Bug#877581: apparmor: Ensure Linux 4.14 does not break abstractions/nameservice

.14's are mount and signal mediation. > Do we need to "sprint" for 4.14-possibly-introducing issues? I'm not sure how urgently we should handle #880078 and (transitively) #877581. I'd welcome your input about it on #880078, where I've started discussing the pros & cons. Cheers, -- intrigeri

Bug#878040: tails-installer: Creates non-bootable USB sticks on current testing/sid

Control: tag -1 + fixed-upstream intrigeri: > So we're now only waiting for the tails-installer fixes to be released > upstream Done in 5.0.2, that's been packaged as 5.0.2+dfsg-0tails1 for Tails already. I've tested it on Debian sid and it works fine for me. > and then uploaded

Bug#880953: thunderbird: upon startup apparmor denies mmap of python3.6

Control: forwarded -1 https://gitlab.com/apparmor/apparmor-profiles/merge_requests/2 Hi Simon, can you please review my MR upstream? Cheers, -- intrigeri

Bug#880953: thunderbird: upon startup apparmor denies mmap of python3.6

security value comes later. If/when someone starts working on making the Thunderbird profile stricter & more useful, I'll encourage them to look at the big picture and check what attack vectors are worth addressing first. I doubt lsb_release will be on that list.) Cheers, -- intrigeri

Bug#838817: Cannot reproduce

0.2.8-4~ torbrowser-launcher I'll upload with this change right away. Cheers, -- intrigeri

Bug#881460: apparmor-profiles: dhclient set to enforce prevents getting an IPv4 with DHCP

or in the apparmor-profiles package. Cheers, -- intrigeri

Bug#855522: [Pkg-privacy-maintainers] Bug#855522: torbrowser-launcher: torbrowser won't start because of apparmor

uce this bug *without* any obsolete torbrowser.start-tor-browser conffile left behind, then I suspect you're experiencing a different bug than this one, and then please report it separately (with the corresponding denial logs). Thanks! Cheers, -- intrigeri

Bug#849727: [Pkg-privacy-maintainers] Bug#849727: Adopting seahorse-nautilus?

ance is more pleasant (having someone around to ask for advice/opinions in nice) and produces higher-quality packages. And Ulrike is committed to work on this package as well, at least until the end of 2018Q1, so you folks have a dedicated sponsor to upload your work already :) Cheers, -- intrigeri

Bug#880424: thunderbird: apparmor should allow the execution of the configured browser

rectory where each browser (e.g. google-chrome-beta) could drop its snippet. Given the above, this is likely the only solution that would be flexible enough for your needs, while being doable on the short term without major changes. I've started a discussion about this upstream: https://bugs.launchpad.net/apparmor/+bug/1730220 Cheers, -- intrigeri

Bug#880441: linux-image-4.13.0-1-amd64: silently enabled AppArmor breaks other programs

Ben Hutchings: > Yes, I now understand this. I'll add a Recommends: apparmor for the > next upload so this broken configuration is less likely to occur. Thanks! Cheers, -- intrigeri

Bug#879590: Making apparmor "Priority: standard"? [Was: Bug#879590: apparmor: Decide how we enable AppArmor by default]

Hi, intrigeri: > Cyril Brulebois: >> intrigeri <intrig...@debian.org> (2017-10-25): >>> I'm working on the last blockers towards starting the experiment I've >>> proposed on debian-devel@ 2.5 months ago, i.e. enabling AppArmor by >>> default for a wh

Bug#880425: thunderbird: logs spurious apparmor denial messages

Hi, Carsten Schoenert: > Am 05.11.2017 um 10:45 schrieb intrigeri: > meeh, go ahaed. > Looks fine from the technical side. As long as you put in tagging and > closing information so gbp can pick up the bug number later for > preparing changelog I'm more than happy. As I see act

Bug#880502: [pkg-apparmor] Bug#880502: lxc: cannot start container with kernel 4.13.10

e inspiration to whoever wants to fix this bug in LXC :) If these bugs are not tracked upstream yet: Felix, you seem to be the one of us with the best understanding of the problem and you know AppArmor pretty well, so perhaps you would be the best person to report them? Cheers, -- intrigeri

