.14's are mount and signal mediation.
> Do we need to "sprint" for 4.14-possibly-introducing issues?
I'm not sure how urgently we should handle #880078 and (transitively)
#877581. I'd welcome your input about it on #880078, where I've
started discussing the pros & cons.
Cheers,
--
intrigeri
Control: tag -1 + fixed-upstream
intrigeri:
> So we're now only waiting for the tails-installer fixes to be released
> upstream
Done in 5.0.2, that's been packaged as 5.0.2+dfsg-0tails1 for Tails already.
I've tested it on Debian sid and it works fine for me.
> and then uploaded
Control: forwarded -1
https://gitlab.com/apparmor/apparmor-profiles/merge_requests/2
Hi Simon,
can you please review my MR upstream?
Cheers,
--
intrigeri
security value
comes later. If/when someone starts working on making the Thunderbird
profile stricter & more useful, I'll encourage them to look at the big
picture and check what attack vectors are worth addressing first.
I doubt lsb_release will be on that list.)
Cheers,
--
intrigeri
0.2.8-4~
torbrowser-launcher
I'll upload with this change right away.
Cheers,
--
intrigeri
or in the
apparmor-profiles package.
Cheers,
--
intrigeri
uce this bug *without* any obsolete
torbrowser.start-tor-browser conffile left behind, then I suspect
you're experiencing a different bug than this one, and then please
report it separately (with the corresponding denial logs).
Thanks!
Cheers,
--
intrigeri
ance is more pleasant (having someone around to
ask for advice/opinions in nice) and produces higher-quality packages.
And Ulrike is committed to work on this package as well, at least
until the end of 2018Q1, so you folks have a dedicated sponsor to
upload your work already :)
Cheers,
--
intrigeri
rectory where each
browser (e.g. google-chrome-beta) could drop its snippet.
Given the above, this is likely the only solution that would be
flexible enough for your needs, while being doable on the short term
without major changes.
I've started a discussion about this upstream:
https://bugs.launchpad.net/apparmor/+bug/1730220
Cheers,
--
intrigeri
Ben Hutchings:
> Yes, I now understand this. I'll add a Recommends: apparmor for the
> next upload so this broken configuration is less likely to occur.
Thanks!
Cheers,
--
intrigeri
Hi,
intrigeri:
> Cyril Brulebois:
>> intrigeri <intrig...@debian.org> (2017-10-25):
>>> I'm working on the last blockers towards starting the experiment I've
>>> proposed on debian-devel@ 2.5 months ago, i.e. enabling AppArmor by
>>> default for a wh
Hi,
Carsten Schoenert:
> Am 05.11.2017 um 10:45 schrieb intrigeri:
> meeh, go ahaed.
> Looks fine from the technical side. As long as you put in tagging and
> closing information so gbp can pick up the bug number later for
> preparing changelog I'm more than happy. As I see act
e inspiration to whoever wants to fix this bug in
LXC :)
If these bugs are not tracked upstream yet: Felix, you seem to be the
one of us with the best understanding of the problem and you know
AppArmor pretty well, so perhaps you would be the best person to
report them?
Cheers,
--
intrigeri
not ready for prime time.
Adding AppArmor confinement where we had none previously can
come later.
Cheers,
--
intrigeri
asons behind it clarified. What do
you think?
Cheers,
--
intrigeri
Hi,
Meta: this bug report is about deciding how we enable AppArmor by
default; if you want to follow-up on unrelated discussions or start
new ones, please do so in better suited places :)
Christoph Anton Mitterer:
> On Wed, 2017-11-01 at 07:40 +0100, intrigeri wrote:
>> Indeed, it w
ound.
Thanks! Reproduced, modulo I had to add a bunch of rules to the gpg
child profile before I even got to this point.
Submitted a MR upstream. Simon, could you please review it? (And while
you're at it, you might want to test other kinds of key imports, e.g
private keys.)
Cheers,
--
intrigeri
r Totem recently (#879900).
If more of these pop up we should consider including the nvidia
abstraction in some other abstraction that's itself commonly included
in affected GUI apps.
