[Desktop-packages] [Bug 1293525] Re: add apparmor profile for transmission-gtk

2014-10-09 Thread Jamie Strandboge 
This should be submitted to the apparmor mailing list for inclusion in
the apparmor-profiles repository. See
http://wiki.apparmor.net/index.php/Profiles#How_to_contribute_AppArmor_profiles
for details.


** Changed in: apparmor (Ubuntu)
   Status: Confirmed => Incomplete

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to transmission in Ubuntu.
https://bugs.launchpad.net/bugs/1293525

Title:
  add apparmor profile for transmission-gtk

Status in “apparmor” package in Ubuntu:
  Incomplete
Status in “transmission” package in Ubuntu:
  Confirmed

Bug description:
  There should be an apparmor profile for transmission-gtk.  Attached is
  a draft for discussion.

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: apparmor-profiles 2.8.0-0ubuntu38
  ProcVersionSignature: Ubuntu 3.13.0-17.37-generic 3.13.6
  Uname: Linux 3.13.0-17-generic x86_64
  ApportVersion: 2.13.3-0ubuntu1
  Architecture: amd64
  CurrentDesktop: LXDE
  Date: Mon Mar 17 13:36:19 2014
  InstallationDate: Installed on 2014-03-07 (9 days ago)
  InstallationMedia: Lubuntu 14.04 "Trusty Tahr" - Alpha amd64+mac (20140307)
  PackageArchitecture: all
  ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-3.13.0-17-generic 
root=UUID=b44a2e83-f3f2-4e70-800d-04964b932c90 ro quiet splash
  SourcePackage: apparmor
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1293525/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1284507] Re: apparmor profile for libreoffice

2014-10-09 Thread Jamie Strandboge 
** Tags added: apparmor

** Tags added: policy

** No longer affects: apparmor (Ubuntu)

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to libreoffice in Ubuntu.
https://bugs.launchpad.net/bugs/1284507

Title:
  apparmor profile for libreoffice

Status in “libreoffice” package in Ubuntu:
  Triaged

Bug description:
  Support for apparmor profile for lo . Would be nice, if this was
  included under disabled until this receives wider testing.

  Why  -
  To limit the amount of damage from "virus" - 
  http://www.openoffice.org/press/statement-proof-of-concept-virus.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libreoffice/+bug/1284507/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1211380] Re: pulseaudio socket needs confined app restrictions

2014-10-08 Thread Jamie Strandboge 
Closing trusty task

** Changed in: pulseaudio (Ubuntu Trusty)
   Status: Confirmed => Won't Fix

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1211380

Title:
  pulseaudio socket needs confined app restrictions

Status in PulseAudio sound server:
  New
Status in “apparmor” package in Ubuntu:
  Fix Released
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  Fix Released
Status in “pulseaudio” package in Ubuntu:
  Confirmed
Status in “apparmor” source package in Saucy:
  Fix Released
Status in “apparmor-easyprof-ubuntu” source package in Saucy:
  Fix Released
Status in “pulseaudio” source package in Saucy:
  Won't Fix
Status in “apparmor” source package in Trusty:
  Fix Released
Status in “apparmor-easyprof-ubuntu” source package in Trusty:
  Fix Released
Status in “pulseaudio” source package in Trusty:
  Won't Fix

Bug description:
  Confined applications need access to the pulseaudio socket. Currently
  several sockets are available to apps, and some allow performing
  dangerous operations, such as loading a module from an arbitrary path.

  It also allows them to enumerate installed applications by listing
  clients.

  The Pulseaudio daemon should verify if an application is confined, and
  if so, restrict access to certain commands.

  If module loading cannot be disabled for confined applications,
  perhaps it could be modified to only load modules from trusted system
  locations.

To manage notifications about this bug go to:
https://bugs.launchpad.net/pulseaudio/+bug/1211380/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1208988] Re: AppArmor no longer mediates access to path-based AF_UNIX socket files

2014-10-08 Thread Jamie Strandboge 
Marking the apparmor task as 'fixed' since this is available in the
upstream beta tarballs.

** Changed in: apparmor
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1208988

Title:
  AppArmor no longer mediates access to path-based AF_UNIX socket files

Status in AppArmor Linux application security framework:
  Fix Released
Status in “apparmor” package in Ubuntu:
  Fix Released
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  Fix Released
Status in “firefox” package in Ubuntu:
  Fix Released
Status in “linux” package in Ubuntu:
  Fix Released
Status in “linux-grouper” package in Ubuntu:
  Fix Released
Status in “linux-maguro” package in Ubuntu:
  Fix Released
Status in “linux-mako” package in Ubuntu:
  Fix Released
Status in “linux-manta” package in Ubuntu:
  Fix Released
Status in “apparmor” source package in Saucy:
  Fix Released
Status in “apparmor-easyprof-ubuntu” source package in Saucy:
  Fix Released
Status in “firefox” source package in Saucy:
  Fix Released

Bug description:
  [Impact]

   * AppArmor removed unix domain socket mediation as part of the 2.4
  (karmic) rewrite to the security_path hooks so that it could be
  upstreamed into the main kernel. The result being apparmor no longer
  mediates access to AF_UNIX socket files. Or more specifically it does
  not mediation connections between sockets, creation of a socket within
  the filesystem is mediated

   * Confined applications can currently read from and write to any AF_UNIX
     socket files

   * Existing AppArmor profiles that contain file rules granting write access to
     AF_UNIX socket files are effectively being ignored

   * The move from the vfs hooks patches (old, out-of-tree) AppArmor and the 
security_path hooks
     apparmor incorporated into mainline in 2.6.36 were the cause of this 
regression.

     apparmor 2.4 (version in karmic) also removed other features are part of 
the rewrite to
     security_path hooks/upstreaming effort.

   * For Ubuntu, Karmic 9.10  and all newer, releases are affected.
     8.04 LTS used the vfs patches and was not affected.

  * Mediation of unix domain filesystem based sockets is needed for
  13.10 click apps confinement

  [Test Case]

   * Confining dbus-send and sending a message to the system bus is an easy
     manual testing method. Load a profile for dbus-send:

  $ cat << EOF | sudo apparmor_parser -r
  #include 

  /usr/bin/dbus-send {
    #include 
    /usr/bin/dbus-send r,
  #  /var/run/dbus/system_bus_socket rw,
  }
  EOF

   * Note that the system_bus_socket rule is commented out. Now, run dbus-send
     under strace and see if the connect() fails. Here's the unexpected output,
     taken from an Ubuntu Saucy system:

  $ strace -e connect -- \
   dbus-send --system --dest=org.freedesktop.DBus \
   /org/freedesktop/DBus org.freedesktop.DBus.ListNames
  connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/dbus/system_bus_socket"}, 
33) = 0
  +++ exited with 0 +++

   * Here's the expected output, taken from an 8.04 LTS system:

  $ strace -e connect -- \
   dbus-send --system --dest=org.freedesktop.DBus \
   /org/freedesktop/DBus org.freedesktop.DBus.ListNames
  connect(3, {sa_family=AF_FILE, path="/var/run/dbus/system_bus_socket"}, 33) = 
-1 EACCES (Permission denied)
  Failed to open connection to system message bus: Failed to connect to socket 
/var/run/dbus/system_bus_socket: Permission denied

   * Or, you can apply the AppArmor regression test suite patch attached to this
     bug and run the automated tests:

  $ cd tests/regression/apparmor
  $ make unix_fd_{server,client} unix_socket_file{,_client} >/dev/null
  $ sudo bash unix_fd_server.sh
  $ sudo bash unix_socket_file.sh

  [Regression Potential]

   * Profiles developed with affected kernels aren't likely to have the 
necessary
     rules because the proper LSM hook was not implemented in those kernels, so
     the policy writer didn't need to grant access to AF_UNIX socket files

   * The profiles shipped with AppArmor can, and will, be updated to grant 
access
     to AF_UNIX socket files, but local policy modifications cannot be addressed
     by upstream/distros. Once updated kernels begin enforcing mediation of
     AF_UNIX socket files, rules in local profiles may no longer be sufficient,
     resulting in new AppArmor denials for AF_UNIX socket files.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1208988/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1377239] Re: cups-pdf 2.6.1-9 not able to lookup domain user because apparmor profile

2014-10-06 Thread Jamie Strandboge 
Can you perform the above and confirm if it fixes it for you? Also, the 
cups-pdf policy has:
  #include 

and /etc/apparmor.d/abstractions/nameservice has:
  #include 

and /etc/apparmor.d/abstractions/winbind has:
  /var/{lib,run}/samba/winbindd_privileged/pipe rw,

did you set the path for to /run/samba/winbindd/pipe or are you using
Ubuntu defaults?

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1377239

Title:
  cups-pdf 2.6.1-9 not able to lookup domain user because apparmor
  profile

Status in “cups” package in Ubuntu:
  Incomplete

Bug description:
  I use cups-pdf for years now. But now it's no longer able to lookup
  users from domain.

  lookup user by getent passwd works fine.
  lookup user by wbinfo works fine.
  Login with domain user works fine.
  kinit username works, too.

  But cups-pdf with log level 7 tells: unknown user (admin)
  It's regardless of wether I use UserPrefix MYDOMAIN\ or leave it blank.
  Just the output of the log file differs to: unknown user (MYDOMAIN\admin)

  
  After long time of searching around in all log files I tried to set apparmor 
profile use.sbin.cupsd to complain mode.

  That fixes my problem.
  But what I have to change in apparmor profile to switch back to enforce mode?

  I don't get any logging by complain, enforce or audit mode in /var/log/syslog.
  It looks like getpwnam or another method used in cups-pdf.c is restricted by 
apparmor in Ubuntu 14.04.1 LTS.

  
  I use the default cups-pdf.conf and default usr.sbin.cupsd apparmor profile.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1377239/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1377239] Re: cups-pdf 2.6.1-9 not able to lookup domain user because apparmor profile

2014-10-06 Thread Jamie Strandboge 
Christian, yes, add this to your profile (in the cups-pdf section):
/run/samba/winbindd/pipe rw,

then do this:
$ sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.cupsd

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1377239

Title:
  cups-pdf 2.6.1-9 not able to lookup domain user because apparmor
  profile

Status in “cups” package in Ubuntu:
  Incomplete

Bug description:
  I use cups-pdf for years now. But now it's no longer able to lookup
  users from domain.

  lookup user by getent passwd works fine.
  lookup user by wbinfo works fine.
  Login with domain user works fine.
  kinit username works, too.

  But cups-pdf with log level 7 tells: unknown user (admin)
  It's regardless of wether I use UserPrefix MYDOMAIN\ or leave it blank.
  Just the output of the log file differs to: unknown user (MYDOMAIN\admin)

  
  After long time of searching around in all log files I tried to set apparmor 
profile use.sbin.cupsd to complain mode.

  That fixes my problem.
  But what I have to change in apparmor profile to switch back to enforce mode?

  I don't get any logging by complain, enforce or audit mode in /var/log/syslog.
  It looks like getpwnam or another method used in cups-pdf.c is restricted by 
apparmor in Ubuntu 14.04.1 LTS.

  
  I use the default cups-pdf.conf and default usr.sbin.cupsd apparmor profile.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1377239/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1377239] Re: cups-pdf 2.6.1-9 not able to lookup domain user because apparmor profile

2014-10-03 Thread Jamie Strandboge 
Can you paste the output of:
$ grep DEN /var/log/syslog

at the time of the denial?

** Package changed: cups-pdf (Ubuntu) => cups (Ubuntu)

** Changed in: cups (Ubuntu)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1377239

Title:
  cups-pdf 2.6.1-9 not able to lookup domain user because apparmor
  profile

Status in “cups” package in Ubuntu:
  Incomplete

Bug description:
  I use cups-pdf for years now. But now it's no longer able to lookup
  users from domain.

  lookup user by getent passwd works fine.
  lookup user by wbinfo works fine.
  Login with domain user works fine.
  kinit username works, too.

  But cups-pdf with log level 7 tells: unknown user (admin)
  It's regardless of wether I use UserPrefix MYDOMAIN\ or leave it blank.
  Just the output of the log file differs to: unknown user (MYDOMAIN\admin)

  
  After long time of searching around in all log files I tried to set apparmor 
profile use.sbin.cupsd to complain mode.

  That fixes my problem.
  But what I have to change in apparmor profile to switch back to enforce mode?

  I don't get any logging by complain, enforce or audit mode in /var/log/syslog.
  It looks like getpwnam or another method used in cups-pdf.c is restricted by 
apparmor in Ubuntu 14.04.1 LTS.

  
  I use the default cups-pdf.conf and default usr.sbin.cupsd apparmor profile.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1377239/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1376611] Re: AppArmor: cupsd not allowed to send signals to third_party

2014-10-02 Thread Jamie Strandboge 
Didier, sure. Actually, I already took a todo to do just this but wanted
to think about the fact that Debian doesn't support the signal rule and
how to best handle it before submitting.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1376611

Title:
  AppArmor: cupsd not allowed to send signals to third_party

Status in “cups” package in Ubuntu:
  In Progress

Bug description:
  The cups 1.7.5-3 AppArmor profile has this rule which seems to be ineffective:
signal (receive, send) peer=third_party,

  I get this denial log entry when (re)installing cups:
  audit: type=1400 audit(1412239287.417:110): apparmor="DENIED" 
operation="signal" profile="/usr/sbin/cupsd" pid=28964 comm="cupsd" 
requested_mask="send" denied_mask="send" signal=term 
peer="/usr/sbin/cupsd//third_party"

  Changing it to the absolute profile name seems to work:
signal (receive, send) peer=/usr/sbin/cupsd//third_party,

  I guess apparmor_parser can't distinguish between a profile named
  third_party and a subprofile named third_party.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1376611/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1358340] Re: [Indicators] Complete greeter profiles

2014-10-02 Thread Jamie Strandboge 
That sounds quite reasonable. Thanks for the update.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gsettings-ubuntu-touch-schemas in
Ubuntu.
https://bugs.launchpad.net/bugs/1358340

Title:
  [Indicators] Complete greeter profiles

Status in The Date and Time Indicator:
  Invalid
Status in The Messaging Menu:
  In Progress
Status in Sound Menu:
  In Progress
Status in Transfer Indicator:
  In Progress
Status in Ubuntu UX bugs:
  Fix Committed
Status in The Unity 8 shell:
  Fix Released
Status in “gsettings-ubuntu-touch-schemas” package in Ubuntu:
  Fix Released
Status in “indicator-datetime” package in Ubuntu:
  Invalid
Status in “indicator-messages” package in Ubuntu:
  In Progress
Status in “indicator-sound” package in Ubuntu:
  In Progress
Status in “indicator-transfer” package in Ubuntu:
  In Progress
Status in “ubuntu-system-settings” package in Ubuntu:
  Fix Released
Status in “unity8” package in Ubuntu:
  Fix Released
Status in “unity8” package in Ubuntu RTM:
  Fix Released

Bug description:
  A recent change in the interest of security removed access to the
  indicators when the phone is locked and the greeter is showing.

  This was an accentual change based on a misunderstanding

  There had been a plan to support media playback control via the sound
  indicator. Without this the user must unlock the phone in order to
  simply pause the music or change songs, etc.

  
  Desired resolution:

  - Revert the change that caused this issue

  - Add a switch to System Settings to enable security conscious user to
  switch off Launcher and Greeter access while the phone is locked.
  This setting should *always* be off by default.
  

To manage notifications about this bug go to:
https://bugs.launchpad.net/indicator-datetime/+bug/1358340/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1373070] Re: full fix for disconnected path (paths)

2014-10-02 Thread Jamie Strandboge 
** Changed in: cups (Ubuntu)
   Status: New => In Progress

** Changed in: cups (Ubuntu)
   Importance: Undecided => High

** Changed in: cups (Ubuntu)
 Assignee: (unassigned) => Jamie Strandboge (jdstrand)

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1373070

Title:
  full fix for disconnected path (paths)

Status in “cups” package in Ubuntu:
  In Progress
Status in “linux” package in Ubuntu:
  Triaged

Bug description:
  With the apparmor 3 RC1 upload, there is an incomplete bug fix for
  disconnected paths. This bug is to track that work.

  This denial may be related:
  Sep 23 10:10:50 localhost kernel: [40262.517799] audit: type=1400 
audit(1411485050.722:2862): apparmor="DENIED" operation="sendmsg" info="Failed 
name lookup - disconnected path" error=-13 profile="/usr/sbin/rsyslogd" 
name="dev/log" pid=7011 comm="logger" requested_mask="r" denied_mask="r" 
fsuid=0 ouid=0

  This is related to bug 1375410

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1373070/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1373070] Re: full fix for disconnected path (paths)

2014-10-02 Thread Jamie Strandboge 
I'm going to need to add attach_disconnected to the cups profile as a
temporary workaround. When this bug is fixed, we need to undo that.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1373070

Title:
  full fix for disconnected path (paths)

Status in “cups” package in Ubuntu:
  In Progress
Status in “linux” package in Ubuntu:
  Triaged

Bug description:
  With the apparmor 3 RC1 upload, there is an incomplete bug fix for
  disconnected paths. This bug is to track that work.

  This denial may be related:
  Sep 23 10:10:50 localhost kernel: [40262.517799] audit: type=1400 
audit(1411485050.722:2862): apparmor="DENIED" operation="sendmsg" info="Failed 
name lookup - disconnected path" error=-13 profile="/usr/sbin/rsyslogd" 
name="dev/log" pid=7011 comm="logger" requested_mask="r" denied_mask="r" 
fsuid=0 ouid=0

  This is related to bug 1375410

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1373070/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1367609] Re: AppArmor: Prevents connection to system dbus (disconnected path)

2014-10-02 Thread Jamie Strandboge 
*** This bug is a duplicate of bug 1373070 ***
https://bugs.launchpad.net/bugs/1373070

** This bug has been marked a duplicate of bug 1373070
   full fix for disconnected path (paths)

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1367609

Title:
  AppArmor: Prevents connection to system dbus (disconnected path)

Status in “cups” package in Ubuntu:
  New

Bug description:
  AppArmor seems to prevent cupsd from connecting to the system dbus:

  Sep 10 09:06:00 callisto kernel: audit: type=1400 audit(1410332760.203:112): 
apparmor="DENIED" operation="connect" info="Failed name lookup - disconnected 
path" error=-13 profile="/usr/sbin/cupsd" name="run/dbus/system_bus_socket" 
pid=3608 comm="cupsd" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
  Sep 10 09:06:31 callisto cupsd[3608]: process 3608: arguments to 
dbus_connection_unref() were incorrect, assertion "connection != NULL" failed 
in file ../../dbus/dbus-connection.c line 2794.
  Sep 10 09:06:31 callisto cupsd[3608]: This is normally a bug in some 
application using the D-Bus library.

  I got these errors since upgrading to utopic (Aug 22).
  Might be worth noting that I'm using systemd as init.

  Adding flags=(attach_disconnected) to the /usr/sbin/cupsd profile
  seems to fix this problem.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1367609/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1373070] Re: full fix for disconnected path (paths)

2014-10-02 Thread Jamie Strandboge 
Here is another:
Sep 10 09:06:00 callisto kernel: audit: type=1400 audit(1410332760.203:112): 
apparmor="DENIED" operation="connect" info="Failed name lookup - disconnected 
path" error=-13 profile="/usr/sbin/cupsd" name="run/dbus/system_bus_socket" 
pid=3608 comm="cupsd" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0

** Also affects: cups (Ubuntu)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1373070

Title:
  full fix for disconnected path (paths)

Status in “cups” package in Ubuntu:
  In Progress
Status in “linux” package in Ubuntu:
  Triaged

Bug description:
  With the apparmor 3 RC1 upload, there is an incomplete bug fix for
  disconnected paths. This bug is to track that work.

  This denial may be related:
  Sep 23 10:10:50 localhost kernel: [40262.517799] audit: type=1400 
audit(1411485050.722:2862): apparmor="DENIED" operation="sendmsg" info="Failed 
name lookup - disconnected path" error=-13 profile="/usr/sbin/rsyslogd" 
name="dev/log" pid=7011 comm="logger" requested_mask="r" denied_mask="r" 
fsuid=0 ouid=0

  This is related to bug 1375410

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1373070/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1376611] Re: AppArmor: cupsd not allowed to send signals to third_party

2014-10-02 Thread Jamie Strandboge 
Thanks for the report. I'll get this fixed soon.

** Changed in: cups (Ubuntu)
   Status: New => In Progress

** Changed in: cups (Ubuntu)
   Importance: Undecided => High

** Changed in: cups (Ubuntu)
 Assignee: (unassigned) => Jamie Strandboge (jdstrand)

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1376611

Title:
  AppArmor: cupsd not allowed to send signals to third_party

Status in “cups” package in Ubuntu:
  In Progress

Bug description:
  The cups 1.7.5-3 AppArmor profile has this rule which seems to be ineffective:
signal (receive, send) peer=third_party,

  I get this denial log entry when (re)installing cups:
  audit: type=1400 audit(1412239287.417:110): apparmor="DENIED" 
operation="signal" profile="/usr/sbin/cupsd" pid=28964 comm="cupsd" 
requested_mask="send" denied_mask="send" signal=term 
peer="/usr/sbin/cupsd//third_party"

  Changing it to the absolute profile name seems to work:
signal (receive, send) peer=/usr/sbin/cupsd//third_party,

  I guess apparmor_parser can't distinguish between a profile named
  third_party and a subprofile named third_party.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1376611/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1376411] Re: Firefox profile resulting in ptrace read denials

2014-10-01 Thread Jamie Strandboge 
** Tags added: apparmor

** Package changed: apparmor (Ubuntu) => firefox (Ubuntu)

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1376411

Title:
  Firefox profile resulting in ptrace read denials

Status in “firefox” package in Ubuntu:
  New

Bug description:
  The firefox profile on utopic is resulting in denials like

  [  351.414861] audit: type=1400 audit(1412190024.478:83):
  apparmor="DENIED" operation="ptrace" profile="firefox" pid=4505
  comm="firefox" requested_mask="read" denied_mask="read" peer="/usr/bin
  /mediascanner-service-2.0"

  [  351.414875] audit: type=1400 audit(1412190024.478:86):
  apparmor="DENIED" operation="ptrace" profile="firefox" pid=4505
  comm="firefox" requested_mask="read" denied_mask="read"
  peer="unconfined"

  
  This is most likely due to firefox scanning for information via /proc//

  which will result in a ptrace read permission request in the kernel

  atm I have locally added the rule*
  deny ptrace read peer=[^f][^i][^r][^e][^f][^o][^x],

  *my local firefox profile is patched to be named
  profile firefox /usr/lib/firefox/firefox{,*[^s][^h]} {

  instead of the default of using the attachment path as a name

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1376411/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1358340] Re: [Indicators] Complete greeter profiles

2014-09-30 Thread Jamie Strandboge 
"So I'm interpreting this as "Messages on Welcome Screen" is related to
the data being shown on the welcome screen. Where the messages and
notification settings is a Unity setting which just blocks the whole
panel."

I'm confused by this comment. The information presented in the
inforgraphics/welcome screen is considerably different than those in the
indicators as mentioned here: https://lists.launchpad.net/ubuntu-
phone/msg09966.html.

I'm very much hoping that these won't be grouped under a single
checkbox. Infographics by default seems fine since there is no specific
information that can be gleaned, but I recognize some people will want
to disable it. Indicators, particularly those for messaging, calendar
and connecting to networks via indicator-network, should be different.
Messaging and calendar should be configurable, but indicator-network
should not. (Please see aforementioned thread for context).

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gsettings-ubuntu-touch-schemas in
Ubuntu.
https://bugs.launchpad.net/bugs/1358340

Title:
  [Indicators] Complete greeter profiles

Status in The Date and Time Indicator:
  Confirmed
Status in The Messaging Menu:
  In Progress
Status in Sound Menu:
  Confirmed
Status in Transfer Indicator:
  Confirmed
Status in Ubuntu UX bugs:
  Fix Committed
Status in The Unity 8 shell:
  Fix Released
Status in “gsettings-ubuntu-touch-schemas” package in Ubuntu:
  Fix Released
Status in “indicator-datetime” package in Ubuntu:
  Confirmed
Status in “indicator-messages” package in Ubuntu:
  Confirmed
Status in “indicator-sound” package in Ubuntu:
  Confirmed
Status in “indicator-transfer” package in Ubuntu:
  Confirmed
Status in “ubuntu-system-settings” package in Ubuntu:
  Fix Released
Status in “unity8” package in Ubuntu:
  Fix Released
Status in “unity8” package in Ubuntu RTM:
  Fix Released

Bug description:
  A recent change in the interest of security removed access to the
  indicators when the phone is locked and the greeter is showing.

  This was an accentual change based on a misunderstanding

  There had been a plan to support media playback control via the sound
  indicator. Without this the user must unlock the phone in order to
  simply pause the music or change songs, etc.

  
  Desired resolution:

  - Revert the change that caused this issue

  - Add a switch to System Settings to enable security conscious user to
  switch off Launcher and Greeter access while the phone is locked.
  This setting should *always* be off by default.
  

To manage notifications about this bug go to:
https://bugs.launchpad.net/indicator-datetime/+bug/1358340/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1346868] Re: Canon MX310 printer hangs when printing LibreOffice Writer doc

2014-09-29 Thread Jamie Strandboge 
** Tags removed: apparmor

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1346868

Title:
  Canon MX310 printer hangs when printing LibreOffice Writer doc

Status in “cups” package in Ubuntu:
  Triaged

Bug description:
  New Linux user reports problem printing letters from Lenovo T60 with
  Linux Mint 17 (Qiana) on Canon MX310 printer using LibreOffice
  4.2.4.2.

  I've borrowed the printer and done a fresh install of Mint 17 and
  Ubuntu 14.04 and reproduced the problem on both systems.  A short
  letter prints to completion as far as the computer is concerned and is
  removed from the print queue.  The printer prints the full text but
  does not eject the page, and the display shows "PRINTING...".  The
  paper has to be manually pulled out of the printer and it has to be
  power cycled to resume normal operation.

  I will attach the document used.

  I've turned on the error log, but it's about 14MB, rather large to
  upload.

  I'll be returning the printer today, and travelling for perhaps a
  week, but after that I'm keen to resume investigation, though this is
  my first time with a printer problem so I'll be appreciating any
  guidance.

  In contrast, printing from Firefox and Gedit have not shown any
  problem.

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: cups 1.7.2-0ubuntu1.1
  ProcVersionSignature: Ubuntu 3.13.0-30.55-generic 3.13.11.2
  Uname: Linux 3.13.0-30-generic i686
  ApportVersion: 2.14.1-0ubuntu3.2
  Architecture: i386
  CurrentDesktop: Unity
  Date: Tue Jul 22 11:52:10 2014
  InstallationDate: Installed on 2014-07-14 (7 days ago)
  InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release i386 (20140417)
  Lpstat: device for MX310-series: 
usb://Canon/MX310%20series?serial=470CDE&interface=1
  MachineType: LENOVO 1706W5K
  Papersize: a4
  PccardctlIdent:
   Socket 0:
 no product info available
  PccardctlStatus:
   Socket 0:
 no card
  PpdFiles: MX310-series: Canon MX310 series - CUPS+Gutenprint v5.2.10-pre2
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.13.0-30-generic 
root=UUID=f88bfaa3-b8a8-4ec0-beaf-cf990a6066cc ro quiet splash
  SourcePackage: cups
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 04/21/2006
  dmi.bios.vendor: LENOVO
  dmi.bios.version: 7BET45WW (1.05 )
  dmi.board.name: 1706W5K
  dmi.board.vendor: LENOVO
  dmi.board.version: Not Available
  dmi.chassis.asset.tag: No Asset Information
  dmi.chassis.type: 10
  dmi.chassis.vendor: LENOVO
  dmi.chassis.version: Not Available
  dmi.modalias: 
dmi:bvnLENOVO:bvr7BET45WW(1.05):bd04/21/2006:svnLENOVO:pn1706W5K:pvrThinkPadX60:rvnLENOVO:rn1706W5K:rvrNotAvailable:cvnLENOVO:ct10:cvrNotAvailable:
  dmi.product.name: 1706W5K
  dmi.product.version: ThinkPad X60
  dmi.sys.vendor: LENOVO

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1346868/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1375249] Re: telepathy-ofono tries to open /proc/1728/fd/ and is DENIED access by apparmor

2014-09-29 Thread Jamie Strandboge 
Adding the rtm14 tag-- this needs to be fixed there and marking High as
I believe this could be performed as ota, but the issue needs to be
investigated (ie, I don't know if the dialer works properly when this
bug happens).

