[Bug 2065685] Re: aa-logprof fails with 'runbindable' error

2024-05-17 Thread Christian Boltz
I'm afraid apparmor_parser is not fully aware of this restriction.
    # cat foo
    /usr/bin/foo {
      # mount options=(rw, runbindable) / -> /bar, # causes error
      mount options=(rw, runbindable) -> /bar, # accepted as valid (as expected)
      mount options=(rw, runbindable) /, #

[Bug 1641236] Re: Confined processes inside container cannot fully access host pty device passed in by lxc exec

2022-05-18 Thread Christian Boltz
> apparmor_parser -R /etc/apparmor.d
-R means to unload profiles, in this case all profiles in /etc/apparmor.d/. That's probably a bit ;-) too much... I'd guess you want to unload only the tcpdump profile, which would be done with
    apparmor_parser -R /etc/apparmor.d/usr.bin.tcpdump
An

[Bug 1961196] Re: apparmor autotest failure on jammy with linux 5.15

2022-02-17 Thread Christian Boltz
This was already fixed upstream with https://gitlab.com/apparmor/apparmor/-/merge_requests/848 (with a slightly different patch that works for all python versions). AppArmor >= 3.0.5 will include the fix. -- You received this bug notification because you are a member of Ubuntu Bugs, which is

[Bug 1861250] Re: Apparmor error failed to start profiles

2022-01-27 Thread Christian Boltz
Looks like the profile for cups-browsed has a syntax error. (Did you change something in the profile, or is it the original profile as shipped in the package?) Also, AFAIK this profile is shipped with the cups package, therefore I'm adding that package. ** Also affects: cups (Ubuntu)

[Bug 1948752] Re: apparmor is logging too many messages

2021-10-26 Thread Christian Boltz
The /usr/bin/redshift profile needs some additional dbus rules. ** Also affects: redshift Importance: Undecided Status: New

[Bug 1934005] Re: abstractions/X: Possible regression of X session functionality by removing 'w' from /tmp/.X11-unix/* line?

2021-06-30 Thread Christian Boltz
This was already fixed upstream, see https://gitlab.com/apparmor/apparmor/-/merge_requests/664

[Bug 1777070] Re: firefox plugin libwidevinecdm.so crashes due to apparmor denial

2020-11-15 Thread Christian Boltz
> The second rule allows firefox to load and run code from that location.
> But doesn't allow firefox to write to it. So if there is malware [...]
That's correct for the added rule, but the profile also has
    owner @{HOME}/.{firefox,mozilla}/** rw,
which means firefox _can_ write to that

[Bug 1899046] Re: /usr/bin/aa-notify:ModuleNotFoundError:/usr/bin/aa-notify@39

2020-10-08 Thread Christian Boltz
The error is:
    Traceback (most recent call last):
      File "/usr/bin/aa-notify", line 39, in <module>
        import psutil
    ModuleNotFoundError: No module named 'psutil'
Looks like a missing dependency on python3-psutil (or whatever the package is named) in the package that contains aa-notify.

[Bug 1895967] Re: 3.0.0~beta1-0ubuntu1 in Groovy breaks Libvirt/Qemu/KVM

2020-09-21 Thread Christian Boltz
Wild _guess_/hint that could explain the behaviour you see: Do you have (snap?) profiles that have rules with "peer=libvirtd", and fail if libvirtd is running unconfined (which would need "peer=unconfined" in the other profile)?

[Bug 1331856] Re: apparmor-utils don't work when defining a variable on

2020-06-01 Thread Christian Boltz
This bug is finally fixed with https://gitlab.com/apparmor/apparmor/-/merge_requests/544 AppArmor 3.0 will include the fixed tools. ** Changed in: apparmor Status: Triaged => Fix Committed

[Bug 1861250] Re: Apparmor error failed to start profiles

2020-05-21 Thread Christian Boltz
Indeed, that's not really helpful :-( Another idea - does apparmor_parser -r /etc/apparmor.d/ print any output? (If yes, please paste or attach it.)