Cheers,
--
intrigeri
Control: tag -1 + pending
intrigeri:
> Carsten, the updated profile lives there since upstream has moved
> from bzr@Launchpad to Git@GitLab:
> https://gitlab.com/apparmor/apparmor-profiles/blob/master/ubuntu/18.04/usr.bin.thunderbird
Actually I now have write access to Vcs-Git so I'v
ged upstream.
Carsten, the updated profile lives there since upstream has moved
from bzr@Launchpad to Git@GitLab:
https://gitlab.com/apparmor/apparmor-profiles/blob/master/ubuntu/18.04/usr.bin.thunderbird
Cheers,
--
intrigeri
.
Cheers,
--
intrigeri
Viktor Jägersküpper:
> I confirm that with this change tor starts normally without apparmor
> installed.
Thanks a lot for testing & reporting back!
8
Both were merged, part of new upstream releases, and have landed
in sid.
So we're now only waiting for the tails-installer fixes to be released
upstream and then uploaded to Debian.
Cheers,
--
intrigeri
correctly by Enigmail. But I suppose some kind of rule
>> is missing to make the log lines go away?
Indeed.
> I'd be tempted to add a deny rule to silence it. Opinions?
Yes, please :)
You might need to add more than just the omni.ja rule, like I had to
do for torbrowser-launcher:
https://github.com/intrigeri/torbrowser-launcher/commit/d043788f590e8ff2da585e3512a0e596e7460ff8
Cheers!
t;thunderbird" requested_mask="x"
> denied_mask="x" fsuid=1000 ouid=0
> (From an infinote:// URL in an email.)
I think this is (technically, not in terms of UX) closer to #855346
which is fixed in the Vcs-Git already:
https://anonscm.debian.org/cgit/pkg-mozilla/thunderbird.git/tree/debian/apparmor/usr.bin.thunderbird
Cheers,
--
intrigeri
d breaking the startup of the unit in case of such
problems with the AppArmor profile. Weasel, what do you think?
Cheers,
--
intrigeri
intrigeri:
> Christoph Anton Mitterer:
>> All kinds of programs seem to fail now... e.g. tor won't start anymore,
>> aptitude cannot download changelogs.
> Ouch! Sorry about that. May you please report dedicated bugs about
> these, attaching the AppArmor log denials?
W
d thus
there would have been little chance they ever get solved.
Cheers,
--
intrigeri
ity *for now*: I want to
focus my AppArmor time on the "enabling AppArmor by default in
Buster" experiment.
Thanks for flagging this bug as affecting 1.11!
Cheers,
--
intrigeri
Hi Michael,
do you need more time to test the proposed fix, or should we find
someone else to do it?
Cheers,
--
intrigeri
Control: tag -1 + moreinfo
Hi,
Carsten Schoenert:
> Hello intrigeri, hello Simon,
> On Tue, Oct 31, 2017 at 02:49:27AM +0100, W. Martin Borgert wrote:
>> Package: thunderbird
>> Version: 1:52.4.0-1
>>
>> It seems, that apparmor prevents using an exter
impractical or not feasible) so that we're
ready when 4.14 reaches sid?
Cheers,
--
intrigeri
Hi,
intrigeri:
> Ben Hutchings:
>> On Mon, 2017-10-23 at 10:06 +0200, intrig...@debian.org wrote:
>>> A. Make AppArmor the default LSM in the kernel
>> [...]
>>> B. Configure bootloaders to enable AppArmor by default
>>>
>>>On https:
Vincent Blut:
> Thanks a lot for handling this!
No problem. Note that I have no plans to work on this personally.
But perhaps you might want to give it a try?
Control: forwarded -1 https://bugs.launchpad.net/apparmor/+bug/1728551
Hi,
John Johansen:
> On 09/20/2017 07:32 AM, intrigeri wrote:
>> I see that tunables/sys was introduced in 2012 by John (Cc'ed) as part
>> of a commit that adds "abstractions to support the apparmor a
intrigeri:
> I *thought* I had fixed this bug already:
> torbrowser-launcher (0.2.5-1) unstable; urgency=medium
> […]
> * Remove obsolete conffile /etc/apparmor.d/torbrowser.start-tor-browser
> thanks to Paul Wise. (Closes: #805706)
> … but apparently I failed to get th
Roger Shimizu:
> On Thu, Oct 26, 2017 at 8:44 PM, wrote:
>> Do you folks think you could upload this within 1-2 weeks, before
>> Linux 4.14 reaches sid? Otherwise, let me know and I'll upload myself.
