Hello,

Am Freitag, 21. Juli 2023, 15:05:52 CEST schrieb Stefano Rivera:
> > severity 932501 serious
> 
> I'm wondering if this bug should really be serious. Squid's apparmor
> config is shipped disabled, so one has to manually enable it to
> trigger this bug.
> 
> I would have gone for normal/important.
> 
> I don't know what the correct solution to this bug is. Presumably one
> has to get the squid profile to include the abstraction that
> squid-deb-proxy provides. I don't know how this is usually done in a
> Debian package. Maybe one of the apparmor team can comment.

The interesting part is that the abstraction is shipped in squid-deb-proxy, 
while the squid profile comes from another package (I didn't check 
which one).

I guess the best you can have is to add
    include if exists <abstractions/squid-deb-proxy>
in the squid profile so that it will include the abstraction if it 
exists, and doesn't complain if it doesn't.

Note that the AppArmor profile cache is only timestamp-based [1], so if 
you install squid-deb-proxy (and had the squid AppArmor profile loaded 
before), it might happen that the cache file is newer than the 
squid-deb-proxy abstraction, with the result that the cache doesn't get 
updated. (Workaround: delete the cache file, then reload the profile.)


The alternative is to add the rules needed for squid-deb-proxy directly 
to the squid profile. This adds some "superfluous" rules for people who 
don't use squid-deb-proxy, but on the positive side it avoids the cache 
issue.


BTW: https://packages.debian.org/sid/all/squid-deb-proxy/filelist says 
the abstraction is packaged as
    /etc/apparmor.d/abstractions/squid-deb-proxy/squid-deb-proxy
which looks slightly wrong ;-)  It should just be
    /etc/apparmor.d/abstractions/squid-deb-proxy
(assuming no other files get deployed to
/etc/apparmor.d/abstractions/squid-deb-proxy/ )

Bonus points if you add
    include if exists <abstractions/squid-deb-proxy.d>
to the abstraction ;-)


For the record:   include if exists   needs AppArmor >= 3.0 userspace.


Regards,

Christian Boltz

[1] Using a better cache validation method like checking the checksum of 
    the text profile is on the TODO list upstream, but not implemented 
    yet.
-- 
[SuSE vs. SUSE] As a friend of mine elsewhere remarked, the picky
spelling capitalization scheme reinforces the idea that Linux is
case-sensitive, so these are "sensitive" issues and certainly worth
discussing (for us, at least)! :)   [Shriramana Sharma in opensuse]
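An added example (not from this bug report, nor from the squid, squid-deb-proxy or AppArmor packages) that illustrates the cache issue described above: a timestamp-only check cannot notice an abstraction whose file mtime is older than the cache, while a checksum over the profile text plus its resolved includes does. APPARMOR_D, the cache location and the ".sha256" sidecar file are assumptions; GNU coreutils/findutils are assumed for touch -d, sha256sum and find -quit.

```shell
#!/bin/sh
# Added example, not the upstream cache code. Compares AppArmor's
# mtime-based cache validation with a checksum-based one.

# List the files named by "include <x>" / "include if exists <x>"
# (and legacy "#include <x>") lines, resolved against $APPARMOR_D.
list_includes() {
    sed -nE 's/^[[:space:]]*#?include([[:space:]]+if[[:space:]]+exists)?[[:space:]]*<([^>]+)>.*/\2/p' "$1" |
    while read -r rel; do printf '%s\n' "${APPARMOR_D:-/etc/apparmor.d}/$rel"; done
}

# mtime rule (what the cache does today): stale only if the profile or an
# existing include is newer than the cache file. Returns 0 = stale, 1 = fresh.
stale_by_mtime() {
    cache=$1; profile=$2
    [ -e "$cache" ] || return 0
    [ "$profile" -nt "$cache" ] && return 0
    for f in $(list_includes "$profile"); do
        # a directory include (e.g. foo.d) is stale if any file inside is newer
        [ -e "$f" ] && [ -n "$(find "$f" -newer "$cache" -print -quit)" ] && return 0
    done
    return 1
}

# Fingerprint of the profile text plus every include that currently exists.
# An include that shows up later changes the fingerprint whatever its mtime.
profile_fingerprint() {
    {
        cat "$1"
        for f in $(list_includes "$1"); do
            [ -e "$f" ] || continue
            find "$f" -type f | sort | while read -r p; do cat "$p"; done
        done
    } | sha256sum | cut -d' ' -f1
}

# Store the fingerprint next to a freshly built cache (assumed sidecar file).
record_fingerprint() { profile_fingerprint "$2" > "$1.sha256"; }

# content rule (the upstream TODO): stale if the recorded fingerprint differs.
stale_by_hash() {
    cache=$1; profile=$2
    [ -e "$cache" ] && [ -e "$cache.sha256" ] || return 0
    [ "$(cat "$cache.sha256")" != "$(profile_fingerprint "$profile")" ]
}
```

Run the two checks against your own profile and cache paths; when stale_by_mtime says fresh but stale_by_hash says stale, you are in exactly the situation where deleting the cache file and reloading the profile is needed.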