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to telepathy-mission-control-5 in Ubuntu.
https://bugs.launchpad.net/bugs/1375249

Title:
  telepathy-ofono tries to open /proc/1728/fd/ and is DENIED access by
  apparmor

Status in “telepathy-mission-control-5” package in Ubuntu:
  New

Bug description:
  I noticed quite a few occurences of these in my logs:

  hablet@ubuntu-phablet:/usr/share/ofono/scripts$ sudo dmesg  | grep -i ofo
  [sudo] password for phablet: 
  [   16.814527] type=1400 audit(1411984297.763:93): apparmor="DENIED" 
operation="open" profile="/usr/lib/telepathy/telepathy-ofono" 
name="/proc/1728/fd/" pid=1728 comm="telepathy-ofono" requested_mask="r" 
denied_mask="r" fsuid=32011 ouid=32011
  [   16.827926] type=1400 audit(1411984297.783:94): apparmor="DENIED" 
operation="exec" profile="/usr/lib/telepathy/telepathy-ofono" 
name="/usr/bin/pulseaudio" pid=1728 comm="telepathy-ofono" requested_mask="x" 
denied_mask="x" fsuid=32011 ouid=0
  [   16.843247] type=1400 audit(1411984297.793:95): apparmor="DENIED" 
operation="open" profile="/usr/lib/telepathy/telepathy-ofono" 
name="/proc/1729/fd/" pid=1729 comm="telepathy-ofono" requested_mask="r" 
denied_mask="r" fsuid=32011 ouid=32011
  [   16.865588] type=1400 audit(1411984297.813:96): apparmor="DENIED" 
operation="exec" profile="/usr/lib/telepathy/telepathy-ofono" 
name="/usr/bin/pulseaudio" pid=1729 comm="telepathy-ofono" requested_mask="x" 
denied_mask="x" fsuid=32011 ouid=0
  [   16.878315] type=1400 audit(1411984297.833:97): apparmor="DENIED" 
operation="open" profile="/usr/lib/telepathy/telepathy-ofono" 
name="/proc/1735/fd/" pid=1735 comm="telepathy-ofono" requested_mask="r" 
denied_mask="r" fsuid=32011 ouid=32011
  [   16.882130] type=1400 audit(1411984297.833:98): apparmor="DENIED" 
operation="exec" profile="/usr/lib/telepathy/telepathy-ofono" 
name="/usr/bin/pulseaudio" pid=1735 comm="telepathy-ofono" requested_mask="x" 
denied_mask="x" fsuid=32011 ouid=0

  Not sure how bad that is. But incidentally, I have not been able to
  get my new SIM to be recognized by the system.

  This is on an N4 running utopic, image #257

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/telepathy-mission-control-5/+bug/1375249/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1375249] Re: telepathy-ofono tries to open /proc/1728/fd/ and is DENIED access by apparmor

2014-09-29 Thread Jamie Strandboge 
telepathy-ofono is trying to start pulseaudio via a fork/exec for some
reason, but it should not be. I'm not comfortable letting telepathy-
ofono start pulseaudio because pulseaudio should be started by the
session, not by individual services. Seems like the upstart jobs need to
be adjusted so this doesn't happen.

** Tags added: apparmor rtm14

** Changed in: telepathy-mission-control-5 (Ubuntu)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to telepathy-mission-control-5 in Ubuntu.
https://bugs.launchpad.net/bugs/1375249

Title:
  telepathy-ofono tries to open /proc/1728/fd/ and is DENIED access by
  apparmor

Status in “telepathy-mission-control-5” package in Ubuntu:
  New

Bug description:
  I noticed quite a few occurences of these in my logs:

  hablet@ubuntu-phablet:/usr/share/ofono/scripts$ sudo dmesg  | grep -i ofo
  [sudo] password for phablet: 
  [   16.814527] type=1400 audit(1411984297.763:93): apparmor="DENIED" 
operation="open" profile="/usr/lib/telepathy/telepathy-ofono" 
name="/proc/1728/fd/" pid=1728 comm="telepathy-ofono" requested_mask="r" 
denied_mask="r" fsuid=32011 ouid=32011
  [   16.827926] type=1400 audit(1411984297.783:94): apparmor="DENIED" 
operation="exec" profile="/usr/lib/telepathy/telepathy-ofono" 
name="/usr/bin/pulseaudio" pid=1728 comm="telepathy-ofono" requested_mask="x" 
denied_mask="x" fsuid=32011 ouid=0
  [   16.843247] type=1400 audit(1411984297.793:95): apparmor="DENIED" 
operation="open" profile="/usr/lib/telepathy/telepathy-ofono" 
name="/proc/1729/fd/" pid=1729 comm="telepathy-ofono" requested_mask="r" 
denied_mask="r" fsuid=32011 ouid=32011
  [   16.865588] type=1400 audit(1411984297.813:96): apparmor="DENIED" 
operation="exec" profile="/usr/lib/telepathy/telepathy-ofono" 
name="/usr/bin/pulseaudio" pid=1729 comm="telepathy-ofono" requested_mask="x" 
denied_mask="x" fsuid=32011 ouid=0
  [   16.878315] type=1400 audit(1411984297.833:97): apparmor="DENIED" 
operation="open" profile="/usr/lib/telepathy/telepathy-ofono" 
name="/proc/1735/fd/" pid=1735 comm="telepathy-ofono" requested_mask="r" 
denied_mask="r" fsuid=32011 ouid=32011
  [   16.882130] type=1400 audit(1411984297.833:98): apparmor="DENIED" 
operation="exec" profile="/usr/lib/telepathy/telepathy-ofono" 
name="/usr/bin/pulseaudio" pid=1735 comm="telepathy-ofono" requested_mask="x" 
denied_mask="x" fsuid=32011 ouid=0

  Not sure how bad that is. But incidentally, I have not been able to
  get my new SIM to be recognized by the system.

  This is on an N4 running utopic, image #257

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/telepathy-mission-control-5/+bug/1375249/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1366380] Re: telepathy-mission-control is trying to open weird files on startup

2014-09-29 Thread Jamie Strandboge 
Thank you for using Ubuntu and filing a bug.

$ aa-decode 
2F6D656469612F53746F726167652F50726F66696C652F5562756E74752031342E30342F6C6F6F7374726F2F2E6C6F63616C2F73686172652F74656C6570617468792F6D697373696F6E2D636F6E74726F6C2F6163636F756E74732E636667
Decoded: /media/Storage/Profile/Ubuntu 
14.04/loostro/.local/share/telepathy/mission-control/accounts.cfg

Piotr, it looks like you have your HOME set to something non-standard.
Please see https://wiki.ubuntu.com/DebuggingApparmor#Adjusting_Tunables
for how to adjust your system to work with this.

** Changed in: telepathy-mission-control-5 (Ubuntu)
   Status: New => Invalid

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to telepathy-mission-control-5 in Ubuntu.
https://bugs.launchpad.net/bugs/1366380

Title:
  telepathy-mission-control is trying to open weird files on startup

Status in “telepathy-mission-control-5” package in Ubuntu:
  Invalid

Bug description:
  Upon startup I'm getting a notice that an error occured. When I check
  the syslog I see errors like:

  Sep  6 19:57:22 Earth kernel: [   86.045357] type=1400 
audit(1410026242.433:76): apparmor="DENIED" operation="open" 
profile="/usr/lib/telepathy/mission-control-5" 
name=2F6D656469612F53746F726167652F50726F66696C652F5562756E74752031342E30342F6C6F6F7374726F2F2E636F6E6669672F6C69626163636F756E74732D676C69622F6163636F756E74732E6462
 pid=3007 comm="mission-control" requested_mask="rw" denied_mask="rw" 
fsuid=1000 ouid=1000
  Sep  6 19:57:22 Earth kernel: [   86.045707] type=1400 
audit(1410026242.433:77): apparmor="DENIED" operation="open" 
profile="/usr/lib/telepathy/mission-control-5" 
name=2F6D656469612F53746F726167652F50726F66696C652F5562756E74752031342E30342F6C6F6F7374726F2F2E636F6E6669672F6C69626163636F756E74732D676C69622F6163636F756E74732E6462
 pid=3007 comm="mission-control" requested_mask="r" denied_mask="r" fsuid=1000 
ouid=1000
  Sep  6 19:57:22 Earth kernel: [   86.050493] type=1400 
audit(1410026242.437:78): apparmor="DENIED" operation="open" 
profile="/usr/lib/telepathy/mission-control-5" 
name=2F6D656469612F53746F726167652F50726F66696C652F5562756E74752031342E30342F6C6F6F7374726F2F2E636F6E6669672F64636F6E662F75736572
 pid=3007 comm="mission-control" requested_mask="r" denied_mask="r" fsuid=1000 
ouid=1000
  Sep  6 19:57:22 Earth kernel: [   86.108894] type=1400 
audit(1410026242.497:79): apparmor="DENIED" operation="open" 
profile="/usr/lib/telepathy/mission-control-5" 
name=2F6D656469612F53746F726167652F50726F66696C652F5562756E74752031342E30342F6C6F6F7374726F2F2E6C6F63616C2F73686172652F74656C6570617468792F6D697373696F6E2D636F6E74726F6C2F6163636F756E74732E636667
 pid=3007 comm="mission-control" requested_mask="r" denied_mask="r" fsuid=1000 
ouid=1000

  According to http://askubuntu.com/questions/410808/what-is-reason-for-
  apparmor-denied-operation-open, telepathy-mission-control-5 is trying
  to open a file it has no access to.

  However, the "name" part is completely rubbish. How can check what
  file telepathy is actually trying to open? How do I fix that?

  I am on Ubuntu 14.04 LTS.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/telepathy-mission-control-5/+bug/1366380/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1370930] Re: apparmor cups samba problem no printing

2014-09-24 Thread Jamie Strandboge 
** Changed in: cups (Ubuntu)
   Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1370930

Title:
  apparmor cups samba problem no printing

Status in “cups” package in Ubuntu:
  Fix Committed

Bug description:
  I configured a usb brother printer correctly (working) on ubuntu 14.04.1.
  Then I installed a samba server to share this printer on a windows network
  The samba printing from windows machines works correctly. The usb direct cups 
printing inform printing OK, jobs completed, but nothing prints. On syslog I 
see this apparmor DENIED messages:
  Sep 18 08:51:57 gabi-K55A kernel: [  844.181601] type=1400 
audit(1411023117.729:74): apparmor="DENIED" operation="open" 
profile="/usr/sbin/cupsd
  " name="/var/cache/samba/gencache.tdb" pid=3353 comm="smb" requested_mask="r" 
denied_mask="r" fsuid=7 ouid=0
  Sep 18 08:51:57 gabi-K55A kernel: [  844.181649] type=1400 
audit(1411023117.729:75): apparmor="DENIED" operation="open" 
profile="/usr/sbin/cupsd
  " name="/var/cache/samba/gencache.tdb" pid=3353 comm="smb" requested_mask="r" 
denied_mask="r" fsuid=7 ouid=0
  Sep 18 08:51:57 gabi-K55A kernel: [  844.182286] type=1400 
audit(1411023117.729:76): apparmor="DENIED" operation="open" 
profile="/usr/sbin/cupsd
  " name="/var/cache/samba/gencache.tdb" pid=3353 comm="smb" requested_mask="r" 
denied_mask="r" fsuid=7 ouid=0
  Sep 18 08:54:04 gabi-K55A kernel: [  971.394145] type=1400 
audit(1411023244.943:77): apparmor="DENIED" operation="signal" 
profile="/usr/sbin/cup
  sd" pid=2034 comm="cupsd" requested_mask="send" denied_mask="send" 
signal=term peer="unconfined"
  Sep 18 08:54:04 gabi-K55A kernel: [  971.394155] type=1400 
audit(1411023244.943:78): apparmor="DENIED" operation="signal" 
profile="/usr/sbin/cup
  sd" pid=2034 comm="cupsd" requested_mask="send" denied_mask="send" 
signal=term peer="unconfined"
  Sep 18 08:54:04 gabi-K55A kernel: [  971.394161] type=1400 
audit(1411023244.943:79): apparmor="DENIED" operation="signal" 
profile="/usr/sbin/cup
  sd" pid=2034 comm="cupsd" requested_mask="send" denied_mask="send" 
signal=term peer="unconfined"
  Sep 18 08:54:04 gabi-K55A kernel: [  971.394166] type=1400 
audit(1411023244.943:80): apparmor="DENIED" operation="signal" 
profile="/usr/sbin/cup
  sd" pid=2034 comm="cupsd" requested_mask="send" denied_mask="send" 
signal=term peer="unconfined"


  I install with apt-get last apparmor profiles, but I get this messages yet, 
with the same result (no printing):
  Sep 18 09:15:06 gabi-K55A kernel: [  100.620853] usblp0: removed
  Sep 18 09:15:06 gabi-K55A kernel: [  100.878155] usblp 1-4:1.0: usblp0: USB 
Bidirectional printer dev 3 if 0 alt 0 proto 2 vid 0x04F9 pid 0x0037
  Sep 18 09:16:39 gabi-K55A kernel: [  193.894732] type=1400 
audit(1411024599.437:117): apparmor="DENIED" operation="open" 
profile="/usr/sbin/cupsd" name="/var/cache/samba/gencache.tdb" pid=2384 
comm="smb" requested_mask="r" denied_mask="r" fsuid=7 ouid=0

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1370930/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1371097] Re: cupsd is not allowed to access /var/cache/samba/gencache.tdb by apparmor

2014-09-24 Thread Jamie Strandboge 
** Changed in: cups (Ubuntu)
   Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1371097

Title:
  cupsd is not allowed to access /var/cache/samba/gencache.tdb by
  apparmor

Status in “cups” package in Ubuntu:
  Fix Committed

Bug description:
  For some reason /usr/sbin/cupsd tries to access
  /var/cache/samba/gencache.tdb. I have a printer setup via samba so
  that may be the reason.

  The apparmor profile for cupsd does not allow this. I get this error
  in the logs:

   kernel: [284527.967015] type=1400 audit(1411040510.770:103):
  apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd"
  name="/var/cache/samba/gencache.tdb" pid=1722 comm="smb"
  requested_mask="r" denied_mask="r" fsuid=7 ouid=0

  A listing of the apparmor profile (/etc/apparmor.d/usr.sbin.cupsd) is here:
  http://pastebin.ubuntu.com/8372024/

  The file /etc/apparmor.d/usr.sbin.cupsd belongs to the cups-daemon
  package

  The system silently fails to print from GUI. The fanny part is that I
  printed something successfully the day I set the printer up
  (yesterday).

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: cups-daemon 1.7.2-0ubuntu1.2
  ProcVersionSignature: Ubuntu 3.13.0-35.62-generic 3.13.11.6
  Uname: Linux 3.13.0-35-generic x86_64
  NonfreeKernelModules: wl
  ApportVersion: 2.14.1-0ubuntu3.4
  Architecture: amd64
  CupsErrorLog:
   
  Date: Thu Sep 18 15:27:52 2014
  InstallationDate: Installed on 2014-09-01 (17 days ago)
  InstallationMedia: Ubuntu 14.04.1 LTS "Trusty Tahr" - Release amd64 
(20140722.2)
  Lpstat: device for SRB01PR001: smb://prs03ist00.lim.tepak.int/SRB01PR001
  MachineType: Apple Inc. MacPro5,1
  Papersize: a4
  PpdFiles: SRB01PR001: HP Color LaserJet CP3505 Postscript (recommended)
  ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-3.13.0-35-generic.efi.signed 
root=/dev/mapper/ubuntu--vg-root ro quiet splash vt.handoff=7
  SourcePackage: cups
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 10/07/10
  dmi.bios.vendor: Apple Inc.
  dmi.bios.version: MP51.88Z.007F.B03.1010071432
  dmi.board.asset.tag: 0
  dmi.board.name: Mac-F221BEC8
  dmi.board.vendor: Apple Inc.
  dmi.chassis.type: 7
  dmi.chassis.vendor: Apple Inc.
  dmi.chassis.version: Mac-F221BEC8
  dmi.modalias: 
dmi:bvnAppleInc.:bvrMP51.88Z.007F.B03.1010071432:bd10/07/10:svnAppleInc.:pnMacPro5,1:pvr0.0:rvnAppleInc.:rnMac-F221BEC8:rvr:cvnAppleInc.:ct7:cvrMac-F221BEC8:
  dmi.product.name: MacPro5,1
  dmi.product.version: 0.0
  dmi.sys.vendor: Apple Inc.
  modified.conffile..etc.default.cups:
   # Cups configure options
   
   # LOAD_LP_MODULE: enable/disable to load "lp" parallel printer driver module
   # LOAD_LP_MODULE has migrated to /etc/modules-load.d/cups-filters.conf
   # LOAD_LP_MODULE=yes
  mtime.conffile..etc.default.cups: 2014-07-23T01:20:18

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1371097/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1370930] Re: apparmor cups samba problem no printing

2014-09-24 Thread Jamie Strandboge 
Sorry, I meant the 'signal' rule instead of 'unix'.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1370930

Title:
  apparmor cups samba problem no printing

Status in “cups” package in Ubuntu:
  In Progress

Bug description:
  I configured a usb brother printer correctly (working) on ubuntu 14.04.1.
  Then I installed a samba server to share this printer on a windows network
  The samba printing from windows machines works correctly. The usb direct cups 
printing inform printing OK, jobs completed, but nothing prints. On syslog I 
see this apparmor DENIED messages:
  Sep 18 08:51:57 gabi-K55A kernel: [  844.181601] type=1400 
audit(1411023117.729:74): apparmor="DENIED" operation="open" 
profile="/usr/sbin/cupsd
  " name="/var/cache/samba/gencache.tdb" pid=3353 comm="smb" requested_mask="r" 
denied_mask="r" fsuid=7 ouid=0
  Sep 18 08:51:57 gabi-K55A kernel: [  844.181649] type=1400 
audit(1411023117.729:75): apparmor="DENIED" operation="open" 
profile="/usr/sbin/cupsd
  " name="/var/cache/samba/gencache.tdb" pid=3353 comm="smb" requested_mask="r" 
denied_mask="r" fsuid=7 ouid=0
  Sep 18 08:51:57 gabi-K55A kernel: [  844.182286] type=1400 
audit(1411023117.729:76): apparmor="DENIED" operation="open" 
profile="/usr/sbin/cupsd
  " name="/var/cache/samba/gencache.tdb" pid=3353 comm="smb" requested_mask="r" 
denied_mask="r" fsuid=7 ouid=0
  Sep 18 08:54:04 gabi-K55A kernel: [  971.394145] type=1400 
audit(1411023244.943:77): apparmor="DENIED" operation="signal" 
profile="/usr/sbin/cup
  sd" pid=2034 comm="cupsd" requested_mask="send" denied_mask="send" 
signal=term peer="unconfined"
  Sep 18 08:54:04 gabi-K55A kernel: [  971.394155] type=1400 
audit(1411023244.943:78): apparmor="DENIED" operation="signal" 
profile="/usr/sbin/cup
  sd" pid=2034 comm="cupsd" requested_mask="send" denied_mask="send" 
signal=term peer="unconfined"
  Sep 18 08:54:04 gabi-K55A kernel: [  971.394161] type=1400 
audit(1411023244.943:79): apparmor="DENIED" operation="signal" 
profile="/usr/sbin/cup
  sd" pid=2034 comm="cupsd" requested_mask="send" denied_mask="send" 
signal=term peer="unconfined"
  Sep 18 08:54:04 gabi-K55A kernel: [  971.394166] type=1400 
audit(1411023244.943:80): apparmor="DENIED" operation="signal" 
profile="/usr/sbin/cup
  sd" pid=2034 comm="cupsd" requested_mask="send" denied_mask="send" 
signal=term peer="unconfined"


  I install with apt-get last apparmor profiles, but I get this messages yet, 
with the same result (no printing):
  Sep 18 09:15:06 gabi-K55A kernel: [  100.620853] usblp0: removed
  Sep 18 09:15:06 gabi-K55A kernel: [  100.878155] usblp 1-4:1.0: usblp0: USB 
Bidirectional printer dev 3 if 0 alt 0 proto 2 vid 0x04F9 pid 0x0037
  Sep 18 09:16:39 gabi-K55A kernel: [  193.894732] type=1400 
audit(1411024599.437:117): apparmor="DENIED" operation="open" 
profile="/usr/sbin/cupsd" name="/var/cache/samba/gencache.tdb" pid=2384 
comm="smb" requested_mask="r" denied_mask="r" fsuid=7 ouid=0

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1370930/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1370930] Re: apparmor cups samba problem no printing

2014-09-24 Thread Jamie Strandboge 
I'm preparing an update for this now that implements the above. Note, I
do not have a third party printer so it is possible more fine tuning
will need to be done. Also note, the 'unix' rule will not work on
Debian-- it will need to be conditionally applied to Ubuntu until the
unix mediation is upstreamed and included in Debian.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1370930

Title:
  apparmor cups samba problem no printing

Status in “cups” package in Ubuntu:
  In Progress

Bug description:
  I configured a usb brother printer correctly (working) on ubuntu 14.04.1.
  Then I installed a samba server to share this printer on a windows network
  The samba printing from windows machines works correctly. The usb direct cups 
printing inform printing OK, jobs completed, but nothing prints. On syslog I 
see this apparmor DENIED messages:
  Sep 18 08:51:57 gabi-K55A kernel: [  844.181601] type=1400 
audit(1411023117.729:74): apparmor="DENIED" operation="open" 
profile="/usr/sbin/cupsd
  " name="/var/cache/samba/gencache.tdb" pid=3353 comm="smb" requested_mask="r" 
denied_mask="r" fsuid=7 ouid=0
  Sep 18 08:51:57 gabi-K55A kernel: [  844.181649] type=1400 
audit(1411023117.729:75): apparmor="DENIED" operation="open" 
profile="/usr/sbin/cupsd
  " name="/var/cache/samba/gencache.tdb" pid=3353 comm="smb" requested_mask="r" 
denied_mask="r" fsuid=7 ouid=0
  Sep 18 08:51:57 gabi-K55A kernel: [  844.182286] type=1400 
audit(1411023117.729:76): apparmor="DENIED" operation="open" 
profile="/usr/sbin/cupsd
  " name="/var/cache/samba/gencache.tdb" pid=3353 comm="smb" requested_mask="r" 
denied_mask="r" fsuid=7 ouid=0
  Sep 18 08:54:04 gabi-K55A kernel: [  971.394145] type=1400 
audit(1411023244.943:77): apparmor="DENIED" operation="signal" 
profile="/usr/sbin/cup
  sd" pid=2034 comm="cupsd" requested_mask="send" denied_mask="send" 
signal=term peer="unconfined"
  Sep 18 08:54:04 gabi-K55A kernel: [  971.394155] type=1400 
audit(1411023244.943:78): apparmor="DENIED" operation="signal" 
profile="/usr/sbin/cup
  sd" pid=2034 comm="cupsd" requested_mask="send" denied_mask="send" 
signal=term peer="unconfined"
  Sep 18 08:54:04 gabi-K55A kernel: [  971.394161] type=1400 
audit(1411023244.943:79): apparmor="DENIED" operation="signal" 
profile="/usr/sbin/cup
  sd" pid=2034 comm="cupsd" requested_mask="send" denied_mask="send" 
signal=term peer="unconfined"
  Sep 18 08:54:04 gabi-K55A kernel: [  971.394166] type=1400 
audit(1411023244.943:80): apparmor="DENIED" operation="signal" 
profile="/usr/sbin/cup
  sd" pid=2034 comm="cupsd" requested_mask="send" denied_mask="send" 
signal=term peer="unconfined"


  I install with apt-get last apparmor profiles, but I get this messages yet, 
with the same result (no printing):
  Sep 18 09:15:06 gabi-K55A kernel: [  100.620853] usblp0: removed
  Sep 18 09:15:06 gabi-K55A kernel: [  100.878155] usblp 1-4:1.0: usblp0: USB 
Bidirectional printer dev 3 if 0 alt 0 proto 2 vid 0x04F9 pid 0x0037
  Sep 18 09:16:39 gabi-K55A kernel: [  193.894732] type=1400 
audit(1411024599.437:117): apparmor="DENIED" operation="open" 
profile="/usr/sbin/cupsd" name="/var/cache/samba/gencache.tdb" pid=2384 
comm="smb" requested_mask="r" denied_mask="r" fsuid=7 ouid=0

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1370930/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1370930] Re: apparmor cups samba problem no printing

2014-09-24 Thread Jamie Strandboge 
Sigh, that's what I get for typing too fast. Debian does not support
dbus, signal, ptrace or unix rules -- all of these should be excluded in
Debian and included in Ubuntu.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1370930

Title:
  apparmor cups samba problem no printing

Status in “cups” package in Ubuntu:
  In Progress

Bug description:
  I configured a usb brother printer correctly (working) on ubuntu 14.04.1.
  Then I installed a samba server to share this printer on a windows network
  The samba printing from windows machines works correctly. The usb direct cups 
printing inform printing OK, jobs completed, but nothing prints. On syslog I 
see this apparmor DENIED messages:
  Sep 18 08:51:57 gabi-K55A kernel: [  844.181601] type=1400 
audit(1411023117.729:74): apparmor="DENIED" operation="open" 
profile="/usr/sbin/cupsd
  " name="/var/cache/samba/gencache.tdb" pid=3353 comm="smb" requested_mask="r" 
denied_mask="r" fsuid=7 ouid=0
  Sep 18 08:51:57 gabi-K55A kernel: [  844.181649] type=1400 
audit(1411023117.729:75): apparmor="DENIED" operation="open" 
profile="/usr/sbin/cupsd
  " name="/var/cache/samba/gencache.tdb" pid=3353 comm="smb" requested_mask="r" 
denied_mask="r" fsuid=7 ouid=0
  Sep 18 08:51:57 gabi-K55A kernel: [  844.182286] type=1400 
audit(1411023117.729:76): apparmor="DENIED" operation="open" 
profile="/usr/sbin/cupsd
  " name="/var/cache/samba/gencache.tdb" pid=3353 comm="smb" requested_mask="r" 
denied_mask="r" fsuid=7 ouid=0
  Sep 18 08:54:04 gabi-K55A kernel: [  971.394145] type=1400 
audit(1411023244.943:77): apparmor="DENIED" operation="signal" 
profile="/usr/sbin/cup
  sd" pid=2034 comm="cupsd" requested_mask="send" denied_mask="send" 
signal=term peer="unconfined"
  Sep 18 08:54:04 gabi-K55A kernel: [  971.394155] type=1400 
audit(1411023244.943:78): apparmor="DENIED" operation="signal" 
profile="/usr/sbin/cup
  sd" pid=2034 comm="cupsd" requested_mask="send" denied_mask="send" 
signal=term peer="unconfined"
  Sep 18 08:54:04 gabi-K55A kernel: [  971.394161] type=1400 
audit(1411023244.943:79): apparmor="DENIED" operation="signal" 
profile="/usr/sbin/cup
  sd" pid=2034 comm="cupsd" requested_mask="send" denied_mask="send" 
signal=term peer="unconfined"
  Sep 18 08:54:04 gabi-K55A kernel: [  971.394166] type=1400 
audit(1411023244.943:80): apparmor="DENIED" operation="signal" 
profile="/usr/sbin/cup
  sd" pid=2034 comm="cupsd" requested_mask="send" denied_mask="send" 
signal=term peer="unconfined"


  I install with apt-get last apparmor profiles, but I get this messages yet, 
with the same result (no printing):
  Sep 18 09:15:06 gabi-K55A kernel: [  100.620853] usblp0: removed
  Sep 18 09:15:06 gabi-K55A kernel: [  100.878155] usblp 1-4:1.0: usblp0: USB 
Bidirectional printer dev 3 if 0 alt 0 proto 2 vid 0x04F9 pid 0x0037
  Sep 18 09:16:39 gabi-K55A kernel: [  193.894732] type=1400 
audit(1411024599.437:117): apparmor="DENIED" operation="open" 
profile="/usr/sbin/cupsd" name="/var/cache/samba/gencache.tdb" pid=2384 
comm="smb" requested_mask="r" denied_mask="r" fsuid=7 ouid=0

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1370930/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1371097] Re: cupsd is not allowed to access /var/cache/samba/gencache.tdb by apparmor

2014-09-24 Thread Jamie Strandboge 
** Changed in: cups (Ubuntu)
 Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: cups (Ubuntu)
   Status: Triaged => In Progress

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1371097

Title:
  cupsd is not allowed to access /var/cache/samba/gencache.tdb by
  apparmor

Status in “cups” package in Ubuntu:
  In Progress

Bug description:
  For some reason /usr/sbin/cupsd tries to access
  /var/cache/samba/gencache.tdb. I have a printer setup via samba so
  that may be the reason.