> You know torbrowser + apparmor better than most of us, so I think you
>
Control: tag -1 - moreinfo
Control: tag -1 + upstream
Control: forwarded -1
https://code.launchpad.net/~intrigeri/apparmor-profiles/+git/apparmor-profiles/+merge/332963
Control: tag -1 + pending
Jason Wittlin-Cohen:
> Adding #include to /etc/apparmor.d/local/usr.bin.totem
> fixed the is
Package: apparmor
Version: 2.11.1-2
Severity: normal
Feature set pinning was broken since Linux 4.14-rc2 but it'll be
repaired in 4.14-rc7. Once our policy is ready enough for Linux 4.14
(#877581) and that kernel is in sid, we can bump the pinned feature
set to Linux 4.14's.
This will probably
Control: tag -1 + fixed-upstream
Thanks to Vincas this was fixed upstream at the same time as #855346:
https://git.launchpad.net/apparmor-profiles/tree/ubuntu/17.10/usr.bin.thunderbird
Carsten, could you please pull this updated profile?
Cheers,
--
intrigeri
Control: tag -1 + fixed-upstream
Thanks to Vincas this was fixed upstream:
https://git.launchpad.net/apparmor-profiles/tree/ubuntu/17.10/usr.bin.thunderbird
Carsten, could you please pull this updated profile?
Cheers,
--
intrigeri
Control: retitle -1 Totem segfaults with NVIDIA proprietary drivers when
AppArmor profile is enforced
Control: tag -1 + moreinfo
Hi Jason!
Jason Wittlin-Cohen:
> Totem suffers a segmentation fault upon startup when its respective apparmor
> profile is set to enforce mode. It starts fine when
intrigeri:
> I'm attaching the equivalent for AppArmor.
Here's a cleaned up v2 (my initial patch had leftovers from a previous
version that included the output of aa-enabled; now that I've stopped
doing it I could simplify the code a bit).
Thanks a lot to Christian Boltz for catch
r enabled; 2. with no LSM enabled; and
it works as expected. I trust you've tested it on a system with
SELinux enabled so I didn't check this.
I'm attaching the equivalent for AppArmor. This patch is meant to be
applied on top of Laurent's.
Cheers,
--
intrigeri
>From d40f198f40ec665e6233982d73a81c2fc3ac
Hi KiBi!
Cyril Brulebois:
> intrigeri <intrig...@debian.org> (2017-10-25):
>> I'm working on the last blockers towards starting the experiment I've
>> proposed on debian-devel@ 2.5 months ago, i.e. enabling AppArmor by
>> default for a while in testing/sid.
&
intrigeri:
> But I'm not sure what's the best way to pull the apparmor package:
> 1. on testing/sid upgrades, during the Buster dev cycle: this would
>greatly increase the value of the "enable AppArmor by default for
>a while" experiment;
> 2. during Stretch to Bu
intrigeri:
> Here's a more up-to-date dump.
Good news: most of these changes were needed only due to a bug in
apparmor_parser, that's been fixed in AppArmor 2.11.1.
Vincas has built a complete list of packages that ship AppArmor policy
(thanks!). I've triaged it a bit, tested those that see
folks think you could upload this within 1-2 weeks, before
Linux 4.14 reaches sid? Otherwise, let me know and I'll upload myself.
Cheers,
--
intrigeri
Hi,
please instead import the updated patch I've just sent upstream:
https://www.redhat.com/archives/libvir-list/2017-October/msg01181.html
Thanks!
Cheers,
--
intrigeri
Vincas Dargis:
> On 2017.10.25 10:26, intrigeri wrote:
>> Indeed, it might be that the specific rules about evince & totem
>> you're quoting from my patch above are not needed. It would be nice if
>> we could drop them (and the maintenance cost of hard-coding a list of
>
.
I did this in Vcs-Git (debian-sid branch), not built nor
tested though.
