[Touch-packages] [Bug 2084008] Re: aa-complain: TypeError: 'NoneType' object is not callable

2024-10-09 Thread Georgia Garcia
Hi! Thank you for reporting this issue. It was already fixed by upstream
AppArmor but the fix still needs to be applied in the apparmor package:
https://gitlab.com/apparmor/apparmor/-/merge_requests/1218

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2084008

Title:
  aa-complain: TypeError: 'NoneType' object is not callable

Status in apparmor package in Ubuntu:
  New

Bug description:
  % lsb_release -rd
  No LSB modules are available.
  Description:  Ubuntu 24.04.1 LTS
  Release:  24.04

  % LANG=C apt policy python3-apparmor
  python3-apparmor:
    Installed: 4.0.1really4.0.1-0ubuntu0.24.04.3
    Candidate: 4.0.1really4.0.1-0ubuntu0.24.04.3
    Version table:
   *** 4.0.1really4.0.1-0ubuntu0.24.04.3 500
          500 http://jp.archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       4.0.0-beta3-0ubuntu3 500
          500 http://jp.archive.ubuntu.com/ubuntu noble/main amd64 Packages

  
  To reproduce the error:

  % sudo aa-complain /var/lib/snapd/apparmor/profiles/snap.firmware-updater.firmware-notifier
  Traceback (most recent call last):
    File "/usr/sbin/aa-complain", line 33, in 
      tool.cmd_complain()
    File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 140, in cmd_complain
      for (program, prof_filename, output_name) in self.get_next_for_modechange():
    File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 97, in get_next_for_modechange
      aaui.UI_Info(_('Profile for %s not found, skipping') % output_name)
                   ^^^
  TypeError: 'NoneType' object is not callable

  
  An unexpected error occurred!

  For details, see /tmp/apparmor-bugreport-p60izqjw.txt
  Please consider reporting a bug at https://gitlab.com/apparmor/apparmor/-/issues
  and attach this file.
  

  
  A dummy assignment with _ on line 93 in file /usr/lib/python3/dist-packages/apparmor/tools.py
  overwrites a function defined on line 24.

   24 _ = init_translation()

   93 for (program, _, prof_filename) in self.get_next_to_profile():
   94     output_name = prof_filename if program is None else program
   95 
   96     if not os.path.isfile(prof_filename) or is_skippable_file(prof_filename):
   97         aaui.UI_Info(_('Profile for %s not found, skipping') % output_name)
   98         continue

  ProblemType: Bug
  DistroRelease: Ubuntu 24.04
  Package: python3-apparmor 4.0.1really4.0.1-0ubuntu0.24.04.3
  ProcVersionSignature: Ubuntu 6.8.0-45.45-generic 6.8.12
  Uname: Linux 6.8.0-45-generic x86_64
  NonfreeKernelModules: zfs nvidia_modeset nvidia
  ApportVersion: 2.28.1-0ubuntu3.1
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Wed Oct  9 15:02:43 2024
  PackageArchitecture: all
  ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-6.8.0-45-generic 
root=/dev/mapper/ubuntu--vg-ubuntu--lv ro quiet splash vt.handoff=7
  SourcePackage: apparmor
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2084008/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 2039294] Re: apparmor docker

2024-10-04 Thread Georgia Garcia
** Attachment added: "docker-default"
   
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2039294/+attachment/5824926/+files/docker-default

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2039294

Title:
  apparmor docker

Status in docker:
  New
Status in apparmor package in Ubuntu:
  Incomplete

Bug description:
  No LSB modules are available.
  Distributor ID: Ubuntu
  Description:Ubuntu 23.10
  Release:23.10
  Codename:   mantic

  
  Docker version 24.0.5, build 24.0.5-0ubuntu1

  
  Graceful shutdown doesn't work anymore because SIGTERM and SIGKILL (maybe all
  signals?) don't reach the target process. It works when apparmor is uninstalled.

  
  [17990.085295] audit: type=1400 audit(1697213244.019:981): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=172626 comm="runc" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/runc"
  [17992.112517] audit: type=1400 audit(1697213246.043:982): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=172633 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/sbin/runc"

To manage notifications about this bug go to:
https://bugs.launchpad.net/docker/+bug/2039294/+subscriptions




[Touch-packages] [Bug 2067900] Re: apparmor unconfined profile blocks pivot_root

2024-10-03 Thread Georgia Garcia
Hi, mihalicyn, sorry for the delay answering.

That's unfortunately right. Ubuntu 12.04 ships apparmor 2.7, which didn't
have support for ABIs yet, so dc757a645cfa82f6ac252365df20a36a9ff82760
causes a regression on those early versions. I talked to @jjohansen and
we have agreed that this patch needs to be reverted, or partially
reverted, so it doesn't affect older versions of the apparmor_parser -
even though they are not currently supported, they shouldn't break on newer
kernels.

This partial revert makes it work in my tests:

--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -665,7 +665,7 @@ static struct aa_label *profile_transition(const struct 
cred *subj_cred,
goto audit;
}
 
-   if (!profile_mediates(profile, AA_CLASS_FILE)) {
+   if (profile_unconfined(profile)) {
new = find_attach(bprm, profile->ns,
  &profile->ns->base.profiles, name, &info);
if (new) {
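Review bot: the replacement of `-   if (!profile_mediates(profile, AA_CLASS_FILE)) {` by `+   if (profile_unconfined(profile)) {` drops the file-class mediation test instead of guarding it, so after this change a confined profile whose policy declares no file mediation no longer takes the find_attach branch at all; since the message presents this as a partial revert of dc757a645cfa82f6ac252365df20a36a9ff82760 for pre-ABI parsers, the hunk should carry a comment above the `if` saying so, and the behaviour for confined, non-file-mediating profiles should be compared between the two conditions before this is merged.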

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2067900

Title:
  apparmor unconfined profile blocks pivot_root

Status in AppArmor:
  Confirmed
Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  LXD team have got a report
  (https://github.com/canonical/lxd/issues/13389) from our user that on
  the Ubuntu Noble host it's not possible to run Docker containers
  inside a LXC container.

  After some investigation, it was discovered that problem connected
  with AppArmor profile which is shipped by default /etc/apparmor.d/runc
  (comes from
  
https://git.launchpad.net/ubuntu/+source/apparmor/commit/profiles/apparmor.d/runc?h=ubuntu/noble-
  devel&id=997aea8111bfa1e03960ae3a40321da73f0a6d96 )

  This profile is unconfined and should give all permissions to the runc
  daemon. But it does not work.

  Manual adding of "pivot_root," line and executing "systemctl reload
  apparmor.service" makes it work.

  After some further investigation it was found that on upstream Linux
  kernel problem is not reproducible.

  Our team was able to find a problematic commit:
  
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/commit/?id=dc757a645cfa82f6ac252365df20a36a9ff82760

  The following (partial) revert helps to solve the issue on Ubuntu
  kernel:

  diff --git a/security/apparmor/mount.c b/security/apparmor/mount.c
  index 74b7293ab971..b12e6bdfefb2 100644
  --- a/security/apparmor/mount.c
  +++ b/security/apparmor/mount.c
  @@ -678,7 +678,7 @@ static struct aa_label *build_pivotroot(const struct cred 
*subj_cred,
  AA_BUG(!new_path);
  AA_BUG(!old_path);
   
  -   if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT))
  +   if (profile_unconfined(profile) || !RULE_MEDIATES(rules, 
AA_CLASS_MOUNT))
  return aa_get_newest_label(&profile->label);
   
  error = aa_path_name(old_path, path_flags(profile, old_path),
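Review bot: only build_pivotroot receives the new `profile_unconfined(profile) ||` short-circuit in this hunk; any other function in security/apparmor/mount.c that gates on the same `!RULE_MEDIATES(rules, AA_CLASS_MOUNT)` test would still reject an unconfined profile compiled without a mount ABI declaration, so those call sites should be audited and given the same guard (or a shared helper), and the pivot_root case from the bug title deserves a regression test rather than only the manual `pivot_root,` workaround described above.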

  System info:

  # uname -a
  Linux ubuntu 6.8.0-31-generic #31-Ubuntu SMP PREEMPT_DYNAMIC Sat Apr 20 
00:40:06 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

  # cat /etc/os-release 
  PRETTY_NAME="Ubuntu 24.04 LTS"
  

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2067900/+subscriptions




[Touch-packages] [Bug 2072702] Re: AppArmor profile prevents use of TLS keys and certificates

2024-10-03 Thread Georgia Garcia
I agree that if /etc/ipa/ca.crt is a standard location for that package
(which appears to be
https://pagure.io/freeipa/blob/master/f/ipaplatform/base/paths.py#_69)
then we could add it to the ssl_certs abstraction.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to rsyslog in Ubuntu.
https://bugs.launchpad.net/bugs/2072702

Title:
  AppArmor profile prevents use of TLS keys and certificates

Status in rsyslog package in Ubuntu:
  New

Bug description:
  I'm trying to use the following configuration:

  # certificate files
  $DefaultNetstreamDriverCAFile /etc/ipa/ca.crt
  $DefaultNetstreamDriverCertFile /etc/ssl/certs/FQDN.crt
  $DefaultNetstreamDriverKeyFile /etc/ssl/private/FQDN.key

  But AppArmor prevents the loading of /etc/ipa/ca.crt and the key file.

  I think rsyslog-gnutls should allow reading the key file.

  But perhaps /etc/ipa/ca.crt needs to be added to
  /etc/apparmor.d/abstractions/ssl_certs which is in the apparmor
  package.

  Version 8.2312.0-3ubuntu9

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/2072702/+subscriptions




[Touch-packages] [Bug 2083435] Re: AppArmor 4.1.0-beta1 contains an ABI break for aa_log_record

2024-10-01 Thread Georgia Garcia
** Also affects: apparmor (Ubuntu)
   Importance: Undecided
   Status: New

** No longer affects: apparmor (Ubuntu)

** Also affects: apparmor (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: apparmor (Ubuntu Oracular)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2083435

Title:
  AppArmor 4.1.0-beta1 contains an ABI break for aa_log_record

Status in AppArmor:
  New
Status in apparmor package in Ubuntu:
  New
Status in apparmor source package in Oracular:
  New

Bug description:
  Commit 3c825eb001d33bb6f2480c4f78df03aee4c40396 in the Gitlab upstream
  adds a field called `execpath` to the `aa_log_record` struct. This
  field was added in the middle of the struct instead of the end,
  causing an ABI break in libapparmor without a corresponding major
  version number bump. This commit landed between v4.0.3 and
  v4.1.0-beta1, and unfortunately, Oracular currently packages
  v4.1.0-beta1.

  Thus, we need to land a patch to move the `execpath` field to the end
  of the struct ASAP to prevent an ABI break from making it into the
  Oracular release. The patch will be attached below [once available]
  and will be available as commit [SHA to be filled in once patch is
  merged upstream].

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2083435/+subscriptions




[Touch-packages] [Bug 2073661] Re: nordvpn generates many ip6 warning messages

2024-09-11 Thread Georgia Garcia
It does seem to be an issue with their snap apparmor policy, which they
manage directly. Feel free to report the issue to them directly:
https://github.com/NordSecurity/nordvpn-linux

** Changed in: apparmor (Ubuntu)
   Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2073661

Title:
  nordvpn generates many ip6 warning messages

Status in apparmor package in Ubuntu:
  Invalid

Bug description:
  I'm running
  Description:  Ubuntu 22.04.4 LTS
  Release:  22.04

  with a nordvpn snap package 3.18.2 Release 7

  When I start the nordvpn client I get the following

  Jul 19 17:06:13 LeosGamesLaptop NetworkManager[933]: [1721401573.0079] platform-linux: do-add-ip6-address[3: fe80::fcf5:1632:5ed8:2a2]: failure 13 (Permission denied)
  Jul 19 17:06:15 LeosGamesLaptop NetworkManager[933]: [1721401575.0081] platform-linux: do-add-ip6-address[3: fe80::931:b858:79a8:b4a6]: failure 13 (Permission denied)
  Jul 19 17:06:17 LeosGamesLaptop NetworkManager[933]: [1721401577.0103] platform-linux: do-add-ip6-address[3: fe80::ad9f:af02:ca97:dd89]: failure 13 (Permission denied)
  Jul 19 17:06:19 LeosGamesLaptop NetworkManager[933]: [1721401579.0132] platform-linux: do-add-ip6-address[3: fe80::c045:b6e8:46:df8b]: failure 13 (Permission denied)
  Jul 19 17:06:20 LeosGamesLaptop systemd[1]: NetworkManager-dispatcher.service: Deactivated successfully.
  Jul 19 17:06:21 LeosGamesLaptop NetworkManager[933]: [1721401581.0138] ipv6ll[6d8a71e68927d1b3,ifindex=3]: changed: no IPv6 link local address to retry after Duplicate Address Detection failures (back off)
  Jul 19 17:06:30 LeosGamesLaptop nordvpn.nordvpnd[1117]: 2024/07/19 17:06:30 [NC] connection lost:  pingresp not received, disconnecting
  Jul 19 17:06:30 LeosGamesLaptop nordvpn.nordvpnd[1117]: 2024/07/19 17:06:30 [NC] start connection loop
  Jul 19 17:06:30 LeosGamesLaptop nordvpn.nordvpnd[1117]: 2024/07/19 17:06:30 [Info] [NC] Connected
  Jul 19 17:06:30 LeosGamesLaptop nordvpn.nordvpnd[1117]: 2024/07/19 17:06:30 [NC] Connected
  Jul 19 17:06:31 LeosGamesLaptop NetworkManager[933]: [1721401591.0158] platform-linux: do-add-ip6-address[3: fe80::6b7:eacf:c624:f887]: failure 13 (Permission denied)
  Jul 19 17:06:33 LeosGamesLaptop NetworkManager[933]: [1721401593.0167] platform-linux: do-add-ip6-address[3: fe80::50d6:60d3:cbff:3de7]: failure 13 (Permission denied)
  Jul 19 17:06:35 LeosGamesLaptop NetworkManager[933]: [1721401595.0196] platform-linux: do-add-ip6-address[3: fe80::fcf5:1632:5ed8:2a2]: failure 13 (Permission denied)
  Jul 19 17:06:37 LeosGamesLaptop NetworkManager[933]: [1721401597.0223] platform-linux: do-add-ip6-address[3: fe80::931:b858:79a8:b4a6]: failure 13 (Permission denied)
  Jul 19 17:06:39 LeosGamesLaptop NetworkManager[933]: [1721401599.0232] platform-linux: do-add-ip6-address[3: fe80::ad9f:af02:ca97:dd89]: failure 13 (Permission denied)
  Jul 19 17:06:41 LeosGamesLaptop NetworkManager[933]: [1721401601.0261] platform-linux: do-add-ip6-address[3: fe80::c045:b6e8:46:df8b]: failure 13 (Permission denied)
  Jul 19 17:06:43 LeosGamesLaptop NetworkManager[933]: [1721401603.0284] ipv6ll[6d8a71e68927d1b3,ifindex=3]: changed: no IPv6 link local address to retry after Duplicate Address Detection failures (back off)
  Jul 19 17:06:53 LeosGamesLaptop NetworkManager[933]: [1721401613.0319] platform-linux: do-add-ip6-address[3: fe80::6b7:eacf:c624:f887]: failure 13 (Permission denied)
  Jul 19 17:06:55 LeosGamesLaptop NetworkManager[933]: [1721401615.0338] platform-linux: do-add-ip6-address[3: fe80::50d6:60d3:cbff:3de7]: failure 13 (Permission denied)
  Jul 19 17:06:57 LeosGamesLaptop NetworkManager[933]: [1721401617.0349] platform-linux: do-add-ip6-address[3: fe80::fcf5:1632:5ed8:2a2]: failure 13 (Permission denied)

  Somebody in the network forum thinks that this may be apparmor related.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2073661/+subscriptions




[Touch-packages] [Bug 2074068] Re: Squashfs image uses (null) compression, this version supports only xz, zlib.

2024-09-11 Thread Georgia Garcia
From the comments in the forum, it seems that the AppImage was
corrupted. Since it doesn't seem apparmor related, I'm setting this bug
as Invalid. Feel free to change it back if you don't agree.

** Changed in: apparmor (Ubuntu)
   Status: Confirmed => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2074068

Title:
  Squashfs image uses (null) compression, this version supports only xz,
  zlib.

Status in apparmor package in Ubuntu:
  Invalid

Bug description:
  Hello,
  How do I resolve this?

  a@b:~/Téléchargements$ ./DoctolibProDesktop-latest.AppImage
  Squashfs image uses (null) compression, this version supports only xz, zlib.

  Cannot mount AppImage, please check your FUSE setup.
  You might still be able to extract the contents of this AppImage
  if you run it with the --appimage-extract option.
  See https://github.com/AppImage/AppImageKit/wiki/FUSE
  for more information
  open dir error: No such file or directory


  a@b:~/Téléchargements$ ./DoctolibProDesktop-latest.AppImage --appimage-extract
  Squashfs image uses (null) compression, this version supports only xz, zlib.
  Failed to open squashfs image


  a@b:~/Téléchargements$ ./DoctolibProDesktop-latest.AppImage --appimage-extract-and-run
  Squashfs image uses (null) compression, this version supports only xz, zlib.
  Failed to open squashfs image
  Failed to extract AppImage


  dpkg -l | grep libfuse
  ii  libfuse2:amd64     2.9.9-5ubuntu3   amd64  Filesystem in Userspace (library)
  ii  libfuse3-3:amd64   3.10.5-1build1   amd64  Filesystem in Userspace (library) (3.x version)

  lsb_release -a
  No LSB modules are available.
  Distributor ID:   Ubuntu
  Description:      Ubuntu 22.04.4 LTS
  Release:          22.04
  Codename:         jammy

  
  And https://forum.ubuntu-fr.org/viewtopic.php?pid=22775048#p22775048

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2074068/+subscriptions




[Touch-packages] [Bug 2074277] Re: my network wifi and land have a very bad working

2024-09-11 Thread Georgia Garcia
Hi! Could you add some logs so we can determine if it's apparmor
related? You can run the following command to get them automatically.

apport-collect -p apparmor 2074277

** Changed in: apparmor (Ubuntu)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2074277

Title:
  my network wifi and land have a very bad working

Status in apparmor package in Ubuntu:
  Incomplete
Status in ubuntu-core-security package in Ubuntu:
  New

Bug description:
  I think the problem began with an update, because previously the
  computer was working without problems; the same system with the same hardware
  works without problems in Debian. I tried to find the error, but I think I
  do not understand the system log well enough. Question: is it possible to do a
  diagnostic log, to understand the log of the problem? I want to know if it is
  possible to put the network into a diagnostic mode and to give you more
  information. At the moment I have two wifi cards and also a USB ethernet
  cable, and I cannot watch a video from edX; it is very slow, but in my opinion
  the problem is only in Ubuntu; in Debian I do not have the problem on the same
  machine. Thank you for your time and your excellent system.
  This is the log of the update:
  2024-07-13 09:56:32,101 INFO Packages that will be upgraded: linux-generic-hwe-24.04 linux-headers-generic-hwe-24.04 linux-image-generic-hwe-24.04 linux-libc-dev linux-modules-nvidia-470-generic-hwe-24.04 linux-tools-common openssh-client
  2024-07-13 09:56:32,101 INFO Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2074277/+subscriptions




[Touch-packages] [Bug 2067900] Re: apparmor unconfined profile blocks pivot_root

2024-09-11 Thread Georgia Garcia
Sorry for the delay. The fix had landed but it was reverted due to a
regression. We have a 4.0.1really4.0.1-0ubuntu0.24.04.3 update but
it is still sitting in noble-proposed:
https://people.canonical.com/~ubuntu-archive/pending-sru.html

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2067900

Title:
  apparmor unconfined profile blocks pivot_root

Status in AppArmor:
  Confirmed
Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  LXD team have got a report
  (https://github.com/canonical/lxd/issues/13389) from our user that on
  the Ubuntu Noble host it's not possible to run Docker containers
  inside a LXC container.

  After some investigation, it was discovered that problem connected
  with AppArmor profile which is shipped by default /etc/apparmor.d/runc
  (comes from
  
https://git.launchpad.net/ubuntu/+source/apparmor/commit/profiles/apparmor.d/runc?h=ubuntu/noble-
  devel&id=997aea8111bfa1e03960ae3a40321da73f0a6d96 )

  This profile is unconfined and should give all permissions to the runc
  daemon. But it does not work.

  Manual adding of "pivot_root," line and executing "systemctl reload
  apparmor.service" makes it work.

  After some further investigation it was found that on upstream Linux
  kernel problem is not reproducible.

  Our team was able to find a problematic commit:
  
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/commit/?id=dc757a645cfa82f6ac252365df20a36a9ff82760

  The following (partial) revert helps to solve the issue on Ubuntu
  kernel:

  diff --git a/security/apparmor/mount.c b/security/apparmor/mount.c
  index 74b7293ab971..b12e6bdfefb2 100644
  --- a/security/apparmor/mount.c
  +++ b/security/apparmor/mount.c
  @@ -678,7 +678,7 @@ static struct aa_label *build_pivotroot(const struct cred 
*subj_cred,
  AA_BUG(!new_path);
  AA_BUG(!old_path);
   
  -   if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT))
  +   if (profile_unconfined(profile) || !RULE_MEDIATES(rules, 
AA_CLASS_MOUNT))
  return aa_get_newest_label(&profile->label);
   
  error = aa_path_name(old_path, path_flags(profile, old_path),
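Review bot: the `+   if (profile_unconfined(profile) || !RULE_MEDIATES(rules,` line is split from its continuation `AA_CLASS_MOUNT))` across two physical lines in the mail, so this copy will not apply with `git am` or `patch`; resend it as an attachment or with the whole condition on one line, and add a comment above the `if` naming dc757a645cfa82f6ac252365df20a36a9ff82760 as the commit being partially reverted, so that the explicit `profile_unconfined(profile)` short-circuit is not removed again in a later cleanup.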

  System info:

  # uname -a
  Linux ubuntu 6.8.0-31-generic #31-Ubuntu SMP PREEMPT_DYNAMIC Sat Apr 20 
00:40:06 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

  # cat /etc/os-release 
  PRETTY_NAME="Ubuntu 24.04 LTS"
  

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2067900/+subscriptions




[Touch-packages] [Bug 2078467] Re: aa-enforce /etc/apparmor.d/* - Error

2024-08-30 Thread Georgia Garcia
Hi appe!

There's a new version of apparmor in the noble-proposed pocket that should fix
this issue:
https://launchpad.net/ubuntu/+source/apparmor/4.0.1really4.0.1-0ubuntu0.24.04.3
https://wiki.ubuntu.com/Testing/EnableProposed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2078467

Title:
  aa-enforce /etc/apparmor.d/* - Error

Status in apparmor package in Ubuntu:
  New

Bug description:
  Executing "aa-enforce /etc/apparmor.d/*" does not work on Ubuntu 24.04.
  There is already an upstream fix
  (https://gitlab.com/apparmor/apparmor/-/merge_requests/1218/diffs?commit_id=6f9e841e74f04cac78da71fd2e8af3f973af94fc).
  I suspect more people will run into this issue now that the CIS Benchmark for
  Ubuntu 24.04 was released this week.

  Description:Ubuntu 24.04.1 LTS
  Release:24.04

  ---
  root@ubuntu2404:/etc/apparmor.d# dpkg -l |grep apparmor
  ii  apparmor             4.0.1really4.0.0-beta3-0ubuntu0.1  amd64  user-space parser utility for AppArmor
  ii  apparmor-profiles    4.0.1really4.0.0-beta3-0ubuntu0.1  all    experimental profiles for AppArmor security policies
  ii  apparmor-utils       4.0.1really4.0.0-beta3-0ubuntu0.1  all    utilities for controlling AppArmor
  ii  libapparmor1:amd64   4.0.1really4.0.0-beta3-0ubuntu0.1  amd64  changehat AppArmor library
  ii  python3-apparmor     4.0.1really4.0.0-beta3-0ubuntu0.1  all    AppArmor Python3 utility library
  ii  python3-libapparmor  4.0.1really4.0.0-beta3-0ubuntu0.1  amd64  AppArmor library Python3 bindings
  ---

  ---
  root@ubuntu2404:/etc/apparmor.d# aa-enforce /etc/apparmor.d/*
  Setting /etc/apparmor.d/1password to enforce mode.
  Traceback (most recent call last):
    File "/usr/sbin/aa-enforce", line 33, in 
      tool.cmd_enforce()
    File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 134, in cmd_enforce
      for (program, prof_filename, output_name) in self.get_next_for_modechange():
    File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 97, in get_next_for_modechange
      aaui.UI_Info(_('Profile for %s not found, skipping') % output_name)
                   ^^^
  TypeError: 'NoneType' object is not callable

  
  An unexpected error occurred!

  For details, see /tmp/apparmor-bugreport-yi5o6kwm.txt
  Please consider reporting a bug at https://gitlab.com/apparmor/apparmor/-/issues
  and attach this file.
  -


  Workaround is to edit /usr/lib/python3/dist-packages/apparmor/tools.py
  as the upstream fix suggests.

  
  -for (program, _, prof_filename) in self.get_next_to_profile():
  +for (program, _ignored, prof_filename) in self.get_next_to_profile():

  
  -for (program, _, prof_filename) in self.get_next_to_profile():
  +for (program, _ignored, prof_filename) in self.get_next_to_profile():
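Review bot: the two identical `-`/`+` pairs that rename `_` to `_ignored` carry no `@@` header or function context, so a reader cannot tell which two loops in tools.py they belong to (the traceback above only points at get_next_for_modechange, line 97); include the hunk headers, or at least the names of the two enclosing functions, so the workaround can be applied and checked against the upstream merge request rather than by searching for every `for (program, _, prof_filename)` in the file.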


  
  Then it works:

  root@ubuntu2404:/etc/apparmor.d# vim /usr/lib/python3/dist-packages/apparmor/tools.py
  root@ubuntu2404:/etc/apparmor.d# aa-enforce /etc/apparmor.d/*
  Setting /etc/apparmor.d/1password to enforce mode.
  Profile for /etc/apparmor.d/abi not found, skipping
  Profile for /etc/apparmor.d/abstractions not found, skipping
  Profile for /etc/apparmor.d/apache2.d not found, skipping
  Setting /etc/apparmor.d/bin.ping to enforce mode.
  Setting /etc/apparmor.d/brave to enforce mode.
  Setting /etc/apparmor.d/buildah to enforce mode.
  Setting /etc/apparmor.d/busybox to enforce mode.
  Setting /etc/apparmor.d/cam to enforce mode.
  Setting /etc/apparmor.d/ch-checkns to enforce mode.
  Setting /etc/apparmor.d/chrome to enforce mode.
  Setting /etc/apparmor.d/ch-run to enforce mode.
  Setting /etc/apparmor.d/code to enforce mode.
  Setting /etc/apparmor.d/crun to enforce mode.
  Setting /etc/apparmor.d/devhelp to enforce mode.
  Profile for /etc/apparmor.d/disable not found, skipping
  Setting /etc/apparmor.d/Discord to enforce mode.
  Setting /etc/apparmor.d/element-desktop to enforce mode.
  Setting /etc/apparmor.d/epiphany to enforce mode.
  Setting /etc/apparmor.d/evolution to enforce mode.
  Setting /etc/apparmor.d/firefox to enforce mode.
  Setting /etc/apparmor.d/flatpak to enforce mode.
  Profile for /etc/apparmor.d/force-complain not found, skipping
  Setting /etc/apparmor.d/geary to enforce mode.
  Setting /etc/apparmor.d/github-desktop to enforce mode.
  Setting /etc/apparmor.d/goldendict to enforce mode.
  Setting /etc/apparmor.d/ipa_verify to enforce mode.
  Setting /etc/apparmor.d/kchmviewer to enforce mode.
  Setting /etc/apparmor.d/keybase to enforce mode.
  Setting /etc/apparmor.d/lc-compliance to e
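The `_` clash behind this report and behind bug 2084008 above is a plain Python scoping effect: inside a function, a tuple target named `_` in a `for` statement makes `_` a local of that function, so every later `_(...)` call in the same body resolves to the loop's throwaway value (None) rather than to the module-level gettext function. The following is an added stand-alone example, not code from the apparmor project: `init_translation`, `get_next_to_profile` and `is_skippable_file` are constructed stand-ins that only mimic the shapes used in tools.py, and the directory names come from the aa-enforce output in this report. It reproduces the TypeError with the original loop and shows that the `_ignored` rename from merge request 1218 is enough to restore the translated message.

```python
import gettext
import os


def init_translation():
    """Constructed stand-in for init_translation() in apparmor/tools.py:
    returns the gettext function that the module binds to the name `_`."""
    return gettext.NullTranslations().gettext


_ = init_translation()   # mirrors "24 _ = init_translation()" from the report

# Entries under /etc/apparmor.d that hold no profile; the names are the ones
# aa-enforce reported as "not found, skipping" above.
_NOT_PROFILES = {"abi", "abstractions", "apache2.d", "disable", "force-complain"}


def is_skippable_file(path):
    """Constructed stand-in for apparmor's is_skippable_file()."""
    return os.path.basename(path) in _NOT_PROFILES


def get_next_to_profile():
    """Constructed stand-in for get_next_to_profile(): yields
    (program, unused, profile_filename) tuples like the real generator,
    where the middle element is None for these entries."""
    yield ("/usr/bin/ping", None, "/etc/apparmor.d/bin.ping")
    yield (None, None, "/etc/apparmor.d/abstractions")


def skipped_buggy():
    """The loop as shipped: `_` in the tuple target is a local variable of this
    function, so it shadows the module-level gettext `_` for the whole body.
    Its value here is None, and the first skipped entry raises the TypeError
    seen in the traceback."""
    messages = []
    for (program, _, prof_filename) in get_next_to_profile():
        output_name = prof_filename if program is None else program
        if is_skippable_file(prof_filename):
            messages.append(_('Profile for %s not found, skipping') % output_name)
    return messages


def skipped_fixed():
    """The loop after the upstream fix: the throwaway is named `_ignored`,
    so `_` still resolves to the gettext function bound at module level."""
    messages = []
    for (program, _ignored, prof_filename) in get_next_to_profile():
        output_name = prof_filename if program is None else program
        if is_skippable_file(prof_filename):
            messages.append(_('Profile for %s not found, skipping') % output_name)
    return messages


def buggy_raises_type_error():
    """True when the shadowing bug reproduces exactly as in the report."""
    try:
        skipped_buggy()
    except TypeError as exc:
        return str(exc) == "'NoneType' object is not callable"
    return False


if __name__ == "__main__":
    print("buggy loop raises the reported TypeError:", buggy_raises_type_error())
    print("fixed loop reports:", skipped_fixed())
```

Because the shadowing is local to the function, the module-level `_` is never actually overwritten; other functions in the same module keep working, which is why only the skip path of get_next_for_modechange fails and why a linter rule against rebinding `_` in modules that use gettext catches this class of bug before it ships.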

[Touch-packages] [Bug 2039294] Re: apparmor docker

2024-08-27 Thread Georgia Garcia
@lazka: you can use this profile:
https://pastebin.canonical.com/p/VbmH97Rhqp/

I grabbed it from upstream:
https://github.com/moby/moby/blob/master/profiles/apparmor/template.go

Note that for the rule "signal (receive) peer={{.DaemonProfile}}," in the
template I assumed the DaemonProfile is unconfined, and if it's not, you will
have to change it. To check if that's the case, you can run
"ps axZ | grep dockerd" and check the value of the first column.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2039294

Title:
  apparmor docker

Status in docker:
  New
Status in apparmor package in Ubuntu:
  Incomplete

Bug description:
  No LSB modules are available.
  Distributor ID: Ubuntu
  Description:Ubuntu 23.10
  Release:23.10
  Codename:   mantic

  
  Docker version 24.0.5, build 24.0.5-0ubuntu1

  
  Graceful shutdown doesn't work anymore because SIGTERM and SIGKILL (maybe all
  signals?) don't reach the target process. It works when apparmor is uninstalled.

  
  [17990.085295] audit: type=1400 audit(1697213244.019:981): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=172626 comm="runc" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/runc"
  [17992.112517] audit: type=1400 audit(1697213246.043:982): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=172633 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/sbin/runc"

To manage notifications about this bug go to:
https://bugs.launchpad.net/docker/+bug/2039294/+subscriptions
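The two audit lines in this report already contain everything needed to write the missing rule: the confined profile (`docker-default`), the denied access (`receive`), the signal names and the peer label the kernel saw (`/usr/sbin/runc`). The block below is an added example, not code from the apparmor or moby projects: a small parser that turns such `apparmor="DENIED" ... class="signal"` records into candidate `signal` rules, which is the manual version of what aa-logprof does. The sample log is constructed from the two lines above plus one made-up file denial, included to show that non-signal records are ignored. The emitted peer is whatever the log shows; as the note above about `{{.DaemonProfile}}` says, on a host where the daemon side runs unconfined the log and the rule would say `peer=unconfined` instead.

```python
import re
from collections import defaultdict

# Constructed sample log: the two "signal" denials quoted in the bug report,
# plus one unrelated (made-up) file denial that must not produce a rule.
SAMPLE_LOG = """\
[17990.085295] audit: type=1400 audit(1697213244.019:981): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=172626 comm="runc" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/runc"
[17992.112517] audit: type=1400 audit(1697213246.043:982): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=172633 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/sbin/runc"
[17995.000000] audit: type=1400 audit(1697213249.000:983): apparmor="DENIED" operation="open" class="file" profile="docker-default" name="/var/log/syslog" pid=172640 comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value, as written in AppArmor audit records
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Split one audit record into a dict of its key=value fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _FIELD.finditer(line)}


def signal_denials(log_text):
    """Collect DENIED signal events keyed by (profile, access, peer label).

    access is the denied_mask ("receive" or "send"); the value is the set of
    signal names denied for that profile/peer pair.
    """
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if f.get("apparmor") != "DENIED" or f.get("class") != "signal":
            continue   # only signal-class denials map to a signal rule
        grouped[(f["profile"], f["denied_mask"], f["peer"])].add(f["signal"])
    return dict(grouped)


def suggest_rules(grouped):
    """Render one AppArmor signal rule per (profile, access, peer) group.

    The peer is emitted exactly as the kernel logged it: a path-named profile
    here, or "unconfined" on hosts where the peer runs without a profile.
    """
    rules = []
    for (profile, access, peer), signals in sorted(grouped.items()):
        sigs = ", ".join(sorted(signals))
        rules.append(f"# for profile {profile}\n"
                     f"signal ({access}) set=({sigs}) peer={peer},")
    return rules


if __name__ == "__main__":
    for rule in suggest_rules(signal_denials(SAMPLE_LOG)):
        print(rule)
```

Grouping by peer rather than emitting a bare `signal (receive),` keeps the rule as narrow as the evidence: the container profile is only opened to signals from the label that actually sent them, which is the same shape the moby template expresses with `peer={{.DaemonProfile}}`.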




[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-08-22 Thread Georgia Garcia
Verification completed in bug 2064672

** Tags removed: verification-needed verification-needed-noble
** Tags added: verification-done verification-done-noble

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

Status in AppArmor:
  New
Status in Wike:
  New
Status in akonadiconsole package in Ubuntu:
  Fix Released
Status in akregator package in Ubuntu:
  Fix Released
Status in angelfish package in Ubuntu:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released
Status in bubblewrap package in Ubuntu:
  Fix Committed
Status in cantor package in Ubuntu:
  Fix Released
Status in devhelp package in Ubuntu:
  Fix Released
Status in digikam package in Ubuntu:
  Fix Released
Status in epiphany-browser package in Ubuntu:
  Fix Released
Status in evolution package in Ubuntu:
  Fix Released
Status in falkon package in Ubuntu:
  Fix Released
Status in firefox package in Ubuntu:
  Confirmed
Status in foliate package in Ubuntu:
  Fix Committed
Status in freecad package in Ubuntu:
  Invalid
Status in geary package in Ubuntu:
  Fix Released
Status in ghostwriter package in Ubuntu:
  Fix Released
Status in gnome-packagekit package in Ubuntu:
  Invalid
Status in goldendict-webengine package in Ubuntu:
  Fix Released
Status in guix package in Ubuntu:
  Confirmed
Status in kalgebra package in Ubuntu:
  Fix Released
Status in kchmviewer package in Ubuntu:
  Fix Released
Status in kdeplasma-addons package in Ubuntu:
  Fix Released
Status in kgeotag package in Ubuntu:
  Fix Released
Status in kiwix package in Ubuntu:
  Incomplete
Status in kmail package in Ubuntu:
  Fix Released
Status in konqueror package in Ubuntu:
  Fix Released
Status in kontact package in Ubuntu:
  Fix Released
Status in loupe package in Ubuntu:
  Fix Released
Status in marble package in Ubuntu:
  Fix Released
Status in notepadqq package in Ubuntu:
  Fix Released
Status in opam package in Ubuntu:
  Fix Released
Status in pageedit package in Ubuntu:
  Fix Released
Status in plasma-desktop package in Ubuntu:
  Fix Released
Status in plasma-welcome package in Ubuntu:
  Fix Released
Status in privacybrowser package in Ubuntu:
  Invalid
Status in qmapshack package in Ubuntu:
  Fix Released
Status in qutebrowser package in Ubuntu:
  Fix Released
Status in rssguard package in Ubuntu:
  Fix Released
Status in steam package in Ubuntu:
  Fix Released
Status in supercollider package in Ubuntu:
  Fix Released
Status in tellico package in Ubuntu:
  Fix Released
Status in tor package in Ubuntu:
  Confirmed
Status in wike package in Ubuntu:
  Fix Committed
Status in apparmor source package in Noble:
  Fix Committed

Bug description:
  Hi, I run Ubuntu development branch 24.04 and I have a problem with
  Epiphany browser 45.1-1 (Gnome Web): program doesn't launch, and I get
  this error

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:12085): ERROR **: 14:44:35.023: Failed to fully launch 
dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:30878): ERROR **: 22:22:26.926: Failed to fully launch 
dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  Thanks for your help!

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions



[Touch-packages] [Bug 2060100] Re: denials from sshd in noble

2024-08-22 Thread Georgia Garcia
Verification completed in bug 2064672

** Tags removed: verification-needed verification-needed-noble
** Tags added: verification-done verification-done-noble

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2060100

Title:
  denials from sshd in noble

Status in apparmor package in Ubuntu:
  Confirmed
Status in apparmor source package in Noble:
  Fix Committed

Bug description:
  2024-03-27T00:10:28.929314-04:00 image-ubuntu64 kernel: audit:
  type=1400 audit(1711512628.920:155): apparmor="DENIED"
  operation="bind" class="net" profile="/usr/sbin/sshd" pid=1290
  comm="sshd" family="unix" sock_type="stream" protocol=0
  requested_mask="bind" denied_mask="bind"
  addr="@63cf34db7fbab75f/bus/sshd/system"

  2024-03-27T00:41:09.791826-04:00 image-ubuntu64 kernel: audit:
  type=1107 audit(1711514469.771:333907): pid=703 uid=101
  auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED"
  operation="dbus_method_call"  bus="system"
  path="/org/freedesktop/login1"
  interface="org.freedesktop.login1.Manager"
  member="CreateSessionWithPIDFD" mask="send"
  name="org.freedesktop.login1" pid=4528 label="/usr/sbin/sshd"
  peer_pid=688 peer_label="unconfined"

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2060100/+subscriptions


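The sshd denials quoted above (a type=1400 unix-socket bind and a type=1107 D-Bus call) and the docker-default signal denial earlier in this thread are easier to triage once split into fields. The following parser is an added example, not code from the AppArmor project or from any message in this thread; its sample input is copied from the audit lines quoted in these reports, and the field names are the ones those lines use. It handles both the plain type=1400 form and the type=1107 D-Bus form, where the AppArmor fields are nested inside msg='...'.

```python
"""Parse AppArmor DENIED audit records (type=1400, and the msg='...'-wrapped
type=1107 D-Bus form) into dicts for triage."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Sample input copied from the denials quoted in these bug reports: the
# docker-default signal denial, the two sshd denials (bind and D-Bus), plus
# one non-audit kernel line that the parser must skip.
SAMPLE_LINES = [
    '[17992.112517] audit: type=1400 audit(1697213246.043:982): apparmor="DENIED" '
    'operation="signal" class="signal" profile="docker-default" pid=172633 '
    'comm="runc" requested_mask="receive" denied_mask="receive" signal=kill '
    'peer="/usr/sbin/runc"',
    '2024-03-27T00:10:28.929314-04:00 image-ubuntu64 kernel: audit: type=1400 '
    'audit(1711512628.920:155): apparmor="DENIED" operation="bind" class="net" '
    'profile="/usr/sbin/sshd" pid=1290 comm="sshd" family="unix" '
    'sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind" '
    'addr="@63cf34db7fbab75f/bus/sshd/system"',
    "2024-03-27T00:41:09.791826-04:00 image-ubuntu64 kernel: audit: type=1107 "
    "audit(1711514469.771:333907): pid=703 uid=101 auid=4294967295 ses=4294967295 "
    "subj=unconfined msg='apparmor=\"DENIED\" operation=\"dbus_method_call\"  "
    "bus=\"system\" path=\"/org/freedesktop/login1\" "
    "interface=\"org.freedesktop.login1.Manager\" member=\"CreateSessionWithPIDFD\" "
    "mask=\"send\" name=\"org.freedesktop.login1\" pid=4528 label=\"/usr/sbin/sshd\" "
    "peer_pid=688 peer_label=\"unconfined\"'",
    "Jul 12 09:44:37 ubuntu2404 kernel: kauditd_printk_skb: 6 callbacks suppressed",
]

# key=value tokens: double-quoted, single-quoted (the msg='...' wrapper) or bare.
_KV_RE = re.compile(r'''(\w+)=(?:"([^"]*)"|'([^']*)'|(\S+))''')
_STAMP_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")


def _parse_kv(text: str) -> Dict[str, str]:
    """Split key=value tokens. A msg='...' value is parsed recursively and its
    fields merged in: for type=1107 the inner pid is the D-Bus sender and the
    outer one the bus daemon, so the inner value deliberately wins."""
    fields: Dict[str, str] = {}
    for key, dq, sq, bare in _KV_RE.findall(text):
        value = dq or sq or bare
        if key == "msg":
            fields.update(_parse_kv(value))
        else:
            fields[key] = value
    return fields


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one AppArmor audit record, or None for other lines."""
    idx = line.find("audit: ")
    if idx < 0:
        return None
    body = line[idx + len("audit: "):]
    fields = _parse_kv(body)
    if "apparmor" not in fields:
        return None
    stamp = _STAMP_RE.search(body)
    if stamp:
        fields["timestamp"], fields["serial"] = stamp.group(1), stamp.group(2)
    return fields


def denial_summary(rec: Dict[str, str]) -> str:
    """One-line triage summary keyed on the operation."""
    subject = rec.get("profile") or rec.get("label", "?")
    op = rec.get("operation", "?")
    if op == "signal":
        return f"{subject}: signal {rec.get('signal')} {rec.get('denied_mask')} peer={rec.get('peer')}"
    if op == "dbus_method_call":
        return (f"{subject}: dbus {rec.get('mask')} {rec.get('interface')}."
                f"{rec.get('member')} peer_label={rec.get('peer_label')}")
    target = rec.get("name") or rec.get("addr") or ""
    return f"{subject}: {op} {rec.get('denied_mask')} {target}".rstrip()


def denials(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Only the records AppArmor marked as DENIED, in input order."""
    return [r for r in (parse_audit_line(ln) for ln in lines)
            if r and r.get("apparmor") == "DENIED"]


def count_by_profile_op(lines: Iterable[str]) -> Counter:
    """(profile-or-label, operation) -> number of denials, for spotting noise."""
    return Counter((r.get("profile") or r.get("label"), r.get("operation"))
                   for r in denials(lines))


if __name__ == "__main__":
    for rec in denials(SAMPLE_LINES):
        print(rec.get("serial"), denial_summary(rec))
    print(count_by_profile_op(SAMPLE_LINES))
```

Feeding `journalctl -k` or `dmesg` output through `denials()` and then `count_by_profile_op()` quickly separates a single missing rule (one profile, one operation) from a profile that is broadly wrong, which is the first question to answer before editing policy.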

[Touch-packages] [Bug 2072811] Re: Apparmor: New update broke flatpak with `apparmor="DENIED"`

2024-08-22 Thread Georgia Garcia
Verification completed in bug 2064672

** Tags removed: verification-needed verification-needed-noble
** Tags added: verification-done verification-done-noble

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2072811

Title:
  Apparmor: New update broke flatpak with `apparmor="DENIED"`

Status in apparmor package in Ubuntu:
  Fix Released
Status in apparmor source package in Noble:
  Fix Committed
Status in apparmor source package in Oracular:
  Fix Released

Bug description:
  The recent apparmor update appears to have broken some flatpaks' ability to 
save files, e.g.:
  - org.keepassxc.KeePassXC
  - org.ksnip.ksnip

  It seems the update introduced a new profile ("/etc/apparmor.d/bwrap-
  userns-restrict"), which is causing the issue below.

   To reproduce 

  (I'm using KeepassXC as example, but same issue for ksnip):

  1. Install and run KeepassXC

  ```bash
  flatpak install org.keepassxc.KeePassXC
  flatpak run org.keepassxc.KeePassXC
  ```

  2. Got error: "Access error for config file
  /home//.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini"

  Looking at `journalctl -f`, I see these apparmor DENIED entries:

  ```txt
  Jul 12 09:44:36 ubuntu2404 systemd[2144]: Started 
app-flatpak-org.keepassxc.KeePassXC-4010.scope.
  Jul 12 09:44:37 ubuntu2404 kernel: kauditd_printk_skb: 6 callbacks suppressed
  Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 
audit(1720741477.106:310): apparmor="DENIED" operation="link" class="file" 
info="Failed name lookup - deleted entry" error=-2 profile="bwrap" 
name="/home//.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211" 
pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 
ouid=1000
  Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 
audit(1720741477.106:311): apparmor="DENIED" operation="link" class="file" 
profile="bwrap" 
name="/home//.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini"
 pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 
ouid=1000 
target="/home//.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211"
  Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 
audit(1720741477.106:312): apparmor="DENIED" operation="link" class="file" 
info="Failed name lookup - deleted entry" error=-2 profile="unpriv_bwrap" 
name="/home//.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211" 
pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 
ouid=1000
  Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 
audit(1720741477.106:313): apparmor="DENIED" operation="link" class="file" 
profile="unpriv_bwrap" 
name="/home//.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini"
 pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 
ouid=1000 
target="/home//.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211"
  Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 
audit(1720741477.341:314): apparmor="DENIED" operation="link" class="file" 
info="Failed name lookup - deleted entry" error=-2 profile="bwrap" 
name="/home//.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214" 
pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 
ouid=1000
  Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 
audit(1720741477.341:315): apparmor="DENIED" operation="link" class="file" 
profile="bwrap" 
name="/home//.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini"
 pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 
ouid=1000 
target="/home//.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214"
  Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 
audit(1720741477.341:316): apparmor="DENIED" operation="link" class="file" 
info="Failed name lookup - deleted entry" error=-2 profile="unpriv_bwrap" 
name="/home//.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214" 
pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 
ouid=1000
  Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 
audit(1720741477.341:317): apparmor="DENIED" operation="link" class="file" 
profile="unpriv_bwrap" 
name="/home//.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini"
 pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 
ouid=1000 
target="/home//.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214"
  Jul 12 09:44:38 ubuntu2404 kernel: audit: type=1400 
audit(1720741478.704:318): apparmor="DENIED" operation="link" class="file" 
info="Failed name lookup - deleted entry" error=-2 profile="bwrap" 
name="/home//.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317217" 
pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 
ouid=1000
  Jul 12 09:44:38 ubuntu2404 kernel: audit: type=1400 
audit(1720741478.704:319): apparmor="DENIED" operation="link" class="file" 

[Touch-packages] [Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-08-20 Thread Georgia Garcia
Verification completed on apparmor noble-proposed

$ apt policy apparmor
apparmor:
  Installed: 4.0.1really4.0.1-0ubuntu0.24.04.3
  Candidate: 4.0.1really4.0.1-0ubuntu0.24.04.3
  Version table:
 *** 4.0.1really4.0.1-0ubuntu0.24.04.3 100
100 http://archive.ubuntu.com/ubuntu noble-proposed/main amd64 Packages
100 /var/lib/dpkg/status
 4.0.1really4.0.0-beta3-0ubuntu0.1 500
500 http://archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
 4.0.0-beta3-0ubuntu3 500
500 http://archive.ubuntu.com/ubuntu noble/main amd64 Packages


$ sudo python3 ./test-apparmor.py
--
Ran 62 tests in 1854.594s

OK (skipped=3)

Wike works as expected.
Foliate opens the test epub and works as expected.
transmission-gtk starts as expected.

Due to Bug 2072811, setzer still does not open (as expected, see #24), but
org.keepassxc.KeePassXC works as expected, as do org.ksnip.ksnip,
org.videolan.VLC, and com.discordapp.Discord.

org.gnome.Recipes works both with and without --unshare=network

** Tags removed: verification-needed verification-needed-noble
** Tags added: verification-done verification-done-noble

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2064672

Title:
  [SRU] - fixes for apparmor on noble

Status in apparmor package in Ubuntu:
  In Progress
Status in apparmor source package in Noble:
  Fix Committed

Bug description:
  [ Impact ]

  This SRU has several fixes:

  add unconfined profile for tuxedo-control-center (Bug 2046844)
  fix issues appointed by coverity
  fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386)
  fix redefinition of _ which caused an issue with translation, failing 
aa-enforce (https://gitlab.com/apparmor/apparmor/-/issues/387)
  add mount test for CVE-2016-1585 (Bug 1597017 and Bug 2023814)
  add network inet mediation documentation to apparmor.d
  fix inet conditionals to only generate rules for inet family 
(https://gitlab.com/apparmor/apparmor/-/issues/384)
  add unconfined wike profile (Bug 2060810)
  add unconfined foliate profile (Bug 2060767)
  fix chromium_browser profile 
(https://gitlab.com/apparmor/apparmor/-/merge_requests/1208)
  add profiles for Transmission family of Bittorrent clients
  add profile for unshare utility (Bug 2046844)
  add profile for bwrap utility (Bug 2046844)
  fix unconfined firefox profile to support mozilla.org download (Bug 2056297)
  fix getattr and setattr perm mapping on mqueue rules 
(https://gitlab.com/apparmor/apparmor/-/issues/377 and 
https://gitlab.com/apparmor/apparmor/-/issues/378)
  fix inet tests (https://gitlab.com/apparmor/apparmor/-/issues/376)
  fix sshd profile (Bug 2060100)
  fix apparmor tools to allow mount destination globbing 
(https://gitlab.com/apparmor/apparmor/-/issues/381)
  fix firefox profile (https://gitlab.com/apparmor/apparmor/-/issues/380)
  move pam-related permissions to abstractions/authentication 
(https://bugzilla.opensuse.org/show_bug.cgi?id=1220032)
  fix condition in policydb serialization to only encode xtable if 
kernel_supports_permstable32
  relax mount rules in utils to fix use of virtiofs and other file-system types

  [ Test Plan ]

  * Make sure to reboot after upgrading (Bug 2072811)
  This has been extensively tested via the AppArmor regression test
  script in the QA Regression Testing repo:
  https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py

  Steps:
  $ git clone https://git.launchpad.net/qa-regression-testing
  $ ./scripts/make-test-tarball ./scripts/test-apparmor.py 
  Copying: test-apparmor.py
  Copying: testlib.py
  Copying: install-packages
  Copying: packages-helper
  Copying: apparmor/

  Test files: /tmp/qrt-test-apparmor.tar.gz

  To run, copy the tarball somewhere, then do:
  $ tar -zxf qrt-test-apparmor.tar.gz
  $ cd ./qrt-test-apparmor
  $ sudo ./install-packages test-apparmor.py
  $ ./test-apparmor.py -v

  This script runs various tests against the installed apparmor
  package, as well as building and running the various upstream
  regression and other test suites against this installed package:
    - https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads
    - https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads
    - https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads
    - https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads

  The final test output was:

  --
  Ran 62 tests in 1977.045s

  OK (skipped=3)

  georgia@sec-noble-amd64:~$ apt policy apparmor
  apparmor:
Installed: 4.0.1really4.0.1-0ubuntu0.24.04.3
Candidate: 4.0.1really4.0.1-0ubuntu0.24.04.3

  Run additional tests:

  1. Install wike and 

[Touch-packages] [Bug 2077413] Re: apparmor unconfined profile blocks signal sending

2024-08-20 Thread Georgia Garcia
I have noticed that a lot of AppArmor policies use peer=unconfined when
they meant *any* peer. I believe this is also the case for bug 2040483.

I see little difference in allowing "signal (receive) peer=unconfined,"
vs "signal (receive)," in abstractions/base, so I proposed
https://gitlab.com/apparmor/apparmor/-/merge_requests/1310 but I'm open
to discussion.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2077413

Title:
  apparmor unconfined profile blocks signal sending

Status in AppArmor:
  New
Status in apparmor package in Ubuntu:
  New

Bug description:
  Dear friends,

  if I'm not missing anything it looks like we have one more bug with
  unconfined AppArmor profiles.

  Reproducer description.

  

  1. Create 4 files with the following content:

  # cat apparmor_signal_test_wrap.sh 
  #!/bin/sh

  cat /proc/self/attr/apparmor/current

  ./apparmor_signal_test.sh

  kill -9 $(cat test.pid)

  # cat apparmor_signal_test.sh 
  #!/bin/sh

  cat /proc/self/attr/apparmor/current

  sleep 1000 &
  echo $! > test.pid

  # cat /etc/apparmor.d/home.ubuntu.apparmor_signal_test_wrap

  #include 

  "/home/ubuntu/apparmor_signal_test_wrap.sh" flags=(unconfined) {
#include 

capability,
dbus,
file,
network,
  }

  # cat /etc/apparmor.d/home.ubuntu.apparmor_signal_test

  #include 

  "/home/ubuntu/apparmor_signal_test.sh" {
#include 

capability,
dbus,
file,
network,
  }

  2. Load AppArmor profiles:

  apparmor_parser -r /etc/apparmor.d/home.ubuntu.apparmor_signal_test
  apparmor_parser -r /etc/apparmor.d/home.ubuntu.apparmor_signal_test_wrap

  3. Run the program

  # ./apparmor_signal_test_wrap.sh 
  /home/ubuntu/apparmor_signal_test_wrap.sh (unconfined)
  /home/ubuntu/apparmor_signal_test.sh (enforce)
  ./apparmor_signal_test_wrap.sh: 7: kill: Permission denied

  4. Check dmesg:

  [ 4043.092218] audit: type=1400 audit(1724153768.037:191):
  apparmor="DENIED" operation="signal" class="signal"
  profile="/home/ubuntu/apparmor_signal_test.sh" pid=10561
  comm="apparmor_signal" requested_mask="receive" denied_mask="receive"
  signal=kill peer="/home/ubuntu/apparmor_signal_test_wrap.sh"

  Expected behavior:
  ./apparmor_signal_test_wrap.sh should exit without any errors.

  

  This bug affects LXD when we enable a new unconfined mode (in lxd-support 
snapd interface).
  Originally, this problem was reported as a comment in another LP bug for 
AppArmor:
  https://bugs.launchpad.net/apparmor/+bug/2067900/comments/2
  but it looks like the problem is deeper in this case.

  We had to revert:
  https://github.com/canonical/lxd-pkg-snap/pull/489
  because of this and a few other issues.

  System info:

  # cat /etc/os-release 
  PRETTY_NAME="Ubuntu 24.04 LTS"
  NAME="Ubuntu"
  VERSION_ID="24.04"
  VERSION="24.04 LTS (Noble Numbat)"

  # uname -a
  Linux ubuntu 6.8.0-40-generic #40-Ubuntu SMP PREEMPT_DYNAMIC Fri Jul  5 
10:34:03 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

  # apt info apparmor
  Package: apparmor
  Version: 4.0.1really4.0.0-beta3-0ubuntu0.1

  # apparmor_parser -V
  AppArmor parser version 4.0.0~beta3
  Copyright (C) 1999-2008 Novell Inc.
  Copyright 2009-2018 Canonical Ltd.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2077413/+subscriptions


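Georgia's comment above is about how a `peer=unconfined` signal rule is matched, and the reporter's denial shows the effect: the receiving profile logs peer="/home/ubuntu/apparmor_signal_test_wrap.sh", not "unconfined". The model below is an added example, not AppArmor's implementation and not code from this thread. It assumes, as the comment says, that abstractions/base grants `signal (receive) peer=unconfined,`, and it simplifies AppArmor globbing to `*` (does not cross `/`) and `**` (does). It replays the reproducer: the wrapper runs under a profile with flags=(unconfined), so its label is the profile name rather than `unconfined`, the enforced child's `peer=unconfined` rule does not match that label, and the proposed `signal (receive),` does.

```python
"""Model of AppArmor signal-rule matching, showing why a rule written as
'signal (receive) peer=unconfined,' does not cover a sender that runs under a
profile with flags=(unconfined). Simplified model, not AppArmor's code."""
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

UNCONFINED_LABEL = "unconfined"   # label of a task that has no profile at all

_RULE_RE = re.compile(
    r"^\s*signal\s*(?:\(([^)]*)\))?"    # optional (send receive)
    r"(?:\s+set=\(([^)]*)\))?"          # optional set=(kill term ...)
    r"(?:\s+peer=([^\s,]+))?\s*,\s*$"   # optional peer=<label glob>
)


def _split(words: str) -> FrozenSet[str]:
    return frozenset(w for w in re.split(r"[\s,]+", words.strip()) if w)


def _glob_to_regex(pattern: str) -> "re.Pattern[str]":
    # Simplified AppArmor globbing: '*' stops at '/', '**' crosses it.
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


@dataclass(frozen=True)
class SignalRule:
    perms: FrozenSet[str]               # {"send"}, {"receive"} or both
    signals: Optional[FrozenSet[str]]   # None: any signal (no set=)
    peer: Optional[str]                 # None: any peer label (no peer=)

    def matches(self, perm: str, signal: str, peer_label: str) -> bool:
        if perm not in self.perms:
            return False
        if self.signals is not None and signal not in self.signals:
            return False
        if self.peer is not None and not _glob_to_regex(self.peer).match(peer_label):
            return False
        return True


def parse_signal_rule(text: str) -> SignalRule:
    """Parse one profile line such as 'signal (receive) peer=unconfined,'."""
    m = _RULE_RE.match(text)
    if not m:
        raise ValueError(f"not a signal rule: {text!r}")
    perms, signals, peer = m.groups()
    return SignalRule(
        perms=_split(perms) if perms else frozenset({"send", "receive"}),
        signals=_split(signals) if signals else None,
        peer=peer,
    )


@dataclass(frozen=True)
class Profile:
    name: str                   # also the label reported for the task
    flags: FrozenSet[str]       # {"unconfined"} models flags=(unconfined)
    rules: Tuple[SignalRule, ...]


def _side_allows(profile: Optional[Profile], perm: str, signal: str, peer_label: str) -> bool:
    # No profile at all, or a profile carrying the unconfined flag: not mediated.
    if profile is None or "unconfined" in profile.flags:
        return True
    return any(r.matches(perm, signal, peer_label) for r in profile.rules)


def signal_allowed(sender: Optional[Profile], receiver: Optional[Profile],
                   signal: str) -> Tuple[bool, str]:
    """Both ends are checked: the sender needs 'send' against the receiver's
    label, the receiver needs 'receive' against the sender's label. A task under
    a flags=(unconfined) profile is labelled by the profile name, not 'unconfined'."""
    sender_label = sender.name if sender else UNCONFINED_LABEL
    receiver_label = receiver.name if receiver else UNCONFINED_LABEL
    if not _side_allows(sender, "send", signal, receiver_label):
        return False, f"{sender_label}: no 'send' rule for peer={receiver_label}"
    if not _side_allows(receiver, "receive", signal, sender_label):
        return False, f"{receiver_label}: no 'receive' rule for peer={sender_label}"
    return True, "allowed"


if __name__ == "__main__":
    # The reporter's scenario: wrapper is flags=(unconfined), child is enforced
    # and only has the abstractions/base rule (as described in the comment).
    wrap = Profile("/home/ubuntu/apparmor_signal_test_wrap.sh", frozenset({"unconfined"}), ())
    base_rule = parse_signal_rule("signal (receive) peer=unconfined,")
    proposed = parse_signal_rule("signal (receive),")
    child_old = Profile("/home/ubuntu/apparmor_signal_test.sh", frozenset(), (base_rule,))
    child_new = Profile("/home/ubuntu/apparmor_signal_test.sh", frozenset(), (proposed,))
    print("base rule, wrapper sender:   ", signal_allowed(wrap, child_old, "kill"))
    print("base rule, unconfined sender:", signal_allowed(None, child_old, "kill"))
    print("proposed rule, wrapper sender:", signal_allowed(wrap, child_new, "kill"))
```

The run prints a denial for the first case with the same profile and peer the reporter's dmesg line shows, and "allowed" for the other two, which is the distinction between "peer=unconfined" and "any peer" that the merge request discussion is about.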

[Touch-packages] [Bug 2077158] Re: /etc/apparmor.d/usr.bin.pasta is missing in Ubuntu's apparmor package

2024-08-16 Thread Georgia Garcia
Since the profile is not shipped by the apparmor package, I'm marking it
as invalid and adding the correct package, passt.

** Also affects: passt (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: apparmor (Ubuntu)
   Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2077158

Title:
  /etc/apparmor.d/usr.bin.pasta is missing in Ubuntu's apparmor package

Status in apparmor package in Ubuntu:
  Invalid
Status in passt package in Ubuntu:
  New

Bug description:
  Ubuntu's apparmor package contains `/etc/apparmor.d/usr.bin.passt`,
  but accidentally lacks `/etc/apparmor.d/usr.bin.pasta` which is needed
  for `/usr/bin/pasta` (included in `passt` package).

  Ubuntu has to cherry-pick
  
.

  
  ref: Comment from Stefano Brivio (sbrivio-rh)


  > ### About the AppArmor issue
  > 
  > I finally had the chance to check this on Ubuntu 23.10, 24.04, a current 
snapshot of the upcoming 24.10, a current openSUSE Tumbleweed version, and a 
current Debian unstable (sid) installation.
  > 
  > The issue occurs on Ubuntu 23.10 (`passt-0.0~git20230627.289301b-1`) and 
24.04 (`passt-0.0~git20240220.1e6f92b-1`) only (not on 24.10, not on openSUSE, 
not on Debian) because, together with the change outlined in [Ubuntu's SE045 
specification](https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626)
 and AppArmor's 
[wiki](https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction),
 a Debian package 
[commit](https://salsa.debian.org/sbrivio/passt/-/commit/4a77ef55c34c579d4845aa2dfd003abf2195ea9b)
 is also missing from those versions.
  > 
  > That commit actually includes the AppArmor profile for `pasta(1)` in the 
package. The AppArmor ABI of the profile is `3.0`, so it doesn't contain an 
explicit `allow userns create`, but the mere fact that there's a profile with 
ABI 3.0 allows pasta to create its sandboxing user namespace.
  > 
  > Quoting from Ubuntu's SE045 specification, one step for that change should 
have been:
  > 
  > > identify all packages within the Ubuntu archive that make use of 
unprivileged user namespaces
  > 
  > but this was somehow missed, I guess (I'm the maintainer of the Debian 
package, but I didn't get any notification).
  > 
  > Now, while Ubuntu 24.10 and openSUSE Tumbleweed ship AppArmor packages with 
support for the `4.0` ABI, Debian unstable still ships 3.1.17, so, to keep 
things simple and still ship a single AppArmor profile (developed upstream), I 
won't update the profile to ABI 4.0 yet. Updating the profile wouldn't solve 
the issue anyway.
  > 
  > So, how do we solve this? We would need to backport that Debian commit to 
Ubuntu 24.04 (and possibly 23.10), but I can't seem to register a Launchpad 
account to even start the 
[process](https://wiki.ubuntu.com/UbuntuBackports#Procedure) (wrong email 
address? :smile: ). If somebody could do that, or at least **file an Ubuntu 
issue**, that would be great. Thanks.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2077158/+subscriptions



[Touch-packages] [Bug 2058866] Re: proposed-migration for cups-browsed 2.0.0-0ubuntu8

2024-03-26 Thread Georgia Garcia
The fix is similar for privoxy. I attached the debdiff that fixes it.

** Patch added: "privoxy_3.0.34-3ubuntu2.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/cups-browsed/+bug/2058866/+attachment/5759689/+files/privoxy_3.0.34-3ubuntu2.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2058866

Title:
  proposed-migration for cups-browsed 2.0.0-0ubuntu8

Status in apparmor package in Ubuntu:
  Invalid
Status in cups-browsed package in Ubuntu:
  Fix Released
Status in privoxy package in Ubuntu:
  In Progress

Bug description:
  cups-browsed 2.0.0-0ubuntu8 on armhf segfaults on startup (detected
  via an autopkgtest), early enough that LD_DEBUG=all gives no output.
  A local no-change rebuild of 2.0.0-0ubuntu7 succeeded and the
  executable ran, so 8 was uploaded to try to fix this.  But the
  executable somehow ONLY runs as ./debian/cups-browsed/usr/sbin/cups-
  browsed and segfaults when invoked as /usr/sbin/cups-browsed.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2058866/+subscriptions



[Touch-packages] [Bug 2058866] Re: proposed-migration for cups-browsed 2.0.0-0ubuntu8

2024-03-26 Thread Georgia Garcia
Ah, sorry, Łukasz. I didn't see you were working on it.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2058866

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2058866/+subscriptions



[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-15 Thread Georgia Garcia
Erich Eickmeyer, I don't have a Tuxedo Computer to test, so could you
please check if the following profile works for you?

$ echo "# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"

abi ,
include 

profile tuxedo-control-center /opt/tuxedo-control-center/tuxedo-control-center 
flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists 
}" | sudo tee /etc/apparmor.d/tuxedo-control-center

$ sudo apparmor_parser /etc/apparmor.d/tuxedo-control-center

and restart tuxedo-control-center.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

Status in AppArmor:
  New
Status in akonadiconsole package in Ubuntu:
  Fix Released
Status in akregator package in Ubuntu:
  Fix Released
Status in angelfish package in Ubuntu:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released
Status in bubblewrap package in Ubuntu:
  Confirmed
Status in cantor package in Ubuntu:
  Fix Released
Status in devhelp package in Ubuntu:
  Fix Released
Status in digikam package in Ubuntu:
  Fix Released
Status in epiphany-browser package in Ubuntu:
  Fix Released
Status in evolution package in Ubuntu:
  Fix Released
Status in falkon package in Ubuntu:
  Fix Released
Status in firefox package in Ubuntu:
  Confirmed
Status in freecad package in Ubuntu:
  Confirmed
Status in geary package in Ubuntu:
  Confirmed
Status in ghostwriter package in Ubuntu:
  Fix Released
Status in gnome-packagekit package in Ubuntu:
  Confirmed
Status in goldendict-webengine package in Ubuntu:
  Confirmed
Status in kalgebra package in Ubuntu:
  Fix Released
Status in kchmviewer package in Ubuntu:
  Confirmed
Status in kdeplasma-addons package in Ubuntu:
  Fix Released
Status in kgeotag package in Ubuntu:
  Fix Released
Status in kiwix package in Ubuntu:
  Confirmed
Status in kmail package in Ubuntu:
  Fix Released
Status in konqueror package in Ubuntu:
  Fix Released
Status in kontact package in Ubuntu:
  Fix Released
Status in loupe package in Ubuntu:
  Confirmed
Status in marble package in Ubuntu:
  Fix Released
Status in notepadqq package in Ubuntu:
  Confirmed
Status in opam package in Ubuntu:
  Fix Released
Status in pageedit package in Ubuntu:
  Confirmed
Status in plasma-desktop package in Ubuntu:
  Fix Released
Status in plasma-welcome package in Ubuntu:
  Fix Released
Status in privacybrowser package in Ubuntu:
  Confirmed
Status in qmapshack package in Ubuntu:
  Confirmed
Status in qutebrowser package in Ubuntu:
  Confirmed
Status in rssguard package in Ubuntu:
  Confirmed
Status in steam package in Ubuntu:
  Fix Released
Status in supercollider package in Ubuntu:
  Confirmed
Status in tellico package in Ubuntu:
  Fix Released

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions



[Touch-packages] [Bug 2033282] Re: package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: yeni apparmor paketi pre-installation betiği alt süreci 1 hatalı çıkış kodu ile sona erdi

2024-03-08 Thread Georgia Garcia
*** This bug is a duplicate of bug 2032851 ***
https://bugs.launchpad.net/bugs/2032851

** This bug has been marked a duplicate of bug 2032851
   package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: new apparmor 
package pre-installation script subprocess returned error exit status 1

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2033282

Title:
  package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: yeni
  apparmor paketi pre-installation betiği alt süreci 1 hatalı çıkış kodu
  ile sona erdi

Status in apparmor package in Ubuntu:
  New

Bug description:
  EXPERIENCING A PROBLEM

  ProblemType: Package
  DistroRelease: Ubuntu 20.04
  Package: apparmor 2.12-4ubuntu5.3
  ProcVersionSignature: Ubuntu 5.4.0-150.167~18.04.1-generic 5.4.233
  Uname: Linux 5.4.0-150-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.29
  Architecture: amd64
  Date: Mon Aug 28 15:09:33 2023
  ErrorMessage: yeni apparmor paketi pre-installation betiği alt süreci 1 
hatalı çıkış kodu ile sona erdi
  InstallationDate: Installed on 2023-08-28 (0 days ago)
  InstallationMedia: Ubuntu 18.04.6 LTS "Bionic Beaver" - Release amd64 
(20210915)
  ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-5.4.0-150-generic 
root=UUID=cf42fc8c-3bc3-4454-8d4e-02385791533a ro quiet splash vt.handoff=7
  Python3Details: /usr/bin/python3.8, Python 3.8.10, python3-minimal, 
3.8.2-0ubuntu2
  PythonDetails: N/A
  RelatedPackageVersions:
   dpkg 1.19.7ubuntu3.2
   apt  2.0.9
  SourcePackage: apparmor
  Title: package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: yeni 
apparmor paketi pre-installation betiği alt süreci 1 hatalı çıkış kodu ile sona 
erdi
  UpgradeStatus: Upgraded to focal on 2023-08-28 (0 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2033282/+subscriptions



[Touch-packages] [Bug 2038443] Re: mantic:linux: ubuntu_qrt_apparmor: ApparmorTestsuites.test_regression_testsuiteattach_disconnected.

2024-03-08 Thread Georgia Garcia
*** This bug is a duplicate of bug 2051932 ***
https://bugs.launchpad.net/bugs/2051932

** This bug has been marked a duplicate of bug 2051932
   attach_disconnected test from test_regression_testsuite of 
ubuntu_qrt_apparmor failed with "Unable to run test sub-executable" on Mantic

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2038443

Title:
  mantic:linux: ubuntu_qrt_apparmor:
  ApparmorTestsuites.test_regression_testsuiteattach_disconnected.

Status in apparmor package in Ubuntu:
  New
Status in linux package in Ubuntu:
  Confirmed
Status in apparmor source package in Mantic:
  New
Status in linux source package in Mantic:
  Confirmed

Bug description:
  This might be apparmor, the test case, kernel or anything in between:

  7720s   running attach_disconnected
  7720s   Fatal Error (unix_fd_server): Unable to run test sub-executable

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2038443/+subscriptions




[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-02-16 Thread Georgia Garcia
** Changed in: devhelp (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: devhelp (Ubuntu)
 Assignee: (unassigned) => Georgia Garcia (georgiag)

** Changed in: epiphany-browser (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: epiphany-browser (Ubuntu)
 Assignee: (unassigned) => Georgia Garcia (georgiag)

** Changed in: evolution (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: evolution (Ubuntu)
 Assignee: (unassigned) => Georgia Garcia (georgiag)

** Changed in: opam (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: opam (Ubuntu)
 Assignee: (unassigned) => Georgia Garcia (georgiag)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

Status in akonadiconsole package in Ubuntu:
  In Progress
Status in akregator package in Ubuntu:
  Fix Released
Status in angelfish package in Ubuntu:
  In Progress
Status in apparmor package in Ubuntu:
  Fix Released
Status in bubblewrap package in Ubuntu:
  Confirmed
Status in cantor package in Ubuntu:
  Fix Released
Status in devhelp package in Ubuntu:
  Fix Released
Status in digikam package in Ubuntu:
  Fix Released
Status in epiphany-browser package in Ubuntu:
  Fix Released
Status in evolution package in Ubuntu:
  Fix Released
Status in falkon package in Ubuntu:
  Fix Released
Status in freecad package in Ubuntu:
  Confirmed
Status in ghostwriter package in Ubuntu:
  Fix Committed
Status in gnome-packagekit package in Ubuntu:
  Confirmed
Status in goldendict-webengine package in Ubuntu:
  Confirmed
Status in kalgebra package in Ubuntu:
  Fix Released
Status in kchmviewer package in Ubuntu:
  Confirmed
Status in kdeplasma-addons package in Ubuntu:
  Confirmed
Status in kgeotag package in Ubuntu:
  In Progress
Status in kiwix package in Ubuntu:
  Confirmed
Status in kmail package in Ubuntu:
  Fix Released
Status in konqueror package in Ubuntu:
  Fix Released
Status in kontact package in Ubuntu:
  Fix Released
Status in marble package in Ubuntu:
  Fix Released
Status in notepadqq package in Ubuntu:
  Confirmed
Status in opam package in Ubuntu:
  Fix Released
Status in pageedit package in Ubuntu:
  Confirmed
Status in plasma-desktop package in Ubuntu:
  Confirmed
Status in plasma-welcome package in Ubuntu:
  In Progress
Status in privacybrowser package in Ubuntu:
  Confirmed
Status in qmapshack package in Ubuntu:
  Confirmed
Status in qutebrowser package in Ubuntu:
  Confirmed
Status in rssguard package in Ubuntu:
  Confirmed
Status in steam package in Ubuntu:
  Fix Committed
Status in supercollider package in Ubuntu:
  Confirmed
Status in tellico package in Ubuntu:
  Fix Released

Bug description:
  Hi, I run Ubuntu development branch 24.04 and I have a problem with
  Epiphany browser 45.1-1 (Gnome Web): program doesn't launch, and I get
  this error

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:12085): ERROR **: 14:44:35.023: Failed to fully launch 
dbus-proxy: Child process exited with code 1
  Trace/breakpoint trap (core dumped)

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:30878): ERROR **: 22:22:26.926: Failed to fully launch 
dbus-proxy: Child process exited with code 1
  Trace/breakpoint trap (core dumped)

  Thanks for your help!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/akonadiconsole/+bug/2046844/+subscriptions




[Touch-packages] [Bug 2052489] Re: Mate Daily Graphic Layer does not come up - apparmor denied snap desktop integration

2024-02-06 Thread Georgia Garcia
** Also affects: apparmor
   Importance: Undecided
   Status: New

** No longer affects: apparmor

** Also affects: lightdm (Ubuntu)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2052489

Title:
  Mate Daily Graphic Layer does not come up - apparmor denied snap
  desktop integration

Status in apparmor package in Ubuntu:
  Confirmed
Status in lightdm package in Ubuntu:
  New

Bug description:
  Noble Mate Daily 20230205 ISO

  Boots up past Splash to black screen. Last errors in logs are about
  apparmor denied on snap desktop integration...

  So the graphics layer is being denied because of an apparmor error.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2052489/+subscriptions




[Touch-packages] [Bug 2051506] Re: apparmor blocks libnss-resolve socket

2024-02-06 Thread Georgia Garcia
Hi Gunnar,
could you share which AppArmor version you are running? and which kernel 
version?

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2051506

Title:
  apparmor blocks libnss-resolve socket

Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  Usage of `libnss-resolve` socket is blocked by apparmor.

  Evidence:
  - Install `libnss-resolve`
  - Set /etc/nsswitch.conf to have `hosts: files resolve`
  - Try resolving anything, it fails

  `strace` of affected process reveals:
  `connect(5, {sa_family=AF_UNIX, 
sun_path="/run/systemd/resolve/io.systemd.Resolve"}, 42) = -1 EACCES 
(Permission denied)`

  Run `aa-disable` on affected profile and `strace` it again, it works:
  `connect(5, {sa_family=AF_UNIX, 
sun_path="/run/systemd/resolve/io.systemd.Resolve"}, 42) = 0`

  Note that using `aa-complain` DOES NOT work.

  p.s. has this ever worked?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2051506/+subscriptions




[Touch-packages] [Bug 2052297] Re: Please add opt.keybase.keybase profile

2024-02-05 Thread Georgia Garcia
** Changed in: apparmor (Ubuntu)
   Status: New => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2052297

Title:
  Please add opt.keybase.keybase profile

Status in apparmor package in Ubuntu:
  Fix Committed

Bug description:
  Like the other Chrome binaries, Keybase also needs a profile:

  abi ,

  /opt/keybase/Keybase flags=(unconfined) {
  allow userns create,
  }

  
  Keybase is heavily used for security and boot engineering for cross-vendor 
communication and broken without it

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2052297/+subscriptions




[Touch-packages] [Bug 2018439] Re: Apparmor crashes GPU acceleration

2024-02-01 Thread Georgia Garcia
Hi Daniel!
Thanks for testing and making sure. As you were able to figure out, the 
AppArmor parser accepts both include and #include, although we are deprecating 
the latter. 

Since the AppArmor policy is distributed by the Mozilla Team's firefox,
they need to add this permission to their AppArmor profile in the
package.

** Changed in: apparmor (Ubuntu)
   Status: Confirmed => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2018439

Title:
  Apparmor crashes GPU acceleration

Status in apparmor package in Ubuntu:
  Invalid
Status in firefox package in Ubuntu:
  Confirmed

Bug description:
  Apparmor crashes GPU acceleration

  Firefox GPU acceleration started crashing after updating from Ubuntu
  22.10 to 23.04.

  $ lsb_release -rd
  No LSB modules are available.
  Description:Ubuntu 23.04
  Release:23.04

  $ apt-cache policy firefox
  firefox:
Installed: 113.0+build1-0ubuntu0.23.04.1~mt1
Candidate: 113.0+build1-0ubuntu0.23.04.1~mt1
Version table:
   1:1snap1-0ubuntu3 500
  500 https://gpl.savoirfairelinux.net/pub/mirrors/ubuntu lunar/main 
amd64 Packages
   *** 113.0+build1-0ubuntu0.23.04.1~mt1 999
  500 https://ppa.launchpadcontent.net/mozillateam/ppa/ubuntu 
lunar/main amd64 Packages
  100 /var/lib/dpkg/status

  $ apt-cache policy libglx-mesa0 
  libglx-mesa0:
Installed: 23.0.3~kisak1~k
Candidate: 23.0.3~kisak1~k
Version table:
   *** 23.0.3~kisak1~k 500
  500 https://ppa.launchpadcontent.net/kisak/kisak-mesa/ubuntu 
kinetic/main amd64 Packages
  100 /var/lib/dpkg/status
   23.0.2-1ubuntu1 500
  500 https://gpl.savoirfairelinux.net/pub/mirrors/ubuntu lunar/main 
amd64 Packages

  $ apt-cache policy apparmor
  apparmor:
Installed: 3.0.8-1ubuntu2
Candidate: 3.0.8-1ubuntu2
Version table:
   *** 3.0.8-1ubuntu2 500
  500 https://gpl.savoirfairelinux.net/pub/mirrors/ubuntu lunar/main 
amd64 Packages
  100 /var/lib/dpkg/status

  # Expected behavior

  Firefox should not crash in WebGL aquarium and continue to work
  properly like on 22.10. It should successfully use my GPU to make
  scrolling smooths and save battery when watching videos.

  # Actual behavior

  1. Startup takes a second or two longer than usual
  2. Typing in the address bar is slow
  3. Scrolling takes 400% CPU usage
  4. Scrolling stutters
  5. VAAPI on https://www.w3schools.com/html/html5_video.asp is no longer used 
as shown in intel_gpu_top
  6. Fans start spinning and battery goes down fast
  7. glxtest failures had to be manually deleted in about:config
  8. Only a few fish in WebGL aquarium 
(https://webglsamples.org/aquarium/aquarium.html) load before Firefox 
force-closes with the message: "Mozilla Crash Reporter Firefox had a problem 
and crashed. Unfortunately, the crash reporter is unable to submit a crash 
report. Details: The application did not leave a crash dump file. Close"
  9. The following lines are relevant in dmesg after clearing it:

  [22157.695580] kauditd_printk_skb: 6 callbacks suppressed
  [22157.695582] audit: type=1400 audit(1683153440.994:2583): apparmor="DENIED" 
operation="capable" class="cap" profile="firefox" pid=15898 comm="firefox" 
capability=21  capname="sys_admin"
  [22157.739641] audit: type=1400 audit(1683153441.038:2584): apparmor="DENIED" 
operation="open" class="file" profile="firefox" 
name="/sys/devices/pci:00/:00:02.0/revision" pid=15901 comm="firefox" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  [22157.739647] audit: type=1400 audit(1683153441.038:2585): apparmor="DENIED" 
operation="open" class="file" profile="firefox" 
name="/sys/devices/pci:00/:00:02.0/config" pid=15901 comm="firefox" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  [22157.739719] audit: type=1400 audit(1683153441.038:2586): apparmor="DENIED" 
operation="open" class="file" profile="firefox" 
name="/sys/devices/pci:00/:00:02.0/revision" pid=15901 comm="firefox" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  [22157.739729] audit: type=1400 audit(1683153441.038:2587): apparmor="DENIED" 
operation="open" class="file" profile="firefox" 
name="/sys/devices/pci:00/:00:02.0/config" pid=15901 comm="firefox" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  [22157.769407] audit: type=1400 audit(1683153441.070:2588): apparmor="DENIED" 
operation="open" class="file" profile="firefox" 
name="/proc/15898/oom_score_adj" pid=15898 comm="firefox" requested_mask="w" 
denied_mask="w" fsuid=1000 ouid=1000
  [22157.773042] audit: type=1400 audit(1683153441.074:2589): apparmor="DENIED" 
operation="file_mmap" class="file" profile="firefox//lsb_release" 
name="/usr/bin/dash" pid=15934 comm="lsb_release" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=0
  [22157.974718] audit: type=1400 audit(1683153441.274:2590): apparm
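The dmesg excerpt above is the raw material for deciding what a profile is missing. As an added example (not code from the bug report, from Mozilla or from the apparmor package), the script below parses AppArmor audit records of that shape, groups the DENIED events per profile and prints a candidate rule for each, in the form one would put into a local override such as /etc/apparmor.d/local/firefox (that only takes effect if the shipped profile has an `include if exists <local/firefox>` line, which is an assumption here). The sample log lines are constructed to mirror the quoted ones, with a full sysfs PCI path; the function names are mine. Capability suggestions are flagged on purpose: a `capability sys_admin,` line asked for by a log is not something to add to a browser profile without understanding why it is requested.

```python
"""Added example (not code from the bug report or from AppArmor): parse
AppArmor audit records like the ones quoted above, group the denials per
profile and turn each into a candidate policy line. The log lines below are
constructed to mirror the quoted ones; the helper names are mine."""
import re
from collections import defaultdict

# Audit records are key=value pairs; values are either double-quoted or bare.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_record(line):
    """Return the fields of one AppArmor audit record as a dict, or None for
    lines that are not AppArmor records (e.g. kauditd rate-limit notes)."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for m in _KV.finditer(line):
        key, quoted, bare = m.group(1), m.group(3), m.group(4)
        fields[key] = quoted if quoted is not None else bare
    return fields


def suggest_rule(rec):
    """Candidate rule for one denial. Only the classes that occur in the
    quoted log are handled (capabilities and file access); others give None."""
    op, cls = rec.get("operation"), rec.get("class")
    if cls == "cap" or op == "capable":
        # A capability rule is as broad as it gets; sys_admin in particular
        # should never be granted just because a log line asked for it.
        return f"capability {rec.get('capname', '?')},"
    if cls == "file" and "name" in rec:
        # /proc/<own pid>/... is written with the kernel variable @{pid}
        path = re.sub(r"^/proc/\d+/", "/proc/@{pid}/", rec["name"])
        mask = rec.get("denied_mask") or rec.get("requested_mask") or "r"
        # fsuid == ouid means the process touched its own file: use `owner`
        owner = "owner " if rec.get("fsuid") == rec.get("ouid") else ""
        return f"{owner}{path} {mask},"
    return None


def summarize(lines):
    """profile -> {rule: number of denials} for every DENIED record."""
    out = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_record(line)
        if not rec or rec.get("apparmor") != "DENIED":
            continue
        rule = suggest_rule(rec)
        if rule:
            out[rec["profile"]][rule] += 1
    return out


def render(summary):
    """Rules as text for a local override file, one section per profile."""
    lines = []
    for profile in sorted(summary):
        lines.append(f"# candidate rules for profile {profile}")
        for rule, n in sorted(summary[profile].items()):
            note = "; broad grant, review first" if rule.startswith("capability ") else ""
            lines.append(f"  {rule}  # {n} denial(s){note}")
    return "\n".join(lines)


# Constructed sample in the shape of the dmesg excerpt from the report.
SAMPLE_LOG = """\
[22157.695582] audit: type=1400 audit(1683153440.994:2583): apparmor="DENIED" operation="capable" class="cap" profile="firefox" pid=15898 comm="firefox" capability=21  capname="sys_admin"
[22157.739641] audit: type=1400 audit(1683153441.038:2584): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=15901 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[22157.739719] audit: type=1400 audit(1683153441.038:2586): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=15901 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[22157.769407] audit: type=1400 audit(1683153441.070:2588): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/proc/15898/oom_score_adj" pid=15898 comm="firefox" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
[22157.773042] audit: type=1400 audit(1683153441.074:2589): apparmor="DENIED" operation="file_mmap" class="file" profile="firefox//lsb_release" name="/usr/bin/dash" pid=15934 comm="lsb_release" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[22157.695580] kauditd_printk_skb: 6 callbacks suppressed
"""

if __name__ == "__main__":
    print(render(summarize(SAMPLE_LOG.splitlines())))
```

On a live system feed it `journalctl -k` or `dmesg` output instead of the sample; the child profile `firefox//lsb_release` shows up as its own section, which is the right granularity since rules for a child profile do not belong in the parent.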

[Touch-packages] [Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

2024-01-02 Thread Georgia Garcia
Hi Gerard

Brave does not work currently because we only added support to Chromium, 
Firefox and Opera as you can see in the current snap_browsers abstraction [1]. 
I'm adding Brave support as well [2].
While that change is not applied to the apparmor package, as a workaround, you 
could apply the same changes from [2] in 
/etc/apparmor.d/abstractions/snap_browsers and reload the evince profile
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.evince


In regards to #include, it is not commented out. The apparmor policy allows the 
"include" keyword to be preceded by # or not. That said, #include is now being 
deprecated due to this exact confusion and we recommend using it without #.


[1] 
https://gitlab.com/apparmor/apparmor/-/blob/31c9cf6845cb78cca59a753d7c5b27312d579be8/profiles/apparmor.d/abstractions/snap_browsers
[2] https://gitlab.com/apparmor/apparmor/-/merge_requests/1137

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1794064

Title:
  Clicking a hyperlink in a PDF fails to open it if the default browser
  is a snap

Status in apparmor package in Ubuntu:
  Fix Released
Status in evince package in Ubuntu:
  Fix Released
Status in apparmor source package in Jammy:
  Fix Released
Status in evince source package in Jammy:
  Fix Released
Status in apparmor source package in Lunar:
  Fix Released
Status in evince source package in Lunar:
  Fix Released
Status in apparmor package in Debian:
  Fix Released
Status in evince package in Debian:
  Confirmed

Bug description:
  [Impact]

   * Users cannot open a hyperlink in a PDF opened with evince when the default 
browser is a snap.
   * The fix creates a snap_browsers abstraction on AppArmor which can be used 
in a transition for when the browser is executed. The snap_browsers abstraction 
provides the minimal amount of permissions required to execute a browser 
provided through snaps. This is a workaround since AppArmor currently does not 
provide mediation/filtering on enhanced environment variables.

  [Test Plan]

   * Make sure the default browser is provided through the snap store.
   * Open a PDF that contains a hyperlink using evince and click on the URL.
   * The browser should open the requested URL. 

  [Where problems could occur]

   * If the browser or snap core update to have new requirements for
  opening a browser, then the current policy could become obsolete and
  will need to be updated again.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions




[Touch-packages] [Bug 2046477] [NEW] Enable unprivileged user namespace restrictions by default

2023-12-14 Thread Georgia Garcia
Public bug reported:

As per https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-
restrictions-via-apparmor-in-ubuntu-23-10/37626, unprivileged user
namespace restrictions for Ubuntu 23.10 are to be enabled by default via
a sysctl.d conf file in apparmor, and for that to happen, the
restrictions need to be enabled for 24.04

When the unprivileged user namespace restrictions are enabled, various
applications within and outside the Ubuntu archive fail to function, as
they use unprivileged user namespaces as part of their normal operation.

A search of the Ubuntu archive for the 23.10 release was performed
looking for all applications that make legitimate use of the
CLONE_NEWUSER argument, the details of which can be seen in
https://docs.google.com/spreadsheets/d/1MOPVoTW0BROF1TxYqoWeJ3c6w2xKElI4w-VjdCG0m9s/edit#gid=2102562502

For each package identified in that list, an investigation was made to
determine if the application actually used this as an unprivileged user,
and if so which of the binaries within the package were affected.

The full investigation can be seen in
https://warthogs.atlassian.net/browse/SEC-1898 (which is unfortunately
private) but is summarised to the following list of Ubuntu source
packages, as well as some out-of-archive applications that are known to
use unprivileged user namespaces.

For each of these binaries, an apparmor profile is required so that the
binary can be granted use of unprivileged user namespaces - an example
profile for the ch-run binary within the charliecloud package is shown:

$ cat /etc/apparmor.d/ch-run
abi ,

include 

profile ch-run /usr/bin/ch-run flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists 
}

However, in a few select cases, it has been decided not to ship an apparmor 
profile, since this would effectively allow this mitigation to be bypassed. In 
particular, the unshare and setns binaries within the util-linux package are 
installed on every Ubuntu system, and allow an unprivileged user the ability to 
launch an arbitrary application within a new user namespace. Any malicious 
application then that wished to exploit an unprivileged user namespace to 
conduct an attack on the kernel would simply need to spawn itself via `unshare 
-U` or similar to be granted this permission. Therefore, due to the ubiquitous 
nature of the unshare (and setns) binaries, profiles are not planned to be 
provided for these by default. 
Similarly, the bwrap binary within bubblewrap is also installed by default on 
Ubuntu Desktop 24.04 and can also be used to launch arbitrary binaries within a 
new user namespace and so no profile is planned to be provided for this either.

In Bug 2035315 new apparmor profiles were added to the apparmor package
for various applications which require unprivileged user namespaces,
using a new unconfined profile mode. They were also added in the
AppArmor upstream project.

As well as enabling the sysctl via the sysctl.d conf file, it is
proposed to add logic into the apparmor.service systemd unit to check
that the kernel supports the unconfined profile mode and that it is
enabled - and if not then to force disable the userns restrictions
sysctl via the following logic:

userns_restricted=$(sysctl -n kernel.apparmor_restrict_unprivileged_userns)
unconfined_userns=$([ -f 
/sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns ] 
&& cat 
/sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns || 
echo 0)
if [ -n "$userns_restricted" ] && [ "$userns_restricted" -eq 1 ]; then
  if [ "$unconfined_userns" -eq 0 ]; then
# userns restrictions rely on unconfined userns to be supported
echo "disabling unprivileged userns restrictions since unconfined userns is 
not supported / enabled"
sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
  fi
fi

This allows a local admin to disable the sysctl via the regular sysctl.d
conf approach, but to also make sure we don't inadvertently enable it
when it is not supported by the kernel.

** Affects: apparmor (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2046477

Title:
  Enable unprivileged user namespace restrictions by default

Status in apparmor package in Ubuntu:
  New

Bug description:
  As per https://discourse.ubuntu.com/t/spec-unprivileged-user-
  namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626,
  unprivileged user namespace restrictions for Ubuntu 23.10 are to be
  enabled by default via a sysctl.d conf file in apparmor, and for that
  to happen, the restrictions need to be enabled for 24.04

  When the unprivileged user namespace restrictions are enabled, various
  applications within and outside the Ubuntu archive fail to function,
  as they use unprivileged user namespac
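The service logic above, the bwrap failure in bug 2046844 and the Keybase profile request all revolve around the same three facts: whether kernel.apparmor_restrict_unprivileged_userns is set, whether the kernel supports the unconfined userns restriction, and which profiles hand out `userns`. The following is an added example, not code from this report or from the apparmor package, that checks all three from an unprivileged shell and probes the `unshare -U` path the report names as the reason not to ship a profile for util-linux. The sysctl and securityfs paths are the ones quoted above; the function names and the profile-scanning regex are mine.

```python
"""Added example, not code from the bug report or from the apparmor
package: audit the unprivileged user namespace restriction described
above. The sysctl and securityfs paths are the ones the report names;
the function names are mine."""
import os
import re
import subprocess

SYSCTL_PATH = "/proc/sys/kernel/apparmor_restrict_unprivileged_userns"
FEATURE_PATH = ("/sys/kernel/security/apparmor/features/policy/"
                "unconfined_restrictions/userns")

# A profile grants user namespace creation with `userns,` (the ch-run
# example) or the explicit `allow userns create,` form (the Keybase request).
_USERNS_RULE = re.compile(r"^\s*(allow\s+)?userns(\s+create)?\s*,", re.M)


def read_flag(path):
    """Integer content of a one-line kernel file, or 0 when the file is
    absent or empty, mirroring the `|| echo 0` fallback in the unit logic."""
    try:
        with open(path) as fh:
            return int(fh.read().strip() or 0)
    except (OSError, ValueError):
        return 0


def userns_policy(restricted, supported):
    """Decision table of the proposed apparmor.service check:
    off      - the sysctl is not enabled, nothing to do
    disable  - sysctl on but the kernel lacks unconfined userns support,
               so the restriction must be switched off again
    enforced - sysctl on and supported: unprivileged userns is mediated"""
    if restricted != 1:
        return "off"
    if supported == 0:
        return "disable"
    return "enforced"


def profile_grants_userns(text):
    """True if a profile's text contains a userns grant (comment lines
    starting with # do not match)."""
    return _USERNS_RULE.search(text) is not None


def list_userns_profiles(profile_dir="/etc/apparmor.d"):
    """Sorted paths of profile files under profile_dir that grant userns."""
    hits = []
    try:
        names = sorted(os.listdir(profile_dir))
    except OSError:
        return hits
    for name in names:
        path = os.path.join(profile_dir, name)
        if os.path.isfile(path):
            try:
                with open(path, errors="replace") as fh:
                    if profile_grants_userns(fh.read()):
                        hits.append(path)
            except OSError:
                pass
    return hits


def can_create_userns():
    """True if this process may create a user namespace. Run as the
    unprivileged user in question: this is exactly the `unshare -U`
    bypass the report gives as the reason not to ship a profile for it."""
    try:
        proc = subprocess.run(["unshare", "-U", "true"],
                              stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL)
        return proc.returncode == 0
    except OSError:
        return False  # unshare(1) not installed


if __name__ == "__main__":
    restricted, supported = read_flag(SYSCTL_PATH), read_flag(FEATURE_PATH)
    print(f"kernel.apparmor_restrict_unprivileged_userns={restricted} "
          f"unconfined_userns_supported={supported} "
          f"-> {userns_policy(restricted, supported)}")
    print("unshare -U from this process:",
          "allowed" if can_create_userns() else "denied")
    for path in list_userns_profiles():
        print("grants userns:", path)
```

Run it as a normal user, not root: the restriction only applies to unprivileged namespace creation, so a root shell will report "allowed" regardless of the sysctl. If the first line says "enforced" and the second says "allowed", the shell's own profile (or an ancestor's) is granting userns, and the list that follows is where to look.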

[Touch-packages] [Bug 2044604] Re: package apparmor 2.12-4ubuntu5.3+esm1 installed the 20.04 release, with words, "mer/upgrade: new apparmor package pre-installation script subprocess returned error e

2023-11-29 Thread Georgia Garcia
*** This bug is a duplicate of bug 2032851 ***
https://bugs.launchpad.net/bugs/2032851

Hi Herb!

The fix is already on the way and should be available to you soon. Meanwhile, 
as a workaround, you can remove the /etc/apparmor.d/cache/e10c1cf9.0 directory 
with
rm -r /etc/apparmor.d/cache/e10c1cf9.0
and try the upgrade again.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2044604

Title:
  package apparmor 2.12-4ubuntu5.3+esm1 installed the 20.04 release,
  with words, "mer/upgrade: new apparmor package pre-installation script
  subprocess returned error exit status 1

Status in apparmor package in Ubuntu:
  New

Bug description:
  rors occurred" did manual reboot. But system just logged out and back in 
quickly. I pressed start button to reboot, and the system took a half hour to 
connect until I right clicked the start-page. Then the log-in page appeared and 
the system came up.
  h94b@h94b-HP-EliteBook-8460p:~$ dpkg -1 | grep linux-image
  dpkg: error: unknown option -1

  Type dpkg --help for help about installing and deinstalling packages [*];
  Use 'apt' or 'aptitude' for user-friendly package management;
  Type dpkg -Dhelp for a list of dpkg debug flag values;
  Type dpkg --force-help for a list of forcing options;
  Type dpkg-deb --help for help about manipulating *.deb files;

  Options marked [*] produce a lot of output - pipe it through 'less' or 'more' 
!
  h94b@h94b-HP-EliteBook-8460p:~$ cat /etc/lsb-release
  DISTRIB_ID=Ubuntu
  DISTRIB_RELEASE=20.04
  DISTRIB_CODENAME=focal
  DISTRIB_DESCRIPTION="Ubuntu 20.04.6 LTS"
  h94b@h94b-HP-EliteBook-8460p:~$ 

  thank You

  ProblemType: Package
  DistroRelease: Ubuntu 20.04
  Package: apparmor 2.12-4ubuntu5.3+esm1
  ProcVersionSignature: Ubuntu 5.4.0-167.184~18.04.1-generic 5.4.252
  Uname: Linux 5.4.0-167-generic x86_64
  NonfreeKernelModules: wl
  ApportVersion: 2.20.9-0ubuntu7.29
  Architecture: amd64
  Date: Sat Nov 25 04:39:23 2023
  DuplicateSignature:
   package:apparmor:2.12-4ubuntu5.3+esm1
   Preparing to unpack .../09-apparmor_2.13.3-7ubuntu5.2_amd64.deb ...
   rm: cannot remove '/etc/apparmor.d/cache/e10c1cf9.0': Is a directory
   dpkg: error processing archive 
/tmp/apt-dpkg-install-x2AWLZ/09-apparmor_2.13.3-7ubuntu5.2_amd64.deb (--unpack):
new apparmor package pre-installation script subprocess returned error exit 
status 1
  ErrorMessage: new apparmor package pre-installation script subprocess 
returned error exit status 1
  InstallationDate: Installed on 2023-11-24 (0 days ago)
  InstallationMedia: Ubuntu 18.04.6 LTS "Bionic Beaver" - Release amd64 
(20210915)
  ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-5.4.0-167-generic 
root=UUID=4bc5fd69-6854-4ec0-b0bb-a914ce15ecce ro quiet splash vt.handoff=1
  Python3Details: /usr/bin/python3.8, Python 3.8.10, python3-minimal, 
3.8.2-0ubuntu2
  PythonDetails: N/A
  RelatedPackageVersions:
   dpkg 1.19.7ubuntu3.2
   apt  2.0.10
  SourcePackage: apparmor
  Title: package apparmor 2.12-4ubuntu5.3+esm1 failed to install/upgrade: new 
apparmor package pre-installation script subprocess returned error exit status 1
  UpgradeStatus: Upgraded to focal on 2023-11-25 (0 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2044604/+subscriptions




[Touch-packages] [Bug 2044604] Re: package apparmor 2.12-4ubuntu5.3+esm1 installed the 20.04 release, with words, "mer/upgrade: new apparmor package pre-installation script subprocess returned error e

2023-11-28 Thread Georgia Garcia
*** This bug is a duplicate of bug 2032851 ***
https://bugs.launchpad.net/bugs/2032851

** This bug has been marked a duplicate of bug 2032851
   package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: new apparmor 
package pre-installation script subprocess returned error exit status 1

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2044604



[Touch-packages] [Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

2023-11-21 Thread Georgia Garcia
The autopkgtests for apparmor failed for the evince update because the
test requires the apparmor update which is also in proposed
https://launchpad.net/ubuntu/+source/apparmor/3.0.4-2ubuntu2.3 but it is
not a regression.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1794064

Title:
  Clicking a hyperlink in a PDF fails to open it if the default browser
  is a snap

Status in apparmor package in Ubuntu:
  Fix Released
Status in evince package in Ubuntu:
  Fix Released
Status in apparmor source package in Jammy:
  Fix Committed
Status in evince source package in Jammy:
  Fix Committed
Status in apparmor source package in Lunar:
  Fix Released
Status in evince source package in Lunar:
  Fix Released
Status in apparmor package in Debian:
  Fix Released
Status in evince package in Debian:
  Confirmed

Bug description:
  [Impact]

   * Users cannot open a hyperlink in a PDF opened with evince when the default 
browser is a snap.
   * The fix creates a snap_browsers abstraction on AppArmor which can be used 
in a transition for when the browser is executed. The snap_browsers abstraction 
provides the minimal amount of permissions required to execute a browser 
provided through snaps. This is a workaround since AppArmor currently does not 
provide mediation/filtering on enhanced environment variables.

  [Test Plan]

   * Make sure the default browser is provided through the snap store.
   * Open a PDF that contains a hyperlink using evince and click on the URL.
   * The browser should open the requested URL. 

  [Where problems could occur]

   * If the browser or snap core update to have new requirements for
  opening a browser, then the current policy could become obsolete and
  will need to be updated again.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions




[Touch-packages] [Bug 2043869] Re: package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: new apparmor package pre-installation script subprocess returned error exit status 1

2023-11-20 Thread Georgia Garcia
*** This bug is a duplicate of bug 2032851 ***
https://bugs.launchpad.net/bugs/2032851

** This bug has been marked a duplicate of bug 2032851
   package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: new apparmor 
package pre-installation script subprocess returned error exit status 1

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2043869

Title:
  package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: new
  apparmor package pre-installation script subprocess returned error
  exit status 1

Status in apparmor package in Ubuntu:
  New

Bug description:
  don't know

  ProblemType: Package
  DistroRelease: Ubuntu 20.04
  Package: apparmor 2.12-4ubuntu5.3
  ProcVersionSignature: Ubuntu 4.15.0-219.230~16.04.1-generic 4.15.18
  Uname: Linux 4.15.0-219-generic x86_64
  ApportVersion: 2.20.11-0ubuntu27.27
  Architecture: amd64
  CasperMD5CheckResult: skip
  Date: Fri Nov 17 18:49:22 2023
  DuplicateSignature:
   package:apparmor:2.12-4ubuntu5.3
   Preparing to unpack .../06-apparmor_2.13.3-7ubuntu5.2_amd64.deb ...
   rm: cannot remove '/etc/apparmor.d/cache/bf9d6da9.0': Is a directory
   dpkg: error processing archive 
/tmp/apt-dpkg-install-MWiOD0/06-apparmor_2.13.3-7ubuntu5.2_amd64.deb (--unpack):
new apparmor package pre-installation script subprocess returned error exit 
status 1
  ErrorMessage: new apparmor package pre-installation script subprocess 
returned error exit status 1
  InstallationDate: Installed on 2017-09-05 (2265 days ago)
  InstallationMedia: Ubuntu 16.04.3 LTS "Xenial Xerus" - Release amd64 
(20170801)
  ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-4.15.0-219-generic 
root=UUID=e90319c7-172e-4d34-bd93-9a8d38a0672e ro quiet splash vt.handoff=1
  Python3Details: /usr/bin/python3.8, Python 3.8.10, python3-minimal, 
3.8.2-0ubuntu2
  PythonDetails: /usr/bin/python2.7, Python 2.7.18, python-is-python2, 2.7.17-4
  RelatedPackageVersions:
   dpkg 1.19.7ubuntu3.2
   apt  2.0.10
  SourcePackage: apparmor
  Title: package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: new 
apparmor package pre-installation script subprocess returned error exit status 1
  UpgradeStatus: Upgraded to focal on 2023-11-18 (0 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2043869/+subscriptions




[Touch-packages] [Bug 2032851] Re: package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: new apparmor package pre-installation script subprocess returned error exit status 1

2023-11-17 Thread Georgia Garcia
Verification from proposed was successful:

georgia@sec-bionic-amd64:~$ sudo bash -c "cat  deb http://archive.ubuntu.com/ubuntu/ focal-proposed restricted main 
> multiverse universe
> EOF"
georgia@sec-bionic-amd64:~$ sudo bash -c "cat  Package: *
> Pin: release a=focal-proposed
> Pin-Priority: 400
> EOF"
georgia@sec-bionic-amd64:~$ sudo apt update
...

georgia@sec-bionic-amd64:~$ sudo mkdir /etc/apparmor.d/cache/test
georgia@sec-bionic-amd64:~$ sudo apt-get install apparmor/focal-proposed
Reading package lists... Done
Building dependency tree   
Reading state information... Done
Selected version '2.13.3-7ubuntu5.3' (Ubuntu:20.04/focal-proposed [amd64]) for 
'apparmor'
The following packages were automatically installed and are no longer required:
  gir1.2-goa-1.0 gir1.2-snapd-1
Use 'sudo apt autoremove' to remove them.
Suggested packages:
  apparmor-profiles-extra apparmor-utils
The following packages will be upgraded:
  apparmor
1 upgraded, 0 newly installed, 0 to remove and 154 not upgraded.
Need to get 502 kB of archives.
After this operation, 125 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 apparmor amd64 
2.13.3-7ubuntu5.3 [502 kB]
Fetched 502 kB in 1s (375 kB/s)
Preconfiguring packages ...
(Reading database ... 183583 files and directories currently installed.)
Preparing to unpack .../apparmor_2.13.3-7ubuntu5.3_amd64.deb ...
Unpacking apparmor (2.13.3-7ubuntu5.3) over (2.12-4ubuntu5.3) ...
Setting up apparmor (2.13.3-7ubuntu5.3) ...
Installing new version of config file /etc/apparmor.d/abstractions/X ...
Installing new version of config file 
/etc/apparmor.d/abstractions/apache2-common ...
Installing new version of config file 
/etc/apparmor.d/abstractions/apparmor_api/is_enabled ...
Installing new version of config file /etc/apparmor.d/abstractions/audio ...
Installing new version of config file /etc/apparmor.d/abstractions/base ...
Installing new version of config file 
/etc/apparmor.d/abstractions/dovecot-common ...
Installing new version of config file /etc/apparmor.d/abstractions/fonts ...
Installing new version of config file 
/etc/apparmor.d/abstractions/freedesktop.org ...
Installing new version of config file /etc/apparmor.d/abstractions/gnome ...
Installing new version of config file /etc/apparmor.d/abstractions/ibus ...
Installing new version of config file /etc/apparmor.d/abstractions/kde ...
Installing new version of config file 
/etc/apparmor.d/abstractions/kerberosclient ...
Installing new version of config file /etc/apparmor.d/abstractions/ldapclient 
...
Installing new version of config file /etc/apparmor.d/abstractions/mdns ...
Installing new version of config file /etc/apparmor.d/abstractions/nameservice 
...
Installing new version of config file /etc/apparmor.d/abstractions/nvidia ...
Installing new version of config file /etc/apparmor.d/abstractions/php ...
Installing new version of config file 
/etc/apparmor.d/abstractions/postfix-common ...
Installing new version of config file 
/etc/apparmor.d/abstractions/private-files ...
Installing new version of config file 
/etc/apparmor.d/abstractions/private-files-strict ...
Installing new version of config file /etc/apparmor.d/abstractions/python ...
Installing new version of config file /etc/apparmor.d/abstractions/samba ...
Installing new version of config file /etc/apparmor.d/abstractions/ssl_certs ...
Installing new version of config file /etc/apparmor.d/abstractions/ssl_keys ...
Installing new version of config file 
/etc/apparmor.d/abstractions/ubuntu-browsers ...
Installing new version of config file 
/etc/apparmor.d/abstractions/ubuntu-browsers.d/java ...
Installing new version of config file 
/etc/apparmor.d/abstractions/ubuntu-browsers.d/multimedia ...
Installing new version of config file /etc/apparmor.d/abstractions/ubuntu-email 
...
Installing new version of config file 
/etc/apparmor.d/abstractions/ubuntu-helpers ...
Installing new version of config file /etc/apparmor.d/abstractions/video ...
Installing new version of config file /etc/apparmor.d/tunables/global ...
Installing new version of config file /etc/apparmor.d/tunables/kernelvars ...
Installing new version of config file /etc/apparmor.d/tunables/securityfs ...
Installing new version of config file /etc/apparmor.d/tunables/sys ...
Installing new version of config file /etc/apparmor/parser.conf ...
Installing new version of config file /etc/init.d/apparmor ...
Removing obsolete conffile /etc/apparmor.d/abstractions/launchpad-integration 
...
Removing obsolete conffile /etc/apparmor/subdomain.conf ...
Reloading AppArmor profiles 
Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox
Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
Processing triggers for ureadahead (0.100.0-21) ...
Processing triggers for systemd (237-3ubuntu10.56) ...


[Touch-packages] [Bug 2043326] Re: package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: »neues apparmor-Skript des Paketes pre-installation«-Unterprozess gab den Fehlerwert 1 zurück

2023-11-16 Thread Georgia Garcia
*** This bug is a duplicate of bug 2032851 ***
https://bugs.launchpad.net/bugs/2032851

Hello! Thanks for the report. I noticed that it is a duplicate of Bug 2032851 
which already has a fix on its way.
Meanwhile, as a workaround, you could fix the upgrade issue by running
rm -r /etc/apparmor.d/cache/87595f25.0 /etc/apparmor.d/cache/bf9d6da9.0 
/etc/apparmor.d/cache/e10c1cf9.0
and try apt --fix-broken install again

Thanks.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2043326

Title:
  package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: »neues
  apparmor-Skript des Paketes pre-installation«-Unterprozess gab den
  Fehlerwert 1 zurück

Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  After the upgrade to 20.04 I can no longer open the LibreOffice files. The 
error message was "BrokenCount>0". I have tried all possible >apt-get> 
commands without success.
  Can the last upgrade be undone and updated again? 

  1. First installation of Ubuntu using the Linux DVD from
  Computerwissen.

  ProblemType: Package
  DistroRelease: Ubuntu 20.04
  Package: apparmor 2.12-4ubuntu5.3
  ProcVersionSignature: Ubuntu 5.4.0-166.183-generic 5.4.252
  Uname: Linux 5.4.0-166-generic x86_64
  ApportVersion: 2.20.11-0ubuntu27.27
  AptOrdering:
   apparmor:amd64: Install
   libreoffice-common:amd64: Install
   NULL: ConfigurePending
  Architecture: amd64
  CasperMD5CheckResult: skip
  Date: Sun Nov 12 17:39:51 2023
  ErrorMessage: »neues apparmor-Skript des Paketes 
pre-installation«-Unterprozess gab den Fehlerwert 1 zurück
  InstallationDate: Installed on 2023-05-31 (165 days ago)
  InstallationMedia: Ubuntu 16.04.1 LTS "Xenial Xerus" - Release amd64 
(20160719)
  ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-5.4.0-166-generic 
root=UUID=66ff54a3-a945-458b-9c63-7675499cd872 ro quiet splash vt.handoff=7
  Python3Details: /usr/bin/python3.8, Python 3.8.10, python3-minimal, 
3.8.2-0ubuntu2
  PythonDetails: /usr/bin/python2.7, Python 2.7.18, python-is-python2, 2.7.17-4
  RelatedPackageVersions:
   dpkg 1.19.7ubuntu3.2
   apt  2.0.9
  SourcePackage: apparmor
  Title: package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: »neues 
apparmor-Skript des Paketes pre-installation«-Unterprozess gab den Fehlerwert 1 
zurück
  UpgradeStatus: Upgraded to focal on 2023-11-02 (10 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2043326/+subscriptions




[Touch-packages] [Bug 2043326] Re: package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: »neues apparmor-Skript des Paketes pre-installation«-Unterprozess gab den Fehlerwert 1 zurück

2023-11-16 Thread Georgia Garcia
*** This bug is a duplicate of bug 2032851 ***
https://bugs.launchpad.net/bugs/2032851

** This bug has been marked a duplicate of bug 2032851
   package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: new apparmor 
package pre-installation script subprocess returned error exit status 1

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2043326



[Touch-packages] [Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

2023-10-20 Thread Georgia Garcia
Reuploading because I had a conflicting version with what was rejected
in -proposed

** Patch added: "evince_42.3-0ubuntu3.2.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5711859/+files/evince_42.3-0ubuntu3.2.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1794064



[Touch-packages] [Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

2023-10-20 Thread Georgia Garcia
** Patch removed: "evince_42.3-0ubuntu3.1.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5711419/+files/evince_42.3-0ubuntu3.1.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1794064



[Touch-packages] [Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

2023-10-19 Thread Georgia Garcia
Hi! You're right, I forgot to request a sponsorship.

I uploaded the patch for evince/jammy, could you take a look and sponsor
if possible? Thanks

** Patch added: "evince_42.3-0ubuntu3.1.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5711419/+files/evince_42.3-0ubuntu3.1.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1794064



[Touch-packages] [Bug 2039242] Re: package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: new apparmor package pre-installation script subprocess returned error exit status 1

2023-10-16 Thread Georgia Garcia
*** This bug is a duplicate of bug 2032851 ***
https://bugs.launchpad.net/bugs/2032851

** This bug has been marked a duplicate of bug 2032851
   package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: new apparmor 
package pre-installation script subprocess returned error exit status 1

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2039242

Title:
  package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: new
  apparmor package pre-installation script subprocess returned error
  exit status 1

Status in apparmor package in Ubuntu:
  New

Bug description:
  I do not know. I am a rookie.

  ProblemType: Package
  DistroRelease: Ubuntu 20.04
  Package: apparmor 2.13.3-7ubuntu5.2
  ProcVersionSignature: Ubuntu 5.4.0-150.167~18.04.1-generic 5.4.233
  Uname: Linux 5.4.0-150-generic x86_64
  NonfreeKernelModules: wl
  ApportVersion: 2.20.11-0ubuntu27.27
  Architecture: amd64
  CasperMD5CheckResult: skip
  Date: Fri Oct 13 08:25:02 2023
  DuplicateSignature:
   package:apparmor:2.12-4ubuntu5.3
   Preparing to unpack .../09-apparmor_2.13.3-7ubuntu5.2_amd64.deb ...
   rm: cannot remove '/etc/apparmor.d/cache/e10c1cf9.0': Is a directory
   dpkg: error processing archive 
/tmp/apt-dpkg-install-indEZB/09-apparmor_2.13.3-7ubuntu5.2_amd64.deb (--unpack):
new apparmor package pre-installation script subprocess returned error exit 
status 1
  ErrorMessage: new apparmor package pre-installation script subprocess 
returned error exit status 1
  InstallationDate: Installed on 2021-10-31 (711 days ago)
  InstallationMedia: Ubuntu 18.04.6 LTS "Bionic Beaver" - Release amd64 
(20210915)
  ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-5.4.0-150-generic 
root=UUID=e0b6f6e2-1185-4897-92c0-3bbde798fa08 ro quiet splash vt.handoff=1
  Python3Details: /usr/bin/python3.8, Python 3.8.10, python3-minimal, 
3.8.2-0ubuntu2
  PythonDetails: /usr/bin/python2.7, Python 2.7.18, python-is-python2, 2.7.17-4
  RelatedPackageVersions:
   dpkg 1.19.7ubuntu3.2
   apt  2.0.9
  SourcePackage: apparmor
  Title: package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: new 
apparmor package pre-installation script subprocess returned error exit status 1
  UpgradeStatus: Upgraded to focal on 2023-10-13 (0 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2039242/+subscriptions




[Touch-packages] [Bug 2032851] Re: package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: new apparmor package pre-installation script subprocess returned error exit status 1

2023-10-10 Thread Georgia Garcia
** Changed in: apparmor (Ubuntu)
   Importance: Undecided => Critical

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2032851

Title:
  package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: new
  apparmor package pre-installation script subprocess returned error
  exit status 1

Status in apparmor package in Ubuntu:
  In Progress

Bug description:
  [ Impact ]

   * During an apparmor package upgrade, the cache files were
 deleted, but there could also be directories under
 /etc/apparmor.d/cache/ which the pre installation scripts did
 not account for. The upgrade would then fail with the
 following error message because it would not be able to remove
 the directories:

   package:apparmor:2.12-4ubuntu5.3
   Preparing to unpack .../16-apparmor_2.13.3-7ubuntu5.2_amd64.deb ...
   rm: cannot remove '/etc/apparmor.d/cache/bf9d6da9.0': Is a directory
   dpkg: error processing archive 
/tmp/apt-dpkg-install-InP0fz/16-apparmor_2.13.3-7ubuntu5.2_amd64.deb (--unpack):
new apparmor package pre-installation script subprocess returned error exit 
status 1
  ErrorMessage: new apparmor package pre-installation script subprocess 
returned error exit status 1

  [ Test Plan ]

   * On a bionic machine, create a directory under
  /etc/apparmor.d/cache

  sudo mkdir /etc/apparmor.d/cache/test

   * To simulate a system upgrade to focal, you can run the following
  steps

  1. Add the focal archive

  sudo bash -c "cat 

[Touch-packages] [Bug 2032851] Re: package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: new apparmor package pre-installation script subprocess returned error exit status 1

2023-10-10 Thread Georgia Garcia
s enabled
-  Aug 24 02:06:04 adminn-Lenovo-V110-15ISK dbus-daemon[1506]: [session 
uid=1000 pid=1506] AppArmor D-Bus mediation is enabled
-  Aug 24 03:39:11 adminn-Lenovo-V110-15ISK dbus-daemon[9963]: [session uid=0 
pid=9956] AppArmor D-Bus mediation is enabled
+  Aug 24 02:04:25 adminn-Lenovo-V110-15ISK dbus-daemon[4678]: [session 
uid=1000 pid=4678] AppArmor D-Bus mediation is enabled
+  Aug 24 02:05:26 adminn-Lenovo-V110-15ISK dbus-daemon[856]: [system] AppArmor 
D-Bus mediation is enabled
+  Aug 24 02:05:31 adminn-Lenovo-V110-15ISK dbus-daemon[1021]: [session uid=124 
pid=1021] AppArmor D-Bus mediation is enabled
+  Aug 24 02:06:04 adminn-Lenovo-V110-15ISK dbus-daemon[1506]: [session 
uid=1000 pid=1506] AppArmor D-Bus mediation is enabled
+  Aug 24 03:39:11 adminn-Lenovo-V110-15ISK dbus-daemon[9963]: [session uid=0 
pid=9956] AppArmor D-Bus mediation is enabled
  Title: package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: new 
apparmor package pre-installation script subprocess returned error exit status 1
  UpgradeStatus: No upgrade log present (probably fresh install)

** Patch added: "apparmor_2.13.3-7ubuntu5.3.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2032851/+attachment/5708296/+files/apparmor_2.13.3-7ubuntu5.3.debdiff

** Changed in: apparmor (Ubuntu)
 Assignee: (unassigned) => Georgia Garcia (georgiag)

** Changed in: apparmor (Ubuntu)
   Status: Confirmed => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2032851

Title:
  package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: new
  apparmor package pre-installation script subprocess returned error
  exit status 1

Status in apparmor package in Ubuntu:
  In Progress

Bug description:
  [ Impact ]

   * During an apparmor package upgrade, the cache files were
 deleted, but there could also be directories under
 /etc/apparmor.d/cache/ which the pre installation scripts did
 not account for. The upgrade would then fail with the
 following error message because it would not be able to remove
 the directories:

   package:apparmor:2.12-4ubuntu5.3
   Preparing to unpack .../16-apparmor_2.13.3-7ubuntu5.2_amd64.deb ...
   rm: cannot remove '/etc/apparmor.d/cache/bf9d6da9.0': Is a directory
   dpkg: error processing archive 
/tmp/apt-dpkg-install-InP0fz/16-apparmor_2.13.3-7ubuntu5.2_amd64.deb (--unpack):
new apparmor package pre-installation script subprocess returned error exit 
status 1
  ErrorMessage: new apparmor package pre-installation script subprocess 
returned error exit status 1

  [ Test Plan ]

   * On a bionic machine, create a directory under
  /etc/apparmor.d/cache

  sudo mkdir /etc/apparmor.d/cache/test

   * To simulate a system upgrade to focal, you can run the following
  steps

  1. Add the focal archive

  sudo bash -c "cat <<EOF >/etc/apt/sources.list.d/apparmor-focal.list
  deb http://archive.ubuntu.com/ubuntu/ focal restricted main multiverse 
universe
  EOF"

  2. Set up preferences so not all packages are upgraded from focal

  sudo bash -c "cat <<EOF >/etc/apt/preferences.d/apparmor-focal
  Package: *
  Pin: release a=focal
  Pin-Priority: 400
  EOF"

  3. Install only apparmor from focal

  sudo apt-get install apparmor/focal

  4. Notice that the error occurs:

  The following packages will be upgraded:
apparmor
  1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
  Need to get 0 B/494 kB of archives.
  After this operation, 99.3 kB of additional disk space will be used.
  Preconfiguring packages ...
  (Reading database ... 220084 files and directories currently installed.)
  Preparing to unpack .../apparmor_2.13.3-7ubuntu5_amd64.deb ...
  rm: cannot remove '/etc/apparmor.d/cache/test': Is a directory
  dpkg: error processing archive 
/var/cache/apt/archives/apparmor_2.13.3-7ubuntu5_amd64.deb (--unpack):
   new apparmor package pre-installation script subprocess returned error exit 
status 1
  Errors were encountered while processing:
   /var/cache/apt/archives/apparmor_2.13.3-7ubuntu5_amd64.deb
  E: Sub-process /usr/bin/dpkg returned an error code (1)

  [ Where problems could occur ]

   * Since the cache files are being removed, they will have to be
 recreated next time apparmor runs.
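As an added example (not the apparmor package's own preinst script), a POSIX shell sketch of the cleanup the test plan above exercises: a file-only removal fails on a directory under /etc/apparmor.d/cache, while a cleanup that removes entries of either kind succeeds. The cache layout is constructed in a temporary directory; apart from the directory name bf9d6da9.0 taken from the report, the entry names are made up.

```shell
#!/bin/sh
# Added example, not the apparmor package's own preinst script: reproduce the
# cache cleanup failure from the report and show a cleanup that also handles
# directories under the cache directory.
set -u

# Old-style cleanup: removes plain files only, as the failing preinst did.
# rm returns non-zero on a directory ("rm: cannot remove '...': Is a directory").
old_cache_cleanup() {
    cache="$1"
    [ -d "$cache" ] || return 0        # no cache directory, nothing to do
    set -- "$cache"/*
    [ -e "$1" ] || return 0            # glob did not match: cache is empty
    rm -f -- "$@"
}

# Fixed cleanup: removes every entry directly under the cache directory,
# files and directories alike, and keeps the cache directory itself.
# Only direct children of "$cache" are named, so nothing outside it is touched.
fixed_cache_cleanup() {
    cache="$1"
    [ -d "$cache" ] || return 0
    for entry in "$cache"/* "$cache"/.[!.]*; do
        # An unmatched glob stays literal; skip it (but keep dangling symlinks).
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        rm -rf -- "$entry"
    done
}

# Number of entries (including dotfiles) directly under a directory.
cache_entry_count() {
    n=0
    for entry in "$1"/* "$1"/.[!.]*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        n=$((n + 1))
    done
    echo "$n"
}

# Constructed cache layout: a per-profile cache file, a .features file and a
# subdirectory. Only the directory name bf9d6da9.0 is taken from the report;
# the other names are made up.
make_sample_cache() {
    cache="$1"
    mkdir -p "$cache/bf9d6da9.0"
    printf 'cache' > "$cache/bf9d6da9.0/usr.sbin.cupsd"
    printf 'cache' > "$cache/.features"
    printf 'cache' > "$cache/usr.bin.evince"
}

demo() {
    tmp=$(mktemp -d)
    make_sample_cache "$tmp/cache"
    if old_cache_cleanup "$tmp/cache" 2>/dev/null; then
        echo "old cleanup: succeeded"
    else
        echo "old cleanup: failed, $(cache_entry_count "$tmp/cache") entries left"
    fi
    fixed_cache_cleanup "$tmp/cache"
    echo "fixed cleanup: $(cache_entry_count "$tmp/cache") entries left"
    rm -rf "$tmp"
}

demo
```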


  
  -
  Original bug description
  -

  
  package install error

  ProblemType: Package
  DistroRelease: Ubuntu 20.04
  Package: apparmor 2.12-4ubuntu5.3
  ProcVersionSignature: Ubuntu 4.15.0-213.224-generic 4.15.18
  Uname: Linux 4.15.0-213-generic x86_64
  ApportVersion: 2.20.11-0ubuntu27.27
  Architecture: amd64
  CasperMD5CheckResult: skip
  Date: Thu Aug 24 02:35:35 2023
  DuplicateSignature:
   package:apparmor:2.12-4ubuntu5.3
   Preparing to unpack ..

[Touch-packages] [Bug 2038740] Re: package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: o subprocesso do pacote apparmor, novo script pre-installation retornou erro do status de saída 1

2023-10-10 Thread Georgia Garcia
*** This bug is a duplicate of bug 2032851 ***
https://bugs.launchpad.net/bugs/2032851

** This bug has been marked a duplicate of bug 2032851
   package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: new apparmor 
package pre-installation script subprocess returned error exit status 1

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2038740

Title:
  package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: o
  subprocesso do pacote apparmor, novo script pre-installation retornou
  erro do status de saída 1

Status in apparmor package in Ubuntu:
  New

Bug description:
  Several problems in the LibreOffice programs

  ProblemType: Package
  DistroRelease: Ubuntu 20.04
  Package: apparmor 2.12-4ubuntu5.3
  ProcVersionSignature: Ubuntu 5.4.0-163.180-generic 5.4.246
  Uname: Linux 5.4.0-163-generic x86_64
  ApportVersion: 2.20.11-0ubuntu27.27
  AptOrdering:
   apparmor:amd64: Install
   libreoffice-common:amd64: Install
   NULL: ConfigurePending
  Architecture: amd64
  CasperMD5CheckResult: skip
  Date: Sat Oct  7 20:19:20 2023
  DpkgHistoryLog:
   Start-Date: 2023-10-07  20:19:11
   Commandline: packagekit role='install-files'
   Requested-By: ubuntu (1000)
   Upgrade: libreoffice-common:amd64 (1:6.0.7-0ubuntu0.18.04.13, 
1:6.4.7-0ubuntu0.20.04.8), apparmor:amd64 (2.12-4ubuntu5.3, 2.13.3-7ubuntu5.2)
  DpkgTerminalLog:
   Preparing to unpack .../apparmor_2.13.3-7ubuntu5.2_amd64.deb ...
   rm: cannot remove '/etc/apparmor.d/cache/e10c1cf9.0': Is a directory
   dpkg: error processing archive 
/var/cache/apt/archives/apparmor_2.13.3-7ubuntu5.2_amd64.deb (--unpack):
new apparmor package pre-installation script subprocess returned error exit 
status 1
  ErrorMessage: new apparmor package pre-installation script subprocess 
returned error exit status 1
  InstallationDate: Installed on 2023-09-01 (36 days ago)
  InstallationMedia: Ubuntu 18.04.6 LTS "Bionic Beaver" - Release amd64 
(20210915)
  ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-5.4.0-163-generic 
root=UUID=8a1d548e-ad1e-40f1-ab36-082b4bd2d1e4 ro quiet splash vt.handoff=7
  Python3Details: /usr/bin/python3.8, Python 3.8.10, python3-minimal, 
3.8.2-0ubuntu2
  PythonDetails: N/A
  RelatedPackageVersions:
   dpkg 1.19.7ubuntu3.2
   apt  2.0.9
  SourcePackage: apparmor
  Title: package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: new 
apparmor package pre-installation script subprocess returned error exit status 1
  UpgradeStatus: Upgraded to focal on 2023-09-23 (13 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2038740/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 2038443] Re: mantic:linux: ubuntu_qrt_apparmor: ApparmorTestsuites.test_regression_testsuiteattach_disconnected.

2023-10-06 Thread Georgia Garcia
Hi!

Could you share the kernel and apparmor version?
I tested on mantic with the configuration below and I wasn't able to reproduce 
the failure for this specific test.
I did see an unrelated dbus issue with the test suite and proposed a fix on 
https://code.launchpad.net/~georgiag/qa-regression-testing/+git/qa-regression-testing/+merge/453056


georgia@sec-mantic-amd64:~/qrt-test-apparmor$ sudo ./test-apparmor.py 
ApparmorTestsuites.test_regression_testsuite
[sudo] password for georgia: 
Skipping private tests

  preparing apparmor_4.0.0~alpha2-0ubuntu5.dsc...  done

 (disabling ptrace for this test)
.
--
Ran 1 test in 574.715s

OK
georgia@sec-mantic-amd64:~/qrt-test-apparmor$ uname -a
Linux sec-mantic-amd64 6.5.0-7-generic #7-Ubuntu SMP PREEMPT_DYNAMIC Fri Sep 29 
09:14:56 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
georgia@sec-mantic-amd64:~/qrt-test-apparmor$ apt-cache policy apparmor
apparmor:
  Installed: 4.0.0~alpha2-0ubuntu5
  Candidate: 4.0.0~alpha2-0ubuntu5
  Version table:
 *** 4.0.0~alpha2-0ubuntu5 500
500 http://archive.ubuntu.com/ubuntu mantic/main amd64 Packages
100 /var/lib/dpkg/status
georgia@sec-mantic-amd64:~/qrt-test-apparmor$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:Ubuntu Mantic Minotaur (development branch)
Release:23.10
Codename:   mantic

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2038443

Title:
  mantic:linux: ubuntu_qrt_apparmor:
  ApparmorTestsuites.test_regression_testsuiteattach_disconnected.

Status in apparmor package in Ubuntu:
  New
Status in linux package in Ubuntu:
  Confirmed
Status in apparmor source package in Mantic:
  New
Status in linux source package in Mantic:
  Confirmed

Bug description:
  This might be apparmor, the test case, kernel or anything in between:

  7720s   running attach_disconnected
  7720s   Fatal Error (unix_fd_server): Unable to run test sub-executable

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2038443/+subscriptions




[Touch-packages] [Bug 2034100] Re: package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: new apparmor package pre-installation script subprocess returned error exit status 1

2023-09-05 Thread Georgia Garcia
*** This bug is a duplicate of bug 2032851 ***
https://bugs.launchpad.net/bugs/2032851

** Information type changed from Private Security to Public

** This bug has been marked a duplicate of bug 2032851
   package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: new apparmor 
package pre-installation script subprocess returned error exit status 1

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2034100

Title:
  package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: new
  apparmor package pre-installation script subprocess returned error
  exit status 1

Status in apparmor package in Ubuntu:
  New

Bug description:
  zdvgsdf

  ProblemType: Package
  DistroRelease: Ubuntu 20.04
  Package: apparmor 2.12-4ubuntu5.3
  ProcVersionSignature: Ubuntu 5.4.0-159.176-generic 5.4.241
  Uname: Linux 5.4.0-159-generic x86_64
  ApportVersion: 2.20.11-0ubuntu27.27
  Architecture: amd64
  CasperMD5CheckResult: skip
  Date: Mon Sep  4 12:07:44 2023
  DuplicateSignature:
   package:apparmor:2.12-4ubuntu5.3
   Preparing to unpack .../09-apparmor_2.13.3-7ubuntu5.2_amd64.deb ...
   rm: cannot remove '/etc/apparmor.d/cache/e10c1cf9.0': Is a directory
   dpkg: error processing archive 
/tmp/apt-dpkg-install-RP1aSv/09-apparmor_2.13.3-7ubuntu5.2_amd64.deb (--unpack):
new apparmor package pre-installation script subprocess returned error exit 
status 1
  ErrorMessage: new apparmor package pre-installation script subprocess 
returned error exit status 1
  InstallationDate: Installed on 2023-03-14 (174 days ago)
  InstallationMedia: Ubuntu 18.04.6 LTS "Bionic Beaver" - Release amd64 
(20210915)
  ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-5.4.0-159-generic 
root=UUID=213e3ed9-7e53-4ef8-885d-7e58e7fd651f ro quiet splash vt.handoff=7
  Python3Details: /usr/bin/python3.8, Python 3.8.10, python3-minimal, 
3.8.2-0ubuntu2
  PythonDetails: /usr/bin/python2.7, Python 2.7.18, python-is-python2, 2.7.17-4
  RelatedPackageVersions:
   dpkg 1.19.7ubuntu3.2
   apt  2.0.9
  SourcePackage: apparmor
  Title: package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: new 
apparmor package pre-installation script subprocess returned error exit status 1
  UpgradeStatus: Upgraded to focal on 2023-09-04 (0 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2034100/+subscriptions




[Touch-packages] [Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

2023-07-06 Thread Georgia Garcia
Andreas, Jeremy, you are correct. The worst that could happen is the
same behavior we have currently: when we click a URL the browser does
not open, we get a denied log and evince prints "Permission denied".

My previous statement that profile loading could fail if apparmor did
not find "snap_browsers" was a mistake. Evince installs successfully and
apparmor loads the evince policy correctly. The apparmor service also
does not fail if restarted.

I updated the evince package for jammy, removing the "Recommends", in the PPA 
I shared previously, in case it is needed:
https://launchpad.net/~georgiag/+archive/ubuntu/lp1794064/+packages

Thank you all and I'm sorry for the confusion.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1794064

Title:
  Clicking a hyperlink in a PDF fails to open it if the default browser
  is a snap

Status in apparmor package in Ubuntu:
  Fix Released
Status in evince package in Ubuntu:
  Fix Released
Status in apparmor source package in Jammy:
  Fix Committed
Status in evince source package in Jammy:
  In Progress
Status in apparmor source package in Lunar:
  Fix Released
Status in evince source package in Lunar:
  Fix Committed
Status in apparmor package in Debian:
  New
Status in evince package in Debian:
  Confirmed

Bug description:
  [Impact]

   * Users cannot open a hyperlink in a PDF opened with evince when the default 
browser is a snap.
   * The fix creates a snap_browsers abstraction on AppArmor which can be used 
in a transition for when the browser is executed. The snap_browsers abstraction 
provides the minimal amount of permissions required to execute a browser 
provided through snaps. This is a workaround since AppArmor currently does not 
provide mediation/filtering on enhanced environment variables.

  [Test Plan]

   * Make sure the default browser is provided through the snap store.
   * Open a PDF that contains a hyperlink using evince and click on the URL.
   * The browser should open the requested URL. 

  [Where problems could occur]

   * If the browser or snap core update to have new requirements for
  opening a browser, then the current policy could become obsolete and
  will need to be updated again.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions




[Touch-packages] [Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

2023-06-28 Thread Georgia Garcia
I have verified on lunar with both apparmor and evince packages updated
from the proposed pocket, it works as expected.

** Tags removed: verification-needed-lunar
** Tags added: verification-done-lunar

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1794064

Title:
  Clicking a hyperlink in a PDF fails to open it if the default browser
  is a snap

Status in apparmor package in Ubuntu:
  Fix Released
Status in evince package in Ubuntu:
  Fix Released
Status in apparmor source package in Jammy:
  Fix Committed
Status in evince source package in Jammy:
  In Progress
Status in apparmor source package in Lunar:
  Fix Committed
Status in evince source package in Lunar:
  Fix Committed
Status in evince package in Debian:
  Confirmed





[Touch-packages] [Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

2023-06-20 Thread Georgia Garcia
Steve, the snap_browsers abstractions needed an update because the
abstraction had not been updated in a year and the snap browsers now
required read and lock permissions to the file
/var/lib/snapd/inhibit/{browser-name}.lock, but this was also submitted,
approved and merged upstream:
https://gitlab.com/apparmor/apparmor/-/merge_requests/1045

Regarding the patch for evince, I kept the "Recommends" because, yes, the 
"include if exists" checks whether the abstraction is present and only includes 
it in the case it is, but the actual rule which references the snap_browsers 
profile could fail for apparmor versions in which snap_browsers does not exist.
/{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/bin/snap mrCx -> snap_browsers,

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1794064

Title:
  Clicking a hyperlink in a PDF fails to open it if the default browser
  is a snap

Status in apparmor package in Ubuntu:
  Fix Released
Status in evince package in Ubuntu:
  Fix Released
Status in apparmor source package in Jammy:
  Fix Committed
Status in evince source package in Jammy:
  In Progress
Status in apparmor source package in Lunar:
  Incomplete
Status in evince source package in Lunar:
  Fix Committed
Status in evince package in Debian:
  Confirmed





[Touch-packages] [Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

2023-06-09 Thread Georgia Garcia
Hi Steve.
I updated the patches containing the requested changes and uploaded them to 
https://launchpad.net/~georgiag/+archive/ubuntu/lp1794064/+packages
Please let me know if you prefer that I attach the debdiffs here.

I'm resubscribing ~ubuntu-sponsors. Thanks

** Patch removed: "evince_42.1-3ubuntu1.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581877/+files/evince_42.1-3ubuntu1.debdiff

** Patch removed: "evince_40.4-2ubuntu0.1.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581878/+files/evince_40.4-2ubuntu0.1.debdiff

** Patch removed: "evince_3.36.10-0ubuntu1.1.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581879/+files/evince_3.36.10-0ubuntu1.1.debdiff

** Patch removed: "evince_3.28.4-0ubuntu1.3.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581880/+files/evince_3.28.4-0ubuntu1.3.debdiff

** Patch removed: "apparmor_3.0.4-2ubuntu3.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581881/+files/apparmor_3.0.4-2ubuntu3.debdiff

** Patch removed: "apparmor_3.0.3-0ubuntu1.1.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581882/+files/apparmor_3.0.3-0ubuntu1.1.debdiff

** Patch removed: "apparmor_2.13.3-7ubuntu5.2.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581884/+files/apparmor_2.13.3-7ubuntu5.2.debdiff

** Patch removed: "apparmor_2.12-4ubuntu5.2.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581885/+files/apparmor_2.12-4ubuntu5.2.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1794064

Title:
  Clicking a hyperlink in a PDF fails to open it if the default browser
  is a snap

Status in apparmor package in Ubuntu:
  Confirmed
Status in evince package in Ubuntu:
  Incomplete
Status in apparmor source package in Jammy:
  Confirmed
Status in evince source package in Jammy:
  Incomplete
Status in evince package in Debian:
  Confirmed





[Touch-packages] [Bug 2018439] Re: Apparmor crashes GPU acceleration

2023-05-04 Thread Georgia Garcia
Hi Daniel. Thanks for the report!

Could you try the following commands and let me know if they fix the
issue?

sudo sh -c "echo 'include ' >> /etc/apparmor.d/local/usr.bin.firefox"
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.firefox

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2018439

Title:
  Apparmor crashes GPU acceleration

Status in apparmor package in Ubuntu:
  New
Status in firefox package in Ubuntu:
  New

Bug description:
  Apparmor crashes GPU acceleration

  Firefox GPU acceleration started crashing after updating from Ubuntu
  22.10 to 23.04.

  $ lsb_release -rd
  No LSB modules are available.
  Description:Ubuntu 23.04
  Release:23.04

  $ apt-cache policy firefox
  firefox:
Installed: 113.0+build1-0ubuntu0.23.04.1~mt1
Candidate: 113.0+build1-0ubuntu0.23.04.1~mt1
Version table:
   1:1snap1-0ubuntu3 500
  500 https://gpl.savoirfairelinux.net/pub/mirrors/ubuntu lunar/main 
amd64 Packages
   *** 113.0+build1-0ubuntu0.23.04.1~mt1 999
  500 https://ppa.launchpadcontent.net/mozillateam/ppa/ubuntu 
lunar/main amd64 Packages
  100 /var/lib/dpkg/status

  $ apt-cache policy libglx-mesa0 
  libglx-mesa0:
Installed: 23.0.3~kisak1~k
Candidate: 23.0.3~kisak1~k
Version table:
   *** 23.0.3~kisak1~k 500
  500 https://ppa.launchpadcontent.net/kisak/kisak-mesa/ubuntu 
kinetic/main amd64 Packages
  100 /var/lib/dpkg/status
   23.0.2-1ubuntu1 500
  500 https://gpl.savoirfairelinux.net/pub/mirrors/ubuntu lunar/main 
amd64 Packages

  $ apt-cache policy apparmor
  apparmor:
Installed: 3.0.8-1ubuntu2
Candidate: 3.0.8-1ubuntu2
Version table:
   *** 3.0.8-1ubuntu2 500
  500 https://gpl.savoirfairelinux.net/pub/mirrors/ubuntu lunar/main 
amd64 Packages
  100 /var/lib/dpkg/status

  # Expected behavior

  Firefox should not crash in WebGL aquarium and continue to work
  properly like on 22.10. It should successfully use my GPU to make
  scrolling smooths and save battery when watching videos.

  # Actual behavior

  1. Startup takes a second or two longer than usual
  2. Typing in the address bar is slow
  3. Scrolling takes 400% CPU usage
  4. Scrolling stutters
  5. VAAPI on https://www.w3schools.com/html/html5_video.asp is no longer used 
as shown in intel_gpu_top
  6. Fans start spinning and battery goes down fast
  7. glxtest failures had to be manually deleted in about:config
  8. Only a few fish in WebGL aquarium 
(https://webglsamples.org/aquarium/aquarium.html) load before Firefox 
force-closes with the message: "Mozilla Crash Reporter Firefox had a problem 
and crashed. Unfortunately, the crash reporter is unable to submit a crash 
report. Details: The application did not leave a crash dump file. Close"
  9. The following lines are relevant in dmesg after clearing it:

  [22157.695580] kauditd_printk_skb: 6 callbacks suppressed
  [22157.695582] audit: type=1400 audit(1683153440.994:2583): apparmor="DENIED" 
operation="capable" class="cap" profile="firefox" pid=15898 comm="firefox" 
capability=21  capname="sys_admin"
  [22157.739641] audit: type=1400 audit(1683153441.038:2584): apparmor="DENIED" 
operation="open" class="file" profile="firefox" 
name="/sys/devices/pci:00/:00:02.0/revision" pid=15901 comm="firefox" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  [22157.739647] audit: type=1400 audit(1683153441.038:2585): apparmor="DENIED" 
operation="open" class="file" profile="firefox" 
name="/sys/devices/pci:00/:00:02.0/config" pid=15901 comm="firefox" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  [22157.739719] audit: type=1400 audit(1683153441.038:2586): apparmor="DENIED" 
operation="open" class="file" profile="firefox" 
name="/sys/devices/pci:00/:00:02.0/revision" pid=15901 comm="firefox" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  [22157.739729] audit: type=1400 audit(1683153441.038:2587): apparmor="DENIED" 
operation="open" class="file" profile="firefox" 
name="/sys/devices/pci:00/:00:02.0/config" pid=15901 comm="firefox" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  [22157.769407] audit: type=1400 audit(1683153441.070:2588): apparmor="DENIED" 
operation="open" class="file" profile="firefox" 
name="/proc/15898/oom_score_adj" pid=15898 comm="firefox" requested_mask="w" 
denied_mask="w" fsuid=1000 ouid=1000
  [22157.773042] audit: type=1400 audit(1683153441.074:2589): apparmor="DENIED" 
operation="file_mmap" class="file" profile="firefox//lsb_release" 
name="/usr/bin/dash" pid=15934 comm="lsb_release" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=0
  [22157.974718] audit: type=1400 audit(1683153441.274:2590): apparmor="DENIED" 
operation="open" class="file" profile="firefox" name="/proc/15898/cgroup" 
pid=15898 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=100

[Touch-packages] [Bug 2009230] Re: AppArmor denials for rsyslog

2023-03-24 Thread Georgia Garcia
I added the consoles abstraction to the rsyslog AppArmor profile and I
also had to add syslog to the tty group, otherwise rsyslog would not
have been able to write to /dev/console due to file permissions (bug
1890177).

I added the proposed changes to this PPA
https://launchpad.net/~georgiag/+archive/ubuntu/rsyslog-console

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to rsyslog in Ubuntu.
https://bugs.launchpad.net/bugs/2009230

Title:
  AppArmor denials for rsyslog

Status in gce-compute-image-packages package in Ubuntu:
  New
Status in rsyslog package in Ubuntu:
  New
Status in gce-compute-image-packages source package in Lunar:
  New
Status in rsyslog source package in Lunar:
  New

Bug description:
  The AppArmor profile for rsyslog, which had been disabled on previous
  Ubuntu versions, was enabled in lunar.

  The package google-compute-engine added a config file to rsyslog which
  requires rw access to /dev/console

  google:ubuntu-23.04-64 /root# cat /etc/rsyslog.d/90-google.conf
  # Google Compute Engine default console logging.
  #
  # daemon: logging from Google provided daemons.
  # kern: logging information in case of an unexpected crash during boot.
  #
  daemon,kern.* /dev/console

  google:ubuntu-23.04-64 /root# apt-file search /etc/rsyslog.d/90-google.conf
  google-compute-engine: /etc/rsyslog.d/90-google.conf

  So in gce cloud images, we are getting the following denials:

  [ 1500.302082] audit: type=1400 audit(1677876883.728:495):
  apparmor="DENIED" operation="open" class="file" profile="rsyslogd"
  name="/dev/console" pid=603 comm=72733A6D61696E20513A526567
  requested_mask="ac" denied_mask="ac" fsuid=101 ouid=0

  To fix it, we just need to add
    /dev/console rw,
  to /etc/apparmor.d/usr.sbin.rsyslogd

  or the same permission should be added to a file in
  /etc/apparmor.d/rsyslog.d/ by the google-compute-engine package

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gce-compute-image-packages/+bug/2009230/+subscriptions


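The firefox dmesg excerpt in bug 2018439 and the /dev/console denial in bug 2009230 are both AppArmor audit records that someone then has to turn into profile rules by hand (the rsyslog report does exactly that: one denial becomes "/dev/console rw,"). The Python script below is an added example for this thread, not code from the bug reports or from the AppArmor project. It parses such records, decodes the hex-encoded comm= field that the rsyslog line shows, skips complain-mode ALLOWED records, and proposes candidate rules grouped by profile. The sample log lines are constructed (modelled on the ones quoted above, with made-up pids and timestamps), and the mask-to-permission mapping is a simplified heuristic rather than what aa-logprof does, so every suggestion still needs review before it goes into a profile.

```python
"""Turn AppArmor DENIED audit records into candidate profile rules.

Added example for this thread; it is not code from the bug reports or from
the AppArmor project. The rule mapping is a simplified heuristic, not what
aa-logprof does, and every suggestion must be reviewed before it is added
to a profile.
"""
import re
from collections import defaultdict

# key="quoted value" or key=bareword, as written by the kernel audit code
_TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')
_HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")
# log mask letters -> policy permission letters (create/delete need write)
_MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                 "k": "k", "l": "l", "m": "m", "x": "x"}
_PERM_ORDER = "rwamklx"

# Constructed sample records, modelled on the dmesg lines quoted in the
# firefox and rsyslog reports above; pids, paths and timestamps are made up.
SAMPLE_LOG = """\
[22157.695582] audit: type=1400 audit(1683153440.994:2583): apparmor="DENIED" operation="capable" class="cap" profile="firefox" pid=15898 comm="firefox" capability=21  capname="sys_admin"
[22157.769407] audit: type=1400 audit(1683153441.070:2588): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/proc/15898/oom_score_adj" pid=15898 comm="firefox" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
[22157.773042] audit: type=1400 audit(1683153441.074:2589): apparmor="DENIED" operation="file_mmap" class="file" profile="firefox//lsb_release" name="/usr/bin/dash" pid=15934 comm="lsb_release" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1500.302082] audit: type=1400 audit(1677876883.728:495): apparmor="DENIED" operation="open" class="file" profile="rsyslogd" name="/dev/console" pid=603 comm=72733A6D61696E20513A526567 requested_mask="ac" denied_mask="ac" fsuid=101 ouid=0
[ 1500.302090] audit: type=1400 audit(1677876883.728:496): apparmor="ALLOWED" operation="open" class="file" profile="rsyslogd" name="/var/log/syslog" pid=603 comm="rsyslogd" requested_mask="w" denied_mask="w" fsuid=101 ouid=0
"""


def parse_record(line):
    """Return the key/value fields of one AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for key, raw in _TOKEN.findall(line):
        if raw.startswith('"'):
            fields[key] = raw[1:-1]
        elif key == "comm" and _HEX.fullmatch(raw):
            # comm is hex-encoded when it holds spaces or unprintables,
            # e.g. rsyslog's worker thread name "rs:main Q:Reg"
            fields[key] = bytes.fromhex(raw).decode("ascii", "replace")
        else:
            fields[key] = raw
    return fields


def _generalize(name, rec):
    """Replace the faulting pid in /proc paths with the @{pid} variable."""
    prefix = f"/proc/{rec.get('pid')}/"
    if rec.get("pid") and name.startswith(prefix):
        return "@{PROC}/@{pid}/" + name[len(prefix):]
    return name


def suggest_rule(rec):
    """Map one DENIED record to a candidate rule line (heuristic)."""
    if rec.get("class") == "cap" or rec.get("operation") == "capable":
        return f"capability {rec['capname']},"
    name = rec.get("name")
    if not name:
        return None  # network, dbus, signal, ptrace ... are not handled here
    mask = rec.get("denied_mask") or rec.get("requested_mask", "")
    perms = {_MASK_TO_PERM[ch] for ch in mask if ch in _MASK_TO_PERM}
    if rec.get("operation") == "file_mmap":
        perms.add("m")  # mmap(PROT_EXEC) needs the m permission
    if "w" in perms:
        perms.discard("a")  # w already covers append
    if "x" in perms:
        # exec needs an explicit transition mode (ix/Px/Cx/Ux); leave to reviewer
        return f"# exec denied for {name}: add an explicit x rule"
    owner = "owner " if rec.get("fsuid") and rec["fsuid"] == rec.get("ouid") else ""
    perm_str = "".join(p for p in _PERM_ORDER if p in perms)
    return f"{owner}{_generalize(name, rec)} {perm_str},"


def summarize(log_text):
    """Return {profile: sorted candidate rules}, from DENIED records only."""
    by_profile = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        # ALLOWED (complain mode) and AUDIT records are informational; skip them
        if not rec or rec.get("apparmor") != "DENIED":
            continue
        rule = suggest_rule(rec)
        if rule:
            by_profile[rec["profile"]].add(rule)
    return {profile: sorted(rules) for profile, rules in by_profile.items()}


if __name__ == "__main__":
    for profile, rules in summarize(SAMPLE_LOG).items():
        print(f"profile {profile}:")
        for rule in rules:
            print(f"  {rule}")
```

Suggestions for a child profile such as firefox//lsb_release belong in that child, not in the parent, which is why the output is keyed on the full profile name; on a real system you would feed it "journalctl -k" or /var/log/kern.log instead of the constructed sample.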


[Touch-packages] [Bug 2009317] Re: All Snaps Broken After Release Upgrade

2023-03-21 Thread Georgia Garcia
I think /var/log/syslog and /var/log/kern.log will be sufficient.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2009317

Title:
  All Snaps Broken After Release Upgrade

Status in apparmor package in Ubuntu:
  Confirmed
Status in ubuntu-release-upgrader package in Ubuntu:
  Incomplete
Status in apparmor source package in Jammy:
  Confirmed
Status in ubuntu-release-upgrader source package in Jammy:
  Incomplete
Status in apparmor source package in Kinetic:
  Confirmed
Status in ubuntu-release-upgrader source package in Kinetic:
  Incomplete

Bug description:
  isa~ lsb_release -rd
  No LSB modules are available.
  Description:  Ubuntu Lunar Lobster (development branch)
  Release:  23.04

  Expected behavior:
  ==
  Installed snaps worked before do-release-upgrade (from Kinetic to Lunar), 
they should also work after.

  Actual behavior:
  ==
  Snaps worked before do-release-upgrade, NONE work after. Printed warning is 
useless. Debugging requires secondary device. This should be a trivial fix 
(re-enable apparmor service at the end of do-release-upgrade).

  isa~ firefox
  snap-confine has elevated permissions and is not confined but should be. 
Refusing to continue to avoid permission escalation attacks
  Please make sure that the snapd.apparmor service is enabled and started.
  isa~ systemctl status snapd.apparmor
  ● snapd.apparmor.service - Load AppArmor profiles managed internally by snapd
   Loaded: loaded (/lib/systemd/system/snapd.apparmor.service; enabled; 
preset: enabled)
   Active: active (exited) since Sun 2023-03-05 18:27:10 MST; 10min ago
     Main PID: 826 (code=exited, status=0/SUCCESS)
  CPU: 43.722s

  Mar 05 18:27:10 isa systemd[1]: Finished Load AppArmor profiles managed 
internally by snapd.
  Notice: journal has been rotated since unit was started, output may be 
incomplete.

  It looks like during the release upgrade apparmor was disabled and
  needs to be re-enabled.

  isa~ systemctl status apparmor
  ○ apparmor.service - Load AppArmor profiles
   Loaded: loaded (/lib/systemd/system/apparmor.service; disabled; preset: 
enabled)
   Active: inactive (dead)
     Docs: man:apparmor(7)
   https://gitlab.com/apparmor/apparmor/wikis/home/
  isa~ systemctl start apparmor

  Notes:
  ==
  This is a reoccurring bug, I hit it when upgrading to Kinetic as well on the 
same device. This does NOT happen on all devices (my other device didn't hit 
this issue when upgrading Jammy->Kinetic->Lunar). This is a bad user experience 
- debugging requires a secondary device because Ubuntu browsers are snap-based.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2009317/+subscriptions




[Touch-packages] [Bug 2009317] Re: All Snaps Broken After Release Upgrade

2023-03-16 Thread Georgia Garcia
Hi! Could you upload some system logs of when this happens?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2009317

Title:
  All Snaps Broken After Release Upgrade

Status in apparmor package in Ubuntu:
  Confirmed
Status in ubuntu-release-upgrader package in Ubuntu:
  Incomplete
Status in apparmor source package in Jammy:
  Confirmed
Status in ubuntu-release-upgrader source package in Jammy:
  Incomplete
Status in apparmor source package in Kinetic:
  Confirmed
Status in ubuntu-release-upgrader source package in Kinetic:
  Incomplete





[Touch-packages] [Bug 2009230] Re: AppArmor denials for rsyslog

2023-03-07 Thread Georgia Garcia
Hi Chlo!

I was just testing a fix that I did myself: 
https://launchpad.net/~georgiag/+archive/ubuntu/lp2009230/+packages
and it seemed to work as expected.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to rsyslog in Ubuntu.
https://bugs.launchpad.net/bugs/2009230

Title:
  AppArmor denials for rsyslog

Status in gce-compute-image-packages package in Ubuntu:
  New
Status in rsyslog package in Ubuntu:
  New
Status in gce-compute-image-packages source package in Lunar:
  New
Status in rsyslog source package in Lunar:
  New

Bug description:
  The AppArmor profile for rsyslog, which had been disabled on previous
  Ubuntu versions, was enabled in lunar.

  The package google-compute-engine added a config file to rsyslog which
  requires rw access to /dev/console

  google:ubuntu-23.04-64 /root# cat /etc/rsyslog.d/90-google.conf
  # Google Compute Engine default console logging.
  #
  # daemon: logging from Google provided daemons.
  # kern: logging information in case of an unexpected crash during boot.
  #
  daemon,kern.* /dev/console

  google:ubuntu-23.04-64 /root# apt-file search /etc/rsyslog.d/90-google.conf
  google-compute-engine: /etc/rsyslog.d/90-google.conf

  So in gce cloud images, we are getting the following denials:

  [ 1500.302082] audit: type=1400 audit(1677876883.728:495):
  apparmor="DENIED" operation="open" class="file" profile="rsyslogd"
  name="/dev/console" pid=603 comm=72733A6D61696E20513A526567
  requested_mask="ac" denied_mask="ac" fsuid=101 ouid=0

  To fix it, we just need to add
    /dev/console rw,
  to /etc/apparmor.d/usr.sbin.rsyslogd

  or the same permission should be added to a file in
  /etc/apparmor.d/rsyslog.d/ by the google-compute-engine package

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gce-compute-image-packages/+bug/2009230/+subscriptions




[Touch-packages] [Bug 2009230] Re: AppArmor denials for rsyslog

2023-03-03 Thread Georgia Garcia
** Also affects: gce-compute-image-packages (Ubuntu)
   Importance: Undecided
   Status: New

** Description changed:

  The AppArmor profile for rsyslog, which had been disabled on previous
  Ubuntu versions, was enabled in lunar.
  
  The package google-compute-engine added a config file to rsyslog which
  requires rw access to /dev/console
  
  google:ubuntu-23.04-64 /root# cat /etc/rsyslog.d/90-google.conf
  # Google Compute Engine default console logging.
  #
  # daemon: logging from Google provided daemons.
  # kern: logging information in case of an unexpected crash during boot.
  #
  daemon,kern.* /dev/console
  
  google:ubuntu-23.04-64 /root# apt-file search /etc/rsyslog.d/90-google.conf
  google-compute-engine: /etc/rsyslog.d/90-google.conf
  
  So in gce cloud images, we are getting the following denials:
  
  [ 1500.302082] audit: type=1400 audit(1677876883.728:495):
  apparmor="DENIED" operation="open" class="file" profile="rsyslogd"
  name="/dev/console" pid=603 comm=72733A6D61696E20513A526567
  requested_mask="ac" denied_mask="ac" fsuid=101 ouid=0
  
+ To fix it, we just need to add
+   /dev/console rw,
+ to /etc/apparmor.d/usr.sbin.rsyslogd
  
- To fix it, we just need to add 
-   /dev/console rw,
- to /etc/apparmor.d/usr.sbin.rsyslogd
+ or the same permission should be added to a file in
+ /etc/apparmor.d/rsyslog.d/ by the google-compute-engine package
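Review bot: the rule proposed in the moved "To fix it" paragraph, `/dev/console rw,`, is broader than the denial it answers. The audit line above it shows requested_mask="ac" (append and create), both of which `w` already grants, so `/dev/console w,` closes the denial without also giving rsyslogd read access to the console. The added alternative (a drop-in under /etc/apparmor.d/rsyslog.d/ shipped by google-compute-engine) is the better of the two because it leaves the distro profile untouched on images that do not carry 90-google.conf; say so rather than listing both as equal options.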

** Also affects: rsyslog (Ubuntu Lunar)
   Importance: Undecided
   Status: New

** Also affects: gce-compute-image-packages (Ubuntu Lunar)
   Importance: Undecided
   Status: New



[Touch-packages] [Bug 2009230] [NEW] AppArmor denials for rsyslog

2023-03-03 Thread Georgia Garcia
Public bug reported:

The AppArmor profile for rsyslog, which had been disabled on previous
Ubuntu versions, was enabled in lunar.

The package google-compute-engine added a config file to rsyslog which
requires rw access to /dev/console

google:ubuntu-23.04-64 /root# cat /etc/rsyslog.d/90-google.conf
# Google Compute Engine default console logging.
#
# daemon: logging from Google provided daemons.
# kern: logging information in case of an unexpected crash during boot.
#
daemon,kern.* /dev/console

google:ubuntu-23.04-64 /root# apt-file search /etc/rsyslog.d/90-google.conf
google-compute-engine: /etc/rsyslog.d/90-google.conf

So in gce cloud images, we are getting the following denials:

[ 1500.302082] audit: type=1400 audit(1677876883.728:495):
apparmor="DENIED" operation="open" class="file" profile="rsyslogd"
name="/dev/console" pid=603 comm=72733A6D61696E20513A526567
requested_mask="ac" denied_mask="ac" fsuid=101 ouid=0


To fix it, we just need to add 
  /dev/console rw,
to /etc/apparmor.d/usr.sbin.rsyslogd

** Affects: gce-compute-image-packages (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: rsyslog (Ubuntu)
 Importance: Undecided
 Status: New



[Touch-packages] [Bug 2003383] Re: LXC ignores lxc.rootfs.options on container reboot

2023-02-16 Thread Georgia Garcia
** Also affects: lxc
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2003383

Title:
  LXC ignores lxc.rootfs.options on container reboot

Status in lxc:
  New
Status in apparmor package in Ubuntu:
  New

Bug description:
  When I issue a `systemctl reboot` within the container, instead of
  rebooting, it stops with an error.

  This is my config:

  # Template used to create this container: /usr/share/lxc/templates/lxc-debian
  # Parameters passed to the template: -r jessie
  # Template script checksum (SHA-1): 70e3d3a3adf290e12fc3522b2066039e079d8f1d

  # Common configuration
  lxc.include = /usr/share/lxc/config/ubuntu.common.conf

  lxc.net.0.type = veth
  lxc.net.0.hwaddr = 00:16:3e:9c:68:09
  lxc.net.0.flags = up
  lxc.net.0.link = br0
  lxc.rootfs.path = /dev/vmdata-vg/lxc-jessie
  lxc.rootfs.options = subvol=@
  lxc.mount.fstab = /var/lib/lxc/jessie/fstab
  lxc.tty.max = 4
  lxc.pty.max = 1024
  lxc.arch = amd64
  lxc.uts.name = jessie
  lxc.cap.drop = sys_module mac_admin mac_override sys_time

  I have a suspicion that it might ignore lxc.rootfs.options and tries
  to mount the root BTRFS volume directly and can't find /sbin/init
  there.

  I found the following lines of interest in the log.

  Correct mount on first boot (lxc-start):
  lxc-start jessie 20230119225558.271 DEBUG    conf - conf.c:lxc_mount_rootfs:1436 - Mounted rootfs "/dev/vmdata-vg/lxc-jessie" onto "/usr/lib/x86_64-linux-gnu/lxc" with options "subvol=@"

  Here the container requests reboot:
  lxc-start jessie 20230119225946.800 INFO     lxccontainer - lxccontainer.c:do_lxcapi_start:1128 - Container requested reboot

  After the reboot, the mount options are "(null)" instead of "subvol=@":
  lxc-start jessie 20230119225947.374 DEBUG    conf - conf.c:lxc_mount_rootfs:1436 - Mounted rootfs "/dev/vmdata-vg/lxc-jessie" onto "/usr/lib/x86_64-linux-gnu/lxc" with options "(null)"

  LXC can't execute /sbin/init because the BTRFS root is mounted instead of the subvolume:
  lxc-start jessie 20230119225947.853 NOTICE   start - start.c:start:2161 - Exec'ing "/sbin/init"
  lxc-start jessie 20230119225947.853 ERROR    start - start.c:start:2164 - No such file or directory - Failed to exec "/sbin/init"

To manage notifications about this bug go to:
https://bugs.launchpad.net/lxc/+bug/2003383/+subscriptions




[Touch-packages] [Bug 2006528] Re: LXD processes are not enforced in Ubuntu 20.04 HWE kernel

2023-02-16 Thread Georgia Garcia
/proc is not usually shared between the host and the container, but I
can see how that can happen if you run the mount with hidepid=2 on the
host.

When it comes to processes, aa-status works by going through /proc and reading 
attr/apparmor/current. So if you remount /proc with hidepid=2, then the 
processes are hidden.
https://docs.kernel.org/filesystems/proc.html#mount-options

The main issue is that the processes shouldn't be hidden from root, and
you are running aa-status with root. So I need to investigate a bit
further.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2006528

Title:
  LXD processes are not enforced in Ubuntu 20.04 HWE kernel

Status in apparmor package in Ubuntu:
  New

Bug description:
  In Ubuntu 20.04 server with HWE kernel (5.15.0-58-generic) and LXD
  5.0.2, container processes are not in enforced mode as identified by
  aa-status

  Below are the output of aa-status in this environment.
  https://pastebin.ubuntu.com/p/kT3bHSS6w7/


  The problem does not occur in Ubuntu 18.04
  (https://pastebin.ubuntu.com/p/j4WcqWZRjH/)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2006528/+subscriptions


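To illustrate the mechanism described in the comment above, here is an added Python example (written for this thread, not the apparmor project's own aa-status) that walks a proc tree the same way and parses each task's AppArmor label from attr/apparmor/current. The proc root is a parameter and the module ships a constructed fake tree, so it runs offline; the `visible` argument of `demo()` stands in for a hidepid=2 mount, where other users' pid directories are simply not present to be read. The pids and labels in SAMPLE_TABLE are constructed, modelled on the profiles in this thread, and are not taken from the reporter's pastebin.

```python
"""Walk /proc the way aa-status does to list which processes are confined
and under which mode.  Added example for this thread; not the apparmor
project's own code.  The scanner takes the proc root as a parameter so the
demo can run against a constructed tree; on a real /proc mounted with
hidepid=2, other users' pid directories are absent, and this scan (like
aa-status) reports nothing for them."""
import re
import tempfile
from pathlib import Path

# "<label> (<mode>)" or just "<label>" (unconfined tasks carry no mode).
_LABEL = re.compile(r"^(?P<label>.*?)(?: \((?P<mode>[a-z]+)\))?$")

def parse_confinement(text):
    """'/usr/sbin/tcpdump (enforce)' -> ('/usr/sbin/tcpdump', 'enforce');
    'unconfined' -> ('unconfined', None)."""
    m = _LABEL.match(text.rstrip("\n"))
    return m.group("label"), m.group("mode")

def scan_processes(proc_root="/proc"):
    """Return [(pid, label, mode)] for every pid directory visible under
    proc_root that exposes attr/apparmor/current."""
    root = Path(proc_root)
    results = []
    for pid in sorted(int(p.name) for p in root.iterdir() if p.name.isdigit()):
        attr = root / str(pid) / "attr" / "apparmor" / "current"
        try:
            text = attr.read_text()
        except OSError:   # task exited mid-scan, or the attr is not exposed
            continue
        label, mode = parse_confinement(text)
        results.append((pid, label, mode))
    return results

def count_by_mode(processes):
    """Tally like the summary lines of aa-status: enforce / complain / unconfined."""
    counts = {}
    for _, label, mode in processes:
        key = mode if mode else label   # unconfined tasks have no mode
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample of attr/apparmor/current contents (assumed values, not
# from the bug).  The third entry is a stacked label of the kind a host sees
# for a task inside an lxd container's policy namespace.
SAMPLE_TABLE = {
    1: "unconfined",
    603: "rsyslogd (enforce)",
    7922: "lxd-x_</var/lib/lxd>//&:lxd-x_:/usr/sbin/tcpdump (enforce)",
}

def build_fake_proc(root, table):
    """Lay out <root>/<pid>/attr/apparmor/current for each entry in table."""
    for pid, text in table.items():
        d = Path(root) / str(pid) / "attr" / "apparmor"
        d.mkdir(parents=True)
        (d / "current").write_text(text + "\n")

def demo(table=SAMPLE_TABLE, visible=None):
    """Build the constructed tree in a temporary directory and scan it.
    `visible` limits which pids get a directory at all, standing in for what
    a hidepid=2 /proc exposes to the calling user."""
    if visible is not None:
        table = {pid: text for pid, text in table.items() if pid in visible}
    with tempfile.TemporaryDirectory() as tmp:
        build_fake_proc(tmp, table)
        procs = scan_processes(tmp)
    return procs, count_by_mode(procs)

if __name__ == "__main__":
    procs, counts = demo()
    for pid, label, mode in procs:
        print(f"{pid:>6}  {label}  ({mode or 'no mode'})")
    print(counts)
    print("with only pid 1 visible:", demo(visible={1})[1])
```

Point `scan_processes()` at a real `/proc` to compare its output with `aa-status`; the difference between the two runs of `demo()` is the whole story of the hidepid case: nothing is misreported, the directories are just not there to read.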


[Touch-packages] [Bug 2006528] Re: LXD processes are not enforced in Ubuntu 20.04 HWE kernel

2023-02-16 Thread Georgia Garcia
Could you also provide some kernel logs?



[Touch-packages] [Bug 1641236] Re: Confined processes inside container cannot fully access host pty device passed in by lxc exec

2023-02-10 Thread Georgia Garcia
Thanks, Simon, I must have missed it. 
When I use --mode=non-interactive on lxc and -l on tcpdump, I don't see the 
issue at all.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1641236

Title:
  Confined processes inside container cannot fully access host pty
  device passed in by lxc exec

Status in apparmor package in Ubuntu:
  Confirmed
Status in lxd package in Ubuntu:
  Invalid
Status in tcpdump package in Ubuntu:
  Confirmed

Bug description:
  Now that AppArmor policy namespaces and profile stacking is in place,
  I noticed odd stdout buffering behavior when running confined
  processes via lxc exec. Much more data stdout data is buffered before
  getting flushed when the program is confined by an AppArmor profile
  inside of the container.

  I see that lxd is calling openpty(3) in the host environment, using
  the returned fd as stdout, and then executing the command inside of
  the container. This results in an AppArmor denial because the file
  descriptor returned by openpty(3) originates outside of the namespace
  used by the container.

  The denial is likely from glibc calling fstat(), from inside the
  container, on the file descriptor associated with stdout to make a
  decision on how much buffering to use. The fstat() is denied by
  AppArmor and glibc ends up handling the buffering differently than it
  would if the fstat() would have been successful.

  Steps to reproduce (using an up-to-date 16.04 amd64 VM):

  Create a 16.04 container
  $ lxc launch ubuntu-daily:16.04 x

  Run tcpdump in one terminal and generate traffic in another terminal (wget google.com)
  $ lxc exec x -- tcpdump -i eth0
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
  
  47 packets captured
  48 packets received by filter
  1 packet dropped by kernel
  

  Note that everything above  was printed immediately
  because it was printed to stderr. , which is printed to
  stdout, was not printed until you pressed ctrl-c and the buffers were
  flushed thanks to the program terminating. Also, this AppArmor denial
  shows up in the logs:

  audit: type=1400 audit(1478902710.025:440): apparmor="DENIED"
  operation="getattr" info="Failed name lookup - disconnected path"
  error=-13 namespace="root//lxd-x_"
  profile="/usr/sbin/tcpdump" name="dev/pts/12" pid=15530 comm="tcpdump"
  requested_mask="r" denied_mask="r" fsuid=165536 ouid=165536

  Now run tcpdump unconfined and take note that  is printed immediately, before you terminate tcpdump. Also, there are no AppArmor denials.
  $ lxc exec x -- aa-exec -p unconfined -- tcpdump -i eth0
  ...

  Now run tcpdump confined but in lxc exec's non-interactive mode and note that  is printed immediately and no AppArmor denials are present. (Looking at the lxd code in lxd/container_exec.go, openpty(3) is only called in interactive mode)
  $ lxc exec x --mode=non-interactive -- tcpdump -i eth0
  ...

  Applications that manually call fflush(stdout) are not affected by
  this as manually flushing stdout works fine. The problem seems to be
  caused by glibc not being able to fstat() the /dev/pts/12 fd from the
  host's namespace.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1641236/+subscriptions




[Touch-packages] [Bug 1667016] Re: tcpdump in lxd container: apparmor blocks writing to stdout/stderr

2023-02-10 Thread Georgia Garcia
** Description changed:

+ [ Impact ]
+ 
+ Users that run tcpdump from an SSH session inside a container cannot
+ see the output because tcpdump tries to write to /dev/pts/, which is
+ not allowed by the AppArmor policy.
+ 
+ This upload fixes the bug by allowing read/write access to the devices
+ under /dev/pts/ in the AppArmor policy.
+ 
+ [ Test Plan ]
+ 
+ Create a lxd container. In this example we are using version 20.04,
+ but the issue is reproducible in all versions.
+ 
+ lxc launch ubuntu:20.04
+ 
+ SSH into the container and run the following command
+ 
+ tcpdump -i eth0 -nn not tcp port 22
+ 
+ In a different window, ping the IP of the container.  Notice that
+ there's no output on the tcpdump window, even after you press Ctrl+C.
+ 
+ Check the kernel logs and you will see a DENIED message like the one
+ below
+ 
+ [  575.438349] audit: type=1400 audit(1676055298.285:164):
+ apparmor="DENIED" operation="file_inherit" namespace="root//lxd-
+ peaceful-rattler_" profile="/usr/sbin/tcpdump"
+ name="/dev/pts/1" pid=7922 comm="tcpdump" requested_mask="wr"
+ denied_mask="wr" fsuid=100 ouid=100
+ 
+ [ Where problems could occur ]
+ 
+ The SRU broadens the AppArmor policy for tcpdump, so if there was
+ ever an exploit on tcpdump that allowed a malicious agent to
+ write to /dev/pts/*, this could be used to write to the
+ terminal. With that said, the risk of this hapenning is low.
+ 
+ [ Other Info ]
+  
+ The SRU for bionic, focal, jammy, kinetic and lunar can be found in
+ https://launchpad.net/~georgiag/+archive/ubuntu/lp1667016
+ 
+ Tcpdump from inside the container needs to be updated to use the
+ version with the fix in the AppArmor policy.
+ 
+ 
+ 
+ - ORIGINAL DESCRIPTION --
+ 
  [ubuntu 16.04, lxd 2.0.8 or 2.0.9, tcpdump 4.7.4 or 4.9.0]
  
  If you ssh into an lxd container as a normal user, and inside that
  container run "sudo tcpdump", the tcpdump process is blocked from
  writing to stdout/stderr.  This appears to be due to apparmor:
  disabling apparmor for tcpdump makes the problem go away.
  
- ln -s /etc/apparmor.d/usr.sbin.tcpdump /etc/apparmor.d/disable/
+ ln -s /etc/apparmor.d/usr.sbin.tcpdump /etc/apparmor.d/disable/
  
  Note: this is a different bug from #1641236. In that bug, the user did
  "lxc exec  bash" to get a shell in the container; the stdout
  fd was being passed from the outer host to the container.  But in this
  case, the pty is being created entirely inside the container by sshd.
  
  Details copied from https://github.com/lxc/lxd/issues/2930
  
  # Steps to reproduce
  
  1. Create two Ubuntu 16.04 lxd containers, one privileged, one not.
  2. ssh into each one, and then use `sudo -s` to get root. (Do not use `lxc 
exec` because of issue #1641236)
  3. Inside one run `tcpdump -i eth0 -nn not tcp port 22`, and ping from the 
other.
  
  tcpdump in the privileged container works just fine.
  
  tcpdump in the unprivileged container does not show any output. But if I
  run strace on it I see errors attempting to access stdout and stderr:
  
  ~~~
  ioctl(1, TCGETS, 0x7fff97c8d680)= -1 ENOTTY (Inappropriate ioctl for 
device)
  ...
  write(2, "tcpdump: verbose output suppress"..., 75) = -1 EACCES (Permission 
denied)
  write(2, "listening on eth0, link-type EN1"..., 74) = -1 EACCES (Permission 
denied)
  ~~~
  
  This is very weird.  Even more weird: the following command *does*
  capture packets:
  
  ~~~
  tcpdump -i eth0 -nn -w foo.pcap
  ~~~
  
  The file foo.pcap grows. This proves it's nothing to do with network
  capture perms.
  
  But the following command shows no output:
  
  ~~~
  tcpdump -r foo.pcap -nn
  ~~~
  
  And again it's because it can't write to stdout:
  
  ~~~
  fstat(1, 0x7ffe2fb5eb10)= -1 EACCES (Permission denied)
  read(3, "", 4096)   = 0
  write(1, "14:34:30.618180 IP6 fe80::c609:6"..., 1740) = -1 EACCES (Permission 
denied)
  ~~~
  
  I had originally thought this was to do with capabilities.  But if I run
  `capsh --print` inside both containers, they both have `cap_net_raw` and
  `cap_net_admin`.  In fact, the unprivileged container has two additional
  capabilities!  (`cap_mac_override` and `cap_mac_admin`)
  
  So now I suspect that apparmor is at fault.
  
   dmesg
  
  dmesg output generated by the following steps:
  
  * start tcpdump
  * wait 5 seconds
  * send 1 ping from other side
  * wait 5 seconds
  * stop tcpdump
  
  ~~~
  [429020.685987] audit: type=1400 audit(1487774339.708:3597): 
apparmor="DENIED" operation="file_inherit" 
namespace="root//lxd-srv2-campus1_" profile="/usr/sbin/tcpdump" 
name="/dev/pts/0" pid=12539 comm="tcpdump" requested_mask="wr" denied_mask="wr" 
fsuid=10 ouid=101001
  [429020.686000] audit: type=1400 audit(1487774339.708:3598): 
apparmor="DENIED" operation="file_inherit" 
namespace="root//lxd-srv2-campus1_" profile="/usr/sbin/tcpdump" 
name="/dev/pts/0" pid=12539 comm="tcpdump" requested_mask="wr
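Review bot: typo in the [ Where problems could occur ] paragraph: "hapenning" should be "happening". The [ Test Plan ] also stops at reproducing the denial; the verification step is parked in [ Other Info ] ("Tcpdump from inside the container needs to be updated to use the version with the fix"), so move it into the test plan and state the expected result after the update (packet lines printed in the tcpdump window, and no further DENIED line for /dev/pts/* in the kernel log), otherwise the SRU verifier has no pass condition to check against.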

[Touch-packages] [Bug 1641236] Re: Confined processes inside container cannot fully access host pty device passed in by lxc exec

2023-02-10 Thread Georgia Garcia
I tried reproducing the issue on a 22.04 VM with a 22.04 container and I
got some weird behavior, not consistent with what was reported in the
comments, so I would appreciate it if anyone can also take a look.

What I found is that I can only reproduce the issue when running tcpdump
in --mode=non-interactive, regardless of AppArmor - I also didn't see
any AppArmor denials in the logs when running the test.

I have pasted my steps in https://pastebin.canonical.com/p/8NZngJF6nm/



[Touch-packages] [Bug 1667016] Re: tcpdump in lxd container: apparmor blocks writing to stdout/stderr

2023-02-09 Thread Georgia Garcia
I agree that this issue is not a duplicate of Bug 1641236 and it can be
fixed by adding rw access to /dev/pts/*, which is not the case for the
other bug.

** This bug is no longer a duplicate of bug 1641236
   Confined processes inside container cannot fully access host pty device 
passed in by lxc exec

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1667016

Title:
  tcpdump in lxd container: apparmor blocks writing to stdout/stderr

Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  [ubuntu 16.04, lxd 2.0.8 or 2.0.9, tcpdump 4.7.4 or 4.9.0]

  If you ssh into an lxd container as a normal user, and inside that
  container run "sudo tcpdump", the tcpdump process is blocked from
  writing to stdout/stderr.  This appears to be due to apparmor:
  disabling apparmor for tcpdump makes the problem go away.

  ln -s /etc/apparmor.d/usr.sbin.tcpdump /etc/apparmor.d/disable/

  Note: this is a different bug from #1641236. In that bug, the user did
  "lxc exec  bash" to get a shell in the container; the
  stdout fd was being passed from the outer host to the container.  But
  in this case, the pty is being created entirely inside the container
  by sshd.

  Details copied from https://github.com/lxc/lxd/issues/2930

  # Steps to reproduce

  1. Create two Ubuntu 16.04 lxd containers, one privileged, one not.
  2. ssh into each one, and then use `sudo -s` to get root. (Do not use `lxc exec` because of issue #1641236)
  3. Inside one run `tcpdump -i eth0 -nn not tcp port 22`, and ping from the other.

  tcpdump in the privileged container works just fine.

  tcpdump in the unprivileged container does not show any output. But if
  I run strace on it I see errors attempting to access stdout and
  stderr:

  ~~~
  ioctl(1, TCGETS, 0x7fff97c8d680) = -1 ENOTTY (Inappropriate ioctl for device)
  ...
  write(2, "tcpdump: verbose output suppress"..., 75) = -1 EACCES (Permission denied)
  write(2, "listening on eth0, link-type EN1"..., 74) = -1 EACCES (Permission denied)
  ~~~

  This is very weird.  Even more weird: the following command *does*
  capture packets:

  ~~~
  tcpdump -i eth0 -nn -w foo.pcap
  ~~~

  The file foo.pcap grows. This proves it's nothing to do with network
  capture perms.

  But the following command shows no output:

  ~~~
  tcpdump -r foo.pcap -nn
  ~~~

  And again it's because it can't write to stdout:

  ~~~
  fstat(1, 0x7ffe2fb5eb10) = -1 EACCES (Permission denied)
  read(3, "", 4096) = 0
  write(1, "14:34:30.618180 IP6 fe80::c609:6"..., 1740) = -1 EACCES (Permission denied)
  ~~~

  I had originally thought this was to do with capabilities.  But if I
  run `capsh --print` inside both containers, they both have
  `cap_net_raw` and `cap_net_admin`.  In fact, the unprivileged
  container has two additional capabilities!  (`cap_mac_override` and
  `cap_mac_admin`)

  So now I suspect that apparmor is at fault.

   dmesg

  dmesg output generated by the following steps:

  * start tcpdump
  * wait 5 seconds
  * send 1 ping from other side
  * wait 5 seconds
  * stop tcpdump

  ~~~
  [429020.685987] audit: type=1400 audit(1487774339.708:3597): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-srv2-campus1_" profile="/usr/sbin/tcpdump" name="/dev/pts/0" pid=12539 comm="tcpdump" requested_mask="wr" denied_mask="wr" fsuid=10 ouid=101001
  [429020.686000] audit: type=1400 audit(1487774339.708:3598): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-srv2-campus1_" profile="/usr/sbin/tcpdump" name="/dev/pts/0" pid=12539 comm="tcpdump" requested_mask="wr" denied_mask="wr" fsuid=10 ouid=101001
  [429020.686013] audit: type=1400 audit(1487774339.708:3599): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-srv2-campus1_" profile="/usr/sbin/tcpdump" name="/dev/pts/0" pid=12539 comm="tcpdump" requested_mask="wr" denied_mask="wr" fsuid=10 ouid=101001
  [429020.686022] audit: type=1400 audit(1487774339.708:3600): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-srv2-campus1_" profile="/usr/sbin/tcpdump" name="/dev/pts/0" pid=12539 comm="tcpdump" requested_mask="wr" denied_mask="wr" fsuid=10 ouid=101001
  [429020.716725] device eth0 entered promiscuous mode
  [429020.741308] audit: type=1400 audit(1487774339.764:3601): apparmor="DENIED" operation="file_perm" info="Failed name lookup - disconnected path" error=-13 namespace="root//lxd-srv2-campus1_" profile="/usr/sbin/tcpdump" name="apparmor/.null" pid=12539 comm="tcpdump" requested_mask="w" denied_mask="w" fsuid=10 ouid=0
  [429020.741330] audit: type=1400 audit(1487774339.764:3602): apparmor="DENIED" operation="file_perm" info="Failed name lookup - disconnected path" error=-13 namespace="root//lxd-srv2-campus1_" profile="/usr/sbin/tcpdump" name="apparmor/.null" pid=12
  ~~~
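A denial burst like the one above is easier to read once repeats are collapsed. The script below is an added triage helper (mine, not from the bug report) that reduces AppArmor DENIED audit lines to one row per profile, operation, object and denied mask with a count; the sample input is constructed from the excerpt above, with the truncated last line completed like its neighbour.

```shell
#!/bin/sh
# Added example, not part of the bug report. Triage helper that collapses
# repeated AppArmor "DENIED" audit lines (dmesg or journalctl -k output) into
# one row per profile / operation / object / denied mask, with a count, so a
# burst like the one in the report reads as two distinct problems.

aa_denials_summary() {     # reads stdin, or the files given as arguments
  grep 'apparmor="DENIED"' "$@" | awk '
    # Value of key=... : quoted values may contain spaces
    # (info="Failed name lookup - disconnected path"); bare values may not.
    function field(key,    klen) {
      klen = length(key)
      if (match($0, " " key "=\"[^\"]*\""))
        return substr($0, RSTART + klen + 3, RLENGTH - klen - 4)
      if (match($0, " " key "=[^ ]+"))
        return substr($0, RSTART + klen + 2, RLENGTH - klen - 2)
      return "-"
    }
    {
      row = field("profile") "\t" field("operation") "\t" field("name") "\t" field("denied_mask") "\t" field("info")
      count[row]++
    }
    END { for (row in count) printf "%d\t%s\n", count[row], row }
  ' | sort -rn
}

# Constructed sample: the dmesg excerpt from the report, unwrapped onto single
# lines; the last line is truncated in the report and is completed here like
# its neighbour. file_inherit on /dev/pts/0 is the terminal fd inherited across
# exec that the tcpdump profile does not allow; "disconnected path" means the
# kernel could not resolve a path for the object relative to the namespace root.
SAMPLE_AUDIT='[429020.685987] audit: type=1400 audit(1487774339.708:3597): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-srv2-campus1_" profile="/usr/sbin/tcpdump" name="/dev/pts/0" pid=12539 comm="tcpdump" requested_mask="wr" denied_mask="wr" fsuid=10 ouid=101001
[429020.686000] audit: type=1400 audit(1487774339.708:3598): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-srv2-campus1_" profile="/usr/sbin/tcpdump" name="/dev/pts/0" pid=12539 comm="tcpdump" requested_mask="wr" denied_mask="wr" fsuid=10 ouid=101001
[429020.686013] audit: type=1400 audit(1487774339.708:3599): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-srv2-campus1_" profile="/usr/sbin/tcpdump" name="/dev/pts/0" pid=12539 comm="tcpdump" requested_mask="wr" denied_mask="wr" fsuid=10 ouid=101001
[429020.686022] audit: type=1400 audit(1487774339.708:3600): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-srv2-campus1_" profile="/usr/sbin/tcpdump" name="/dev/pts/0" pid=12539 comm="tcpdump" requested_mask="wr" denied_mask="wr" fsuid=10 ouid=101001
[429020.716725] device eth0 entered promiscuous mode
[429020.741308] audit: type=1400 audit(1487774339.764:3601): apparmor="DENIED" operation="file_perm" info="Failed name lookup - disconnected path" error=-13 namespace="root//lxd-srv2-campus1_" profile="/usr/sbin/tcpdump" name="apparmor/.null" pid=12539 comm="tcpdump" requested_mask="w" denied_mask="w" fsuid=10 ouid=0
[429020.741330] audit: type=1400 audit(1487774339.764:3602): apparmor="DENIED" operation="file_perm" info="Failed name lookup - disconnected path" error=-13 namespace="root//lxd-srv2-campus1_" profile="/usr/sbin/tcpdump" name="apparmor/.null" pid=12539 comm="tcpdump" requested_mask="w" denied_mask="w" fsuid=10 ouid=0'

# Two rows come out: 4x file_inherit on /dev/pts/0 (wr) and 2x file_perm on
# apparmor/.null (w, disconnected path).
printf '%s\n' "$SAMPLE_AUDIT" | aa_denials_summary
```

On a live host, feed it `dmesg | aa_denials_summary` or `journalctl -k | aa_denials_summary`.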

[Touch-packages] [Bug 2003383] Re: LXC ignores lxc.rootfs.options on container reboot

2023-02-09 Thread Georgia Garcia
Hello,

Looking at the lxc logs exclusively I couldn't figure out what's going on, or 
if it's related to AppArmor.
Could you also provide the kernel logs from the host and from the container?

Thank you

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2003383

Title:
  LXC ignores lxc.rootfs.options on container reboot

Status in apparmor package in Ubuntu:
  New

Bug description:
  When I issue a `systemctl reboot` within the container, instead of
  rebooting, it stops with an error.

  This is my config:

  # Template used to create this container: /usr/share/lxc/templates/lxc-debian
  # Parameters passed to the template: -r jessie
  # Template script checksum (SHA-1): 70e3d3a3adf290e12fc3522b2066039e079d8f1d

  # Common configuration
  lxc.include = /usr/share/lxc/config/ubuntu.common.conf

  lxc.net.0.type = veth
  lxc.net.0.hwaddr = 00:16:3e:9c:68:09
  lxc.net.0.flags = up
  lxc.net.0.link = br0
  lxc.rootfs.path = /dev/vmdata-vg/lxc-jessie
  lxc.rootfs.options = subvol=@
  lxc.mount.fstab = /var/lib/lxc/jessie/fstab
  lxc.tty.max = 4
  lxc.pty.max = 1024
  lxc.arch = amd64
  lxc.uts.name = jessie
  lxc.cap.drop = sys_module mac_admin mac_override sys_time

  I have a suspicion that it ignores lxc.rootfs.options, tries to mount
  the root BTRFS volume directly and can't find /sbin/init there.

  I found the following lines of interest in the log.

  Correct mount on first boot (lxc-start):
  lxc-start jessie 20230119225558.271 DEBUG    conf - conf.c:lxc_mount_rootfs:1436 - Mounted rootfs "/dev/vmdata-vg/lxc-jessie" onto "/usr/lib/x86_64-linux-gnu/lxc" with options "subvol=@"

  Here the container requests reboot:
  lxc-start jessie 20230119225946.800 INFO     lxccontainer - lxccontainer.c:do_lxcapi_start:1128 - Container requested reboot

  After the reboot, the mount options are "(null)" instead of "subvol=@":
  lxc-start jessie 20230119225947.374 DEBUG    conf - conf.c:lxc_mount_rootfs:1436 - Mounted rootfs "/dev/vmdata-vg/lxc-jessie" onto "/usr/lib/x86_64-linux-gnu/lxc" with options "(null)"

  LXC can't execute /sbin/init because the BTRFS root is mounted instead of the subvolume:
  lxc-start jessie 20230119225947.853 NOTICE   start - start.c:start:2161 - Exec'ing "/sbin/init"
  lxc-start jessie 20230119225947.853 ERROR    start - start.c:start:2164 - No such file or directory - Failed to exec "/sbin/init"

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2003383/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 2006528] Re: LXD processes are not enforced in Ubuntu 20.04 HWE kernel

2023-02-09 Thread Georgia Garcia
Hello,

I wasn't able to reproduce the error
https://pastebin.canonical.com/p/VDkkkCx2HF/

Does the issue persist if you restart the container? Also, can you
please check if restarting the apparmor service fixes it?

-- 
https://bugs.launchpad.net/bugs/2006528

Title:
  LXD processes are not enforced in Ubuntu 20.04 HWE kernel

Status in apparmor package in Ubuntu:
  New

Bug description:
  In Ubuntu 20.04 server with HWE kernel (5.15.0-58-generic) and LXD
  5.0.2, container processes are not in enforced mode as identified by
  aa-status

  Below are the output of aa-status in this environment.
  https://pastebin.ubuntu.com/p/kT3bHSS6w7/


  The problem does not occur in Ubuntu 18.04
  (https://pastebin.ubuntu.com/p/j4WcqWZRjH/)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2006528/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1994146] Re: [SRU] apparmor - Focal, Jammy

2023-02-08 Thread Georgia Garcia
Tests for jammy worked as expected. The systemd autopkgtest on s390x
passed after the test was retriggered.

-- 
https://bugs.launchpad.net/bugs/1994146

Title:
  [SRU] apparmor - Focal, Jammy

Status in apparmor package in Ubuntu:
  Confirmed
Status in apparmor source package in Focal:
  Fix Released
Status in apparmor source package in Jammy:
  Fix Committed

Bug description:
  [ Impact ]

  This is an SRU proposal for apparmor in Focal and Jammy.
  For focal, we want to SRU fixes for Bug 1964636, which introduces the
  capability upstream patches. We are also fixing Bug 1728130 and
  Bug 1993353, which introduce a full backport of abi from
  apparmor-3.0 and support for POSIX message queue rules, both of which
  are a request from Honeywell.

  Note that specifically for message queue rules, we are overriding the
  abi behavior.
  Message queue mediation is not a part of the 2.13 abi we are
  pinning. Honeywell has a kernel that has message queue mediation,
  but their policy does not contain an abi specified, so when we pin the
  abi for a kernel that does not mediate message queue, it will break
  Honeywell's AppArmor policies. So we are making an exception: when abi
  is not specified in the policy, and the policy contains mqueue rules,
  we are enforcing mqueue rules. When the policy does not contain mqueue
  rules, then they are not being enforced. This is so we do not break
  Honeywell policies and we also are not breaking policies that were
  developed when there was no mqueue or abi support.

  For jammy, we are SRUing fixes for Bug 1993353 which adds message
  queue rules support. 

  
  [ Test Plan ]

  This has been extensively tested by using QA Regression Tests[1] for
  AppArmor. All tests have passed and demonstrated AppArmor to be
  working as expected. We are also adding regression tests for message
  queue rules[2] which guarantees it is working as expected.

  [1] https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py
  [2] https://gitlab.com/apparmor/apparmor/-/merge_requests/858

  [ Where problems could occur ]

  The message queue rules support could cause issues for AppArmor
  policies that were developed before there was support for mqueues,
  that's why we are also backporting abi support and pinning the abi on
  parser.conf on focal. Jammy already has the abi pinned for a kernel
  that does not have support for mqueue mediation.

  [ Other Info ]

  The patches for both focal and jammy can be found at:
  https://launchpad.net/~georgiag/+archive/ubuntu/mqueue-sru/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1994146/+subscriptions




[Touch-packages] [Bug 1993353] Re: Add posix message queue IPC mediation

2023-02-08 Thread Georgia Garcia
Tests for jammy worked as expected. The systemd autopkgtest on s390x
passed after the test was retriggered.

** Tags removed: verification-needed verification-needed-jammy
** Tags added: verification-done verification-done-jammy

-- 
https://bugs.launchpad.net/bugs/1993353

Title:
  Add posix message queue IPC mediation

Status in apparmor package in Ubuntu:
  New
Status in apparmor source package in Focal:
  Fix Committed
Status in apparmor source package in Jammy:
  Fix Committed

Bug description:
  [ Impact ]

  We need to add IPC mediation support in the userspace tools, starting with posix message queues.
  This would improve security and lower the attack surface for applications.
  There is already a proposal upstream:
  https://gitlab.com/apparmor/apparmor/-/merge_requests/858

  [ Test Plan ]

  In the merge request in the description there are several tests added.
  There are parser tests that can be run with "make -C parser check" in the project source tree.
  There are also tests for the python tools that can be run with "make -C utils check" in the project source tree.
  There are also regression tests in tests/regression/apparmor. They run with the whole test suite when you run "sudo make tests", but they can also be run individually with "sudo ./posix_mq.sh".

  [ Where problems could occur ]

  There could be problems related to Bug 1728130, where a policy was developed for a set of rules supported by a specific kernel; if new mediation is available on newer kernels, then there will be some denied rules. Therefore we need to also prevent that from happening. This is already available in apparmor-3.+, but for older versions it could be done by backporting the abi patches from apparmor-3.0.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1993353/+subscriptions




[Touch-packages] [Bug 1994146] Re: [SRU] apparmor - Focal, Jammy

2023-02-08 Thread Georgia Garcia
** Tags removed: verification-needed verification-needed-jammy
** Tags added: verification-done verification-done-jammy

-- 
https://bugs.launchpad.net/bugs/1994146

Title:
  [SRU] apparmor - Focal, Jammy

Status in apparmor package in Ubuntu:
  Confirmed
Status in apparmor source package in Focal:
  Fix Released
Status in apparmor source package in Jammy:
  Fix Committed



[Touch-packages] [Bug 1728130] Re: Policy needs improved feature versioning to ensure it is correctly being applied

2023-01-31 Thread Georgia Garcia
Thank you for validating the test, Heather.

In addition to the ABI validation, I also ran the AppArmor tests using
the QA Regression Test suite (https://git.launchpad.net/qa-regression-
testing/tree/scripts/test-apparmor.py). It includes tests for
LibAppArmor, the parser, and all regression tests. They all worked as
expected.

-- 
https://bugs.launchpad.net/bugs/1728130

Title:
  Policy needs improved feature versioning to ensure it is correctly
  being applied

Status in apparmor package in Ubuntu:
  Confirmed
Status in apparmor source package in Focal:
  Fix Committed

Bug description:
  [ Impact ]

  Currently allows pinning a single feature abi or running in a
  developer mode where the full abi available of the current kernel is
  enforced.

  However this can result in breaking applications in undesirable ways.

  If an application is shipped with its own policy, that policy might be
  different from the pinned feature abi, which can result in denials
  because features the policy was not developed for are being enforced.

  If the feature version is not pinned then the most recent kernel abi
  is taken and applied to policy, which has not been updated. This can
  result in denials for userspace, effectively breaking userspace. This
  is less than ideal for most users as it leads to a bad experience that
  they have not opted into and can lead to them disabling security
  protections.

  [ Test Plan ]

  The test can be done with several features. Here we are using mqueue as an example.
  Verify that the kernel has mqueue mediation support:
  root@ubuntu:~# [ -e /sys/kernel/security/apparmor/features/ipc/posix_mqueue ] && echo "supports mqueue"
  supports mqueue

  cd /tmp
  pull-ppa-source --ppa georgiag/mqueue-sru apparmor focal
  cd apparmor-2.13.3/tests/regression/apparmor/
  USE_SYSTEM=1 make

  Using the parser from the mqueue-sru PPA, load the profile.
  echo "
  abi ,
  include 
  /tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_rcv {
include 
/tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_snd ux,
  }
  " | apparmor_parser -q -r

  Run the test, which should fail.
  ./posix_mq_rcv -c ./posix_mq_snd
  FAIL - could not open mq: Permission denied

  Now use an abi that does not have mqueue. This simulates a scenario
  where a policy was developed before mqueue support was added, so posix
  message queues should be allowed by default.

  echo "
  abi ,
  include 
  /tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_rcv {
include 
/tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_snd ux,
  }
  " | apparmor_parser -q -r

  Run the test again, it should pass.
  ./posix_mq_rcv -c ./posix_mq_snd
  PASS

  [ Where problems could occur ]

  ABI pinning forces policies that don't have abi specified in their
  profile to use the ABI pinned in parser.conf. When the ABI is pinned
  and the user is trying to use mediation that is not in the pinned ABI,
  they might be confused why it is always being allowed. This can be
  circumvented by specifying the correct abi in the profile.

  [ Other Info ]

  The patches for focal (apparmor-2.13) can be found at:
  https://launchpad.net/~georgiag/+archive/ubuntu/mqueue-sru/
  apparmor-3.0 already has this feature.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1728130/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
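The abi decision described in the [Impact] of Bug 1994146 and exercised by the test plan above can be predicted before loading a profile. The script below is an added example (not apparmor project code) that works out whether a profile's mqueue rules will be mediated, given a kernel features directory and an abi directory; it builds a constructed demo tree, and the abi file layout (ABIDIR/NAME, greppable for posix_mqueue) and the `<...>` abi rule form are assumptions.

```shell
#!/bin/sh
# Added example, not apparmor project code. Predicts whether the POSIX mqueue
# rules of a profile will be mediated, following the decision described in the
# SRU text (Bug 1994146 [Impact]) and exercised by the Bug 1728130 test plan:
#   kernel lacks features/ipc/posix_mqueue   -> not mediated, whatever the policy says
#   profile declares "abi <abi/NAME>,"       -> mediated only if that abi lists posix_mqueue
#   no abi rule, but mqueue rules present    -> mediated (the focal exception)
#   no abi rule and no mqueue rules          -> not mediated (pinned 2.13 abi applies)
# Assumptions: abi files are looked up as ABIDIR/NAME and can be grepped for
# "posix_mqueue"; only the <...> form of the abi rule is recognised.

profile_abi() {              # $1 = profile file; prints the abi name or nothing
  sed -n 's/^[[:space:]]*abi[[:space:]]*<\([^>]*\)>[[:space:]]*,.*/\1/p' "$1" | head -n 1
}

profile_has_mqueue_rules() { # $1 = profile file; true if any mqueue rule is present
  grep -Eq '^[[:space:]]*((deny|allow|audit)[[:space:]]+)*mqueue([[:space:]]|,)' "$1"
}

abi_lists_mqueue() {         # $1 = abi dir, $2 = abi name as written in the rule
  f="$1/${2#abi/}"
  [ -f "$f" ] && grep -q 'posix_mqueue' "$f"
}

mqueue_mode() {              # $1 = profile, $2 = kernel features dir, $3 = abi dir
  if [ ! -e "$2/ipc/posix_mqueue" ]; then
    echo "not-mediated: kernel does not export ipc/posix_mqueue"
    return
  fi
  abi=$(profile_abi "$1")
  if [ -n "$abi" ]; then
    if abi_lists_mqueue "$3" "$abi"; then
      echo "mediated: profile abi <$abi> includes posix_mqueue"
    else
      echo "not-mediated: profile abi <$abi> predates posix_mqueue"
    fi
    return
  fi
  if profile_has_mqueue_rules "$1"; then
    echo "mediated: no abi rule but mqueue rules present (focal exception)"
  else
    echo "not-mediated: no abi rule and no mqueue rules (pinned 2.13 abi)"
  fi
}

# Constructed demo tree: a kernel with and one without mqueue mediation, two
# abi files (names and contents are made up) and four small profiles.
make_demo_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/features/ipc/posix_mqueue" "$d/features-old/ipc" "$d/abi"
  echo 'ipc {posix_mqueue {create read write open delete getattr setattr}}' > "$d/abi/demo-new"
  echo 'ipc {}' > "$d/abi/demo-old"
  printf '/bin/rcv {\n  mqueue r type=posix /queue,\n}\n' > "$d/no-abi-mq.profile"
  printf '/bin/rcv {\n  /etc/passwd r,\n}\n' > "$d/no-abi-plain.profile"
  printf 'abi <abi/demo-new>,\n/bin/rcv {\n  mqueue r type=posix /queue,\n}\n' > "$d/abi-new-mq.profile"
  printf 'abi <abi/demo-old>,\n/bin/rcv {\n  mqueue r type=posix /queue,\n}\n' > "$d/abi-old-mq.profile"
  echo "$d"
}

demo=$(make_demo_tree)
for p in no-abi-mq no-abi-plain abi-new-mq abi-old-mq; do
  printf '%-13s %s\n' "$p" "$(mqueue_mode "$demo/$p.profile" "$demo/features" "$demo/abi")"
done
printf '%-13s %s\n' "old-kernel" "$(mqueue_mode "$demo/no-abi-mq.profile" "$demo/features-old" "$demo/abi")"
rm -rf "$demo"
```

On a real system the second and third arguments would be /sys/kernel/security/apparmor/features and /etc/apparmor.d/abi.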


[Touch-packages] [Bug 2000359] Re: posix_ipc in test_regression_testsuite from ubuntu_qrt_apparmor failed on K-5.19 arm64 (Unable to run test sub-executable)

2023-01-03 Thread Georgia Garcia
Thanks for reporting this issue. I created an MR upstream to fix it:
https://gitlab.com/apparmor/apparmor/-/merge_requests/962

-- 
https://bugs.launchpad.net/bugs/2000359

Title:
  posix_ipc in test_regression_testsuite from ubuntu_qrt_apparmor failed
  on K-5.19 arm64 (Unable to run test sub-executable)

Status in ubuntu-kernel-tests:
  New
Status in apparmor package in Ubuntu:
  New
Status in apparmor source package in Kinetic:
  New

Bug description:
  Issue found on Kinetic 5.19 ARM64 systems,

  The ApparmorTestsuites.test_regression_testsuite in
  ubuntu_qrt_apparmor will fail with posix_ipc test:

  running posix_ipc
  Fatal Error (posix_mq_rcv): Unable to run test sub-executable

  It's a bit hard to find which one is failing, here is the test output
  of ApparmorTestsuites.test_regression_testsuite:

  == BEGIN OF TEST OUPTUT ==
  running aa_exec

  running access
  xfail: ACCESS file rx (r)
  xfail: ACCESS file rwx (r)
  xfail: ACCESS file r (wx)
  xfail: ACCESS file rx (wx)
  xfail: ACCESS file rwx (wx)
  xfail: ACCESS dir rwx (r)
  xfail: ACCESS dir r (wx)
  xfail: ACCESS dir rx (wx)
  xfail: ACCESS dir rwx (wx)

  running at_secure

  running introspect

  running capabilities
  (ptrace)
  (sethostname)
  (setdomainname)
  (setpriority)
  (setscheduler)
  (reboot)
  (chroot)
  (mlockall)
  (net_raw)

  running changeprofile

  running onexec

  running changehat

  running changehat_fork

  running changehat_misc

  *** A 'Killed' message from bash is expected for the following test
  /tmp/testlibxbcgpuwp/source/kinetic/apparmor-3.0.7/tests/regression/apparmor/prologue.inc: line 264: 309514 Killed  $testexec "$@" > $outfile 2>&1

  *** A 'Killed' message from bash is expected for the following test
  /tmp/testlibxbcgpuwp/source/kinetic/apparmor-3.0.7/tests/regression/apparmor/prologue.inc: line 264: 309547 Killed  $testexec "$@" > $outfile 2>&1

  running chdir

  running clone

  running coredump
  *** A 'Segmentation Fault' message from bash is expected for the following test
  /tmp/testlibxbcgpuwp/source/kinetic/apparmor-3.0.7/tests/regression/apparmor/prologue.inc: line 264: 309797 Segmentation fault  (core dumped) $testexec "$@" > $outfile 2>&1

  *** A 'Segmentation Fault' message from bash is expected for the following test
  /tmp/testlibxbcgpuwp/source/kinetic/apparmor-3.0.7/tests/regression/apparmor/prologue.inc: line 264: 309826 Segmentation fault  $testexec "$@" > $outfile 2>&1

  *** A 'Segmentation Fault' message from bash is expected for the following test
  /tmp/testlibxbcgpuwp/source/kinetic/apparmor-3.0.7/tests/regression/apparmor/prologue.inc: line 264: 309861 Segmentation fault  $testexec "$@" > $outfile 2>&1

  *** A 'Segmentation Fault' message from bash is expected for the following test
  /tmp/testlibxbcgpuwp/source/kinetic/apparmor-3.0.7/tests/regression/apparmor/prologue.inc: line 264: 309896 Segmentation fault  $testexec "$@" > $outfile 2>&1

  *** A 'Segmentation Fault' message from bash is expected for the following test
  /tmp/testlibxbcgpuwp/source/kinetic/apparmor-3.0.7/tests/regression/apparmor/prologue.inc: line 264: 309931 Segmentation fault  $testexec "$@" > $outfile 2>&1
  XFAIL: Error: corefile present when not expected -- COREDUMP (ix confinement)

  running deleted

  running environ

  running exec

  running exec_qual

  running fchdir

  running fd_inheritance

  running fork

  running i18n

  running link

  running link_subset

  running mkdir

  running mmap

  running mount
  using mount rules ...

  running mult_mount

  running named_pipe

  running namespaces

  running net_raw

  running open

  running openat

  running pipe

  running pivot_root
   kernel does not support pivot_root domain transitions - skipping tests ...

  running posix_ipc
  Fatal Error (posix_mq_rcv): Unable to run test sub-executable

  running ptrace
     using ptrace v6 tests ...

  running pwrite

  running query_label

  running regex

  running rename

  running readdir

  running rw

  running socketpair

  running swap

  running sd_flags

  running setattr

  running symlink

  running syscall
   WARNING: syscall sysctl not supported by kernel headers, skipping tests ...

  running sysv_ipc
  Required feature 'ipc/sysv_mqueue' not available.. Skipping tests ...

  running tcp

  running unix_fd_server

  running unix_socket_pathname
  xpass: AF_UNIX pathname socket (dgram); confined server w/ access (rw)
  xpass: AF_UNIX pathname socket (dgram); confined client w/ access (rw)

  running unix_socket_abstract

  running unix_socket_unnamed
  xpass: AF_UNIX unnamed socket (dgram); confined server (peer label w/ 
implicit perms)
  xpass: AF_UNIX unnamed socket (dgram); confined server (pe

[Touch-packages] [Bug 1728130] Re: Policy needs improved feature versioning to ensure it is correctly being applied

2022-12-12 Thread Georgia Garcia
Verification done. The autopkgtest failure for libreoffice was a
temporary issue with the test infrastructure that passed when it was
retriggered.

** Tags removed: verification-needed verification-needed-focal
** Tags added: verification-done verification-done-focal

-- 
https://bugs.launchpad.net/bugs/1728130

Title:
  Policy needs improved feature versioning to ensure it is correctly
  being applied

Status in apparmor package in Ubuntu:
  Confirmed
Status in apparmor source package in Focal:
  Fix Committed



[Touch-packages] [Bug 1993353] Re: Add posix message queue IPC mediation

2022-12-12 Thread Georgia Garcia
** Tags removed: verification-needed-focal
** Tags added: verification-done-focal

-- 
https://bugs.launchpad.net/bugs/1993353

Title:
  Add posix message queue IPC mediation

Status in apparmor package in Ubuntu:
  New
Status in apparmor source package in Focal:
  Fix Committed
Status in apparmor source package in Jammy:
  Fix Committed



[Touch-packages] [Bug 1964636] Re: Incorrect handling of apparmor `bpf` capability

2022-12-12 Thread Georgia Garcia
Verification done. The autopkgtest failure for libreoffice was a
temporary issue with the test infrastructure that passed when it was
retriggered.

** Tags removed: verification-needed verification-needed-focal
** Tags added: verification-done verification-done-focal

-- 
https://bugs.launchpad.net/bugs/1964636

Title:
  Incorrect handling of apparmor `bpf` capability

Status in apparmor package in Ubuntu:
  In Progress
Status in snapd package in Ubuntu:
  Incomplete
Status in apparmor source package in Focal:
  Fix Committed

Bug description:
  [ Impact ]

  The apparmor_parser before the 3.0 release would build its capability list from the installed kernel headers. The apparmor_parser was built against a kernel without support for cap 'bpf'.
  This was fixed in 3.0 by having a static caps list (with full mapping info) and the dynamic auto-generated list (against the kernel headers) that is used to check that the static list has not become stale. In addition the parser can pull kernel supported caps straight from the apparmor kernel module (it will however be missing the mapping info).
  Backporting the patches from 3.0 fixes the issue.

  [ Test Plan ]

  Before the fix, the following profile fails loading:

  # echo "profile foo { capability bpf, }" | apparmor_parser -Q
  AppArmor parser error, in stdin line 1: Invalid capability bpf.
  # echo $?
  1

  After the fix, it works as expected:

  # echo "profile foo { capability bpf, }" | apparmor_parser -Q
  # echo $?
  0

  [ Where problems could occur ]

  With these changes, the parser can change its behavior based on a few things.
  1. The kernel it's built against. This would not change behavior when run in a container vs at system level.

  2. If a feature-file is specified, via --features-file, --policy-
  features, or --kernel-features. This allows overriding the normal
  policy and kernel examination that the parser does when compiling
  policy.

  3. If /sys/kernel/security/apparmor/features is not available. The
  parser will fallback to an old set of features available in a kernel
  before the kernel module started exporting what the kernel module
  supports on the running kernel.

  [ Other Info ]

  The patches for focal (apparmor-2.13) can be found at:
  https://launchpad.net/~georgiag/+archive/ubuntu/mqueue-sru/
  As mentioned before, these patches are already running on apparmor-3.0.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1964636/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
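The third point above, the parser reading supported capabilities from the kernel module, can be checked by hand. The script below is an added example (not apparmor project code) that lists the capability names a profile uses which a kernel's AppArmor module does not export, i.e. the ones a pre-3.0 parser built against older headers rejected as "Invalid capability"; it assumes features/caps/mask is a whitespace-separated list of capability names, and the profile and masks it runs on are constructed.

```shell
#!/bin/sh
# Added example, not apparmor project code. Lists the capability names a profile
# uses that a kernel's AppArmor module does not export as supported, i.e. the
# ones a pre-3.0 apparmor_parser built against older kernel headers rejected
# with "Invalid capability" (the cap 'bpf' case in the report).
# Assumption: FEATURES/caps/mask is a whitespace-separated list of capability
# names, as exported under /sys/kernel/security/apparmor/features.

profile_caps() {            # $1 = profile file; one capability name per line
  awk '
    {
      line = $0
      sub(/^[ \t]*((deny|allow|audit)[ \t]+)*/, "", line)   # drop rule qualifiers
      if (line ~ /^capability[ \t]*,/) { print "*"; next }  # bare "capability," = all
      if (match(line, /^capability[ \t]+[a-z_][a-z_ \t]*,/)) {
        names = substr(line, 11, RLENGTH - 11)              # text between keyword and ","
        n = split(names, arr, /[ \t]+/)
        for (i = 1; i <= n; i++) if (arr[i] != "") print arr[i]
      }
    }' "$1" | sort -u
}

unsupported_caps() {        # $1 = profile, $2 = features dir; prints unknown names, rc 1 if any
  out=$(profile_caps "$1" | grep -v '^\*$' | awk -v mask="$(cat "$2/caps/mask")" '
    BEGIN { n = split(mask, a, /[ \t\n]+/); for (i = 1; i <= n; i++) known[a[i]] = 1 }
    !($0 in known) { print }')
  [ -z "$out" ] && return 0
  printf '%s\n' "$out"
  return 1
}

# Constructed demo: a kernel that exports cap bpf and an older one that predates it.
make_caps_demo() {
  d=$(mktemp -d)
  mkdir -p "$d/features/caps" "$d/features-old/caps"
  echo 'chown dac_override net_admin net_raw sys_admin bpf perfmon' > "$d/features/caps/mask"
  echo 'chown dac_override net_admin net_raw sys_admin' > "$d/features-old/caps/mask"
  printf 'profile foo {\n  capability bpf,\n  capability net_admin net_raw,\n  audit deny capability sys_admin,\n}\n' > "$d/foo.profile"
  echo "$d"
}

demo=$(make_caps_demo)
for k in features features-old; do
  if unsupported_caps "$demo/foo.profile" "$demo/$k" > /dev/null; then
    echo "$k: all capability rules are supported"
  else
    echo "$k: unsupported capability rules: $(unsupported_caps "$demo/foo.profile" "$demo/$k" | tr '\n' ' ')"
  fi
done
rm -rf "$demo"
```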


[Touch-packages] [Bug 1994146] Re: [SRU] apparmor - Focal, Jammy

2022-12-12 Thread Georgia Garcia
** Tags removed: verification-needed-focal
** Tags added: verification-done-focal

-- 
https://bugs.launchpad.net/bugs/1994146

Title:
  [SRU] apparmor - Focal, Jammy

Status in apparmor package in Ubuntu:
  Confirmed
Status in apparmor source package in Focal:
  Fix Committed
Status in apparmor source package in Jammy:
  Fix Committed

Bug description:
  [ Impact ]

  This is an SRU proposal for apparmor in Focal and Jammy.
  For focal, we want to SRU fixes for Bug 1964636 which introduces the
  capability upstream patches. We are also fixing Bug 1728130 and
  Bug 1993353 which are introducing full backport of abi from
  apparmor-3.0 and support for POSIX message queue rules, which are both
  a request from Honeywell.

  Note that specifically for message queue rules, we are overriding the
  abi behavior.
  Message queue mediation is not a part of the 2.13 abi we are
  pinning. Honeywell has a kernel that has message queue mediation,
  but their policy does not contain an abi specified, so when we pin the
  abi for a kernel that does not mediate message queue, it will break
  Honeywell's AppArmor policies. So we are making an exception: when abi
  is not specified in the policy, and the policy contains mqueue rules,
  we are enforcing mqueue rules. When the policy does not contain mqueue
  rules, then they are not being enforced. This is so we do not break
  Honeywell policies and we also are not breaking policies that were
  developed when there was no mqueue or abi support.

  For jammy, we are SRUing fixes for Bug 1993353 which adds message
  queue rules support.


  [ Test Plan ]

  This has been extensively tested by using QA Regression Tests[1] for
  AppArmor. All tests have passed and demonstrated AppArmor to be
  working as expected. We are also adding regression tests for message
  queue rules[2] which guarantee it is working as expected.

  [1] 
https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py
  [2] https://gitlab.com/apparmor/apparmor/-/merge_requests/858

  [ Where problems could occur ]

  The message queue rules support could cause issues for AppArmor
  policies that were developed before there was support for mqueues,
  that's why we are also backporting abi support and pinning the abi on
  parser.conf on focal. Jammy already has the abi pinned for a kernel
  that does not have support for mqueue mediation.

  [ Other Info ]

  The patches for both focal and jammy can be found at:
  https://launchpad.net/~georgiag/+archive/ubuntu/mqueue-sru/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1994146/+subscriptions




[Touch-packages] [Bug 1994146] Re: [SRU] apparmor - Focal, Jammy

2022-12-05 Thread Georgia Garcia
Łukasz, the commits that are "missing" from the upstream merge request
had already been merged.

They are:
mqueue8-libapparmor-add-support-for-requested-and-denied-on-.patch
mqueue9-libapparmor-add-support-for-class-in-logparsing.patch

Corresponding commits upstream:
https://gitlab.com/apparmor/apparmor/-/commit/a05c9483f3b1176faf0b31786b12ca8fef750d22
https://gitlab.com/apparmor/apparmor/-/commit/5cc7a26e78326256ba6915cfba0a5751adddf7da

On the description of the MR I added that they were cherry-picked from the 
message queue merge request:
https://gitlab.com/apparmor/apparmor/-/merge_requests/939

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1994146

Title:
  [SRU] apparmor - Focal, Jammy

Status in apparmor package in Ubuntu:
  Confirmed
Status in apparmor source package in Focal:
  In Progress
Status in apparmor source package in Jammy:
  Incomplete


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1994146/+subscriptions




[Touch-packages] [Bug 1994146] Re: [SRU] apparmor - Focal, Jammy

2022-11-23 Thread Georgia Garcia
Chris, I added the missing SRU information on the bugs that were
missing.

> The packaging itself looks sane, but my understanding is that this adds
> new classes of apparmor denials, and *particularly* it appears that this
> might cause existing apparmor profiles to deny application behaviour
> that is currently allowed (which is why the ABI patches are
> backported?). 

Exactly.

> There don't seem to be any explicit tests in the test
> cases to verify that existing behaviour is preserved, though? That would
> seem to be necessary.

I created this MR on QRT to add this test case: 
https://code.launchpad.net/~georgiag/qa-regression-testing/+git/qa-regression-testing/+merge/433546
 
They are based on the Test Plan of Bug #1728130 
The test added passes.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1994146

Title:
  [SRU] apparmor - Focal, Jammy

Status in apparmor package in Ubuntu:
  Confirmed
Status in apparmor source package in Focal:
  In Progress
Status in apparmor source package in Jammy:
  Incomplete


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1994146/+subscriptions




[Touch-packages] [Bug 1728130] Re: Policy needs improved feature versioning to ensure it is correctly being applied

2022-11-23 Thread Georgia Garcia
** Merge proposal linked:
   
https://code.launchpad.net/~georgiag/qa-regression-testing/+git/qa-regression-testing/+merge/433546

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1728130

Title:
  Policy needs improved feature versioning to ensure it is correctly
  being applied

Status in apparmor package in Ubuntu:
  New

Bug description:
  [ Impact ]

  Currently allows pinning a single feature abi or running in a
  developer mode where the full abi available of the current kernel is
  enforced.

  However this can result in breaking applications in undesirable ways.

  If an application is shipped with its own policy, that policy might be
  different than the pinned feature abi, which can either result in
  denials because features the policy was not developed for are being
  enforced.

  If the feature version is not pinned then the most recent kernel abi
  is taken and applied to policy, which has not been updated. This can
  result in denials for userspace effectively breaking userspace. This
  is less than ideal for most users as it leads to a bad experience that
  they have not opted into and can lead to them disabling security
  protections.

  [ Test Plan ]

  The test can be done with several features. Here we are using mqueue
  as an example.
  Verify that the kernel has mqueue mediation support:
  root@ubuntu:~# [ -e /sys/kernel/security/apparmor/features/ipc/posix_mqueue ] && echo "supports mqueue"
  supports mqueue

  cd /tmp
  pull-ppa-source --ppa georgiag/mqueue-sru apparmor focal
  cd apparmor-2.13.3/tests/regression/apparmor/
  USE_SYSTEM=1 make

  Using the parser from the mqueue-sru PPA, load the profile.
  echo "
  abi ,
  include 
  /tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_rcv {
include 
/tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_snd ux,
  }
  " | apparmor_parser -q -r

  Run the test, which should fail.
  ./posix_mq_rcv -c ./posix_mq_snd
  FAIL - could not open mq: Permission denied

  Now use an abi that does not have mqueue. This simulates a scenario
  where a policy was developed before mqueue support was added, so posix
  message queues should be allowed by default.

  echo "
  abi ,
  include 
  /tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_rcv {
include 
/tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_snd ux,
  }
  " | apparmor_parser -q -r

  Run the test again, it should pass.
  ./posix_mq_rcv -c ./posix_mq_snd
  PASS

  [ Where problems could occur ]

  ABI pinning forces policies that don't have abi specified in their
  profile to use the ABI pinned in parser.conf. When the ABI is pinned
  and the user is trying to use mediation that is not in the pinned ABI,
  they might be confused why it is always being allowed. This can be
  circumvented by specifying the correct abi in the profile.

  [ Other Info ]

  The patches for focal (apparmor-2.13) can be found at:
  https://launchpad.net/~georgiag/+archive/ubuntu/mqueue-sru/
  apparmor-3.0 already has this feature.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1728130/+subscriptions




[Touch-packages] [Bug 1964636] Re: Incorrect handling of apparmor `bpf` capability

2022-11-23 Thread Georgia Garcia
Description updated with the SRU template information.

** Description changed:

- We've recently noticed a lot of the LXD CI jobs failing because of
- apparmor related snapd issues.
+ [ Impact ]
  
- The way this usually manifests is:
-  - lxc launch images:ubuntu/20.04 c1
-  - lxc exec c1 -- apt install snapd
-  - lxc exec c1 -- snap install distrobuilder --edge --classic
-  - lxc exec c1 -- distrobuilder
+ The apparmor_parser before the 3.0 release would build its capability list 
from the installed kernel headers. The apparmor_parser was built against a 
kernel without support for cap 'bpf'
+ This was fixed in 3.0 by having a static caps list (with full mapping info) 
and the dynamic auto-generated list (against the kernel headers) that is used 
to check that the static list has not become stale. In addition the parser can 
pull kernel supported caps straight from the apparmor kernel module (it will 
however be missing the mapping info).
+ Backporting the patches from 3.0 fixes the issue.
  
- This all works as expected, `systemctl --failed` is clean and 
`apparmor_status` gets me:
- ```
- 0 loaded units listed.
- root@v1:~# lxc exec c1 -- apparmor_status
- apparmor module is loaded.
- 11 profiles are loaded.
- 10 profiles are in enforce mode.
-/usr/lib/NetworkManager/nm-dhcp-client.action
-/usr/lib/NetworkManager/nm-dhcp-helper
-/usr/lib/connman/scripts/dhclient-script
-/usr/lib/snapd/snap-confine
-/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
-/{,usr/}sbin/dhclient
-lsb_release
-nvidia_modprobe
-nvidia_modprobe//kmod
-snap-update-ns.distrobuilder
- 1 profiles are in complain mode.
-snap.distrobuilder.distrobuilder
- 0 processes have profiles defined.
- 0 processes are in enforce mode.
- 0 processes are in complain mode.
- 0 processes are unconfined but have a profile defined.
- ```
+ [ Test Plan ]
  
- Now to break things:
-  - lxc restart c1
-  - lxc exec c1 -- distrobuilder
+ Before the fix, the following profile fails loading:
  
- ```
- root@v1:~# lxc exec c1 -- distrobuilder
- cannot change profile for the next exec call: No such file or directory
- ```
+ # echo "profile foo { capability bpf, }" | apparmor_parser -Q
+ AppArmor parser error, in stdin line 1: Invalid capability bpf.
+ # echo $?
+ 1
  
- Looking around, we see:
- ```
- root@c1:~# find /var/lib/snapd/apparmor/
- /var/lib/snapd/apparmor/
- /var/lib/snapd/apparmor/snap-confine
- /var/lib/snapd/apparmor/snap-confine/cap-bpf
- /var/lib/snapd/apparmor/profiles
- /var/lib/snapd/apparmor/profiles/snap.distrobuilder.distrobuilder
- /var/lib/snapd/apparmor/profiles/snap-update-ns.distrobuilder
- /var/lib/snapd/apparmor/profiles/snap-confine.snapd.14978
- root@c1:~# cat /var/lib/snapd/apparmor/snap-confine/cap-bpf
+ After the fix, it works as expected:
  
- capability bpf,
- root@c1:~# systemctl --failed
-   UNIT   LOAD   ACTIVE SUBDESCRIPTION 
  
- ● snapd.apparmor.service loaded failed failed Load AppArmor profiles managed 
internally by snapd
+ # echo "profile foo { capability bpf, }" | apparmor_parser -Q
+ # echo $?
+ 0
  
- LOAD   = Reflects whether the unit definition was properly loaded.
- ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
- SUB= The low-level unit activation state, values depend on unit type.
+ [ Where problems could occur ]
  
- 1 loaded units listed.
- ```
+ With these changes, the parser can change its behavior based on a few things.
+ 1. the kernel its built against. This would not change behavior when run in a 
container vs at system level.
  
- The error listed is:
- ```
- Mar 11 19:54:58 c1 systemd[1]: Starting Load AppArmor profiles managed 
internally by snapd...
- Mar 11 19:54:58 c1 snapd-apparmor[163]: /usr/lib/snapd/snapd-apparmor: 47: 
ns_stacked: not found
- Mar 11 19:54:58 c1 snapd-apparmor[163]: /usr/lib/snapd/snapd-apparmor: 48: 
ns_name: not found
- Mar 11 19:54:58 c1 snapd-apparmor[172]: AppArmor parser error for 
/var/lib/snapd/apparmor/profiles/snap-confine.snapd.14978 in 
/var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
- Mar 11 19:54:58 c1 systemd[1]: snapd.apparmor.service: Main process exited, 
code=exited, st
- ```
+ 2. If a feature-file is specified, via --features-file, --policy-
+ features, or --kernel-features. This allows overriding the normal policy
+ and kernel examination that the parser does when compiling policy.
  
- One can workaround it with:
- ```
- > /var/lib/snapd/apparmor/snap-confine/cap-bpf
- systemctl restart snapd.apparmor.service
- ```
+ 3. If /sys/kernel/security/apparmor/features is not available. The
+ parser will fallback to an old set of features available in a kernel
+ before the kernel module started exporting what the kernel module
+ supports on the running kernel.
  
+ [ Other Info ]
  
- Now for the bits I didn't quite figure out:
-  - Why does snapd think that the parser supports `bpf` when
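The staleness check described in the Impact section above, as an added example written for this page (it is not the apparmor_parser's own code): a deliberately old capability table, standing in for what a pre-3.0 parser generated from kernel headers, is compared against the list the kernel module exports, and a profile is pre-checked for capability names that table would reject with "Invalid capability". The features tree layout (caps/mask as one line of space-separated names), the stale table and the sample mask contents are assumptions constructed for the example.

```python
import os
import re
import tempfile

# Constructed, deliberately stale table standing in for the capability list
# a pre-3.0 apparmor_parser generated from old kernel headers. It stops at
# audit_read, so it knows nothing about bpf. (Example data, not the parser's
# real table.)
STALE_PARSER_CAPS = frozenset("""
chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap
linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin
sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm
block_suspend audit_read
""".split())

# Constructed contents for <features>/caps/mask as a newer kernel module would
# export it (assumed layout: one line of space-separated capability names).
SAMPLE_KERNEL_MASK = " ".join(sorted(STALE_PARSER_CAPS)) + " perfmon bpf checkpoint_restore\n"

# `capability NAME [NAME ...],` rules; bare `capability,` carries no names.
CAP_RULE_RE = re.compile(r"\bcapability\s+([a-z_][a-z_ ]*?)\s*,")


def read_kernel_caps(features_root):
    """Capabilities the kernel module reports under <features>/caps/mask,
    or None when the features tree is missing (the parser's fallback case)."""
    path = os.path.join(features_root, "caps", "mask")
    try:
        with open(path) as f:
            return frozenset(f.read().split())
    except FileNotFoundError:
        return None


def stale_caps(parser_caps, kernel_caps):
    """Capabilities the kernel mediates but the parser table lacks. A profile
    naming any of them is rejected with 'Invalid capability'."""
    return sorted(kernel_caps - parser_caps)


def caps_unknown_to_kernel(parser_caps, kernel_caps):
    """Capabilities the parser knows but this kernel does not export, e.g. a
    parser built against newer headers than the running kernel."""
    return sorted(parser_caps - kernel_caps)


def invalid_capabilities(profile_text, parser_caps):
    """Names in capability rules that the parser table does not know."""
    bad = []
    for names in CAP_RULE_RE.findall(profile_text):
        bad.extend(n for n in names.split() if n not in parser_caps)
    return bad


def build_sample_features_tree():
    """Write the constructed mask into a temp dir shaped like the sysfs tree."""
    root = tempfile.mkdtemp(prefix="aa-features-")
    os.makedirs(os.path.join(root, "caps"))
    with open(os.path.join(root, "caps", "mask"), "w") as f:
        f.write(SAMPLE_KERNEL_MASK)
    return root


if __name__ == "__main__":
    root = build_sample_features_tree()
    kernel_caps = read_kernel_caps(root)
    print("kernel caps the parser table lacks:", stale_caps(STALE_PARSER_CAPS, kernel_caps))
    print("rejected in profile:", invalid_capabilities("profile foo { capability bpf, }", STALE_PARSER_CAPS))
```

On a real system, point `read_kernel_caps` at /sys/kernel/security/apparmor/features and replace the constructed table with the capability names your installed parser accepts; a non-empty `stale_caps` result is exactly the situation that made snapd's cap-bpf snippet fail to load in the report above.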

[Touch-packages] [Bug 1728130] Re: Policy needs improved feature versioning to ensure it is correctly being applied

2022-11-23 Thread Georgia Garcia
Chris, I updated the description with the SRU template information.

The test plan shows this does what we need:

1. feature is in kernel, abi set in policy is kernel, and policy does not have 
permission: execution fails with permission denied.
2. abi set in policy does not contain feature, and policy does not have 
permission: execution is allowed.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1728130

Title:
  Policy needs improved feature versioning to ensure it is correctly
  being applied

Status in apparmor package in Ubuntu:
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1728130/+subscriptions




[Touch-packages] [Bug 1728130] Re: Policy needs improved feature versioning to ensure it is correctly being applied

2022-11-23 Thread Georgia Garcia
** Description changed:

+ [ Impact ]
+ 
  Currently allows pinning a single feature abi or running in a developer
  mode where the full abi available of the current kernel is enforced.
  
  However this can result in breaking applications in undesirable ways.
  
  If an application is shipped with its own policy, that policy might be
  different than the pinned feature abi, which can either result in
  denials because features the policy was not developed for are being
  enforced.
  
  If the feature version is not pinned then the most recent kernel abi is
  taken and applied to policy, which has not been updated. This can result
  in denials for userspace effectively breaking userspace. This is less
  than ideal for most users as it leads to a bad experience than they have
  not opted into and can lead to them disabling security protections.
+ 
+ [ Test Plan ]
+ 
+ The test can be done with several features. Here we are using mqueue as an 
example.
+ Verify that the kernel that has mqueue mediation support:
+ root@ubuntu:~# [ -e /sys/kernel/security/apparmor/features/ipc/posix_mqueue ] 
&& echo "supports mqueue"
+ supports mqueue
+ 
+ cd /tmp
+ pull-ppa-source --ppa georgiag/mqueue-sru apparmor focal
+ cd apparmor-2.13.3/tests/regression/apparmor/
+ USE_SYSTEM=1 make
+ 
+ Using the parser from the mqueue-sru PPA, load the profile.
+ echo "
+ abi ,
+ include 
+ /tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_rcv {
+   include 
+   /tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_snd ux,
+ }
+ " | apparmor_parser -q -r
+ 
+ Run the test, which should fail.
+ ./posix_mq_rcv -c ./posix_mq_snd
+ FAIL - could not open mq: Permission denied
+ 
+ Now use an abi that does not have mqueue. This simulates a scenario
+ where a policy was developed before mqueue support was added, so posix
+ message queues should be allowed by default.
+ 
+ echo "
+ abi ,
+ include 
+ /tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_rcv {
+   include 
+   /tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_snd ux,
+ }
+ " | apparmor_parser -q -r
+ 
+ Run the test again, it should pass.
+ ./posix_mq_rcv -c ./posix_mq_snd
+ PASS
+ 
+ [ Where problems could occur ]
+ 
+ ABI pinning forces policies that don't have abi specified in their
+ profile to use the ABI pinned in parser.conf. When the ABI is pinned and
+ the user is trying to use mediation that is not in the pinned ABI, they
+ might be confused why it is always being allowed. This can be
+ circumvented by specifying the correct abi in the profile.
+ 
+ [ Other Info ]
+ 
+ The patches for focal (apparmor-2.13) can be found at:
+ https://launchpad.net/~georgiag/+archive/ubuntu/mqueue-sru/
+ apparmor-3.0 already has this feature.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1728130

Title:
  Policy needs improved feature versioning to ensure it is correctly
  being applied

Status in apparmor package in Ubuntu:
  New


[Touch-packages] [Bug 1994146] Re: [SRU] apparmor - Focal, Jammy

2022-11-21 Thread Georgia Garcia
Hi Steve Langasek, thanks for taking a look at the SRU.

> Is that not what this means, or is mqueue access actually denied by
> default and this refers only to how an unqualified 'mqueue' rule is
> interpreted?

Correct, this only refers to how an unqualified 'mqueue' rule is
interpreted.

> In that case how does introducing mqueue support in apparmor benefit
> users of jammy?

Users of jammy will now have the ability to mediate message queues in
their profile if they want, but they will have to opt-in. There is more
than one way to accomplish this, but they can for example add 'abi
,' to their profile when using a kernel that provides mqueue
mediation. That means that older policies that were developed when
mqueue mediation was not available will not be broken.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1994146

Title:
  [SRU] apparmor - Focal, Jammy

Status in apparmor package in Ubuntu:
  Confirmed
Status in apparmor source package in Focal:
  In Progress
Status in apparmor source package in Jammy:
  Incomplete


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1994146/+subscriptions
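The abi behaviour discussed in this reply and in the SRU description (jammy's opt-in through an abi that includes mqueue, and the focal exception for profiles that carry mqueue rules but no abi of their own), as an added example that is not part of the thread or of the apparmor project: a small model that decides, from the kernel's features tree and the profile text, whether POSIX mqueue access is mediated for a profile and whether the confined posix_mq_rcv check from the test plan would pass. The profile syntax (`abi <NAME>,` and `mqueue` rules), the abi table, the sample profiles and the features tree are assumptions constructed for the example.

```python
import os
import re
import tempfile

# Kernel feature checked in the test plan, relative to the features tree
# (normally /sys/kernel/security/apparmor/features).
MQUEUE_FEATURE = os.path.join("ipc", "posix_mqueue")

# Assumed AppArmor 3.x profile syntax: `abi <NAME>,` pins an abi, and
# `mqueue ...,` rules (optionally prefixed by audit/deny) mediate POSIX
# message queues.
ABI_RE = re.compile(r"^\s*abi\s+<([^>]+)>\s*,", re.M)
MQUEUE_RULE_RE = re.compile(r"^\s*(?:(?:audit|deny)\s+)*mqueue\b[^,]*,", re.M)
DENY_MQUEUE_RE = re.compile(r"^\s*(?:audit\s+)?deny\s+mqueue\b", re.M)

# Constructed table of which pinnable abis include mqueue mediation. The
# name "kernel" is special: whatever the running kernel exports.
ABI_HAS_MQUEUE = {"abi/3.0": False}


def kernel_supports(features_root, feature=MQUEUE_FEATURE):
    return os.path.exists(os.path.join(features_root, feature))


def policy_abi(profile_text):
    """The abi named in the profile, or None when it relies on parser.conf."""
    m = ABI_RE.search(profile_text)
    return m.group(1) if m else None


def has_mqueue_rules(profile_text):
    return MQUEUE_RULE_RE.search(profile_text) is not None


def mqueue_mediated(profile_text, features_root, pinned_abi, focal_exception=False):
    """Will the kernel mediate POSIX mqueue access for this profile?

    Modelled on the thread: the kernel must export the feature; an abi in the
    profile overrides the one pinned in parser.conf; a pinned abi without
    mqueue means no mediation, except (focal backport only) when the profile
    has no abi of its own but does contain mqueue rules.
    """
    if not kernel_supports(features_root):
        return False
    explicit = policy_abi(profile_text)
    abi = explicit or pinned_abi
    if abi == "kernel" or ABI_HAS_MQUEUE.get(abi, False):
        return True
    return explicit is None and focal_exception and has_mqueue_rules(profile_text)


def mqueue_open_allowed(profile_text, features_root, pinned_abi, focal_exception=False):
    """Outcome of the confined posix_mq_rcv check: True means PASS.

    Unmediated access falls through to DAC and succeeds. Mediated access
    needs an mqueue rule; this simplified model treats any non-deny mqueue
    rule as granting the access and ignores rule qualifiers.
    """
    if not mqueue_mediated(profile_text, features_root, pinned_abi, focal_exception):
        return True
    return has_mqueue_rules(profile_text) and DENY_MQUEUE_RE.search(profile_text) is None


def build_sample_features_tree(with_mqueue=True):
    """Temp dir shaped like the sysfs features tree (constructed for the example)."""
    root = tempfile.mkdtemp(prefix="aa-features-")
    os.makedirs(os.path.join(root, "policy"))
    if with_mqueue:
        os.makedirs(os.path.join(root, MQUEUE_FEATURE))
    return root


# Constructed profiles: the two test-plan cases and the focal-exception case.
PROFILE_KERNEL_ABI = "abi <kernel>,\nprofile posix_mq_rcv {\n  /usr/bin/** ux,\n}\n"
PROFILE_OLD_ABI = "abi <abi/3.0>,\nprofile posix_mq_rcv {\n  /usr/bin/** ux,\n}\n"
PROFILE_NO_ABI_WITH_RULE = "profile posix_mq_rcv {\n  mqueue,\n}\n"

if __name__ == "__main__":
    root = build_sample_features_tree()
    for name, prof in [("abi <kernel>", PROFILE_KERNEL_ABI),
                       ("abi <abi/3.0>", PROFILE_OLD_ABI),
                       ("no abi, mqueue rule", PROFILE_NO_ABI_WITH_RULE)]:
        for release, exc in (("focal", True), ("jammy", False)):
            print(f"{release:5} {name:20} mediated={mqueue_mediated(prof, root, 'abi/3.0', exc)} "
                  f"open_allowed={mqueue_open_allowed(prof, root, 'abi/3.0', exc)}")
```

Run against a real features tree, the model reproduces the two cases in the test plan: `abi <kernel>` with no mqueue rule is mediated and the open is denied, while an abi without mqueue leaves the queue unmediated and the open succeeds.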




[Touch-packages] [Bug 1994146] [NEW] [SRU] apparmor - Focal, Jammy

2022-10-25 Thread Georgia Garcia
Public bug reported:

[ Impact ]

This is a SRU proposal for apparmor in Focal and Jammy.
For focal, we want to SRU fixes for Bug 1964636 which introduces the
capability upstream patches. We are also fixing Bug 1728130 and
Bug 1993353 which are introducing full backport of abi from
apparmor-3.0 and support for POSIX message queue rules, which are both
a request from Honeywell.

Note that specifically for message queue rules, we are overriding the
abi behavior.
Message queue mediation is not a part of the 2.13 abi we are
pinning. Honeywell has a kernel that has message queue mediation,
but their policy does not contain an abi specified, so when we pin the
abi for a kernel that does not mediate message queue, it will break
Honeywell's AppArmor policies. So we are making an exception: when abi
is not specified in the policy, and the policy contain mqueue rules,
we are enforcing mqueue rules. When the policy does not contain mqueue
rules, then they are not being enforced. This is so we do not break
Honeywell policies and we also are not breaking policies that were
developed when there was no mqueue or abi support.

For jammy, we are SRUing fixes for Bug 1993353 which adds message
queue rules support. 


[ Test Plan ]

This has been extensively tested by using QA Regression Tests[1] for
AppArmor. All tests have passed and demonstrated AppArmor to be
working as expected. We are also adding regression tests for message
queue rules[2] which guarantee it is working as expected.

[1] https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py
[2] https://gitlab.com/apparmor/apparmor/-/merge_requests/858

[ Where problems could occur ]

The message queue rules support could cause issues for AppArmor
policies that were developed before there was support for mqueues,
that's why we are also backporting abi support and pinning the abi on
parser.conf on focal. Jammy already has the abi pinned for a kernel
that does not have support for mqueue mediation.

[ Other Info ]

The patches for both focal and jammy can be found at:
https://launchpad.net/~georgiag/+archive/ubuntu/mqueue-sru/

** Affects: apparmor (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: apparmor (Ubuntu Focal)
 Importance: Undecided
 Status: New

** Affects: apparmor (Ubuntu Jammy)
 Importance: Undecided
 Status: New

** Package changed: ubuntu-advantage-tools (Ubuntu) => apparmor (Ubuntu)

** Also affects: apparmor (Ubuntu Jammy)
   Importance: Undecided
   Status: New

** Also affects: apparmor (Ubuntu Focal)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1994146

Title:
  [SRU] apparmor - Focal, Jammy

Status in apparmor package in Ubuntu:
  New
Status in apparmor source package in Focal:
  New
Status in apparmor source package in Jammy:
  New


[Touch-packages] [Bug 1728130] Re: Policy needs improved feature versioning to ensure it is correctly being applied

2022-10-20 Thread Georgia Garcia
This feature is required by Bug 1993353.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1728130

Title:
  Policy needs improved feature versioning to ensure it is correctly
  being applied

Status in apparmor package in Ubuntu:
  New

Bug description:
  AppArmor currently allows pinning a single feature abi or running in a
  developer mode where the full abi available from the current kernel is
  enforced.

  However this can result in breaking applications in undesirable ways.

  If an application is shipped with its own policy, that policy might be
  different than the pinned feature abi, which can result in denials
  because features the policy was not developed for are being enforced.

  If the feature version is not pinned then the most recent kernel abi
  is taken and applied to policy, which has not been updated. This can
  result in denials for userspace effectively breaking userspace. This
  is less than ideal for most users as it leads to a bad experience that
  they have not opted into and can lead to them disabling security
  protections.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1728130/+subscriptions


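Taken together, the Bug 1994146 SRU text and Bug 1728130 above describe a per-profile decision: a profile that declares an abi is governed by that abi; a profile with no abi line gets mqueue rules enforced on focal only when it actually contains mqueue rules, and otherwise keeps the pinned 2.13 behaviour. The following is an added example, not code from the AppArmor project, from the parser, or from the bug reports, that applies that decision to profile text so an administrator can inventory which profiles fall into which case before the update lands. The three sample profiles are constructed, the verdict strings are this example's own, and the regexes are deliberately simple: they do not follow `#include` lines, so a profile that inherits its abi from an include is reported as declaring none.

```python
"""Classify AppArmor profile text by abi declaration and mqueue rules (added example)."""
import re
from typing import Dict, List, Optional

# Constructed sample profiles for illustration; not taken from the bug reports.
SAMPLE_PROFILES: Dict[str, str] = {
    # Written before abi or mqueue support existed: no abi line, no mqueue rules.
    "legacy": """\
/usr/bin/legacy {
  /etc/legacy.conf r,
  network inet stream,
}
""",
    # Uses mqueue rules but declares no abi: the case the SRU exception covers.
    "mqueue_no_abi": """\
/usr/bin/mqapp {
  /etc/mqapp.conf r,
  mqueue (create, open, read, write) type=posix /mqapp,
  # a commented-out rule must not count:
  # mqueue type=sysv,
}
""",
    # Declares an abi explicitly: the parser follows that abi, no exception applies.
    "abi_declared": """\
abi <abi/3.0>,
/usr/bin/modern {
  mqueue (read, write) type=posix /modern,
}
""",
}

# 'abi <abi/3.0>,' or 'abi "/etc/apparmor.d/abi/3.0",' at the start of a line.
ABI_RE = re.compile(r'^\s*abi\s+(<[^>]+>|"[^"]+")\s*,')
# An mqueue rule, optionally prefixed by rule qualifiers.
MQUEUE_RE = re.compile(r'^\s*(?:(?:audit|deny|allow)\s+)*mqueue\b')


def _strip_comment(line: str) -> str:
    return line.split("#", 1)[0]


def inspect_profile(text: str) -> Dict[str, object]:
    """Return the declared abi (if any) and the mqueue rules found in one profile."""
    abi: Optional[str] = None
    mqueue_rules: List[str] = []
    for raw in text.splitlines():
        line = _strip_comment(raw)
        m = ABI_RE.match(line)
        if m:
            abi = m.group(1)
        elif MQUEUE_RE.match(line):
            mqueue_rules.append(line.strip())
    return {"abi": abi, "mqueue_rules": mqueue_rules}


def mqueue_mediation(text: str) -> str:
    """Verdict strings are this example's own naming of the three cases in the SRU text."""
    info = inspect_profile(text)
    if info["abi"] is not None:
        return "declared-abi"            # parser follows the declared abi
    if info["mqueue_rules"]:
        return "enforced-by-exception"   # no abi, has mqueue rules: mqueue enforced
    return "not-enforced-pinned-abi"     # no abi, no mqueue rules: pinned abi, not enforced


def audit(profiles: Dict[str, str]) -> Dict[str, str]:
    return {name: mqueue_mediation(text) for name, text in profiles.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_PROFILES).items():
        print(f"{name:15s} {verdict}")
```

To inventory a host, feed `audit()` a mapping built from the contents of the files under /etc/apparmor.d and review the `enforced-by-exception` entries first, since those are the profiles whose mqueue rules start being enforced when the update lands.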


[Touch-packages] [Bug 1993353] Re: Add posix message queue IPC mediation

2022-10-20 Thread Georgia Garcia
** Description changed:

  [ Impact ]
  
  We need to add IPC mediation support in the userspace tools, starting with 
posix message queue.
  This would improve security and lower the attack surface for applications
- There is already a proposal upstream: 
+ There is already a proposal upstream:
  https://gitlab.com/apparmor/apparmor/-/merge_requests/858
  
  [ Test Plan ]
  
  In the merge request in the description there are several tests added.
  There are parser tests that can be run with "make -C parser check" in the 
project source tree.
  There are also tests for the python tools that can be run with "make -C utils 
check" in the project source tree.
  There are also regression tests in tests/regression/apparmor. They run with 
the whole test suite when you run with "sudo make tests", but they can also be 
run individually with "sudo ./posix_mq.sh"
  
  [ Where problems could occur ]
  
- There could be problems related to #1728130, where a policy was developed for 
a set of rules supported by a specific kernel, and if new mediation is 
available on newer kernels, then there will be some denied rules. Therefore we 
need to also prevent that from happening. This is already available in 
apparmor-3.+, but for older versions could be done by backporting the abi 
patches from 
+ There could be problems related to Bug 1728130, where a policy was developed 
for a set of rules supported by a specific kernel, and if new mediation is 
available on newer kernels, then there will be some denied rules. Therefore we 
need to also prevent that from happening. This is already available in 
apparmor-3.+, but for older versions could be done by backporting the abi 
patches from
  apparmor-3.0.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1993353

Title:
  Add posix message queue IPC mediation

Status in apparmor package in Ubuntu:
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1993353/+subscriptions




[Touch-packages] [Bug 1993353] [NEW] Add posix message queue IPC mediation

2022-10-18 Thread Georgia Garcia
Public bug reported:

[ Impact ]

We need to add IPC mediation support in the userspace tools, starting with 
posix message queue.
This would improve security and lower the attack surface for applications
There is already a proposal upstream: 
https://gitlab.com/apparmor/apparmor/-/merge_requests/858

[ Test Plan ]

In the merge request in the description there are several tests added.
There are parser tests that can be run with "make -C parser check" in the 
project source tree.
There are also tests for the python tools that can be run with "make -C utils 
check" in the project source tree.
There are also regression tests in tests/regression/apparmor. They run with the 
whole test suite when you run with "sudo make tests", but they can also be run 
individually with "sudo ./posix_mq.sh"

[ Where problems could occur ]

There could be problems related to #1728130, where a policy was developed for a 
set of rules supported by a specific kernel, and if new mediation is available 
on newer kernels, then there will be some denied rules. Therefore we need to 
also prevent that from happening. This is already available in apparmor-3.+, 
but for older versions could be done by backporting the abi patches from 
apparmor-3.0.

** Affects: apparmor (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1993353

Title:
  Add posix message queue IPC mediation

Status in apparmor package in Ubuntu:
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1993353/+subscriptions




[Touch-packages] [Bug 1989309] Re: [FFe] new apparmor features for 3.0.7

2022-10-13 Thread Georgia Garcia
** Changed in: apparmor (Ubuntu)
   Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1989309

Title:
  [FFe] new apparmor features for 3.0.7

Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  We propose two new features for 3.0.7 Apparmor:

  1. parser support for user namespace mediation.

  Since the last kernel update with commit 
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/kinetic/commit/?h=master-next&id=30bce26855c9171f8dee74d93308fd506730c914
  Ubuntu 22.10 mediates user namespaces which allows for confined applications 
to have unprivileged user namespace creation, instead of disabling it 
completely.
  If we want applications to have this ability, then we need to add support on 
the parser, which is a feature we are introducing. Bug 1990064 is an example 
caused by this.

  2. userspace support for posix message queue mediation

  Kernel also has POSIX message queue mediation with commit
  https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/kinetic/commit/?h=master-next&id=44f28e2ccee2000c7da971876dd003d38a8232d8
  which indicates that if admins want to allow legitimate use of POSIX
  message queues, then they will need the support of userspace tools.

  We are also adding a fix for Bug 1990692 which will make the AppArmor
  profiles for samba to be up to date with upstream.

  TESTING

  This has been extensively tested by the security team - this includes
  following the documented Ubuntu merges test plan[1] for AppArmor and the
  extensive QA Regression Tests[2] for AppArmor as well. This ensures that
  the various applications that make heavy use of AppArmor (LXD, docker,
  lxc, dbus, libvirt, snapd etc) have all been exercised and no regressions
  have been observed. All tests have passed and demonstrated both apparmor
  and the various applications that use it to be working as expected.

  BUILD LOGS

  This is currently uploaded to
  https://launchpad.net/~georgiag/+archive/ubuntu/apparmor-kinetic-ffe,
  build logs can be found on Launchpad at:
  https://launchpad.net/~georgiag/+archive/ubuntu/test2/+build/24518253 for amd64

  DEBDIFF

  The debdiff can be found in the PPA:
  
https://launchpadlibrarian.net/626954017/apparmor_3.0.7-1ubuntu1_3.0.7-1ubuntu2.diff.gz

  INSTALL / UPGRADE LOG

  The apt upgrade log is attached in:
  
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+attachment/5620824/+files/apparmor-3.0.7-1ubuntu2-apt-upgrade.log

  [1] https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
  [2] 
https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+subscriptions




[Touch-packages] [Bug 1989309] Re: [FFe] new apparmor features for 3.0.7

2022-10-03 Thread Georgia Garcia
I updated the description and PPAs to reflect what we are hoping to
land: patches on top of 3.0.7 instead of a new 3.1.1 release.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1989309

Title:
  [FFe] new apparmor features for 3.0.7

Status in apparmor package in Ubuntu:
  Incomplete

Bug description:
  We propose two new features for 3.0.7 Apparmor:

  1. parser support for user namespace mediation.

  Since the last kernel update with commit 
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/kinetic/commit/?h=master-next&id=30bce26855c9171f8dee74d93308fd506730c914
  Ubuntu 22.10 mediates user namespaces which allows for confined applications 
to have unprivileged user namespace creation, instead of disabling it 
completely.
  If we want applications to have this ability, then we need to add support on 
the parser, which is a feature we are introducing. Bug 1990064 is an example 
caused by this.

  2. userspace support for posix message queue mediation

  Kernel also has POSIX message queue mediation with commit
  https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/kinetic/commit/?h=master-next&id=44f28e2ccee2000c7da971876dd003d38a8232d8
  which indicates that if admins want to allow legitimate use of POSIX
  message queues, then they will need the support of userspace tools.

  We are also adding a fix for Bug 1990692 which will make the AppArmor
  profiles for samba to be up to date with upstream.

  TESTING

  This has been extensively tested by the security team - this includes
  following the documented Ubuntu merges test plan[1] for AppArmor and the
  extensive QA Regression Tests[2] for AppArmor as well. This ensures that
  the various applications that make heavy use of AppArmor (LXD, docker,
  lxc, dbus, libvirt, snapd etc) have all been exercised and no regressions
  have been observed. All tests have passed and demonstrated both apparmor
  and the various applications that use it to be working as expected.

  BUILD LOGS

  This is currently uploaded to
  https://launchpad.net/~georgiag/+archive/ubuntu/apparmor-kinetic-ffe,
  build logs can be found on Launchpad at:
  https://launchpad.net/~georgiag/+archive/ubuntu/test2/+build/24518253 for amd64

  DEBDIFF

  The debdiff can be found in the PPA: 
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+attachment/5620824/+files/apparmor-3.0.7-1ubuntu2-apt-upgrade.log
  INSTALL / UPGRADE LOG

  The apt upgrade log is attached in

  [1] https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
  [2] 
https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+subscriptions




[Touch-packages] [Bug 1989309] Re: [FFe] new apparmor features for 3.0.7

2022-10-03 Thread Georgia Garcia
** Attachment added: "apparmor-3.0.7-1ubuntu2-apt-upgrade.log"
   
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+attachment/5620824/+files/apparmor-3.0.7-1ubuntu2-apt-upgrade.log

** Description changed:

- AppArmor 3.1.1 is the latest upstream version of the apparmor userspace
- tooling.
+ We propose two new features for 3.0.7 Apparmor:
  
- This includes a large number of bug fixes since the 3.0.7 release which
- is currently in kinetic, as well as various cleanups and optimisations
- to the different tools to improve performance and maintainability.
+ 1. parser support for user namespace mediation.
  
- The full ChangeLog can be seen at [1]. Upstream does not provide a
- ChangeLog file, however I have generated one based on the git commit
- history of apparmor from the 3.0.7 tag to 3.1.1 as:
+ Since the last kernel update with commit 
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/kinetic/commit/?h=master-next&id=30bce26855c9171f8dee74d93308fd506730c914
+ Ubuntu 22.10 mediates user namespaces which allows for confined applications 
to have unprivileged user namespace creation, instead of disabling it 
completely.
+ If we want applications to have this ability, then we need to add support on 
the parser, which is a feature we are introducing. Bug 1990064 is an example 
caused by this.
  
- $ git log v3.0.7...v3.1.1 -- > ~/Downloads/apparmor-3.0.7-to-3.1.1-git-
- log.log
+ 2. userspace support for posix message queue mediation
  
- This can be seen in the attached file
- 
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+attachment/5617640/+files/apparmor-3.0.7-to-3.1.1-git-
- log.log
+ Kernel also has POSIX message queue mediation with commit
+ https://git.launchpad.net/~ubuntu-
+ kernel/ubuntu/+source/linux/+git/kinetic/commit/?h=master-
+ next&id=44f28e2ccee2000c7da971876dd003d38a8232d8 which indicates that if
+ admins want to allow legitimate use of POSIX message queues, then they
+ will need the support of userspace tools.
+ 
+ We are also adding a fix for Bug 1990692 which will make the AppArmor
+ profiles for samba to be up to date with upstream.
  
  TESTING
  
  This has been extensively tested by the security team - this includes
- following the documented Ubuntu merges test plan[2] for AppArmor and the
- extensive QA Regression Tests[3] for AppArmor as well. This ensures that
+ following the documented Ubuntu merges test plan[1] for AppArmor and the
+ extensive QA Regression Tests[2] for AppArmor as well. This ensures that
  the various applications that make heavy use of AppArmor (LXD, docker,
  lxc, dbus, libvirt, snapd etc) have all been exercised and no regressions
  have been observed. All tests have passed and demonstrated both apparmor
  and the various applications that use it to be working as expected.
  
  BUILD LOGS
  
- This is currently uploaded to 
https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309, build logs can be 
found on
+ This is currently uploaded to 
https://launchpad.net/~georgiag/+archive/ubuntu/apparmor-kinetic-ffe, build 
logs can be found on
  Launchpad at:
- https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309/+build/24491969 
for amd64 etc
+ https://launchpad.net/~georgiag/+archive/ubuntu/test2/+build/24518253 for 
amd64
  
  DEBDIFF
  
- The debdiff can be found in the PPA:
- 
https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309/+files/apparmor_3.0.7-1ubuntu1_3.1.1-0ubuntu1.diff.gz
- 
+ The debdiff can be found in the PPA: 
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+attachment/5620824/+files/apparmor-3.0.7-1ubuntu2-apt-upgrade.log
  INSTALL / UPGRADE LOG
  
  The apt upgrade log is attached in
- 
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+attachment/5617638/+files/apparmor-3.1.1-0ubuntu1-apt-
- upgrade.log
  
- [1] https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1
- [2] https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
- [3] 
https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py
+ [1] https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
+ [2] 
https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1989309

Title:
  [FFe] new apparmor features for 3.0.7

Status in apparmor package in Ubuntu:
  Incomplete


[Touch-packages] [Bug 1989309] Re: [FFe] new apparmor features for 3.0.7

2022-10-03 Thread Georgia Garcia
** Summary changed:

- [FFe] apparmor 3.1.1 upstream release
+ [FFe] new apparmor features for 3.0.7

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1989309

Title:
  [FFe] new apparmor features for 3.0.7

Status in apparmor package in Ubuntu:
  Incomplete

Bug description:
  AppArmor 3.1.1 is the latest upstream version of the apparmor
  userspace tooling.

  This includes a large number of bug fixes since the 3.0.7 release
  which is currently in kinetic, as well as various cleanups and
  optimisations to the different tools to improve performance and
  maintainability.

  The full ChangeLog can be seen at [1]. Upstream does not provide a
  ChangeLog file, however I have generated one based on the git commit
  history of apparmor from the 3.0.7 tag to 3.1.1 as:

  $ git log v3.0.7...v3.1.1 -- > ~/Downloads/apparmor-3.0.7-to-3.1.1-git-log.log

  This can be seen in the attached file
  https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+attachment/5617640/+files/apparmor-3.0.7-to-3.1.1-git-log.log

  TESTING

  This has been extensively tested by the security team - this includes
  following the documented Ubuntu merges test plan[2] for AppArmor and the
  extensive QA Regression Tests[3] for AppArmor as well. This ensures that
  the various applications that make heavy use of AppArmor (LXD, docker,
  lxc, dbus, libvirt, snapd etc) have all been exercised and no regressions
  have been observed. All tests have passed and demonstrated both apparmor
  and the various applications that use it to be working as expected.

  BUILD LOGS

  This is currently uploaded to
  https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309,
  build logs can be found on Launchpad at:
  https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309/+build/24491969 for amd64 etc

  DEBDIFF

  The debdiff can be found in the PPA:
  
https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309/+files/apparmor_3.0.7-1ubuntu1_3.1.1-0ubuntu1.diff.gz

  INSTALL / UPGRADE LOG

  The apt upgrade log is attached in
  https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+attachment/5617638/+files/apparmor-3.1.1-0ubuntu1-apt-upgrade.log

  [1] https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1
  [2] https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
  [3] 
https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+subscriptions




[Touch-packages] [Bug 1703821] Re: Dovecot and Apparmor complains at operation file_inherit

2022-08-04 Thread Georgia Garcia
Robie, thank you for taking a look at it. 
In this case, the user is impacted by noisy logs, since the dovecot profile is 
in complain mode. That means that AppArmor does not block actions, it only logs 
them, so that's probably the reason we are not getting more users reporting 
this.

I believe you are correct, perhaps an SRU is not worth it here, not
because the user can modify the policy, but because dovecot
functionality is not being affected.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1703821

Title:
  Dovecot and Apparmor complains at operation file_inherit

Status in AppArmor:
  Fix Released
Status in apparmor package in Ubuntu:
  Expired
Status in dovecot package in Ubuntu:
  Fix Released
Status in apparmor source package in Bionic:
  Incomplete
Status in dovecot source package in Bionic:
  Fix Released

Bug description:
  [Impact]

  Users report that while running dovecot there are some issues reported
  by AppArmor, specifically regarding "file_inherit" operations:

  Jul 12 13:31:19 myserver kernel: [ 3905.672577] audit: type=1400
  audit(1499859079.016:363): apparmor="ALLOWED" operation="file_inherit"
  profile="/usr/lib/dovecot/anvil" pid=3766 comm="anvil" family="unix"
  sock_type="stream" protocol=0 requested_mask="send receive"
  denied_mask="send receive" addr=none peer_addr=none
  peer="/usr/sbin/dovecot"

  Jul 12 13:31:19 myserver kernel: [ 3905.672578] audit: type=1400
  audit(1499859079.016:364): apparmor="ALLOWED" operation="file_inherit"
  profile="/usr/sbin/dovecot" pid=3766 comm="anvil" family="unix"
  sock_type="stream" protocol=0 requested_mask="send receive"
  denied_mask="send receive" addr=none peer_addr=none
  peer="/usr/lib/dovecot/anvil"

  This is likely caused by an anonymous socket communication channel
  between dovecot and anvil.

  A fix in the dovecot AppArmor policy was already merged upstream
  in commit 1ce8cd21, which is being backported in this SRU.
  There was a change upstream that renamed the dovecot profile, so it was
  necessary to make a small change on the backport to reference the
  correct profile name.

  [Test Plan]

  Clone the qa-regression-testing repo
  https://git.launchpad.net/qa-regression-testing
  Set up the machine according to the instructions in the README.multipurpose-vm,
  specifically the Email section.

  Run the dovecot tests from the qa-regression-testing repo:
  python3 ./scripts/test-dovecot.py

  After running the tests, check dmesg for no DENIED messages:
  dmesg | grep DENIED

  [Where problems could occur]

  This update broadens the dovecot policy, so it won't cause any
  issues regarding a behavior that was previously allowed and is now
  denied.
  In addition, the dovecot policy is already in complain mode in
  bionic.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1703821/+subscriptions


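The audit lines quoted in the bug report carry everything needed to tell complain-mode noise (apparmor="ALLOWED": logged, not blocked) from a real block (apparmor="DENIED"), and to draft the rule that would silence the event. The following is an added example, not part of the bug report or of the dovecot or AppArmor packages, that parses such lines. The first two sample lines are the ones quoted in the description; the third, DENIED, line is constructed to show the same anvil/dovecot event under enforce mode. `suggest_unix_rule` emits a candidate rule assembled from the family, sock_type, requested_mask and peer fields for review against apparmor.d(5); it is not the rule upstream committed in 1ce8cd21.

```python
"""Parse AppArmor audit lines and separate complain-mode noise from real denials (added example)."""
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# Sample input: the two lines quoted in the bug report, plus one constructed
# DENIED line (not from the report) showing the same event in enforce mode.
SAMPLE_LOG = """\
Jul 12 13:31:19 myserver kernel: [ 3905.672577] audit: type=1400 audit(1499859079.016:363): apparmor="ALLOWED" operation="file_inherit" profile="/usr/lib/dovecot/anvil" pid=3766 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/dovecot"
Jul 12 13:31:19 myserver kernel: [ 3905.672578] audit: type=1400 audit(1499859079.016:364): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/dovecot" pid=3766 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/dovecot/anvil"
Jul 12 13:40:02 myserver kernel: [ 4428.110021] audit: type=1400 audit(1499859602.410:401): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/dovecot/anvil" pid=3901 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/dovecot"
"""

# key=value tokens; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

Event = Dict[str, str]


def parse_line(line: str) -> Optional[Event]:
    """Return the key/value fields of an AppArmor audit line, or None for other lines."""
    if 'apparmor="' not in line:
        return None
    fields: Event = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def mode_of(event: Event) -> str:
    """ALLOWED is logged by a complain-mode profile; DENIED by an enforcing one."""
    return {"ALLOWED": "complain", "DENIED": "enforce"}.get(event.get("apparmor", ""), "unknown")


def summarize(lines: Iterable[str]) -> Counter:
    """Count events by (mode, profile, operation, peer) so repeated noise collapses to one row."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        counts[(mode_of(ev), ev.get("profile", ""), ev.get("operation", ""), ev.get("peer", ""))] += 1
    return counts


def has_denials(lines: Iterable[str]) -> bool:
    """Programmatic form of the test plan's `dmesg | grep DENIED` check."""
    return any(mode_of(ev) == "enforce" for ev in map(parse_line, lines) if ev is not None)


def suggest_unix_rule(event: Event) -> Optional[str]:
    """Draft a unix socket rule from a family="unix" event. Candidate only: verify against apparmor.d(5)."""
    if event.get("family") != "unix":
        return None
    perms = ", ".join(event.get("requested_mask", "").split())
    rule = f"unix ({perms})"
    if "sock_type" in event:
        rule += f" type={event['sock_type']}"
    if event.get("peer"):
        rule += f" peer=(label={event['peer']})"
    return rule + ","


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for key, n in sorted(summarize(lines).items()):
        print(f"{n:3d}x mode={key[0]:8s} profile={key[1]} op={key[2]} peer={key[3]}")
    print("denials present:", has_denials(lines))
    first = parse_line(lines[0])
    print("candidate rule for", first["profile"] + ":", suggest_unix_rule(first))
```

Because every event here is ALLOWED, `has_denials()` on the two real lines returns False, which is the programmatic version of the point made in the reply above: the dovecot profile is in complain mode, so the logs are noisy but nothing is blocked. Note that the two lines describe one connection seen from both ends (anvil's profile with dovecot as peer, and dovecot's profile with anvil as peer), so a fix has to cover both profiles.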


[Touch-packages] [Bug 1703821] Re: Dovecot and Apparmor complains at operation file_inherit

2022-08-02 Thread Georgia Garcia
** Description changed:

  [Impact]
  
  Users report that while running dovecot there are some issues reported
  by AppArmor, specifically regarding "file_inherit" operations:
  
  Jul 12 13:31:19 myserver kernel: [ 3905.672577] audit: type=1400
  audit(1499859079.016:363): apparmor="ALLOWED" operation="file_inherit"
  profile="/usr/lib/dovecot/anvil" pid=3766 comm="anvil" family="unix"
  sock_type="stream" protocol=0 requested_mask="send receive"
  denied_mask="send receive" addr=none peer_addr=none
  peer="/usr/sbin/dovecot"
  
  Jul 12 13:31:19 myserver kernel: [ 3905.672578] audit: type=1400
  audit(1499859079.016:364): apparmor="ALLOWED" operation="file_inherit"
  profile="/usr/sbin/dovecot" pid=3766 comm="anvil" family="unix"
  sock_type="stream" protocol=0 requested_mask="send receive"
  denied_mask="send receive" addr=none peer_addr=none
  peer="/usr/lib/dovecot/anvil"
  
  This is likely caused by an anonymous socket communication channel
  between dovecot and anvil.
  
  A fix in the dovecot AppArmor policy was already merged upstream
  in commit 1ce8cd21, which is being backported in this SRU.
  There was a change upstream that renamed the dovecot profile, so it was
  necessary to make a small change on the backport to reference the
  correct profile name.
  
  [Test Plan]
  
- The bug can be reproduced by setting up a multi-purpose VM according
- to the README file on QRT, and then running the QRT dovecot tests. 
+ Clone the qa-regression-testing repo
+ https://git.launchpad.net/qa-regression-testing
+ Setup the machine according to the instructions in the README.multipurpose-vm 
- specifically the Email section.
+ 
+ Run the dovecot tests from the qa-regression-testing repo:
+ python3 ./script test-dovecot.py
+ 
+ After running the tests, check dmesg for no DENIED messages:
+ dmesg | grep DENIED
  
  [Where problems could occur]
  
  This update broadens the dovecot policy, so it won't to cause any
  issues regarding a behavior that was previously allowed and it is now
  denied.
  In addition, the dovecot policy is already in complain mode in
  bionic.
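Review bot: the `dmesg | grep DENIED` check added to [Test Plan] cannot observe the failure this SRU fixes, because the profile is in complain mode in bionic (stated in [Where problems could occur]) and the records quoted in [Impact] therefore carry apparmor="ALLOWED", not "DENIED"; grep for `apparmor=` records with a non-empty denied_mask (or for operation="file_inherit") so that both complain and enforce verdicts are caught. Also, `python3 ./script test-dovecot.py` reads as if `./script` were a program taking the test file as an argument; if a single path is intended, write it as one path so the plan runs as typed.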

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1703821

Title:
  Dovecot and Apparmor complains at operation file_inherit

Status in AppArmor:
  Fix Released
Status in apparmor package in Ubuntu:
  Expired
Status in dovecot package in Ubuntu:
  Fix Released
Status in apparmor source package in Bionic:
  New
Status in dovecot source package in Bionic:
  Fix Released

Bug description:
  [Impact]

  Users report that while running dovecot there are some issues reported
  by AppArmor, specifically regarding "file_inherit" operations:

  Jul 12 13:31:19 myserver kernel: [ 3905.672577] audit: type=1400
  audit(1499859079.016:363): apparmor="ALLOWED" operation="file_inherit"
  profile="/usr/lib/dovecot/anvil" pid=3766 comm="anvil" family="unix"
  sock_type="stream" protocol=0 requested_mask="send receive"
  denied_mask="send receive" addr=none peer_addr=none
  peer="/usr/sbin/dovecot"

  Jul 12 13:31:19 myserver kernel: [ 3905.672578] audit: type=1400
  audit(1499859079.016:364): apparmor="ALLOWED" operation="file_inherit"
  profile="/usr/sbin/dovecot" pid=3766 comm="anvil" family="unix"
  sock_type="stream" protocol=0 requested_mask="send receive"
  denied_mask="send receive" addr=none peer_addr=none
  peer="/usr/lib/dovecot/anvil"

  This is likely caused by an anonymous socket communication channel
  between dovecot and anvil.

  A fix in the dovecot AppArmor policy was already merged upstream
  in commit 1ce8cd21, which is being backported in this SRU.
  There was a change upstream that renamed the dovecot profile, so it was
  necessary to make a small change on the backport to reference the
  correct profile name.

  [Test Plan]

  Clone the qa-regression-testing repo
  https://git.launchpad.net/qa-regression-testing
  Set up the machine according to the instructions in the
  README.multipurpose-vm, specifically the Email section.

  Run the dovecot tests from the qa-regression-testing repo:
  python3 ./script test-dovecot.py

  After running the tests, check dmesg for no DENIED messages:
  dmesg | grep DENIED

  [Where problems could occur]

  This update broadens the dovecot policy, so it won't cause any
  issues regarding a behavior that was previously allowed and it is now
  denied.
  In addition, the dovecot policy is already in complain mode in
  bionic.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1703821/+subscriptions


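As an added example (not code from the bug report or the AppArmor project), the following parses type=1400 audit records in the format quoted above and shows why a grep for DENIED cannot see them: the profile is in complain mode, so the same policy gap is logged as apparmor="ALLOWED" with a non-empty denied_mask. The sample records are constructed to match the report; the third and fourth lines are made up for contrast.

```python
import re
from dataclasses import dataclass, field

# One key=value token of a type=1400 record: the value is either a
# double-quoted string or a bare token (pid=3766, addr=none, protocol=0).
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample in the format quoted in the bug report: the two
# complain-mode (apparmor="ALLOWED") file_inherit records from the report,
# one made-up enforce-mode denial for contrast, and one unrelated kernel line.
SAMPLE_DMESG = """\
[ 3905.672577] audit: type=1400 audit(1499859079.016:363): apparmor="ALLOWED" operation="file_inherit" profile="/usr/lib/dovecot/anvil" pid=3766 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/dovecot"
[ 3905.672578] audit: type=1400 audit(1499859079.016:364): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/dovecot" pid=3766 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/dovecot/anvil"
[ 3910.000000] audit: type=1400 audit(1499859084.000:365): apparmor="DENIED" operation="open" profile="/usr/sbin/dovecot" name="/var/log/mail.log" pid=3770 comm="dovecot" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 3911.000000] usb 1-1: new high-speed USB device number 2 using xhci_hcd
"""


@dataclass
class AuditEvent:
    verdict: str     # ALLOWED, DENIED, AUDIT, STATUS, ...
    operation: str   # file_inherit, open, exec, ...
    profile: str     # the confined profile that produced the record
    fields: dict = field(default_factory=dict)

    @property
    def mode(self) -> str:
        # A complain-mode profile logs "ALLOWED" for an access the policy
        # does not grant; the same access under enforce logs "DENIED".
        return "complain" if self.verdict == "ALLOWED" else "enforce"

    @property
    def needs_rule(self) -> bool:
        # Either verdict with a non-empty denied_mask means the loaded
        # policy has no rule covering this access.
        return self.verdict in ("ALLOWED", "DENIED") and bool(
            self.fields.get("denied_mask"))


def parse_audit_line(line: str):
    """Return an AuditEvent for one AppArmor audit record, else None."""
    if "type=1400" not in line or "apparmor=" not in line:
        return None
    fields = {}
    for key, quoted, bare in _KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return AuditEvent(fields.get("apparmor", ""), fields.get("operation", ""),
                      fields.get("profile", ""), fields)


def parse_dmesg(text: str) -> list:
    """Parse every AppArmor record in a dmesg/kern.log dump, skipping the rest."""
    events = (parse_audit_line(line) for line in text.splitlines())
    return [ev for ev in events if ev is not None]


def policy_gaps(text: str) -> list:
    """Accesses the policy has no rule for, in complain and enforce mode alike.

    A plain `grep DENIED` only sees the enforce-mode half of this list.
    """
    return [
        {"mode": ev.mode, "profile": ev.profile, "operation": ev.operation,
         "denied_mask": ev.fields["denied_mask"],
         "target": ev.fields.get("peer") or ev.fields.get("name", "")}
        for ev in parse_dmesg(text) if ev.needs_rule
    ]


def socket_peers(events: list) -> set:
    """Unordered profile pairs that share an inherited unix socket.

    Both ends log a record with profile and peer swapped, so the two
    dovecot/anvil lines in the report collapse to a single pair.
    """
    return {
        frozenset((ev.profile, ev.fields["peer"]))
        for ev in events
        if ev.operation == "file_inherit"
        and ev.fields.get("family") == "unix" and "peer" in ev.fields
    }
```

Running `policy_gaps(SAMPLE_DMESG)` over the sample yields three entries (two complain-mode, one enforce-mode), whereas a DENIED grep would report only the last one.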


[Touch-packages] [Bug 1703821] Re: Dovecot and Apparmor complains at operation file_inherit

2022-08-01 Thread Georgia Garcia
I have attached a debdiff for AppArmor containing the upstream fix.

** Description changed:

- My server is running Ubuntu 17.04 and Dovecot 2.2.27 (c0f36b0). Apparmor
- is still complaining about problems with file_inherit. I have put the
- profiles in complain-only mode, so I can continue, but still, it's a
- problem.
+ [Impact]
+ 
+ Users report that while running dovecot there are some issues reported
+ by AppArmor, specifically regarding "file_inherit" operations:
  
  Jul 12 13:31:19 myserver kernel: [ 3905.672577] audit: type=1400
  audit(1499859079.016:363): apparmor="ALLOWED" operation="file_inherit"
  profile="/usr/lib/dovecot/anvil" pid=3766 comm="anvil" family="unix"
  sock_type="stream" protocol=0 requested_mask="send receive"
  denied_mask="send receive" addr=none peer_addr=none
  peer="/usr/sbin/dovecot"
  
  Jul 12 13:31:19 myserver kernel: [ 3905.672578] audit: type=1400
  audit(1499859079.016:364): apparmor="ALLOWED" operation="file_inherit"
  profile="/usr/sbin/dovecot" pid=3766 comm="anvil" family="unix"
  sock_type="stream" protocol=0 requested_mask="send receive"
  denied_mask="send receive" addr=none peer_addr=none
  peer="/usr/lib/dovecot/anvil"
  
- My configuration of Dovecot has changed slightly:
+ This is likely caused by an anonymous socket communication channel
+ between dovecot and anvil.
  
- /etc/dovecot/dovecot-sql.conf.ext
-driver = mysql
-connect = host=localhost dbname=mail user=mail password=mailpassword
-default_pass_scheme = MD5-CRYPT
-password_query = ...
-user_query = ...
+ A fix in the dovecot AppArmor policy was already merged upstream
+ in commit 1ce8cd21, which is being backported in this SRU.
+ There was a change upstream that renamed the dovecot profile, so it was
+ necessary to make a small change on the backport to reference the
+ correct profile name.
  
- /etc/dovecot/conf.d/10-auth.conf
-disable_plaintext_auth = yes
-auth_mechanisms = plain login
-#!include auth-system.conf.ext
-!include auth-sql.conf.ext
+ [Test Plan]
  
- /etc/dovecot/conf.d/10-mail.conf
-mail_location = maildir:/var/vmail/%d/%n
-mail_uid = vmail
-mail_gid = mail
-first_valid_uid = 150
-last_valid_uid = 150
+ The bug can be reproduced by setting up a multi-purpose VM according
+ to the README file on QRT, and then running the QRT dovecot tests. 
  
- /etc/dovecot/conf.d/10-ssl.conf
-ssl = required
-ssl_cert = 
- 
- /usr/sbin/dovecot flags=(complain,attach_disconnected) {
-   #include 
-   #include 
-   #include 
-   #include 
-   #include 
-   #include 
-   #include 
- 
-   capability chown,
-   capability dac_override,
-   capability fsetid,
-   capability kill,
-   capability net_bind_service,
-   capability setuid,
-   capability sys_chroot,
-   capability sys_resource,
- 
-   /etc/dovecot/** r,
-   /etc/mtab r,
-   /etc/lsb-release r,
-   /etc/SuSE-release r,
-   @{PROC}/@{pid}/mounts r,
-   /usr/bin/doveconf rix,
-   /usr/lib/dovecot/anvil Px,
-   /usr/lib/dovecot/auth Px,
-   /usr/lib/dovecot/config Px,
-   /usr/lib/dovecot/dict Px,
-   /usr/lib/dovecot/dovecot-auth Pxmr,
-   /usr/lib/dovecot/imap Pxmr,
-   /usr/lib/dovecot/imap-login Pxmr,
-   /usr/lib/dovecot/lmtp Px,
-   /usr/lib/dovecot/log Px,
-   /usr/lib/dovecot/managesieve Px,
-   /usr/lib/dovecot/managesieve-login Pxmr,
-   /usr/lib/dovecot/pop3 Px,
-   /usr/lib/dovecot/pop3-login Pxmr,
-   /usr/lib/dovecot/ssl-build-param rix,
-   /usr/lib/dovecot/ssl-params Px,
-   /usr/sbin/dovecot mrix,
-   /usr/share/dovecot/protocols.d/   r,
-   /usr/share/dovecot/protocols.d/** r,
-   /var/lib/dovecot/ w,
-   /var/lib/dovecot/* rwkl,
-   /var/spool/postfix/private/auth w,
-   /var/spool/postfix/private/dovecot-lmtp w,
-   /{,var/}run/dovecot/ rw,
-   /{,var/}run/dovecot/** rw,
-   link /{,var/}run/dovecot/** -> /var/lib/dovecot/**,
- 
-   # Site-specific additions and overrides. See local/README for details.
-   #include 
- }
- 
- Profile usr.lib.dovecot.anvil:
- 
- #include 
- 
- /usr/lib/dovecot/anvil flags=(complain) {
-   #include 
-   #include 
- 
-   capability setuid,
-   capability sys_chroot,
- 
-   /usr/lib/dovecot/anvil mr,
- 
-   # Site-specific additions and overrides. See local/README for details.
-   #include 
- }
+ This update broadens the dovecot policy, so it won't to cause any
+ issues regarding a behavior that was previously allowed and it is now
+ denied.
+ In addition, the dovecot policy is already in complain mode in
+ bionic.
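Review bot: the added [Test Plan] line ("The bug can be reproduced by setting up a multi-purpose VM according to the README file on QRT, and then running the QRT dovecot tests.") names no repository, no command and no pass criterion, so an SRU verifier cannot execute it as written; state where QRT lives, which test to run and which log output counts as success (note that the records quoted in [Impact] are apparmor="ALLOWED", since the profile is in complain mode). Also, in the added [Where problems could occur] text, "so it won't to cause any issues" should read "so it won't cause any issues".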

** Patch added: "apparmor_2.12-4ubuntu5.2.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1703821/+attachment/5606306/+files/apparmor_2.12-4ubuntu5.2.debdiff


[Touch-packages] [Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

2022-05-10 Thread Georgia Garcia
@Sebastien, yes, I asked people from the security team to sponsor it but
we are still reviewing the snap_browsers abstraction. We are denying
access to /run/user/[0-9]*/gdm/Xauthority in the policy but if that was
the case, then the browser should not have been able to open, but it
does open so we are investigating if there's an issue.

Regarding the evince debdiff, even though it looks like the dependency
is on Build-Depends on the debdiff, it is actually under Depends. If we
don't set this dependency, then the snap_browsers abstraction might not
be available. So if the new evince is installed with an old apparmor,
then the evince apparmor policy will fail to load and evince will run
unconfined.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1794064

Title:
  Clicking a hyperlink in a PDF fails to open it if the default browser
  is a snap

Status in apparmor package in Ubuntu:
  Confirmed
Status in evince package in Ubuntu:
  Triaged
Status in apparmor source package in Jammy:
  New
Status in evince source package in Jammy:
  New
Status in evince package in Debian:
  New

Bug description:
  [Impact]

   * Users cannot open a hyperlink in a PDF opened with evince when the
     default browser is a snap.
   * The fix creates a snap_browsers abstraction on AppArmor which can be
     used in a transition for when the browser is executed. The snap_browsers
     abstraction provides the minimal amount of permissions required to
     execute a browser provided through snaps. This is a workaround since
     AppArmor currently does not provide mediation/filtering on enhanced
     environment variables.

  [Test Plan]

   * Make sure the default browser is provided through the snap store.
   * Open a PDF that contains a hyperlink using evince and click on the URL.
   * The browser should open the requested URL. 

  [Where problems could occur]

   * If the browser or snap core update to have new requirements for
  opening a browser, then the current policy could become obsolete and
  will need to be updated again.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions




[Touch-packages] [Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

2022-04-20 Thread Georgia Garcia
** Patch added: "apparmor_2.12-4ubuntu5.2.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581885/+files/apparmor_2.12-4ubuntu5.2.debdiff



[Touch-packages] [Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

2022-04-20 Thread Georgia Garcia
@Sebastien, yes, just did. Thank you!

I also attached the debdiffs for evince and apparmor for bionic, focal, impish 
and jammy. They were also uploaded into the Security Proposed PPA:
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=apparmor
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=evince



[Touch-packages] [Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

2022-04-20 Thread Georgia Garcia
** Patch added: "apparmor_2.13.3-7ubuntu5.2.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581884/+files/apparmor_2.13.3-7ubuntu5.2.debdiff

** Patch removed: "apparmor_3.0.3-0ubuntu1.1.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581883/+files/apparmor_3.0.3-0ubuntu1.1.debdiff



[Touch-packages] [Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

2022-04-20 Thread Georgia Garcia
** Patch added: "apparmor_3.0.3-0ubuntu1.1.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581883/+files/apparmor_3.0.3-0ubuntu1.1.debdiff



[Touch-packages] [Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

2022-04-20 Thread Georgia Garcia
** Patch added: "apparmor_3.0.3-0ubuntu1.1.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581882/+files/apparmor_3.0.3-0ubuntu1.1.debdiff



[Touch-packages] [Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

2022-04-20 Thread Georgia Garcia
** Patch added: "evince_3.28.4-0ubuntu1.3.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581880/+files/evince_3.28.4-0ubuntu1.3.debdiff



[Touch-packages] [Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

2022-04-20 Thread Georgia Garcia
** Patch added: "apparmor_3.0.4-2ubuntu3.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581881/+files/apparmor_3.0.4-2ubuntu3.debdiff