Bug#880502: [pkg-apparmor] Bug#880502: [pkg-lxc-devel] Bug#880502: lxc: cannot start container with kernel 4.13.10

not ready for prime time. Adding AppArmor confinement where we had none previously can come later. Cheers, -- intrigeri

Bug#880441: linux-image-4.13.0-1-amd64: silently enabled AppArmor breaks other programs

asons behind it clarified. What do you think? Cheers, -- intrigeri

Bug#879590: apparmor breaks all kinds of stuff

Hi, Meta: this bug report is about deciding how we enable AppArmor by default; if you want to follow-up on unrelated discussions or start new ones, please do so in better suited places :) Christoph Anton Mitterer: > On Wed, 2017-11-01 at 07:40 +0100, intrigeri wrote: >> Indeed, it w

Bug#880715: thunderbird: fails to lock gpg keyring for key import under apparmor

ound. Thanks! Reproduced, modulo I had to add a bunch of rules to the gpg child profile before I even got to this point. Submitted a MR upstream. Simon, could you please review it? (And while you're at it, you might want to test other kinds of key imports, e.g private keys.) Cheers, -- intrigeri

Bug#880532: thunderbird: tries to exec nvidia-modprobe which is denied by apparmor

r Totem recently (#879900). If more of these pop up we should consider including the nvidia abstraction in some other abstraction that's itself commonly included in affected GUI apps. Cheers, -- intrigeri

Bug#880425: thunderbird: logs spurious apparmor denial messages

Control: tag -1 + pending intrigeri: > Carsten, the updated profile lives there since upstream has moved > from bzr@Launchpad to Git@GitLab: > https://gitlab.com/apparmor/apparmor-profiles/blob/master/ubuntu/18.04/usr.bin.thunderbird Actually I now have write access to Vcs-Git so I'v

Bug#880425: thunderbird: logs spurious apparmor denial messages

ged upstream. Carsten, the updated profile lives there since upstream has moved from bzr@Launchpad to Git@GitLab: https://gitlab.com/apparmor/apparmor-profiles/blob/master/ubuntu/18.04/usr.bin.thunderbird Cheers, -- intrigeri

Bug#880490: tor: Does not start when the AppArmor LSM is enabled but the apparmor package is not installed

. Cheers, -- intrigeri

Bug#880490: tor: Does not start when the AppArmor LSM is enabled but the apparmor package is not installed

Viktor Jägersküpper: > I confirm that with this change tor starts normally without apparmor > installed. Thanks a lot for testing & reporting back!

Bug#878040: tails-installer: Creates non-bootable USB sticks on current testing/sid

8 Both were merged, part of new upstream releases, and have landed in sid. So we're now only waiting for the tails-installer fixes to be released upstream and then uploaded to Debian. Cheers, -- intrigeri

Bug#880425: thunderbird: logs spurious apparmor denial messages

correctly by Enigmail. But I suppose some kind of rule >> is missing to make the log lines go away? Indeed. > I'd be tempted to add a deny rule to silence it. Opinions? Yes, please :) You might need to add more than just the omni.ja rule, like I had to do for torbrowser-launcher: https://github.com/intrigeri/torbrowser-launcher/commit/d043788f590e8ff2da585e3512a0e596e7460ff8 Cheers!

Bug#880424: thunderbird: apparmor should allow the execution of the configured browser

t;thunderbird" requested_mask="x" > denied_mask="x" fsuid=1000 ouid=0 > (From an infinote:// URL in an email.) I think this is (technically, not in terms of UX) closer to #855346 which is fixed in the Vcs-Git already: https://anonscm.debian.org/cgit/pkg-mozilla/thunderbird.git/tree/debian/apparmor/usr.bin.thunderbird Cheers, -- intrigeri

Bug#880490: tor: Does not start when the AppArmor LSM is enabled but the apparmor package is not installed

d breaking the startup of the unit in case of such problems with the AppArmor profile. Weasel, what do you think? Cheers, -- intrigeri

Bug#879590: apparmor breaks all kinds of stuff

intrigeri: > Christoph Anton Mitterer: >> All kinds of programs seem to fail now... e.g. tor won't start anymore, >> aptitude cannot download changelogs. > Ouch! Sorry about that. May you please report dedicated bugs about > these, attaching the AppArmor log denials? W