Do you folks think you could upload this within 1-2 weeks, before
Linux 4.14 reaches sid? Otherwise, let me know and I'll upload myself.
Cheers,
--
intrigeri
: #805706)
… but apparently I failed to get the rm_conffile line right.
Cheers!
--
intrigeri
. (1) once the other blockers have been resolved.
Cheers,
--
intrigeri
g is fixed)
Cheers,
--
intrigeri
>From d4fe9f6729565205b90df8a5165da284f6a852f8 Mon Sep 17 00:00:00 2001
From: intrigeri <intrigeri+libv...@boum.org>
Date: Wed, 25 Oct 2017 16:05:00 +
Subject: [PATCH]
AppArmor-add-rules-needed-with-additional-mediation-featu.patch: new patch,
add
Hi,
intrigeri:
> Next step: figure out how to actually pull AppArmor utilities & policy
> by default (enabling the LSM is not very useful if we don't install
> those too).
For new installations, making the apparmor package "Priority:
standard" seems to be the way
intrigeri:
> Let's wait for Ulrike's input before closing this bug though.
Ulrike told me privately that she's happy I took over the lead on this
front, and I know she's pretty busy elsewhere at the moment, so let's
not block on this.
The only blocker left before we can close this bug is gett
tware they confine. Guido has mentioned
some reasons on the AppArmor thread on -devel@, and it plays better
with backports, security uploads and such (otherwise we need to
update whatever other package ships the policy in lockstep).
> Otherwise we can stay on the status
> quo and intrigeri
p files with
>> executable flags, I believe it should be reported as a bug upstream.
> I just removed those 2 lines and ran some tests (calendar, enigmail,
> etc) and saw no denials.
Do you plan to fix this as part of your MR upstream for #855346?
Cheers,
--
intrigeri
only would be a huge improvement
already. I suggest you focus on getting this done first, and later we
can test (or call for testing!) on other DEs. There's no way we can
test all relevant configurations, so we'll need to rely on user
testing to some degree anyway.
Cheers,
--
intrigeri
Control: tag -1 + pending
Vincas Dargis:
> Attached patch from upstream MR [0]
Thanks, applied to Vcs-Git. I've got another queued fix or two that
I want to apply before I upload (most likely today or tomorrow:
that's not high priority but still, let's try to keep our backlog
small by tackling
Stefan Koch:
> * Package name: usbauth-notifier
> * URL : https://github.com/kochstefan/usbauth-all/usbauth-notifier
FWIW I get an error 404 there.
> A notifier for the usbauth firewall against BadUSB attacks. The user
> could manually allow or deny USB devices.
I'm curious:
Control: severity -1 normal
1. AppArmor is not enabled by default in Stretch
2. Currently stretch-backports has Linux 4.12 that's compatible with
the policy shipped in Stretch, without need for any pinning
⇒ lowering priority. It'll become more important once Linux 4.13+
lands in
When testing stuff on 4.14, make sure you:
- use apparmor 2.11.1
- disable features-files= in /etc/apparmor/parser.conf (otherwise not
only you'll be stuck to 4.13's feature set and unable to do useful
work here, but worse you'll hit a kernel bug wrt. feature set
pinning & network
Vincas Dargis:
> On 2017.10.12 07:37, intrigeri wrote:
>> I suspect more is coming. Ubuntu / OpenSUSE probably already have
>> some of this stuff.
> Could you clarify, why Ubuntu should have issues, if they had
> network mediation before?
You're right, Ubuntu s
Hi,
intrigeri:
> I've upgraded my system to 4.14 and had to adjust no less than 7 profiles
> *after* applying Christian's patch to abstractions/nameservice.
> They're spread over multiple source packages but I figured it would be
> nice to at least share my tweaks (attached) so any
n 10/23/2017 10:30 AM, intrigeri wrote:
>>> I'll need to test what happens when upgrading the feature set file +
>>> Linux in lockstep, when the new feature set includes features brought
>>> by the Linux upgrade and not supported by the running kernel.
>>> This wil
messages
(Unable to replace "sanitized_helper". Profile doesn't conform to
protocol); but the upgrade succeeds on the dpkg level as the policy
reload is not fatal in apparmor.postinst.
