SRU template applied because this'll need SRU'd as well, after this lands in Impish.
** Description changed:

+ [Impact]
+ Any application that requires access to X11 sockets for the Display may want to include abstractions/X in the AppArmor rules, which usually will include rules that we would want for access to the Display socket for X.
+ 
+ However, an upstream regression was made by changes to the abstractions/X to remove the 'w' and leave it read only. This doesn't work - X11 needs read/write on the sockets for it to properly interact with X11.
+ 
+ This is a fundamental regression that has been fixed upstream.
+ 
+ 
+ [Test Plan]
+ 
+ Any application that needs X11 integration with apparmor rules should `#include <abstractions/X>`
+ 
+ This is the problem with https://bugs.launchpad.net/ubuntu/+source/torbrowser-launcher/+bug/1933886 - while the fix for that would be to add `#include <abstractions/X>` in the ruleset, it will not function with the existing abstractions. This is our test case in Impish:
+ 
+ - add `#include <abstractions/X>` into `/etc/apparmor.d/torbrowser.Browser.firefox` and the apparmor rule.
+ - `sudo systemctl restart apparmor.service`
+ - Attempt to run torbrowser with torbrowser-launcher, which should now properly work with the revisions. Without, torbrowser-launcher 'starts' Tor Browser but then it just segfaults and stops running.
+ 
+ We don't have a full test case for Hirsute at this time.
+ 
+ 
+ [Where problems could occur]
+ 
+ Based on my understanding of X11 and the upstream AppArmor bugs on this (refer to comments), there is no breakage introduced by this; in fact the breakage was already introduced upstream, so this simply fixes and removes the breakage when an apparmor rule includes these X abstractions and needs to write to the socket but can't.
+ 
+ Therefore, I don't believe there are any 'problems' that can occur with this change.
+ 
+ 
+ [Original Description]
+ 
  In Focal, abstractions/X has the following section in it:
- # the unix socket to use to connect to the display
- /tmp/.X11-unix/* rw,
- unix (connect, receive, send)
-      type=stream
-      peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
- unix (connect, receive, send)
-      type=stream
-      peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
- 
+ # the unix socket to use to connect to the display
+ /tmp/.X11-unix/* rw,
+ unix (connect, receive, send)
+      type=stream
+      peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
+ unix (connect, receive, send)
+      type=stream
+      peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
  
  However, in Impish, this seems to have changed:
- # the unix socket to use to connect to the display
- /tmp/.X11-unix/* r,
- unix (connect, receive, send)
-      type=stream
-      peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
- unix (connect, receive, send)
-      type=stream
-      peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
+ # the unix socket to use to connect to the display
+ /tmp/.X11-unix/* r,
+ unix (connect, receive, send)
+      type=stream
+      peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
+ unix (connect, receive, send)
+      type=stream
+      peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
  
  This in turn breaks torbrowser-launcher's Firefox from launching, even if we include the X abstractions, because the display sockets in /tmp/.X11-unix/* (X0 for Display :0, for example) are not read/write.
  
  This looks like a MAJOR regression by removing the permissions. Or has Impish apparmor not been updated for any Ubuntu specific changes?
ProblemType: Bug
DistroRelease: Ubuntu 21.10
Package: apparmor 3.0.0-0ubuntu8
ProcVersionSignature: Ubuntu 5.11.0-20.21+21.10.1-generic 5.11.21
Uname: Linux 5.11.0-20-generic x86_64
ApportVersion: 2.20.11-0ubuntu67
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: LXQt
Date: Tue Jun 29 14:39:00 2021
InstallationDate: Installed on 2021-06-29 (0 days ago)
InstallationMedia: Lubuntu 21.10 "Impish Indri" - Alpha amd64 (20210628)
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-5.11.0-20-generic root=UUID=d042602b-0900-4b2e-acb1-f67436e9805f ro quiet splash vt.handoff=7
SourcePackage: apparmor
UpgradeStatus: No upgrade log present (probably fresh install)

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1934005

Title:
  abstractions/X: Possible regression of X session functionality by removing 'w' from /tmp/.X11-unix/* line?

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
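The test plan above verifies the fix by launching Tor Browser; the following script is an added check, not part of this bug report or of the apparmor package, that parses an abstractions/X file and reports whether the display socket /tmp/.X11-unix/X<N> is granted both `r` and `w`. The rule parser and glob translation are my own simplification (plain file rules only; `unix` rules, comments and includes are skipped), and the two sample fragments are constructed from the Focal and Impish variants quoted in the report.

```python
"""Added check: does an AppArmor abstraction grant r+w on the X11 display socket?"""
import re

# Constructed samples reproducing the two abstractions/X variants quoted in the bug report.
FOCAL_X = """
# the unix socket to use to connect to the display
/tmp/.X11-unix/* rw,
unix (connect, receive, send)
     type=stream
     peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
"""
IMPISH_X = FOCAL_X.replace("/tmp/.X11-unix/* rw,", "/tmp/.X11-unix/* r,")

# A file rule is '<path glob> <permission letters>,' with an optional 'owner' qualifier.
FILE_RULE = re.compile(r"^(?:owner\s+)?(/\S+)\s+([a-zA-Z]+)$")

def glob_to_regex(pattern):
    """Translate an AppArmor path glob: '**' may span '/', '*' and '?' may not.
    Simplified: character classes and brace alternations are taken literally."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] in "*?":
            out, i = out + ("[^/]*" if pattern[i] == "*" else "[^/]"), i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")

def file_rules(profile_text):
    """Yield (path_glob, perms) per file rule; comments, includes and unix rules are skipped."""
    no_comments = re.sub(r"#.*", "", profile_text)       # also drops '#include' lines
    for stmt in no_comments.split(","):                  # every rule ends with a comma
        m = FILE_RULE.match(" ".join(stmt.split()))      # collapse wrapping/indentation
        if m:
            yield m.group(1), set(m.group(2))

def perms_for(profile_text, path):
    """Union of permission letters granted on a concrete path by every matching file rule."""
    perms = set()
    for glob, p in file_rules(profile_text):
        if glob_to_regex(glob).match(path):
            perms |= p
    return perms

def display_socket_writable(profile_text, display=0):
    """True when the socket for DISPLAY=:<display> gets both 'r' and 'w', as X11 clients need."""
    return {"r", "w"} <= perms_for(profile_text, f"/tmp/.X11-unix/X{display}")
```

To check an installed abstraction, pass `open("/etc/apparmor.d/abstractions/X").read()` to `display_socket_writable`; the Focal sample yields True and the Impish sample False.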