[Bug 387657] Re: aa-logprof: doesn't handle large logs

2020-04-13 Thread Christian Boltz
In the meantime (actually nearly a year ago), log parsing was rewritten and now does de-duplication instantly. This should reduce memory usage a lot - my experience is that especially large logs have lots of duplication included. I also removed some intermediate steps in the chain from logfile to

[Bug 1703821] Re: Dovecot and Apparmor complains at operation file_inherit

2020-02-16 Thread Christian Boltz
For the records: Upstream commit a57f01d86bdb01647966f3eeff7a1cc3fc6abd76 (from 2019-02-10) added rules to allow this (with an additional type=stream restriction, which matches the log mentioned in this bugreport), and was also backported to the maintenance branches. Therefore I'll mark the

[Bug 1861250] Re: Apparmor error failed to start profiles

2020-01-29 Thread Christian Boltz
I'm afraid the logs you attached don't include anything about the reason why you get this failure. Can you please attach the output of systemctl status -n200 apparmor.service

[Bug 1824724] Re: aa-logprof: german translation: ERROR: PromptUser: Ungültiges Tastenkürzel für V: Änderungen ansehen

2019-04-24 Thread Christian Boltz
> id appears to be the only one to pick different letters. For the records: changing the hotkeys is allowed, but you have to make sure that you don't cause hotkey conflicts. To be sure, run the updated translation through the AppArmor utils tests - or ask me to run these tests ;-) > and if it's

[Bug 1825331] Re: apparmor chromium profile blocks yubikeys

2019-04-20 Thread Christian Boltz
KernLog.txt contains several ALLOWED lines for chromium, and also DENIED lines for firefox (unrelated to this bugreport, but nevertheless we should probably check them). You mentioned that you got some EPERM in strace - can you please tell us which files were affected? Wild guess: maybe those

[Bug 1819741] Re: aa-genprof fails on disabled profile

2019-03-14 Thread Christian Boltz
This is already fixed upstream (in AppArmor 2.12.2 and 2.13.2), especially commit f997977e6. However, the Ubuntu package doesn't have that fix yet, therefore I add "apparmor (Ubuntu)" to the "affects" list. Backporting the mentioned commit probably isn't too easy (it's quite big and IIRC has

[Bug 1571531] Re: cupsd cause apparmor denials for /etc/ld.so.preload

2019-02-18 Thread Christian Boltz
> unix (connect, send, receive) peer = (addr = "@ 2F746D702F65736574732E736F636B00 *")
Did you really use exactly this line (with "@_space_2F...B00_space_*")? If so, please try again without the spaces.

[Bug 1785391] Re: aa-genprof fails in an lxd instance

2019-02-16 Thread Christian Boltz
** Changed in: apparmor Status: Fix Committed => Fix Released

[Bug 1784499] Re: AppArmor treats regular NFS file access as network op

2018-12-19 Thread Christian Boltz
** Also affects: apparmor Importance: Undecided Status: New

[Bug 1805178] Re: Apparmor should include letsencrypt directory for Slapd

2018-11-30 Thread Christian Boltz
The ssl_certs and ssl_keys abstractions just got the paths for letsencrypt added: https://gitlab.com/apparmor/apparmor/merge_requests/283 (also backported to the 2.10..2.13 branches)

[Bug 1528139] Re: serialize_profile_from_old_profile() crash if file contains multiple profiles

2018-11-11 Thread Christian Boltz
Also backported to the 2.12 and 2.13 branch, will be in 2.12.2 and 2.13.2.

