making use of the nameservice
  AppArmor abstraction are unable to access the systemd-resolved network
  name resolution service. The nsswitch.conf file shipped in Yakkety
  puts the nss-resolve plugin to use which talks to systemd-resolved
  over D-Bus. The D-Bus communication is blocked for the confined
  processes described above and those processes will fallback to the
  traditional means of name resolution.

  [ Test Case ]

  * Use ntpd to test:
$ sudo apt-get install -y ntp
...
$ sudo systemctl stop ntp

# in another terminal, watch for AppArmor denials
$ dmesg -w

# in the original terminal, start ntp
$ sudo systemctl start ntp

# You'll see a number of denials on the system_bus_socket file:
audit: type=1400 audit(1476240762.854:35): apparmor="DENIED" 
operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" 
pid=3867 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=126 ouid=0

   * Use tcpdump to test:

 # Capture traffic on whichever network interface you're currently using
 $ sudo tcpdump -i eth0

 # Look in /var/log/syslog for denials on the system_bus_socket file:
 audit: type=1400 audit(1476240896.021:40): apparmor="DENIED" 
operation="connect" profile="/usr/sbin/tcpdump" 
name="/run/dbus/system_bus_socket" pid=4106 comm="tcpdump" requested_mask="wr" 
denied_mask="wr" fsuid=0 ouid=0

  In both situations, ntpd and tcpdump will seemingly work as expected
  due to the name resolution fallback configured in nsswitch.conf.
  However, neither confined process will be using systemd-resolved for
  name resolution.

  [ Regression Potential ]

  This fix will allow ntp, tcpdump, cupsd, dhclient, and other confined-
  by-default programs to start using systemd-resolved. There is some
  potential for regression since those applications have not been
  previously using systemd-resolved.

  [ Original bug description ]

  On this plain install of Xenial apparmor complains about ntpd:

  [   19.379152] audit: type=1400 audit(1467623330.386:27): apparmor="DENIED" 
operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" 
pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
  [   20.379299] audit: type=1400 audit(1467623331.386:28): apparmor="DENIED" 
operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" 
pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
  [   22.426246] audit: type=1400 audit(146762.434:29): apparmor="DENIED" 
operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" 
pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
  [   22.771326] audit: type=1400 audit(146762.782:30): apparmor="DENIED" 
operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" 
pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
  [   23.568548] audit: type=1400 audit(1467623334.574:31): apparmor="DENIED" 
operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" 
pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0

  Adding the following line to /etc/apparmor.d/usr.sbin.ntpd fixes the
  problem:

  #include 

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1598759/+subscriptions



[Touch-packages] [Bug 1503762] Re: Provide systemd service

2017-08-04 Thread intrigeri
** Bug watch added: Debian Bug tracker #870697
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870697

** Also affects: apparmor (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870697
   Importance: Unknown
   Status: Unknown

** Also affects: apparmor (Ubuntu)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1503762

Title:
  Provide systemd service

Status in AppArmor:
  New
Status in apparmor package in Ubuntu:
  New
Status in apparmor package in Debian:
  Unknown
Status in apparmor package in Gentoo Linux:
  New

Bug description:
  AppArmor is in the critical path for bootup for any systems that use
  it.  Let's specify a systemd service file instead of having systemd
  use sysv compatibility mode.

  There seems to be a few bugs tracking the precursor this work, like
  https://bugs.launchpad.net/apparmor/+bug/1488179, but no actual bug
  for the systemd service itself.

  AUR has a simple service file, not sure if that would be useful -
  https://aur.archlinux.org/packages/apparmor/

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1503762/+subscriptions



[Touch-packages] [Bug 1385414] Re: provide systemd compatible cache loading library

2017-07-01 Thread intrigeri
Thanks! So we still need an AppArmor task, not just a systemd one,
right? (My question came up because all the AppArmor tasks are marked as
"Fix released", and thus I thought the only remaining thing to do is on
the systemd side, but your answer suggests that's not actually the
case.)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1385414

Title:
  provide systemd compatible cache loading library

Status in AppArmor:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released
Status in systemd package in Ubuntu:
  Triaged

Bug description:
  This tracks the work related to moving AppArmor to systemd in support
  of bug 1379542.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1385414/+subscriptions



[Touch-packages] [Bug 1331856] Re: apparmor-utils don't work when defining a variable on

2017-06-30 Thread intrigeri
Anyone interested in moving this forward: please send a merge request.
We're apparently not very good at tracking patches attached to bug
reports, sorry!

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1331856

Title:
  apparmor-utils don't work when defining a variable on
  

Status in AppArmor:
  Triaged
Status in apparmor package in Ubuntu:
  New

Bug description:
  When a variable is set in tunables/home.d/ the apparmor-utils programs
  don't work and return this error messages:

  root@ws24:~# aa-logprof 
  Traceback (most recent call last):
    File "/usr/sbin/aa-logprof", line 50, in 
      apparmor.loadincludes()
    File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 4643, in loadincludes
      load_include(fi)
    File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 4520, in load_include
      incdata = parse_profile_data(data, incfile, True)
    File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2839, in parse_profile_data
      store_list_var(profile_data[profile]['lvar'], list_var, value, var_operation)
    File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 3279, in store_list_var
      raise AppArmorException(_('Values added to a non-existing variable: %s') % list_var)
  apparmor.common.AppArmorException: 'Values added to a non-existing variable: @{HOMEDIRS}'
  root@ws24:~#

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1331856/+subscriptions



[Touch-packages] [Bug 1385414] Re: provide systemd compatible cache loading library

2017-06-30 Thread intrigeri
I could ask for help to the person who implemented the initial AppArmor
support in systemd. But first I would need a clearer task description
than "Add systemd task since it needs an update to make it use the cache
loading library". What exactly do we need systemd to do?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1385414

Title:
  provide systemd compatible cache loading library

Status in AppArmor:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released
Status in systemd package in Ubuntu:
  Triaged

Bug description:
  This tracks the work related to moving AppArmor to systemd in support
  of bug 1379542.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1385414/+subscriptions



[Touch-packages] [Bug 1507469] Re: Evince's AppArmor profile prevents opening docs from other apps under Wayland

2017-06-30 Thread intrigeri
This was fixed in 2.11.0 so it's fixed in zesty.

** Summary changed:

- Evince's Apparmour profile prevents opening docs from other apps under Wayland
+ Evince's AppArmor profile prevents opening docs from other apps under Wayland

** Changed in: apparmor (Ubuntu)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1507469

Title:
  Evince's AppArmor profile prevents opening docs from other apps under
  Wayland

Status in AppArmor:
  Fix Released
Status in AppArmor 2.10 series:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  Evince fails to run when launched from another app (Nautilus, Ephy,
  etc) and running under Wayland. For example, nothing appears to happen
  when double-clicking on a PDF file in Nautilus. Evince is launched,
  but its AppArmor profile is preventing access to a Wayland socket,
  hence it immediately exits.

  The following is typical of the reported error:

  > Oct 19 15:06:40 payens kernel: audit: type=1400
  audit(1445227600.333:26): apparmor="DENIED" operation="connect"
  profile="/usr/bin/evince" name="/run/user/1000/wayland-0" pid=12956
  comm="evince" requested_mask="wr" denied_mask="wr" fsuid=1000
  ouid=1000

  Adding the following lines to its local AppArmor config and
  reloading AppArmor fixes the problem:

  >  owner /run/user/*/wayland-* rw,
  >  owner /run/user/*/weston-shared-* rw,

  ProblemType: Bug
  DistroRelease: Ubuntu 15.10
  Package: evince 3.16.1-0ubuntu1
  ProcVersionSignature: Ubuntu 4.2.0-16.19-generic 4.2.3
  Uname: Linux 4.2.0-16-generic x86_64
  ApportVersion: 2.19.1-0ubuntu2
  Architecture: amd64
  CurrentDesktop: GNOME
  Date: Mon Oct 19 17:49:19 2015
  InstallationDate: Installed on 2015-07-22 (89 days ago)
  InstallationMedia: Ubuntu-GNOME 15.04 "Vivid Vervet" - Release amd64 
(20150422)
  SourcePackage: evince
  UpgradeStatus: Upgraded to wily on 2015-08-27 (52 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1507469/+subscriptions



[Touch-packages] [Bug 740510] Re: multiarch paths in abstractions should not be Linux-specific

2017-06-30 Thread intrigeri
FWIW Stretch was released for Linux architectures only, and I doubt
it'll change any time soon. I believe the Debian landscape looked
different when Steve filed this bug in 2011. Nowadays I'm not sure
what's the value of keeping this bug open.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/740510

Title:
  multiarch paths in abstractions should not be Linux-specific

Status in AppArmor:
  Triaged
Status in apparmor package in Ubuntu:
  Triaged

Bug description:
  Binary package hint: apparmor

  The latest changes in natty to allow multiarch paths for apparmor use
  /lib/*-linux-gnu/ in their paths.  This is sufficient for all the
  architectures Ubuntu supports, and it's sufficient for native binaries
  on these architectures, but multiarch is intended to be fully cross-
  platform and be usable for binaries for other kernels.  Even if
  apparmor itself doesn't run on BSD, Hurd kernels, Debian builds
  packages for these architectures and these will be cross-installable
  on multiarch systems... and some of them may even run, by way of
  kernel syscall emulation layers (in-kernel, qemu, etc).  So the
  apparmor abstractions should account for this and not be limited to
  linux-gnu triplets.

  (This is obviously a low-priority edge case.)

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/740510/+subscriptions



[Touch-packages] [Bug 776648] Re: apparmor profile for chromium browser

2017-06-30 Thread intrigeri
This bug report is about the custom profile shipped by Ubuntu in their
apparmor-profiles package (and nowhere else AFAIK), not about the
apparmor-profiles project (yeah, it's confusing, I know).

** Changed in: apparmor-profiles
   Status: Triaged => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/776648

Title:
  apparmor profile for chromium browser

Status in AppArmor Profiles:
  Invalid
Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  Packages: apparmor 2.6.1-0ubuntu3 + apparmor-profiles 2.6.1-0ubuntu3
  installed on natty.

  I would like to thank first of all that is made of the Chromium browser apparmor profile.
  We are delighted to have found that it works perfectly.
  First installation of the profile works well.
  After software update, the Chromium browser "11.0.696.057 (82,915) 11.4 Ubuntu" no longer starts.
  Only "complain" mode in the /etc/apparmor.d/usr.bin.chromium rule used by the browser.
  Read permissions to the request
  /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
  and
  /sys/devices/pci:00/:00:00.0/resource access.

  The "aa-logprof" command I can not be improved.

  Thank you in advance for your help.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor-profiles/+bug/776648/+subscriptions



[Touch-packages] [Bug 1101298] Re: More resources must be added into Chromium profile

2017-06-30 Thread intrigeri
This bug report is about the custom profile shipped by Ubuntu in their
apparmor-profiles package (and nowhere else AFAIK), not about the
apparmor-profiles project (yeah, it's confusing, I know).

** Project changed: apparmor-profiles => apparmor (Ubuntu)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1101298

Title:
  More resources must be added into Chromium profile

Status in apparmor package in Ubuntu:
  New

Bug description:
  When I install apparmor-profiles package and set Chromium AppArmor
  profile to enforce mode,  Chromium cannot detect the default browser
  and claims that it is not the default browser even though I set so.
  And I see this line in dmesg:

  ... type=1400 audit(1358526376.204:84): apparmor="DENIED" operation="exec" parent=6216 profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings" name="/usr/bin/gawk" pid=6220 comm="xdg-mime" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

  Now, there is only /usr/bin/mawk line in Chromium apparmor profile but
  users may use a different implementation thanks to the alternatives
  system.

  In addition, my dmesg is flooded by these lines:

  ... type=1400 audit(1358527121.548:197): apparmor="DENIED" operation="open" parent=6072 profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq" pid=8984 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

  It would be nice to see
  "/sys/devices/system/**/cpufreq/cpuinfo_max_freq r," added to the
  profile.

  My patch regarding the issue is attached.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1101298/+subscriptions



[Touch-packages] [Bug 1507469] Re: Evince's Apparmour profile prevents opening docs from other apps under Wayland

2016-12-02 Thread intrigeri
Cherry-picked in Debian's Vcs-Bzr, will be part of the apparmor
2.10.95-7 upload. Thanks everybody!

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1507469

Title:
  Evince's Apparmour profile prevents opening docs from other apps under
  Wayland

Status in AppArmor:
  New
Status in apparmor package in Ubuntu:
  New

Bug description:
  Evince fails to run when launched from another app (Nautilus, Ephy,
  etc) and running under Wayland. For example, nothing appears to happen
  when double-clicking on a PDF file in Nautilus. Evince is launched,
  but its AppArmor profile is preventing access to a Wayland socket,
  hence it immediately exits.

  The following is typical of the reported error:

  > Oct 19 15:06:40 payens kernel: audit: type=1400
  audit(1445227600.333:26): apparmor="DENIED" operation="connect"
  profile="/usr/bin/evince" name="/run/user/1000/wayland-0" pid=12956
  comm="evince" requested_mask="wr" denied_mask="wr" fsuid=1000
  ouid=1000

  Adding the following lines to its local AppArmor config and
  reloading AppArmor fixes the problem:

  >  owner /run/user/*/wayland-* rw,
  >  owner /run/user/*/weston-shared-* rw,

  ProblemType: Bug
  DistroRelease: Ubuntu 15.10
  Package: evince 3.16.1-0ubuntu1
  ProcVersionSignature: Ubuntu 4.2.0-16.19-generic 4.2.3
  Uname: Linux 4.2.0-16-generic x86_64
  ApportVersion: 2.19.1-0ubuntu2
  Architecture: amd64
  CurrentDesktop: GNOME
  Date: Mon Oct 19 17:49:19 2015
  InstallationDate: Installed on 2015-07-22 (89 days ago)
  InstallationMedia: Ubuntu-GNOME 15.04 "Vivid Vervet" - Release amd64 
(20150422)
  SourcePackage: evince
  UpgradeStatus: Upgraded to wily on 2015-08-27 (52 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1507469/+subscriptions



Re: [Touch-packages] [Bug 1600524] Re: ubuntuBSD support

2016-07-16 Thread intrigeri
> Well then could you apply the patch to make apparmor installable?

The dependency on any kind of initramfs-tools has been dropped in Debian
a while ago (2.9.0-3+exp1), because AFAIK it was needed only for the
early modules loading code, that was removed a while ago. For some
undocumented reason, last time Ubuntu merged Debian's packaging
(2.10-3ubuntu1), these deps were kept in Ubuntu, so I'm afraid there's
nothing I can personally do about it. Sorry!

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1600524

Title:
  ubuntuBSD support

Status in apparmor package in Ubuntu:
  New

Bug description:
  Hi

  Please could you make this change to support ubuntuBSD in apparmor?
  (initramfs-tools is only installable on Linux)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1600524/+subscriptions



Re: [Touch-packages] [Bug 1600524] Re: ubuntuBSD support

2016-07-16 Thread intrigeri
> I'm confused then. Why is the Architecture field in debian/control set
> to any?

> And why debian/patches/non-linux.patch, debian/non-linux/apparmor_parser?

I find it marginally useful to build on Debian/kFreeBSD: this can
sometimes help discover real bugs that affect Linux but would not be
immediately visible there. But if this ever becomes too tedious, I won't
bother and will drop the non-Linux targets.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1600524

Title:
  ubuntuBSD support

Status in apparmor package in Ubuntu:
  New

Bug description:
  Hi

  Please could you make this change to support ubuntuBSD in apparmor?
  (initramfs-tools is only installable on Linux)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1600524/+subscriptions



[Touch-packages] [Bug 1408106] Re: attach_disconnected not sufficient for overlayfs

2016-05-23 Thread intrigeri
Hi! What kind of (realistic) timeline can we expect here? (With the move
to ZFS for containers, I wonder :)

E.g. is this part of your goals for 16.10? (I mean: for the AppArmor
/Ubuntu-specific parts, as I've learnt to be patient wrt. the
upstreaming to Linux mainline.)

Thanks for your work on AppArmor!

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1408106

Title:
  attach_disconnected not sufficient for overlayfs

Status in AppArmor:
  In Progress
Status in apparmor package in Ubuntu:
  Confirmed
Status in linux package in Ubuntu:
  Triaged

Bug description:
  With the following use of overlayfs, we get a disconnected path:

  $ cat ./profile
  #include 
  profile foo {
    #include 

    capability sys_admin,
    capability sys_chroot,
    mount,
    pivot_root,
  }

  $ cat ./overlay.c
  /* Includes restored for the calls used below (the original list was lost
   * in extraction). _GNU_SOURCE is needed for unshare() and CLONE_NEWUSER;
   * glibc exports pivot_root() without a prototype, so it is declared here. */
  #define _GNU_SOURCE
  #include <alloca.h>
  #include <sched.h>
  #include <stdio.h>
  #include <string.h>
  #include <sys/mount.h>
  #include <unistd.h>

  extern int pivot_root(const char *new_root, const char *put_old);

  int main(int argc, char* argv[]) {
      int i = 0;
      int len = 0;
      int ret = 0;
      char* options;

      /* As an unprivileged user, enter a new user namespace first so that
       * the mount namespace and the mounts below are permitted. */
      if (geteuid())
          unshare(CLONE_NEWUSER);
      unshare(CLONE_NEWNS);

      /* Stack one overlay per argument on /mnt: the first over /, every
       * later one over the previous /mnt. */
      for (i = 1; i < argc; i++) {
          if (i == 1) {
              len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/") + 2;
              options = alloca(len);
              ret = snprintf(options, len, "upperdir=%s,lowerdir=/", argv[i]);
          }
          else {
              len = strlen(argv[i]) + strlen("upperdir=,lowerdir=/mnt") + 2;
              options = alloca(len);
              ret = snprintf(options, len, "upperdir=%s,lowerdir=/mnt", argv[i]);
          }

          mount("overlayfs", "/mnt", "overlayfs", MS_MGC_VAL, options);
      }

      /* Make the overlay the root and exec a shell from it; this is where
       * AppArmor resolves /bin/bash to a disconnected path. */
      chdir("/mnt");
      pivot_root(".", ".");
      chroot(".");

      chdir("/");
      execl("/bin/bash", "/bin/bash", NULL);
      return 0;
  }

  $ sudo apparmor_parser -r ./profile && aa-exec -p foo -- ./a.out /tmp
  [255]
  ...
  Dec 12 14:31:38 localhost kernel: [57278.040216] audit: type=1400 audit(1418387498.613:712): apparmor="DENIED" operation="exec" info="Failed name lookup - disconnected path" error=-13 profile="foo" name="/bin/bash" pid=18255 comm="a.out" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

  With the above, the expectation was for the denial to be /mnt/bin/bash.
  There are three ways forward:
  1. the correct solution is to patch overlayfs to properly track the
     loopback, but this will take a while, may ultimately be unachievable.
     UPDATE: upstream is currently working on this and Ubuntu will engage
     with them
  2. we could rely on the fact that overlayfs creates a private unshared
     submount, and provide a way to not mediate the path when that is
     present, and tagged. This would take a bit of time, and might be the
     preferred method over 1 longer term
  3. we could extend attach_disconnected so that we can define the attach
     root. Eg, we can use profile foo (attach_disconnected=/mnt) {} such
     that '/bin/bash' maps to '/mnt/bin/bash'. UPDATE: THIS IS NOT VIABLE

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1408106/+subscriptions



[Touch-packages] [Bug 1399845] Re: tunables/global doesn't include all defined variables

2015-08-24 Thread intrigeri
I'm not sure I get what's the problem: what exact variable (or tunable
file containing variables) do you think should be made available to
every profile, and is currently not?

My understanding of this comment (as a non-native English speaker) is
that there is a possibility that some tunables (e.g. the dovecot and
ntpd ones) are not globals, don't need to be made available to every
profile, and thus should not be included in tunables/global. It makes
sense to me from a design PoV, and also from a profile author PoV. Did I
miss anything?

-- 
https://bugs.launchpad.net/bugs/1399845

Title:
  tunables/global doesn't include all defined variables

Status in apparmor package in Ubuntu:
  New

Bug description:
  The comment at the top of tunables/global says:

  # All the tunables definitions that should be available to every profile
  # should be included here

  But not all defined variables are included:

  $ grep include global 
  # should be included here
  #include <tunables/home>
  #include <tunables/multiarch>
  #include <tunables/proc>
  #include <tunables/alias>
  #include <tunables/kernelvars>
  #include <tunables/xdg-user-dirs>

  vs

  $ ls -1
  alias
  apparmorfs
  dovecot
  global
  home
  home.d
  kernelvars
  multiarch
  multiarch.d
  ntpd
  proc
  securityfs
  sys
  xdg-user-dirs
  xdg-user-dirs.d

  
  Thanks

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: apparmor 2.8.95~2430-0ubuntu5.1
  ProcVersionSignature: Ubuntu 3.13.0-40.69-generic 3.13.11.10
  Uname: Linux 3.13.0-40-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3.6
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Fri Dec  5 17:21:51 2014
  InstallationDate: Installed on 2012-10-18 (778 days ago)
  InstallationMedia: Ubuntu 12.04.1 LTS Precise Pangolin - Release amd64 (20120823.1)
  ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-3.13.0-40-generic root=UUID=7b8c2e1b-d2e6-47d9-9030-c078e9701a1d ro quiet splash vt.handoff=7
  SourcePackage: apparmor
  Syslog:
   
  UpgradeStatus: Upgraded to trusty on 2014-04-12 (238 days ago)
  modified.conffile..etc.apparmor.d.abstractions.ubuntu.browsers.d.text.editors: [modified]
  mtime.conffile..etc.apparmor.d.abstractions.ubuntu.browsers.d.text.editors: 2013-03-26T13:10:49

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1399845/+subscriptions

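The check the reporter did by hand (includes listed in tunables/global versus files in the tunables directory), scripted here as an added example that is not part of AppArmor or of the bug thread. It follows includes recursively, so a *.d directory reached through tunables/home counts as included; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not AppArmor's own tooling: report which entries under
# <apparmor.d>/tunables are never reached from tunables/global through
# "#include <tunables/...>" lines. Includes are followed recursively,
# so home.d counts as reached via tunables/home. Names are assumptions.

# Print every tunables/<name> reachable from "$1" inside apparmor.d
# directory "$2", one per line. $seen (reset by the caller) stops cycles.
walk_tunables() {
    case " $seen " in *" $1 "*) return 0 ;; esac
    seen="$seen $1"
    echo "$1"
    # A *.d directory include has no include lines of its own.
    [ -f "$2/$1" ] || return 0
    # Keep only the <tunables/...> target of each (#)include line.
    for inc in $(sed -n 's|^#\{0,1\}include[[:space:]]*<\(tunables/[^>]*\)>.*|\1|p' "$2/$1"); do
        walk_tunables "$inc" "$2"
    done
}

# Print, one per line, the entries of "$1"/tunables that global never
# includes, directly or indirectly.
unincluded_tunables() {
    seen=""
    reached=$(walk_tunables tunables/global "$1")
    for entry in "$1"/tunables/*; do
        name="tunables/${entry##*/}"
        printf '%s\n' "$reached" | grep -qxF "$name" || echo "$name"
    done
}

# Stand-alone use: sh this_script.sh /etc/apparmor.d
if [ -d "${1:-}" ]; then
    unincluded_tunables "$1"
fi
```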


[Touch-packages] [Bug 1435368] Re: dh_apparmor does not assist postinst scripts that need to run the constrained binary before the postinst completes

2015-08-24 Thread intrigeri
Another workaround would be to run mysqld unconfined (e.g. with
aa-unconfined, or by copying/hardlinking the binary to a different file
and running that one) for whatever operations the postinst has to do. I
won't pretend it's nicer than what you've done already, but that's
another option on the table.

-- 
https://bugs.launchpad.net/bugs/1435368

Title:
  dh_apparmor does not assist postinst scripts that need to run the
  constrained binary before the postinst completes

Status in apparmor package in Ubuntu:
  New

Bug description:
  This affects mysql-5.6.

  mysql-server-5.6.postinst needs to run /usr/sbin/mysqld for
  bootstrapping purposes before starting the daemon proper. It calls
  dh_apparmor from dh_override_install in debian/rules.

  The profile for mysqld has changed between 5.5 and 5.6: it now permits
  read from /etc/mysql/**, since /etc/mysql/mysql.conf.d/ is now used in
  addition to the original /etc/mysql/my.cnf, along with some other
  files.

  On upgrade from the previous 5.5 packaging, mysql-server-5.6.postinst
  attempts to run /usr/sbin/mysqld which then fails because the old
  profile is still active, since dh_apparmor has only added the snippet
  to the end of the postinst (after this point). It appears to include
  some logic about /etc/apparmor.d/local/ which I can't easily call from
  earlier in the postinst instead.

  Workaround: I added an extra apparmor_parser call when I need it. But
  this fails if /etc/apparmor.d/local/usr.sbin.mysqld doesn't exist,
  which is the case on first install of the package. So I have to ignore
  errors. This isn't ideal though.

  It would be better if we could somehow arrange dh_apparmor to ensure
  that the apparmor profile is active earlier, or at least define some
  way that the maintainer's postinst code can make it happen earlier -
  for example by wrapping the logic into something the maintainer can
  call. Or perhaps dh_apparmor should unload the profile in the prerm or
  something, so that the postinst always runs without the profile loaded
  (as already happens on first install).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1435368/+subscriptions

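One shape the reporter's workaround can take, as an added example rather than dh_apparmor's generated snippet or the mysql packaging's own code: load the profile early in postinst, creating the missing /etc/apparmor.d/local/ stub first so the first-install failure does not have to be ignored. The APPARMOR_ROOT, APPARMOR_PARSER and AA_STATUS overrides and the function names are assumptions made so it can be exercised outside /etc.

```shell
#!/bin/sh
# Added example, not dh_apparmor's generated snippet: make a profile
# active early in postinst, before the confined binary is run for
# bootstrapping, instead of waiting for the snippet appended at the end.
# It covers the failure mode from the report: on first install
# /etc/apparmor.d/local/<profile> does not exist yet, so the profile's
# "#include <local/...>" line makes apparmor_parser fail.
# APPARMOR_ROOT, APPARMOR_PARSER, AA_STATUS and the function names are
# assumptions so the logic can be tested outside /etc.

# Create an empty local/ override stub for profile "$1" if it is
# missing, and print its path.
ensure_local_stub() {
    root="${APPARMOR_ROOT:-/etc/apparmor.d}"
    stub="$root/local/$1"
    if [ ! -e "$stub" ]; then
        mkdir -p "$root/local"
        : > "$stub"
        chmod 0644 "$stub"
    fi
    echo "$stub"
}

# Replace-load profile "$1" now. Returns 0 without doing anything when
# AppArmor is not enabled on this system; otherwise a parser failure is
# propagated instead of being hidden behind "|| true".
load_profile_early() {
    root="${APPARMOR_ROOT:-/etc/apparmor.d}"
    ensure_local_stub "$1" >/dev/null
    if ! "${AA_STATUS:-aa-status}" --enabled 2>/dev/null; then
        return 0
    fi
    "${APPARMOR_PARSER:-apparmor_parser}" -r -T -W "$root/$1"
}

# Constructed postinst use: call this before the bootstrap run of the
# confined binary, e.g. in the "configure" branch:
#   load_profile_early usr.sbin.mysqld
#   (then run /usr/sbin/mysqld for bootstrapping as before)
```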


[Touch-packages] [Bug 1377338] Re: apparmor may fail to load some profiles if one is corrupted

2015-08-24 Thread intrigeri
Along with LP: #1488179, this is one source of ugliness in the current
Debian/Ubuntu initscript that makes it harder than needed to port it to
systemd.

-- 
https://bugs.launchpad.net/bugs/1377338

Title:
  apparmor may fail to load some profiles if one is corrupted

Status in AppArmor:
  Triaged
Status in apparmor package in Ubuntu:
  Fix Released
Status in click-apparmor package in Ubuntu:
  Fix Released
Status in apparmor package in Ubuntu RTM:
  Fix Released
Status in click-apparmor package in Ubuntu RTM:
  Fix Released

Bug description:
  Steps to reproduce (on the emulator):
  1. sudo sh -c 'echo foo > /var/lib/apparmor/profiles/click_com.ubuntu.music_music_1.3.638'
  2. sudo start apparmor ACTION=teardown
  3. sudo start apparmor
  start: Job failed to start
  4. sudo aa-status|egrep '^ '|grep -v '('| sort -u > /tmp/aa-status.music_bad
  5. sudo rm -f /var/lib/apparmor/profiles/click_com.ubuntu.music_music_1.3.638
  6. sudo aa-clickhook # regenerates the missing profile to have a good one
  7. sudo start apparmor ACTION=teardown
  8. sudo start apparmor
  9. sudo aa-status|egrep '^ '|grep -v '('| sort -u > /tmp/aa-status.music_good
  10. diff -Naur /tmp/aa-status.music_bad /tmp/aa-status.music_good
  --- /tmp/aa-status.music_bad  2014-10-03 22:47:52.890906744 +
  +++ /tmp/aa-status.music_good 2014-10-03 22:49:54.372739381 +
  @@ -13,6 +13,10 @@
  
com.ubuntu.developer.webapps.webapp-twitter_webapp-twitter_1.0.18//oxide_helper
  com.ubuntu.developer.webapps.webapp-twitter_webapp-twitter-helper_1.0.18
  com.ubuntu.dropping-letters_dropping-letters_0.1.2.2.66
  +   com.ubuntu.music_music_1.3.638
  +   com.ubuntu.shorts_shorts_0.2.330
  +   com.ubuntu.sudoku_sudoku_1.1.292
  +   com.ubuntu.weather_weather_1.1.374
  lxc-container-default
  lxc-container-default-with-mounting
  lxc-container-default-with-nesting

  Expected results: only com.ubuntu.music_music_1.3.638 should be
  missing.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1377338/+subscriptions

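The fix direction for this bug, as an added example that is not the initscript's own code: load profiles from a directory one file at a time, so the corrupt click_com.ubuntu.music_music_1.3.638 from the steps above is reported and skipped while every other profile still loads. APPARMOR_PARSER and the function names are assumptions so a stand-in parser can be used.

```shell
#!/bin/sh
# Added example, not the Debian/Ubuntu initscript's own code: load the
# profiles of a directory one file at a time, so that a single corrupt
# profile (like the "foo" file in the steps above) is skipped and
# reported instead of taking every other profile down with it.
# APPARMOR_PARSER and the function names are assumptions so the logic
# can be exercised with a stand-in parser.

# Load one profile with apparmor_parser -r (replace); on failure report
# it on stderr and return 1. The parser's own diagnostics are left on
# stderr so the reason for the rejection is visible in the boot log.
load_one_profile() {
    if "${APPARMOR_PARSER:-apparmor_parser}" -r "$1"; then
        return 0
    fi
    echo "apparmor: failed to load $1, continuing with remaining profiles" >&2
    return 1
}

# Load every regular file under "$1". Prints the number of rejected
# profiles on stdout; returns non-zero if any were rejected, but never
# stops early, so every good profile is still loaded.
load_profile_dir() {
    failed=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        load_one_profile "$f" || failed=$((failed + 1))
    done
    echo "$failed"
    [ "$failed" -eq 0 ]
}

# Stand-alone use: sh this_script.sh /var/lib/apparmor/profiles
if [ -d "${1:-}" ]; then
    load_profile_dir "$1"
fi
```

The skipped profile's application runs unconfined until the file is repaired, so the stderr line is what to alert on rather than treating a partial load as success.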