This bug was fixed in the package apparmor - 2.10.95-0ubuntu2.5~14.04.1 --------------- apparmor (2.10.95-0ubuntu2.5~14.04.1) trusty; urgency=medium
* Bring apparmor 2.10.95-0ubuntu2.5, from Ubuntu 16.04, to Ubuntu 14.04. - This allows for proper snap confinement on Ubuntu 14.04 when using the hardware enablement kernel (LP: #1641243) * Changes made on top of 2.10.95-0ubuntu2.5: - debian/apparmor.upstart: Remove the upstart job and continue using the init script in 14.04 - debian/apparmor.postinst, debian/apparmor-profiles.postinst, debian/apparmor-profiles.postrm, debian/rules: Revert to using invoke-rc.d to load the profiles, rather than reloading them directly, since 14.04 will continue using the init script rather than the upstart job. - debian/apparmor.init, debian/lib/apparmor/functions, debian/apparmor.postinst, debian/apparmor.postrm: Remove functionality dealing with AppArmor policy in system image based environments since this 14.04 package will not need to handle such environments. This removes the handle_system_policy_package_updates(), compare_previous_version(), compare_and_save_debsums() functions and their callers. - debian/apparmor.init: Continue using running-in-container since systemd-detect-virt doesn't exist on 14.04 - debian/lib/apparmor/functions, debian/apparmor.init: Remove the is_container_with_internal_policy() function and adjust its call sites in apparmor.init so that AppArmor policy is not loaded inside of 14.04 LXD containers (avoids bug #1641236) - debian/lib/apparmor/profile-load, debian/apparmor.install: Remove profile-load as upstart's apparmor-profile-load is used in 14.04 - debian/patches/libapparmor-mention-dbus-method-in-getcon-man.patch: Continue applying this patch since the dbus version in 14.04 isn't new enough to support fetching the AppArmor context from org.freedesktop.DBus.GetConnectionCredentials(). - debian/patches/libapparmor-force-libtoolize-replacement.patch: Force libtoolize to replace existing files to fix a libapparmor FTBFS issue on 14.04. - debian/control: Retain the original 14.04 Breaks and ignore the new Breaks from 2.10.95-0ubuntu2.5 since they were put in place as part of the enablement of UNIX domain socket mediation. They're not needed in this upload since UNIX domain socket mediation is disabled by default so updates to the profiles included in those packages are not needed. - Preserve the profiles and abstractions from 14.04's 2.8.95~2430-0ubuntu5.3 apparmor package by recreating them in the top-level profiles-14.04/ directory of the source. They'll be installed to debian/tmp/etc/apparmor.d/ during the build process and then to /etc/apparmor.d/ on package install so that there are no changes to the shipped profiles or abstractions. The abstractions from 2.10.95-0ubuntu2.5 will be installed into debian/tmp/snap/etc/apparmor.d/ during the build process and then into /etc/apparmor.d/snap/abstractions/ on package install for use with snap confinement. Snap confinement profiles, which includes AppArmor profiles loaded by snapd and profiles loaded by snaps that are allowed to manage AppArmor policy, will use the snap abstractions. All other AppArmor profiles will continue to use the 14.04 abstractions. - debian/rules: Adjust for new profiles-14.04/ directory - debian/apparmor-profiles.install: Adjust to install the profiles that were installed in the 2.8.95~2430-0ubuntu5.3 package - debian/apparmor.install: Install the abstractions from the 2.10.95-0ubuntu2.5 package into /etc/apparmor.d/snap/abstractions/ - debian/patches/14.04-profiles.patch: Preserve the 14.04 profiles and abstractions from the 2.8.95~2430-0ubuntu5.3 apparmor package. - debian/patches/conditionalize-post-release-features.patch: Disable new mediation features, implemented after the Ubuntu 14.04 release, unless the profile is for snap confinement. If the profile is for snap confinement, the abstractions from /etc/apparmor.d/snap/abstractions will be used and all of the mediation features will be enabled. - 14.04-add-chromium-browser.patch, 14.04-add-debian-integration-to-lighttpd.patch, 14.04-etc-writable.patch, 14.04-update-base-abstraction-for-signals-and-ptrace.patch, 14.04-dnsmasq-libvirtd-signal-ptrace.patch, 14.04-update-chromium-browser.patch, 14.04-php5-Zend_semaphore-lp1401084.patch, 14.04-dnsmasq-lxc_networking-lp1403468.patch, 14.04-profiles-texlive_font_generation-lp1010909.patch, 14.04-profiles-dovecot-updates-lp1296667.patch, 14.04-profiles-adjust_X_for_lightdm-lp1339727.patch: Import all of the patches, from 14.04's 2.8.95~2430-0ubuntu5.3 apparmor package, which patched profiles/ and adjust them to patch profiles-14.04/ instead. - debian/patches/revert-r2550-and-r2551.patch: Revert two upstream changes to mod_apparmor which could potentially regress existing users of mod_apparmor in 14.04. These upstream changes are not appropriate for an SRU. -- Tyler Hicks <tyhi...@canonical.com> Wed, 30 Nov 2016 16:36:02 +0000 ** Changed in: apparmor (Ubuntu Trusty) Status: Won't Fix => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1305108 Title: please provide upstart job for apparmor Status in apparmor package in Ubuntu: Fix Released Status in apparmor source package in Trusty: Fix Released Status in apparmor source package in Utopic: Fix Released Bug description: AppArmor has a complicated multi-stage policy load process that has evolved over time. It consists of: - /etc/init/network-interface-security.conf to load the policy for dhclient - /etc/init/click-apparmor.conf to conditionally regenerate click policy then load it into the kernel - apparmor integration into upstart jobs - an rcS sysv init script In addition to being complicated, there are a several problems: - if a login session occurs before rcS is run, applications may start and run unconfined - if apparmor-profiles is installed, then daemons with profiles defined may start and run unconfined - an administer adding apparmor policy for daemons must also adjust the upstart job for the daemon Historically we did not use an upstart job because it would block boot and affect boot performance. Blocking boot on policy load is actually a feature because it ensures that the policy is in place before anything is started. The boot performance issue was solved long ago when we introduced binary cached profiles. In today's upstart world, rcS is intended to run prior login anyway, so converted the initscript to an upstart job should not affect boot performance. There have also been bugs in the multi-stage policy load that allowed policy load to happen too late with applications starting before policy load. The security and foundations teams feel there is a better way and that we can achieve everything with a single upstart task (see attached). In essence, the task does 'start on mounted MOUNTPOINT="/"'. Because it is a task, it will block until it completes. The script will do the various checks to make sure apparmor should load policy, conditionally regenerate click policy then load it into the kernel and load all system policy. If done correctly, this should allow us to remove the network-interface-security.conf job, the click-apparmor.conf job and the rcS initscript and will solve the issues with login sessions starting too soon, apparmor-profiles daemon policy and admin policy. Attached is lightly tested job file to achieve this (it needs a lot of testing-- see the description in the job file). To test: 1. save the job as /etc/init/apparmor.conf 2. disable the click-apparmor job with: sudo sh -c "echo manual > /etc/init/click-apparmor.override" 3. disable the network-interface-security job with: sudo sh -c "echo manual > /etc/init/network-interface-security.override" 4. add 'exit 0' to the top of /etc/init.d/apparmor This should actually slightly improve boot time since less shell code is being run with the simplified policy load. 14.10 will also support precompiling apparmor policy in kernel postinst and touch image generation to ensure that the cache is available on first boot to further improve (first) boot speeds. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1305108/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp