[Touch-packages] [Bug 2046624] Re: apparmor breaks surfshark vpn

2023-12-17 Thread Christian Boltz
> with the new apparmor Candidate: 4.0.0~alpha2-0ubuntu7
> DistroRelease: Ubuntu 24.04

This bug smells like a userns issue - programs using userns (often used for sandboxing) now _must have_ an AppArmor profile. Can you please save the following as /etc/apparmor.d/surfshark? (Adjust the path to

[Touch-packages] [Bug 2039294] Re: apparmor docker

2023-11-19 Thread Christian Boltz
Slightly related:

> /usr/sbin/runc flags=(unconfined) {

Shouldn't that nowadays be(come)

profile runc /usr/sbin/runc flags=(unconfined) {

Ideally please fix this now, so that the upstream docker profile can use peer=runc

-- You received this bug notification because you are a member of

[Touch-packages] [Bug 1964636] Re: Incorrect handling of apparmor `bpf` capability

2023-01-10 Thread Christian Boltz
> # new python script to create vim profiles with
>
> python create-apparmor.vim.py

For the records: create-apparmor.vim.py has existed for years, and ...

> # generates a new file called apparmor.vim.in

... it uses apparmor.vim.in as _input_ and generates the apparmor.vim file (syntax highlighting

[Touch-packages] [Bug 1993572] Re: samba profile: missing rule for mkdir /var/cache/samba/printing

2022-10-27 Thread Christian Boltz
Submitted as https://gitlab.com/apparmor/apparmor/-/merge_requests/937

[Touch-packages] [Bug 1993572] Re: samba profile: missing rule for mkdir /var/cache/samba/printing

2022-10-26 Thread Christian Boltz
Typo? I'd expect 'Just "w" is enough' ;-)

[Touch-packages] [Bug 1991141] Re: "aa-disable" fails on autopkgtest.u.c (armhf)

2022-10-26 Thread Christian Boltz
aa-disable calls apparmor_parser, so this is most likely a problem between apparmor_parser and the kernel. I've updated the summary accordingly.

** Summary changed:

- "aa-disable" fails on autopkgtest.u.c (armhf)
+ parser fails to unload profile via "aa-disable" on autopkgtest.u.c (armhf)

[Touch-packages] [Bug 1993572] Re: samba profile: missing rule for mkdir /var/cache/samba/printing

2022-10-26 Thread Christian Boltz
Based on your DENIED message, I wonder if read (= directory listing) permissions are really needed, or if

/var/cache/samba/printing/ w, # without r

would be enough. Can you please test and report back?

[Touch-packages] [Bug 1641236] Re: Confined processes inside container cannot fully access host pty device passed in by lxc exec

2022-10-26 Thread Christian Boltz
A few comments and explanations:

> As part of that it locks down /dev to read-only:
> /dev/ r,
>
> However that also means /dev/pts is read-only, hence the error above denies
> write access.

The rule for /dev/ only allows reading the directory listing of /dev/. It doesn't say or allow anything

[Touch-packages] [Bug 1641236] Re: Confined processes inside container cannot fully access host pty device passed in by lxc exec

2022-05-18 Thread Christian Boltz
> apparmor_parser -R /etc/apparmor.d

-R means to unload profiles, in this case all profiles in /etc/apparmor.d/. That's probably a bit ;-) too much... I'd guess you want to unload only the tcpdump profile, which would be done with

apparmor_parser -R /etc/apparmor.d/usr.bin.tcpdump

An

[Touch-packages] [Bug 1961196] Re: apparmor autotest failure on jammy with linux 5.15

2022-02-17 Thread Christian Boltz
This was already fixed upstream with https://gitlab.com/apparmor/apparmor/-/merge_requests/848 (with a slightly different patch that works for all python versions). AppArmor >= 3.0.5 will include the fix.

[Touch-packages] [Bug 1861250] Re: Apparmor error failed to start profiles

2022-01-27 Thread Christian Boltz
Looks like the profile for cups-browsed has a syntax error. (Did you change something in the profile, or is it the original profile as shipped in the package?)

Also, AFAIK this profile is shipped with the cups package, therefore I'm adding that package.

** Also affects: cups (Ubuntu)

[Touch-packages] [Bug 1948752] Re: apparmor is logging too many messages

2021-10-26 Thread Christian Boltz
The /usr/bin/redshift profile needs some additional dbus rules.

** Also affects: redshift
   Importance: Undecided
       Status: New

[Touch-packages] [Bug 1934005] Re: abstractions/X: Possible regression of X session functionality by removing 'w' from /tmp/.X11-unix/* line?

2021-06-30 Thread Christian Boltz
This was already fixed upstream, see https://gitlab.com/apparmor/apparmor/-/merge_requests/664

[Touch-packages] [Bug 1777070] Re: firefox plugin libwidevinecdm.so crashes due to apparmor denial

2020-11-15 Thread Christian Boltz
> The second rule allows firefox to load and run code from that location.
> But doesn't allow firefox to write to it. So if there is malware [...]

That's correct for the added rule, but the profile also has

owner @{HOME}/.{firefox,mozilla}/** rw,

which means firefox _can_ write to that

[Touch-packages] [Bug 1899046] Re: /usr/bin/aa-notify:ModuleNotFoundError:/usr/bin/aa-notify@39

2020-10-08 Thread Christian Boltz
The error is:

Traceback (most recent call last):
  File "/usr/bin/aa-notify", line 39, in <module>
    import psutil
ModuleNotFoundError: No module named 'psutil'

Looks like a missing dependency on python3-psutil (or whatever the package is named) in the package that contains aa-notify.

[Touch-packages] [Bug 1895967] Re: 3.0.0~beta1-0ubuntu1 in Groovy breaks Libvirt/Qemu/KVM

2020-09-21 Thread Christian Boltz
Wild _guess_/hint that could explain the behaviour you see: Do you have (snap?) profiles that have rules with "peer=libvirtd", and fail if libvirtd is running unconfined (which would need "peer=unconfined" in the other profile)?

[Touch-packages] [Bug 1331856] Re: apparmor-utils don't work when defining a variable on

2020-06-01 Thread Christian Boltz
This bug is finally fixed with https://gitlab.com/apparmor/apparmor/-/merge_requests/544

AppArmor 3.0 will include the fixed tools.

** Changed in: apparmor
       Status: Triaged => Fix Committed

[Touch-packages] [Bug 1861250] Re: Apparmor error failed to start profiles

2020-05-21 Thread Christian Boltz
Indeed, that's not really helpful :-(

Another idea - does

apparmor_parser -r /etc/apparmor.d/

print any output? (If yes, please paste or attach it.)

[Touch-packages] [Bug 387657] Re: aa-logprof: doesn't handle large logs

2020-04-13 Thread Christian Boltz
In the meantime (actually nearly a year ago), log parsing was rewritten and now does de-duplication instantly. This should reduce memory usage a lot - my experience is that especially large logs have lots of duplication included. I also removed some intermediate steps in the chain from logfile to

[Touch-packages] [Bug 1703821] Re: Dovecot and Apparmor complains at operation file_inherit

2020-02-16 Thread Christian Boltz
For the records: Upstream commit a57f01d86bdb01647966f3eeff7a1cc3fc6abd76 (from 2019-02-10) added rules to allow this (with an additional type=stream restriction, which matches the log mentioned in this bugreport), and was also backported to the maintenance branches. Therefore I'll mark the

[Touch-packages] [Bug 1861250] Re: Apparmor error failed to start profiles

2020-01-29 Thread Christian Boltz
I'm afraid the logs you attached don't include anything about the reason why you get this failure.

Can you please attach the output of

systemctl status -n200 apparmor.service

[Touch-packages] [Bug 1824724] Re: aa-logprof: german translation: ERROR: PromptUser: Ungültiges Tastenkürzel für V: Änderungen ansehen

2019-04-24 Thread Christian Boltz
> id appears to be the only one to pick different letters.

For the records: changing the hotkeys is allowed, but you have to make sure that you don't cause hotkey conflicts. To be sure, run the updated translation through the AppArmor utils tests - or ask me to run these tests ;-)

> and if it's

[Touch-packages] [Bug 1825331] Re: apparmor chromium profile blocks yubikeys

2019-04-20 Thread Christian Boltz
KernLog.txt contains several ALLOWED lines for chromium, and also DENIED lines for firefox (unrelated to this bugreport, but nevertheless we should probably check them). You mentioned that you got some EPERM in strace - can you please tell us which files were affected? Wild guess: maybe those

[Touch-packages] [Bug 1819741] Re: aa-genprof fails on disabled profile

2019-03-14 Thread Christian Boltz
This is already fixed upstream (in AppArmor 2.12.2 and 2.13.2), especially commit f997977e6. However, the Ubuntu package doesn't have that fix yet, therefore I add "apparmor (Ubuntu)" to the "affects" list. Backporting the mentioned commit probably isn't too easy (it's quite big and IIRC has

[Touch-packages] [Bug 1571531] Re: cupsd cause apparmor denials for /etc/ld.so.preload

2019-02-18 Thread Christian Boltz
> unix (connect, send, receive) peer = (addr = "@ 2F746D702F65736574732E736F636B00 *")

Did you really use exactly this line (with "@_space_2F...B00_space_*")? If so, please try again without the spaces.

[Touch-packages] [Bug 1785391] Re: aa-genprof fails in an lxd instance

2019-02-16 Thread Christian Boltz
** Changed in: apparmor
       Status: Fix Committed => Fix Released

[Touch-packages] [Bug 1784499] Re: AppArmor treats regular NFS file access as network op

2018-12-19 Thread Christian Boltz
** Also affects: apparmor
   Importance: Undecided
       Status: New

[Touch-packages] [Bug 1805178] Re: Apparmor should include letsencrypt directory for Slapd

2018-11-30 Thread Christian Boltz
The ssl_certs and ssl_keys abstractions just got the paths for letsencrypt added: https://gitlab.com/apparmor/apparmor/merge_requests/283 (also backported to the 2.10..2.13 branches)

[Touch-packages] [Bug 1528139] Re: serialize_profile_from_old_profile() crash if file contains multiple profiles

2018-11-11 Thread Christian Boltz
Also backported to the 2.12 and 2.13 branch, will be in 2.12.2 and 2.13.2.

[Touch-packages] [Bug 1785391] Re: aa-genprof fails in an lxd instance

2018-08-07 Thread Christian Boltz
** Changed in: apparmor
       Status: Triaged => Fix Committed

[Touch-packages] [Bug 1785391] Re: aa-genprof fails in an lxd instance

2018-08-07 Thread Christian Boltz
Fix committed to 2.10 branch..master

For the aa-logprof issue you mentioned, please answer my question in a new bugreport ;-)

[Touch-packages] [Bug 1785391] Re: aa-genprof fails in an lxd instance

2018-08-05 Thread Christian Boltz
https://gitlab.com/apparmor/apparmor/merge_requests/157

For aa-logprof - a) what exactly is the problem and b) please answer in a separate bugreport ;-)

** Changed in: apparmor
       Status: New => Triaged

** Changed in: apparmor
     Assignee: (unassigned) => Christian Boltz (cboltz)

[Touch-packages] [Bug 1784023] Re: Update profiles for usrmerge

2018-07-28 Thread Christian Boltz
> ./abstractions/lightdm: /bin/ rmix,

rmix permissions for a directory? That looks wrong to me, r permissions should be enough.

[Touch-packages] [Bug 1528139] Re: serialize_profile_from_old_profile() crash if file contains multiple profiles

2018-07-25 Thread Christian Boltz
Done - https://gitlab.com/apparmor/apparmor/merge_requests/131 will be part of AppArmor 3.0

[Touch-packages] [Bug 1528139] Re: serialize_profile_from_old_profile() crash if file contains multiple profiles

2018-06-09 Thread Christian Boltz
For the records - I'm just working on a different implementation of "(V)iew Changes", which will also replace the workaround with a real fix :-) This will probably be in AppArmor 3.0, and will appear as merge request on gitlab this weekend.

[Touch-packages] [Bug 1756800] Re: Failed to start AppArmor initialization with status=123/n/a

2018-05-28 Thread Christian Boltz
Looks like you have a syntax error in /etc/apparmor.d/tunables/multiarch around line 13. Can you please attach this file? Also, did you modify it manually?

[Touch-packages] [Bug 1717714] Re: @{pid} variable broken on systems with pid_max more than 6 digits

2018-04-22 Thread Christian Boltz
** Changed in: apparmor
       Status: Fix Committed => Fix Released

[Touch-packages] [Bug 1730536] Re: "Unable to open external link" in Evince when google-chrome-unstable is the default browser

2018-04-22 Thread Christian Boltz
Fixed in AppArmor 2.12

** Changed in: apparmor
       Status: Fix Committed => Fix Released

[Touch-packages] [Bug 1590561] Re: webbrowser-app crashes on startup on fresh zesty Unity8: No suitable EGL configs found

2018-04-22 Thread Christian Boltz
** Changed in: apparmor
       Status: Fix Committed => Fix Released

[Touch-packages] [Bug 1668892] Re: CVE-2017-6507: apparmor service restarts and package upgrades unload privately managed profiles

2018-04-22 Thread Christian Boltz
** Changed in: apparmor
       Status: Fix Committed => Fix Released

[Touch-packages] [Bug 1759346] Re: ix scrubs environment when it shouldn't when going through aa-exec

2018-03-29 Thread Christian Boltz
Just wondering - if this bug survived so long without being noticed, isn't it a sign that in most cases scrubbing doesn't hurt or is even a good idea? Should we introduce Ix to officially have a way to inherit with scrubbing?

[Touch-packages] [Bug 1758449] Re: skype snap does not work when home directory is not located in /home

2018-03-23 Thread Christian Boltz
Just as a quick info - to get things working with non-default home directory locations, edit /etc/apparmor.d/tunables/home (or add a file to /etc/apparmor.d/tunables/home.d/) and add your custom path ("/data/home/") to the @{HOMEDIRS} variable. I'm not sure why read access to /data/ was requested

[Touch-packages] [Bug 1752365] Re: Cannot Add Request Hat or Use Default Hat in aa-logprof and mod_apparmor

2018-02-28 Thread Christian Boltz
For the records: this is already fixed upstream (checked in master and the latest 2.11 branch), so Ubuntu "just" needs to pick up the fix.

commit e2039f021e42793e07c1838499eae9c22e1ea8f2
Author: Christian Boltz <appar...@cboltz.de>
Date:   Mon Aug 15 22:02:55 2016

[Touch-packages] [Bug 1658943] Re: aa-notify blocks desktop with garbage notifications

2018-02-28 Thread Christian Boltz
Reopening for upstream AppArmor - unfortunately nobody worked on this yet :-(

** Changed in: apparmor
       Status: Invalid => Confirmed

[Touch-packages] [Bug 1717714] Re: @{pid} variable broken on systems with pid_max more than 6 digits

2018-01-10 Thread Christian Boltz
> Not quite sure now if apparmor upstream is found in launchpad[1] or gitlab[2].

The code moved from bzr to gitlab recently. Bug tracking and translations are still handled on launchpad.

> I would go with that versioning approach instead:
>
> apparmor | 2.11.0-2ubuntu17.1 | artful
> apparmor |

[Touch-packages] [Bug 1399027] Re: logparser doesn't understand /var/log/messages format

2017-12-04 Thread Christian Boltz
> c0n7r4 (c0n7r4) wrote:
> apparmor="AUDIT"

AUDIT events happen if your profile has a rule like

audit /tmp/tempfile/ r,

and the program is then really doing something that needs this rule (like getting a directory listing for /tmp/tempfile/). "audit" means that the action is allowed (but

[Touch-packages] [Bug 1734038] Re: Potential regression found with apparmor test on Xenial/Zesty

2017-11-24 Thread Christian Boltz
> There is also a python parser (in aa.py) which only seems to understand the
> 'include '
> syntax and it is this which throws errors when running the utility commands.

Exactly, that's the cause of this bug. I'll change the title to make it obvious.

Interestingly, it has been this way for

[Touch-packages] [Bug 1717714] Re: @{pid} variable broken on systems with pid_max more than 6 digits

2017-10-26 Thread Christian Boltz
** Also affects: apparmor/2.11
   Importance: Undecided
       Status: New

** Changed in: apparmor/2.11
       Status: New => Fix Committed

** Changed in: apparmor/2.11
    Milestone: None => 2.11.2

[Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-24 Thread Christian Boltz
> ... apparmor="DENIED" operation="create" ... family="unix" sock_type="stream"

With the pinned-down feature set, you probably "lost" support for unix rules. In theory, apparmor_parser will downgrade those rules to "network unix," - but in practice a bug in apparmor_parser prevented it. This bug

[Touch-packages] [Bug 1669254] Re: 16.04 apparmor, aa-logprof and log files

2017-10-02 Thread Christian Boltz
** Tags added: aa-tools

[Touch-packages] [Bug 1719579] Re: [Ubuntu 16.04.2] [libvirt] virsh restore fails from state file saved in /var/tmp folder using virsh save

2017-09-28 Thread Christian Boltz
You'll need to allow

/etc/gss/mech.d/ r,

and after that, I wouldn't be surprised if you get denials for files inside this directory ;-)

[Touch-packages] [Bug 1719935] Re: It would be great to get a stacktrace on apparmor "events" - maybe add a tracepoint

2017-09-27 Thread Christian Boltz
** Also affects: apparmor
   Importance: Undecided
       Status: New

** Tags added: aa-feature

[Touch-packages] [Bug 1717714] Re: @{pid} variable broken on systems with pid_max more than 6 digits

2017-09-18 Thread Christian Boltz
** Also affects: apparmor
   Importance: Undecided
       Status: New

** Tags added: aa-policy

[Touch-packages] [Bug 1478659] Re: aa-genprof start but doesn't allow any action

2017-08-28 Thread Christian Boltz
I'm afraid the given information isn't enough to reproduce and debug this problem :-( If you hit this again, please reopen and provide some more details.

** Changed in: apparmor
       Status: New => Invalid

** Changed in: apparmor (Ubuntu)
       Status: New => Invalid

[Touch-packages] [Bug 1503762] Re: Provide systemd service

2017-08-04 Thread Christian Boltz
Just a quick update about the situation on openSUSE - in the meantime, we got rid of the initscript and switched to a small wrapper script - see apparmor.systemd and apparmor.service on https://build.opensuse.org/package/show/security:apparmor/apparmor That's obviously not the final solution, but

[Touch-packages] [Bug 1703520] Re: DNS resolving doesn't work in complain mode with dnsmasq and apparmor

2017-07-13 Thread Christian Boltz
For the records:

revno: 3437
fixes bug: https://launchpad.net/bugs/1569316
committer: Tyler Hicks
branch nick: apparmor
timestamp: Tue 2016-04-12 16:36:43 -0500
message:
  profiles: Add attach_disconnected flag to dnsmasq profile

  https://launchpad.net/bugs/1569316

[Touch-packages] [Bug 1658239] Re: base abstraction missing glibc /proc/$pid/ things

2017-07-06 Thread Christian Boltz
no worries, I changed it back ;-)

** Changed in: apparmor/master
       Status: Fix Released => Fix Committed

[Touch-packages] [Bug 1700232] Re: aa-logprof ignores dbus access

2017-06-24 Thread Christian Boltz
I added dbus support to aa-logprof in AppArmor 2.11, and I'd guess *) 16.04 has an older version.

*) I use openSUSE ;-)

[Touch-packages] [Bug 1689585] Re: ntp doesn't unload its apparmor profile on purge

2017-05-13 Thread Christian Boltz
> Sorry, I meant it's the service's job to properly/forcefully stop a
> daemon. I agree that killing processes in postrm is dangerous.

I agree that kill -9 isn't the way to go (it was meant as a rhetorical question), but there are still valid reasons why a daemon doesn't get stopped in postrm:
-

[Touch-packages] [Bug 1689585] Re: ntp doesn't unload its apparmor profile on purge

2017-05-12 Thread Christian Boltz
You are technically correct that the still-loaded profile doesn't match a clean uninstall. However, I have a different opinion on this and think keeping the profile loaded is the better choice. Unloading a profile means removing the confinement from running processes. So if a process is still

[Touch-packages] [Bug 482080] Re: Dovecot's apparmor profile breaks dovecot-antispam

2017-04-29 Thread Christian Boltz
I'd even recommend to restrict it a bit more:

owner /tmp/antispam-mail*/ rw,
owner /tmp/antispam-mail*/* rwkl,

sendmail might be a candidate for a child profile. Such a (maybe too generous) profile already exists in the dovecot-lda profile, so cleaning it up and removing permissions that are

[Touch-packages] [Bug 1682055] Re: dh_apparmor does not remove profiles(s) when purging package

2017-04-12 Thread Christian Boltz
I don't care too much about dh_apparmor (EWRONGDISTRO ;-) - but still: Are you sure that unloading profiles when uninstalling a package is a good idea? The binary installed by this package could still be running, and unloading the profile (= unconfining the binary) might be a security risk. (I

[Touch-packages] [Bug 1650827] Re: "Failed name lookup - disconnected path"

2017-04-06 Thread Christian Boltz
Thanks for the report!

I committed the updated profile to bzr trunk r3651, 2.10 branch r3391 and 2.9 branch r3056.

If you want to update your profile locally, the needed changes are:

-/usr/lib/dovecot/dovecot-lda {
+/usr/lib/dovecot/dovecot-lda flags=(attach_disconnected) {
+
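Review bot: the hunk is cut off after its trailing `+` line, so the rules that accompany the `flags=(attach_disconnected)` change are not visible here; anyone applying it locally should take the complete change from the named revisions (trunk r3651, 2.10 r3391, 2.9 r3056) rather than only the flag, because the flag makes disconnected paths matchable by path rules for the whole profile and the missing lines are what scope that access.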

[Touch-packages] [Bug 1679856] Re: ldd should be replaced in the utilities

2017-04-05 Thread Christian Boltz
** Tags added: aa-tools

[Touch-packages] [Bug 1677997] Re: aa-enforce gives syntax error on snapd config

2017-03-31 Thread Christian Boltz
This was fixed in upstream bzr r3490 (2016-07-20), but only in trunk. Looks like nobody backported it to the 2.10 branch or the Ubuntu packages. See also bug 1584069 (which is referred to in the r3490 commit message) - interestingly, there's a comment saying "This bug was fixed in Ubuntu 16.04 with

[Touch-packages] [Bug 1668892] Re: CVE-2017-6507: apparmor service restarts and package upgrades unload privately managed profiles

2017-03-24 Thread Christian Boltz
** Also affects: apparmor/2.10
   Importance: Undecided
       Status: New

** Also affects: apparmor/2.11
   Importance: Undecided
       Status: New

** Changed in: apparmor/2.10
    Milestone: None => 2.11.1

** Changed in: apparmor/2.10
       Status: New => Fix Committed

** Changed in:

[Touch-packages] [Bug 1658239] Re: base abstraction missing glibc /proc/$pid/ things

2017-03-15 Thread Christian Boltz
** Changed in: apparmor/2.10
       Status: Fix Released => Fix Committed

[Touch-packages] [Bug 1669254] Re: 16.04 apparmor, aa-logprof and log files

2017-03-02 Thread Christian Boltz
openSUSE still has /var/log/messages - at least if you install one of the "normal" syslog daemons (syslogd, syslog-ng or rsyslog) instead of relying on journald ;-) OTOH, openSUSE never had /var/log/syslog

[Touch-packages] [Bug 1628286] Re: [utils] DBus rules enforce stricter ordering of dbus attributes

2017-01-27 Thread Christian Boltz
Feel free to send out what you have now (with a "just FYI, WIP" note) - maybe I can help in some details. For "my" invalid rule: Well, I managed to pick an example that is "more invalid" than yours ;-) What I wanted to know is - if there's another parameter between two bus=... parameters, will

[Touch-packages] [Bug 1628286] Re: [utils] DBus rules enforce stricter ordering of dbus attributes

2017-01-27 Thread Christian Boltz
> It is too bad that all of the
> profiles have to be fully parsed just to use basic utilities that don't
> necessarily care about the rules inside of a profile.

The main problem is that we allow "random" filenames for the profiles, so we need to check all files for the to-be-changed profile -

[Touch-packages] [Bug 1512131] Re: Apparmor complains about multiple /run/dovecot file access

2017-01-26 Thread Christian Boltz
Committed to AppArmor bzr - trunk r3627, 2.10 branch r3383 and 2.9 branch r3048.

Fixing the Ubuntu packages is not my job ;-)

** Also affects: apparmor/2.9
   Importance: Undecided
       Status: New

** Also affects: apparmor/2.10
   Importance: Undecided
       Status: New

** Changed in:

[Touch-packages] [Bug 1628286] Re: [utils] DBus rules enforce stricter ordering of dbus attributes

2017-01-24 Thread Christian Boltz
Well, up to 2.10 dbus rule handling in the tools was simply matching for "dbus.*," and writing the line back to the profile without any changes. I'm not sure if I'd call full support for dbus rules (including handling of log events) a regression ;-) but I understand that it's annoying. Writing a

[Touch-packages] [Bug 1658943] Re: aa-notify blocks desktop with garbage notifications

2017-01-24 Thread Christian Boltz
Agreed, aa-notify needs some love. Nevertheless, please open separate bugreports for firefox and chromium to get their profiles fixed ;-)

[Touch-packages] [Bug 1658943] Re: aa-notify blocks desktop with garbage notifications

2017-01-24 Thread Christian Boltz
** Also affects: apparmor
   Importance: Undecided
       Status: New

** Tags added: aa-tools

[Touch-packages] [Bug 1658238] Re: apache2 abstraction incomplete

2017-01-23 Thread Christian Boltz
** Changed in: apparmor/master
    Milestone: None => 2.11.1

[Touch-packages] [Bug 1658239] Re: base abstraction missing glibc /proc/$pid/ things

2017-01-23 Thread Christian Boltz
** Changed in: apparmor/master
    Milestone: None => 2.11.1

[Touch-packages] [Bug 1658236] Re: php abstraction not updated for php7

2017-01-20 Thread Christian Boltz
Note that upstream AppArmor renamed abstractions/php5 to abstractions/php and added some more paths so that it also works with PHP 7 on openSUSE. abstractions/php5 is still provided as compatibility wrapper. It would probably make sense to take the upstream files instead of your patch.

[Touch-packages] [Bug 1484178] Re: Policy cache file mtimes are not being set correctly

2017-01-10 Thread Christian Boltz
This was already fixed in AppArmor 2.10.1

** Changed in: apparmor
       Status: Fix Committed => Fix Released

[Touch-packages] [Bug 1534405] Re: Regression in parser compiling/loading a directory

2017-01-10 Thread Christian Boltz
** Changed in: apparmor/master Status: Fix Committed => Fix Released https://bugs.launchpad.net/bugs/1534405 Title: Regression in parser

[Touch-packages] [Bug 1528230] Re: [ADT test failure] linux: ubuntu_qrt_apparmor.test-apparmor.py -- ONEXEC - check current 'unconfined' != expected

2017-01-10 Thread Christian Boltz
** Changed in: apparmor Status: Fix Committed => Fix Released https://bugs.launchpad.net/bugs/1528230 Title: [ADT test failure] linux:

[Touch-packages] [Bug 1525119] Re: Cannot permit some operations for sssd

2017-01-10 Thread Christian Boltz
** Changed in: apparmor Status: Fix Committed => Fix Released https://bugs.launchpad.net/bugs/1525119 Title: Cannot permit some operations for sssd

[Touch-packages] [Bug 1628745] Re: Change in kernel exec transition behavior causes regression tests to fail

2017-01-10 Thread Christian Boltz
** Changed in: apparmor Status: Fix Committed => Fix Released https://bugs.launchpad.net/bugs/1628745 Title: Change in kernel exec transition

[Touch-packages] [Bug 1582374] Re: Log contains unknown mode senw

2017-01-10 Thread Christian Boltz
** Changed in: apparmor Status: Fix Committed => Fix Released ** Changed in: apparmor/2.10 Status: Fix Committed => Fix Released

[Touch-packages] [Bug 1540562] Re: aa-genprof crashes in logparser NoneType has no "replace"

2017-01-10 Thread Christian Boltz
** Changed in: apparmor Status: Fix Committed => Fix Released https://bugs.launchpad.net/bugs/1540562 Title: aa-genprof crashes in logparser

[Touch-packages] [Bug 1566944] Re: dnsmasq profile prevents LXD container to launch

2017-01-10 Thread Christian Boltz
** Changed in: apparmor Status: Fix Committed => Fix Released https://bugs.launchpad.net/bugs/1566944 Title: dnsmasq profile prevents LXD container

[Touch-packages] [Bug 1569316] Re: Log flooded with run/dbus/system_bus_socket wr denied

2017-01-10 Thread Christian Boltz
** Changed in: apparmor Status: Fix Committed => Fix Released https://bugs.launchpad.net/bugs/1569316 Title: Log flooded with

[Touch-packages] [Bug 1546455] Re: Many instances of 'apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=15139 comm="ntpd" family="unspec" sock_type="dgram" protocol=0' in syslog

2017-01-10 Thread Christian Boltz
Fixed in AppArmor 2.11, 2.10.2 and 2.9.4 ** Changed in: apparmor Status: Fix Committed => Fix Released https://bugs.launchpad.net/bugs/1546455

[Touch-packages] [Bug 1577051] Re: aa-logprof fails with unknown mode "reweive"

2017-01-10 Thread Christian Boltz
** Changed in: apparmor Status: Fix Committed => Fix Released ** Changed in: apparmor/2.10 Status: Fix Committed => Fix Released

[Touch-packages] [Bug 1507469] Re: Evince's Apparmour profile prevents opening docs from other apps under Wayland

2017-01-10 Thread Christian Boltz
** Changed in: apparmor Status: Fix Committed => Fix Released ** Changed in: apparmor/2.10 Status: Fix Committed => Fix Released

[Touch-packages] [Bug 1604872] Re: Apps can't connect to the user's session bus, even though it exists

2017-01-10 Thread Christian Boltz
Fixed in AppArmor 2.11 ** Changed in: apparmor Status: Fix Committed => Fix Released https://bugs.launchpad.net/bugs/1604872 Title: Apps can't

[Touch-packages] [Bug 1634199] Re: In 16.10, LXD won't work with enforced dsnmasq profile

2017-01-10 Thread Christian Boltz
** Changed in: apparmor Status: Fix Committed => Fix Released https://bugs.launchpad.net/bugs/1634199 Title: In 16.10, LXD won't work with enforced

[Touch-packages] [Bug 1652131] Re: Putting Apparmor profile usr.lib.dovecot.auth into enforce mode blocks access to /var/spool/private/auth for Dovecot

2017-01-10 Thread Christian Boltz
** Changed in: apparmor Status: Fix Committed => Fix Released ** Changed in: apparmor/2.10 Status: Fix Committed => Fix Released ** Changed in: apparmor/2.9 Status: Fix Committed => Fix Released

[Touch-packages] [Bug 1480492] Re: aa-status in apparmor-2.10 depends on python3-apparmor

2017-01-10 Thread Christian Boltz
** Changed in: apparmor Status: Fix Committed => Fix Released https://bugs.launchpad.net/bugs/1480492 Title: aa-status in apparmor-2.10 depends on

[Touch-packages] [Bug 1584069] Re: change_profile rules need a modifier to allow non-secureexec transitions

2017-01-10 Thread Christian Boltz
Fixed in AppArmor 2.11. ** Changed in: apparmor Status: Fix Committed => Fix Released https://bugs.launchpad.net/bugs/1584069 Title:

[Touch-packages] [Bug 1588069] Re: parser doesn't catch conflicting change_profile exec modes (safe/unsafe)

2017-01-10 Thread Christian Boltz
Fixed in AppArmor 2.11 ** Changed in: apparmor Status: Fix Committed => Fix Released https://bugs.launchpad.net/bugs/1588069 Title: parser doesn't

[Touch-packages] [Bug 1528139] Re: serialize_profile_from_old_profile() crash if file contains multiple profiles

2017-01-10 Thread Christian Boltz
** Changed in: apparmor Status: Fix Committed => Fix Released https://bugs.launchpad.net/bugs/1528139 Title: serialize_profile_from_old_profile()

[Touch-packages] [Bug 1507469] Re: Evince's Apparmour profile prevents opening docs from other apps under Wayland

2017-01-08 Thread Christian Boltz
** Changed in: apparmor/2.10 Milestone: None => 2.10.2 ** Changed in: apparmor/2.10 Status: New => Fix Committed ** Changed in: apparmor Status: New => Fix Committed

[Touch-packages] [Bug 1507469] Re: Evince's Apparmour profile prevents opening docs from other apps under Wayland

2017-01-08 Thread Christian Boltz
** Also affects: apparmor/2.10 Importance: Undecided Status: New https://bugs.launchpad.net/bugs/1507469 Title: Evince's Apparmour profile

[Touch-packages] [Bug 1652131] Re: Putting Apparmor profile usr.lib.dovecot.auth into enforce mode blocks access to /var/spool/private/auth for Dovecot

2016-12-27 Thread Christian Boltz
Milestone: None => 2.9.4 ** Changed in: apparmor/2.10 Assignee: (unassigned) => Christian Boltz (cboltz) ** Changed in: apparmor/2.9 Assignee: (unassigned) => Christian Boltz (cboltz)

[Touch-packages] [Bug 1652131] Re: Putting Apparmor profile usr.lib.dovecot.auth into enforce mode blocks access to /var/spool/private/auth for Dovecot

2016-12-25 Thread Christian Boltz
dovecot/log" You'll need to add flags=(attach_disconnected) to the dovecot/log profile. Patch sent to upstream mailing list for review. ** Also affects: apparmor Importance: Undecided Status: New ** Changed in: apparmor Assignee: (unassigned) => Christian Boltz
