[Bug 1887577] Re: DEP8: Invalid capability setuid
This bug was fixed in the package apparmor - 3.0.0~beta1-0ubuntu6

---
apparmor (3.0.0~beta1-0ubuntu6) groovy; urgency=medium

  * Drop d/p/lp1824812.patch: this patch was only needed with 2.13 and not
    3.0. With AppArmor 3, the patch ends up setting SFS_MOUNTPOINT to the
    wrong directory in is_container_with_internal_policy(), which causes
    policy to always fail to load in containers. Thanks to Christian
    Ehrhardt for the analysis. (LP: #1895967)

apparmor (3.0.0~beta1-0ubuntu5) groovy; urgency=medium

  [ John Johansen ]
  * d/p/fix-parser-to-emit-proc-attr-access-for-all-situations.patch:
    fix-automatic-adding-of-rule-for-change-hat-iface.patch fixed the
    parser to emit rules needed for change_hat in the hat profiles but
    broke the rule being emitted for the parent profile, this fixes it for
    both so that it is emitted for any profile that is a hat or that
    contains a hat.
  * d/p/fix-change-profile-stack-abstraction.patch: fix the change_profile
    abstraction so that it allows access to the apparmor attribute paths
    under LSM stacking.

apparmor (3.0.0~beta1-0ubuntu2) groovy; urgency=medium

  [ John Johansen ]
  * d/p/fix-automatic-adding-of-rule-for-change-hat-iface.patch: fix
    parser not adding a rule to profiles if they are a hat or contain hats
    granting write access to the kernel interfaces.

apparmor (3.0.0~beta1-0ubuntu1) groovy; urgency=medium

  [ John Johansen ]
  * New upstream release (LP: #1895060, LP: #1887577, LP: #1880841)
  * Drop all patches backported from upstream: applied in 3.0
  * d/p/policy-provide-example-and-base-abi-to-pin-pre-3.0-p.patch:
    provide example and base abi to pin pre 3.0 policy
  * d/p/ubuntu/enable-pinning-of-pre-AppArmor-3.x-poli.patch: enable
    pinning of pre AppArmor 3.x policy
  * drop d/p/debian/dont-include-site-local-with-dovecot.patch: no longer
    needed with upstream 'include if exists'

  [ Steve Beattie ]
  * d/p/parser-fix_cap_match.patch: fix cap match to work correctly,
    important now that groovy has a 5.8 kernel.
  * d/apparmor-profiles.install:
    + adjust for renamed postfix profiles
    + add usr.bin.dumpcap and usr.bin.mlmmj-receive to extra-profiles
    + remove usr.sbin.nmbd and usr.sbin.smbd from extra-profiles (already
      in apparmor-profiles)
  * d/apparmor.install: include abi/ directory and tunables/etc.
  * d/apparmor.manpages: add apparmor_xattrs.7 manpage
  * d/control:
    + apparmor-utils: no more shipped perl tools, drop perl dependency
    + apparmor-notify: aa-notify was converted to python3 from perl;
      adjust -notify dependencies to compensate
  * d/p/fix-tests-regression-apparmor-prologue-inc-settest.patch: fix sed
    expression in settest()

  [ Emilia Torino ]
  * Removing Ubuntu specific chromium-browser profile. This is safe to do
    since groovy's chromium-browser deb installs the snap. If apparmor3 is
    backported to 18.04 or earlier, the profile will need to be taken into
    consideration
    - d/profiles/chromium-browser: remove chromium-browser profile
    - d/apparmor-profiles.postinst: remove postinst script as it only
      contains chromium-browser related functionality.
    - d/apparmor-profiles.postrm: remove postrm script as it only contains
      chromium-browser related functionality.
    - d/apparmor-profiles.install: remove ubuntu-specific chromium-browser
      abstraction and profile
    - d/apparmor-profiles.lintian-overrides: remove chromium-browser
      profile lintian overrides
    - d/p/ubuntu/add-chromium-browser.patch: remove patch which added
      chrome-browser

  [ Alex Murray ]
  * d/p/policy-provide-example-and-base-abi-to-pin-pre-3.0-p.patch:
    refresh this patch with the official upstream version
  * d/p/ubuntu/enable-pinning-of-pre-AppArmor-3.x-poli.patch: refresh this
    patch to match the above
  * d/p/parser-add-abi-warning-flags.patch: enable parser warnings to be
    silenced or to be treated as errors

  [ Jamie Strandboge ]
  * d/p/adjust-for-ibus-1.5.22.patch: update ibus abstract path for ibus
    1.5.22. This can be dropped with AppArmor 3.0 final.
  * d/p/parser-add-abi-warning-flags.patch: refresh to avoid lintian
    warnings
  * d/p/ubuntu/lp1891338.patch: adjust ubuntu-integration to use
    abstractions/exo-open (LP: #1891338)
  * d/p/ubuntu/lp1889699.patch: adjust to support brave in ubuntu
    abstractions. Patch thanks to François Marier (LP: #1889699)
  * d/p/ubuntu/lp1881357.patch: adjust for new ICEauthority path in /run
    (LP: #1881357)

 -- Jamie Strandboge Tue, 22 Sep 2020 15:10:33 +

** Changed in: apparmor (Ubuntu)
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1887577

Title:
  DEP8: Invalid capability setuid

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1887577/+subscriptions

-- u
[Bug 1887577] Re: DEP8: Invalid capability setuid
Removed the update_excuse and update_excuses tags based on Steve and Alex's comments.

** Tags removed: update-excuse update-excuses

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1887577] Re: DEP8: Invalid capability setuid
This is now passing:

https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-groovy/groovy/amd64/a/apparmor/20200921_175620_e825f@/log.gz
[Bug 1887577] Re: DEP8: Invalid capability setuid
The fix for this is included in the apparmor 3.0.0~beta1-0ubuntu5 upload into groovy-proposed, which is waiting to migrate to groovy.

** Changed in: apparmor (Ubuntu)
       Status: In Progress => Fix Committed
[Bug 1887577] Re: DEP8: Invalid capability setuid
This will be fixed in the next apparmor upload.

** Changed in: apparmor (Ubuntu)
       Status: New => In Progress
[Bug 1887577] Re: DEP8: Invalid capability setuid
This is due to a change in behavior in make 4.3. It was addressed in the upstream merge request https://gitlab.com/apparmor/apparmor/-/merge_requests/461 and was cherrypicked into the apparmor 2.13 branch via merge request https://gitlab.com/apparmor/apparmor/-/merge_requests/465.
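Added example, not part of the thread and not the change made in the merge requests: GNU make 4.3 stopped treating `#` inside a function call as the start of a comment, so the old `\#` escape now reaches the shell with its backslash and `cpp` sees no valid directive. The Makefile below uses the `H := \#` idiom to behave the same on both old and new make, and adds a guard so an empty capability list stops the build instead of passing silently. The header name `linux/capability.h` (lost from the posts on this page), the variable `H` and the two guard checks are assumptions of this example.

```make
# Added example: portable across GNU make < 4.3 and >= 4.3.
# Outside a function call, "\#" is a literal "#" in every make version,
# so the number sign is stored once and expanded where it is needed.
H := \#

# Same pipeline as in the thread, with $(H) replacing the escaped "\#".
# Assumption: the header being included is linux/capability.h.
CAPABILITIES := $(shell echo '$(H)include <linux/capability.h>' | cpp -dM | \
	LC_ALL=C sed -n -e '/CAP_EMPTY_SET/d' \
	-e 's/^$(H)define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$$/CAP_\1/p' | \
	LC_ALL=C sort)

# Guard 1: an empty list means the generator broke (escaping, missing cpp,
# missing kernel headers). Stop here rather than build a parser that knows
# no capabilities at all.
ifeq ($(strip $(CAPABILITIES)),)
$(error capability list is empty: check the '$(H)include' escaping and that cpp finds the header)
endif

# Guard 2: spot-check one capability that every kernel header defines.
ifeq ($(filter CAP_SETUID,$(CAPABILITIES)),)
$(error CAP_SETUID is missing from the generated capability list)
endif

all:
	@echo $(CAPABILITIES)
```

With the guards in place, the groovy behaviour shown in the thread (`make` printing nothing and exiting successfully) becomes a hard build error at parse time.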
[Bug 1887577] Re: DEP8: Invalid capability setuid
Hm, not sure, it works for me on a focal host:

    $ cat Makefile
    # emits defined capabilities in a simple list, e.g. "CAP_NAME CAP_NAME2"
    CAPABILITIES=$(shell echo "\#include " | cpp -dM | LC_ALL=C sed -n -e '/CAP_EMPTY_SET/d' -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$$/CAP_\1/p' | LC_ALL=C sort)

    all:
        @echo $(CAPABILITIES)

    $ make
    CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE CAP_BLOCK_SUSPEND CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID CAP_IPC_LOCK CAP_IPC_OWNER CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_MKNOD CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETFCAP CAP_SETGID CAP_SETPCAP CAP_SETUID CAP_SYSLOG CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM

Interesting, on groovy it doesn't:

    $ make

    $
[Bug 1887577] Re: DEP8: Invalid capability setuid
I think the problem might be an unnecessary backslash in common/Make.rules:

    CAPABILITIES=$(shell echo "\#include " | cpp -dM | LC_ALL=C sed -n -e '/CAP_EMPTY_SET/d' -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$$/CAP_\1/p' | LC_ALL=C sort)

I wrote a dummy makefile to test this and $(CAPABILITIES) was empty. Changing to this:

    CAPABILITIES=$(shell echo "#include " | cpp -dM | LC_ALL=C sed -n -e '/CAP_EMPTY_SET/d' -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$$/CAP_\1/p' | LC_ALL=C sort)

gives what I think is the expected output.
[Bug 1887577] Re: DEP8: Invalid capability setuid
** Tags added: update-excuses

** Tags added: update-excuse