I think these tests validate the general idea.
Cheers,
--
intrigeri
ly pull AppArmor utilities & policy
by default (enabling the LSM is not very useful if we don't install
those too). I think I can propose something about it this week.
Cheers,
--
intrigeri
Hi,
(John, there's a question for you below and I'll like you to
double-check my testing procedure :)
intrigeri:
>> 1. in testing/sid, ship a conffile (in a package built from
>>src:apparmor) that pins the most recent feature set fully supported
>>by our policy, i.e. Li
). Thanks for the heads up!
> Note that the patch discussed in this bugreport adds a few other rules -
> those will still be needed.
Indeed. I want to work on this later this week.
Cheers,
--
intrigeri
w
much work would be required to achieve the same result with the
other major bootloaders Debian supports.
C. Anything else?
My personal preference is A > B.1. Ben & others, what do you think?
[selinux-activate]
https://sources.debian.net/src/selinux-basics/0.5.6/selinux-activate/
Cheers,
--
intrigeri
or allow it (possibly prefixed
with "owner" to avoid increasing the attack surface too much)? Once we
reach a conclusion here I'm happy to send a patch upstream.
Cheers,
--
intrigeri
intrig...@debian.org:
> Package: apparmor
> Version: 2.11.0-11
> Severity: important
> My plan is:
> 1. in testing/sid, ship a conffile (in a package built from
>src:apparmor) that pins the most recent feature set fully supported
>by our policy, i.e. Linux 4.12's or 4.13's (depending on
the AppArmor
policy shipped in Stretch works well with.
Cheers,
--
intrigeri
bug
report
I'll file another bug report about doing something similar to address
the Stretch + Linux from backports use case.
Cheers,
--
intrigeri
Control: forwarded -1 https://bugs.launchpad.net/shutter/+bug/1006290
Control: tag -1 + upstream
Hi,
Dominique Dumont (2017-08-15):
> On Thu, 03 Aug 2017 08:42:15 -0400 intrigeri <intrig...@debian.org> wrote:
>> What would be an acceptable timeline for you to check before we
Control: retitle -1 apparmor: Ensure our AppArmor policy does not break stuff
with Linux 4.14
Control: tag -1 - patch
Control: tag -1 - pending
I've upgraded my system to 4.14 and had to adjust no less than 7 profiles
*after* applying Christian's patch to abstractions/nameservice.
They're
ive that don't include the nameservice abstraction
(there are some on my system) and thus won't be fixed by this patch
*if* they happen to need similar "unix" permissions.
Cheers,
--
intrigeri
see "$package
package provides", which sounds weird to my ear.
2. Apparently you had missed apparmor-utils.
Cheers,
--
intrigeri
Hi,
Vincas Dargis:
> On 2017.09.30 08:27, intrigeri wrote:
>> Interestingly
>> http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference#Execute_rules
>> says that Pux is supported since 2.5, so I wonder who's correct.
Thanks to everyone who helped clarifying this ma
og missed
the required "Closes: #nn".
Thanks!
Cheers,
--
intrigeri
have been submitted to the corresponding projects already:
- https://github.com/storaged-project/udisks/pull/416
- https://github.com/storaged-project/libblockdev/pull/288
The corresponding Tails upstream bug is:
https://labs.riseup.net/code/issues/14809
Stretch is not affected.
Cheers,
--
intrigeri
in/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages elpa-org depends on:
ii elpa-htmlize1.51-1
ii emacsen-common 2.0.8
Versions of packages elpa-org recommends:
ii emacs 47.0
Versions of packages elpa-org suggests:
pn ditaa
ii org-mode-doc 9.1.2-1
ii texlive-fonts-recommended 2017.20171004-1
ii texlive-latex-extra2017.20171004-1
-- no debconf information
--
intrigeri
olen from Ubuntu) fixes it:
--- a/apparmor.d/usr.sbin.libvirtd
+++ b/apparmor.d/usr.sbin.libvirtd
@@ -37,6 +37,9 @@
network packet dgram,
network packet raw,
+ # Grant bare ptrace
+ ptrace,
+
# Very lenient profile for libvirtd since we want to first focus on confining
# the guests. Guests will have a very restricted profile.
/ r,
Cheers,
--
intrigeri
severity to RC.