Bug#879590: apparmor breaks all kinds of stuff

d thus there would have been little chance they ever get solved. Cheers, -- intrigeri

Bug#879900: apparmor-profiles-extra: Totem segfaults when apparmor profile is enforced

ity *for now*: I want to focus my AppArmor time on the "enabling AppArmor by default in Buster" experiment. Thanks for flagging this bug as affecting 1.11! Cheers, -- intrigeri

Bug#871537: cups-daemon: Fails to delete a printer via http://localhost:631 (AppArmor-related?)

Hi Michael, do you need more time to test the proposed fix, or should we find someone else to do it? Cheers, -- intrigeri

Bug#880381: apparmor profile breaks xul-ext-exteditor

Control: tag -1 + moreinfo Hi, Carsten Schoenert: > Hello intrigeri, hello Simon, > On Tue, Oct 31, 2017 at 02:49:27AM +0100, W. Martin Borgert wrote: >> Package: thunderbird >> Version: 1:52.4.0-1 >> >> It seems, that apparmor prevents using an exter

Bug#880387: aufs-dkms: the module is not built for Linux 4.14

impractical or not feasible) so that we're ready when 4.14 reaches sid? Cheers, -- intrigeri

Bug#879590: apparmor: Decide how we enable AppArmor by default

Hi, intrigeri: > Ben Hutchings: >> On Mon, 2017-10-23 at 10:06 +0200, intrig...@debian.org wrote: >>> A. Make AppArmor the default LSM in the kernel >> [...] >>> B. Configure bootloaders to enable AppArmor by default >>> >>>On https:

Bug#871441: [pkg-apparmor] Bug#871441: apparmor: Including tunables/sys to tunables/global?

Vincent Blut: > Thanks a lot for handling this! No problem. Note that I have no plans to work on this personally. But perhaps you might want to give it a try?

Bug#871441: apparmor: Including tunables/sys to tunables/global?

Control: forwarded -1 https://bugs.launchpad.net/apparmor/+bug/1728551 Hi, John Johansen: > On 09/20/2017 07:32 AM, intrigeri wrote: >> I see that tunables/sys was introduced in 2012 by John (Cc'ed) as part >> of a commit that adds "abstractions to support the apparmor a

Bug#838817: Cannot reproduce

intrigeri: > I *thought* I had fixed this bug already: > torbrowser-launcher (0.2.5-1) unstable; urgency=medium > […] > * Remove obsolete conffile /etc/apparmor.d/torbrowser.start-tor-browser > thanks to Paul Wise. (Closes: #805706) > … but apparently I failed to get th

Bug#879830: [Pkg-privacy-maintainers] Bug#879830: Bug#879830: torbrowser-launcher: AppArmor profiles break torbrowser-launcher when running Linux 4.14

Roger Shimizu: > On Thu, Oct 26, 2017 at 8:44 PM, wrote: >> Do you folks think you could upload this within 1-2 weeks, before >> Linux 4.14 reaches sid? Otherwise, let me know and I'll upload myself. > You know torbrowser + apparmor better than most of us, so I think you >

Bug#879900: apparmor-profiles-extra: Totem segfaults when apparmor profile is enforced

Control: tag -1 - moreinfo Control: tag -1 + upstream Control: forwarded -1 https://code.launchpad.net/~intrigeri/apparmor-profiles/+git/apparmor-profiles/+merge/332963 Control: tag -1 + pending Jason Wittlin-Cohen: > Adding #include to /etc/apparmor.d/local/usr.bin.totem > fixed the is

Bug#880078: apparmor: Bump pinned feature set to Linux 4.14's

Package: apparmor Version: 2.11.1-2 Severity: normal Feature set pinning was broken since Linux 4.14-rc2 but it'll be repaired in 4.14-rc7. Once our policy is ready enough for Linux 4.14 (#877581) and that kernel is in sid, we can bump the pinned feature set to Linux 4.14's. This will probably

Bug#876333: thunderbird: AppArmor profile allows mmap executables from user writable directories