  The apparmor profile for cupsd does not allow this. I get this error
  in the logs:

   kernel: [284527.967015] type=1400 audit(1411040510.770:103):
  apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd"
  name="/var/cache/samba/gencache.tdb" pid=1722 comm="smb"
  requested_mask="r" denied_mask="r" fsuid=7 ouid=0

  A listing of the apparmor profile (/etc/apparmor.d/usr.sbin.cupsd) is here:
  http://pastebin.ubuntu.com/8372024/

  The file /etc/apparmor.d/usr.sbin.cupsd belongs to the cups-daemon
  package

  The system silently fails to print from GUI. The fanny part is that I
  printed something successfully the day I set the printer up
  (yesterday).

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: cups-daemon 1.7.2-0ubuntu1.2
  ProcVersionSignature: Ubuntu 3.13.0-35.62-generic 3.13.11.6
  Uname: Linux 3.13.0-35-generic x86_64
  NonfreeKernelModules: wl
  ApportVersion: 2.14.1-0ubuntu3.4
  Architecture: amd64
  CupsErrorLog:
   
  Date: Thu Sep 18 15:27:52 2014
  InstallationDate: Installed on 2014-09-01 (17 days ago)
  InstallationMedia: Ubuntu 14.04.1 LTS "Trusty Tahr" - Release amd64 
(20140722.2)
  Lpstat: device for SRB01PR001: smb://prs03ist00.lim.tepak.int/SRB01PR001
  MachineType: Apple Inc. MacPro5,1
  Papersize: a4
  PpdFiles: SRB01PR001: HP Color LaserJet CP3505 Postscript (recommended)
  ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-3.13.0-35-generic.efi.signed 
root=/dev/mapper/ubuntu--vg-root ro quiet splash vt.handoff=7
  SourcePackage: cups
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 10/07/10
  dmi.bios.vendor: Apple Inc.
  dmi.bios.version: MP51.88Z.007F.B03.1010071432
  dmi.board.asset.tag: 0
  dmi.board.name: Mac-F221BEC8
  dmi.board.vendor: Apple Inc.
  dmi.chassis.type: 7
  dmi.chassis.vendor: Apple Inc.
  dmi.chassis.version: Mac-F221BEC8
  dmi.modalias: 
dmi:bvnAppleInc.:bvrMP51.88Z.007F.B03.1010071432:bd10/07/10:svnAppleInc.:pnMacPro5,1:pvr0.0:rvnAppleInc.:rnMac-F221BEC8:rvr:cvnAppleInc.:ct7:cvrMac-F221BEC8:
  dmi.product.name: MacPro5,1
  dmi.product.version: 0.0
  dmi.sys.vendor: Apple Inc.
  modified.conffile..etc.default.cups:
   # Cups configure options
   
   # LOAD_LP_MODULE: enable/disable to load "lp" parallel printer driver module
   # LOAD_LP_MODULE has migrated to /etc/modules-load.d/cups-filters.conf
   # LOAD_LP_MODULE=yes
  mtime.conffile..etc.default.cups: 2014-07-23T01:20:18

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1371097/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1370930] Re: apparmor cups samba problem no printing

2014-09-24 Thread Jamie Strandboge 
** Changed in: cups (Ubuntu)
   Status: Confirmed => In Progress

** Changed in: cups (Ubuntu)
 Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: cups (Ubuntu)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1370930

Title:
  apparmor cups samba problem no printing

Status in “cups” package in Ubuntu:
  In Progress

Bug description:
  I configured a usb brother printer correctly (working) on ubuntu 14.04.1.
  Then I installed a samba server to share this printer on a windows network
  The samba printing from windows machines works correctly. The usb direct cups 
printing inform printing OK, jobs completed, but nothing prints. On syslog I 
see this apparmor DENIED messages:
  Sep 18 08:51:57 gabi-K55A kernel: [  844.181601] type=1400 
audit(1411023117.729:74): apparmor="DENIED" operation="open" 
profile="/usr/sbin/cupsd
  " name="/var/cache/samba/gencache.tdb" pid=3353 comm="smb" requested_mask="r" 
denied_mask="r" fsuid=7 ouid=0
  Sep 18 08:51:57 gabi-K55A kernel: [  844.181649] type=1400 
audit(1411023117.729:75): apparmor="DENIED" operation="open" 
profile="/usr/sbin/cupsd
  " name="/var/cache/samba/gencache.tdb" pid=3353 comm="smb" requested_mask="r" 
denied_mask="r" fsuid=7 ouid=0
  Sep 18 08:51:57 gabi-K55A kernel: [  844.182286] type=1400 
audit(1411023117.729:76): apparmor="DENIED" operation="open" 
profile="/usr/sbin/cupsd
  " name="/var/cache/samba/gencache.tdb" pid=3353 comm="smb" requested_mask="r" 
denied_mask="r" fsuid=7 ouid=0
  Sep 18 08:54:04 gabi-K55A kernel: [  971.394145] type=1400 
audit(1411023244.943:77): apparmor="DENIED" operation="signal" 
profile="/usr/sbin/cup
  sd" pid=2034 comm="cupsd" requested_mask="send" denied_mask="send" 
signal=term peer="unconfined"
  Sep 18 08:54:04 gabi-K55A kernel: [  971.394155] type=1400 
audit(1411023244.943:78): apparmor="DENIED" operation="signal" 
profile="/usr/sbin/cup
  sd" pid=2034 comm="cupsd" requested_mask="send" denied_mask="send" 
signal=term peer="unconfined"
  Sep 18 08:54:04 gabi-K55A kernel: [  971.394161] type=1400 
audit(1411023244.943:79): apparmor="DENIED" operation="signal" 
profile="/usr/sbin/cup
  sd" pid=2034 comm="cupsd" requested_mask="send" denied_mask="send" 
signal=term peer="unconfined"
  Sep 18 08:54:04 gabi-K55A kernel: [  971.394166] type=1400 
audit(1411023244.943:80): apparmor="DENIED" operation="signal" 
profile="/usr/sbin/cup
  sd" pid=2034 comm="cupsd" requested_mask="send" denied_mask="send" 
signal=term peer="unconfined"


  I install with apt-get last apparmor profiles, but I get this messages yet, 
with the same result (no printing):
  Sep 18 09:15:06 gabi-K55A kernel: [  100.620853] usblp0: removed
  Sep 18 09:15:06 gabi-K55A kernel: [  100.878155] usblp 1-4:1.0: usblp0: USB 
Bidirectional printer dev 3 if 0 alt 0 proto 2 vid 0x04F9 pid 0x0037
  Sep 18 09:16:39 gabi-K55A kernel: [  193.894732] type=1400 
audit(1411024599.437:117): apparmor="DENIED" operation="open" 
profile="/usr/sbin/cupsd" name="/var/cache/samba/gencache.tdb" pid=2384 
comm="smb" requested_mask="r" denied_mask="r" fsuid=7 ouid=0

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1370930/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1370930] Re: apparmor cups samba problem no printing

2014-09-19 Thread Jamie Strandboge 
Actually, I see more Ux rules. Try this instead (also untested):
  /usr/bin/hpijs Cx -> third_party, 
   
  /usr/Brother/** Cx -> third_party, 
  /usr/lib/cups/backend/* Cx -> third_party,
  /usr/lib/cups/filter/** Cxr -> third_party,
  /usr/lib/cups/driver/* Cxr -> third_party,
  signal (send) peer=third_party,
  profile third_party {
file,
capability,
network,
audit deny capability mac_admin,
dbus,
signal,
ptrace,
unix,
  }

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1370930

Title:
  apparmor cups samba problem no printing

Status in “cups” package in Ubuntu:
  New

Bug description:
  I configured a usb brother printer correctly (working) on ubuntu 14.04.1.
  Then I installed a samba server to share this printer on a windows network
  The samba printing from windows machines works correctly. The usb direct cups 
printing inform printing OK, jobs completed, but nothing prints. On syslog I 
see this apparmor DENIED messages:
  Sep 18 08:51:57 gabi-K55A kernel: [  844.181601] type=1400 
audit(1411023117.729:74): apparmor="DENIED" operation="open" 
profile="/usr/sbin/cupsd
  " name="/var/cache/samba/gencache.tdb" pid=3353 comm="smb" requested_mask="r" 
denied_mask="r" fsuid=7 ouid=0
  Sep 18 08:51:57 gabi-K55A kernel: [  844.181649] type=1400 
audit(1411023117.729:75): apparmor="DENIED" operation="open" 
profile="/usr/sbin/cupsd
  " name="/var/cache/samba/gencache.tdb" pid=3353 comm="smb" requested_mask="r" 
denied_mask="r" fsuid=7 ouid=0
  Sep 18 08:51:57 gabi-K55A kernel: [  844.182286] type=1400 
audit(1411023117.729:76): apparmor="DENIED" operation="open" 
profile="/usr/sbin/cupsd
  " name="/var/cache/samba/gencache.tdb" pid=3353 comm="smb" requested_mask="r" 
denied_mask="r" fsuid=7 ouid=0
  Sep 18 08:54:04 gabi-K55A kernel: [  971.394145] type=1400 
audit(1411023244.943:77): apparmor="DENIED" operation="signal" 
profile="/usr/sbin/cup
  sd" pid=2034 comm="cupsd" requested_mask="send" denied_mask="send" 
signal=term peer="unconfined"
  Sep 18 08:54:04 gabi-K55A kernel: [  971.394155] type=1400 
audit(1411023244.943:78): apparmor="DENIED" operation="signal" 
profile="/usr/sbin/cup
  sd" pid=2034 comm="cupsd" requested_mask="send" denied_mask="send" 
signal=term peer="unconfined"
  Sep 18 08:54:04 gabi-K55A kernel: [  971.394161] type=1400 
audit(1411023244.943:79): apparmor="DENIED" operation="signal" 
profile="/usr/sbin/cup
  sd" pid=2034 comm="cupsd" requested_mask="send" denied_mask="send" 
signal=term peer="unconfined"
  Sep 18 08:54:04 gabi-K55A kernel: [  971.394166] type=1400 
audit(1411023244.943:80): apparmor="DENIED" operation="signal" 
profile="/usr/sbin/cup
  sd" pid=2034 comm="cupsd" requested_mask="send" denied_mask="send" 
signal=term peer="unconfined"


  I install with apt-get last apparmor profiles, but I get this messages yet, 
with the same result (no printing):
  Sep 18 09:15:06 gabi-K55A kernel: [  100.620853] usblp0: removed
  Sep 18 09:15:06 gabi-K55A kernel: [  100.878155] usblp 1-4:1.0: usblp0: USB 
Bidirectional printer dev 3 if 0 alt 0 proto 2 vid 0x04F9 pid 0x0037
  Sep 18 09:16:39 gabi-K55A kernel: [  193.894732] type=1400 
audit(1411024599.437:117): apparmor="DENIED" operation="open" 
profile="/usr/sbin/cupsd" name="/var/cache/samba/gencache.tdb" pid=2384 
comm="smb" requested_mask="r" denied_mask="r" fsuid=7 ouid=0

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1370930/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1370930] Re: apparmor cups samba problem no printing

2014-09-19 Thread Jamie Strandboge 
Since 14.04, apparmor has signal mediation. Cups is trying to kill some 
processes. To obtain 13.10 behavior, you could add this to usr.sbin.cupsd:
  signal,

However, this would obviously allow cups to send signals to anything. I'm 
guessing it is sending signals to third party backends. It would probably be 
best to change this rule:
  /usr/lib/cups/backend/* Ux,

to something like (untested):
  /usr/lib/cups/backend/* Cx -> cups_backends,
  signal (send) peer=cups_backends,
  profile cups_backends {
file,
capability,
network,
audit deny capability mac_admin,
dbus,
signal,
ptrace,
unix,
  }

In addition to fixing the above, this adds a modest improvement over
what we have now: backends aren't allowed to change MAC policy, can't
change_profile and can't use mount.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1370930

Title:
  apparmor cups samba problem no printing

Status in “cups” package in Ubuntu:
  New

Bug description:
  I configured a usb brother printer correctly (working) on ubuntu 14.04.1.
  Then I installed a samba server to share this printer on a windows network
  The samba printing from windows machines works correctly. The usb direct cups 
printing inform printing OK, jobs completed, but nothing prints. On syslog I 
see this apparmor DENIED messages:
  Sep 18 08:51:57 gabi-K55A kernel: [  844.181601] type=1400 
audit(1411023117.729:74): apparmor="DENIED" operation="open" 
profile="/usr/sbin/cupsd
  " name="/var/cache/samba/gencache.tdb" pid=3353 comm="smb" requested_mask="r" 
denied_mask="r" fsuid=7 ouid=0
  Sep 18 08:51:57 gabi-K55A kernel: [  844.181649] type=1400 
audit(1411023117.729:75): apparmor="DENIED" operation="open" 
profile="/usr/sbin/cupsd
  " name="/var/cache/samba/gencache.tdb" pid=3353 comm="smb" requested_mask="r" 
denied_mask="r" fsuid=7 ouid=0
  Sep 18 08:51:57 gabi-K55A kernel: [  844.182286] type=1400 
audit(1411023117.729:76): apparmor="DENIED" operation="open" 
profile="/usr/sbin/cupsd
  " name="/var/cache/samba/gencache.tdb" pid=3353 comm="smb" requested_mask="r" 
denied_mask="r" fsuid=7 ouid=0
  Sep 18 08:54:04 gabi-K55A kernel: [  971.394145] type=1400 
audit(1411023244.943:77): apparmor="DENIED" operation="signal" 
profile="/usr/sbin/cup
  sd" pid=2034 comm="cupsd" requested_mask="send" denied_mask="send" 
signal=term peer="unconfined"
  Sep 18 08:54:04 gabi-K55A kernel: [  971.394155] type=1400 
audit(1411023244.943:78): apparmor="DENIED" operation="signal" 
profile="/usr/sbin/cup
  sd" pid=2034 comm="cupsd" requested_mask="send" denied_mask="send" 
signal=term peer="unconfined"
  Sep 18 08:54:04 gabi-K55A kernel: [  971.394161] type=1400 
audit(1411023244.943:79): apparmor="DENIED" operation="signal" 
profile="/usr/sbin/cup
  sd" pid=2034 comm="cupsd" requested_mask="send" denied_mask="send" 
signal=term peer="unconfined"
  Sep 18 08:54:04 gabi-K55A kernel: [  971.394166] type=1400 
audit(1411023244.943:80): apparmor="DENIED" operation="signal" 
profile="/usr/sbin/cup
  sd" pid=2034 comm="cupsd" requested_mask="send" denied_mask="send" 
signal=term peer="unconfined"


  I install with apt-get last apparmor profiles, but I get this messages yet, 
with the same result (no printing):
  Sep 18 09:15:06 gabi-K55A kernel: [  100.620853] usblp0: removed
  Sep 18 09:15:06 gabi-K55A kernel: [  100.878155] usblp 1-4:1.0: usblp0: USB 
Bidirectional printer dev 3 if 0 alt 0 proto 2 vid 0x04F9 pid 0x0037
  Sep 18 09:16:39 gabi-K55A kernel: [  193.894732] type=1400 
audit(1411024599.437:117): apparmor="DENIED" operation="open" 
profile="/usr/sbin/cupsd" name="/var/cache/samba/gencache.tdb" pid=2384 
comm="smb" requested_mask="r" denied_mask="r" fsuid=7 ouid=0

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1370930/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-18 Thread Jamie Strandboge 
** Also affects: linux-mako (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: linux-goldfish (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: linux-flo (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: linux-manta (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: linux-mako (Ubuntu)
   Importance: Undecided => High

** Changed in: linux-mako (Ubuntu)
   Status: New => In Progress

** Changed in: linux-mako (Ubuntu)
   Importance: High => Critical

** Changed in: linux-goldfish (Ubuntu)
   Importance: Undecided => High

** Changed in: linux-goldfish (Ubuntu)
   Status: New => In Progress

** Changed in: linux-manta (Ubuntu)
   Importance: Undecided => High

** Changed in: linux-manta (Ubuntu)
   Status: New => In Progress

** Changed in: linux-flo (Ubuntu)
   Importance: Undecided => High

** Changed in: linux-flo (Ubuntu)
   Status: New => In Progress

** Changed in: linux-mako (Ubuntu)
   Importance: Critical => High

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1362199

Title:
  [FFe] apparmor abstract, anonymous and netlink socket mediation

Status in “apparmor” package in Ubuntu:
  Fix Released
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  Fix Released
Status in “isc-dhcp” package in Ubuntu:
  Fix Released
Status in “libvirt” package in Ubuntu:
  Fix Released
Status in “lightdm” package in Ubuntu:
  Fix Released
Status in “linux” package in Ubuntu:
  In Progress
Status in “linux-flo” package in Ubuntu:
  In Progress
Status in “linux-goldfish” package in Ubuntu:
  In Progress
Status in “linux-mako” package in Ubuntu:
  In Progress
Status in “linux-manta” package in Ubuntu:
  In Progress
Status in “rsyslog” package in Ubuntu:
  Fix Released
Status in “tlsdate” package in Ubuntu:
  Fix Released

Bug description:
  Background: kernel and apparmor userspace updates to support abstract,
  anonymous and fine-grained netlink socket mediation. These packages
  are listed in one bug because they are related, but the FFes may be
  granted and the uploads may happen at different times.

  = apparmor userspace =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket for apparmor userspace. When used with a compatible 
kernel, 'unix' and 'network netlink' rules are supported. When used without a 
compatible apparmor userspace (eg, on a trusty system with an utopic backport 
kernel), abstract, anonymous and fine-grained netlink socket mediation is not 
enforced (ie, you can use this userspace with an old kernel without any issues).

  Testing:
  * 14.10 system with current kernels lacking abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: DONE 
(exploratory manual testing, lxc, libvirt, etc)
  * 14.10 system kernel capable of supporting abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS 
(includes test-apparmor.py, exploratory manual testing, lxc, libvirt, etc)
   * Verify everything in 
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles: DONE 
(except juju since it doesn't have policy itself)

  Justification:
  This feature is required to support comprehensive application confinement on 
Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest 
isolation which is fundamental to Ubuntu on Server/Cloud. This feature also 
adds a welcome improvement to administrators wishing to further protect their 
systems.

  Extra information:
  While the apparmor userspace and kernel changes to support abstract, 
anonymous and fine-grained netlink socket can happen at different times, the 
apparmor userspace upload must correspond with uploads for packages that ship 
AppArmor policy that require updates (eg, libvirt, lightdm, etc). The packages 
outlined in https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles 
have been tested to either work without modification to the policy or updated 
and tested to work with updated policy. Common rules will be added to the 
apparmor base abstraction such that most packages shipping apparmor policy will 
not require updating. These updates will be prepared, tested and published en 
masse via a silo ppa.

  = linux =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket via apparmor in the kernel. When used with a 
compatible apparmor userspace, 'unix' and 'network netlink' rules are 
supported. When used without a compatible apparmor userspace (eg, on a trusty 
system with an utopic backport kernel), abstract, anonymous and fine-grained 
netlink socket mediation is not enforced (ie, you can use this kernel with an 
old user

[Desktop-packages] [Bug 1361372] Re: Apparmor stopping Google Chrome from launching in guest session

2014-09-18 Thread Jamie Strandboge 
** Changed in: lightdm (Ubuntu)
   Status: New => In Progress

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1361372

Title:
  Apparmor stopping Google Chrome from launching in guest session

Status in “lightdm” package in Ubuntu:
  In Progress

Bug description:
  As mentioned in comment 5 of bug #1298021, it seems that Google have
  modified how they package Chrome in their repository.

  Based on the fix for that bug, it appears that Chrome was packaged as
  /opt/google/chrome-stable/google-chrome-stable, /opt/google/chrome-
  beta/google-chrome-beta or /opt/google/chrome-unstable/google-chrome-
  unstable based on the package version. The current stable package,
  google-chrome-stable version 36.0.1985.143-1, from the repository at
  http://dl.google.com/linux/chrome/deb/installs the binary as
  /opt/google/chrome/google-chrome, which doesn't match any of the rules
  added to Apparmor.

  Adding the following additional line caused the browser to work in
  guest mode for me:

/opt/google/chrome/google-chrome Cx -> chromium,

  $ lsb_release -rd
  Description:  Ubuntu 14.04.1 LTS
  Release:  14.04

  $ apt-cache policy lightdm
  lightdm:
Installed: 1.10.1-0ubuntu1
Candidate: 1.10.1-0ubuntu1
Version table:
   *** 1.10.1-0ubuntu1 0
  500 http://gb.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 
Packages
  100 /var/lib/dpkg/status
   1.10.0-0ubuntu3 0
  500 http://gb.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1361372/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 870373] Re: guest session will not open

2014-09-18 Thread Jamie Strandboge 
Marking this as fixed. The user said a reinstall fixed it and the guest
session has been working fine for a long time. Please file a new bug if
you are still having issues.

** Changed in: lightdm (Ubuntu)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/870373

Title:
  guest session will not open

Status in “lightdm” package in Ubuntu:
  Fix Released

Bug description:
  What I expected to happen:

  By choosing the guest session option (either from the login screen or
  the user menu when logged in to a normal account) a guest session
  should be launched.

  What happened instead:

  By choosing either method, the screen goes blank for a moment before I
  am returned to the login screen.

  Looking at the logs, it looks like the guest "/home" is created in
  /tmp, but for whatever reason it can't be used.  At first I thought it
  was due to the apparmor profile for the guest session, since it throws
  up a lot of denied  entries, but even after putting that profile in
  complain mode, the issue persists.

  ProblemType: Bug
  DistroRelease: Ubuntu 11.10
  Package: lightdm 1.0.1-0ubuntu6
  ProcVersionSignature: Ubuntu 3.0.0-12.19-generic 3.0.4
  Uname: Linux 3.0.0-12-generic i686
  ApportVersion: 1.23-0ubuntu2
  Architecture: i386
  Date: Fri Oct  7 23:55:29 2011
  InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Beta i386 (20110901)
  ProcEnviron:
   LANGUAGE=en_GB:en
   PATH=(custom, no user)
   LANG=en_GB.UTF-8
   SHELL=/bin/bash
  SourcePackage: lightdm
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/870373/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-17 Thread Jamie Strandboge 
** Changed in: linux (Ubuntu)
   Importance: Undecided => Critical

** Changed in: linux (Ubuntu)
   Importance: Critical => High

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1362199

Title:
  [FFe] apparmor abstract, anonymous and netlink socket mediation

Status in “apparmor” package in Ubuntu:
  Fix Released
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  Fix Released
Status in “isc-dhcp” package in Ubuntu:
  Fix Released
Status in “libvirt” package in Ubuntu:
  Fix Released
Status in “lightdm” package in Ubuntu:
  Fix Released
Status in “linux” package in Ubuntu:
  In Progress
Status in “rsyslog” package in Ubuntu:
  Fix Released
Status in “tlsdate” package in Ubuntu:
  Fix Released

Bug description:
  Background: kernel and apparmor userspace updates to support abstract,
  anonymous and fine-grained netlink socket mediation. These packages
  are listed in one bug because they are related, but the FFes may be
  granted and the uploads may happen at different times.

  = apparmor userspace =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket for apparmor userspace. When used with a compatible 
kernel, 'unix' and 'network netlink' rules are supported. When used without a 
compatible apparmor userspace (eg, on a trusty system with an utopic backport 
kernel), abstract, anonymous and fine-grained netlink socket mediation is not 
enforced (ie, you can use this userspace with an old kernel without any issues).

  Testing:
  * 14.10 system with current kernels lacking abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: DONE 
(exploratory manual testing, lxc, libvirt, etc)
  * 14.10 system kernel capable of supporting abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS 
(includes test-apparmor.py, exploratory manual testing, lxc, libvirt, etc)
   * Verify everything in 
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles: DONE 
(except juju since it doesn't have policy itself)

  Justification:
  This feature is required to support comprehensive application confinement on 
Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest 
isolation which is fundamental to Ubuntu on Server/Cloud. This feature also 
adds a welcome improvement to administrators wishing to further protect their 
systems.

  Extra information:
  While the apparmor userspace and kernel changes to support abstract, 
anonymous and fine-grained netlink socket can happen at different times, the 
apparmor userspace upload must correspond with uploads for packages that ship 
AppArmor policy that require updates (eg, libvirt, lightdm, etc). The packages 
outlined in https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles 
have been tested to either work without modification to the policy or updated 
and tested to work with updated policy. Common rules will be added to the 
apparmor base abstraction such that most packages shipping apparmor policy will 
not require updating. These updates will be prepared, tested and published en 
masse via a silo ppa.

  = linux =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket via apparmor in the kernel. When used with a 
compatible apparmor userspace, 'unix' and 'network netlink' rules are 
supported. When used without a compatible apparmor userspace (eg, on a trusty 
system with an utopic backport kernel), abstract, anonymous and fine-grained 
netlink socket mediation is not enforced (ie, you can use this kernel with an 
old userspace without any issues).