[Bug 1719354] Re: apparmor blocking smbd which is in complain mode

2018-10-12 Thread Christian Boltz
The net_admin denial is probably caused by a bug in systemd, see https://bugzilla.opensuse.org/show_bug.cgi?id=991901 and https://github.com/systemd/systemd/pull/10085 I'd recommend not to allow that capability in the nmbd profile, and instead apply the patch to systemd. Write permissions to

[Bug 1785391] Re: aa-genprof fails in an lxd instance

2018-08-07 Thread Christian Boltz
** Changed in: apparmor Status: Triaged => Fix Committed

[Bug 1785391] Re: aa-genprof fails in an lxd instance

2018-08-07 Thread Christian Boltz
Fix committed to 2.10 branch..master For the aa-logprof issue you mentioned, please answer my question in a new bugreport ;-)

[Bug 1785391] Re: aa-genprof fails in an lxd instance

2018-08-05 Thread Christian Boltz
https://gitlab.com/apparmor/apparmor/merge_requests/157 For aa-logprof - a) what exactly is the problem and b) please answer in a separate bugreport ;-) ** Changed in: apparmor Status: New => Triaged ** Changed in: apparmor Assignee: (unassigned) => Christian Boltz (cboltz)

[Bug 1784023] Re: Update profiles for usrmerge

2018-07-28 Thread Christian Boltz
> ./abstractions/lightdm: /bin/ rmix,
rmix permissions for a directory? That looks wrong to me, r permissions should be enough.

[Bug 1528139] Re: serialize_profile_from_old_profile() crash if file contains multiple profiles

2018-07-25 Thread Christian Boltz
Done - https://gitlab.com/apparmor/apparmor/merge_requests/131 will be part of AppArmor 3.0

[Bug 1528139] Re: serialize_profile_from_old_profile() crash if file contains multiple profiles

2018-06-09 Thread Christian Boltz
For the records - I'm just working on a different implementation of "(V)iew Changes", which will also replace the workaround with a real fix :-) This will probably be in AppArmor 3.0, and will appear as merge request on gitlab this weekend.

[Bug 1756800] Re: Failed to start AppArmor initialization with status=123/n/a

2018-05-28 Thread Christian Boltz
Looks like you have a syntax error in /etc/apparmor.d/tunables/multiarch around line 13. Can you please attach this file? Also, did you modify it manually?

[Bug 1719354] Re: apparmor blocking smbd which is in complain mode

2018-04-24 Thread Christian Boltz
> sudo mv /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/usr.sbin.smbd_OLD
Please move that *_OLD file outside of /etc/apparmor.d/ - otherwise it will still be loaded on a "last one wins" base. Obviously you'll need to reload the profiles once more afterwards to ensure the "right" profile is

[Bug 1717714] Re: @{pid} variable broken on systems with pid_max more than 6 digits

2018-04-22 Thread Christian Boltz
** Changed in: apparmor Status: Fix Committed => Fix Released

[Bug 1730536] Re: "Unable to open external link" in Evince when google-chrome-unstable is the default browser

2018-04-22 Thread Christian Boltz
Fixed in AppArmor 2.12 ** Changed in: apparmor Status: Fix Committed => Fix Released

[Bug 1590561] Re: webbrowser-app crashes on startup on fresh zesty Unity8: No suitable EGL configs found

2018-04-22 Thread Christian Boltz
** Changed in: apparmor Status: Fix Committed => Fix Released

[Bug 1668892] Re: CVE-2017-6507: apparmor service restarts and package upgrades unload privately managed profiles

2018-04-22 Thread Christian Boltz
** Changed in: apparmor Status: Fix Committed => Fix Released

[Bug 1759346] Re: ix scrubs environment when it shouldn't when going through aa-exec

2018-03-29 Thread Christian Boltz
Just wondering - if this bug survived so long without being noticed, isn't it a sign that in most cases scrubbing doesn't hurt or is even a good idea? Should we introduce Ix to officially have a way to inherit with scrubbing?