Control: tag -1 + fixed-upstream Thanks to Vincas this was fixed upstream at the same time as #855346: https://git.launchpad.net/apparmor-profiles/tree/ubuntu/17.10/usr.bin.thunderbird Carsten, could you please pull this updated profile? Cheers, -- intrigeri

Bug#855346: thunderbird: Can't open attachments with AppArmor profile enforced

Control: tag -1 + fixed-upstream Thanks to Vincas this was fixed upstream: https://git.launchpad.net/apparmor-profiles/tree/ubuntu/17.10/usr.bin.thunderbird Carsten, could you please pull this updated profile? Cheers, -- intrigeri

Bug#879900: apparmor-profiles-extra: Totem segfaults when apparmor profile is enforced

Control: retitle -1 Totem segfaults with NVIDIA proprietary drivers when AppArmor profile is enforced Control: tag -1 + moreinfo Hi Jason! Jason Wittlin-Cohen: > Totem suffers a segmentation fault upon startup when its respective apparmor > profile is set to enforce mode. It starts fine when

Bug#773346: reportbug should provide information about active LSM

intrigeri: > I'm attaching the equivalent for AppArmor. Here's a cleaned up v2 (my initial patch had leftovers from a previous version that included the output of aa-enabled; now that I've stopped doing it I could simplify the code a bit). Thanks a lot to Christian Boltz for catch

Bug#773346: reportbug should provide information about active LSM

r enabled; 2. with no LSM enabled; and it works as expected. I trust you've tested it on a system with SELinux enabled so I didn't check this. I'm attaching the equivalent for AppArmor. This patch is meant to be applied on top of Laurent's. Cheers, -- intrigeri >From d40f198f40ec665e6233982d73a81c2fc3ac

Bug#879590: Making apparmor "Priority: standard"? [Was: Bug#879590: apparmor: Decide how we enable AppArmor by default]

Hi KiBi! Cyril Brulebois: > intrigeri <intrig...@debian.org> (2017-10-25): >> I'm working on the last blockers towards starting the experiment I've >> proposed on debian-devel@ 2.5 months ago, i.e. enabling AppArmor by >> default for a while in testing/sid. &

Bug#879590: apparmor: Decide how we enable AppArmor by default

intrigeri: > But I'm not sure what's the best way to pull the apparmor package: > 1. on testing/sid upgrades, during the Buster dev cycle: this would >greatly increase the value of the "enable AppArmor by default for >a while" experiment; > 2. during Stretch to Bu

Bug#877581: Ensure our AppArmor policy does not break stuff with Linux 4.14

intrigeri: > Here's a more up-to-date dump. Good news: most of these changes were needed only due to a bug in apparmor_parser, that's been fixed in AppArmor 2.11.1. Vincas has built a complete list of packages that ship AppArmor policy (thanks!). I've triaged it a bit, tested those that see

Bug#879830: torbrowser-launcher: AppArmor profiles break torbrowser-launcher when running Linux 4.14

folks think you could upload this within 1-2 weeks, before Linux 4.14 reaches sid? Otherwise, let me know and I'll upload myself. Cheers, -- intrigeri

Bug#879772: libvirt-daemon-system: Broken with AppArmor on Linux 4.14-rc5

Hi, please instead import the updated patch I've just sent upstream: https://www.redhat.com/archives/libvir-list/2017-October/msg01181.html Thanks! Cheers, -- intrigeri

Bug#855346: thunderbird: Can't open attachments with AppArmor profile enforced

Vincas Dargis: > On 2017.10.25 10:26, intrigeri wrote: >> Indeed, it might be that the specific rules about evince & totem >> you're quoting from my patch above are not needed. It would be nice if >> we could drop them (and the maintenance cost of hard-coding a list of >

Bug#879776: torbrowser-launcher: usr.bin.torbrowser-launcher AppArmor profile makes logs extremely noisy on Linux 4.14

. I did this in Vcs-Git (debian-sid branch), not built nor tested though. Do you folks think you could upload this within 1-2 weeks, before Linux 4.14 reaches sid? Otherwise, let me know and I'll upload myself. Cheers, -- intrigeri