  Testing:
  * 14.04 system with backported kernel: TODO
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT 
passes all tests)
  * 14.10 system (non-Touch) with updated kernel:
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS 
(includes click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, 
etc)
  * 14.10 system (Touch) with updated kernel:
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS 
(includes click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, 
etc)

  Justification:
  This feature is required to support comprehensive application confinement on 
Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest 
isolation which is fundamental to Ubuntu on Server/Cloud. This feature also 
a

[Desktop-packages] [Bug 1369391] Re: package nvidia-331 331.89-0ubuntu4 failed to install/upgrade: subprocess installed post-removal script returned error exit status 8

2014-09-15 Thread Jamie Strandboge 
*** This bug is a duplicate of bug 1369398 ***
https://bugs.launchpad.net/bugs/1369398

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to nvidia-graphics-drivers-331 in Ubuntu.
https://bugs.launchpad.net/bugs/1369391

Title:
  package nvidia-331 331.89-0ubuntu4 failed to install/upgrade:
  subprocess installed post-removal script returned error exit status 8

Status in “nvidia-graphics-drivers-331” package in Ubuntu:
  New

Bug description:
  1

  ProblemType: Package
  DistroRelease: Ubuntu 14.10
  Package: nvidia-331 331.89-0ubuntu4
  ProcVersionSignature: Ubuntu 3.16.0-14.20-generic 3.16.2
  Uname: Linux 3.16.0-14-generic x86_64
  ApportVersion: 2.14.7-0ubuntu2
  Architecture: amd64
  Date: Mon Sep 15 07:00:53 2014
  DuplicateSignature: package:nvidia-331:331.89-0ubuntu4:subprocess installed 
post-removal script returned error exit status 8
  ErrorMessage: subprocess installed post-removal script returned error exit 
status 8
  InstallationDate: Installed on 2014-09-14 (0 days ago)
  InstallationMedia: Ubuntu-GNOME 14.10 "Utopic Unicorn" - Alpha amd64 
(20140826)
  SourcePackage: nvidia-graphics-drivers-331
  Title: package nvidia-331 331.89-0ubuntu4 failed to install/upgrade: 
subprocess installed post-removal script returned error exit status 8
  UpgradeStatus: No upgrade log present (probably fresh install)
  modified.conffile..etc.modprobe.d.nvidia.331.hybrid.conf: [deleted]

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nvidia-graphics-drivers-331/+bug/1369391/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-08 Thread Jamie Strandboge 
FYI, when booting new userspace with old kernel, the parser will output 
something like this:
Warning from profile /usr/lib/telepathy/telepathy-ofono 
(/etc/apparmor.d/usr.lib.telepathy): downgrading extended network unix socket 
rule to generic network rule

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1362199

Title:
  [FFe] apparmor abstract, anonymous and netlink socket mediation

Status in “apparmor” package in Ubuntu:
  In Progress
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  In Progress
Status in “isc-dhcp” package in Ubuntu:
  Fix Released
Status in “libvirt” package in Ubuntu:
  In Progress
Status in “lightdm” package in Ubuntu:
  In Progress
Status in “linux” package in Ubuntu:
  In Progress
Status in “rsyslog” package in Ubuntu:
  In Progress
Status in “tlsdate” package in Ubuntu:
  In Progress

Bug description:
  Background: kernel and apparmor userspace updates to support abstract,
  anonymous and fine-grained netlink socket mediation. These packages
  are listed in one bug because they are related, but the FFes may be
  granted and the uploads may happen at different times.

  = apparmor userspace =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket for apparmor userspace. When used with a compatible 
kernel, 'unix' and 'network netlink' rules are supported. When used without a 
compatible apparmor userspace (eg, on a trusty system with an utopic backport 
kernel), abstract, anonymous and fine-grained netlink socket mediation is not 
enforced (ie, you can use this userspace with an old kernel without any issues).

  Testing:
  * 14.10 system with current kernels lacking abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: DONE 
(exploratory manual testing, lxc, libvirt, etc)
  * 14.10 system kernel capable of supporting abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS 
(includes test-apparmor.py, exploratory manual testing, lxc, libvirt, etc)
   * Verify everything in 
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles: DONE 
(except juju since it doesn't have policy itself)

  Justification:
  This feature is required to support comprehensive application confinement on 
Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest 
isolation which is fundamental to Ubuntu on Server/Cloud. This feature also 
adds a welcome improvement to administrators wishing to further protect their 
systems.

  Extra information:
  While the apparmor userspace and kernel changes to support abstract, 
anonymous and fine-grained netlink socket can happen at different times, the 
apparmor userspace upload must correspond with uploads for packages that ship 
AppArmor policy that require updates (eg, libvirt, lightdm, etc). The packages 
outlined in https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles 
have been tested to either work without modification to the policy or updated 
and tested to work with updated policy. Common rules will be added to the 
apparmor base abstraction such that most packages shipping apparmor policy will 
not require updating. These updates will be prepared, tested and published en 
masse via a silo ppa.

  = linux =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket via apparmor in the kernel. When used with a 
compatible apparmor userspace, 'unix' and 'network netlink' rules are 
supported. When used without a compatible apparmor userspace (eg, on a trusty 
system with an utopic backport kernel), abstract, anonymous and fine-grained 
netlink socket mediation is not enforced (ie, you can use this kernel with an 
old userspace without any issues).

  Testing:
  * 14.04 system with backported kernel: TODO
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT 
passes all tests)
  * 14.10 system (non-Touch) with updated kernel:
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS 
(includes click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, 
etc)
  * 14.10 system (Touch) with updated kernel:
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS 
(includes click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, 
etc)

  Justification:
  This feature is required to support comprehensive application confinement on 
Ubuntu Touch. This feature adds

[Desktop-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-08 Thread Jamie Strandboge 
1) old kernel and new userspace
- this is well tested and ready to land now

2) new kernel and old userspace
3) new kernel and new userspace
- these are tested, but need more testing on the kernel side. We are finalizing 
the kernel and will have these in place for kernel pull requests

Ah, I did not update AppArmor's debian/control for the Breaks like I did
for the signal and ptrace mediation, but meant to. Thanks for the
reminder, I'll do that now.

Here are the apparmor changes:
https://code.launchpad.net/~apparmor-dev/apparmor/apparmor-ubuntu-citrain.abstract

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1362199

Title:
  [FFe] apparmor abstract, anonymous and netlink socket mediation

Status in “apparmor” package in Ubuntu:
  In Progress
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  In Progress
Status in “isc-dhcp” package in Ubuntu:
  Fix Released
Status in “libvirt” package in Ubuntu:
  In Progress
Status in “lightdm” package in Ubuntu:
  In Progress
Status in “linux” package in Ubuntu:
  In Progress
Status in “rsyslog” package in Ubuntu:
  In Progress
Status in “tlsdate” package in Ubuntu:
  In Progress

Bug description:
  Background: kernel and apparmor userspace updates to support abstract,
  anonymous and fine-grained netlink socket mediation. These packages
  are listed in one bug because they are related, but the FFes may be
  granted and the uploads may happen at different times.

  = apparmor userspace =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket for apparmor userspace. When used with a compatible 
kernel, 'unix' and 'network netlink' rules are supported. When used without a 
compatible apparmor userspace (eg, on a trusty system with an utopic backport 
kernel), abstract, anonymous and fine-grained netlink socket mediation is not 
enforced (ie, you can use this userspace with an old kernel without any issues).

  Testing:
  * 14.10 system with current kernels lacking abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: DONE 
(exploratory manual testing, lxc, libvirt, etc)
  * 14.10 system kernel capable of supporting abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS 
(includes test-apparmor.py, exploratory manual testing, lxc, libvirt, etc)
   * Verify everything in 
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles: DONE 
(except juju since it doesn't have policy itself)

  Justification:
  This feature is required to support comprehensive application confinement on 
Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest 
isolation which is fundamental to Ubuntu on Server/Cloud. This feature also 
adds a welcome improvement to administrators wishing to further protect their 
systems.

  Extra information:
  While the apparmor userspace and kernel changes to support abstract, 
anonymous and fine-grained netlink socket can happen at different times, the 
apparmor userspace upload must correspond with uploads for packages that ship 
AppArmor policy that require updates (eg, libvirt, lightdm, etc). The packages 
outlined in https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles 
have been tested to either work without modification to the policy or updated 
and tested to work with updated policy. Common rules will be added to the 
apparmor base abstraction such that most packages shipping apparmor policy will 
not require updating. These updates will be prepared, tested and published en 
masse via a silo ppa.

  = linux =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket via apparmor in the kernel. When used with a 
compatible apparmor userspace, 'unix' and 'network netlink' rules are 
supported. When used without a compatible apparmor userspace (eg, on a trusty 
system with an utopic backport kernel), abstract, anonymous and fine-grained 
netlink socket mediation is not enforced (ie, you can use this kernel with an 
old userspace without any issues).

  Testing:
  * 14.04 system with backported kernel: TODO
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT 
passes all tests)
  * 14.10 system (non-Touch) with updated kernel:
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS 
(includes click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, 
etc)
  * 14.10 system (Touch) w

[Desktop-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-08 Thread Jamie Strandboge 
** Description changed:

  Background: kernel and apparmor userspace updates to support abstract,
  anonymous and fine-grained netlink socket mediation. These packages are
  listed in one bug because they are related, but the FFes may be granted
  and the uploads may happen at different times.
  
  = apparmor userspace =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket for apparmor userspace. When used with a compatible 
kernel, 'unix' and 'network netlink' rules are supported. When used without a 
compatible apparmor userspace (eg, on a trusty system with an utopic backport 
kernel), abstract, anonymous and fine-grained netlink socket mediation is not 
enforced (ie, you can use this userspace with an old kernel without any issues).
  
  Testing:
- * 14.10 system with previous kernel lacking abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
+ * 14.10 system with current kernels lacking abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: DONE 
(exploratory manual testing, lxc, libvirt, etc)
  * 14.10 system kernel capable of supporting abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS 
(includes test-apparmor.py, exploratory manual testing, lxc, libvirt, etc)
   * Verify everything in 
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles: DONE 
(except juju since it doesn't have policy itself)
  
  Justification:
  This feature is required to support comprehensive application confinement on 
Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest 
isolation which is fundamental to Ubuntu on Server/Cloud. This feature also 
adds a welcome improvement to administrators wishing to further protect their 
systems.
  
  Extra information:
  While the apparmor userspace and kernel changes to support abstract, 
anonymous and fine-grained netlink socket can happen at different times, the 
apparmor userspace upload must correspond with uploads for packages that ship 
AppArmor policy that require updates (eg, libvirt, lxc, etc). The packages 
outlined in https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles 
have been tested to either work without modification to the policy or updated 
and tested to work with updated policy. Common rules will be added to the 
apparmor base abstraction such that most packages shipping apparmor policy will 
not require updating. These updates will be prepared, tested and published en 
masse via a silo ppa.
  
- 
  = linux =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket via apparmor in the kernel. When used with a 
compatible apparmor userspace, 'unix' and 'network netlink' rules are 
supported. When used without a compatible apparmor userspace (eg, on a trusty 
system with an utopic backport kernel), abstract, anonymous and fine-grained 
netlink socket mediation is not enforced (ie, you can use this kernel with an 
old userspace without any issues).
  
  Testing:
  * 14.04 system with backported kernel: TODO
-  * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
-  * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
-  * aa-status: TODO
-  * lxc: TODO (containers can be created, started, shutdown)
-  * libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT 
passes all tests)
+  * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
+  * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
+  * aa-status: TODO
+  * lxc: TODO (containers can be created, started, shutdown)
+  * libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT 
passes all tests)
  * 14.10 system (non-Touch) with updated kernel:
-  * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS 
(includes click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, 
etc)
+  * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS 
(includes click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, 
etc)
  * 14.10 system (Touch) with updated kernel:
-  * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS 
(includes click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, 
etc)
+  * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS 
(includes click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, 
etc)
  
  Justification:
  This feature is required to support comprehensive application confinement on 
Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest 
isolation which is fundamental to Ubuntu on Server/Cloud. Thi

[Desktop-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-08 Thread Jamie Strandboge 
** Description changed:

  Background: kernel and apparmor userspace updates to support abstract,
  anonymous and fine-grained netlink socket mediation. These packages are
  listed in one bug because they are related, but the FFes may be granted
  and the uploads may happen at different times.
+ 
+ = apparmor userspace =
+ Summary:
+ This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket for apparmor userspace. When used with a compatible 
kernel, 'unix' and 'network netlink' rules are supported. When used without a 
compatible apparmor userspace (eg, on a trusty system with an utopic backport 
kernel), abstract, anonymous and fine-grained netlink socket mediation is not 
enforced (ie, you can use this userspace with an old kernel without any issues).
+ 
+ Testing:
+ * 14.10 system with previous kernel lacking abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
+  * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: DONE 
(exploratory manual testing, lxc, libvirt, etc)
+ * 14.10 system kernel capable of supporting abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
+  * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS 
(includes test-apparmor.py, exploratory manual testing, lxc, libvirt, etc)
+  * Verify everything in 
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles: DONE 
(except juju since it doesn't have policy itself)
+ 
+ Justification:
+ This feature is required to support comprehensive application confinement on 
Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest 
isolation which is fundamental to Ubuntu on Server/Cloud. This feature also 
adds a welcome improvement to administrators wishing to further protect their 
systems.
+ 
+ Extra information:
+ While the apparmor userspace and kernel changes to support abstract, 
anonymous and fine-grained netlink socket can happen at different times, the 
apparmor userspace upload must correspond with uploads for packages that ship 
AppArmor policy that require updates (eg, libvirt, lxc, etc). The packages 
outlined in https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles 
have been tested to either work without modification to the policy or updated 
and tested to work with updated policy. Common rules will be added to the 
apparmor base abstraction such that most packages shipping apparmor policy will 
not require updating. These updates will be prepared, tested and published en 
masse via a silo ppa.
+ 
  
  = linux =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket via apparmor in the kernel. When used with a 
compatible apparmor userspace, 'unix' and 'network netlink' rules are 
supported. When used without a compatible apparmor userspace (eg, on a trusty 
system with an utopic backport kernel), abstract, anonymous and fine-grained 
netlink socket mediation is not enforced (ie, you can use this kernel with an 
old userspace without any issues).
  
  Testing:
  * 14.04 system with backported kernel: TODO
-  * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
-  * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
-  * aa-status: TODO
-  * lxc: TODO (containers can be created, started, shutdown)
-  * libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT 
passes all tests)
- * 14.10 system (non-Touch) with current apparmor userspace: TODO (relevant 
parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
-  * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
-  * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
-  * aa-status: TODO
-  * lxc: TODO (containers can be created, started, shutdown)
-  * libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures 
unrelated to apparmor))
-  * click-apparmor QRT touch image tests: TODO
-  * apparmor-easyprof-ubuntu QRT touch image tests: TODO
- * 14.10 system (non-Touch) with updated apparmor userspace capable of 
supporting abstract, anonymous and fine-grained netlink socket: TODO (relevant 
parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
-  * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
-  * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
-  * aa-status: TODO
-  * lxc: TODO (containers can be created, started, shutdown)
-  * libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures 
unrelated to apparmor))
-  * click-apparmor QRT touch image tests: TODO
-  * apparmor-easyprof-ubuntu QRT touch image tests: TODO
+  * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
+  * exploratory manual testing: TODO (networking, aa-enforce with

[Desktop-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-05 Thread Jamie Strandboge 
isc-dhcp (4.2.4-7ubuntu14) utopic; urgency=medium

  * debian/apparmor-profile.dhclient: add file_inherit inet{,6} dgram rules
for child profiles

** Changed in: isc-dhcp (Ubuntu)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1362199

Title:
  [FFe] apparmor abstract, anonymous and netlink socket mediation

Status in “apparmor” package in Ubuntu:
  In Progress
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  In Progress
Status in “isc-dhcp” package in Ubuntu:
  Fix Released
Status in “libvirt” package in Ubuntu:
  In Progress
Status in “lightdm” package in Ubuntu:
  In Progress
Status in “linux” package in Ubuntu:
  In Progress
Status in “rsyslog” package in Ubuntu:
  In Progress
Status in “tlsdate” package in Ubuntu:
  In Progress

Bug description:
  Background: kernel and apparmor userspace updates to support abstract,
  anonymous and fine-grained netlink socket mediation. These packages
  are listed in one bug because they are related, but the FFes may be
  granted and the uploads may happen at different times.

  = linux =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket via apparmor in the kernel. When used with a 
compatible apparmor userspace, 'unix' and 'network netlink' rules are 
supported. When used without a compatible apparmor userspace (eg, on a trusty 
system with an utopic backport kernel), abstract, anonymous and fine-grained 
netlink socket mediation is not enforced (ie, you can use this kernel with an 
old userspace without any issues).

  Testing:
  * 14.04 system with backported kernel: TODO
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT 
passes all tests)
  * 14.10 system (non-Touch) with current apparmor userspace: TODO (relevant 
parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures 
unrelated to apparmor))
   * click-apparmor QRT touch image tests: TODO
   * apparmor-easyprof-ubuntu QRT touch image tests: TODO
  * 14.10 system (non-Touch) with updated apparmor userspace capable of 
supporting abstract, anonymous and fine-grained netlink socket: TODO (relevant 
parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures 
unrelated to apparmor))
   * click-apparmor QRT touch image tests: TODO
   * apparmor-easyprof-ubuntu QRT touch image tests: TODO

  Justification:
  This feature is required to support comprehensive application confinement on 
Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest 
isolation which is fundamental to Ubuntu on Server/Cloud. This feature also 
adds a welcome improvement to administrators wishing to further protect their 
systems.

  = apparmor userspace =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket for apparmor userspace. When used with a compatible 
kernel, 'unix' and 'network netlink' rules are supported. When used without a 
compatible apparmor userspace (eg, on a trusty system with an utopic backport 
kernel), abstract, anonymous and fine-grained netlink socket mediation is not 
enforced (ie, you can use this userspace with an old kernel without any issues).

  Testing:
  * 14.10 system with current kernel:
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: DONE (includes 
click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, etc)
  * 14.10 system with previous kernel lacking abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: DONE 
(exploratory manual testing, lxc, libvirt, etc)
   * test-apparmor.py: DONE
   * lightdm guest session: DONE (login, start browser, logout)
  * 14.10 system kernel capable of supporting abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
   * https:/

[Desktop-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-05 Thread Jamie Strandboge 
** Changed in: apparmor-easyprof-ubuntu (Ubuntu)
   Importance: Undecided => Critical

** Changed in: apparmor (Ubuntu)
 Assignee: (unassigned) => Jamie Strandboge (jdstrand)

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1362199

Title:
  [FFe] apparmor abstract, anonymous and netlink socket mediation

Status in “apparmor” package in Ubuntu:
  In Progress
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  In Progress
Status in “isc-dhcp” package in Ubuntu:
  In Progress
Status in “libvirt” package in Ubuntu:
  In Progress
Status in “lightdm” package in Ubuntu:
  In Progress
Status in “linux” package in Ubuntu:
  In Progress
Status in “rsyslog” package in Ubuntu:
  In Progress
Status in “tlsdate” package in Ubuntu:
  In Progress

Bug description:
  Background: kernel and apparmor userspace updates to support abstract,
  anonymous and fine-grained netlink socket mediation. These packages
  are listed in one bug because they are related, but the FFes may be
  granted and the uploads may happen at different times.

  = linux =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket via apparmor in the kernel. When used with a 
compatible apparmor userspace, 'unix' and 'network netlink' rules are 
supported. When used without a compatible apparmor userspace (eg, on a trusty 
system with an utopic backport kernel), abstract, anonymous and fine-grained 
netlink socket mediation is not enforced (ie, you can use this kernel with an 
old userspace without any issues).

  Testing:
  * 14.04 system with backported kernel: TODO
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT 
passes all tests)
  * 14.10 system (non-Touch) with current apparmor userspace: TODO (relevant 
parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures 
unrelated to apparmor))
   * click-apparmor QRT touch image tests: TODO
   * apparmor-easyprof-ubuntu QRT touch image tests: TODO
  * 14.10 system (non-Touch) with updated apparmor userspace capable of 
supporting abstract, anonymous and fine-grained netlink socket: TODO (relevant 
parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures 
unrelated to apparmor))
   * click-apparmor QRT touch image tests: TODO
   * apparmor-easyprof-ubuntu QRT touch image tests: TODO

  Justification:
  This feature is required to support comprehensive application confinement on 
Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest 
isolation which is fundamental to Ubuntu on Server/Cloud. This feature also 
adds a welcome improvement to administrators wishing to further protect their 
systems.

  = apparmor userspace =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket for apparmor userspace. When used with a compatible 
kernel, 'unix' and 'network netlink' rules are supported. When used without a 
compatible apparmor userspace (eg, on a trusty system with an utopic backport 
kernel), abstract, anonymous and fine-grained netlink socket mediation is not 
enforced (ie, you can use this userspace with an old kernel without any issues).

  Testing:
  * 14.10 system with current kernel:
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: DONE (includes 
click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, etc)
  * 14.10 system with previous kernel lacking abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: DONE 
(exploratory manual testing, lxc, libvirt, etc)
   * test-apparmor.py: DONE
   * lightdm guest session: DONE (login, start browser, logout)
  * 14.10 system kernel capable of supporting abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):

[Desktop-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-04 Thread Jamie Strandboge 
** Tags added: rtm14 touch-2014-09-11

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1362199

Title:
  [FFe] apparmor abstract, anonymous and netlink socket mediation

Status in “apparmor” package in Ubuntu:
  In Progress
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  In Progress
Status in “isc-dhcp” package in Ubuntu:
  In Progress
Status in “libvirt” package in Ubuntu:
  In Progress
Status in “lightdm” package in Ubuntu:
  In Progress
Status in “linux” package in Ubuntu:
  In Progress
Status in “rsyslog” package in Ubuntu:
  In Progress
Status in “tlsdate” package in Ubuntu:
  In Progress

Bug description:
  Background: kernel and apparmor userspace updates to support abstract,
  anonymous and fine-grained netlink socket mediation. These packages
  are listed in one bug because they are related, but the FFes may be
  granted and the uploads may happen at different times.

  = linux =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket via apparmor in the kernel. When used with a 
compatible apparmor userspace, 'unix' and 'network netlink' rules are 
supported. When used without a compatible apparmor userspace (eg, on a trusty 
system with an utopic backport kernel), abstract, anonymous and fine-grained 
netlink socket mediation is not enforced (ie, you can use this kernel with an 
old userspace without any issues).

  Testing:
  * 14.04 system with backported kernel: TODO
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT 
passes all tests)
  * 14.10 system (non-Touch) with current apparmor userspace: TODO (relevant 
parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures 
unrelated to apparmor))
   * click-apparmor QRT touch image tests: TODO
   * apparmor-easyprof-ubuntu QRT touch image tests: TODO
  * 14.10 system (non-Touch) with updated apparmor userspace capable of 
supporting abstract, anonymous and fine-grained netlink socket: TODO (relevant 
parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures 
unrelated to apparmor))
   * click-apparmor QRT touch image tests: TODO
   * apparmor-easyprof-ubuntu QRT touch image tests: TODO

  Justification:
  This feature is required to support comprehensive application confinement on 
Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest 
isolation which is fundamental to Ubuntu on Server/Cloud. This feature also 
adds a welcome improvement to administrators wishing to further protect their 
systems.

  = apparmor userspace =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket for apparmor userspace. When used with a compatible 
kernel, 'unix' and 'network netlink' rules are supported. When used without a 
compatible apparmor userspace (eg, on a trusty system with an utopic backport 
kernel), abstract, anonymous and fine-grained netlink socket mediation is not 
enforced (ie, you can use this userspace with an old kernel without any issues).

  Testing:
  * 14.10 system with current kernel:
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: DONE (includes 
click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, etc)
  * 14.10 system with previous kernel lacking abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: DONE 
(exploratory manual testing, lxc, libvirt, etc)
   * test-apparmor.py: DONE
   * lightdm guest session: DONE (login, start browser, logout)
  * 14.10 system kernel capable of supporting abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: DONE (includes 
test-apparmor.py, exploratory manual testing, lxc, libvirt, etc)
   * Verify everything in 
https://wiki.ubuntu.com/Securi

[Desktop-packages] [Bug 1365336] Re: Lightdm update=No desktop

2014-09-04 Thread Jamie Strandboge 
FYI I see this in a utopic amd64 qemu VM.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1365336

Title:
  Lightdm update=No desktop

Status in “lightdm” package in Ubuntu:
  Confirmed

Bug description:
  Update to lightdm from 1.11.7-0ubuntu1 to 1.11.8-0ubuntu1 leaves me
  with no desktop on normal boot.

  Machine boots directly to tty1.

  Logged in at tty1 and then startx leads to a desktop that requires
  password to start properly and with themes unapplied.

  Password required to reboot machine.

  ProblemType: Bug
  DistroRelease: Ubuntu 14.10
  Package: lightdm 1.11.8-0ubuntu1
  ProcVersionSignature: Ubuntu 3.16.0-12.18-generic 3.16.1
  Uname: Linux 3.16.0-12-generic x86_64
  NonfreeKernelModules: nvidia
  ApportVersion: 2.14.7-0ubuntu1
  Architecture: amd64
  CurrentDesktop: XFCE
  Date: Thu Sep  4 08:20:14 2014
  InstallationDate: Installed on 2014-07-17 (48 days ago)
  InstallationMedia: Xubuntu 14.10 "Utopic Unicorn" - Alpha amd64 (20140717)
  SourcePackage: lightdm
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1365336/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1365336] Re: Lightdm update=No desktop

2014-09-04 Thread Jamie Strandboge 
Downgrading to lightdm 1.11.7 solves the issue for me.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1365336

Title:
  Lightdm update=No desktop

Status in “lightdm” package in Ubuntu:
  Confirmed

Bug description:
  Update to lightdm from 1.11.7-0ubuntu1 to 1.11.8-0ubuntu1 leaves me
  with no desktop on normal boot.

  Machine boots directly to tty1.

  Logged in at tty1 and then startx leads to a desktop that requires
  password to start properly and with themes unapplied.

  Password required to reboot machine.

  ProblemType: Bug
  DistroRelease: Ubuntu 14.10
  Package: lightdm 1.11.8-0ubuntu1
  ProcVersionSignature: Ubuntu 3.16.0-12.18-generic 3.16.1
  Uname: Linux 3.16.0-12-generic x86_64
  NonfreeKernelModules: nvidia
  ApportVersion: 2.14.7-0ubuntu1
  Architecture: amd64
  CurrentDesktop: XFCE
  Date: Thu Sep  4 08:20:14 2014
  InstallationDate: Installed on 2014-07-17 (48 days ago)
  InstallationMedia: Xubuntu 14.10 "Utopic Unicorn" - Alpha amd64 (20140717)
  SourcePackage: lightdm
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1365336/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-04 Thread Jamie Strandboge 
** Description changed:

  Background: kernel and apparmor userspace updates to support abstract,
  anonymous and fine-grained netlink socket mediation. These packages are
  listed in one bug because they are related, but the FFes may be granted
  and the uploads may happen at different times.
  
  = linux =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket via apparmor in the kernel. When used with a 
compatible apparmor userspace, 'unix' and 'network netlink' rules are 
supported. When used without a compatible apparmor userspace (eg, on a trusty 
system with an utopic backport kernel), abstract, anonymous and fine-grained 
netlink socket mediation is not enforced (ie, you can use this kernel with an 
old userspace without any issues).
  
