This bug was fixed in the package apparmor - 4.0.0-beta3-0ubuntu2
---
apparmor (4.0.0-beta3-0ubuntu2) noble; urgency=medium
* d/apparmor.install
- install new profiles
- geary
- goldendict
- kchmviewer
- loupe
- notepadqq
- pageedit
-
FYI the fix and a related cleanup are merged into upstream apparmor and
I'd expect the next upload to Ubuntu to then fix this issue.
@Martin
Thanks for the extra info for completeness, I assume we might find even more if
we spend more time (but that would provide no extra gain).
@John
Up to you
Yes, will do. I added both references you provided to the upstream merge
commit and all fixes/closes references will be going into the changelog.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2056739
** Changed in: chrony (Ubuntu)
Status: New => Won't Fix
** Changed in: gnutls28 (Ubuntu)
Status: New => Won't Fix
** Changed in: libvirt (Ubuntu)
Status: New => Won't Fix
--
FYI - submitted as https://gitlab.com/apparmor/apparmor/-/merge_requests/1178
@John if merged, would you mind adding a bug-ref to the Ubuntu upload changelog
so this bug 2056739 closes?
Given that there seems to be some agreement to fix this in apparmor,
I'll set the other tasks to "Won't Fix"
** Merge proposal linked:
https://code.launchpad.net/~paelzer/ubuntu/+source/apparmor/+git/apparmor/+merge/462142
--
Title:
apparmor="DENIED"
Hey,
I think everything in the gnutls/ directory should be allowed: there can
be profiles with arbitrary names (or at least alnum I guess) which
define priority/configuration strings that can be used by gnutls
applications. I'm not aware of anything else that typically goes there
but I haven't
Suggestion would be something like:
--- /etc/apparmor.d/abstractions/crypto.orig2024-03-11 11:05:24.027597234
+
+++ /etc/apparmor.d/abstractions/crypto 2024-03-11 11:06:12.035895701 +
@@ -24,4 +24,7 @@
/etc/crypto-policies/*/*.txt r,
/usr/share/crypto-policies/*/*.txt r,
+ #
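Review bot: the rule added below the two crypto-policies lines should grant only `r`, matching `/etc/crypto-policies/*/*.txt r,` and `/usr/share/crypto-policies/*/*.txt r,`, and its comment (the line starting `+ #`) should state why a whole directory is opened rather than a fixed file name. As shown, the hunk stops at the comment opener although `@@ -24,4 +24,7 @@` declares three added lines, so the path glob itself cannot be checked from this message.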
There is precedence in /etc/apparmor.d/abstractions/base holding various rules
like these
$ grep etc_ro /etc/apparmor.d/abstractions/base
@{etc_ro}/locale/** r,
@{etc_ro}/locale.alias r,
@{etc_ro}/localtime r,
@{etc_ro}/bindresvport.blacklist r,
** Description changed:
+ Christian summarizes this after the great reports by Martin:
+
+ gnutls started to ship forceful disables in pkg/import/3.8.1-4ubuntu3
+ and added more later.
+
+ Due to that anything linked against gnutls while being apparmor isolated
+ now hits similar denials,
Hi Martin,
as always thanks for your post FF testing and reports.
Thank you for also filing bug 2056747 - it starts to show that this is a
generic thing which probably anything linked against gnutls and being
confined will hit.
reverse-depends --release=noble --build-depends libgnutls28-dev | wc
11 matches