Bug#838817: Cannot reproduce

: #805706) … but apparently I failed to get the rm_conffile line right. Cheers! -- intrigeri

Bug#879590: Making apparmor "Priority: standard"? [Was: Bug#879590: apparmor: Decide how we enable AppArmor by default]

. (1) once the other blockers have been resolved. Cheers, -- intrigeri

Bug#879772: libvirt-daemon-system: Broken with AppArmor on Linux 4.14-rc5

g is fixed) Cheers, -- intrigeri >From d4fe9f6729565205b90df8a5165da284f6a852f8 Mon Sep 17 00:00:00 2001 From: intrigeri <intrigeri+libv...@boum.org> Date: Wed, 25 Oct 2017 16:05:00 + Subject: [PATCH] AppArmor-add-rules-needed-with-additional-mediation-featu.patch: new patch, add

Bug#879590: apparmor: Decide how we enable AppArmor by default

Hi, intrigeri: > Next step: figure out how to actually pull AppArmor utilities & policy > by default (enabling the LSM is not very useful if we don't install > those too). For new installations, making the apparmor package "Priority: standard" seems to be the way

Bug#874100: thunderbird: Let's clarify what's the upstream for our AppArmor profile

intrigeri: > Let's wait for Ulrike's input before closing this bug though. Ulrike told me privately that she's happy I took over the lead on this front, and I know she's pretty busy elsewhere at the moment, so let's not block on this. The only blocker left before we can close this bug is gett

Bug#874100: thunderbird: Let's clarify what's the upstream for our AppArmor profile

tware they confine. Guido has mentioned some reasons on the AppArmor thread on -devel@, and it plays better with backports, security uploads and such (otherwise we need to update whatever other package ships the policy in lockstep). > Otherwise we can stay on the status > quo and intrigeri

Bug#876333: thunderbird: AppArmor profile allows mmap executables from user writable directories

p files with >> executable flags, I believe it should be reported as a bug upstream. > I just removed those 2 lines and ran some tests (calendar, enigmail, > etc) and saw no denials. Do you plan to fix this as part of your MR upstream for #855346? Cheers, -- intrigeri

Bug#855346: thunderbird: Can't open attachments with AppArmor profile enforced

only would be a huge improvement already. I suggest you focus on getting this done first, and later we can test (or call for testing!) on other DEs. There's no way we can test all relevant configurations, so we'll need to rely on user testing to some degree anyway. Cheers, -- intrigeri

Bug#877255: [pkg-apparmor] Bug#877255: apparmor-profiles-extra: usr.bin.totem profile produces aa-logprof error: permission contains unknown character(s) Pux

Control: tag -1 + pending Vincas Dargis: > Attached patch from upstream MR [0] Thanks, applied to Vcs-Git. I've got another queued fix or two that I want to apply before I upload (most likely today or tomorrow: that's not high priority but still, let's try to keep our backlog small by tackling

Bug#879716: ITP: usbauth-notifier -- Notifier for USB Firewall to use with desktop environments

Stefan Koch: > * Package name: usbauth-notifier > * URL : https://github.com/kochstefan/usbauth-all/usbauth-notifier FWIW I get an error 404 there. > A notifier for the usbauth firewall against BadUSB attacks. The user > could manually allow or deny USB devices. I'm curious:

Bug#879585: apparmor: Pin the AppArmor feature set in Stretch to Linux 4.9's

Control: severity -1 normal 1. AppArmor is not enabled by default in Stretch 2. Currently stretch-backports has Linux 4.12 that's compatible with the policy shipped in Stretch, without need for any pinning ⇒ lowering priority. It'll become more important once Linux 4.13+ lands in

Bug#877581: [pkg-apparmor] Bug#877581: Bug#877581: apparmor: Ensure Linux 4.14 does not break abstractions/nameservice

When testing stuff on 4.14, make sure you: - use apparmor 2.11.1 - disable features-files= in /etc/apparmor/parser.conf (otherwise not only you'll be stuck to 4.13's feature set and unable to do useful work here, but worse you'll hit a kernel bug wrt. feature set pinning & network