  Testing:
  * 14.04 system with backported kernel: TODO
-  * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
-  * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
-  * aa-status: TODO
-  * lxc: TODO (containers can be created, started, shutdown)
-  * libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT 
passes all tests)
+  * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
+  * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
+  * aa-status: TODO
+  * lxc: TODO (containers can be created, started, shutdown)
+  * libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT 
passes all tests)
  * 14.10 system (non-Touch) with current apparmor userspace: TODO (relevant 
parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
-  * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
-  * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
-  * aa-status: TODO
-  * lxc: TODO (containers can be created, started, shutdown)
-  * libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures 
unrelated to apparmor))
-  * click-apparmor QRT touch image tests: TODO
-  * apparmor-easyprof-ubuntu QRT touch image tests: TODO
+  * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
+  * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
+  * aa-status: TODO
+  * lxc: TODO (containers can be created, started, shutdown)
+  * libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures 
unrelated to apparmor))
+  * click-apparmor QRT touch image tests: TODO
+  * apparmor-easyprof-ubuntu QRT touch image tests: TODO
  * 14.10 system (non-Touch) with updated apparmor userspace capable of 
supporting abstract, anonymous and fine-grained netlink socket: TODO (relevant 
parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
-  * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
-  * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
-  * aa-status: TODO
-  * lxc: TODO (containers can be created, started, shutdown)
-  * libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures 
unrelated to apparmor))
-  * click-apparmor QRT touch image tests: TODO
-  * apparmor-easyprof-ubuntu QRT touch image tests: TODO
+  * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
+  * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
+  * aa-status: TODO
+  * lxc: TODO (containers can be created, started, shutdown)
+  * libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures 
unrelated to apparmor))
+  * click-apparmor QRT touch image tests: TODO
+  * apparmor-easyprof-ubuntu QRT touch image tests: TODO
  
  Justification:
  This feature is required to support comprehensive application confinement on 
Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest 
isolation which is fundamental to Ubuntu on Server/Cloud. This feature also 
adds a welcome improvement to administrators wishing to further protect their 
systems.
  
  = apparmor userspace =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket for apparmor userspace. When used with a compatible 
kernel, 'unix' and 'network netlink' rules are supported. When used without a 
compatible apparmor userspace (eg, on a trusty system with an utopic backport 
kernel), abstract, anonymous and fine-grained netlink socket mediation is not 
enforced (ie, you can use this userspace with an old kernel without any issues).
  
  Testing:
  * 14.10 system with current kernel:
-  * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: TODO (includes 
click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, etc)
+  * https://wiki.ubu

[Desktop-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-02 Thread Jamie Strandboge 
** Also affects: tlsdate (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: tlsdate (Ubuntu)
   Status: New => In Progress

** Changed in: tlsdate (Ubuntu)
 Assignee: (unassigned) => Jamie Strandboge (jdstrand)

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1362199

Title:
  [FFe] apparmor abstract, anonymous and netlink socket mediation

Status in “apparmor” package in Ubuntu:
  In Progress
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  In Progress
Status in “isc-dhcp” package in Ubuntu:
  In Progress
Status in “libvirt” package in Ubuntu:
  In Progress
Status in “lightdm” package in Ubuntu:
  In Progress
Status in “linux” package in Ubuntu:
  In Progress
Status in “lxc” package in Ubuntu:
  Triaged
Status in “rsyslog” package in Ubuntu:
  In Progress
Status in “tlsdate” package in Ubuntu:
  In Progress

Bug description:
  Background: kernel and apparmor userspace updates to support abstract,
  anonymous and fine-grained netlink socket mediation. These packages
  are listed in one bug because they are related, but the FFes may be
  granted and the uploads may happen at different times.

  = linux =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket via apparmor in the kernel. When used with a 
compatible apparmor userspace, 'unix' and 'network netlink' rules are 
supported. When used without a compatible apparmor userspace (eg, on a trusty 
system with an utopic backport kernel), abstract, anonymous and fine-grained 
netlink socket mediation is not enforced (ie, you can use this kernel with an 
old userspace without any issues).

  Testing:
  * 14.04 system with backported kernel: TODO
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT 
passes all tests)
  * 14.10 system (non-Touch) with current apparmor userspace: TODO (relevant 
parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures 
unrelated to apparmor))
   * click-apparmor QRT touch image tests: TODO
   * apparmor-easyprof-ubuntu QRT touch image tests: TODO
  * 14.10 system (non-Touch) with updated apparmor userspace capable of 
supporting abstract, anonymous and fine-grained netlink socket: TODO (relevant 
parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures 
unrelated to apparmor))
   * click-apparmor QRT touch image tests: TODO
   * apparmor-easyprof-ubuntu QRT touch image tests: TODO

  Justification:
  This feature is required to support comprehensive application confinement on 
Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest 
isolation which is fundamental to Ubuntu on Server/Cloud. This feature also 
adds a welcome improvement to administrators wishing to further protect their 
systems.

  = apparmor userspace =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket for apparmor userspace. When used with a compatible 
kernel, 'unix' and 'network netlink' rules are supported. When used without a 
compatible apparmor userspace (eg, on a trusty system with an utopic backport 
kernel), abstract, anonymous and fine-grained netlink socket mediation is not 
enforced (ie, you can use this userspace with an old kernel without any issues).

  Testing:
  * 14.10 system with current kernel:
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: TODO (includes 
click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, etc)
  * 14.10 system with previous kernel lacking abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: TODO 
(exploratory manual testing, lxc, libvirt, etc)
   * test-apparmor.py: TODO
   * lightdm guest session: TODO (login, start browser, logout)
  * 14.10 system kernel

[Desktop-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-02 Thread Jamie Strandboge 
** No longer affects: cups (Ubuntu)

** No longer affects: cups-filters (Ubuntu)

** Changed in: linux (Ubuntu)
 Assignee: (unassigned) => John Johansen (jjohansen)

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to cups-filters in Ubuntu.
https://bugs.launchpad.net/bugs/1362199

Title:
  [FFe] apparmor abstract, anonymous and netlink socket mediation

Status in “apparmor” package in Ubuntu:
  In Progress
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  In Progress
Status in “isc-dhcp” package in Ubuntu:
  In Progress
Status in “libvirt” package in Ubuntu:
  In Progress
Status in “lightdm” package in Ubuntu:
  In Progress
Status in “linux” package in Ubuntu:
  In Progress
Status in “lxc” package in Ubuntu:
  Triaged
Status in “rsyslog” package in Ubuntu:
  In Progress

Bug description:
  Background: kernel and apparmor userspace updates to support abstract,
  anonymous and fine-grained netlink socket mediation. These packages
  are listed in one bug because they are related, but the FFes may be
  granted and the uploads may happen at different times.

  = linux =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket via apparmor in the kernel. When used with a 
compatible apparmor userspace, 'unix' and 'network netlink' rules are 
supported. When used without a compatible apparmor userspace (eg, on a trusty 
system with an utopic backport kernel), abstract, anonymous and fine-grained 
netlink socket mediation is not enforced (ie, you can use this kernel with an 
old userspace without any issues).

  Testing:
  * 14.04 system with backported kernel: TODO
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT 
passes all tests)
  * 14.10 system (non-Touch) with current apparmor userspace: TODO (relevant 
parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures 
unrelated to apparmor))
   * click-apparmor QRT touch image tests: TODO
   * apparmor-easyprof-ubuntu QRT touch image tests: TODO
  * 14.10 system (non-Touch) with updated apparmor userspace capable of 
supporting abstract, anonymous and fine-grained netlink socket: TODO (relevant 
parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures 
unrelated to apparmor))
   * click-apparmor QRT touch image tests: TODO
   * apparmor-easyprof-ubuntu QRT touch image tests: TODO

  Justification:
  This feature is required to support comprehensive application confinement on 
Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest 
isolation which is fundamental to Ubuntu on Server/Cloud. This feature also 
adds a welcome improvement to administrators wishing to further protect their 
systems.

  = apparmor userspace =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket for apparmor userspace. When used with a compatible 
kernel, 'unix' and 'network netlink' rules are supported. When used without a 
compatible apparmor userspace (eg, on a trusty system with an utopic backport 
kernel), abstract, anonymous and fine-grained netlink socket mediation is not 
enforced (ie, you can use this userspace with an old kernel without any issues).

  Testing:
  * 14.10 system with current kernel:
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: TODO (includes 
click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, etc)
  * 14.10 system with previous kernel lacking abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: TODO 
(exploratory manual testing, lxc, libvirt, etc)
   * test-apparmor.py: TODO
   * lightdm guest session: TODO (login, start browser, logout)
  * 14.10 system kernel capable of supporting abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: TODO (incl

[Desktop-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-08-27 Thread Jamie Strandboge 
** Also affects: cups (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: cups-filters (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: cups (Ubuntu)
   Status: New => In Progress

** Changed in: cups-filters (Ubuntu)
   Status: New => In Progress

** Changed in: linux (Ubuntu)
   Status: Incomplete => In Progress

** Changed in: cups (Ubuntu)
 Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: cups-filters (Ubuntu)
 Assignee: (unassigned) => Jamie Strandboge (jdstrand)

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1362199

Title:
  [FFe] apparmor abstract, anonymous and netlink socket mediation

Status in “apparmor” package in Ubuntu:
  In Progress
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  In Progress
Status in “cups” package in Ubuntu:
  In Progress
Status in “cups-filters” package in Ubuntu:
  In Progress
Status in “isc-dhcp” package in Ubuntu:
  In Progress
Status in “libvirt” package in Ubuntu:
  In Progress
Status in “lightdm” package in Ubuntu:
  In Progress
Status in “linux” package in Ubuntu:
  In Progress
Status in “lxc” package in Ubuntu:
  Triaged
Status in “rsyslog” package in Ubuntu:
  In Progress

Bug description:
  Background: kernel and apparmor userspace updates to support abstract,
  anonymous and fine-grained netlink socket mediation. These packages
  are listed in one bug because they are related, but the FFes may be
  granted and the uploads may happen at different times.

  = linux =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket via apparmor in the kernel. When used with a 
compatible apparmor userspace, 'unix' and 'network netlink' rules are 
supported. When used without a compatible apparmor userspace (eg, on a trusty 
system with an utopic backport kernel), abstract, anonymous and fine-grained 
netlink socket mediation is not enforced (ie, you can use this kernel with an 
old userspace without any issues).

  Testing:
  * 14.04 system with backported kernel: TODO
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT 
passes all tests)
  * 14.10 system (non-Touch) with current apparmor userspace: TODO (relevant 
parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures 
unrelated to apparmor))
   * click-apparmor QRT touch image tests: TODO
   * apparmor-easyprof-ubuntu QRT touch image tests: TODO
  * 14.10 system (non-Touch) with updated apparmor userspace capable of 
supporting abstract, anonymous and fine-grained netlink socket: TODO (relevant 
parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures 
unrelated to apparmor))
   * click-apparmor QRT touch image tests: TODO
   * apparmor-easyprof-ubuntu QRT touch image tests: TODO

  Justification:
  This feature is required to support comprehensive application confinement on 
Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest 
isolation which is fundamental to Ubuntu on Server/Cloud. This feature also 
adds a welcome improvement to administrators wishing to further protect their 
systems.

  = apparmor userspace =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket for apparmor userspace. When used with a compatible 
kernel, 'unix' and 'network netlink' rules are supported. When used without a 
compatible apparmor userspace (eg, on a trusty system with an utopic backport 
kernel), abstract, anonymous and fine-grained netlink socket mediation is not 
enforced (ie, you can use this userspace with an old kernel without any issues).

  Testing:
  * 14.10 system with current kernel:
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: TODO (includes 
click-apparmor, apparmor-easyprof-ubuntu, explorator

[Desktop-packages] [Bug 1362199] [NEW] [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-08-27 Thread Jamie Strandboge 
olicy that require updates (eg, libvirt, lxc, etc). The packages outlined in 
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles have been 
tested to either work without modification to the policy or updated and tested 
to work with updated policy. Common rules will be added to the apparmor base 
abstraction such that most packages shipping apparmor policy will not require 
updating. These updates will be prepared, tested and published en masse via a 
silo ppa.

** Affects: apparmor (Ubuntu)
 Importance: Critical
 Status: In Progress

** Affects: apparmor-easyprof-ubuntu (Ubuntu)
 Importance: Undecided
 Assignee: Jamie Strandboge (jdstrand)
 Status: In Progress

** Affects: isc-dhcp (Ubuntu)
 Importance: Undecided
 Assignee: Jamie Strandboge (jdstrand)
 Status: In Progress

** Affects: libvirt (Ubuntu)
 Importance: Undecided
 Assignee: Jamie Strandboge (jdstrand)
 Status: In Progress

** Affects: lightdm (Ubuntu)
 Importance: Undecided
 Assignee: Jamie Strandboge (jdstrand)
 Status: In Progress

** Affects: linux (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: lxc (Ubuntu)
 Importance: Undecided
 Assignee: Jamie Strandboge (jdstrand)
 Status: Triaged

** Affects: rsyslog (Ubuntu)
 Importance: Undecided
 Assignee: Jamie Strandboge (jdstrand)
 Status: In Progress


** Tags: kernel-bot-stop-nagging

** Changed in: apparmor (Ubuntu)
   Importance: Undecided => Critical

** Also affects: apparmor-easyprof-ubuntu (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: libvirt (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: lxc (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: lightdm (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu)
   Importance: Undecided
   Status: New

** Tags added: kernel-bot-stop-nagging

** Also affects: rsyslog (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: isc-dhcp (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: rsyslog (Ubuntu)
   Status: New => In Progress

** Changed in: rsyslog (Ubuntu)
 Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: lightdm (Ubuntu)
 Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: libvirt (Ubuntu)
 Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: isc-dhcp (Ubuntu)
 Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: apparmor-easyprof-ubuntu (Ubuntu)
 Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: lxc (Ubuntu)
 Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: lightdm (Ubuntu)
   Status: New => In Progress

** Changed in: libvirt (Ubuntu)
   Status: New => In Progress

** Changed in: isc-dhcp (Ubuntu)
   Status: New => In Progress

** Changed in: apparmor-easyprof-ubuntu (Ubuntu)
   Status: New => In Progress

** Changed in: apparmor (Ubuntu)
   Status: New => In Progress

** Changed in: lxc (Ubuntu)
   Status: New => Triaged

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1362199

Title:
  [FFe] apparmor abstract, anonymous and netlink socket mediation

Status in “apparmor” package in Ubuntu:
  In Progress
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  In Progress
Status in “isc-dhcp” package in Ubuntu:
  In Progress
Status in “libvirt” package in Ubuntu:
  In Progress
Status in “lightdm” package in Ubuntu:
  In Progress
Status in “linux” package in Ubuntu:
  New
Status in “lxc” package in Ubuntu:
  Triaged
Status in “rsyslog” package in Ubuntu:
  In Progress

Bug description:
  Background: kernel and apparmor userspace updates to support abstract,
  anonymous and fine-grained netlink socket mediation. These packages
  are listed in one bug because they are related, but the FFes may be
  granted and the uploads may happen at different times.

  = linux =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket via apparmor in the kernel. When used with a 
compatible apparmor userspace, 'unix' and 'network netlink' rules are 
supported. When used without a compatible apparmor userspace (eg, on a trusty 
system with an utopic backport kernel), abstract, anonymous and fine-grained 
netlink socket mediation is not enforced (ie, you can use this kernel with an 
old userspace without any issues).

  Testing:
  * 14.04 system with backported kernel: TODO
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: T

[Desktop-packages] [Bug 1298021] Re: Google Chrome (not chromium) won't start in guest session

2014-08-27 Thread Jamie Strandboge 
This will be fixed in the next lightdm upload.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1298021

Title:
  Google Chrome (not chromium) won't start in guest session

Status in “lightdm” package in Ubuntu:
  Fix Released

Bug description:
  Related, but not a dupe of bug 577919
  Install Google Chrome (not chromium) and switch to a guest session
  Start chrome from a terminal
  See the following error:-

  "Failed to move to new PID namespace: Operation not permitted"

  I see these apparmor denials:-

  [Tue Mar 25 12:51:46 2014] type=1400 audit(1395861131.882:541): 
apparmor="DENIED" operation="capable" 
profile="/usr/lib/lightdm/lightdm-guest-session" pid=30034 
comm="chrome-sandbox" capability=21  capname="sys_admin"
  [Tue Mar 25 12:52:13 2014] type=1400 audit(1395861159.510:542): 
apparmor="DENIED" operation="open" 
profile="/usr/lib/lightdm/lightdm-guest-session" 
name="/proc/30062/oom_score_adj" pid=30062 comm="chrome" requested_mask="wc" 
denied_mask="wc" fsuid=130 ouid=130

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: lightdm 1.9.13-0ubuntu1
  ProcVersionSignature: Ubuntu 3.13.0-19.40-generic 3.13.6
  Uname: Linux 3.13.0-19-generic x86_64
  ApportVersion: 2.13.3-0ubuntu1
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Wed Mar 26 19:08:04 2014
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2012-06-29 (634 days ago)
  InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release amd64 
(20120425)
  SourcePackage: lightdm
  UpgradeStatus: Upgraded to trusty on 2014-01-20 (65 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1298021/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1277812] Re: Scrolling using mouse wheel doesn't work

2014-08-26 Thread Jamie Royer 
I've been trying to find an answer to why the scroll wheel doesn't work
and this is the closest thing to it.

Scrolling with the mouse wheel in Chromium, terminal, LibreOffice  works
normally.  It jumps more than I'd like, but it scrolls after one notch
(you can feel the notches as you scroll).

Scrolling with the mouse wheel in Nautilus, Synaptic Package Manager,
Evince is poor.  If you keep scrolling it will eventually scroll up /
down but it is very sporadic and jittery.  The faster you scroll the
sooner it moves.  Using evince as an example, I just scrolled up one
notch at a time (i.e. slowly - about one notch every half second) and
the page moved after the third notch.  I then changed directions and it
moved after the seventh notch.  Try again and get different results.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to banshee in Ubuntu.
https://bugs.launchpad.net/bugs/1277812

Title:
  Scrolling using mouse wheel doesn't work

Status in Banshee Music Player:
  New
Status in “banshee” package in Ubuntu:
  Triaged

Bug description:
  Since I've upgraded to trusty, I can't scroll any pane in banshee
  using the mouse wheel. The scroll bars on the side and keyboard do
  work.

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: banshee 2.9.0-2ubuntu1
  ProcVersionSignature: Ubuntu 3.13.0-6.23-generic 3.13.0
  Uname: Linux 3.13.0-6-generic x86_64
  ApportVersion: 2.13.2-0ubuntu2
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Sat Feb  8 08:14:55 2014
  InstallationDate: Installed on 2013-06-02 (250 days ago)
  InstallationMedia: Ubuntu 13.04 "Raring Ringtail" - Release amd64 (20130424)
  SourcePackage: banshee
  UpgradeStatus: Upgraded to trusty on 2013-12-05 (64 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/banshee/+bug/1277812/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1359615] Re: [precise] critical: flash stopped working after last update

2014-08-21 Thread Jamie Strandboge 
** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1359615

Title:
  [precise] critical: flash stopped working after last update

Status in “chromium-browser” package in Ubuntu:
  New

Bug description:
  Ubuntu released new version of chromium-browser
  (36.0.1985.125-0ubuntu1.12.04.0~pkg897) for LTS 12.04 precise relase.
  After updating chromium-browser from previous version
  (34.0.1847.116-0ubuntu~1.12.04.0~pkg884) flash plugin stopped working.

  Flash plugin is properly installed but it chromium does not see it and
  show message that is not installed. Firefox has no problem and can
  load flash object.

  I suspect that this is because of dropping NPAPI support in chrome 36.
  But ubuntu does not have pepper flash in repositories so it is not
  possible to use flash on 12.04 anymore.

  So this is critical problem because one month ago everything worked
  fine and new *broken* version of chromium-browser is in precise-
  security/universe archive. I suggest to revert chromium back to
  *working* version or do something else -- because new *security*
  update totally broke flash support on 12.04 LTS release.

  Once again 12.04 is LTS release where is expected that updates marked
  as security will *not* break existing application support -- this is
  not *experimental* update.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1359615/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1230091] Re: [enhancement] Trusted Session surface management (required for appstore app trust model), modal subwindows

2014-08-20 Thread Jamie Strandboge 
I didn't here back on the bug, however, online accounts and trust-store
now have sufficient Mir support to utilize trust sessions, and we can
therefore remove the rtm14 tag and likely reduce the severity. I will
take care of the Ubuntu tasks.

** Tags removed: application-confinement rtm14

** No longer affects: apparmor-easyprof-ubuntu (Ubuntu)

** Changed in: signon (Ubuntu)
   Status: Confirmed => Invalid

** Changed in: content-hub
   Status: Triaged => Invalid

** Changed in: signon (Ubuntu)
   Importance: Critical => Undecided

** Changed in: content-hub
   Importance: Medium => Undecided

** Changed in: unity-mir (Ubuntu)
   Importance: Critical => Undecided

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to signon in Ubuntu.
https://bugs.launchpad.net/bugs/1230091

Title:
  [enhancement] Trusted Session surface management (required for
  appstore app trust model), modal subwindows

Status in Content sharing/picking infrastructure and service:
  Invalid
Status in Mir:
  Triaged
Status in Unity Mir:
  Triaged
Status in “signon” package in Ubuntu:
  Invalid
Status in “unity-mir” package in Ubuntu:
  Confirmed

Bug description:
  (I'm filing this as a bug in order to be able to point other people to
  it, and to track its progress; if there's a blueprint containing this
  task, please let me know)

  Some components (such as the Online Accounts trusted helper) need to
  be able to pop-up a window (typically, a dialog) on top of the running
  application. Such windows should be modal to the application, that is
  the user should not be able to interact with the application while the
  modal window is displayed on top of them. This also means that in the
  task switcher one shouldn't see two windows, but only the topmost
  modal window (and parts of the application window, in case the modal
  window on top is a non-fullscreen dialog).

  For developers, this API already exists in Qt: see 
https://qt-project.org/doc/qt-5.1/qtgui/qwindow.html#fromWinId
  It needs to be implemented in the QPA plugin, so feel free to add the 
relevant projects to the bug report.

  From jdstrand>
  This is a hard requirement for application confinement because of our trust 
model-- permission to access sensitive data by AppStore apps is typically 
granted or denied at the time of access (caching the result for later use as 
appropriate), so users have a context for the access being requested. We do 
this instead of throwing up a permissions prompt at installation. However, for 
it to work, trusted helpers like online accounts and location require this 
functionality from unity-mir. A trust-store is also being implemented so other 
services like calendar and contacts can do the same. Because this feature is 
not implemented, the implementation for online accounts, location and the 
trust-store is blocked and appstore apps are therefore able to access these 
services without the user knowing.

To manage notifications about this bug go to:
https://bugs.launchpad.net/content-hub/+bug/1230091/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1308488] Re: apparmor messages when opening pdfs attached to mail

2014-08-13 Thread Jamie Strandboge 
No it wasn't, sorry. Uploading the proper policy now. Thanks!

** Changed in: evince (Ubuntu)
   Status: Fix Released => In Progress

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1308488

Title:
  apparmor messages when opening pdfs attached to mail

Status in “evince” package in Ubuntu:
  In Progress

Bug description:
  When opening a pdf file which is attached to a mail with evolution the
  following errors are raised

  Apr 16 12:09:04 nb-heiko kernel: [14156.403031] type=1400 
audit(1397642944.077:117): apparmor="DENIED" operation="mkdir" 
profile="/usr/bin/evince" name="/run/user/1000/at-spi2-Z05FEX/" pid=23527 
comm="evince" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
  Apr 16 12:22:25 nb-heiko kernel: [14958.101986] type=1400 
audit(1397643745.129:118): apparmor="DENIED" operation="mkdir" 
profile="/usr/bin/evince" name="/run/user/1000/at-spi2-YJUBEX/" pid=23828 
comm="evince" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
  Apr 16 12:26:33 nb-heiko kernel: [15206.548457] type=1400 
audit(1397643993.373:119): apparmor="DENIED" operation="mkdir" 
profile="/usr/bin/evince" name="/run/user/1000/at-spi2-HKSAEX/" pid=24771 
comm="evince" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
  Apr 16 12:26:57 nb-heiko kernel: [15230.855886] type=1400 
audit(1397644017.661:120): apparmor="DENIED" operation="open" 
profile="/usr/bin/evince" name="/dev/tty" pid=24771 comm="evince" 
requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
  Apr 16 12:27:06 nb-heiko kernel: [15240.062832] type=1400 
audit(1397644026.861:121): apparmor="DENIED" operation="mkdir" 
profile="/usr/bin/evince" name="/run/user/1000/at-spi2-40AZDX/" pid=24834 
comm="evince" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
  Apr 16 12:37:16 nb-heiko kernel: [15850.176969] type=1400 
audit(1397644636.485:122): apparmor="DENIED" operation="mkdir" 
profile="/usr/bin/evince" name="/run/user/1000/at-spi2-99C7DX/" pid=3982 
comm="evince" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

  
  I'm using Ubuntu 14.04 with Gnom3 ppas enabled.

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: evince-common 3.11.92-0ubuntu1~trusty1 [origin: 
LP-PPA-gnome3-team-gnome3-staging]
  ProcVersionSignature: Ubuntu 3.13.0-24.46-generic 3.13.9
  Uname: Linux 3.13.0-24-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3
  Architecture: amd64
  CurrentDesktop: GNOME
  Date: Wed Apr 16 13:22:40 2014
  EcryptfsInUse: Yes
  PackageArchitecture: all
  SourcePackage: evince
  UpgradeStatus: Upgraded to trusty on 2014-03-21 (25 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1308488/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1236079] Re: evince crashed with SIGSEGV in gtk_container_accessible_remove_gtk()

2014-08-12 Thread Jamie Strandboge 
*** This bug is a duplicate of bug 1096837 ***
https://bugs.launchpad.net/bugs/1096837

** This bug has been marked a duplicate of bug 1096837
   [apparmor] Evince does not save files to external disks unless I rename them 
with the .pdf extension

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1236079

Title:
  evince crashed with SIGSEGV in gtk_container_accessible_remove_gtk()

Status in “evince” package in Ubuntu:
  Confirmed

Bug description:
  Ubuntu 13.10

  evince:
Installed: 3.10.0-0ubuntu1
Candidate: 3.10.0-0ubuntu1
Version table:
   *** 3.10.0-0ubuntu1 0
  500 http://archive.ubuntu.com/ubuntu/ saucy/main i386 Packages
  500 http://gb.archive.ubuntu.com/ubuntu/ saucy/main i386 Packages
  100 /var/lib/dpkg/status
  I was not expecting anything to happen it just did while I was copying and 
saving files on a USB stick.

  What happened was an unexpected error message.  I have reported this
  as a new bug because all the existing similar bugs appear to have been
  resolved in older versions.

