On 2020-06-02 8:50 p.m., Chris Halse Rogers wrote:
> You don't *have* to include the full output of the test cases when
> verifying a bug (although, depending on how much output there is, it can
> be nice).
OK, good, thanks for clarifying!
> I don't think it was clear that you *had* gone through
You don't *have* to include the full output of the test cases when
verifying a bug (although, depending on how much output there is, it can
be nice).
I don't think it was clear that you *had* gone through the full test-
case in your verification comment - I'm not entirely sure what gave that
impre
This bug was fixed in the package apparmor - 2.13.3-7ubuntu5.1
---
apparmor (2.13.3-7ubuntu5.1) focal-proposed; urgency=medium

  * upstream-lp1872564.patch: adjust nameservice abstraction for nss-systemd
    - LP: #1872564

 -- Jamie Strandboge Tue, 19 May 2020 16:59:49 +
** Ch
@Brian, I did go through the full test case when marking it as verified
in comment #20.
Do I really need to repeat the full test case when verifying a bug?
$ lxc launch images:ubuntu/focal fb1
$ lxc exec fb1 -- apt update && lxc exec fb1 -- apt install apparmor -y
$ lxc exec fb1 -- apt install bi
** Tags removed: verification-needed verification-needed-focal
** Tags added: verification-done verification-done-focal
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/187256
I don't see the following step from the Test Case performed in comment
#20. Was it?
4) check kernel logs for DENIED
$ journalctl -o cat -b0 -k | grep 'apparmor="DENIED"' | grep -F 'profile="/usr/sbin/named"'
or, depending on how logging is configured:
$ dmesg | grep 'apparmor="DENIED"' | grep -
On Monday, June 01 2020, Jamie Strandboge wrote:
> FYI, those re-runs passed and the package is green in
> https://people.canonical.com/~ubuntu-archive/pending-sru.html. When
> ubuntu-sru goes through the queue, this will be published.
Thanks for taking care of this one, Jamie!
--
Sergio
GPG ke
FYI, those re-runs passed and the package is green in
https://people.canonical.com/~ubuntu-archive/pending-sru.html. When
ubuntu-sru goes through the queue, this will be published.
The autopkgtest failures seem unrelated. I triggered reruns just now.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1872564
Title:
/proc/sys/kernel/random/boot_id rule m
@Marco, this issue is not yet fixed in Focal. Marking back to Fix
Committed.
** Changed in: apparmor (Ubuntu Focal)
Status: Fix Released => Fix Committed
** Changed in: apparmor (Ubuntu Focal)
Status: Fix Committed => Fix Released
** Merge proposal unlinked:
https://code.launchpad.net/~sergiodj/ubuntu/+source/apparmor/+git/apparmor/+merge/383796
After pulling apparmor 2.13.3-7ubuntu5.1 from focal-proposed:
Get:18 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 apparmor
amd64 2.13.3-7ubuntu5.1 [494 kB]
...
Unpacking apparmor (2.13.3-7ubuntu5.1) over (2.13.3-7ubuntu5) ...
Setting up libapparmor1:amd64 (2.13.3-7ubuntu5.1) ...
Set
Hello Simon, or anyone else affected,
Accepted apparmor into focal-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/apparmor/2.13.3-7ubuntu5.1 in a few
hours, and then in the -proposed repository.
Please help us by testing this new package. See
https:
On Wednesday, May 20 2020, Simon Déziel wrote:
> To save you some work, I'll be happy to do the verification as soon as
> something lands in focal-proposed. Thanks
Thanks, Simon! Much appreciated.
--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14
To save you some work, I'll be happy to do the verification as soon as
something lands in focal-proposed. Thanks
On Tuesday, May 19 2020, Jamie Strandboge wrote:
> @Sergio - assuming you are ok with my patch, do you still plan to follow
> through on the SRU verification once it is accepted into focal-proposed?
Hi Jamie,
Yes, I can take care of the verification if no one else does it.
Thanks,
--
Sergio
G
@Sergio - assuming you are ok with my patch, do you still plan to follow
through on the SRU verification once it is accepted into focal-proposed?
On Tuesday, May 19 2020, Jamie Strandboge wrote:
> @Sergio, I didn't see that you uploaded anything to the queue so to
> expedite the SRU since there are a number of duplicates, I created a
> smaller backport of the fix and uploaded it to focal-proposed just now:
> http://launchpadlibrarian.net/48
@Sergio, I didn't see that you uploaded anything to the queue so to
expedite the SRU since there are a number of duplicates, I created a
smaller backport of the fix and uploaded it to focal-proposed just now:
http://launchpadlibrarian.net/480473812/apparmor_2.13.3-7ubuntu5_2.13.3-7ubuntu5.1.diff.gz
This bug was fixed in the package apparmor - 2.13.3-7ubuntu6
---
apparmor (2.13.3-7ubuntu6) groovy; urgency=medium