Bug#877581: apparmor: Ensure Linux 4.14 does not break abstractions/nameservice

Vincas Dargis: > On 2017.10.12 07:37, intrigeri wrote: >> I suspect more is coming. Ubuntu / OpenSUSE probably already have >> some of this stuff. > Could you clarify, why Ubuntu should have issues, if they had > network mediation before? You're right, Ubuntu s

Bug#877581: Ensure our AppArmor policy does not break stuff with Linux 4.14

Hi, intrigeri: > I've upgraded my system to 4.14 and had to adjust no less than 7 profiles > *after* applying Christian's patch to abstractions/nameservice. > They're spread over multiple source packages but I figured it would be > nice to at least share my tweaks (attached) so any

Bug#879584: apparmor: Pin the AppArmor feature set to Linux 4.12's or 4.13's until our policy has been updated for Linux 4.14

n 10/23/2017 10:30 AM, intrigeri wrote: >>> I'll need to test what happens when upgrading the feature set file + >>> Linux in lockstep, when the new feature set includes features brought >>> by the Linux upgrade and not supported by the running kernel. >>> This wil

Bug#879585: apparmor: Pin the AppArmor feature set in Stretch to Linux 4.9's

messages (Unable to replace "sanitized_helper". Profile doesn't conform to protocol); but the upgrade succeeds on the dpkg level as the policy reload is not fatal in apparmor.postinst. I think these tests validate the general idea. Cheers, -- intrigeri

Bug#879590: apparmor: Decide how we enable AppArmor by default

ly pull AppArmor utilities & policy by default (enabling the LSM is not very useful if we don't install those too). I think I can propose something about it this week. Cheers, -- intrigeri

Bug#879584: apparmor: Pin the AppArmor feature set to Linux 4.12's or 4.13's until our policy has been updated for Linux 4.14

Hi, (John, there's a question for you below and I'll like you to double-check my testing procedure :) intrigeri: >> 1. in testing/sid, ship a conffile (in a package built from >>src:apparmor) that pins the most recent feature set fully supported >>by our policy, i.e. Li

Bug#877581: [pkg-apparmor] Bug#877581: Bug#877581: apparmor: Ensure Linux 4.14 does not break abstractions/nameservice

). Thanks for the heads up! > Note that the patch discussed in this bugreport adds a few other rules - > those will still be needed. Indeed. I want to work on this later this week. Cheers, -- intrigeri

Bug#879590: apparmor: Decide how we enable AppArmor by default

w much work would be required to achieve the same result with the other major bootloaders Debian supports. C. Anything else? My personal preference is A > B.1. Ben & others, what do you think? [selinux-activate] https://sources.debian.net/src/selinux-basics/0.5.6/selinux-activate/ Cheers, -- intrigeri

Bug#878203: [pkg-apparmor] Bug#878203: Bug#878203: AA breaks libvirt when running with kernel 4.13

or allow it (possibly prefixed with "owner" to avoid increasing the attack surface too much)? Once we reach a conclusion here I'm happy to send a patch upstream. Cheers, -- intrigeri

Bug#879584: apparmor: Pin the AppArmor feature set to Linux 4.12's or 4.13's until our policy has been updated for Linux 4.14

intrig...@debian.org: > Package: apparmor > Version: 2.11.0-11 > Severity: important > My plan is: > 1. in testing/sid, ship a conffile (in a package built from >src:apparmor) that pins the most recent feature set fully supported >by our policy, i.e. Linux 4.12's or 4.13's (depending on

Bug#879585: apparmor: Pin the AppArmor feature set in Stretch to Linux 4.9's

the AppArmor policy shipped in Stretch works well with. Cheers, -- intrigeri

Bug#879584: apparmor: Pin the AppArmor feature set to Linux 4.12's or 4.13's until our policy has been updated for Linux 4.14

bug report I'll file another bug report about doing something similar to address the Stretch + Linux from backports use case. Cheers, -- intrigeri

Bug#870418: shutter: Depends on obsolete libgnome2-vfs-perl that will go away during the Buster cycle

Control: forwarded -1 https://bugs.launchpad.net/shutter/+bug/1006290 Control: tag -1 + upstream Hi, Dominique Dumont (2017-08-15): > On Thu, 03 Aug 2017 08:42:15 -0400 intrigeri <intrig...@debian.org> wrote: >> What would be an acceptable timeline for you to check before we