[Bug 1758449] Re: skype snap does not work when home directory is not located in /home

2018-03-23 Thread Christian Boltz
Just as a quick info - to get things working with non-default home directory locations, edit /etc/apparmor.d/tunables/home (or add a file to /etc/apparmor.d/tunables/home.d/) and add your custom path ("/data/home/") to the @{HOMEDIRS} variable. I'm not sure why read access to /data/ was requested

[Bug 1752365] Re: Cannot Add Request Hat or Use Default Hat in aa-logprof and mod_apparmor

2018-02-28 Thread Christian Boltz
For the records: this is already fixed upstream (checked in master and the latest 2.11 branch), so Ubuntu "just" needs to pick up the fix.
    commit e2039f021e42793e07c1838499eae9c22e1ea8f2
    Author: Christian Boltz <appar...@cboltz.de>
    Date: Mon Aug 15 22:02:55 2016

[Bug 1658943] Re: aa-notify blocks desktop with garbage notifications

2018-02-28 Thread Christian Boltz
Reopening for upstream AppArmor - unfortunately nobody worked on this yet :-( ** Changed in: apparmor Status: Invalid => Confirmed

[Bug 1751005] Re: libreoffice cannot open a document not within $HOME

2018-02-27 Thread Christian Boltz
It looks like the "xlsm" extension is not included in the profile (checked with upstream LibreOffice 6.0.1.1). [Unless someone fixes this quickly and says so, this is probably worth a separate bugreport.] To find out if the encrypted partition is a problem, try to open a file with a more common

[Bug 1717714] Re: @{pid} variable broken on systems with pid_max more than 6 digits

2018-01-10 Thread Christian Boltz
> Not quite sure now if apparmor upstream is found in launchpad[1] or gitlab[2].
The code moved from bzr to gitlab recently. Bug tracking and translations are still handled on launchpad.
> I would go with that versioning approach instead:
>
> apparmor | 2.11.0-2ubuntu17.1 | artful
> apparmor |

[Bug 1399027] Re: logparser doesn't understand /var/log/messages format

2017-12-04 Thread Christian Boltz
> c0n7r4 (c0n7r4) wrote:
> apparmor="AUDIT"
AUDIT events happen if your profile has a rule like
    audit /tmp/tempfile/ r,
and the program is then really doing something that needs this rule (like getting a directory listing for /tmp/tempfile/). "audit" means that the action is allowed (but

[Bug 1734038] Re: Potential regression found with apparmor test on Xenial/Zesty

2017-11-24 Thread Christian Boltz
> There is also a python parser (in aa.py) which only seems to understand the > 'include ' > syntax and it is this which throws errors when running the utility commands. Exactly, that's the cause of this bug. I'll change the title to make it obvious. Interestingly, it has been this way for

[Bug 1665535] Re: WebRTC webcam support broken in firefox due to apparmor

2017-10-29 Thread Christian Boltz
The milestone is not 100% correct - the fix is included in 2.11.95 aka 2.12 beta1. ** Changed in: apparmor Status: Fix Committed => Fix Released

[Bug 1717714] Re: @{pid} variable broken on systems with pid_max more than 6 digits

2017-10-26 Thread Christian Boltz
** Also affects: apparmor/2.11 Importance: Undecided Status: New ** Changed in: apparmor/2.11 Status: New => Fix Committed ** Changed in: apparmor/2.11 Milestone: None => 2.11.2

[Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-24 Thread Christian Boltz
> ... apparmor="DENIED" operation="create" ... family="unix" sock_type="stream"
With the pinned-down feature set, you probably "lost" support for unix rules. In theory, apparmor_parser will downgrade those rules to "network unix," - but in practise a bug in apparmor_parser prevented it. This bug

[Bug 1669254] Re: 16.04 apparmor, aa-logprof and log files

2017-10-02 Thread Christian Boltz
** Tags added: aa-tools

[Bug 1719579] Re: [Ubuntu 16.04.2] [libvirt] virsh restore fails from state file saved in /var/tmp folder using virsh save

2017-09-28 Thread Christian Boltz
You'll need to allow /etc/gss/mech.d/ r, and after that, I wouldn't be surprised if you get denials for files inside this directory ;-)