  ProblemType: Crash
  DistroRelease: Ubuntu 13.10
  Package: evince 3.10.0-0ubuntu1
  ProcVersionSignature: Ubuntu 3.11.0-11.17-generic 3.11.3
  Uname: Linux 3.11.0-11-generic i686
  ApportVersion: 2.12.5-0ubuntu1
  Architecture: i386
  Date: Sun Oct  6 21:56:37 2013
  ExecutablePath: /usr/bin/evince
  InstallationDate: Installed on 2013-10-04 (1 days ago)
  InstallationMedia: Ubuntu 13.10 "Saucy Salamander" - Beta i386 (20130925.1)
  MarkForUpload: True
  ProcCmdline: BOOT_IMAGE=/boot/vmlinuz-3.11.0-11-generic 
root=UUID=2c8732de-2be7-4477-b39e-cd33df0f05ea ro quiet splash vt.handoff=7
  ProcEnviron:
   LANGUAGE=en_GB:en
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_GB.UTF-8
   SHELL=/bin/bash
  SegvAnalysis:
   Segfault happened at: 0xb74a5409:mov0xcc(%eax),%edx
   PC (0xb74a5409) ok
   source "0xcc(%eax)" (0x00cc) not located in a known VMA region (needed 
readable region)!
   destination "%edx" ok
  SegvReason: reading NULL VMA
  Signal: 11
  SourcePackage: evince
  StacktraceTop:
   ?? () from /usr/lib/i386-linux-gnu/libgtk-3.so.0
   g_cclosure_marshal_VOID__OBJECT () from 
/usr/lib/i386-linux-gnu/libgobject-2.0.so.0
   g_closure_invoke () from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
   ?? () from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
   g_signal_emit_valist () from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
  Title: evince crashed with SIGSEGV in g_cclosure_marshal_VOID__OBJECT()
  UpgradeStatus: No upgrade log present (probably fresh install)
  UserGroups: adm cdrom dip lpadmin plugdev sambashare sudo

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1236079/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1320132] Re: Evince crashes with segmentation fault

2014-08-12 Thread Jamie Strandboge 
** Tags removed: apparmor

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1320132

Title:
  Evince crashes with segmentation fault

Status in “evince” package in Ubuntu:
  New

Bug description:
  1. Open the pdf attached
  2. See evince crashing with segmentation fault

  I tried to deliver a backtrace but failed. Behaviour is somewhat different in 
gdb - evince freezes now and does not crash. When I close evince and get back 
to the terminal I am not able to type anything in the command line. CTRC+C does 
not help.
  This is how far I got:

  GNU gdb (Ubuntu 7.7-0ubuntu3) 7.7
  Copyright (C) 2014 Free Software Foundation, Inc.
  License GPLv3+: GNU GPL version 3 or later 
  This is free software: you are free to change and redistribute it.
  There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
  and "show warranty" for details.
  This GDB was configured as "x86_64-linux-gnu".
  Type "show configuration" for configuration details.
  For bug reporting instructions, please see:
  .
  Find the GDB manual and other documentation resources online at:
  .
  For help, type "help".
  Type "apropos word" to search for commands related to "word"...
  Reading symbols from evince...(no debugging symbols found)...done.
  (gdb) sdhandle SIG33 pass nostop noprint
  SignalStopPrint   Pass to program Description
  SIG33 No  No  Yes Real-time event 33
  (gdb) set pagination 0
  (gdb) run
  Starting program: /usr/bin/evince 
  [Thread debugging using libthread_db enabled]
  Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
  [New Thread 0x7f0453194700 (LWP 25150)]
  [New Thread 0x7f0452786700 (LWP 25151)]
  [New Thread 0x7f0451f85700 (LWP 25152)]
  [New Thread 0x7f0451784700 (LWP 25153)]
  [New Thread 0x7f042d761700 (LWP 25154)]
  [Thread 0x7f042d761700 (LWP 25154) exited]
  [New Thread 0x7f042d761700 (LWP 25158)]
  [Thread 0x7f042d761700 (LWP 25158) exited]
  [New Thread 0x7f042d761700 (LWP 25162)]
  [New Thread 0x7f04274ce700 (LWP 25163)]
  [New Thread 0x7f0426ccd700 (LWP 25164)]
  [Thread 0x7f04274ce700 (LWP 25163) exited]
  [Thread 0x7f0426ccd700 (LWP 25164) exited]

  Program received signal SIGSEGV, Segmentation fault.
  [Switching to Thread 0x7f042d761700 (LWP 25162)]
  0x7f045c8effd5 in ?? () from /usr/lib/x86_64-linux-gnu/libcairo.so.2
  (gdb)

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: evince 3.10.3-0ubuntu10
  ProcVersionSignature: Ubuntu 3.13.0-24.47-generic 3.13.9
  Uname: Linux 3.13.0-24-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3.1
  Architecture: amd64
  CurrentDesktop: XFCE
  Date: Fri May 16 09:51:48 2014
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2013-11-26 (170 days ago)
  InstallationMedia: Xubuntu 13.10 "Saucy Salamander" - Release amd64 (20131016)
  SourcePackage: evince
  UpgradeStatus: Upgraded to trusty on 2014-04-22 (23 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1320132/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1303171] Re: switching to overwrite mode with insert key, close evince, delete PDF results in crash

2014-08-12 Thread Jamie Strandboge 
*** This bug is a duplicate of bug 1096837 ***
https://bugs.launchpad.net/bugs/1096837

** This bug is no longer a duplicate of bug 1236079
   evince crashed with SIGSEGV in gtk_container_accessible_remove_gtk()
** This bug has been marked a duplicate of bug 1096837
   [apparmor] Evince does not save files to external disks unless I rename them 
with the .pdf extension

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1303171

Title:
  switching to overwrite mode with insert key, close evince, delete PDF
  results in crash

Status in “evince” package in Ubuntu:
  New

Bug description:
  opening this file
  
http://www.aok.de/assets/media/nordost/zuzahlungsbefreiung-antrag-erstattung.pdf

  in evince version 3.10.3 and entering data in the table works fine

  If you enable overwrite mode with insert key on keyboard entering text
  is not possible anymore in evince. Cut and paste works via right mouse
  button click, though.

  
  Closing evince and deleting PDF file from desktop via right mouse button 
click results in crash in evince.

  ProblemType: Crash
  DistroRelease: Ubuntu 14.04
  Package: evince 3.10.3-0ubuntu10
  ProcVersionSignature: Ubuntu 3.13.0-22.44-generic 3.13.8
  Uname: Linux 3.13.0-22-generic i686
  ApportVersion: 2.14-0ubuntu1
  Architecture: i386
  CrashCounter: 1
  CurrentDesktop: LXDE
  Date: Sat Apr  5 23:01:28 2014
  ExecutablePath: /usr/bin/evince
  InstallationDate: Installed on 2014-03-29 (7 days ago)
  InstallationMedia: Lubuntu 14.04 LTS "Trusty Tahr" - Beta i386 (20140326)
  ProcCmdline: BOOT_IMAGE=/boot/vmlinuz-3.13.0-22-generic 
root=UUID=cc6833db-542d-41b5-9976-8a516ce458d4 ro quiet splash vt.handoff=7
  SegvAnalysis: Skipped: missing required field "Disassembly"
  Signal: 11
  SourcePackage: evince
  UpgradeStatus: No upgrade log present (probably fresh install)
  UserGroups: adm cdrom dialout dip fax floppy fuse lpadmin plugdev sambashare 
sudo tape vboxusers video

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1303171/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1000919] Re: Pages and documents have delayed scrolling and documents won't close when I click on the X

2014-08-12 Thread Jamie Strandboge 
** Tags removed: apparmor

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1000919

Title:
  Pages and documents have delayed scrolling and documents won't close
  when I click on the X

Status in “evince” package in Ubuntu:
  New

Bug description:
  Scrolling on webpages and documents is delayed and sometimes doesn't
  even work.  I am trying to close out a pdf document and it won't
  close.  I have had this probelm before.

  ProblemType: Bug
  DistroRelease: Ubuntu 11.10
  Package: evince 3.2.1-0ubuntu2.2
  ProcVersionSignature: Ubuntu 3.0.0-19.33-generic 3.0.27
  Uname: Linux 3.0.0-19-generic x86_64
  NonfreeKernelModules: nvidia
  ApportVersion: 1.23-0ubuntu4
  Architecture: amd64
  Date: Thu May 17 14:22:52 2012
  ExecutablePath: /usr/bin/evince
  InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Release amd64 (20110427.1)
  ProcEnviron:
   PATH=(custom, no user)
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: evince
  UpgradeStatus: Upgraded to oneiric on 2011-11-28 (171 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1000919/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1344810] Re: etc/apparmor.d/usr.bin.evince should allow /run/user/*/gvfs-metadata/**

2014-08-12 Thread Jamie Strandboge 
** Changed in: evince (Ubuntu)
   Status: New => In Progress

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1344810

Title:
  etc/apparmor.d/usr.bin.evince should allow /run/user/*/gvfs-
  metadata/**

Status in “evince” package in Ubuntu:
  In Progress

Bug description:
  /etc/apparmor.d/usr.bin.evince has a line

@{HOME}/.local/share/gvfs-metadata/** l,

  However, it is possible (seen on trusty) for session state files to be stored 
under /run/user// instead of ~/.local/share/ . Please consider adding
owner /run/user/*/gvfs-metadata/** l,
  to the apparmor profile.

  Moreover (but this may be worth discussing and tracking separately)
  I've seen evince being denied "r" access to gvfs-
  metadata/home-[[:xdigit:]]+.log . I'm not sure what it needs that
  access for, but maybe there is a legitimate need?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1344810/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1348473] Re: when printing if I selet custom pages the print order is wrong

2014-08-12 Thread Jamie Strandboge 
** Tags removed: apparmor

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1348473

Title:
  when printing if I selet custom pages the print order is wrong

Status in “evince” package in Ubuntu:
  New

Bug description:
  I have hp 1515 printer. for example I have a document includes 10
  pages. When I select 5 6 7 pages to print I expect first it prints 7.
  page and 5. last. But it prints 5. page first and 7. page last. It is
  wrong because everytime I have to order papers by hand again.

  Thanks

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: evince 3.10.3-0ubuntu10.1
  ProcVersionSignature: Ubuntu 3.13.0-32.57-generic 3.13.11.4
  Uname: Linux 3.13.0-32-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3.2
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Fri Jul 25 07:10:23 2014
  ExecutablePath: /usr/bin/evince
  InstallationDate: Installed on 2014-07-23 (1 days ago)
  InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140417)
  ProcEnviron:
   LANGUAGE=tr
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=tr_TR.UTF-8
   SHELL=/bin/bash
  SourcePackage: evince
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1348473/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1279387] Re: Crtl+ and page keys doesn't doing proper cursor movement operation if caret navigation feature enabled

2014-08-12 Thread Jamie Strandboge 
** Tags removed: apparmor

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1279387

Title:
  Crtl+ and page keys doesn't doing proper cursor movement operation if
  caret navigation feature enabled

Status in Evince document viewer:
  Fix Released
Status in “evince” package in Ubuntu:
  Triaged

Bug description:
  Dear Developers,

  If Evince 3.10.3 version the caret navigation support is enabled (require 
this if a visually impaired user want reading a PDF file with screen reader 
support), CTRL+HOME, CTRL+END, CTRL+SHIFT+HOME, CTRL+SHIFT+END, PAGEUP, 
PAGEDOWN keys doesn't doing proper cursor movement operation.
  Steps to reproduce:
  1. Launch evince, and opening a PDF file.
  2. Press F7 key to enable caret navigation support, the popup dialog click 
enable button.
  After this, normal arrow keys doing proper cursor movement operations, 
SHIFT+ARROW keys doing normal selection operations, CTRL+SHIFT+ARROW keys 
selecting the proper direction of the text (word, paragraph).
  3. Try pressing CTRL+HOME, CTRL+END, CTRL+SHIFT+HOME, CTRL+SHIFT+END, PAGEUP, 
PAGEDOWN keystrokes.
  Expected result if caret navigation support enabled: happening the proper 
cursor movement operation. CTRL+HOME jumps top of the document, CTRL+END jumps 
end of the document, pageup switch I think one page back, PAGEDOWN switch next 
page. CTRL+SHIFT+HOME need selecting from actual cursor position to top of the 
document, CTRL+SHIFT+END need selecting from cursor position to the end of the 
document.
  Actual result: this keystrokes nothing doing.

  If PAGEUP and PAGEDOWN related not possible goto the next or previous
  page, enough to large parts scrolling the caret.

  Attila

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: evince 3.10.3-0ubuntu6
  ProcVersionSignature: Ubuntu 3.13.0-8.28-generic 3.13.2
  Uname: Linux 3.13.0-8-generic i686
  ApportVersion: 2.13.2-0ubuntu2
  Architecture: i386
  CurrentDesktop: GNOME
  Date: Wed Feb 12 16:23:12 2014
  InstallationDate: Installed on 2013-12-13 (61 days ago)
  InstallationMedia: BeLin 3.02 i386
  SourcePackage: evince
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/evince/+bug/1279387/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1158223] Re: evince prints crop marks

2014-08-12 Thread Jamie Strandboge 
** Tags removed: apparmor

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1158223

Title:
  evince prints crop marks

Status in Evince document viewer:
  New
Status in “evince” package in Ubuntu:
  Triaged

Bug description:
  When printing the attached PDF file crop marks from Adobe Reader on
  Windows, it prints nice A4 pages without crop marks.

  On Ubuntu 12.04 LTS, evince prints the attached PDF file with crop
  marks - and also select A3 paper instead of A4.

  The intent of the author was clearly to print without crop marks by
  default.

  ProblemType: Bug
  DistroRelease: Ubuntu 12.04
  Package: evince 3.4.0-0ubuntu1.6
  ProcVersionSignature: Ubuntu 3.2.0-38.61-generic 3.2.37
  Uname: Linux 3.2.0-38-generic x86_64
  NonfreeKernelModules: nvidia
  ApportVersion: 2.0.1-0ubuntu17.1
  Architecture: amd64
  Date: Thu Mar 21 11:26:22 2013
  MarkForUpload: True
  ProcEnviron:
   LANGUAGE=fr_FR:
   TERM=xterm
   PATH=(custom, no user)
   LANG=fr_FR.UTF-8
   SHELL=/bin/bash
  SourcePackage: evince
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/evince/+bug/1158223/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1303200] Re: evince crashed with SIGSEGV

2014-08-12 Thread Jamie Strandboge 
** Tags removed: apparmor

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1303200

Title:
  evince crashed with SIGSEGV

Status in “evince” package in Ubuntu:
  New

Bug description:
  evince failed to close while having a fillable form PDF file from the
  United States Internal Revenue Service open.

  ProblemType: Crash
  DistroRelease: Ubuntu 14.04
  Package: evince 3.10.3-0ubuntu10
  ProcVersionSignature: Ubuntu 3.13.0-23.45-generic 3.13.8
  Uname: Linux 3.13.0-23-generic i686
  ApportVersion: 2.14.1-0ubuntu1
  Architecture: i386
  CurrentDesktop: XFCE
  Date: Sat Apr  5 21:31:01 2014
  Disassembly: No symbol table is loaded.  Use the "file" command.
  ExecutablePath: /usr/bin/evince
  InstallationDate: Installed on 2014-01-21 (75 days ago)
  InstallationMedia: Xubuntu 13.10 "Saucy Salamander" - Release i386 (20131016)
  ProcCmdline: BOOT_IMAGE=/boot/vmlinuz-3.13.0-23-generic 
root=UUID=525d5b24-f047-466b-8672-a77337d8ce61 ro quiet splash vt.handoff=7
  Registers: => 0xb7436399: Cannot access memory at address 0xb7436399
  SegvAnalysis: Failure: invalid literal for int() with base 16: '0xb7436399:'
  Signal: 11
  SourcePackage: evince
  StacktraceTop:
   
  Title: evince crashed with SIGSEGV
  UpgradeStatus: Upgraded to trusty on 2014-03-10 (26 days ago)
  UserGroups: adm cdrom dip lpadmin plugdev sambashare sudo

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1303200/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1308488] Re: apparmor messages when opening pdfs attached to mail

2014-08-12 Thread Jamie Strandboge 
** Changed in: evince (Ubuntu)
   Status: Confirmed => In Progress

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1308488

Title:
  apparmor messages when opening pdfs attached to mail

Status in “evince” package in Ubuntu:
  In Progress

Bug description:
  When opening a pdf file which is attached to a mail with evolution the
  following errors are raised

  Apr 16 12:09:04 nb-heiko kernel: [14156.403031] type=1400 
audit(1397642944.077:117): apparmor="DENIED" operation="mkdir" 
profile="/usr/bin/evince" name="/run/user/1000/at-spi2-Z05FEX/" pid=23527 
comm="evince" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
  Apr 16 12:22:25 nb-heiko kernel: [14958.101986] type=1400 
audit(1397643745.129:118): apparmor="DENIED" operation="mkdir" 
profile="/usr/bin/evince" name="/run/user/1000/at-spi2-YJUBEX/" pid=23828 
comm="evince" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
  Apr 16 12:26:33 nb-heiko kernel: [15206.548457] type=1400 
audit(1397643993.373:119): apparmor="DENIED" operation="mkdir" 
profile="/usr/bin/evince" name="/run/user/1000/at-spi2-HKSAEX/" pid=24771 
comm="evince" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
  Apr 16 12:26:57 nb-heiko kernel: [15230.855886] type=1400 
audit(1397644017.661:120): apparmor="DENIED" operation="open" 
profile="/usr/bin/evince" name="/dev/tty" pid=24771 comm="evince" 
requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
  Apr 16 12:27:06 nb-heiko kernel: [15240.062832] type=1400 
audit(1397644026.861:121): apparmor="DENIED" operation="mkdir" 
profile="/usr/bin/evince" name="/run/user/1000/at-spi2-40AZDX/" pid=24834 
comm="evince" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
  Apr 16 12:37:16 nb-heiko kernel: [15850.176969] type=1400 
audit(1397644636.485:122): apparmor="DENIED" operation="mkdir" 
profile="/usr/bin/evince" name="/run/user/1000/at-spi2-99C7DX/" pid=3982 
comm="evince" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

  
  I'm using Ubuntu 14.04 with Gnom3 ppas enabled.

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: evince-common 3.11.92-0ubuntu1~trusty1 [origin: 
LP-PPA-gnome3-team-gnome3-staging]
  ProcVersionSignature: Ubuntu 3.13.0-24.46-generic 3.13.9
  Uname: Linux 3.13.0-24-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3
  Architecture: amd64
  CurrentDesktop: GNOME
  Date: Wed Apr 16 13:22:40 2014
  EcryptfsInUse: Yes
  PackageArchitecture: all
  SourcePackage: evince
  UpgradeStatus: Upgraded to trusty on 2014-03-21 (25 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1308488/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1327534] Re: Upon opening some pdf-files Evince causes the PC to freeze completely

2014-08-12 Thread Jamie Strandboge 
** Tags removed: apparmor

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1327534

Title:
  Upon opening some pdf-files Evince causes the PC to freeze completely

Status in “evince” package in Ubuntu:
  New

Bug description:
  After opening couple dozen pdf files one after another (closing
  previous before) a random pdf caused the whole system to freeze,
  totally. Had to force shutdown from the power button, losing all my
  work. After boot the same document opens fine. The unpredictability of
  which pdf file will freeze the system next makes using Evince a bad
  gamble.

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: evince 3.10.3-0ubuntu10
  ProcVersionSignature: Ubuntu 3.13.0-29.53-generic 3.13.11.2
  Uname: Linux 3.13.0-29-generic i686
  ApportVersion: 2.14.1-0ubuntu3.2
  Architecture: i386
  CurrentDesktop: LXDE
  Date: Sat Jun  7 14:58:26 2014
  SourcePackage: evince
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1327534/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1289023] Re: Some contents is missing while printing a pdf (text on 1st page)

2014-08-12 Thread Jamie Strandboge 
** Tags removed: apparmor

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1289023

Title:
  Some contents is missing while printing a pdf (text on 1st page)

Status in “evince” package in Ubuntu:
  New

Bug description:
  When printing the following PDF (see attachment) with evince, I got a
  "blank" page for the first page (see output.pdf).

  Maybe related to libcairo instead of evince, I don't know, and maybe
  it's already know/fixed upstream.

  This PDF display and print correctly with okular.

  I've generated "output.pdf" by printing to a file, I get the same
  thing on my printer.

  I'm running Ubuntu 12.04.4 with all update applied.

  As this is a bill came from a hardware reseller, I've removed some personals 
informations (like postbox, and account number) with pdfedit, so there is no 
more confidential data on it.
  Please note, the original document trigger exactly the same problem (pdfedit 
didn't change anything).

  ProblemType: Bug
  DistroRelease: Ubuntu 12.04
  Package: evince 3.4.0-0ubuntu1.7
  ProcVersionSignature: Ubuntu 3.11.0-17.31~precise1-generic 3.11.10.3
  Uname: Linux 3.11.0-17-generic x86_64
  ApportVersion: 2.0.1-0ubuntu17.6
  Architecture: amd64
  Date: Thu Mar  6 23:02:19 2014
  MarkForUpload: True
  SourcePackage: evince
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1289023/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1214874] Re: evince save pdf with read only permissions

2014-08-12 Thread Jamie Strandboge 
*** This bug is a duplicate of bug 1096837 ***
https://bugs.launchpad.net/bugs/1096837

** This bug has been marked a duplicate of bug 1096837
   [apparmor] Evince does not save files to external disks unless I rename them 
with the .pdf extension

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1214874

Title:
  evince save pdf with read only permissions

Status in “evince” package in Ubuntu:
  Confirmed

Bug description:
  evince save pdf with read only permissions instead of read/write.
  After saving the file, evince can not create new folder in the folder where 
was saved the file.

  The pdf was opened from thunderbird

  ProblemType: Bug
  DistroRelease: Ubuntu 13.04
  Package: evince 3.6.1-1ubuntu3
  ProcVersionSignature: Ubuntu 3.8.0-29.42-generic 3.8.13.5
  Uname: Linux 3.8.0-29-generic x86_64
  ApportVersion: 2.9.2-0ubuntu8.3
  Architecture: amd64
  Date: Wed Aug 21 14:25:59 2013
  InstallationDate: Installed on 2013-07-10 (41 days ago)
  InstallationMedia: Ubuntu 13.04 "Raring Ringtail" - Release amd64 (20130424)
  MarkForUpload: True
  SourcePackage: evince
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1214874/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1131196] Re: unity appear and disapear very fast with evince in presentation mode and switching desktop

2014-08-12 Thread Jamie Strandboge 
** Tags removed: apparmor

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1131196

Title:
  unity appear and disapear very fast with evince in presentation mode
  and switching desktop

Status in “evince” package in Ubuntu:
  New

Bug description:
  I put a pdf in presentation mode in evince and then switch to the
  right desktop. When coming back, unity appear and disappear very fast
  during the changing desktop picture.

  ProblemType: Bug
  DistroRelease: Ubuntu 12.04
  Package: evince 3.4.0-0ubuntu1.4
  ProcVersionSignature: Ubuntu 3.5.0-24.37~precise1-generic 3.5.7.4
  Uname: Linux 3.5.0-24-generic x86_64
  NonfreeKernelModules: nvidia wl
  ApportVersion: 2.0.1-0ubuntu17.1
  Architecture: amd64
  Date: Thu Feb 21 12:44:43 2013
  InstallationMedia: Ubuntu 12.04.2 LTS "Precise Pangolin" - Release amd64 
(20130213)
  MarkForUpload: True
  ProcEnviron:
   PATH=(custom, no user)
   LANG=fr_FR.UTF-8
   SHELL=/bin/bash
  SourcePackage: evince
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1131196/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1188395] Re: evince fires asserts

2014-08-12 Thread Jamie Strandboge 
** Tags removed: apparmor

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1188395

Title:
  evince fires asserts

Status in “evince” package in Ubuntu:
  Confirmed

Bug description:
  Evince fires two asserts when displaying a pdf.

  jeff@lorax:~ $ evince /tmp/foo.pdf

  (evince:9853): GLib-GObject-WARNING **:
  /build/buildd/glib2.0-2.36.0/./gobject/gsignal.c:2593: instance
  `0xb8865580' has no handler with id `4368'

  (evince:9853): GLib-GObject-WARNING **: 
/build/buildd/glib2.0-2.36.0/./gobject/gsignal.c:2593: instance `0xb8865580' 
has no handler with id `4369'
  jeff@lorax:~ $ ubuntu-bug evince

  ProblemType: Bug
  DistroRelease: Ubuntu 13.04
  Package: evince 3.6.1-1ubuntu3
  ProcVersionSignature: Ubuntu 3.8.0-23.34-generic 3.8.11
  Uname: Linux 3.8.0-23-generic i686
  ApportVersion: 2.9.2-0ubuntu8
  Architecture: i386
  Date: Thu Jun  6 21:47:12 2013
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2010-03-13 (1181 days ago)
  InstallationMedia: Ubuntu-Netbook-Remix 9.10 "Karmic Koala" - Release i386 
(20091028.4)
  MarkForUpload: True
  ProcEnviron:
   TERM=xterm
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_GB.UTF-8
   SHELL=/bin/bash
  SourcePackage: evince
  UpgradeStatus: Upgraded to raring on 2013-04-28 (39 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1188395/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1188379] Re: Processor overhead

2014-08-12 Thread Jamie Strandboge 
** Tags removed: apparmor

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1188379

Title:
  Processor overhead

Status in “evince” package in Ubuntu:
  New

Bug description:
  When I start my ASUS Z53J F3JC  with the wireless switch set to OFF
  the Duo T5500 CPU is constantly overloaded to 70% and more.

  If I move the switch to ON load of every core goes down becoming
  regular.

  Maybe a kernel bug?

  ProblemType: Bug
  DistroRelease: Ubuntu 13.04
  Package: evince 3.6.1-1ubuntu3
  ProcVersionSignature: Ubuntu 3.8.0-23.34-generic 3.8.11
  Uname: Linux 3.8.0-23-generic i686
  NonfreeKernelModules: nvidia
  ApportVersion: 2.9.2-0ubuntu8.1
  Architecture: i386
  Date: Thu Jun  6 22:10:57 2013
  EcryptfsInUse: Yes
  MarkForUpload: True
  SourcePackage: evince
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1188379/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1184228] Re: Evince CTRL+N command, new window, no display

2014-08-12 Thread Jamie Strandboge 
** Tags removed: apparmor

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1184228

Title:
  Evince  CTRL+N command, new window, no display

Status in “evince” package in Ubuntu:
  New

Bug description:
  To reproduce in 12.04. Open a PDF to run Evince. Go to an arbitrary
  page with some content displayed. Select a zoom level so that
  something is displayed.

  Hit CTRL+N. A new window shows but has blank display. The workaround
  for now is to adjust zoom. Then PDF page is displayed. Should not need
  to do this, because last window displayed the content.

  ProblemType: Bug
  DistroRelease: Ubuntu 12.04
  Package: evince 3.4.0-0ubuntu1.4
  ProcVersionSignature: Ubuntu 3.5.0-23.35~precise1-generic 3.5.7.2
  Uname: Linux 3.5.0-23-generic x86_64
  ApportVersion: 2.0.1-0ubuntu17.1
  Architecture: amd64
  Date: Sat May 25 18:27:36 2013
  ExecutablePath: /usr/bin/evince
  MarkForUpload: True
  ProcAttrCurrent: /usr/bin/evince (enforce)
  ProcEnviron:
   PATH=(custom, no user)
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: evince
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1184228/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1159724] Re: Error setting extended attribute 'xdg.origin.url' while saving a duplicate

2014-08-12 Thread Jamie Strandboge 
*** This bug is a duplicate of bug 1096837 ***
https://bugs.launchpad.net/bugs/1096837

** This bug has been marked a duplicate of bug 1096837
   [apparmor] Evince does not save files to external disks unless I rename them 
with the .pdf extension

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1159724

Title:
  Error setting extended attribute 'xdg.origin.url' while saving a
  duplicate

Status in Thunar file manager:
  New
Status in “evince” package in Ubuntu:
  Confirmed

Bug description:
  When I download a file from Chromium by choosing the "open" option (so
  the file is saved in /tmp AFAIK), when I do a file-save copy... I get
  this error in the red ribbon:

  Error setting extended attribute 'xdg.origin.url': Operation not
  supported

  The file seems to save fine, though, so there seems to be no reason
  for this error notification.

  Don't know if it makes a difference, but my /tmp is set to mount in
  memory, since I run a SSD. This is my fstab entry:

  tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0

  Expected behaviour - no error notification.

