Bug#898446: Please reconsider enabling the user namespaces by default

2020-04-15 Thread Ben Hutchings
On Wed, 2020-04-15 at 08:32 +0100, Simon McVittie wrote:
> On Wed, 15 Apr 2020 at 02:52:11 +0100, Ben Hutchings wrote:
> > I think you've made a good case that user namespaces are likely to be a
> > net positive for security on Debian desktop systems.
> > 
> > This might not be true yet for servers that aren't container hosts.
> 
> Perhaps Debian's kernel should continue to disable unprivileged creation
> of user namespaces for now, but we should have a package that installs
> a /etc/sysctl.d/*.conf fragment that will enable them, and packages
> that benefit from them (bubblewrap, web browsers, sbuild) should have
> a Depends or Recommends on that package instead of shipping a setuid-root
> namespace-creation helper?
[...]

But if users install, say, Chrome or Docker from upstream, it won't
know how to do this Debian magic.

Also, I don't think we should keep patching in
kernel.unprivileged_userns_clone forever, so the documented way to
disable user namespaces should be setting user.max_user_namespaces to
0.  But then there's no good way to have a drop-in file that changes
back to the upstream default, because that's dependent on system memory
size.

So I think we should do something like this:

* Document user.max_user_namespaces in procps's shipped
  /etc/sysctl.conf
* Set kernel.unprivileged_userns_clone to 1 by default, and deprecate
  it (log a warning if it's changed)
* Document the change in bullseye release notes

Ben.

-- 
Ben Hutchings
Always try to do things in chronological order;
it's less confusing that way.





Bug#956661: marked as done (/usr/sbin/update-initramfs: update-initramfs hangs forever when trying to update)

2020-04-15 Thread Debian Bug Tracking System
Your message dated Thu, 16 Apr 2020 02:14:16 +0100
with message-id 
and subject line Re: Bug#956661: PEBKAC
has caused the Debian Bug report #956661,
regarding /usr/sbin/update-initramfs: update-initramfs hangs forever when 
trying to update
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
956661: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956661
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: initramfs-tools
Version: 0.136
Severity: grave
File: /usr/sbin/update-initramfs
Justification: renders package unusable

Dear Maintainer,

Not much to report. Update-initramfs hangs forever when trying to create a new
file or update a current one.
This happened after this afternoon's update on Debian Sid. It's pretty much
useless now.





-- Package-specific info:
-- initramfs sizes
-rw-r--r-- 1 root root 54M Apr  8 09:23 /boot/initrd.img-5.4.0-4-amd64
-rw-r--r-- 1 root root   0 Apr 13 19:51 /boot/initrd.img-5.4.0-4-amd64.new
-rw-r--r-- 2 root root 55M Apr 11 09:32 /boot/initrd.img-5.5.0-1-amd64
-rw-r--r-- 2 root root 55M Apr 11 09:32 /boot/initrd.img-5.5.0-1-amd64.dpkg-bak
-rw-r--r-- 1 root root   0 Apr 13 19:40 /boot/initrd.img-5.5.0-1-amd64.new
-- /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-5.5.0-1-amd64 
root=UUID=9b4d766e-de76-49fc-9af2-c4fbf52b2c4a ro apparmor=0

-- /proc/filesystems
ext3
ext2
ext4
fuseblk

-- lsmod

Processed: forcibly merging 956703 956857

2020-04-15 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> forcemerge 956703 956857
Bug #956703 [src:linux] linux-image-5.5: 5.5 kernel seems to break pulseaudio 
HDMI detection
Bug #956857 [src:linux] linux-image-5.5.0-1-amd64: 5.5 kernel seems to break 
pulseaudio HDMI detection
Merged 956703 956857
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
956703: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956703
956857: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956857
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#956703: linux-image-5.5: 5.5 kernel seems to break pulseaudio HDMI detection

2020-04-15 Thread Noah Meyerhans
On Tue, Apr 14, 2020 at 02:06:30PM +0100, Simon John wrote:
> Package: src:linux
> Version: 5.5.13-2
> 
> Booting into 5.5 on Sid gives me no audio out via HDMI.
> 

HDMI audio seems fixed for me with 5.5.17, recently uploaded to
unstable.  Is it better for you?



nfs-utils version

2020-04-15 Thread peylight
Hello guys,
I see the latest version of the nfs-utils source code (2.4.3) is so
far away from the Debian-packaged one (1.3.4).
What is the problem? Who knows why the package is not being brought up
to the latest version?
Thanks
Best Regards,
peylight



Bug#956661: PEBKAC

2020-04-15 Thread Frank McCormick
Sorry for this misleading report. The problem lay elsewhere and had no 
direct relationship to initramfs-tools.




Bug#797080: linux: Bug possibly replicated on a Panasonic CF-19

2020-04-15 Thread farrier
Followup-For: Bug #797080
Source: linux

Dear Maintainer,

Does this sound like the same bug? I also have a Panasonic Toughbook,
and it too has a nonfunctioning interface
/sys/class/backlight/panasonic
The differences are that I have a model CF-19 instead of a C2. My interface
/sys/class/backlight/intel_backlight does work, and I am able to quite
reliably reproduce the malfunction.

Outwardly, my experience has been quite different, but digging deeper, I
see similarities with the subject bug report. My backlight brightness
hotkeys and the GUI backlight controls worked fine until I upgraded to
Debian 10. The CF-19 has two sets of hotkeys. Regarding the GUI, I have
been testing mostly with xfce and its power manager applet. Unfortunately,
after upgrading to 10, neither the hotkeys nor the GUI have any effect on
backlight brightness. Digging deeper, there are two entries in
/sys/class/backlight: "intel_backlight" and "panasonic". Unfortunately,
"panasonic" is broken. Writing to
/sys/class/backlight/panasonic/brightness has no effect on the backlight
brightness. What I think is happening is that "panasonic" has been broken
for a long time. That was not obvious under Debian 9 because it uses
"intel_backlight", and in my case "intel_backlight" does work. I do not
know why Debian 10 switched to "panasonic", but I am guessing it is trying
to conform to the kernel documentation, which says interfaces of "type"
"platform" should be given higher precedence than ones of type "raw".

I did find a workaround. In the bootloader, add the kernel parameter
acpi_backlight=video
With that, the backlight hotkeys and GUI work again. Digging deeper, there
is a new entry in /sys/class/backlight, "acpi_video0". The entry
"panasonic" still doesn't work. What I think is happening is that
"acpi_video0" is of type "firmware", which has even higher precedence than
"platform". So, Debian 10 ignores "panasonic" and uses "acpi_video0" instead.

-- System Information:
Debian Release: 9.12
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-0.bpo.5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8),
LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
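The type precedence the report describes (firmware over platform over raw) and a write-then-read check for an interface that ignores writes, as an added example that is not code from the report or the kernel; the sysfs attribute names are real, the functions and the constructed test tree are this example's own.

```shell
#!/bin/sh
# Added example: pick the preferred /sys/class/backlight entry by "type"
# precedence (firmware > platform > raw, per sysfs-class-backlight), which is
# why a broken "panasonic" (platform) device wins over a working
# "intel_backlight" (raw) until acpi_backlight=video adds "acpi_video0"
# (firmware).  A constructed sysfs-like tree stands in for real hardware.

# type_rank TYPE: lower rank wins, following the documented precedence.
type_rank() {
    case "$1" in
        firmware) echo 0 ;;
        platform) echo 1 ;;
        raw)      echo 2 ;;
        *)        echo 9 ;;
    esac
}

# pick_backlight ROOT: print the name of the preferred interface under ROOT
# (normally /sys/class/backlight); prints nothing when none is present.
pick_backlight() {
    root=$1
    best=
    best_rank=99
    for dir in "$root"/*/; do
        [ -r "$dir/type" ] || continue
        name=${dir%/}
        name=${name##*/}
        rank=$(type_rank "$(cat "$dir/type")")
        if [ "$rank" -lt "$best_rank" ]; then
            best=$name
            best_rank=$rank
        fi
    done
    [ -n "$best" ] && echo "$best"
}

# backlight_responds ROOT NAME: write a value below max_brightness and check
# whether actual_brightness follows it, then restore the original value.
# Prints "yes" or "no".  On a real system the write needs root.
backlight_responds() {
    dir=$1/$2
    orig=$(cat "$dir/brightness")
    max=$(cat "$dir/max_brightness")
    target=$(( max / 2 ))
    if [ "$target" -eq "$orig" ]; then target=$(( max / 4 )); fi
    echo "$target" > "$dir/brightness"
    after=$(cat "$dir/actual_brightness")
    echo "$orig" > "$dir/brightness"
    if [ "$after" -eq "$target" ]; then echo yes; else echo no; fi
}

# make_fake_tree ROOT NAME TYPE WORKS: constructed sysfs-like entry for testing.
# With WORKS=no, actual_brightness is frozen at 0 like the broken "panasonic".
make_fake_tree() {
    d=$1/$2
    mkdir -p "$d"
    echo "$3" > "$d/type"
    echo 100 > "$d/max_brightness"
    echo 100 > "$d/brightness"
    if [ "$4" = yes ]; then
        ln -sf brightness "$d/actual_brightness"   # hardware follows writes
    else
        echo 0 > "$d/actual_brightness"            # hardware ignores writes
    fi
}

# Demo on a constructed tree reproducing the report's situation.
demo=$(mktemp -d)
make_fake_tree "$demo" intel_backlight raw yes
make_fake_tree "$demo" panasonic platform no
echo "default choice: $(pick_backlight "$demo")"
echo "panasonic responds: $(backlight_responds "$demo" panasonic)"
make_fake_tree "$demo" acpi_video0 firmware yes
echo "with acpi_backlight=video: $(pick_backlight "$demo")"
rm -rf "$demo"
```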



linux_5.5.17-1_source.changes is NEW

2020-04-15 Thread Debian FTP Masters

Processing of linux_5.5.17-1_source.changes

2020-04-15 Thread Debian FTP Masters
linux_5.5.17-1_source.changes uploaded successfully to localhost
along with the files:
  linux_5.5.17-1.dsc
  linux_5.5.17.orig.tar.xz
  linux_5.5.17-1.debian.tar.xz
  linux_5.5.17-1_source.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)



Bug#943687: HP USB Laser Mouse 1000 DPI

2020-04-15 Thread Adrian Immanuel Kieß
Dear Maintainer,

in addition to that, I want to tell which mouse I am exactly using. It
is this model from HP:

https://store.hp.com/us/en/pdp/hp-usb-1000dpi-laser-mouse

After boot, with the mouse connected to a USB hub, it is also not
connected, and one has to replug the mouse into the USB port of the USB
hub to make it work.

I am using Debian/testing. The problem arises even with the new Linux
kernel version 5.5 from Debian/testing.

Thank you very much in advance.

Sincerely,

Adrian

-- 
With many greetings from Leipzig, Germany.
Adrian Immanuel Kieß 

Gothaer Straße 34
D-04155 Leipzig

Administrator & programmer
Unix ∧ Perl ∧ Java ∧ LaTeX

 — < adr...@kiess.onl >




Bug#956802: linux-image-5.5.0-1-amd64: System fails to suspend due to a problem with the e1000e driver

2020-04-15 Thread Erik Tews
Package: src:linux
Version: 5.5.13-2
Severity: normal

I have a Thinkpad X1 Yoga 4th gen and it fails to suspend. In dmesg, I can see
some messages that look like the problem is related to the e1000e driver. My
laptop doesn't have a physical Ethernet port, but it can be added using an
adaptor or a docking station. At the time when I tried that, no Ethernet
adaptor was present.

Removing the kernel module with "rmmod e1000e" solves the issue, the laptop
suspends perfectly fine, but of course no wired networking is available. The
system worked fine with the latest 5.4 kernel from Debian, so I assume the
problem must have been introduced with the 5.4 to 5.5 upgrade.



-- Package-specific info:
** Version:
Linux version 5.5.0-1-amd64 (debian-kernel@lists.debian.org) (gcc version 9.3.0 
(Debian 9.3.0-8)) #1 SMP Debian 5.5.13-2 (2020-03-30)

** Command line:
BOOT_IMAGE=/vmlinuz-5.5.0-1-amd64 root=/dev/mapper/yogi-root ro quiet 
snd_hda_intel.dmic_detect=0

** Tainted: W (512)
 * kernel issued warning

** Kernel log:

Bug#956752: linux-image-rt-amd64: No access to EFI variables possible with rt kernels

2020-04-15 Thread David Müller
Package: linux-image-rt-amd64
Version: 4.19+105+deb10u3
Severity: important

Dear Maintainer,

Using the rt kernel packages (4.19.0-8-rt-amd64 or 5.4.0-0.bpo.4-rt-amd64), no
access to the EFI variables under /sys/firmware/efi/efivars is possible.
With the non-rt kernels, all is fine as shown below:

root@debian:~# uname -a
Linux debian 4.19.0-8-rt-amd64 #1 SMP PREEMPT RT Debian 4.19.98-1 (2020-01-26) 
x86_64 GNU/Linux
root@debian:~# ls -lR /sys/firmware/efi/
/sys/firmware/efi/:
total 0
-r--r--r-- 1 root root 4096 Apr 15 07:09 config_table
dr-xr-xr-x 2 root root0 Apr 15 07:09 efivars
-r--r--r-- 1 root root 4096 Apr 15 07:09 fw_platform_size
-r--r--r-- 1 root root 4096 Apr 15 07:09 fw_vendor
-r--r--r-- 1 root root 4096 Apr 15 07:09 runtime
-r 1 root root 4096 Apr 15 07:09 systab

/sys/firmware/efi/efivars:
total 0


root@debian:~# uname -a
Linux debian 5.4.0-0.bpo.4-rt-amd64 #1 SMP PREEMPT_RT Debian 5.4.19-1~bpo10+1 
(2020-03-09) x86_64 GNU/Linux
root@debian:~# ls -lR /sys/firmware/efi/
/sys/firmware/efi/:
total 0
-r--r--r-- 1 root root 4096 Apr 15 07:11 config_table
dr-xr-xr-x 2 root root0 Apr 15 07:10 efivars
-r--r--r-- 1 root root 4096 Apr 15 07:11 fw_platform_size
-r--r--r-- 1 root root 4096 Apr 15 07:11 fw_vendor
-r--r--r-- 1 root root 4096 Apr 15 07:11 runtime
-r 1 root root 4096 Apr 15 07:11 systab

/sys/firmware/efi/efivars:
total 0


root@debian:~# uname -a
Linux debian 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64 
GNU/Linux
root@debian:~# ls -lR /sys/firmware/efi/
/sys/firmware/efi/:
total 0
-r--r--r--  1 root root 4096 Apr 15 07:06 config_table
drwxr-xr-x  2 root root0 Apr 15 07:06 efivars
-r--r--r--  1 root root 4096 Apr 15 07:06 fw_platform_size
-r--r--r--  1 root root 4096 Apr 15 07:06 fw_vendor
-r--r--r--  1 root root 4096 Apr 15 07:06 runtime
drwxr-xr-x  7 root root0 Apr 15 07:06 runtime-map
-r  1 root root 4096 Apr 15 07:06 systab
drwxr-xr-x 83 root root0 Apr 15 07:06 vars

/sys/firmware/efi/efivars:
total 0
[listing of the individual EFI variables, truncated in the archive]

Bug#898446: Please reconsider enabling the user namespaces by default

2020-04-15 Thread Simon McVittie
On Wed, 15 Apr 2020 at 02:52:11 +0100, Ben Hutchings wrote:
> I think you've made a good case that user namespaces are likely to be a
> net positive for security on Debian desktop systems.
> 
> This might not be true yet for servers that aren't container hosts.

Perhaps Debian's kernel should continue to disable unprivileged creation
of user namespaces for now, but we should have a package that installs
a /etc/sysctl.d/*.conf fragment that will enable them, and packages
that benefit from them (bubblewrap, web browsers, sbuild) should have
a Depends or Recommends on that package instead of shipping a setuid-root
namespace-creation helper?

During the transition from "usually disabled" to "usually enabled", such
a package would also provide a useful way to document that the dependent
package won't work (optimally, or at all) without that feature.

I would prefer not to ship that file from src:bubblewrap, since bubblewrap
isn't the only user of that feature. Perhaps src:linux would be a better
home for it? And then it could go away (or be replaced by a Provides
from the kernel image) if/when a future kernel supports unprivileged
creation of user namespaces unconditionally.

smcv
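An audit of the two knobs discussed in this thread (Debian's kernel.unprivileged_userns_clone gate and upstream's user.max_user_namespaces limit), plus the kind of sysctl.d fragment such a package could ship, as an added example that is not code from the thread or from Debian; the sysctl names are real, while the decision logic, the unshare probe and the fragment's file name are this example's own.

```shell
#!/bin/sh
# Added example: classify a host's unprivileged user namespace policy from
# the Debian-specific gate and the upstream limit, confirm it empirically
# with unshare(1), and print the drop-in a package could install.

# read_sysctl NAME: value of a dotted sysctl from /proc/sys, or "absent" when
# the knob does not exist (unprivileged_userns_clone only exists on kernels
# carrying the Debian patch).
read_sysctl() {
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then
        cat "$path"
    else
        echo absent
    fi
}

# userns_state CLONE MAX: CLONE is kernel.unprivileged_userns_clone
# (0, 1 or absent); MAX is user.max_user_namespaces (a count or absent).
userns_state() {
    clone=$1
    max=$2
    # The Debian gate is checked first: 0 blocks unprivileged creation
    # regardless of the per-user limit.
    if [ "$clone" = 0 ]; then
        echo "disabled (kernel.unprivileged_userns_clone=0)"
    # Upstream limit: 0 disables creation for everyone, which is the
    # documented way once the Debian patch is gone.
    elif [ "$max" = 0 ]; then
        echo "disabled (user.max_user_namespaces=0)"
    elif [ "$max" = absent ]; then
        echo "unknown (user.max_user_namespaces missing)"
    else
        echo "enabled (user.max_user_namespaces=$max)"
    fi
}

# probe_userns: ask util-linux unshare(1) to create a user namespace and run
# true inside it; prints "yes" or "no".  Run as an ordinary user: root can
# still succeed where unprivileged users are blocked.
probe_userns() {
    if unshare --user true 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

# enable_fragment: the sysctl.d drop-in such a package could ship.  Only the
# Debian gate is set; user.max_user_namespaces is left alone because its
# upstream default depends on system memory and has no fixed value to restore.
enable_fragment() {
    cat <<'EOF'
# /etc/sysctl.d/10-unprivileged-userns.conf  (file name chosen for this example)
kernel.unprivileged_userns_clone = 1
EOF
}

# audit_host: report this host's policy and the result of the live probe.
audit_host() {
    clone=$(read_sysctl kernel.unprivileged_userns_clone)
    max=$(read_sysctl user.max_user_namespaces)
    echo "policy: $(userns_state "$clone" "$max")"
    echo "unshare --user works for this user: $(probe_userns)"
}

audit_host
```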