Hello,

On Friday, 21 July 2023, 15:05:52 CEST, Stefano Rivera wrote:
> > severity 932501 serious
>
> I'm wondering if this bug should really be serious. Squid's apparmor
> config is shipped disabled, so one has to manually enable it to
> trigger this bug.
>
> I would have gone for normal/important.
>
> I don't know what the correct solution to this bug is. Presumably one
> has to get the squid profile to include the abstraction that
> squid-deb-proxy provides. I don't know how this is usually done in a
> Debian package. Maybe one of the apparmor team can comment.

The interesting part is that the abstraction is shipped in squid-deb-proxy, while the squid profile comes from another package (I didn't check which one).

I guess the best you can have is to add

    include if exists <abstractions/squid-deb-proxy>

in the squid profile so that it will include the abstraction if it exists, and doesn't complain if it doesn't.

Note that the AppArmor profile cache is only timestamp-based [1], so if you install squid-deb-proxy (and had the squid AppArmor profile loaded before), it might happen that the cache file is newer than the squid-deb-proxy abstraction, with the result that the cache doesn't get updated. (Workaround: delete the cache file, then reload the profile.)

The alternative is to add the rules needed for squid-deb-proxy directly to the squid profile. This adds some "superfluous" rules for people who don't use squid-deb-proxy, but on the positive side it avoids the cache issue.

BTW: https://packages.debian.org/sid/all/squid-deb-proxy/filelist says the abstraction is packaged as

    /etc/apparmor.d/abstractions/squid-deb-proxy/squid-deb-proxy

which looks slightly wrong ;-) It should just be

    /etc/apparmor.d/abstractions/squid-deb-proxy

(assuming no other files get deployed to /etc/apparmor.d/abstractions/squid-deb-proxy/ )

Bonus points if you add

    include if exists <abstractions/squid-deb-proxy.d>

to the abstraction ;-)

For the record: include if exists needs AppArmor >= 3.0 userspace.

Regards,

Christian Boltz

[1] Using a better cache validation method like checking the checksum of the text profile is on the TODO list upstream, but not implemented yet.

-- 
[SuSE vs. SUSE] As a friend of mine elsewhere remarked, the picky spelling capitalization scheme reinforces the idea that Linux is case-sensitive, so these are "sensitive" issues and certainly worth discussing (for us, at least)! :) [Shriramana Sharma in opensuse]
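
One way to spot the cache situation described in the message above, as an added example that is not part of the original mail and not AppArmor's own code. It assumes GNU stat and that the cache check compares modification times; the function name, the result labels and the ctime heuristic (a file installed after the cache was written, but carrying an older packaged mtime) are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify an AppArmor cache file against one policy source
# file (a profile or an abstraction pulled in via "include if exists").
# Assumption: the cache is considered valid when its mtime is not older
# than the source's mtime. Requires GNU stat (-c %Y / %Z).

# Prints one of:
#   no-source        source file absent ("include if exists" skips it)
#   no-cache         no cache file, the parser compiles from text
#   parser-rebuilds  source mtime is newer, a timestamp check notices
#   hidden-stale     source arrived on disk after the cache was written,
#                    but its mtime is older, so a timestamp check misses it
#   fresh            cache was written after the source arrived
classify_cache() {
    cache=$1
    src=$2
    [ -e "$src" ] || { echo "no-source"; return 0; }
    [ -e "$cache" ] || { echo "no-cache"; return 0; }

    cache_mtime=$(stat -c %Y "$cache")
    src_mtime=$(stat -c %Y "$src")
    # Inode change time: updated when the package manager places the file,
    # even if the packaged mtime is much older. Heuristic, not proof.
    src_ctime=$(stat -c %Z "$src")

    if [ "$src_mtime" -gt "$cache_mtime" ]; then
        echo "parser-rebuilds"
    elif [ "$src_ctime" -gt "$cache_mtime" ]; then
        echo "hidden-stale"
    else
        echo "fresh"
    fi
}

# Usage: sh check-cache.sh CACHE_FILE SOURCE_FILE
if [ "$#" -eq 2 ]; then
    classify_cache "$1" "$2"
fi
```

A `hidden-stale` result is the case where the workaround from the message applies: delete the cache file, then reload the profile.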