I wanted to propose a Git branch ready to merge, but the latest tag
pushed to Vcs-Git is debian/4.11+20170703-1 (and the master branch
matches), which makes it harder to help than I would like.
Cheers,
--
intrigeri
Vincas Dargis:
> After your call [0] write here to help.
Thanks! :)
> What can I aquatically do? Install experimental kernel on VM and check if
> profiles there and here does not produces denies?
Yes. Likely they will.
And then you might want to fork the Vcs-Bzr, read README.source,
report to
Package: apparmor
Version: 2.11.0-11
Severity: important
This bug is meant to track
https://lists.alioth.debian.org/pipermail/pkg-apparmor-team/2017-October/001755.html
We should apply this patch as a temporary workaround before Linux 4.14
reaches Debian (ideally, before it reaches
Hi,
Guido Günther:
> On Fri, Sep 29, 2017 at 04:09:02PM -0400, Daniel Richard G. wrote:
>> #include
> This file is currently not included in Debian's apparmor
> package. @intrigeri, can this be added?
Before r1608 (in Vcs-Bzr) we shipped that file in
/usr/share/apparmor-profil
nds on:
ii python 2.7.14-1
ii python3 3.5.3-3
ii python3-feedparser 5.1.3-3
ii python3-html2text 2016.9.19-1
Versions of packages rss2email recommends:
ii python3-bs4 4.6.0-1
Versions of packages rss2email suggests:
pn esmtp
-- no debconf information
--
intrigeri
FTR I don't use AppArmor for Apache personally so there's very little
chance I work on this any time soon. Patches are welcome.
> This would make sure we handle things like #872266 too once fixed.
Now you make me curious: I don't understand how this is related.
Cheers,
--
intrigeri
upstream accordingly:
https://code.launchpad.net/~intrigeri/apparmor-profiles/+git/apparmor-profiles/+merge/331058
… and then propose a branch forked off current Vcs-Git on the Debian side?
Cheers,
--
intrigeri
thread.
Fine with me, that sounds reasonable :)
Cheers,
--
intrigeri
-1 :)
Would you be open to applying that change in Stretch via stable p-u?
Cheers,
--
intrigeri
_strsplit
assertion failure, so probably unrelated). So I bet that the reason
why the tests fail on our buildds is caused by a more restrictive
environment than what this test suite expects.
Cheers,
--
intrigeri
Chris Lamb:
>> But I guess that this bug won't come back now that you've cleared
>> .local/share/torbrowser
> Mmm. I'm therefore going to close this bug; doesn't seem very useful keeping
> it open now.
Well, I see no indication that makes me confident it won't happen to
anyone else. I'll let
Control: user pkg-apparmor-t...@lists.alioth.debian.org
Contol: usertag -1 + help-needed
Hi Chris!
Chris Lamb:
> Ah, this is due to apparmor:
> Sep 22 18:41:57 keyboardcat.chris-lamb.co.uk kernel: audit: type=1400
> audit(1506102117.020:467): apparmor="DENIED" operation="chmod"
>
s already provided the log about the AppArmor policy bug
that presumably causes the problem :)
Cheers,
--
intrigeri
Hi!
Simon Deziel:
> On 2017-09-20 11:26 AM, intrigeri wrote:
>>> My only concern is what to do when those new rules are stalled
>>> waiting on review? Could they be integrated to the Debian version while
>>> waiting for the official merge? If yes, I think that
Carsten Schoenert:
> On Sun, Sep 03, 2017 at 10:36:23AM +0200, intrigeri wrote:
>> By the way, IIRC Carsten told me that I could push such fixed directly
>> to the Vcs-Git. I've just tried to push my branch there, and was told:
[...]
> seems you have no access rights thou
the other two ACKs it, we ask the
src:icedove maintainers to take it. I.e. we piggy pack on the existing
upstream review process and tools and save some paperwork.
Deal?
Cheers,
--
intrigeri
901 - 1000 of 3753 matches
Mail list logo