  ProblemType: Bug
  DistroRelease: Ubuntu 12.10
  Package: evince 3.6.0-0ubuntu2
  ProcVersionSignature: Ubuntu 3.5.0-25.39-generic 3.5.7.4
  Uname: Linux 3.5.0-25-generic x86_64
  ApportVersion: 2.6.1-0ubuntu10
  Architecture: amd64
  Date: Mon Mar 25 11:43:48 2013
  InstallationDate: Installed on 2012-10-19 (156 days ago)
  InstallationMedia: Ubuntu 12.10 "Quantal Quetzal" - Release amd64 (20121017.5)
  MarkForUpload: True
  SourcePackage: evince
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/thunar/+bug/1159724/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1173807] Re: Failed to create cairo scaled font

2014-08-12 Thread Jamie Strandboge 
*** This bug is a duplicate of bug 1096837 ***
https://bugs.launchpad.net/bugs/1096837

** This bug has been marked a duplicate of bug 1096837
   [apparmor] Evince does not save files to external disks unless I rename them 
with the .pdf extension

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1173807

Title:
  Failed to create cairo scaled font

Status in “evince” package in Ubuntu:
  Confirmed

Bug description:
  Evince UI is broken in a way that all UI caracters are replaced with squares 
(http://i.imgur.com/JeeLOBE.png). 
  On launching from the command line, with no document:

  $evince

  (evince:30876): Pango-WARNING **: failed to create cairo scaled font,
  expect ugly output. the offending font is 'Ubuntu Light 11'

  (evince:30876): Pango-WARNING **: font_face status is: out of memory

  (evince:30876): Pango-WARNING **: scaled_font status is: out of memory

  (evince:30876): Pango-WARNING **: shaping failure, expect ugly output.
  shape-engine='BasicEngineFc', font='Ubuntu Light 11', text='?'

  (evince:30876): Pango-WARNING **: failed to create cairo scaled font,
  expect ugly output. the offending font is 'Ubuntu Light 11'

  (evince:30876): Pango-WARNING **: font_face status is: 

  (evince:30876): Pango-WARNING **: scaled_font status is: out of memory

  (evince:30876): Pango-WARNING **: failed to create cairo scaled font,
  expect ugly output. the offending font is 'Ubuntu Light 15.83984375'

  (evince:30876): Pango-WARNING **: font_face status is: 

  (evince:30876): Pango-WARNING **: scaled_font status is: out of memory

  (evince:30876): Pango-WARNING **: shaping failure, expect ugly output.
  shape-engine='BasicEngineFc', font='Ubuntu Light 15.83984375',
  text='This document is locked and can only be read by entering the
  correct password.'

  ProblemType: Bug
  DistroRelease: Ubuntu 13.04
  Package: evince 3.6.1-1ubuntu3
  ProcVersionSignature: Ubuntu 3.8.0-19.29-generic 3.8.8
  Uname: Linux 3.8.0-19-generic x86_64
  NonfreeKernelModules: nvidia
  ApportVersion: 2.9.2-0ubuntu8
  Architecture: amd64
  Date: Sun Apr 28 11:20:05 2013
  InstallationDate: Installed on 2012-10-31 (178 days ago)
  InstallationMedia: Ubuntu 12.10 "Quantal Quetzal" - Release amd64 (20121017.5)
  MarkForUpload: True
  SourcePackage: evince
  UpgradeStatus: Upgraded to raring on 2013-04-26 (1 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1173807/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1200295] Re: evince cannot open attachment that is not PDF

2014-08-12 Thread Jamie Strandboge 
** Tags removed: apparmor

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1200295

Title:
  evince cannot open attachment that is not PDF

Status in “evince” package in Ubuntu:
  New

Bug description:
  I have a pdf file with a few files attached. Some of the attachments
  are PDFs, some are not. The PDF attachments are opened Ok, whereas
  non-PDF attachments cannot be opened as, seemingly, evince tries to
  open them by itself instead of calling appropriate application.

  ProblemType: Bug
  DistroRelease: Ubuntu 12.04
  Package: evince 3.4.0-0ubuntu1.6
  ProcVersionSignature: Ubuntu 3.2.0-49.75-generic 3.2.46
  Uname: Linux 3.2.0-49-generic x86_64
  NonfreeKernelModules: nvidia
  ApportVersion: 2.0.1-0ubuntu17.3
  Architecture: amd64
  Date: Thu Jul 11 19:19:39 2013
  InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release amd64 (20111011)
  MarkForUpload: True
  SourcePackage: evince
  UpgradeStatus: Upgraded to precise on 2013-01-01 (190 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1200295/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1290157] Re: evince: show containing folder not working under Lubuntu 14.04

2014-08-12 Thread Jamie Strandboge 
** Changed in: evince (Ubuntu)
   Status: Confirmed => In Progress

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1290157

Title:
  evince: show containing folder not working under Lubuntu 14.04

Status in “evince” package in Ubuntu:
  In Progress

Bug description:
  open a pdf file.

  goto file> open containing folder.

  error message appears:
  Could not open the containing folder
  Failed to execute child process "audacious" (Permission denied)

  is it related to bug #1022962 ?

  tks,
  ibere

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: evince 3.10.3-0ubuntu9
  ProcVersionSignature: Ubuntu 3.13.0-16.36-generic 3.13.5
  Uname: Linux 3.13.0-16-generic i686
  ApportVersion: 2.13.3-0ubuntu1
  Architecture: i386
  CurrentDesktop: LXDE
  Date: Sun Mar  9 21:19:53 2014
  InstallationDate: Installed on 2014-03-09 (0 days ago)
  InstallationMedia: Lubuntu 14.04 "Trusty Tahr" - Alpha i386 (20140309)
  SourcePackage: evince
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1290157/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1032812] Re: evince crashes when trying to display print dialog when tmpdir is not writable

2014-08-12 Thread Jamie Strandboge 
** Summary changed:

- evince crashes on invoking print dialog
+ evince crashes when trying to display print dialog when tmpdir is not writable

** Tags removed: apparmor

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1032812

Title:
  evince crashes when trying to display print dialog when tmpdir is not
  writable

Status in “evince” package in Ubuntu:
  Confirmed

Bug description:
  Since yesterday, whenever I press control-p in evince, it crashes.
  I'm including the dump it produces (in normal operation mode).

  Description:  Ubuntu 12.04 LTS
  Release:  12.04


  evince:
Installed: 3.4.0-0ubuntu1.3
Candidate: 3.4.0-0ubuntu1.3
Version table:
   *** 3.4.0-0ubuntu1.3 0
  500 http://ca.archive.ubuntu.com/ubuntu/ precise-updates/main amd64 
Packages
  100 /var/lib/dpkg/status
   3.4.0-0ubuntu1 0
  500 http://ca.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages

  ProblemType: Bug
  DistroRelease: Ubuntu 12.04
  Package: evince 3.4.0-0ubuntu1.3
  ProcVersionSignature: Ubuntu 3.2.0-27.43-generic 3.2.21
  Uname: Linux 3.2.0-27-generic x86_64
  ApportVersion: 2.0.1-0ubuntu11
  Architecture: amd64
  Date: Fri Aug  3 15:14:32 2012
  InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Beta amd64 (20110921.2)
  SourcePackage: evince
  UpgradeStatus: Upgraded to precise on 2012-05-10 (85 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1032812/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1330430] Re: apparmor profile needs review/improvement

2014-08-12 Thread Jamie Strandboge 
*** This bug is a duplicate of bug 1096837 ***
https://bugs.launchpad.net/bugs/1096837

** This bug has been marked a duplicate of bug 1096837
   [apparmor] Evince does not save files to external disks unless I rename them 
with the .pdf extension

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1330430

Title:
  apparmor profile needs review/improvement

Status in “evince” package in Ubuntu:
  Confirmed

Bug description:
  Apparmor rules for evince forbid opening a PDF from an external drive mounted 
under /media/… unless its filename ends in '.pdf'.
  Same file will be opened if it is copied to /home/… or renamed to a filename 
tailing in '.pdf' on the external drive.
  See bugs #1096837 and #1327161.

  On a GNU/Linux system like Ubuntu these rules are useless because
  filetype is not determined by an extension. Checking the filename adds
  no security. It smells like snakeoil to me.

  Please review the apparmor profile. On an GNU/Linux system opening a
  PDF should not denied on filename.

  This bug affects Ubuntu versions 14.04 LTS, 12.04 LTS and 10.04 LTS.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1330430/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1096837] Re: [apparmor] Evince does not save files to external disks unless I rename them with the .pdf extension

2014-08-12 Thread Jamie Strandboge 
** Changed in: evince (Ubuntu)
   Status: Triaged => In Progress

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1096837

Title:
  [apparmor] Evince does not save files to external disks unless I
  rename them with the .pdf extension

Status in Evince document viewer:
  Unknown
Status in “evince” package in Ubuntu:
  In Progress

Bug description:
  I open a pdf document from springerlink. It has the name "0012132432" (no pdf
  extension). If I try and "Save a copy" of the file with the exact same name
  into my $HOME folder, there is no problem, the file is saved with that name. 
If
  I try and "Save a copy" of the file with the exact same name into my
  /media/Disk directory (i.e. where /dev/sda6 was mounted) or some other disk
  apart from the mountpoint of $HOME, it doesn't save it, UNLESS I rename the
  file and place the .pdf extension like this: "0012132432.pdf". Then it saves 
it
  without any problem. I had this issue with Evince 3.6.1, now in Evince 3.7.1
  the annoying bug persists. Please note that there is no permission problem: I
  can easily transfer files from $HOME to /media/Disk and vice versa, without 
any
  requirement for root password. It's clearly a bug in Evince, please fix it, it
  actually scared the guys on the #linux IRC channel, irc.freenode.org, due to
  its dumbness. 

  I have tried deactivating apparmor...it was of no avail, the error still 
shows up.
  I also reported this bug here: https://bugzilla.gnome.org/process_bug.cgi

To manage notifications about this bug go to:
https://bugs.launchpad.net/evince/+bug/1096837/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1229066] Re: evince-thumbnailer can't run mktexpk

2014-08-12 Thread Jamie Strandboge 
** Package changed: evince (Ubuntu) => apparmor (Ubuntu)

** Changed in: apparmor (Ubuntu)
   Status: Confirmed => Triaged

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1229066

Title:
  evince-thumbnailer can't run mktexpk

Status in “apparmor” package in Ubuntu:
  Triaged

Bug description:
  On Ubuntu 12.04, when running /usr/bin/evince-thumbnailer on a .dvi
  file that references a font for which there is no PK file on the
  system yet, AppArmor blocks the execution of
  /usr/share/texmf/web2c/mktexnam etc. Here are sample audit log
  messages:

  [ 5720.378549] type=1400 audit(1379921624.784:28): apparmor="DENIED" 
operation="exec" parent=6181 
profile="/usr/bin/evince-thumbnailer//sanitized_helper" 
name="/usr/share/texmf/web2c/mktexnam" pid=6204 comm="mktexpk" 
requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
  [ 5720.384833] type=1400 audit(1379921624.788:29): apparmor="DENIED" 
operation="exec" parent=6181 
profile="/usr/bin/evince-thumbnailer//sanitized_helper" 
name="/usr/share/texmf/web2c/mktexupd" pid=6209 comm="mktexpk" 
requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

  I suspect this is because the sanitized_helper profile in 
/etc/apparmor.d/abstractions/ubuntu-helpers only covers /bin, /sbin, /usr/bin 
and /usr/sbin, not /usr/share/texmf/web2c . I'm not sure whether this bug 
should be filed against apparmor, evince or texlive-binaries; I can think of at 
least three ways of addressing the issue:
  1) add "/usr/share/texmf/web2c/* Pixr" to the sanitized_helper profile;
  2) modify the profile for /usr/bin/evince-thumbnailer to use something other 
than sanitized_helper;
  3) provide a separate AppArmor profile for the /usr/bin/mktexpk wrapper (and 
its siblings).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1229066/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1000802] Re: Unable to open external email address link to Thunderbird

2014-08-12 Thread Jamie Strandboge 
/etc/apparmor.d/usr.bin.evince uses the ubuntu-email abstraction which
includes policy to start thunderbird and has since before 12.04. Can you
attach your /etc/apparmor.d/usr.bin.evince?

** Changed in: evince (Ubuntu)
   Status: Confirmed => Incomplete

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1000802

Title:
  Unable to open external email address link to Thunderbird

Status in “evince” package in Ubuntu:
  Incomplete

Bug description:
  When I click an email address in a pdf file, I get this error message:
  Unable to open external link
  Failed to execute child process "thunderbird" (Permission denied)

  ProblemType: Bug
  DistroRelease: Ubuntu 12.04
  Package: evince 3.4.0-0ubuntu1
  ProcVersionSignature: Ubuntu 3.2.0-24.37-generic 3.2.14
  Uname: Linux 3.2.0-24-generic x86_64
  ApportVersion: 2.0.1-0ubuntu7
  Architecture: amd64
  Date: Thu May 17 17:01:31 2012
  ExecutablePath: /usr/bin/evince
  InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release amd64 
(20120425)
  KernLog:
   May 17 16:59:15 Desktop-PC kernel: [ 5420.543619] type=1400 
audit(1337266755.758:31): apparmor="DENIED" operation="exec" parent=1 
profile="/usr/bin/evince" name="/usr/lib/thunderbird/thunderbird.sh" pid=20588 
comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
   May 17 17:01:00 Desktop-PC kernel: [ 5524.803020] type=1400 
audit(1337266860.018:32): apparmor="DENIED" operation="exec" parent=1 
profile="/usr/bin/evince" name="/usr/lib/thunderbird/thunderbird.sh" pid=20653 
comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
   May 17 17:01:02 Desktop-PC kernel: [ 5527.087523] type=1400 
audit(1337266862.302:33): apparmor="DENIED" operation="exec" parent=1 
profile="/usr/bin/evince" name="/usr/lib/thunderbird/thunderbird.sh" pid=20655 
comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
  ProcEnviron:
   LANGUAGE=en_GB:en
   PATH=(custom, no user)
   LANG=en_GB.UTF-8
   SHELL=/bin/bash
  SourcePackage: evince
  UpgradeStatus: No upgrade log present (probably fresh install)
  XsessionErrors: (compiz:19490): GConf-CRITICAL **: gconf_client_add_dir: 
assertion `gconf_valid_key (dirname, NULL)' failed

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1000802/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1355804] Re: Evince apparmor settings not allowing sitewide dconf changes

2014-08-12 Thread Jamie Strandboge 
** Changed in: evince (Ubuntu)
   Status: New => In Progress

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1355804

Title:
  Evince apparmor settings not allowing sitewide dconf changes

Status in “evince” package in Ubuntu:
  In Progress

Bug description:
  Description:Ubuntu 14.04.1 LTS

  apt-cache policy evince evince-common
  evince:
Installed: 3.10.3-0ubuntu10.1
Candidate: 3.10.3-0ubuntu10.1
Version table:
   *** 3.10.3-0ubuntu10.1 0
  500 http://dk.archive.ubuntu.com/ubuntu/ trusty-updates/main i386 
Packages
  100 /var/lib/dpkg/status
   3.10.3-0ubuntu10 0
  500 http://dk.archive.ubuntu.com/ubuntu/ trusty/main i386 Packages
  evince-common:
Installed: 3.10.3-0ubuntu10.1
Candidate: 3.10.3-0ubuntu10.1
Version table:
   *** 3.10.3-0ubuntu10.1 0
  500 http://dk.archive.ubuntu.com/ubuntu/ trusty-updates/main i386 
Packages
  100 /var/lib/dpkg/status
   3.10.3-0ubuntu10 0
  500 http://dk.archive.ubuntu.com/ubuntu/ trusty/main i386 Packages

  
  There are a few issues here. The main problem is that the Evince apparmor 
settings does not honor site wide dconf settings as described in dconf(7). I'm 
currently preparing a multiuser setup where we need some site wide 
configurations, one of which affects Evince.

  Problem (1): As described in dconf(7) system wide settings can be made
  by creating and editing /etc/dconf/profile/user, which will be read if
  it exists. However if we do

  echo 'user-db:user' | sudo tee -a /etc/dconf/profile/user
  sudo dconf update
  evince

  We get the following warning

  (evince:9145): dconf-WARNING **: Unable to open
  /etc/dconf/profile/user: Permission denied

  and the following message in SYSLOG

  kernel: [ 1129.931888] type=1400 audit(1407843498.164:65):
  apparmor="DENIED" operation="open" profile="/usr/bin/evince"
  name="/etc/dconf/profile/user" pid=9145 comm="evince"
  requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

  Indeed if we search through all files in /etc/apparmod.d , /etc/dconf
  is not mentioned anywhere.

  Possible solution:  Add

  /etc/dconf/** r,

  to /etc/apparmor.d/abscractions/evince (I've added it at the end of
  the /etc/ list already there), and run

  sudo apparmor_parser -r /etc/apparmor.d/usr.bin.evince

  Then there are no complaints anymore

  Problem (2): Again reading dconf(7) it is recommended to change the
  settigns if /home is NFS mounted. Thus in /etc/dconf/profile/user we
  should replace /user-db:user' by 'service-db:keyfile/user'

  This causes a new permission denied problem. Remember to run 'sudo
  dconf update' and log out and ind again.

  (evince:19187): dconf-WARNING **: unable to open file '/run/user/1000
  /dconf-service/keyfile/user': Failed to open file '/run/user/1000
  /dconf-service/keyfile/user': open() failed: Permission denied; expect
  degraded performance

  from syslog:

  kernel: [ 5430.597984] type=1400 audit(1407848788.264:81):
  apparmor="DENIED" operation="open" profile="/usr/bin/evince"
  name="/run/user/1000/dconf-service/keyfile/user" pid=19188
  comm=64636F6E6620776F726B6572 requested_mask="r" denied_mask="r"
  fsuid=1000 ouid=1000

  
  The apparmor files does mention '/run/user/' (in usr.bin.evince):

  # Maybe add to an abstraction?
owner /{,var/}run/user/*/dconf/  w,
owner /{,var/}run/user/*/dconf/user  rw,

  however, this does not match 'dconf-service'. One can fix this by
  adding

  owner /{,var/}run/user/*/dconf-service/keyfile/  w,
  owner /{,var/}run/user/*/dconf-service/keyfile/user  rw,

  to /etc/apparmor.d/abstractions/evince (I added them right after the
  other 'owner' lines at the top

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1355804/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 984093] Re: vino http server binds to external interfaces despite local_only configuration

2014-08-11 Thread Jamie Strandboge 
Thanks for the patch! I'm uncomfortable ACKing this patch without more
supporting information that it disabling it won't break people. I think
the proper thing to do is continue to wait on upstream's response. It
would probably make the process go quicker if a patch was submitted
upstream that fixed the buggy behavior.

Unsubscribing ubuntu-sponsors for now. If you'd like to have a patch
applied to Ubuntu, please link to a bzr branch or supply a debdiff (see
https://wiki.ubuntu.com/SponsorshipProcess for details).

Thanks again.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to vino in Ubuntu.
https://bugs.launchpad.net/bugs/984093

Title:
  vino http server binds to external interfaces despite local_only
  configuration

Status in GNOME Remote Desktop:
  New
Status in “vino” package in Ubuntu:
  Triaged

Bug description:
  Environment:

  Debian Wheezy
  Vino 3.2.2-1+b1

  Vino is configured for local access only via:

  gconftool-2 --set /desktop/gnome/remote_access/local_only --type bool
  true

  Vino's vnc server is only listening on localhost:5900 and no other
  interfaces - as expected.

  Vino's http server, though, is listening on all interfaces, despite
  the local_only configuration. The expected behaviour would be for all
  vino services, including the http server, to only bind to the
  localhost interface when configured accordingly.

To manage notifications about this bug go to:
https://bugs.launchpad.net/vino/+bug/984093/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1308771] Re: Update Swedish spellcheck and hyphenation dictionaries

2014-08-11 Thread Jamie Strandboge 
Unsubscribing ubuntu-sponsors for now. Please resubscribe after
commenting on/adjusting the packaging. Thanks!

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to openoffice.org-hyphenation in Ubuntu.
https://bugs.launchpad.net/bugs/1308771

Title:
  Update Swedish spellcheck and hyphenation dictionaries

Status in “libreoffice-dictionaries” package in Ubuntu:
  Fix Released
Status in “openoffice.org-hyphenation” package in Ubuntu:
  Fix Released
Status in “libreoffice-dictionaries” source package in Trusty:
  Triaged
Status in “openoffice.org-hyphenation” source package in Trusty:
  Triaged

Bug description:
  trusty SRU request
  ==

  [Impact]
  While the libreoffice-dictionaries source package contains reasonably updated 
spell check dictionaries and hyphenation patterns for Swedish, it does 
currently not build hunspell-sv-se and hyphen-sv. In Utopic this has now been 
fixed, and the outdated hyphenation patterns for Swedish in 
openoffice.org-hyphenation have been dropped.

  It's desirable that it's fixed in Trusty as well, so Swedish 14.04
  users don't need to go hunting on the web for up-to-date writing aids.
  After all, LibreOffice is one of the core tools on the desktop.

  [Test Case]
  I haven't figured out specific examples of words or patterns that are 
currently missing and will be included with this SRU.

  [Regression Potential]
  Once it has been verified that the up-to-date dictionaries are installed 
correctly, and that spell checking and hyphenation works as expected in 
LibreOffice, the risk for regression ought to be limited to the risk that 
certain words or patterns, which are currently included, proves to have been 
dropped.

  [Other Info]
  I have attached an SRU patch for libreoffice-dictionaries. As regards 
openoffice.org-hyphenation, some encoding problem in one of the removed files 
prevented me from creating a patch that applies seamlessly. Instead I simply 
suggest that openoffice.org-hyphenation 0.8 is uploaded to trusty-proposed as 
version 0.7.1.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libreoffice-dictionaries/+bug/1308771/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1313298] Re: State of youtube plugin

2014-08-11 Thread Jamie Strandboge 
Thank you for providing a debdiff. Two comments:
 * debian/changelog is much too terse with 'Adjust control.in'. This should be 
more descriptive, such as 'debian/control.in: adjust descriptions for 
youtube...'
 * changing the description is of course fine, however other comments in this 
bug suggest that the plugin is completely broken or crashes. Shouldn't this 
code either be fixed or not shipped?

Please adjust debian/changelog and comment on whether the code should be
shipped at all. Unsubscribing ubuntu-sponsors for now. Please feel free
to resubscribe after making these changes. Thanks!

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to totem in Ubuntu.
https://bugs.launchpad.net/bugs/1313298

Title:
  State of youtube plugin

Status in “totem” package in Ubuntu:
  Confirmed

Bug description:
  The youtube plugin is advertised in the package details, but it looks
  like its not shipped anymore.

  $ apt-cache show totem-plugins | grep -i youtube
  * Search, browse for and play videos from YouTube

  $ dpkg -L totem-plugins | grep -i youtube

  This is for totem-plugins 3.10.1-1ubuntu4

  The youtube plugin is still listed in the documentation:
  
https://help.gnome.org/users/totem/stable/totem-plugins.html.en#totem-plugins-youtube

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/totem/+bug/1313298/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1308771] Re: Update Swedish spellcheck and hyphenation dictionaries

2014-08-11 Thread Jamie Strandboge 
I'm not an expert on these dictionaries, however, the build succeeds,
the packaging looks reasonable and the resulting binaries look mostly
similar to the binaries for other languages. However, most of the
hyphen-* packages have something in
/usr/share/myspell/infos/ooo/hyphen-*, but hyphen-sv does not. Can you
comment?

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to openoffice.org-hyphenation in Ubuntu.
https://bugs.launchpad.net/bugs/1308771

Title:
  Update Swedish spellcheck and hyphenation dictionaries

Status in “libreoffice-dictionaries” package in Ubuntu:
  Fix Released
Status in “openoffice.org-hyphenation” package in Ubuntu:
  Fix Released
Status in “libreoffice-dictionaries” source package in Trusty:
  Triaged
Status in “openoffice.org-hyphenation” source package in Trusty:
  Triaged

Bug description:
  trusty SRU request
  ==

  [Impact]
  While the libreoffice-dictionaries source package contains reasonably updated 
spell check dictionaries and hyphenation patterns for Swedish, it does 
currently not build hunspell-sv-se and hyphen-sv. In Utopic this has now been 
fixed, and the outdated hyphenation patterns for Swedish in 
openoffice.org-hyphenation have been dropped.

  It's desirable that it's fixed in Trusty as well, so Swedish 14.04
  users don't need to go hunting on the web for up-to-date writing aids.
  After all, LibreOffice is one of the core tools on the desktop.

  [Test Case]
  I haven't figured out specific examples of words or patterns that are 
currently missing and will be included with this SRU.

  [Regression Potential]
  Once it has been verified that the up-to-date dictionaries are installed 
correctly, and that spell checking and hyphenation works as expected in 
LibreOffice, the risk for regression ought to be limited to the risk that 
certain words or patterns, which are currently included, proves to have been 
dropped.

  [Other Info]
  I have attached an SRU patch for libreoffice-dictionaries. As regards 
openoffice.org-hyphenation, some encoding problem in one of the removed files 
prevented me from creating a patch that applies seamlessly. Instead I simply 
suggest that openoffice.org-hyphenation 0.8 is uploaded to trusty-proposed as 
version 0.7.1.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libreoffice-dictionaries/+bug/1308771/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1354496] Re: Screen doesn't always lock correctly after inactivity

2014-08-08 Thread Jamie Strandboge 
*** This bug is a duplicate of bug 49579 ***
https://bugs.launchpad.net/bugs/49579

** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gnome-screensaver in Ubuntu.
https://bugs.launchpad.net/bugs/1354496

Title:
  Screen doesn't always lock correctly after inactivity

Status in “gnome-screensaver” package in Ubuntu:
  Confirmed

Bug description:
  When my laptop shuts off the screen due to inactivity, when I come
  back, the screen isn't locked.  I can start back to work and interact
  with my apps, then the screen locks after I've started back to work.

  Expected behavior:  The screen locks after the inactivity timeout has
  expired (5 minutes in my case).

  Actual behavior:  When I "wake up" the screen, it's not locked, but
  then locks a few seconds after I've started to work.

  I use my laptop for system administration, including access to a
  production environmnent, and can't have it left unlocked.

  The behavior doesn't seem to be consistent, but I'll keep testing to
  see if there are specific scenarios under which this occurs.

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: gnome-screensaver 3.6.1-0ubuntu13
  ProcVersionSignature: Ubuntu 3.13.0-32.57-generic 3.13.11.4
  Uname: Linux 3.13.0-32-generic x86_64
  NonfreeKernelModules: fglrx
  ApportVersion: 2.14.1-0ubuntu3.3
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Fri Aug  8 10:55:22 2014
  GnomeSessionIdleInhibited: No
  GnomeSessionInhibitors: None
  GsettingsGnomeSession:
   org.gnome.desktop.session session-name 'ubuntu'
   org.gnome.desktop.session idle-delay uint32 300
  InstallationDate: Installed on 2014-07-28 (10 days ago)
  InstallationMedia: Ubuntu 14.04.1 LTS "Trusty Tahr" - Release amd64 
(20140722.2)
  SourcePackage: gnome-screensaver
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-screensaver/+bug/1354496/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1086058] Re: my unity laucher and environment disappeared when i changed certain permission in dpkg file while installing hadoop.