[Bug 1719354] Re: apparmor blocking smbd which is in complain mode

2017-09-27 Thread Christian Boltz
aa-notify doesn't have an option to silence specific events - hey, its job is to annoy^Wnotify you, so what do you expect? ;-) To silence the notifications, you'll have to update the profile. The easiest solution is probably to download the latest smbd profile from

[Bug 1719935] Re: It would be great to get a stacktrace on apparmor "events" - maybe add a tracepoint

2017-09-27 Thread Christian Boltz
** Also affects: apparmor Importance: Undecided Status: New ** Tags added: aa-feature

[Bug 1719354] Re: apparmor blocking smbd which is in complain mode

2017-09-26 Thread Christian Boltz
This is fixed in AppArmor bzr since
    revno: 3437.1.4
    timestamp: Wed 2016-04-13 09:24:46 -0400
      usr.sbin.smbd: new lock dir used by recent versions (4.3.8)
so you'll "just" need to backport the smbd profile to 16.04.

[Bug 1717714] Re: @{pid} variable broken on systems with pid_max more than 6 digits

2017-09-18 Thread Christian Boltz
** Also affects: apparmor Importance: Undecided Status: New ** Tags added: aa-policy

[Bug 1715097] Re: postfixadmin should work with MariaDB, cause it is a drop-in replacement

2017-09-06 Thread Christian Boltz
AFAIK this is fixed in the upstream debian/control (at least on github, didn't check the release tarball), so syncing with that might be a better option. If you think the upstream debian/control needs changes, please send a pull request on github.

[Bug 1478659] Re: aa-genprof start but doesn't allow any action

2017-08-28 Thread Christian Boltz
I'm afraid the given information isn't enough to reproduce and debug this problem :-( If you hit this again, please reopen and provide some more details. ** Changed in: apparmor Status: New => Invalid ** Changed in: apparmor (Ubuntu) Status: New => Invalid

[Bug 1503762] Re: Provide systemd service

2017-08-04 Thread Christian Boltz
Just a quick update about the situation on openSUSE - in the meantime, we got rid of the initscript and switched to a small wrapper script - see apparmor.systemd and apparmor.service on https://build.opensuse.org/package/show/security:apparmor/apparmor That's obviously not the final solution, but

[Bug 1703520] Re: DNS resolving doesn't work in complain mode with dnsmasq and apparmor

2017-07-13 Thread Christian Boltz
For the records:
    revno: 3437
    fixes bug: https://launchpad.net/bugs/1569316
    committer: Tyler Hicks
    branch nick: apparmor
    timestamp: Tue 2016-04-12 16:36:43 -0500
    message:
      profiles: Add attach_disconnected flag to dnsmasq profile
      https://launchpad.net/bugs/1569316

[Bug 1658239] Re: base abstraction missing glibc /proc/$pid/ things

2017-07-06 Thread Christian Boltz
no worries, I changed it back ;-) ** Changed in: apparmor/master Status: Fix Released => Fix Committed

[Bug 1665535] Re: WebRTC webcam support broken in firefox due to apparmor

2017-07-02 Thread Christian Boltz
Merged into AppArmor bzr. ** Also affects: apparmor Importance: Undecided Status: New ** Changed in: apparmor Status: New => Fix Committed ** Changed in: apparmor Milestone: None => 2.12

[Bug 1700232] Re: aa-logprof ignores dbus access

2017-06-24 Thread Christian Boltz
I added dbus support to aa-logprof in AppArmor 2.11, and I'd guess *) 16.04 has an older version. *) I use openSUSE ;-)

[Bug 1689585] Re: ntp doesn't unload its apparmor profile on purge

2017-05-13 Thread Christian Boltz
> Sorry, I meant it's the service's job to properly/forcefully stop a > daemon. I agree that killing processes in postrm is dangerous. I agree that kill -9 isn't the way to go (it was meant as a rhetoric question), but there are still valid reasons why a daemon doesn't get stopped in postrm: -