Bug#877581: apparmor: Ensure Linux 4.14 does not break abstractions/nameservice

Control: retitle -1 apparmor: Ensure our AppArmor policy does not break stuff with Linux 4.14 Control: tag -1 - patch Control: tag -1 - pending I've upgraded my system to 4.14 and had to adjust no less than 7 profiles *after* applying Christian's patch to abstractions/nameservice. They're

Bug#877581: Patch

ive that don't include the nameservice abstraction (there are some on my system) and thus won't be fixed by this patch *if* they happen to need similar "unix" permissions. Cheers, -- intrigeri

Bug#795431: Fix for #795431 v2

see "$package package provides", which sounds weird to my ear. 2. Apparently you had missed apparmor-utils. Cheers, -- intrigeri

Bug#877255: apparmor-profiles-extra: usr.bin.totem profile produces aa-logprof error: permission contains unknown character(s) Pux

Hi, Vincas Dargis: > On 2017.09.30 08:27, intrigeri wrote: >> Interestingly >> http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference#Execute_rules >> says that Pux is supported since 2.5, so I wonder who's correct. Thanks to everyone who helped clarifying this ma

Bug#873628: systemd: Apparent regression on #825394, logind.conf accepts upstream default of KillUserProcesses=yes

og missed the required "Closes: #nn". Thanks! Cheers, -- intrigeri

Bug#878040: tails-installer: Creates non-bootable USB sticks on current testing/sid

have been submitted to the corresponding projects already: - https://github.com/storaged-project/udisks/pull/416 - https://github.com/storaged-project/libblockdev/pull/288 The corresponding Tails upstream bug is: https://labs.riseup.net/code/issues/14809 Stretch is not affected. Cheers, -- intrigeri

Bug#877965: elpa-org: Fails to configure upon upgrade from 9.0.9+dfsg-4 to 9.1.2+dfsg-1

in/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) Versions of packages elpa-org depends on: ii elpa-htmlize1.51-1 ii emacsen-common 2.0.8 Versions of packages elpa-org recommends: ii emacs 47.0 Versions of packages elpa-org suggests: pn ditaa ii org-mode-doc 9.1.2-1 ii texlive-fonts-recommended 2017.20171004-1 ii texlive-latex-extra2017.20171004-1 -- no debconf information -- intrigeri

Bug#877926: libvirt-daemon-system: Can't start VMs with AppArmor enabled and Linux 4.13+

olen from Ubuntu) fixes it: --- a/apparmor.d/usr.sbin.libvirtd +++ b/apparmor.d/usr.sbin.libvirtd @@ -37,6 +37,9 @@ network packet dgram, network packet raw, + # Grant bare ptrace + ptrace, + # Very lenient profile for libvirtd since we want to first focus on confining # the guests. Guests will have a very restricted profile. / r, Cheers, -- intrigeri

Bug#875620: aufs-dkms: Please enable compilation with kernel 4.13

severity to RC. I wanted to propose a Git branch ready to merge, but the latest tag pushed to Vcs-Git is debian/4.11+20170703-1 (and the master branch matches), which makes it harder to help than I would like. Cheers, -- intrigeri

Bug#877581: About help

Vincas Dargis: > After your call [0] write here to help. Thanks! :) > What can I aquatically do? Install experimental kernel on VM and check if > profiles there and here does not produces denies? Yes. Likely they will. And then you might want to fork the Vcs-Bzr, read README.source, report to

Bug#877581: apparmor: Ensure Linux 4.14 does not break abstractions/nameservice

Package: apparmor Version: 2.11.0-11 Severity: important This bug is meant to track https://lists.alioth.debian.org/pipermail/pkg-apparmor-team/2017-October/001755.html We should apply this patch as a temporary workaround before Linux 4.14 reaches Debian (ideally, before it reaches

Bug#742829: closed by intrigeri <intrig...@debian.org> (Bug#742829: fixed in apparmor 2.10.95-8)

