Your message dated Thu, 12 Dec 2019 00:34:13 +0000
with message-id <[email protected]>
and subject line Bug#945909: fixed in man-db 2.9.0-2
has caused the Debian Bug report #945909,
regarding man-db: When outputting 'ps' output from man, apparmor logs an error
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
945909: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945909
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: man-db
Version: 2.8.5-2
Severity: normal
Tags: patch

Dear Maintainer,

When outputting 'ps' output from man, e.g., 'man -Tps bash', an AppArmor log
error is generated when reading /etc/papersize.  The log error line shown by
dmesg is:

   [1033342.844116] audit: type=1400 audit(1575057625.770:30): apparmor="DENIED" operation="open" profile="man_groff" name="/etc/papersize" pid=19233 comm="troff" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

The fix is to add this line to /etc/apparmor.d/usr.bin.man:

        profile man_groff {
          ...
          /etc/papersize r,
        }

This avoids the error message and allows 'man' to read the file properly.

-- System Information:
Debian Release: 10.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/16 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages man-db depends on:
ii  bsdmainutils           11.1.2+b1
ii  debconf [debconf-2.0]  1.5.71
ii  dpkg                   1.19.7
ii  groff-base             1.22.4-3
ii  libc6                  2.28-10
ii  libgdbm6               1.18.1-4
ii  libpipeline1           1.5.1-2
ii  libseccomp2            2.3.3-4
ii  zlib1g                 1:1.2.11.dfsg-1

man-db recommends no packages.

Versions of packages man-db suggests:
ii  apparmor                   2.13.2-10
ii  firefox-esr [www-browser]  68.2.0esr-1~deb10u1
ii  groff                      1.22.4-3
ii  less                       487-0.1+b1
ii  lynx [www-browser]         2.8.9rel.1-3
ii  w3m [www-browser]          0.5.3-37

-- Configuration Files:
/etc/apparmor.d/usr.bin.man changed:
/usr/bin/man {
  #include <abstractions/base>
  # Use a special profile when man calls anything groff-related.  We only
  # include the programs that actually parse input data in a non-trivial
  # way, not wrappers such as groff and nroff, since the latter would need a
  # broader profile.
  /usr/bin/eqn rmCx -> &man_groff,
  /usr/bin/grap rmCx -> &man_groff,
  /usr/bin/pic rmCx -> &man_groff,
  /usr/bin/preconv rmCx -> &man_groff,
  /usr/bin/refer rmCx -> &man_groff,
  /usr/bin/tbl rmCx -> &man_groff,
  /usr/bin/troff rmCx -> &man_groff,
  /usr/bin/vgrind rmCx -> &man_groff,
  # Similarly, use a special profile when man calls decompressors and other
  # simple filters.
  /{,usr/}bin/bzip2 rmCx -> &man_filter,
  /{,usr/}bin/gzip rmCx -> &man_filter,
  /usr/bin/col rmCx -> &man_filter,
  /usr/bin/compress rmCx -> &man_filter,
  /usr/bin/iconv rmCx -> &man_filter,
  /usr/bin/lzip.lzip rmCx -> &man_filter,
  /usr/bin/tr rmCx -> &man_filter,
  /usr/bin/xz rmCx -> &man_filter,
  # Allow basically anything in terms of file system access, subject to DAC.
  # The purpose of this profile isn't to confine man itself (that might be
  # nice in the future, but is tricky since it's quite configurable), but to
  # confine the processes it calls that parse untrusted data.
  /** mrixwlk,
  unix,
  capability setuid,
  capability setgid,
  signal peer=@{profile_name},
  signal peer=/usr/bin/man//&man_groff,
  signal peer=/usr/bin/man//&man_filter,
  # Site-specific additions and overrides.  See local/README for details.
  #include <local/usr.bin.man>
}
profile man_groff {
  #include <abstractions/base>
  # Recent kernels revalidate open FDs, and there are often some still
  # open on TTYs.  This is temporary until man learns to close irrelevant
  # open FDs before execve.
  #include <abstractions/consoles>
  # man always runs its groff pipeline with the input file open on stdin,
  # so we can skip <abstractions/user-manpages>.
  /usr/bin/eqn rm,
  /usr/bin/grap rm,
  /usr/bin/pic rm,
  /usr/bin/preconv rm,
  /usr/bin/refer rm,
  /usr/bin/tbl rm,
  /usr/bin/troff rm,
  /usr/bin/vgrind rm,
  /etc/groff/** r,
  /usr/lib/groff/site-tmac/** r,
  /usr/share/groff/** r,
  signal peer=/usr/bin/man,
  # @{profile_name} doesn't seem to work here.
  signal peer=/usr/bin/man//&man_groff,
  #include <local/usr.bin.man_groff>
}
profile man_filter {
  #include <abstractions/base>
  # Recent kernels revalidate open FDs, and there are often some still
  # open on TTYs.  This is temporary until man learns to close irrelevant
  # open FDs before execve.
  #include <abstractions/consoles>
  /{,usr/}bin/bzip2 rm,
  /{,usr/}bin/gzip rm,
  /usr/bin/col rm,
  /usr/bin/compress rm,
  /usr/bin/iconv rm,
  /usr/bin/lzip.lzip rm,
  /usr/bin/tr rm,
  /usr/bin/xz rm,
  # Manual pages can be more or less anywhere, especially with "man -l", and
  # there's no harm in allowing wide read access here since the worst it can
  # do is feed data to the invoking man process.
  /** r,
  signal peer=/usr/bin/man,
  # @{profile_name} doesn't seem to work here.
  signal peer=/usr/bin/man//&man_filter,
}

/etc/manpath.config changed:
MANDATORY_MANPATH                       /usr/man
MANDATORY_MANPATH                       /usr/share/man
MANDATORY_MANPATH                       /usr/local/share/man
MANPATH_MAP     /bin                    /usr/share/man
MANPATH_MAP     /usr/bin                /usr/share/man
MANPATH_MAP     /sbin                   /usr/share/man
MANPATH_MAP     /usr/sbin               /usr/share/man
MANPATH_MAP     /usr/local/bin          /usr/local/man
MANPATH_MAP     /usr/local/bin          /usr/local/share/man
MANPATH_MAP     /usr/local/sbin         /usr/local/man
MANPATH_MAP     /usr/local/sbin         /usr/local/share/man
MANPATH_MAP     /usr/X11R6/bin          /usr/X11R6/man
MANPATH_MAP     /usr/bin/X11            /usr/X11R6/man
MANPATH_MAP     /usr/games              /usr/share/man
MANPATH_MAP     /opt/bin                /opt/man
MANPATH_MAP     /opt/sbin               /opt/man
MANPATH_MAP     /usr/local/pgsql/bin    /u/postgres/man
MANDB_MAP       /usr/man                /var/cache/man/fsstnd
MANDB_MAP       /usr/share/man          /var/cache/man
MANDB_MAP       /usr/local/man          /var/cache/man/oldlocal
MANDB_MAP       /usr/local/share/man    /var/cache/man/local
MANDB_MAP       /usr/X11R6/man          /var/cache/man/X11R6
MANDB_MAP       /opt/man                /var/cache/man/opt
SECTION         1 n l 8 3 2 3posix 3pm 3perl 3am 5 4 9 6 7


-- debconf information:
  man-db/auto-update: true
  man-db/install-setuid: false

--- End Message ---
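
The denial quoted in the report maps directly onto the rule proposed as the fix. As an added example (not part of the original report or of man-db), the following Python parses AppArmor audit records and derives the per-profile file rule for each denial; the function names and the second, ALLOWED log line are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input: the denial quoted in the report, plus one
# made-up ALLOWED record that must not produce a rule.
SAMPLE_LOG = '''\
[1033342.844116] audit: type=1400 audit(1575057625.770:30): apparmor="DENIED" operation="open" profile="man_groff" name="/etc/papersize" pid=19233 comm="troff" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[1033343.000000] audit: type=1400 audit(1575057626.000:31): apparmor="ALLOWED" operation="open" profile="man_filter" name="/tmp/x" pid=19234 comm="gzip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Permission letters copied verbatim into a rule. Exec (x) needs a transition
# qualifier, so masks containing it or other letters are left for manual review.
FILE_PERMS = set("rwaklm")


def parse_audit_line(line):
    """Return the key=value fields of an AppArmor audit record, or None."""
    if "apparmor=" not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def suggest_rules(log_text):
    """Map profile name -> sorted file rules covering each DENIED record."""
    perms = defaultdict(set)  # (profile, path) -> denied permission letters
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if not rec or rec.get("apparmor") != "DENIED":
            continue
        profile = rec.get("profile")
        path, mask = rec.get("name", ""), rec.get("denied_mask", "")
        # Hex-encoded names and non-file denials have no leading "/": skip them.
        if not (profile and path.startswith("/") and mask and set(mask) <= FILE_PERMS):
            continue
        perms[(profile, path)] |= set(mask)
    rules = defaultdict(list)
    for (profile, path), letters in sorted(perms.items()):
        rules[profile].append(f"{path} {''.join(sorted(letters))},")
    return dict(rules)


if __name__ == "__main__":
    for profile, lines in suggest_rules(SAMPLE_LOG).items():
        print(f"profile {profile}:")
        for rule in lines:
            print(f"  {rule}")
```

Because the man_groff profile shown in the report ends with `#include <local/usr.bin.man_groff>`, the resulting rule can be placed in `/etc/apparmor.d/local/usr.bin.man_groff` on a system that does not yet have the fixed package, leaving the packaged profile unmodified.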
--- Begin Message ---
Source: man-db
Source-Version: 2.9.0-2

We believe that the bug you reported is fixed in the latest version of
man-db, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <[email protected]> (supplier of updated man-db package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 12 Dec 2019 00:22:16 +0000
Source: man-db
Architecture: source
Version: 2.9.0-2
Distribution: unstable
Urgency: medium
Maintainer: Colin Watson <[email protected]>
Changed-By: Colin Watson <[email protected]>
Closes: 945909
Changes:
 man-db (2.9.0-2) unstable; urgency=medium
 .
   * AppArmor: Allow groff to read /etc/papersize (thanks, Bruce Momjian;
     closes: #945909).

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