[Bug 1689585] Re: ntp doesn't unload its apparmor profile on purge

2017-05-12 Thread Christian Boltz
You are technically correct that the still-loaded profile doesn't match a clean uninstall. However, I have a different opinion on this and think keeping the profile loaded is the better choice. Unloading a profile means removing the confinement from running processes. So if a process is still

[Bug 482080] Re: Dovecot's apparmor profile breaks dovecot-antispam

2017-04-29 Thread Christian Boltz
I'd even recommend to restrict it a bit more:
    owner /tmp/antispam-mail*/ rw,
    owner /tmp/antispam-mail*/* rwkl,
sendmail might be a candidate for a child profile. Such a (maybe too generous) profile already exists in the dovecot-lda profile, so cleaning it up and removing permissions that are

[Bug 1682055] Re: dh_apparmor does not remove profiles(s) when purging package

2017-04-12 Thread Christian Boltz
I don't care too much about dh_apparmor (EWRONGDISTRO ;-) - but still: Are you sure that unloading profiles when uninstalling a package is a good idea? The binary installed by this package could still be running, and unloading the profile (= unconfining the binary) might be a security risk. (I

[Bug 1650827] Re: "Failed name lookup - disconnected path"

2017-04-06 Thread Christian Boltz
Thanks for the report! I committed the updated profile to bzr trunk r3651, 2.10 branch r3391 and 2.9 branch r3056. If you want to update your profile locally, the needed changes are: -/usr/lib/dovecot/dovecot-lda { +/usr/lib/dovecot/dovecot-lda flags=(attach_disconnected) { +

[Bug 1679856] Re: ldd should be replaced in the utilities

2017-04-05 Thread Christian Boltz
** Tags added: aa-tools

[Bug 1677997] Re: aa-enforce gives syntax error on snapd config

2017-03-31 Thread Christian Boltz
This was fixed in upstream bzr r3490 (2016-07-20), but only in trunk. Looks like nobody backported it to the 2.10 branch or the Ubuntu packages. See also bug 1584069 (which is referred in the r3490 commit message) - interestingly, there's a comment saying "This bug was fixed in Ubuntu 16.04 with

[Bug 1668892] Re: CVE-2017-6507: apparmor service restarts and package upgrades unload privately managed profiles

2017-03-24 Thread Christian Boltz
** Also affects: apparmor/2.10 Importance: Undecided Status: New ** Also affects: apparmor/2.11 Importance: Undecided Status: New ** Changed in: apparmor/2.10 Milestone: None => 2.11.1 ** Changed in: apparmor/2.10 Status: New => Fix Committed ** Changed in:

[Bug 1658239] Re: base abstraction missing glibc /proc/$pid/ things

2017-03-15 Thread Christian Boltz
** Changed in: apparmor/2.10 Status: Fix Released => Fix Committed

[Bug 1669254] Re: 16.04 apparmor, aa-logprof and log files

2017-03-02 Thread Christian Boltz
openSUSE still has /var/log/messages - at least if you install one of the "normal" syslog daemons (syslogd, syslog-ng or rsyslog) instead of relying on journald ;-) OTOH, openSUSE never had /var/log/syslog

[Bug 1628286] Re: [utils] DBus rules enforce stricter ordering of dbus attributes

2017-01-27 Thread Christian Boltz
Feel free to send out what you have now (with a "just FYI, WIP" note) - maybe I can help in some details. For "my" invalid rule: Well, I managed to pick an example that is "more invalid" than yours ;-) What I wanted to know is - if there's another parameter between two bus=... parameters, will

[Bug 1628286] Re: [utils] DBus rules enforce stricter ordering of dbus attributes