  * Add missing "boot_id" rule to abstractions/nameservice. (LP: #1872564)
    - d/p/upstream-commit-454fca7-Add-run-variable.patch: Add the
      definition for the "@{r
** Description changed:
[Impact]
On a default Focal install, systemd is used when looking up passwd and
group information:
# grep systemd /etc/nsswitch.conf
passwd: files systemd
group: files systemd
Daemons confined by Apparmor that also query those "databa
Thanks for being on top of this, Sergio. I'm surprised that a LP search
for "boot_id" in this project did not turn up this existing bug report.
** Description changed:
- # Description
+ [Impact]
On a default Focal install, systemd is used when looking up passwd and
group information:
- # grep systemd /etc/nsswitch.conf
+ # grep systemd /etc/nsswitch.conf
passwd: files systemd
group: files systemd
Daemo
** Changed in: apparmor (Ubuntu Focal)
Assignee: (unassigned) => Sergio Durigan Junior (sergiodj)
** Merge proposal linked:
https://code.launchpad.net/~sergiodj/ubuntu/+source/apparmor/+git/apparmor/+merge/383796
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: apparmor (Ubuntu Focal)
Status: New => Confirmed
** Also affects: apparmor (Ubuntu Focal)
Importance: Undecided
Status: New
** Merge proposal linked:
https://code.launchpad.net/~sergiodj/ubuntu/+source/apparmor/+git/apparmor/+merge/383686
I'm building a PPA with the backported fix here:
https://launchpad.net/~sergiodj/+archive/ubuntu/apparmor-bug1872564
** Changed in: apparmor (Ubuntu)
Assignee: (unassigned) => Sergio Durigan Junior (sergiodj)
The missing rule for boot_id was added to Apparmor 2.13
(https://gitlab.com/apparmor/apparmor/-/blob/apparmor-2.13/profiles/apparmor.d/abstractions/nameservice#L35)
and was later refined in the master branch. As such, marking as fix
committed.
** Changed in: apparmor (Ubuntu)
Status: New =
squid in focal is indeed another package that triggers that denial but
it is non fatal there as mentioned by Andreas.
@ahasenack, with 4.11, squid's systemd unit moved from Type=forking to
Type=notify and with the error you showed, I would expect you to see a
denial trying to write to /run/systemd
That was squid 4.11, for groovy, btw. squid as shipped in focal is
working fine.
Squid is failing to start due to this apparmor deny:
[ 7271.822230] audit: type=1400 audit(1588602033.905:516): apparmor="DENIED"
operation="open"
namespace="root//lxd-autopkgtest-lxd-sljvrl_"
profile="/usr/sbin/squid" name="/proc/sys/kernel/random/boot_id" pid=289530
comm="squid" requested_mas
`snap info lxd` says:
installed: 4.0.1 (14890) 72MB -
And indeed, there is a tmpfs mounted there:
root@bind:~# mount | grep boot
none on /proc/sys/kernel/random/boot_id type tmpfs
(ro,nosuid,nodev,noexec,relatime,size=492k,mode=755,uid=1524288,gid=1524288)
That said, I
Which lxd are you using? Because more recent ones should be creating a
per-container boot_id.
Scratch that. Using 'owner' on a root-owned but world readable file is
probably ill-advised in an abstraction. It seems plausible for an
application to do NSS lookup for user/group while running as non-root.
On all my machines and using various daemons, the denial messages always
have fsuid==ouid. As such, I believe it would be OK to use the 'owner'
specifier like this:
owner @{PROC}/sys/kernel/random/boot_id r,
38 matches