Hi, Guido Günther: > On Fri, Sep 29, 2017 at 04:09:02PM -0400, Daniel Richard G. wrote: >> #include > This file is currently not included in Debian's apparmor > package. @intrigeri, can this be added? Before r1608 (in Vcs-Bzr) we shipped that file in /usr/share/apparmor-profil

Bug#877325: rss2email: ImportError: No module named rss2email.main

nds on: ii python 2.7.14-1 ii python3 3.5.3-3 ii python3-feedparser 5.1.3-3 ii python3-html2text 2016.9.19-1 Versions of packages rss2email recommends: ii python3-bs4 4.6.0-1 Versions of packages rss2email suggests: pn esmtp -- no debconf information -- intrigeri

Bug#876647: dh-apparmor: Please support /etc/apparmor.d/apache

FTR I don't use AppArmor for Apache personally so there's very little chance I work on this any time soon. Patches are welcome. > This would make sure we handle things like #872266 too once fixed. Now you make me curious: I don't understand how this is related. Cheers, -- intrigeri

Bug#877255: apparmor-profiles-extra: usr.bin.totem profile produces aa-logprof error: permission contains unknown character(s) Pux

upstream accordingly: https://code.launchpad.net/~intrigeri/apparmor-profiles/+git/apparmor-profiles/+merge/331058 … and then propose a branch forked off current Vcs-Git on the Debian side? Cheers, -- intrigeri

Bug#742829: closed by intrigeri <intrig...@debian.org> (Bug#742829: fixed in apparmor 2.10.95-8)

thread. Fine with me, that sounds reasonable :) Cheers, -- intrigeri

Bug#851694: qemu: Formatting USB disks to EXT4 with nec-xhci USB controller fails with Buffer I/O fails

-1 :) Would you be open to applying that change in Stretch via stable p-u? Cheers, -- intrigeri

Bug#874077: clutter-1.0: build tests fail on Debian but pass on Ubuntu

_strsplit assertion failure, so probably unrelated). So I bet that the reason why the tests fail on our buildds is caused by a more restrictive environment than what this test suite expects. Cheers, -- intrigeri

Bug#876484: torbrowser-launcher: stuck in "Tor exited during startup" loop with AppArmor

Chris Lamb: >> But I guess that this bug won't come back now that you've cleared >> .local/share/torbrowser > Mmm. I'm therefore going to close this bug; doesn't seem very useful keeping > it open now. Well, I see no indication that makes me confident it won't happen to anyone else. I'll let

Bug#876484: torbrowser-launcher: stuck in "Tor exited during startup" loop with AppArmor

Control: user pkg-apparmor-t...@lists.alioth.debian.org Contol: usertag -1 + help-needed Hi Chris! Chris Lamb: > Ah, this is due to apparmor: > Sep 22 18:41:57 keyboardcat.chris-lamb.co.uk kernel: audit: type=1400 > audit(1506102117.020:467): apparmor="DENIED" operation="chmod" >

Bug#876484: [Pkg-privacy-maintainers] Bug#876484: torbrowser-launcher: stuck in "Tor exited during startup" loop with AppArmor

s already provided the log about the AppArmor policy bug that presumably causes the problem :) Cheers, -- intrigeri

Bug#874100: thunderbird: Let's clarify what's the upstream for our AppArmor profile

Hi! Simon Deziel: > On 2017-09-20 11:26 AM, intrigeri wrote: >>> My only concern is what to do when those new rules are stalled >>> waiting on review? Could they be integrated to the Debian version while >>> waiting for the official merge? If yes, I think that

Bug#855346: thunderbird: Can't open attachments with AppArmor profile enforced

Carsten Schoenert: > On Sun, Sep 03, 2017 at 10:36:23AM +0200, intrigeri wrote: >> By the way, IIRC Carsten told me that I could push such fixed directly >> to the Vcs-Git. I've just tried to push my branch there, and was told: [...] > seems you have no access rights thou

Bug#874100: thunderbird: Let's clarify what's the upstream for our AppArmor profile

the other two ACKs it, we ask the src:icedove maintainers to take it. I.e. we piggy pack on the existing upstream review process and tools and save some paperwork. Deal? Cheers, -- intrigeri

<    5   6   7   8   9   10   11   12   13   14   >