2017-01-27 Thread Christian Boltz
> It is too bad that all of the
> profiles have to be fully parsed just to use basic utilities that don't
> necessarily care about the rules inside of a profile.
The main problem is that we allow "random" filenames for the profiles, so we need to check all files for the to-be-changed profile -

[Bug 1512131] Re: Apparmor complains about multiple /run/dovecot file access

2017-01-26 Thread Christian Boltz
Committed to AppArmor bzr - trunk r3627, 2.10 branch r3383 and 2.9 branch r3048. Fixing the Ubuntu packages is not my job ;-) ** Also affects: apparmor/2.9 Importance: Undecided Status: New ** Also affects: apparmor/2.10 Importance: Undecided Status: New ** Changed in:

[Bug 1628286] Re: [utils] DBus rules enforce stricter ordering of dbus attributes

2017-01-24 Thread Christian Boltz
Well, up to 2.10 dbus rule handling in the tools was simply matching for "dbus.*," and writing the line back to the profile without any changes. I'm not sure if I'd call full support for dbus rules (including handling of log events) a regression ;-) but I understand that it's annoying. Writing a

[Bug 1658943] Re: aa-notify blocks desktop with garbage notifications

2017-01-24 Thread Christian Boltz
** Also affects: apparmor Importance: Undecided Status: New ** Tags added: aa-tools

[Bug 1658943] Re: aa-notify blocks desktop with garbage notifications

2017-01-24 Thread Christian Boltz
Agreed, aa-notify needs some love. Nevertheless, please open separate bugreports for firefox and chromium to get their profiles fixed ;-)

[Bug 1658239] Re: base abstraction missing glibc /proc/$pid/ things

2017-01-23 Thread Christian Boltz
** Changed in: apparmor/master Milestone: None => 2.11.1

[Bug 1658238] Re: apache2 abstraction incomplete

2017-01-23 Thread Christian Boltz
** Changed in: apparmor/master Milestone: None => 2.11.1

[Bug 1658236] Re: php abstraction not updated for php7

2017-01-20 Thread Christian Boltz
Note that upstream AppArmor renamed abstractions/php5 to abstractions/php and added some more paths so that it also works with PHP 7 on openSUSE. abstractions/php5 is still provided as compatibility wrapper. It would probably make sense to take the upstream files instead of your patch.

[Bug 1484178] Re: Policy cache file mtimes are not being set correctly

2017-01-10 Thread Christian Boltz
This was already fixed in AppArmor 2.10.1 ** Changed in: apparmor Status: Fix Committed => Fix Released

[Bug 1525119] Re: Cannot permit some operations for sssd

2017-01-10 Thread Christian Boltz
** Changed in: apparmor Status: Fix Committed => Fix Released

[Bug 1528230] Re: [ADT test failure] linux: ubuntu_qrt_apparmor.test-apparmor.py -- ONEXEC - check current 'unconfined' != expected

2017-01-10 Thread Christian Boltz
** Changed in: apparmor Status: Fix Committed => Fix Released

[Bug 1522938] Re: unix rules not written to profile

2017-01-10 Thread Christian Boltz
** Changed in: apparmor Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1522938 Title: unix rules not written to profile To manage notifications about

[Bug 1534405] Re: Regression in parser compiling/loading a directory

2017-01-10 Thread Christian Boltz
** Changed in: apparmor/master Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1534405 Title: Regression in parser compiling/loading a directory To

[Bug 1628745] Re: Change in kernel exec transition behavior causes regression tests to fail

2017-01-10 Thread Christian Boltz
** Changed in: apparmor Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1628745 Title: Change in kernel exec transition behavior causes regression tests

[Bug 1652131] Re: Putting Apparmor profile usr.lib.dovecot.auth into enforce mode blocks access to /var/spool/private/auth for Dovecot

2017-01-10 Thread Christian Boltz
** Changed in: apparmor Status: Fix Committed => Fix Released ** Changed in: apparmor/2.10 Status: Fix Committed => Fix Released ** Changed in: apparmor/2.9 Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs,