2014-08-08 Thread Jamie Strandboge 
Thanks for your comments. This does not appear to be a bug report and we
are closing it. We appreciate the difficulties you are facing, but it
would make more sense to raise your question in the support tracker.
Please visit https://answers.launchpad.net/ubuntu/+addquestion

** Information type changed from Private Security to Public

** Changed in: unity
   Status: New => Invalid

** Changed in: unity (Ubuntu)
   Status: New => Invalid

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to unity in Ubuntu.
Matching subscriptions: dp-unity
https://bugs.launchpad.net/bugs/1086058

Title:
  my unity laucher and environment disappeared when i changed certain
  permission in dpkg file while installing hadoop.

Status in Unity:
  Invalid
Status in “unity” package in Ubuntu:
  Invalid

Bug description:
  my settings for flashdrive is not working.
  users and groups are disabled. error: configuration cannot be loaded.

To manage notifications about this bug go to:
https://bugs.launchpad.net/unity/+bug/1086058/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1342312] Re: ghostscript hangs reading certain pdfs

2014-08-08 Thread Jamie Strandboge 
** Changed in: ghostscript (Ubuntu)
   Importance: Undecided => Low

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to ghostscript in Ubuntu.
https://bugs.launchpad.net/bugs/1342312

Title:
  ghostscript hangs reading certain pdfs

Status in “ghostscript” package in Ubuntu:
  New

Bug description:
  On a few pdfs, gs hangs and uses 100% cpu forever.

  This could be used as a denial of service through imagemagick which
  uses ghostscript as a delegate, and commonly used in php etc... which
  is how I found the issue.

  The packages from utopic (9.14~dfsg-0ubuntu3) processes these pdfs
  correctly.

  To reproduce:
  gs WaddellAndReedJCL0814ThirdHProvSE.pdf

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: ghostscript 9.10~dfsg-0ubuntu10.2
  ProcVersionSignature: Ubuntu 3.13.0-30.55-generic 3.13.11.2
  Uname: Linux 3.13.0-30-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3.2
  Architecture: amd64
  CupsErrorLog:
   
  CurrentDesktop: Unity
  Date: Tue Jul 15 14:34:26 2014
  InstallationDate: Installed on 2014-04-20 (86 days ago)
  InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140417)
  Lpstat:
   device for Bizhub7222: socket://10.0.0.201:9100
   device for HP-Photosmart-6520-series: 
dnssd://Photosmart%206520%20series%20%5B1B47AD%5D._ipp._tcp.local/
  MachineType: ASUSTeK COMPUTER INC. UX32VD
  Papersize: letter
  PpdFiles:
   HP-Photosmart-6520-series: HP Photosmart 6520 Series, hpcups 3.14.3
   Bizhub7222: HP LaserJet 5L - CUPS+Gutenprint v5.2.10-pre2
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.13.0-30-generic 
root=UUID=2f256b0b-ee87-463a-af04-e892e0be9192 ro quiet splash pcie_aspm=force 
drm.vblankoffdelay=1 i915.semaphores=1
  SourcePackage: ghostscript
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 11/16/2012
  dmi.bios.vendor: American Megatrends Inc.
  dmi.bios.version: UX32VD.213
  dmi.board.asset.tag: ATN12345678901234567
  dmi.board.name: UX32VD
  dmi.board.vendor: ASUSTeK COMPUTER INC.
  dmi.board.version: 1.0
  dmi.chassis.asset.tag: No Asset Tag
  dmi.chassis.type: 10
  dmi.chassis.vendor: ASUSTeK COMPUTER INC.
  dmi.chassis.version: 1.0
  dmi.modalias: 
dmi:bvnAmericanMegatrendsInc.:bvrUX32VD.213:bd11/16/2012:svnASUSTeKCOMPUTERINC.:pnUX32VD:pvr1.0:rvnASUSTeKCOMPUTERINC.:rnUX32VD:rvr1.0:cvnASUSTeKCOMPUTERINC.:ct10:cvr1.0:
  dmi.product.name: UX32VD
  dmi.product.version: 1.0
  dmi.sys.vendor: ASUSTeK COMPUTER INC.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ghostscript/+bug/1342312/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1230091] Re: [enhancement] Trusted Session surface management (required for appstore app trust model), modal subwindows

2014-08-08 Thread Jamie Strandboge 
What is that bug?

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to signon in Ubuntu.
https://bugs.launchpad.net/bugs/1230091

Title:
  [enhancement] Trusted Session surface management (required for
  appstore app trust model), modal subwindows

Status in Content sharing/picking infrastructure and service:
  Triaged
Status in Mir:
  Triaged
Status in Unity Mir:
  Triaged
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  Confirmed
Status in “signon” package in Ubuntu:
  Confirmed
Status in “unity-mir” package in Ubuntu:
  Confirmed

Bug description:
  (I'm filing this as a bug in order to be able to point other people to
  it, and to track its progress; if there's a blueprint containing this
  task, please let me know)

  Some components (such as the Online Accounts trusted helper) need to
  be able to pop-up a window (typically, a dialog) on top of the running
  application. Such windows should be modal to the application, that is
  the user should not be able to interact with the application while the
  modal window is displayed on top of them. This also means that in the
  task switcher one shouldn't see two windows, but only the topmost
  modal window (and parts of the application window, in case the modal
  window on top is a non-fullscreen dialog).

  For developers, this API already exists in Qt: see 
https://qt-project.org/doc/qt-5.1/qtgui/qwindow.html#fromWinId
  It needs to be implemented in the QPA plugin, so feel free to add the 
relevant projects to the bug report.

  From jdstrand>
  This is a hard requirement for application confinement because of our trust 
model-- permission to access sensitive data by AppStore apps is typically 
granted or denied at the time of access (caching the result for later use as 
appropriate), so users have a context for the access being requested. We do 
this instead of throwing up a permissions prompt at installation. However, for 
it to work, trusted helpers like online accounts and location require this 
functionality from unity-mir. A trust-store is also being implemented so other 
services like calendar and contacts can do the same. Because this feature is 
not implemented, the implementation for online accounts, location and the 
trust-store is blocked and appstore apps are therefore able to access these 
services without the user knowing.

To manage notifications about this bug go to:
https://bugs.launchpad.net/content-hub/+bug/1230091/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1230391] Re: please provide visual cue during background recording

2014-07-31 Thread Jamie Strandboge 
** Changed in: pulseaudio (Ubuntu)
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1230391

Title:
  please provide visual cue during background recording

Status in “pulseaudio” package in Ubuntu:
  Confirmed

Bug description:
  After bug #1224756 is fixed, we should provide a visual cue for when
  an app moves to the background and is recording audio. This will allow
  an app like Skype to work normally in the foreground, but if the user
  launches another app into the foreground, the user is able to see that
  he/she is still on the Skype call. In addition to the usability
  benefit, this provides a security benefit because it stops
  eavesdropping because the user will have a visual cue that the
  malicious/misbehaving app is recording audio.

  This needs design.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1230391/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1230091] Re: [enhancement] Trusted Session surface management (required for appstore app trust model), modal subwindows

2014-07-31 Thread Jamie Strandboge 
If there is another bug that should be used for Mir trust session
support and online accounts use of it for rtm, please let me know. For
now, adding rtm14 tag.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to signon in Ubuntu.
https://bugs.launchpad.net/bugs/1230091

Title:
  [enhancement] Trusted Session surface management (required for
  appstore app trust model), modal subwindows

Status in Content sharing/picking infrastructure and service:
  Triaged
Status in Mir:
  Triaged
Status in Unity Mir:
  Triaged
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  Confirmed
Status in “signon” package in Ubuntu:
  Confirmed
Status in “unity-mir” package in Ubuntu:
  Confirmed

Bug description:
  (I'm filing this as a bug in order to be able to point other people to
  it, and to track its progress; if there's a blueprint containing this
  task, please let me know)

  Some components (such as the Online Accounts trusted helper) need to
  be able to pop-up a window (typically, a dialog) on top of the running
  application. Such windows should be modal to the application, that is
  the user should not be able to interact with the application while the
  modal window is displayed on top of them. This also means that in the
  task switcher one shouldn't see two windows, but only the topmost
  modal window (and parts of the application window, in case the modal
  window on top is a non-fullscreen dialog).

  For developers, this API already exists in Qt: see 
https://qt-project.org/doc/qt-5.1/qtgui/qwindow.html#fromWinId
  It needs to be implemented in the QPA plugin, so feel free to add the 
relevant projects to the bug report.

  From jdstrand>
  This is a hard requirement for application confinement because of our trust 
model-- permission to access sensitive data by AppStore apps is typically 
granted or denied at the time of access (caching the result for later use as 
appropriate), so users have a context for the access being requested. We do 
this instead of throwing up a permissions prompt at installation. However, for 
it to work, trusted helpers like online accounts and location require this 
functionality from unity-mir. A trust-store is also being implemented so other 
services like calendar and contacts can do the same. Because this feature is 
not implemented, the implementation for online accounts, location and the 
trust-store is blocked and appstore apps are therefore able to access these 
services without the user knowing.

To manage notifications about this bug go to:
https://bugs.launchpad.net/content-hub/+bug/1230091/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1230091] Re: [enhancement] Trusted Session surface management (required for appstore app trust model), modal subwindows

2014-07-31 Thread Jamie Strandboge 
Removing suayc and trusty tasks since we won't fix those and they are
cluttering the reports. Adjusting the Ubuntu tasks to Critical since
online accounts use of trust sessions is an rtm requirement.

** No longer affects: unity-mir (Ubuntu Saucy)

** No longer affects: unity-mir (Ubuntu Trusty)

** No longer affects: signon (Ubuntu Trusty)

** No longer affects: signon (Ubuntu Saucy)

** Changed in: apparmor-easyprof-ubuntu (Ubuntu)
   Importance: Undecided => Critical

** Changed in: signon (Ubuntu)
   Importance: High => Critical

** Changed in: unity-mir (Ubuntu)
   Importance: High => Critical

** Tags added: rtm14

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to signon in Ubuntu.
https://bugs.launchpad.net/bugs/1230091

Title:
  [enhancement] Trusted Session surface management (required for
  appstore app trust model), modal subwindows

Status in Content sharing/picking infrastructure and service:
  Triaged
Status in Mir:
  Triaged
Status in Unity Mir:
  Triaged
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  Confirmed
Status in “signon” package in Ubuntu:
  Confirmed
Status in “unity-mir” package in Ubuntu:
  Confirmed

Bug description:
  (I'm filing this as a bug in order to be able to point other people to
  it, and to track its progress; if there's a blueprint containing this
  task, please let me know)

  Some components (such as the Online Accounts trusted helper) need to
  be able to pop-up a window (typically, a dialog) on top of the running
  application. Such windows should be modal to the application, that is
  the user should not be able to interact with the application while the
  modal window is displayed on top of them. This also means that in the
  task switcher one shouldn't see two windows, but only the topmost
  modal window (and parts of the application window, in case the modal
  window on top is a non-fullscreen dialog).

  For developers, this API already exists in Qt: see 
https://qt-project.org/doc/qt-5.1/qtgui/qwindow.html#fromWinId
  It needs to be implemented in the QPA plugin, so feel free to add the 
relevant projects to the bug report.

  From jdstrand>
  This is a hard requirement for application confinement because of our trust 
model-- permission to access sensitive data by AppStore apps is typically 
granted or denied at the time of access (caching the result for later use as 
appropriate), so users have a context for the access being requested. We do 
this instead of throwing up a permissions prompt at installation. However, for 
it to work, trusted helpers like online accounts and location require this 
functionality from unity-mir. A trust-store is also being implemented so other 
services like calendar and contacts can do the same. Because this feature is 
not implemented, the implementation for online accounts, location and the 
trust-store is blocked and appstore apps are therefore able to access these 
services without the user knowing.

To manage notifications about this bug go to:
https://bugs.launchpad.net/content-hub/+bug/1230091/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2014-07-31 Thread Jamie Strandboge 
** Changed in: pulseaudio (Ubuntu Utopic)
   Importance: High => Critical

** No longer affects: pulseaudio (Ubuntu Saucy)

** No longer affects: pulseaudio (Ubuntu Trusty)

** No longer affects: pulseaudio (Ubuntu Utopic)

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in “pulseaudio” package in Ubuntu:
  Triaged

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user ("Foo wants to use
  the microphone. Is this ok? Yes|No"), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1348251] Re: please make use of pam_tally2 for Touch login and screenunlock

2014-07-31 Thread Jamie Strandboge 
** Changed in: ubuntu-touch-session (Ubuntu)
   Importance: Undecided => Critical

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1348251

Title:
  please make use of pam_tally2 for Touch login and screenunlock

Status in Light Display Manager:
  Fix Released
Status in “lightdm” package in Ubuntu:
  Fix Released
Status in “ubuntu-touch-session” package in Ubuntu:
  New

Bug description:
  Ubuntu Touch will soon have/now has the ability to set a PIN/password
  for the user. If the password is set, we should provide some
  protection against brute force password guessing since many users will
  choose to use PINs rather than proper passwords. This is required for
  devices for RTM, but not for the traditional Ubuntu desktop.

To manage notifications about this bug go to:
https://bugs.launchpad.net/lightdm/+bug/1348251/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1348251] Re: please make use of pam_tally2 for Touch login and screenunlock

2014-07-25 Thread Jamie Strandboge 
Right, I don't think we want to enable pam_tally2 on desktop at this
time. We may want to as we move towards converged and people are using
PINs as passwords. Your branch seems to handle this very well. lightdm
can remain unchanged (except for this patch) on the desktop, and the
ubuntu-touch-session package can ship the necessary files to incorporate
pam_tally2.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1348251

Title:
  please make use of pam_tally2 for Touch login and screenunlock

Status in “lightdm” package in Ubuntu:
  Incomplete

Bug description:
  Ubuntu Touch will soon have/now has the ability to set a PIN/password
  for the user. If the password is set, we should provide some
  protection against brute force password guessing since many users will
  choose to use PINs rather than proper passwords. This is required for
  devices for RTM, but not for the traditional Ubuntu desktop.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1348251/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1348251] Re: please make use of pam_tally2 for Touch login and screenunlock

2014-07-25 Thread Jamie Strandboge 
Thanks for you work on this!

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1348251

Title:
  please make use of pam_tally2 for Touch login and screenunlock

Status in “lightdm” package in Ubuntu:
  Incomplete

Bug description:
  Ubuntu Touch will soon have/now has the ability to set a PIN/password
  for the user. If the password is set, we should provide some
  protection against brute force password guessing since many users will
  choose to use PINs rather than proper passwords. This is required for
  devices for RTM, but not for the traditional Ubuntu desktop.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1348251/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1348251] Re: please make use of pam_tally2 for Touch login and screenunlock

2014-07-24 Thread Jamie Strandboge 
** Summary changed:

- please make use of pam_tally2 with lightdm-greeter
+ please make use of pam_tally2 for Touch login and screenunlock

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1348251

Title:
  please make use of pam_tally2 for Touch login and screenunlock

Status in “lightdm” package in Ubuntu:
  New

Bug description:
  Ubuntu Touch will soon have/now has the ability to set a PIN/password
  for the user. If the password is set, we should provide some
  protection against brute force password guessing since many users will
  choose to use PINs rather than proper passwords. This is required for
  devices for RTM, but not for the traditional Ubuntu desktop.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1348251/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1348251] [NEW] please make use of pam_tally2 with lightdm-greeter

2014-07-24 Thread Jamie Strandboge 
Public bug reported:

Ubuntu Touch will soon have/now has the ability to set a PIN/password
for the user. If the password is set, we should provide some protection
against brute force password guessing since many users will choose to
use PINs rather than proper passwords. This is required for devices for
RTM, but not for the traditional Ubuntu desktop.

** Affects: lightdm (Ubuntu)
 Importance: High
 Status: New


** Tags: rtm14

** Changed in: lightdm (Ubuntu)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1348251

Title:
  please make use of pam_tally2 with lightdm-greeter

Status in “lightdm” package in Ubuntu:
  New

Bug description:
  Ubuntu Touch will soon have/now has the ability to set a PIN/password
  for the user. If the password is set, we should provide some
  protection against brute force password guessing since many users will
  choose to use PINs rather than proper passwords. This is required for
  devices for RTM, but not for the traditional Ubuntu desktop.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1348251/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1338251] Re: package nvidia-331 331.38-0ubuntu7 failed to install/upgrade

2014-07-18 Thread Jamie Strandboge 
** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to nvidia-graphics-drivers-331 in Ubuntu.
https://bugs.launchpad.net/bugs/1338251

Title:
  package nvidia-331 331.38-0ubuntu7 failed to install/upgrade

Status in “nvidia-graphics-drivers-331” package in Ubuntu:
  New

Bug description:
  sudo: /etc/sudoers.d is owned by gid 27, should be 0

  ProblemType: Package
  DistroRelease: Ubuntu 14.04
  Package: nvidia-331 331.38-0ubuntu7
  ProcVersionSignature: Ubuntu 3.13.0-30.54-generic 3.13.11.2
  Uname: Linux 3.13.0-30-generic i686
  ApportVersion: 2.14.1-0ubuntu3.2
  Architecture: i386
  Date: Sun Jul  6 17:26:26 2014
  DuplicateSignature: package:nvidia-331:331.38-0ubuntu7:
  ErrorMessage:
   
  InstallationDate: Installed on 2014-06-26 (9 days ago)
  InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release i386 (20140417)
  SourcePackage: nvidia-graphics-drivers-331
  Title: package nvidia-331 331.38-0ubuntu7 failed to install/upgrade
  UpgradeStatus: No upgrade log present (probably fresh install)
  modified.conffile..etc.modprobe.d.nvidia.331.hybrid.conf: [deleted]

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nvidia-graphics-drivers-331/+bug/1338251/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services

2014-07-17 Thread Jamie Strandboge 
Adjusted the bug statuses based on the updated description. This is
"Won't Fix" for Utopic ("Triaged" when "V" opens).

** Changed in: urfkill (Ubuntu Utopic)
   Status: In Progress => Won't Fix

** Changed in: ubuntu-system-settings (Ubuntu Utopic)
   Status: In Progress => Won't Fix

** Changed in: indicator-network (Ubuntu)
   Status: In Progress => Triaged

** Changed in: indicator-network (Ubuntu)
   Importance: Undecided => Wishlist

** Changed in: indicator-network (Ubuntu Utopic)
   Importance: Undecided => Wishlist

** Changed in: network-manager (Ubuntu)
   Status: In Progress => Triaged

** Changed in: network-manager (Ubuntu)
   Importance: Undecided => Wishlist

** Changed in: network-manager (Ubuntu Utopic)
   Importance: Undecided => Wishlist

** Changed in: nuntium (Ubuntu)
   Status: In Progress => Triaged

** Changed in: nuntium (Ubuntu)
   Importance: Undecided => Wishlist

** Changed in: nuntium (Ubuntu Utopic)
   Importance: Undecided => Wishlist

** Changed in: ofono (Ubuntu)
   Status: In Progress => Triaged

** Changed in: powerd (Ubuntu)
   Status: In Progress => Triaged

** Changed in: powerd (Ubuntu)
   Importance: Undecided => Wishlist

** Changed in: powerd (Ubuntu Utopic)
   Importance: Undecided => Wishlist

** Changed in: ubuntu-download-manager (Ubuntu)
   Status: In Progress => Triaged

** Changed in: ubuntu-download-manager (Ubuntu)
   Importance: Undecided => Wishlist

** Changed in: ubuntu-download-manager (Ubuntu Utopic)
   Importance: Undecided => Wishlist

** Changed in: urfkill (Ubuntu)
   Status: In Progress => Triaged

** Changed in: urfkill (Ubuntu)
   Importance: Undecided => Wishlist

** Changed in: urfkill (Ubuntu Utopic)
   Status: Won't Fix => Triaged

** Changed in: urfkill (Ubuntu Utopic)
   Importance: Undecided => Wishlist

** Changed in: ubuntu-system-settings (Ubuntu)
   Status: In Progress => Triaged

** Changed in: ubuntu-system-settings (Ubuntu)
   Importance: Undecided => Wishlist

** Changed in: ubuntu-system-settings (Ubuntu Utopic)
   Status: Won't Fix => Triaged

** Changed in: ubuntu-system-settings (Ubuntu Utopic)
   Importance: Undecided => Wishlist

** Changed in: urfkill (Ubuntu Utopic)
   Status: Triaged => Won't Fix

** Changed in: ubuntu-system-settings (Ubuntu Utopic)
   Status: Triaged => Won't Fix

** Changed in: indicator-network (Ubuntu)
 Assignee: Jamie Strandboge (jdstrand) => (unassigned)

** Changed in: indicator-network (Ubuntu Utopic)
 Assignee: Jamie Strandboge (jdstrand) => (unassigned)

** Changed in: network-manager (Ubuntu)
 Assignee: Jamie Strandboge (jdstrand) => (unassigned)

** Changed in: network-manager (Ubuntu Utopic)
 Assignee: Jamie Strandboge (jdstrand) => (unassigned)

** Changed in: nuntium (Ubuntu)
 Assignee: Jamie Strandboge (jdstrand) => (unassigned)

** Changed in: nuntium (Ubuntu Utopic)
 Assignee: Jamie Strandboge (jdstrand) => (unassigned)

** Changed in: ofono (Ubuntu)
 Assignee: Jamie Strandboge (jdstrand) => (unassigned)

** Changed in: ofono (Ubuntu Utopic)
 Assignee: Jamie Strandboge (jdstrand) => (unassigned)

** Changed in: powerd (Ubuntu)
 Assignee: Jamie Strandboge (jdstrand) => (unassigned)

** Changed in: powerd (Ubuntu Utopic)
 Assignee: Jamie Strandboge (jdstrand) => (unassigned)

** Changed in: ubuntu-download-manager (Ubuntu)
 Assignee: Jamie Strandboge (jdstrand) => (unassigned)

** Changed in: ubuntu-download-manager (Ubuntu Utopic)
 Assignee: Jamie Strandboge (jdstrand) => (unassigned)

** Changed in: ubuntu-system-settings (Ubuntu)
 Assignee: Jamie Strandboge (jdstrand) => (unassigned)

** Changed in: ubuntu-system-settings (Ubuntu Utopic)
 Assignee: Jamie Strandboge (jdstrand) => (unassigned)

** Changed in: urfkill (Ubuntu)
 Assignee: Jamie Strandboge (jdstrand) => (unassigned)

** Changed in: urfkill (Ubuntu Utopic)
 Assignee: Jamie Strandboge (jdstrand) => (unassigned)

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1296415

Title:
  [security] please use apparmor to restrict access to ofono to approved
  services

Status in “indicator-network” package in Ubuntu:
  Triaged
Status in “isc-dhcp” package in Ubuntu:
  Fix Released
Status in “network-manager” package in Ubuntu:
  Triaged
Status in “nuntium” package in Ubuntu:
  Triaged
Status in “ofono” package in Ubuntu:
  Triaged
Status in “powerd” package in Ubuntu:
  Triaged
Status in “ubuntu-download-manager” package in Ubuntu:
  Triaged
Status in “ubuntu-system-settings” package in Ubuntu:
  Triaged
Status in “urfkill” package in Ubuntu:
  Triaged
Status in “indicator-network” source package in Utop

[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services

2014-07-17 Thread Jamie Strandboge 
** Changed in: indicator-network (Ubuntu Utopic)
   Status: In Progress => Won't Fix

** Changed in: network-manager (Ubuntu Utopic)
   Status: In Progress => Won't Fix

** Changed in: nuntium (Ubuntu Utopic)
   Status: In Progress => Won't Fix

** Changed in: ofono (Ubuntu Utopic)
   Status: In Progress => Won't Fix

** Changed in: powerd (Ubuntu Utopic)
   Status: In Progress => Won't Fix

** Changed in: ubuntu-download-manager (Ubuntu Utopic)
   Status: In Progress => Won't Fix

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1296415

Title:
  [security] please use apparmor to restrict access to ofono to approved
  services

Status in “indicator-network” package in Ubuntu:
  Triaged
Status in “isc-dhcp” package in Ubuntu:
  Fix Released
Status in “network-manager” package in Ubuntu:
  Triaged
Status in “nuntium” package in Ubuntu:
  Triaged
Status in “ofono” package in Ubuntu:
  Triaged
Status in “powerd” package in Ubuntu:
  Triaged
Status in “ubuntu-download-manager” package in Ubuntu:
  Triaged
Status in “ubuntu-system-settings” package in Ubuntu:
  Triaged
Status in “urfkill” package in Ubuntu:
  Triaged
Status in “indicator-network” source package in Utopic:
  Triaged
Status in “isc-dhcp” source package in Utopic:
  Fix Released
Status in “network-manager” source package in Utopic:
  Triaged
Status in “nuntium” source package in Utopic:
  Triaged
Status in “ofono” source package in Utopic:
  Triaged
Status in “powerd” source package in Utopic:
  Triaged
Status in “ubuntu-download-manager” source package in Utopic:
  Triaged
Status in “ubuntu-system-settings” source package in Utopic:
  Won't Fix
Status in “urfkill” source package in Utopic:
  Triaged

Bug description:
  NOTE: After further review from the security team, unfortunately what
  is presented as a solution in this bug is not sufficient to block
  unconfined processes from connecting to ofono for essentially two
  reasons:

   a) anything that is unconfined can change into another profile, so an 
unconfined process can simply change into the profile of one of the allowed 
services, and
   b) this doesn't protect against scenarios where the user is able to alter 
the behavior of the allowed services running in the user session (eg, 
indicator-network and ubuntu-system-settings)

  'a' is solvable by making sure that the user's session starts under a
  new AppArmor "user-session" profile that prevents changing profile in
  to one of the allowed services (of course, the user session services
  continue to run under their own profiles). We'd have to investigate
  the best method for profile attachment in this case as well. An
  alternative might be to store the profile attachment in the inode of
  the binary when AppArmor adds this.

  'b' is perhaps solvable by more strictly confining these allowed user
  session services (eg, 'audit deny ptrace tracedby peer=user-session,
  audit deny owner /** m, preventing QML loading, future AppArmor
  environment filtering, etc') along with, importantly, hardening these
  services to the point that they can't be controlled via environment,
  configuration, library loading, etc, etc. An alternative solution
  would be to run these services as another user in such a way that the
  user cannot alter their behavior beyond what is exposed in the UI.

  Preventing unconfined from doing things is a difficult prospect and
  while I think with the recent improvements with AppArmor over the last
  two cycles finally makes the notion plausible, significant work
  remains to solve 'a' and 'b'. This is cannot be achieved for RTM
  (note, this only affected limiting unconfined and has no effect on
  application isolation, which is in full effect and does not suffer
  from this at all).

  Description:
  It would be useful to limit the services that can connect to ofonod over 
DBus. We can implement this be creating an otherwise permissive AppArmor 
profile for ofonod that will limit any DBus calls to ofonod to a list of peer 
profiles (specifically excluding 'unconfined'). The list of peer profiles is:
   - indicator-network
   - network-manager (and dispatcher.d/03mmsproxy)
   - nuntium
   - telepathy-ofono
   - ofono-scripts
   - powerd
   - ubuntu-download-manager
   - system-settings
   - urfkill

  Each of the above needs to have a profile created for it, adjusting
  the boot scripts as necessary to ensure that the profile is loaded
  before the service starts. The peer profile implementation will be
  wide open as the purpose of the profile is (currently) to simply
  ensure the process of the service has the correct AppArmor labeling
  (though this opens the possibility to confine these services down the
  road if desired).

  Merge requests have been requested for everything except urfkill,
  which has a debdiff attached to this bug. As mentioned, the AppArmor
  profile

<    1   2   3   4   5   6   7   8   9   10   >