:
/var/cache/apt/archives/ r,
/var/cache/apt/archives/** r,
… and then reload the profile:
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.apt-cacher-ng
Please let us know if that's enough to fix the problem for you.
Cheers,
--
intrigeri
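The apt-cacher-ng fix above (add the two file rules, reload with `apparmor_parser -r`) is the usual policy-maintenance loop: read the DENIED events, write the rules they ask for, reload the profile. The script below is an added example, not code from this thread or from the Debian apparmor packaging; AppArmor's own helpers (aa-logprof, aa-genprof) are written in Python, hence the language. It turns audit events into candidate rules, handling file denials like the apt-cacher-ng ones and capability denials like the `capname="net_admin"` one further down this page. The audit lines embedded in it are constructed for the example and the profile names `/usr/sbin/example-daemon` and `/usr/bin/complain-mode-app` are invented.

```python
"""Turn AppArmor audit events into candidate profile rules.

Added example; not code from the Debian apparmor packaging or from the
mailing-list posts on this page. It models the manual step taken in the
apt-cacher-ng thread: read the DENIED events, write the matching rules,
reload the profile. aa-logprof does this interactively; this is a minimal
non-interactive version for scripting and review.
"""
import re
from collections import defaultdict

# Constructed sample audit lines (not taken from any bug report on this page).
# The field layout follows what the kernel's AppArmor LSM emits via audit/dmesg.
SAMPLE_LOG = """\
audit: type=1400 audit(1527500000.001:10): apparmor="DENIED" operation="open" profile="/usr/sbin/apt-cacher-ng" name="/var/cache/apt/archives/" pid=1234 comm="apt-cacher-ng" requested_mask="r" denied_mask="r" fsuid=106 ouid=0
audit: type=1400 audit(1527500000.002:11): apparmor="DENIED" operation="open" profile="/usr/sbin/apt-cacher-ng" name="/var/cache/apt/archives/foo_1.0_amd64.deb" pid=1234 comm="apt-cacher-ng" requested_mask="r" denied_mask="r" fsuid=106 ouid=0
audit: type=1400 audit(1527500000.003:12): apparmor="DENIED" operation="capable" profile="/usr/sbin/example-daemon" pid=1300 comm="example-daemon" capability=12  capname="net_admin"
audit: type=1400 audit(1527500000.004:13): apparmor="ALLOWED" operation="open" profile="/usr/bin/complain-mode-app" name="/etc/foo" pid=1400 comm="app" requested_mask="r" denied_mask="r"
"""

# key="quoted value" or key=bareword
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Log mask letters -> policy permission letters. Create ("c") and delete ("d")
# are write operations in policy; exec ("x") needs an exec mode, handled below.
_MASK_MAP = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
             "l": "l", "k": "k", "m": "m"}


def parse_event(line):
    """Return the event's fields as a dict, or None if this is not an AppArmor event."""
    fields = {}
    for m in _FIELD.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    if "apparmor" not in fields or "profile" not in fields:
        return None
    return fields


def rule_for(event):
    """Candidate rule for one event, or None when the event carries nothing usable."""
    if "capname" in event:
        return "capability %s," % event["capname"]
    if "name" in event and "denied_mask" in event:
        mask = event["denied_mask"]
        perms = {_MASK_MAP[c] for c in mask if c in _MASK_MAP}
        if "w" in perms:
            perms.discard("a")          # "w" already implies append
        ordered = "".join(p for p in "rwalkm" if p in perms)
        if "x" in mask:
            # Exec needs a mode. ix (inherit the current profile) is the
            # conservative placeholder; the maintainer picks ix/Px/Cx/Ux per target.
            ordered += "ix"
        path = event["name"]
        if " " in path:                 # paths with spaces must be quoted in policy
            path = '"%s"' % path
        return "%s %s," % (path, ordered)
    return None


def suggest_rules(log_text, statuses=("DENIED", "ALLOWED")):
    """Map profile name -> sorted unique candidate rules.

    ALLOWED events come from profiles in complain mode and are just as useful
    for building policy, so they are included by default.
    """
    out = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["apparmor"] not in statuses:
            continue
        rule = rule_for(ev)
        if rule:
            out[ev["profile"]].add(rule)
    return {profile: sorted(rules) for profile, rules in out.items()}


def generalize(path):
    """Widen a single-file path to its directory subtree, as the apt-cacher-ng
    fix does with '/var/cache/apt/archives/**'. A path that already names a
    directory (trailing '/') is returned unchanged: '/dir/**' does not cover '/dir/'."""
    if path.endswith("/"):
        return path
    return path.rsplit("/", 1)[0] + "/**"


if __name__ == "__main__":
    for profile, rules in sorted(suggest_rules(SAMPLE_LOG).items()):
        print("# candidate rules for %s" % profile)
        for rule in rules:
            print("  " + rule)
```

Feed it `journalctl -k | grep 'apparmor='` (or `dmesg`) output. On Debian, rules for a shipped profile belong in the profile's `local/` override where the profile includes one, followed by `apparmor_parser -r /etc/apparmor.d/<profile>` as in the fix above. `generalize()` is a deliberate widening: `/var/cache/apt/archives/**` also grants everything that appears under that tree later, which is appropriate for a package cache and not for, say, a home directory.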
Gilles Filippini:
> intrigeri a écrit le 28/05/2018 à 09:42 :
>> Can we please hold on a little bit on this removal?
> No problem.
>> Could you please push this preliminary work somewhere? It would help
>> us (Tails) evaluate how hard it would be to fix these problems and
e of the migration to Wayland.
Could you please push this preliminary work somewhere? It would help
us (Tails) evaluate how hard it would be to fix these problems and
then make a decision about our future course of action :)
Cheers,
--
intrigeri
on another bug report that
I could not find?
Cheers,
--
intrigeri
uest usage certification.
Worst case $someone should bisect this but I figured you might have
a hunch about what's going on here :)
Cheers,
--
intrigeri
Damyan Ivanov:
> -=| gregor herrmann, 18.05.2018 11:09:23 +0200 |=-
>> So I guess we have to consider if we're happy with the ability to
>> turn off loading objects and recommend it to consumers and close the
>> bugs; or if we want to change the defaults, which means setting
>> $YAML::LoadBlessed
ting the package from testing/sid (e.g.
uploaders to stretch-backports, Ubuntu maintainers) shall make
their own informed decision. In most cases it's probably a good
idea to disable the AppArmor profiles in backports and stable
distro releases until we reach a decision on #2.
Cheers,
--
intrigeri
Is this different from #884363 or a duplicate?
In any case: thanks a lot for working on this!
,
--
intrigeri
--
intrigeri
Linux v4.17-rc1 now supports basic socket mediation, which will allow
us to close this bug report:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=56974a6fcfef69ee0825bd66ed13e92070ac5224
:)
Mattia Rizzolo:
> It's already in experimental, under the name of 'scribus-ng'
Thanks! It triggers sweet memories from the 1.3.x days :)
Cheers,
--
intrigeri
tem images
based on Debian testing/sid to do so. For example, we're trying to
make the development branch of Tails based on Buster Qt4-free.
- Gather feedback from Debian early testers to upstream.
Cheers,
--
intrigeri
s.
Cheers,
--
intrigeri
intrig...@debian.org:
> https://tickets.puppetlabs.com/browse/PUP-7654 which says that running
> an older PuppetDB/termini with a newer Puppet can fail. Perhaps this
> would be fixed by upgrading PuppetDB 5.x?
I cannot reproduce this bug with Puppet from Stretch and PuppetDB from
sid, which
DAEMON_OPTS=""
SERVERTYPE=webrick
PUPPETMASTERS=1
PORT=8140
PUPPETQD=no
PUPPETQD_OPTS=""
-- no debconf information
--
intrigeri
either we consider that we
solved this with #882218 (and then let's close this bug) or we don't
(and then let's drop the "pending" tag).
Cheers,
--
intrigeri
re does /opt/firefox/firefox come from? In other words, how did you
install this copy of Firefox?
Cheers,
--
intrigeri
Hi Peter!
intrigeri:
>> It was because I'd put some customizations into /etc/torrc.custom, (as
>> suggested by the comments at the bottom of /etc/tor/torrc. However the
>> apparmor profile in (abstractions/system_tor) limit tor to be able to
>> only read /etc/tor/.
Hi Nuno!
Brian Potkin:
> On Thu 07 Dec 2017 at 10:51:26 +0100, intrigeri wrote:
>> If using a non-standard parent directory for home directories, you'll
>> need to let AppArmor know about it. Thankfully we have everything in
>> place to do this: adding @{HOMEDIRS}+=
or this directory should be clearly licensed
-- we recommend using the GPL. Please mail suggestions or
modifications to the appar...@lists.ubuntu.com mail list:
https://lists.ubuntu.com/mailman/listinfo/apparmor
Thanks!
Cheers,
--
intrigeri
Control: tag -1 + upstream
Felix C. Stegerman:
> I noticed that my openntpd service stopped working after apparmor was
> enabled in sid by default. I finally traced the problem to a
> remaining /etc/apparmor.d/usr.sbin.ntpd.dpkg-remove without 'x'
> permissions for /usr/sbin/ntpd. It did not
Hi,
Dererk:
> I'm copying Intrigeri in this report to see how we could align a
> solution with how apparmor is intended to be used in this case.
I'm trying hard to not be a single point of failure for All Things
AppArmor in Debian, so next time please use the help-needed usertag
when yo
grades)
finally: unload the old profile
This should fix the two failure modes I've described above.
I'll let the active package maintainers make the call. I'm happy to
provide more info if needed :)
Cheers,
--
intrigeri
.2.9-2~ for the first time and if so, display the same
recommendation (in a non-interactive way). But let's not block on
that :)
Cheers,
--
intrigeri
nt for the load method calls the
original one:
https://salsa.debian.org/ruby-team/ruby-rjb/blob/master/debian/patches/0005-Fill-JAVA_HOME-with-a-sensible-value-if-not-set-when.patch
But dropping that patch does not change anything.
Cheers,
--
intrigeri
ivacy team or outside :)
Cheers,
--
intrigeri
ier. Perhaps some of you
could subscribe to the pkg-apparmor-team list? :)
Cheers,
--
intrigeri
Jeremy Bicha:
> libgoo-canvas-perl is the last package keeping the old goocanvas
> library in Debian. libgoo-canvas has no reverse dependencies and was
> already removed from Testing 2 months ago.
> I got approval from Debian Perl maintainer intrigeri before filing this bug.
Confir
it the scope of my work on torbrowser-launcher to the
AppArmor-related issues so I'll let the currently active maintainers
of this package handle this problem on #893308 :)
Cheers,
--
intrigeri
Control: tag -1 - moreinfo
Control: retitle -1 Document which download/upload directory is supported by
the AppArmor policy
Vladimir Stavrinov:
> On Sun, Mar 18, 2018 at 12:14 PM, intrigeri <intrig...@debian.org> wrote:
>> Can you please try uploading a file from the Tor Brows
intrigeri:
> Even though currently this bug affects Debian/Ubuntu-specific code,
> this problem is being (slowly!) researched/discussed upstream, because
> we would like something that works cross-distro as much as possible:
> currently Debian/Ubuntu use a custom initscript and sup
h is why I'm
giving it minor severity.
Cheers,
--
intrigeri
I think it's fine to add these lines to usr.lib.libvirt.virt-aa-helper.
Cheers,
--
intrigeri
Hi,
Tyler Hicks:
> On 02/28/2018 04:56 AM, intrigeri wrote:
>> 1. Start using the ubuntu/* namespace on the Git repo on salsa for the
>>    Ubuntu packaging. I've already imported your work up to
>>    2.11.0-2ubuntu19 there.
> Done! […]
>> 2. Merge the latest
in-container[55dc7d264000+2]
At first glance, the AppArmor profiles we ship do not grant access to
that Desktop directory.
Can you please try uploading a file from the Tor Browser's "Downloads"
directory, that is likely:
$HOME/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/Downloads/
?
Cheers,
--
intrigeri
2
capname="net_admin"
I'll file a dedicated bug (+patch) for that one once I've confirmed
it's orthogonal to the HPLIP issue.)
Cheers,
--
intrigeri
s) or do you have a specific reason to want to see this
fixed in the archive sooner?
Cheers,
--
intrigeri
r distros :)
Cheers,
--
intrigeri
Adrian Bunk:
> Alternatively, I can fix it for stretch if you don't object.
Yes, please :)
Cheers,
--
intrigeri
Adam D. Barratt:
> Please feel free to upload.
Uploaded, thanks.
aching 2 updated debdiffs: one from the version in Stretch and
the other one from the version that's already in stable p-u.
Cheers,
--
intrigeri
diff -Nru apparmor-2.11.0/debian/apparmor.install apparmor-2.11.0/debian/apparmor.install
--- apparmor-2.11.0/debian/apparmor.install 2017-03-28 12:23:0
oldtechaa:
> Do you want it in both the package description and README.debian?
One of those is sufficient (and duplicated info would inevitably end
up de-synchronized).
oldtechaa:
> So the options are generally either keep it in $PATH and add docs or move
> it to /usr/share/doc/?
Yes.
> If I were to work on thie docs and submit a patch,
> how long would you be willing to wait? I might not be able to get to it
> right away.
Any time before the end of August
oldtechaa:
> Just out of curiosity, would the package description be a bad place to put
> documentation on dependencies for perli11ndoc?
Works for me!
page (e.g. add POD and generate a manpage from it at
build time or similar).
Cheers,
--
intrigeri
, not just
> those in $PATH. Is there any way we can follow standards but keep
> perli11ndoc, even if it's slightly less convenient?
Cheers,
--
intrigeri
Vincas Dargis:
> Looks like it's enough to add:
> /dev/shm/org.chromium.* rw,
> To make Thunderbird 58 work again.
Fixed on the debian/experimental branch!
e know and
I'll handle this with higher priority :)
Cheers,
--
intrigeri
Hi maintainers of src:apparmor in Ubuntu,
[keeping Simon in Cc because I suspect he's interested in this topic
for Apertis — whose fork of Ubuntu's src:apparmor is already
maintained in Git.]
intrigeri wrote (2018-01-29):
> [explicitly Cc'ing the Ubuntu maintainers; if you missed the beginn
th different numbers of vCPUs allocated to the VM
and CONFIG_AUFS_DEBUG enabled. I could reproduce the bug with 1 vCPU,
2 vCPUs, and with my original settings (4 vCPUs).
Cheers,
--
intrigeri
do this (either apparmor or the kernel package) so cc'ing
> the apparmor maintainers.
This should be fixed in Stretch 9.4 assuming my stable update is accepted:
https://bugs.debian.org/879585
https://bugs.debian.org/882697#80
Cheers,
--
intrigeri
s/
would be more suitable. What do you think?
Cheers,
--
intrigeri
> Utility perli11ndoc requires the *.gir files for introspected libraries to be
> installed to view documentation. I can't find anywhere in the documentation
> for this
> package that notes that the .gir files can be installed with the -dev
> packages for
> base libraries, i.e. libgtk-3-dev must
intrigeri:
> intrigeri:
>> 1. ensure the blocking kernel bug is fixed:
>>    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883703#32
> That's now done in stretch-backports: linux-latest was updated and for
> example linux-image-amd64 now pulls linux-image-4.14.0-0.b
for Stretch users running an outdated Linux 4.14.x).
May I upload (with s/UNRELEASED/stretch/ of course)?
Cheers,
--
intrigeri
diff -Nru apparmor-2.11.0/debian/apparmor.install apparmor-2.11.0/debian/apparmor.install
--- apparmor-2.11.0/debian/apparmor.install 2017-03-28 12:23:08.0 +0200
Adam D. Barratt:
> # Broken Depends:
> onionshare/contrib: onionshare
So I guess Jessie should first get the fix we applied to onionshare in
testing/sid, i.e. move torbrowser-launcher to Recommends.
t support
for this feature, I would see no "microcode updated early to" in the
logs). Sorry!
Cheers,
--
intrigeri
sf...@users.sourceforge.net:
> intrigeri:
>> Same problem without debug=1:
> That is not what I meant.
OK, sorry. I got confused by:
I am interested in why you set '1' to the aufs module parameter "debug".
If you had not set, this bug would not appear I guess. Di
intrigeri:
> sf...@users.sourceforge.net:
>> I am interested in why you set '1' to the aufs module parameter "debug".
> IIRC I added it after having noticed the bug, in the hope it would
> yield more useful information for developers to fix it.
>> If you had not s
ess. Did you see
> something wrong without setting "debug"? And you tried debugging? If so,
> I want to know the original problem too.
OK, I'll retry without debug=1.
Thanks!
Cheers,
--
intrigeri
're likely to be looking at freezing p-u for the next point
> release in a couple of weeks time.
I've been following the Stretch 9.4 scheduling thread with this in
mind. My current plan is to prepare an updated stable p-u around
February 24-25.
Thanks for the ping! :)
Cheers,
--
intrigeri
transition smooth :)
[1] https://lists.debian.org/debian-release/2018/02/msg00239.html
Cheers,
--
intrigeri
.
Thanks!
Cheers,
--
intrigeri
u have?
Cheers,
--
intrigeri
Control: tag -1 + patch
intrigeri:
>> B) remove the AppArmor profile entirely and rely on seccomp instead
>> C) don't enable "no new privs" and rely on AppArmor instead
> I think B is fine given all the non-AppArmor hardening efforts Colin
> has been putting into m
intrigeri:
> A) drop the child profiles (groff, filter), merge their rules into the
>    main /usr/bin/man profile, and use ix instead of Cx; these rules
>    are not particularly scary so this doesn't seem crazy an option
I had a closer look and what's scary is not the rules that can
top of that, didn't check recently, sorry). Marking/disabling
apparmor.service merely prevents policy loading on boot and might not
be what you want.
Cheers,
--
intrigeri
crazy an option
B) remove the AppArmor profile entirely and rely on seccomp instead
C) don't enable "no new privs" and rely on AppArmor instead
Personally my choice would be A >> B >> C.
Colin, if you need help with option A, please let us know :)
Cheers,
--
intrigeri
bian Stretch.
Cheers,
--
intrigeri
/apparmor/tree/ubuntu/gbp-pq/debian/patches
… that I'd like to merge into ubuntu/master if the Ubuntu
maintainers are happy with it. I've done my best to preserve the
current Ubuntu delta on that branch but you should double-check
before uploading :)
Thoughts?
Cheers,
--
intrigeri
on this bug report
are documented in some place that power users can find
→ back then, Ulrike had volunteered to do this. Is this still on
your radar or do you prefer someone else to step up and take over?
Cheers,
--
intrigeri
Control: severity -1 wishlist
Hi,
intrigeri:
> IIRC the goals was to allow package maintainers, who ship AppArmor
> policy, or whose packages are affected by policy shipped via other
> means, to easily identify when a bug reported to them might be caused
> by AppArmor. This will ea
Control: done -1 2.11.1-4
intrigeri:
> I believe the blockers have been resolved in current testing/sid: the
> kernel now has mount mediation support and the pinned feature set in
> the apparmor package enables it. I see no bug with "apparmor" in its
> title on the sr
of:
/usr/lib/postfix
with:
/usr/lib/postfix{,/sbin}
… should do the trick :)
Cheers,
--
intrigeri
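The postfix suggestion above (replace `/usr/lib/postfix` with `/usr/lib/postfix{,/sbin}`) and the apt-cacher-ng pair of rules earlier on this page (`/dir/ r,` next to `/dir/** r,`) both come down to how AppArmor path globs expand and match. The following Python is an added example, not code from the apparmor package or from this thread: it models the globbing documented in apparmor.d(5) (`*`, `**`, `?`, `[...]`, `{a,b}`) well enough to answer "is this path covered by any rule in the profile?" for a set of rules, which is the check to run before reading a denial as a bug. The rule lines in it are constructed for the example (the `/usr/lib/postfix/* PUx,` shape of the postfix rule is an assumption; the thread only shows the path fragment), and it is a review model of the documented behaviour, not a reimplementation of the parser's matcher.

```python
"""Check which AppArmor file rules cover a given path.

Added example; not code from the apparmor package or from this thread. It
models the globbing table in apparmor.d(5) closely enough to explain why
'/usr/lib/postfix/*' does not cover '/usr/lib/postfix/sbin/smtpd' and why a
profile needs both '/dir/ r,' and '/dir/** r,'. Character classes are passed
through unchanged, which covers the common [^.] and [a-c] forms.
"""
import re

# Constructed rules echoing the threads on this page; the postfix rule shape
# (/usr/lib/postfix/* PUx,) is an assumption, the thread only shows the path.
RULES_BEFORE = ["/usr/lib/postfix/* PUx,"]
RULES_AFTER = ["/usr/lib/postfix{,/sbin}/* PUx,"]
RULES = [
    "/usr/lib/postfix{,/sbin}/* PUx,",
    "/var/cache/apt/archives/ r,",
    "/var/cache/apt/archives/** r,",
    "/usr/share/tor/** r,",
    "owner @{HOME}/.cache/** rw,",
]


def expand_braces(pattern):
    """Expand {a,b} alternations (nested ones innermost first) into plain patterns."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    out = []
    for alt in m.group(1).split(","):
        out.extend(expand_braces(pattern[:m.start()] + alt + pattern[m.end():]))
    return out


def glob_to_regex(pattern):
    """Translate one brace-free AppArmor path glob to an anchored regex."""
    out, i, n = [], 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "*":
            double = i + 1 < n and pattern[i + 1] == "*"
            width = 2 if double else 1
            after_slash = i > 0 and pattern[i - 1] == "/"
            trailing = i + width == n
            body = "." if double else "[^/]"      # '**' crosses '/', '*' does not
            # A '*' or '**' that ends the pattern right after a '/' must match at
            # least one character, so '/dir/*' and '/dir/**' do not match '/dir/'.
            out.append(body + ("+" if after_slash and trailing else "*"))
            i += width
        elif c == "?":
            out.append("[^/]")
            i += 1
        elif c == "[":
            j = pattern.find("]", i + 1)
            if j == -1:
                raise ValueError("unterminated character class in %r" % pattern)
            out.append(pattern[i:j + 1])          # same syntax as a regex class
            i = j + 1
        else:
            out.append(re.escape(c))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def rule_matches(rule_path, path):
    """True if the rule's path glob (braces allowed) matches the concrete path."""
    return any(glob_to_regex(p).match(path) for p in expand_braces(rule_path))


def covering_rules(rules, path, variables=None):
    """Return the rule lines whose path glob matches `path`.

    `variables` maps tunables such as '@{HOME}' to their expansion; rules using
    a tunable that is not provided are skipped rather than silently mismatched.
    """
    variables = variables or {}
    found = []
    for rule in rules:
        glob = rule.strip().rstrip(",").rsplit(None, 1)[0]   # drop the permission field
        if glob.startswith("owner "):
            glob = glob[len("owner "):]
        for var, value in variables.items():
            glob = glob.replace(var, value)
        if "@{" in glob:
            continue
        if rule_matches(glob, path):
            found.append(rule)
    return found


if __name__ == "__main__":
    for p in ("/usr/lib/postfix/smtpd", "/usr/lib/postfix/sbin/smtpd",
              "/var/cache/apt/archives/", "/var/cache/apt/archives/partial/x.deb"):
        print("%-45s before: %-30s after: %s" % (
            p, covering_rules(RULES_BEFORE, p), covering_rules(RULES_AFTER, p)))
```

The two facts the threads rely on fall out directly: `/usr/lib/postfix/*` stops at the next `/`, so the `sbin/` subdirectory needs the brace alternative (or `**`), and `/dir/**` never matches `/dir/` itself, so a program that opens or lists the directory needs the separate `/dir/ r,` line. Tunables such as `@{HOME}` (and the `@{HOMEDIRS}` override mentioned later on this page) are substituted before matching, which is why a non-standard home location shows up as denials until the tunable is extended.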
else should feel free to take
it: just let me know so we avoid duplicating work :)
[1] https://code.launchpad.net/~intrigeri/apparmor/flatpak-exports/+merge/331056
.d/* r,
/usr/share/tor/** r,
/usr/bin/obfsproxy PUx,
Please test and report back :)
> I wasn't sure if this should go to this open bug, or get its own new
> wishlist bug.
I believe this is off-topic on this bug report so I'm cloning it to
a new one. Please follow-up on the new one.
Cheers,
--
intrigeri
ts are in the right
order? I guess we could add a check for that in debian/rules but
perhaps the gbp pq workflow provides a better way to guarantee
that ordering?
Thanks for your valuable input!
Cheers,
--
intrigeri
from
http://dl.amnesia.boum.org/tails/stable/tails-amd64-3.5/ and boot it
in a VM).
Perhaps we should take it upstream and hope the debug trace will ring
a bell for them?
Cheers,
--
intrigeri
intrigeri:
> 1. ensure the blocking kernel bug is fixed:
>    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883703#32
That's now done in stretch-backports: linux-latest was updated and for
example linux-image-amd64 now pulls linux-image-4.14.0-0.bpo.3-amd64
(version 4.14.13-1~bpo9+1
anonym:
> I guess that you, Jan, are *not* mounting a tmpfs on /tmp and I am guessing
> that you,
> intrigeri, *are*. Am I correct? :)
I am indeed. Jan, can you reproduce if the underlying filesystem is tmpfs?
> At least for me, the segfault only triggers when the underlying fs
Control: forcemerge 882070 -1
Indeed, this bug *did* exist in the past but it's been fixed in
2.12-1 :)
Hi,
Seth Arnold:
> On Thu, Aug 10, 2017 at 05:50:41PM -0400, intrigeri wrote:
>> Context: this is about the apparmor-profiles package, that has no
>> reverse-dependency, so this whole thing is not such a big deal (users
>> [...]
>> 2. Install *all* the profi
Control: tag -1 + patch
https://salsa.debian.org/apparmor-team/apparmor/merge_requests/1
l on Debian (#830502).
If you're annoyed by these warnings in the logs you can fully disable
the profile with aa-disable. If you actually want to confine dovecot
with AppArmor, great: please report this bug upstream
(https://launchpad.net/apparmor); the fix should be a one-liner.
Cheers,
--
intrigeri
>> It seems that this wrapper [1] and the corresponding 'default' file
>> [2] were introduced three years ago in pidgin-sipe 1.13.1-2.1, as
>> a way to make it slightly easier for users of to communicate with
>> Microsoft OCS/Lync servers that had not got the fixes for the BEAST
>> attack
Control: severity -1 wishlist
To make this happen, someone would need to step up, test the missing
profiles on current Debian, ensure they work in the vast common
configurations and commit to handle regressions and bug reports about
these profiles at least for one Debian release cycle (say 1 year
relevant USB device nodes to $profile.files, which
explains the VM is actually forbidden to access them.
And indeed, if I add this line to
/etc/apparmor.d/usr.lib.libvirt.virt-aa-helper:
/sys/bus/usb/devices/ r,
… then virt-aa-helper successfully adds that line to
/etc/apparmor.d/libvirt/libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef.files:
"/dev/bus/usb/002/007" rw,
… and the VM starts just fine.
This change was already applied upstream (commit
59249778705693e54df21710116ae213b194fa50) so we'll get it once the
latest release is packaged for Debian.
Cheers,
--
intrigeri
solitone:
> Thank you for your swift and detailed response, intrigeri.
> I've tried your solution, and I confirm that now the guest shuts down
> correctly.
:)
For the record, which one of the proposed solutions did you try?
> Still I cannot add an external USB drive from the vir
ion (as is currently the case in testing/sid as
per proposed experiment), then #702030 becomes moot and in turn this
Lintian feature request becomes moot as well.
Cheers,
--
intrigeri
iation will be broken if
you do that. This may or may not break your libvirt use case. But if
you run Linux 4.14.13 or newer, the above steps should fix the problem
you're experiencing.
Cheers,
--
intrigeri
Journal.
- The attached disk is visible in the guest.
Guido, can you please confirm?
If this now works for you on current testing/sid, let's close this
bug… finally. Thanks for your patience!
I didn't check if the bugfix was brought by a kernel upgrade, AppArmor
parser upgrade, or something else entirely.
Cheers,
--
intrigeri
Hi,
FWIW I've been using dracut without any such issue in a similar setup
on my laptop for 2.5 years: my root filesystem is on a LV that's in
a VG whose only PV is a LUKS-encrypted partition.
Cheers!
I believe this is a duplicate of https://bugs.debian.org/879900.
Until someone focuses on preparing a proposed update for Stretch,
please install the profile from apparmor-profiles-extra/testing.
Cheers,
--
intrigeri
Salvatore Bonaccorso:
> On Mon, Jan 08, 2018 at 01:46:54AM -0800, John Johansen wrote:
>> On 01/06/2018 07:50 AM, intrigeri wrote:
>> > What's the status of this patch?
>> >
>> it is in 4.15-rc7, and has started working its way into the 4.14 stable
>> t
Control: reassign -1 linux-image-4.14.0-2-amd64
Control: found -1 4.14.7-1
Laszlo KERTESZ:
> So it happened again with no apparmor loaded. Twice.
Thanks for reporting! I'm therefore reassigning this bug to the
affected Linux kernel package.
Cheers,
--
intrigeri
(and label it "Team upload", no need to call it a NMU).
Cheers,
--
intrigeri
gresql jobs.
Can you please share the output of `backupninja --now --debug'?
(Make sure it does not contain any password :)
Cheers,
--
intrigeri
Control: tag -1 + patch
Hi!
Sebastian Andrzej Siewior:
> On 2018-01-07 14:59:54 [+0100], intrigeri wrote:
>> So with my AppArmor in Debian maintainer hat, I would find it
>> reasonable if the clamav-daemon maintainers decided to leave it as-is,
>> possibly improving a li
intrigeri:
> Rene Engelhard:
>> done already, though in complain mode..
> Thanks! I'll follow up on the next steps on a new bug report, quoting
> the useful bits from this one :)
FTR that's #886548.