[Bug 1540562] Re: aa-genprof crashes in logparser NoneType has no "replace"

2017-01-10 Thread Christian Boltz
** Changed in: apparmor Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1540562 Title: aa-genprof crashes in logparser NoneType has no "replace" To

[Bug 1507469] Re: Evince's Apparmour profile prevents opening docs from other apps under Wayland

2017-01-10 Thread Christian Boltz
** Changed in: apparmor Status: Fix Committed => Fix Released ** Changed in: apparmor/2.10 Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1507469

[Bug 1546455] Re: Many instances of 'apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=15139 comm="ntpd" family="unspec" sock_type="dgram" protocol=0' in syslog

2017-01-10 Thread Christian Boltz
Fixed in AppArmor 2.11, 2.10.2 and 2.9.4 ** Changed in: apparmor Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1546455 Title: Many instances of

[Bug 1569316] Re: Log flooded with run/dbus/system_bus_socket wr denied

2017-01-10 Thread Christian Boltz
** Changed in: apparmor Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1569316 Title: Log flooded with run/dbus/system_bus_socket wr denied To manage

[Bug 1582374] Re: Log contains unknown mode senw

2017-01-10 Thread Christian Boltz
** Changed in: apparmor Status: Fix Committed => Fix Released ** Changed in: apparmor/2.10 Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1582374

[Bug 1577051] Re: aa-logprof fails with unknown mode "reweive"

2017-01-10 Thread Christian Boltz
** Changed in: apparmor Status: Fix Committed => Fix Released ** Changed in: apparmor/2.10 Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1577051

[Bug 1566944] Re: dnsmasq profile prevents LXD container to launch

2017-01-10 Thread Christian Boltz
** Changed in: apparmor Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1566944 Title: dnsmasq profile prevents LXD container to launch To manage

[Bug 1604872] Re: Apps can't connect to the user's session bus, even though it exists

2017-01-10 Thread Christian Boltz
Fixed in AppArmor 2.11 ** Changed in: apparmor Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1604872 Title: Apps can't connect to the user's session

[Bug 1634199] Re: In 16.10, LXD won't work with enforced dsnmasq profile

2017-01-10 Thread Christian Boltz
** Changed in: apparmor Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1634199 Title: In 16.10, LXD won't work with enforced dsnmasq profile To manage

[Bug 1480492] Re: aa-status in apparmor-2.10 depends on python3-apparmor

2017-01-10 Thread Christian Boltz
** Changed in: apparmor Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1480492 Title: aa-status in apparmor-2.10 depends on python3-apparmor To manage

[Bug 1588069] Re: parser doesn't catch conflicting change_profile exec modes (safe/unsafe)

2017-01-10 Thread Christian Boltz
Fixed in AppArmor 2.11 ** Changed in: apparmor Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1588069 Title: parser doesn't catch conflicting

[Bug 1528139] Re: serialize_profile_from_old_profile() crash if file contains multiple profiles

2017-01-10 Thread Christian Boltz
** Changed in: apparmor Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1528139 Title: serialize_profile_from_old_profile() crash if file contains

[Bug 1584069] Re: change_profile rules need a modifier to allow non-secureexec transitions

2017-01-10 Thread Christian Boltz
Fixed in AppArmor 2.11. ** Changed in: apparmor Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1584069 Title: change_profile rules need a modifier to

[Bug 1507469] Re: Evince's Apparmour profile prevents opening docs from other apps under Wayland

2017-01-08 Thread Christian Boltz
** Also affects: apparmor/2.10 Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1507469 Title: Evince's Apparmour profile prevents opening docs from other

[Bug 1507469] Re: Evince's Apparmour profile prevents opening docs from other apps under Wayland

2017-01-08 Thread Christian Boltz
** Changed in: apparmor/2.10 Milestone: None => 2.10.2 ** Changed in: apparmor/2.10 Status: New => Fix Committed ** Changed in: apparmor Status: New => Fix Committed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
