[Touch-packages] [Bug 1957024] Re: pam-mkhomedir does not honor private home directories

2024-11-06 Thread Alex Murray
@pponnuvel - I am in the middle of uploading this for plucky :)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/1957024

Title:
  pam-mkhomedir does not honor private home directories

Status in pam package in Ubuntu:
  In Progress

Bug description:
  As reported in https://discourse.ubuntu.com/t/private-home-
  directories-for-ubuntu-21-04-onwards/19533/13:

  A common situation is to have a central set of users (e.g. in LDAP)
  and use pam_mkhomedir.so to create the home directory when the user
  first logs in.

  These changes do not cover this situation. The default configuration
  of pam_mkhomedir.so will result in a home directory created with 0755
  permissions.

  To make pam_mkhomedir.so create a home directory by default with
  permissions consistent with the other tools then a umask argument can
  be added to the pam_mkhomedir.so module in the file /usr/share/pam-
  configs/mkhomedir. I believe this would have to be done before
  enabling the module. The file is part of the libpam-modules package.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/1957024/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
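
The umask arithmetic behind the report above, as an added example that is not code from the bug report or from the pam package: it scans PAM text for pam_mkhomedir.so lines and reports the mode a new home directory would get. Assumptions: the sample profile text is constructed, the directory mode is taken as 0777 masked by the umask (which matches the 0755 default the report cites), and umask=0027 is a sample value.

```python
import re

DEFAULT_UMASK = 0o022  # pam_mkhomedir default when no umask= argument is given

# Constructed sample in the pam-configs profile layout (not copied from a system).
PROFILE_DEFAULT = (
    "Name: Create home directory on login\n"
    "Default: no\n"
    "Priority: 0\n"
    "Session-Type: Additional\n"
    "Session:\n"
    "\toptional\t\t\tpam_mkhomedir.so\n"
)

# Same profile with the umask argument the report suggests (0027 is a sample value).
PROFILE_PRIVATE = PROFILE_DEFAULT.replace(
    "pam_mkhomedir.so", "pam_mkhomedir.so umask=0027")

# Constructed /etc/pam.d style line: the same check applies to the generated file.
PAMD_LINE = "session optional pam_mkhomedir.so skel=/etc/skel umask=0077  # private\n"

# umask=NNN as a whole whitespace-delimited argument, octal digits only.
UMASK_RE = re.compile(r"(?<!\S)umask=([0-7]{3,4})(?!\S)")


def audit_mkhomedir(pam_text):
    """Return one finding per pam_mkhomedir.so line in the given PAM text."""
    findings = []
    for line_no, raw in enumerate(pam_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]          # drop trailing comments
        if "pam_mkhomedir.so" not in line:
            continue
        match = UMASK_RE.search(line)
        umask = int(match.group(1), 8) if match else DEFAULT_UMASK
        mode = 0o777 & ~umask                # assumed rule, see lead-in
        findings.append({
            "line": line_no,
            "explicit_umask": match is not None,
            "mode": format(mode, "04o"),
            "world_accessible": bool(mode & 0o007),
        })
    return findings


if __name__ == "__main__":
    for label, text in (("default", PROFILE_DEFAULT),
                        ("private", PROFILE_PRIVATE),
                        ("pam.d", PAMD_LINE)):
        for finding in audit_mkhomedir(text):
            print(label, finding)
```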


[Touch-packages] [Bug 2075246] Re: Apparmor is preventing konsole from running many commands

2024-10-20 Thread Alex Murray
It looks like you are using the snap version of konsole - which seems to
have strict confinement in place so it's not surprising you are seeing
such issues.

I see there is a version with classic confinement in the candidate
channel - can you please try the following and see if it fixes the
issue:

sudo snap refresh konsole --candidate --classic

(Note you will have to do this from a different terminal application
than konsole since it will be blocked from running that itself).

I suggest you report this issue to the maintainers of the konsole snap
as per the contact info listed at https://snapcraft.io/konsole

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2075246

Title:
  Apparmor is preventing konsole from running many commands

Status in apparmor package in Ubuntu:
  Invalid

Bug description:
  When using konsole I can no longer sudo in a terminal window nor can I
  run w or who.  It also doesn't appear to run logon scripts because the
  environment isn't set correctly any more.

  2024-07-30T12:38:10.211624-04:00 lin-cr kernel: audit: type=1400 audit(1722357490.209:358): apparmor="DENIED" operation="exec" class="file" profile="snap.konsole.konsole" name="/usr/bin/sudo" pid=11565 comm="bash" requested_mask="x" denied_mask="x" fsuid=1002 ouid=0
  2024-07-30T12:38:10.211667-04:00 lin-cr kernel: audit: type=1400 audit(1722357490.209:359): apparmor="DENIED" operation="open" class="file" profile="snap.konsole.konsole" name="/usr/bin/sudo" pid=11565 comm="bash" requested_mask="r" denied_mask="r" fsuid=1002 ouid=0

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2075246/+subscriptions




[Touch-packages] [Bug 2075246] Re: Apparmor is preventing konsole from running many commands

2024-10-20 Thread Alex Murray
This is not an issue in apparmor itself, so I am closing this bug as
invalid since it is an issue in the konsole snap in the snap store.

** Changed in: apparmor (Ubuntu)
   Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2075246

Title:
  Apparmor is preventing konsole from running many commands

Status in apparmor package in Ubuntu:
  Invalid

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2075246/+subscriptions




[Touch-packages] [Bug 2083435] Re: AppArmor 4.1.0-beta1 contains an ABI break for aa_log_record

2024-10-02 Thread Alex Murray
I typoed the magic LP bug reference in the changelog but this was uploaded
to oracular earlier and just moved into -proposed:

apparmor (4.1.0~beta1-0ubuntu3) oracular; urgency=medium

  * Add patch from upstream to fix unintentional ABI break (LP :#2083435)
  - d/p/u/fix-abi-break-record-for-aa-log-record.patch

https://launchpad.net/ubuntu/+source/apparmor/4.1.0~beta1-0ubuntu3


** Changed in: apparmor (Ubuntu Oracular)
   Status: New => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2083435

Title:
  AppArmor 4.1.0-beta1 contains an ABI break for aa_log_record

Status in AppArmor:
  New
Status in apparmor package in Ubuntu:
  Fix Committed
Status in apparmor source package in Oracular:
  Fix Committed

Bug description:
  Commit 3c825eb001d33bb6f2480c4f78df03aee4c40396 in the Gitlab upstream
  adds a field called `execpath` to the `aa_log_record` struct. This
  field was added in the middle of the struct instead of the end,
  causing an ABI break in libapparmor without a corresponding major
  version number bump. This commit landed between v4.0.3 and
  v4.1.0-beta1, and unfortunately, Oracular currently packages
  v4.1.0-beta1.

  Thus, we need to land a bugfix patch to move the `execpath` field to
  the end of the struct ASAP to prevent an ABI break from making it into
  the Oracular release. The patch is attached below and is available as
  commit c86c87e8868c72e5ab2084b5bf783cd5ca800a9b in the Gitlab repo.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2083435/+subscriptions
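
Why inserting a field mid-struct breaks already-compiled callers while appending does not, as an added example that is not libapparmor code: it models three layouts with ctypes and reads a record produced with the new layout through the old one. The struct is a constructed miniature stand-in; only `execpath` is a field name taken from the report, and the sample paths are constructed.

```python
import ctypes

P = ctypes.c_char_p

# Constructed stand-in for the pre-change struct (not the real field list).
V1_FIELDS = [("version", ctypes.c_int), ("pid", ctypes.c_ulong),
             ("operation", P), ("name", P)]
# The breaking change: new field inserted before an existing one.
MIDDLE_FIELDS = V1_FIELDS[:3] + [("execpath", P)] + V1_FIELDS[3:]
# The fix described in the report: new field moved to the end.
APPENDED_FIELDS = V1_FIELDS + [("execpath", P)]


def make_struct(label, fields):
    """Build a ctypes.Structure subclass with the given field order."""
    return type(label, (ctypes.Structure,), {"_fields_": fields})


RecordV1 = make_struct("RecordV1", V1_FIELDS)
RecordMiddle = make_struct("RecordMiddle", MIDDLE_FIELDS)
RecordAppended = make_struct("RecordAppended", APPENDED_FIELDS)


def offsets(cls):
    """Map each field name to its byte offset inside the struct."""
    return {name: getattr(cls, name).offset for name, _ in cls._fields_}


def moved_fields(old_cls, new_cls):
    """Fields of the old layout whose offset differs in the new layout."""
    old, new = offsets(old_cls), offsets(new_cls)
    return sorted(name for name in old if new[name] != old[name])


def read_name_with_old_header(old_cls, new_cls, **values):
    """Fill a record using the new layout, then read `name` the way a caller
    compiled against the old header would (same bytes, old offsets)."""
    record = new_cls(**values)                      # what the updated library returns
    raw = bytes(record)[:ctypes.sizeof(old_cls)]    # the part the old caller knows about
    stale_view = old_cls.from_buffer_copy(raw)
    return stale_view.name                          # `record` keeps the strings alive


if __name__ == "__main__":
    sample = {"name": b"/usr/bin/sudo", "execpath": b"/usr/bin/bash"}  # constructed
    for cls in (RecordMiddle, RecordAppended):
        print(cls.__name__, "moved:", moved_fields(RecordV1, cls),
              "old caller reads name =",
              read_name_with_old_header(RecordV1, cls, **sample))
```

Appending still grows the struct's size, so it stays compatible only for callers that never allocate or copy the struct by size themselves.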




[Touch-packages] [Bug 2073169] Re: w command shows incorrect idle time for all users

2024-09-27 Thread Alex
** Description changed:

  user1  10.19.2.1Fri163:05m  0.00s  0.08s sshd: user1 
[priv]
  user1  10.19.2.22   07:173:05m  0.00s  0.02s sshd: user2 
[priv]
  user3  10.19.2.103  14:253:05m  0.00s  0.01s sshd: user3 
[priv]
  user4  10.19.3.35   15:413:05m  0.00s   ?sshd: user4 
[priv]
  user5  10.19.2.71   16:193:05m  0.00s   ?sshd: user5 
[priv]
  
  Notice that all have identical idle times, which is the bug.  Idle times
  should be very different between users.
  
  This appears to be only on 24.04LTS, previous versions do no do this ie:
  20.04, 22.04, 23.10.
  
  DISTRIB_ID=Ubuntu
  DISTRIB_RELEASE=24.04
  DISTRIB_CODENAME=noble
  DISTRIB_DESCRIPTION="Ubuntu 24.04 LTS
  
  w command is in procps
  
  libprocps8/now 2:3.3.17-6ubuntu2.1 amd64 [installed,local]
  procps/noble,now 2:4.0.4-4ubuntu3 amd64 [installed,automatic]
  
  ProblemType: Bug
  DistroRelease: Ubuntu 24.04
  Package: procps 2:4.0.4-4ubuntu3
  ProcVersionSignature: Ubuntu 6.8.0-35.35-generic 6.8.4
  Uname: Linux 6.8.0-35-generic x86_64
  ApportVersion: 2.28.1-0ubuntu3
  Architecture: amd64
  CasperMD5CheckResult: pass
  CloudArchitecture: x86_64
  CloudID: none
  CloudName: none
  CloudPlatform: none
  CloudSubPlatform: config
  Date: Mon Jul 15 17:16:33 2024
  InstallationDate: Installed on 2021-12-01 (957 days ago)
  InstallationMedia: Ubuntu-Server 20.04.3 LTS "Focal Fossa" - Release amd64 
(20210824)
  ProcEnviron:
-  LANG=en_US.UTF-8
-  PATH=(custom, no user)
-  SHELL=/bin/bash
-  TERM=xterm
+  LANG=en_US.UTF-8
+  PATH=(custom, no user)
+  SHELL=/bin/bash
+  TERM=xterm
  RebootRequiredPkgs: Error: path contained symlinks.
  SourcePackage: procps
  UpgradeStatus: Upgraded to noble on 2024-06-13 (33 days ago)
  mtime.conffile..etc.init.d.apport: 2024-04-23T07:30:10
  mtime.conffile..etc.sysctl.conf: 2024-06-12T11:15:22.641079

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to procps in Ubuntu.
https://bugs.launchpad.net/bugs/2073169

Title:
  w command shows incorrect idle time for all users

Status in procps package in Ubuntu:
  Confirmed

Bug description:
  user1  10.19.2.1    Fri16    3:05m  0.00s  0.08s  sshd: user1 [priv]
  user1  10.19.2.22   07:17    3:05m  0.00s  0.02s  sshd: user2 [priv]
  user3  10.19.2.103  14:25    3:05m  0.00s  0.01s  sshd: user3 [priv]
  user4  10.19.3.35   15:41    3:05m  0.00s   ?     sshd: user4 [priv]
  user5  10.19.2.71   16:19    3:05m  0.00s   ?     sshd: user5 [priv]

  Notice that all have identical idle times, which is the bug.  Idle
  times should be very different between users.

  This appears to be only on 24.04LTS, previous versions do not do this
  ie: 20.04, 22.04, 23.10.

  DISTRIB_ID=Ubuntu
  DISTRIB_RELEASE=24.04
  DISTRIB_CODENAME=noble
  DISTRIB_DESCRIPTION="Ubuntu 24.04 LTS

  w command is in procps

  libprocps8/now 2:3.3.17-6ubuntu2.1 amd64 [installed,local]
  procps/noble,now 2:4.0.4-4ubuntu3 amd64 [installed,automatic]

  ProblemType: Bug
  DistroRelease: Ubuntu 24.04
  Package: procps 2:4.0.4-4ubuntu3
  ProcVersionSignature: Ubuntu 6.8.0-35.35-generic 6.8.4
  Uname: Linux 6.8.0-35-generic x86_64
  ApportVersion: 2.28.1-0ubuntu3
  Architecture: amd64
  CasperMD5CheckResult: pass
  CloudArchitecture: x86_64
  CloudID: none
  CloudName: none
  CloudPlatform: none
  CloudSubPlatform: config
  Date: Mon Jul 15 17:16:33 2024
  InstallationDate: Installed on 2021-12-01 (957 days ago)
  InstallationMedia: Ubuntu-Server 20.04.3 LTS "Focal Fossa" - Release amd64 (20210824)
  ProcEnviron:
   LANG=en_US.UTF-8
   PATH=(custom, no user)
   SHELL=/bin/bash
   TERM=xterm
  RebootRequiredPkgs: Error: path contained symlinks.
  SourcePackage: procps
  UpgradeStatus: Upgraded to noble on 2024-06-13 (33 days ago)
  mtime.conffile..etc.init.d.apport: 2024-04-23T07:30:10
  mtime.conffile..etc.sysctl.conf: 2024-06-12T11:15:22.641079

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/procps/+bug/2073169/+subscriptions




[Touch-packages] [Bug 2056555] Re: Allow bitbake to create user namespace

2024-08-14 Thread Alex Murray
FWIW I don't think this proposed profile should be shipped upstream or
in Ubuntu for bitbake - it allows any file anywhere on the filesystem
under a path bitbake/bin/bitbake to use unprivileged user namespaces -
ie. if I was a malware author I would have my malware create a second
stage malware file called $HOME/bitbake/bin/bitbake and it would then be
granted the use of userns by this profile (and hence could take
advantage of userns as part of further exploitation). The specified
attachment path regex is too broad.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056555

Title:
  Allow bitbake to create user namespace

Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  Occurs since an update around March 2 Ubuntu 24.04.

  Bitbake is broken due to file permission problem.

  Traceback (most recent call last):
    File "/home/hains/openpli-oe-core/bitbake/bin/bitbake-worker", line 268, in child
      bb.utils.disable_network(uid, gid)
    File "/home/hains/openpli-oe-core/bitbake/lib/bb/utils.py", line 1653, in disable_network
      with open("/proc/self/uid_map", "w") as f:
  PermissionError: [Errno 1] Operation not permitted

  Test code

  with open("/proc/self/uid_map", "w") as f:
      f.write("%s %s 1" % (1000, 1000))

  ProblemType: Bug
  DistroRelease: Ubuntu 24.04
  Package: dash 0.5.12-6ubuntu4
  ProcVersionSignature: Ubuntu 6.8.0-11.11-generic 6.8.0-rc4
  Uname: Linux 6.8.0-11-generic x86_64
  NonfreeKernelModules: nvidia_modeset nvidia
  ApportVersion: 2.28.0-0ubuntu1
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Fri Mar  8 14:34:08 2024
  InstallationDate: Installed on 2023-03-24 (350 days ago)
  InstallationMedia: Ubuntu 22.10 "Kinetic Kudu" - Release amd64 (20221020)
  SourcePackage: dash
  UpgradeStatus: Upgraded to noble on 2024-01-10 (58 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056555/+subscriptions
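
A review check for the concern raised above, as an added example that is not AppArmor code: it translates a profile attachment glob to a regex and lists which candidate paths under a user-writable prefix the profile would attach to. Assumptions: the proposed profile is not quoted on this page, so the broad pattern `/**/bitbake/bin/bitbake` is a constructed stand-in; the glob translation is simplified (`**`, `*` and `?` only); candidate paths and the `/home/` prefix are constructed.

```python
import re

# Prefixes a non-root user can normally create files under (constructed list).
USER_WRITABLE_PREFIXES = ("/home/",)

# Constructed stand-ins for a broad and a pinned attachment specification.
BROAD_ATTACHMENT = "/**/bitbake/bin/bitbake"
PINNED_ATTACHMENT = "/opt/yocto/*/bitbake/bin/bitbake"

# Constructed candidate paths to evaluate each attachment against.
CANDIDATES = [
    "/home/hains/openpli-oe-core/bitbake/bin/bitbake",
    "/home/alice/bitbake/bin/bitbake",
    "/opt/yocto/kirkstone/bitbake/bin/bitbake",
    "/usr/bin/bitbake",
]


def aa_glob_to_regex(glob):
    """Simplified AppArmor path glob translation.

    `**` crosses directory separators, `*` and `?` do not. Character
    classes and {a,b} alternation are not handled in this sketch.
    """
    parts, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            parts.append(".*")
            i += 2
        elif glob[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif glob[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(parts))


def attached_paths(attachment, candidates):
    """Candidate paths the profile would attach to."""
    rx = aa_glob_to_regex(attachment)
    return [p for p in candidates if rx.fullmatch(p)]


def user_writable_hits(attachment, candidates):
    """Attached paths that live where an unprivileged user can place files."""
    return [p for p in attached_paths(attachment, candidates)
            if p.startswith(USER_WRITABLE_PREFIXES)]


if __name__ == "__main__":
    for spec in (BROAD_ATTACHMENT, PINNED_ATTACHMENT):
        print(spec, "->", user_writable_hits(spec, CANDIDATES))
```

A non-empty result means the permission the profile grants (here, userns) is reachable by any file a user can place at a matching path.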




[Touch-packages] [Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors

2024-08-07 Thread Alex Murray
** Changed in: snapd
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056696

Title:
  All Snaps are denied the ability to use DBus for notifications and
  apptray indicators in KDE-based flavors

Status in snapd:
  Fix Released
Status in apparmor package in Ubuntu:
  Invalid

Bug description:
  OS: Kubuntu Noble 24.04 Alpha (two-day old install)
  snapd version: 2.61.2
  Affected Snaps: firefox, thunderbird, element-desktop

  Steps to reproduce:

  # For Firefox:
  1. Open the Firefox Snap.
  2. Open https://www.bennish.net/web-notifications.html.
  3. Click "Authorize" and allow the website to send notifications.
  4. Click "Show".
  Expected result: A notification should be displayed by Plasma, similar to other notifications the system displays.
  Actual result: The notification shows up in the upper-right corner of the display, improperly themed and obviously generated by Firefox as a fallback.

  # For Thunderbird:
  1. Open the Thunderbird Snap.
  2. Ensure you are connected to an email account.
  3. Unfocus the Thunderbird window.
  4. Wait for an email to come through.
  Expected result: When the email comes through, a notification should be displayed by Plasma, similar to other notifications the system displays.
  Actual result: The notification shows up improperly themed and obviously generated by Thunderbird as a fallback.

  # For Element:
  1. Open the Element Snap.
  Expected result: An apptray indicator should appear in the system tray with the Element logo.
  Actual result: No such indicator appears.
  2. Log in, ask someone to ping you, then unfocus the window and wait for the ping to come through.
  Expected result: A notification should be displayed by Plasma, similar to other notifications the system displays.
  Actual result: No notification appears at all.

  Additional information:

  Based on the output of snappy-debug, this appears to be AppArmor related, at least for element-desktop (but presumably for the others too). Of note are some of the following log entries:
  ```
  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="ListActivatableNames" mask="send" name="org.freedesktop.DBus" pid=2950 label="snap.element-desktop.element-desktop" peer_label="unconfined"
  DBus access

  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/modules/kwalletd5" interface="org.kde.KWallet" member="isEnabled" mask="send" name="org.kde.kwalletd5" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=1762 peer_label="unconfined"
  DBus access

  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/modules/kwalletd5" interface="org.kde.KWallet" member="close" mask="send" name="org.kde.kwalletd5" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=1762 peer_label="unconfined"
  DBus access

  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/StatusNotifierItem" interface="org.freedesktop.DBus.Properties" member="GetAll" name=":1.45" mask="receive" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=2394 peer_label="plasmashell"
  DBus access

  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_signal"  bus="session" path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem" member="NewToolTip" mask="send" name="org.freedesktop.DBus" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=2394 peer_label="plasmashell"
  DBus access
  ```

  Booting with `apparmor=0` set on the kernel command line fixes the
  issue with Element (apptray indicator appears, notifications show up).
  Obviously this is not a solution, but it does isolate AppArmor as
  being at least partially at fault.

  This issue seems to be somewhat similar to
  https://forum.snapcraft.io/t/dbus-related-apparmor-denials/37422,
  however it seems as if Element is trying to hit the right paths and
  interfaces and is still being denied (based on looking at the info in
  https://github.com/snapcore/snapd/blob/master/interfaces/builtin/desktop_legacy.go
  and comparing the paths and interfaces there with the paths and
  interfaces shown by snappy-debug).

  I talked about this issue with Erich Eickmeyer and he mentioned that
  it occurred after a Plasma update. This doesn't make a great deal of
  sense to me, and I suspect possibly some other component of the
  affected systems happened to get updated at the same time (perhaps the
  snapd Snap), but it's definitely worth mentioning.

  An example of one of Thunderbird's fallback notifications is attached
  as a screenshot
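
Triage logic for the AppArmor denials quoted in the konsole and Element reports above, as an added example that is not part of any of these messages or of AppArmor or snapd: it parses the key=value audit fields, groups denials by confined subject and target, and extracts the snap name from `snap.<snap>.<app>` labels so the report can be routed to that snap's maintainers. The four denial lines are copied from this page (re-joined onto single lines); the last sample line and all function names are constructed.

```python
import re
from collections import Counter

# key="quoted value" or key=bare_value, as used by kernel audit and snappy-debug.
PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

SAMPLE_LOG = [
    '2024-07-30T12:38:10.211624-04:00 lin-cr kernel: audit: type=1400 '
    'audit(1722357490.209:358): apparmor="DENIED" operation="exec" '
    'class="file" profile="snap.konsole.konsole" name="/usr/bin/sudo" '
    'pid=11565 comm="bash" requested_mask="x" denied_mask="x" fsuid=1002 ouid=0',
    '2024-07-30T12:38:10.211667-04:00 lin-cr kernel: audit: type=1400 '
    'audit(1722357490.209:359): apparmor="DENIED" operation="open" '
    'class="file" profile="snap.konsole.konsole" name="/usr/bin/sudo" '
    'pid=11565 comm="bash" requested_mask="r" denied_mask="r" fsuid=1002 ouid=0',
    'Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" '
    'path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" '
    'member="ListActivatableNames" mask="send" name="org.freedesktop.DBus" '
    'pid=2950 label="snap.element-desktop.element-desktop" '
    'peer_label="unconfined"',
    'Log: apparmor="DENIED" operation="dbus_signal"  bus="session" '
    'path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem" '
    'member="NewToolTip" mask="send" name="org.freedesktop.DBus" pid=2950 '
    'label="snap.element-desktop.element-desktop" peer_pid=2394 '
    'peer_label="plasmashell"',
    # Constructed non-AppArmor line: must be ignored by the parser.
    '2024-07-30T12:38:11.000000-04:00 lin-cr kernel: usb 1-1: new device',
]


def parse_denial(line):
    """Return the audit fields of an AppArmor denial, or None for other lines."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: quoted if quoted else bare
            for key, quoted, bare in PAIR_RE.findall(line)}


def denial_key(fields):
    """(subject, operation, target, mask) for file and D-Bus denials alike."""
    subject = fields.get("profile") or fields.get("label")
    operation = fields.get("operation", "")
    if operation.startswith("dbus"):
        target = "%s.%s" % (fields.get("interface"), fields.get("member"))
        mask = fields.get("mask")
    else:
        target = fields.get("name")
        mask = fields.get("denied_mask")
    return (subject, operation, target, mask)


def summarize(lines):
    """Count denials per (subject, operation, target, mask)."""
    parsed = (parse_denial(line) for line in lines)
    return Counter(denial_key(f) for f in parsed if f is not None)


def snap_names(lines):
    """Snaps whose generated profiles produced denials (snap.<snap>.<app>)."""
    names = set()
    for subject, _op, _target, _mask in summarize(lines):
        parts = (subject or "").split(".")
        if len(parts) >= 3 and parts[0] == "snap":
            names.add(parts[1])
    return sorted(names)


if __name__ == "__main__":
    for key, count in sorted(summarize(SAMPLE_LOG).items()):
        print(count, *key)
    print("snaps involved:", snap_names(SAMPLE_LOG))
```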

[Touch-packages] [Bug 2063271] Re: Illegal opcode in libssl

2024-04-23 Thread Alex Murray
Thanks for reporting this issue - but it is strange since this update
has been published since 2024-02-27 and this is the first such report of
any issues.

Also given this update has been available for nearly 2 months it is
surprising you are seeing errors from it so much later - I wonder
instead whether the on-disk binary has been corrupted? Can you please
try reinstalling libssl3 and see if that resolves the issue:

sudo apt install --reinstall libssl3

If this does resolve the issue, it might be worth checking whether you
have any failing hardware / disks etc that may have led to this problem.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2063271

Title:
  Illegal opcode in libssl

Status in openssh package in Ubuntu:
  New

Bug description:
  Many programs using openssl now fail, typically with messages such as

Illegal instruction (core dumped)

  This seems to be a serious error, since it affects, for example,
  update-manager. Since this makes it harder to get security updates, I
  would also consider it a security vulnerability.

  The issue seems to be that openssl seems to be an attempt to use an
  illegal opcode. A few sample entries in /var/log/syslog are:

  Apr 21 19:16:39 einstein kernel: [495465.431588] traps: update-manager[396881] trap invalid opcode ip:740964b8ac6b sp:7409552125b0 error:0 in libssl.so.3[740964b7a000+5b000]
  Apr 21 19:16:55 einstein kernel: [495482.104658] traps: python3[396949] trap invalid opcode ip:73607be8ac6b sp:736074d8d5b0 error:0 in libssl.so.3[73607be7a000+5b000]
  Apr 21 19:40:05 einstein kernel: [496871.653271] traps: chrome-gnome-sh[397293] trap invalid opcode ip:79432ffa7c6b sp:7ffd6bc03e70 error:0 in libssl.so.3[79432ff97000+5b000]
  Apr 22 16:23:08 einstein kernel: [501744.765118] traps: check-new-relea[400397] trap invalid opcode ip:797c7cc8ac6b sp:797c6cace5b0 error:0 in libssl.so.3[797c7cc7a000+5b000]
  Apr 23 15:08:03 einstein kernel: [518701.050526] traps: wget[443588] trap invalid opcode ip:73a8b2eb4c6b sp:7ffc04918740 error:0 in libssl.so.3[73a8b2ea4000+5b000]
  Apr 23 15:12:55 einstein kernel: [518992.493020] traps: curl[443851] trap invalid opcode ip:7e4e3951dc6b sp:7ffc804d2ed0 error:0 in libssl.so.3[7e4e3950d000+5b000]
  Apr 23 15:13:32 einstein kernel: [519029.181422] traps: apport-gtk[04] trap invalid opcode ip:7039180f5c6b sp:703902bfaad0 error:0 in libssl.so.3[7039180e5000+5b000]

  This bug report itself had to be submitted manually since ubuntu-bug
  now itself fails.

  lsb_release -rd reports:

    Description:    Ubuntu 22.04.4 LTS
    Release:        22.04

  apt-cache policy openssl reports:

    openssl:
      Installed: 3.0.2-0ubuntu1.15
      Candidate: 3.0.2-0ubuntu1.15
      Version table:
     *** 3.0.2-0ubuntu1.15 500
            500 http://us.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
            500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
            100 /var/lib/dpkg/status
         3.0.2-0ubuntu1 500
            500 http://us.archive.ubuntu.com/ubuntu jammy/main amd64 Packages

  /proc/version for my computer gives

    Linux version 6.5.0-28-generic (buildd@lcy02-amd64-098) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #29~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Apr  4 14:39:20 UTC 2

  /proc/cpuinfo for my computer starts

  processor : 0
  vendor_id : GenuineIntel
  cpu family: 6
  model : 78
  model name: Intel(R) Core(TM) i7-6500U CPU @ 2.50GHz
  stepping  : 3
  microcode : 0xf0
  cpu MHz   : 500.018
  cache size: 4096 KB
  physical id   : 0
  siblings  : 4
  core id   : 0
  cpu cores : 2
  apicid: 0
  initial apicid: 0
  fpu   : yes
  fpu_exception : yes
  cpuid level   : 22
  wp: yes
  flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov 
pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb 
rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology 
nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl est tm2 ssse3 
sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt 
tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch 
cpuid_fault epb invpcid_single pti ssbd ibrs ibpb stibp fsgsbase tsc_adjust 
bmi1 avx2 smep bmi2 erms invpcid mpx rdseed adx smap clflushopt intel_pt 
xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify 
hwp_act_window hwp_epp md_clear flush_l1d arch_capabilities
  bugs  : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds 
swapgs itlb_multihit srbds mmio_stale_data retbleed gds
  bogomips  : 5199.98
  clflush size  : 64
  cache_alignment   : 64
  address sizes : 39 bits physical, 48 b

[Touch-packages] [Bug 2061191]

2024-04-19 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu
better. Since the package referred to in this bug is in universe or
multiverse, it is community maintained. If you are able, I suggest
coordinating with upstream and posting a debdiff for this issue. When a
debdiff is available, members of the security team will review it and
publish the package. See the following link for more information:
https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

** Tags added: community-security

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to qtwebkit-opensource-src in
Ubuntu.
https://bugs.launchpad.net/bugs/2061191

Title:
  Probably stone-age old and insecure version with remote code execution

Status in qtwebkit-opensource-src package in Ubuntu:
  New

Bug description:
  Hi,

  Ubuntu 24.04 beta still uses libqt5webkit5.

  It is not obvious, where it comes from, but the version is still an
  alpha4, and the link in the README seems to suggest, that it still
  comes from https://github.com/annulen/webkit, which redirects to
  https://github.com/qtwebkit/qtwebkit , where the alpha4 tag is over 4
  years old.

  There, the latest README tells:

  Code in this repository is obsolete. If you are looking for up-to-date
  QtWebKit use this fork: https://github.com/movableink/webkit

  
  https://github.com/movableink/webkit seems to be still maintained – more or
  less. And calls itself "inofficial mirror"

  Have a look at

  https://blogs.gnome.org/mcatanzaro/2022/11/04/stop-using-qtwebkit/

  which calls qtwebkit insecure, poorly maintained, and cites CVEs about
  remote code execution (some of them would have to be fixed in the
  fork, but probably not in the version here in ubuntu).

  The problem is, that tools like wkhtmltopdf do use this library and are
  typically used to pull contents from a given URL, i.e. from foreign websites.

  Processing foreign HTML and Javascript code in conjunction with
  vulnerabilities to remote code execution, this is highly dangerous.

  ProblemType: Bug
  DistroRelease: Ubuntu 24.04
  Package: libqt5webkit5 5.212.0~alpha4-34ubuntu4
  ProcVersionSignature: Ubuntu 6.8.0-22.22-generic 6.8.1
  Uname: Linux 6.8.0-22-generic x86_64
  ApportVersion: 2.28.0-0ubuntu1
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: KDE
  Date: Fri Apr 12 23:31:43 2024
  InstallationDate: Installed on 2024-04-12 (0 days ago)
  InstallationMedia: Kubuntu 24.04 LTS "Noble Numbat" - Beta amd64 (20240411.2)
  SourcePackage: qtwebkit-opensource-src
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qtwebkit-opensource-src/+bug/2061191/+subscriptions




[Touch-packages] [Bug 2061856]

2024-04-19 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu
better. Your bug report is more likely to get attention if it is made in
English, since this is the language understood by the majority of Ubuntu
developers.  Additionally, please only mark a bug as "security" if it
shows evidence of allowing attackers to cross privilege boundaries or to
directly cause loss of data/privacy. Please feel free to report any
other bugs you may find.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to xorg in Ubuntu.
https://bugs.launchpad.net/bugs/2061856

Title:
  gnome terminal

Status in xorg package in Ubuntu:
  Incomplete

Bug description:
  Hello, good morning. I have a problem with the Ubuntu shell terminal:
  it closes as soon as I click to open it, it closes automatically. I
  have already tried using another terminal and it does the same thing.
  I also have fish installed, but it is doing the same thing, closing
  automatically. The only one that works is the VS Code terminal.

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: xorg 1:7.7+19ubuntu7.1
  ProcVersionSignature: Ubuntu 4.15.0-213.224-generic 4.15.18
  Uname: Linux 4.15.0-213-generic i686
  .tmp.unity_support_test.0:
   
  ApportVersion: 2.20.9-0ubuntu7.29
  Architecture: i386
  CompizPlugins: No value set for 
`/apps/compiz-1/general/screen0/options/active_plugins'
  CompositorRunning: None
  Date: Tue Apr 16 12:04:00 2024
  DistUpgraded: Fresh install
  DistroCodename: bionic
  DistroVariant: ubuntu
  ExtraDebuggingInterest: Yes
  GraphicsCard:
   Intel Corporation Core Processor Integrated Graphics Controller [8086:0042] 
(rev 12) (prog-if 00 [VGA controller])
 Subsystem: Elitegroup Computer Systems Core Processor Integrated Graphics 
Controller [1019:1324]
  InstallationDate: Installed on 2023-07-23 (267 days ago)
  InstallationMedia: Ubuntu 16.04.2 LTS "Xenial Xerus" - Release i386 
(20170215.2)
  Lsusb:
   Bus 002 Device 006: ID 04f3:0210 Elan Microelectronics Corp. Optical Mouse
   Bus 002 Device 002: ID 8087:0020 Intel Corp. Integrated Rate Matching Hub
   Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
   Bus 001 Device 002: ID 8087:0020 Intel Corp. Integrated Rate Matching Hub
   Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
  MachineType: MEGAWARE H55H-CM
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.15.0-213-generic 
root=UUID=3cfdb2f5-e8ec-4728-844a-29c984321037 ro quiet splash vt.handoff=1
  Renderer: Software
  SourcePackage: xorg
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 05/18/2010
  dmi.bios.vendor: American Megatrends Inc.
  dmi.bios.version: 080015
  dmi.board.asset.tag: To Be Filled By O.E.M.
  dmi.board.name: MW-H55H-CM
  dmi.board.vendor: MEGAWARE
  dmi.board.version: 1.0
  dmi.chassis.asset.tag: M0418501001
  dmi.chassis.type: 3
  dmi.chassis.vendor: MEGAWARE
  dmi.chassis.version: 1.0
  dmi.modalias: 
dmi:bvnAmericanMegatrendsInc.:bvr080015:bd05/18/2010:svnMEGAWARE:pnH55H-CM:pvrMEGAWARE:rvnMEGAWARE:rnMW-H55H-CM:rvr1.0:cvnMEGAWARE:ct3:cvr1.0:
  dmi.product.family: To Be Filled By O.E.M.
  dmi.product.name: H55H-CM
  dmi.product.version: MEGAWARE
  dmi.sys.vendor: MEGAWARE
  version.compiz: compiz 1:0.9.13.1+18.04.20180302-0ubuntu1
  version.libdrm2: libdrm2 2.4.101-2~18.04.1
  version.libgl1-mesa-dri: libgl1-mesa-dri 20.0.8-0ubuntu1~18.04.1
  version.libgl1-mesa-glx: libgl1-mesa-glx 20.0.8-0ubuntu1~18.04.1
  version.xserver-xorg-core: xserver-xorg-core 2:1.19.6-1ubuntu4.15
  version.xserver-xorg-input-evdev: xserver-xorg-input-evdev 1:2.10.5-1ubuntu1
  version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:18.0.1-1
  version.xserver-xorg-video-intel: xserver-xorg-video-intel 
2:2.99.917+git20171229-1
  version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:1.0.15-2
  xserver.bootTime: Thu Apr  4 13:22:01 2024
  xserver.configfile: default
  xserver.devices:
   inputPower Button KEYBOARD, id 6
   inputPower Button KEYBOARD, id 7
   inputPS/2+USB Mouse   MOUSE, id 8
   inputAT Translated Set 2 keyboard KEYBOARD, id 9
  xserver.logfile: /var/log/Xorg.0.log
  xserver.version: 2:1.19.6-1ubuntu4.15

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xorg/+bug/2061856/+subscriptions




[Touch-packages] [Bug 2061856] Re: gnome terminal

2024-04-19 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

** Changed in: xorg (Ubuntu)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to xorg in Ubuntu.
https://bugs.launchpad.net/bugs/2061856

Title:
  gnome terminal

Status in xorg package in Ubuntu:
  Incomplete

Bug description:
  Hello, good morning. I have a problem with the Ubuntu shell terminal:
  it closes as soon as I click to open it, it closes automatically. I
  have already tried using another terminal and it does the same thing.
  I also have fish installed, but it does the same thing, closing
  automatically. The only one that works is the vscode terminal.

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: xorg 1:7.7+19ubuntu7.1
  ProcVersionSignature: Ubuntu 4.15.0-213.224-generic 4.15.18
  Uname: Linux 4.15.0-213-generic i686
  .tmp.unity_support_test.0:
   
  ApportVersion: 2.20.9-0ubuntu7.29
  Architecture: i386
  CompizPlugins: No value set for 
`/apps/compiz-1/general/screen0/options/active_plugins'
  CompositorRunning: None
  Date: Tue Apr 16 12:04:00 2024
  DistUpgraded: Fresh install
  DistroCodename: bionic
  DistroVariant: ubuntu

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xorg/+bug/2061856/+subscriptions




[Touch-packages] [Bug 2062440] Re: A few days ago I realized that the time was four hours behind despite it being automatic with the correct time zone.

2024-04-19 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to tzdata in Ubuntu.
https://bugs.launchpad.net/bugs/2062440

Title:
  A few days ago I realized that the time was four hours behind despite
  it being automatic with the correct time zone.

Status in tzdata package in Ubuntu:
  New

Bug description:
  A few days ago I realized that the time was four hours behind despite
  it being automatic with the correct time zone.

  root@lmobile4dcda1:/etc# apt reinstall tzdata 
  Reading package lists... Done
  Building dependency tree... Done
  Reading state information... Done
  0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
  Need to get 348 kB of archives.
  After this operation, 0 B of additional disk space will be used.
  Get:1 https://mirror.mia.velocihost.net/ubuntu jammy-updates/main amd64 
tzdata all 2024a-0ubuntu0.22.04 [348 kB]
  Fetched 348 kB in 6s (61,9 kB/s)
  Preconfiguring packages ...
  (Reading database ... 244685 files and directories currently installed.)
  Preparing to unpack .../tzdata_2024a-0ubuntu0.22.04_all.deb ...
  Unpacking tzdata (2024a-0ubuntu0.22.04) over (2024a-0ubuntu0.22.04) ...
  Setting up tzdata (2024a-0ubuntu0.22.04) ...

  Current default time zone: 'America/Caracas'
  Local time is now:  jue 18 abr 2024 17:11:26 -04.
  Universal Time is now:  Thu Apr 18 21:11:26 UTC 2024.
  Run 'dpkg-reconfigure tzdata' if you wish to change it.

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: tzdata 2024a-0ubuntu0.22.04
  ProcVersionSignature: Ubuntu 6.5.0-27.28~22.04.1-generic 6.5.13
  Uname: Linux 6.5.0-27-generic x86_64
  ApportVersion: 2.20.11-0ubuntu82.5
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: GNOME
  Date: Thu Apr 18 16:52:36 2024
  InstallationDate: Installed on 2023-11-18 (151 days ago)
  InstallationMedia: Ubuntu 22.04.3 LTS "Jammy Jellyfish" - Release amd64 
(20230807.2)
  PackageArchitecture: all
  SourcePackage: tzdata
  UpgradeStatus: Upgraded to jammy on 2024-01-06 (103 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tzdata/+bug/2062440/+subscriptions




[Touch-packages] [Bug 2058691] Re: No sound card detected on the Dell xps 16 2024 (9640)

2024-03-29 Thread Alex Hulbert
Nevermind, that turned out to be a red herring, using the latest linux
release candidate along with some bleeding edge versions of packages
solves both the audio and the microphone!
https://github.com/thesofproject/linux/issues/4879

** Bug watch added: github.com/thesofproject/linux/issues #4879
   https://github.com/thesofproject/linux/issues/4879

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to alsa-driver in Ubuntu.
https://bugs.launchpad.net/bugs/2058691

Title:
  No sound card detected on the Dell xps 16 2024 (9640)

Status in alsa-driver package in Ubuntu:
  New

Bug description:
  The sound card is not detected on the Dell XPS 16 2024 (9640). A
  Cirrus Logic CS42L43 card is used which apparently got support in
  Linux 6.6

  
  https://www.google.com/url?sa=t&source=web&rct=j&opi=89978449&url=https://www.phoronix.com/forums/forum/software/general-linux-open-source/1408193-linux-6-6-lands-support-for-the-cirrus-logic-cs42l43-audio-codec&ved=2ahUKEwiukq-ZroaFAxUWhf0HHe-jCngQFnoECA8QAQ&usg=AOvVaw3VW5hROJFzdJPUaIX-3igC

  
https://www.reddit.com/r/DellXPS/comments/1ax1i4t/support_for_xps_16_9640_documentation/

  
  No LSB modules are available.
  Description:  Ubuntu Noble Numbat (development branch)
  Release:  24.04

  ProblemType: Bug
  DistroRelease: Ubuntu 24.04
  Package: alsa-base 1.0.25+dfsg-0ubuntu7
  ProcVersionSignature: Ubuntu 6.8.0-11.11-generic 6.8.0-rc4
  Uname: Linux 6.8.0-11-generic x86_64
  NonfreeKernelModules: nvidia_modeset nvidia
  ApportVersion: 2.28.0-0ubuntu1
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: ubuntu:GNOME
  Date: Thu Mar 21 23:00:06 2024
  InstallationDate: Installed on 2024-03-19 (2 days ago)
  InstallationMedia: Ubuntu 24.04 LTS "Noble Numbat" - Daily amd64 (20240319)
  MachineType: Dell Inc. XPS 16 9640
  PackageArchitecture: all
  ProcEnviron:
   LANG=en_US.UTF-8
   PATH=(custom, no user)
   SHELL=/bin/bash
   TERM=xterm-256color
   XDG_RUNTIME_DIR=
  SourcePackage: alsa-driver
  Symptom: audio
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 01/15/2024
  dmi.bios.release: 1.1
  dmi.bios.vendor: Dell Inc.
  dmi.bios.version: 1.1.0
  dmi.board.name: 0YFT36
  dmi.board.vendor: Dell Inc.
  dmi.board.version: A00
  dmi.chassis.type: 10
  dmi.chassis.vendor: Dell Inc.
  dmi.ec.firmware.release: 1.2
  dmi.modalias: 
dmi:bvnDellInc.:bvr1.1.0:bd01/15/2024:br1.1:efr1.2:svnDellInc.:pnXPS169640:pvr:rvnDellInc.:rn0YFT36:rvrA00:cvnDellInc.:ct10:cvr:sku0C62:
  dmi.product.family: XPS
  dmi.product.name: XPS 16 9640
  dmi.product.sku: 0C62
  dmi.sys.vendor: Dell Inc.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/2058691/+subscriptions




[Touch-packages] [Bug 2059417] Re: Sync xz-utils 5.6.1-1 (main) from Debian unstable (main)

2024-03-29 Thread Alex Murray
Given this has been reverted in Debian, it should not be synced into
Ubuntu.

** Changed in: xz-utils (Ubuntu)
   Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to xz-utils in Ubuntu.
https://bugs.launchpad.net/bugs/2059417

Title:
  Sync xz-utils 5.6.1-1 (main) from Debian unstable (main)

Status in xz-utils package in Ubuntu:
  Won't Fix

Bug description:
  Please sync xz-utils 5.6.1-1 (main) from Debian unstable (main)

  Hello! I am one of the upstream maintainers for XZ Utils. Version 5.6.1
  was recently released and uploaded to Debian as a bugfix only release.
  Notably, this fixes a bug that causes Valgrind to issue a warning on
  any application dynamically linked with liblzma. This includes a lot of
  important applications. This could break build scripts and test
  pipelines that expect specific output from Valgrind in order to pass.

  Additionally, this fixes a small typo for the man pages translations
  for Brazilian Portuguese, German, French, Korean, Romanian, and
  Ukrainian, and removes the need for patches applied for version
  5.6.0-0.2.

  The other bugfixes in this release have no impact on Ubuntu. They
  involve building with CMake or when building on a system without
  Landlock system calls defined (these are defined in Ubuntu).

  Changelog entries since current noble version 5.6.0-0.2:

  xz-utils (5.6.1-1) unstable; urgency=medium

    * Non-maintainer upload.
    * Import 5.6.1 (Closes: #1067708).
    * Takeover maintenance of the package.

   -- Sebastian Andrzej Siewior   Wed, 27 Mar
  2024 22:53:21 +0100

  
  Excerpt from the NEWS entry from upstream:

  5.6.1 (2024-03-09)

  * liblzma: Fixed two bugs relating to GNU indirect function (IFUNC)
    with GCC. The more serious bug caused a program linked with
    liblzma to crash on start up if the flag -fprofile-generate was
    used to build liblzma. The second bug caused liblzma to falsely
    report an invalid write to Valgrind when loading liblzma.

  * xz: Changed the messages for thread reduction due to memory
    constraints to only appear under the highest verbosity level.

  * Build:

      - Fixed a build issue when the header file
        was present on the system but the Landlock system calls were
        not defined in .

      - The CMake build now warns and disables NLS if both gettext
        tools and pre-created .gmo files are missing. Previously,
        this caused the CMake build to fail.

  * Minor improvements to man pages.

  * Minor improvements to tests.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xz-utils/+bug/2059417/+subscriptions




[Touch-packages] [Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors

2024-03-27 Thread Alex Lowe
Confirming that with snapd from edge (revision 21508), both the
notifications and apptray denials are resolved for me.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056696

Title:
  All Snaps are denied the ability to use DBus for notifications and
  apptray indicators in KDE-based flavors

Status in snapd:
  In Progress
Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  OS: Kubuntu Noble 24.04 Alpha (two-day old install)
  snapd version: 2.61.2
  Affected Snaps: firefox, thunderbird, element-desktop

  Steps to reproduce:

  # For Firefox:
  1. Open the Firefox Snap.
  2. Open https://www.bennish.net/web-notifications.html.
  3. Click "Authorize" and allow the website to send notifications.
  4. Click "Show".
  Expected result: A notification should be displayed by Plasma, similar to 
other notifications the system displays.
  Actual result: The notification shows up in the upper-right corner of the 
display, improperly themed and obviously generated by Firefox as a fallback.

  # For Thunderbird:
  1. Open the Thunderbird Snap.
  2. Ensure you are connected to an email account.
  3. Unfocus the Thunderbird window.
  4. Wait for an email to come through.
  Expected result: When the email comes through, a notification should be 
displayed by Plasma, similar to other notifications the system displays.
  Actual result: The notification shows up improperly themed and obviously 
generated by Thunderbird as a fallback.

  # For Element:
  1. Open the Element Snap.
  Expected result: An apptray indicator should appear in the system tray with 
the Element logo.
  Actual result: No such indicator appears.
  2. Log in, ask someone to ping you, then unfocus the window and wait for the 
ping to come through.
  Expected result: A notification should be displayed by Plasma, similar to 
other notifications the system displays.
  Actual result: No notification appears at all.

  Additional information:

  Based on the output of snappy-debug, this appears to be AppArmor related,  at 
least for element-desktop (but presumably for the others too). Of note are some 
of the following log entries:
  ```
  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" 
path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" 
member="ListActivatableNames" mask="send" name="org.freedesktop.DBus" pid=2950 
label="snap.element-desktop.element-desktop" peer_label="unconfined"
  DBus access

  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" 
path="/modules/kwalletd5" interface="org.kde.KWallet" member="isEnabled" 
mask="send" name="org.kde.kwalletd5" pid=2950 
label="snap.element-desktop.element-desktop" peer_pid=1762 
peer_label="unconfined"
  DBus access

  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" 
path="/modules/kwalletd5" interface="org.kde.KWallet" member="close" 
mask="send" name="org.kde.kwalletd5" pid=2950 
label="snap.element-desktop.element-desktop" peer_pid=1762 
peer_label="unconfined"
  DBus access

  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" 
path="/StatusNotifierItem" interface="org.freedesktop.DBus.Properties" 
member="GetAll" name=":1.45" mask="receive" pid=2950 
label="snap.element-desktop.element-desktop" peer_pid=2394 
peer_label="plasmashell"
  DBus access

  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_signal"  bus="session" 
path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem" 
member="NewToolTip" mask="send" name="org.freedesktop.DBus" pid=2950 
label="snap.element-desktop.element-desktop" peer_pid=2394 
peer_label="plasmashell"
  DBus access
  ```

  Booting with `apparmor=0` set on the kernel command line fixes the
  issue with Element (apptray indicator appears, notifications show up).
  Obviously this is not a solution, but it does isolate AppArmor as
  being at least partially at fault.

  This issue seems to be somewhat similar to
  https://forum.snapcraft.io/t/dbus-related-apparmor-denials/37422,
  however it seems as if Element is trying to hit the right paths and
  interfaces and is still being denied (based on looking at the info in
  
https://github.com/snapcore/snapd/blob/master/interfaces/builtin/desktop_legacy.go
  and comparing the paths and interfaces there with the paths and
  interfaces shown by snappy-debug.

  I talked about this issue with Erich Eickmeyer and he mentioned that
  it occurred after a Plasma update. This doesn't make a great deal of
  sense to me, and I suspect possibly some other component of the
  affected systems happened to get updated at the same time (perhaps the
  snapd Snap), but it's definitely worth mentioning.

  An example of one of Thunderbir
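
The snappy-debug denials quoted in the bug description above can be parsed and grouped for triage, as in this added example (not part of the original report, snapd or snappy-debug). The function names are hypothetical; the `= AppArmor =` record separator, the `Log:` prefix and the sample records are taken from the report, with the mail line-wrapping kept so the re-joining step is exercised.

```python
import re
from collections import Counter, defaultdict

# Sample input: the five denials quoted in the bug description, wrapped as in the mail.
SAMPLE = '''\
= AppArmor =
Time: 2024-03-10T13:4
Log: apparmor="DENIED" operation="dbus_method_call"  bus="session"
path="/org/freedesktop/DBus" interface="org.freedesktop.DBus"
member="ListActivatableNames" mask="send" name="org.freedesktop.DBus" pid=2950
label="snap.element-desktop.element-desktop" peer_label="unconfined"
DBus access

= AppArmor =
Time: 2024-03-10T13:4
Log: apparmor="DENIED" operation="dbus_method_call"  bus="session"
path="/modules/kwalletd5" interface="org.kde.KWallet" member="isEnabled"
mask="send" name="org.kde.kwalletd5" pid=2950
label="snap.element-desktop.element-desktop" peer_pid=1762
peer_label="unconfined"
DBus access

= AppArmor =
Time: 2024-03-10T13:4
Log: apparmor="DENIED" operation="dbus_method_call"  bus="session"
path="/modules/kwalletd5" interface="org.kde.KWallet" member="close"
mask="send" name="org.kde.kwalletd5" pid=2950
label="snap.element-desktop.element-desktop" peer_pid=1762
peer_label="unconfined"
DBus access

= AppArmor =
Time: 2024-03-10T13:4
Log: apparmor="DENIED" operation="dbus_method_call"  bus="session"
path="/StatusNotifierItem" interface="org.freedesktop.DBus.Properties"
member="GetAll" name=":1.45" mask="receive" pid=2950
label="snap.element-desktop.element-desktop" peer_pid=2394
peer_label="plasmashell"
DBus access

= AppArmor =
Time: 2024-03-10T13:4
Log: apparmor="DENIED" operation="dbus_signal"  bus="session"
path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem"
member="NewToolTip" mask="send" name="org.freedesktop.DBus" pid=2950
label="snap.element-desktop.element-desktop" peer_pid=2394
peer_label="plasmashell"
DBus access
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare
REQUIRED = ("label", "mask", "bus", "path", "interface", "member")

def parse_denials(text):
    """Yield one dict per AppArmor DBus denial, re-joining wrapped Log: lines."""
    for record in text.split("= AppArmor =")[1:]:
        _, sep, log = record.partition("Log:")
        if not sep:
            continue  # record without a Log: line
        fields = {k: bare or quoted for k, quoted, bare in FIELD.findall(" ".join(log.split()))}
        if (fields.get("apparmor") == "DENIED"
                and fields.get("operation", "").startswith("dbus_")
                and all(k in fields for k in REQUIRED)):
            yield fields

def group_denials(denials):
    """Group denied members by (profile, mask, bus, path, interface, peer label)."""
    groups = defaultdict(set)
    for d in denials:
        key = (d["label"], d["mask"], d["bus"], d["path"], d["interface"],
               d.get("peer_label", ""))
        groups[key].add(d["member"])
    return dict(groups)

def candidate_rule(key, members):
    """Render one group in AppArmor dbus rule syntax, as a candidate for review."""
    _label, mask, bus, path, interface, peer_label = key
    names = sorted(members)
    member = names[0] if len(names) == 1 else '"{' + ",".join(names) + '}"'
    rule = f"dbus ({mask}) bus={bus} path={path} interface={interface} member={member}"
    if peer_label:
        rule += f" peer=(label={peer_label})"
    return rule + ","

def peers(denials):
    """Count denials per peer label, to see which peers the profile does not cover."""
    return Counter(d.get("peer_label", "") for d in denials)

if __name__ == "__main__":
    denials = list(parse_denials(SAMPLE))
    for key, members in group_denials(denials).items():
        print(f"# profile {key[0]}\n{candidate_rule(key, members)}")
    print(peers(denials))
```

Each rendered line is a candidate to review against the snapd interface the snap actually plugs, not a rule to apply as-is.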

[Touch-packages] [Bug 2058691] Re: No sound card detected on the Dell xps 16 2024 (9640)

2024-03-25 Thread Alex Hulbert
I think sof-mtl-rt711-4ch.tplg and sof-mtl-rt711.tplg aren't the same
thing. I'm guessing the former is for devices with four audio channels?
I'm on arch with a sof-mtl-rt711-4ch.tplg and another file beginning
with "sof-mtl-rt711", but no "sof-mtl-rt711.tplg". Renaming either of
them to sof-mtl-rt711 produces the same error. Also, googling
"sof-mtl-rt711" reveals an internal Intel document mentioning the
existence of this file, so I'd imagine Intel hasn't released the file yet.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to alsa-driver in Ubuntu.
https://bugs.launchpad.net/bugs/2058691

Title:
  No sound card detected on the Dell xps 16 2024 (9640)

Status in alsa-driver package in Ubuntu:
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/2058691/+subscriptions




[Touch-packages] [Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors

2024-03-20 Thread Alex Murray
Ok whilst I still can't see the /StatusNotifierItem object listed via
d-feet I can reproduce the denials when launching element-desktop so I
have added some additional changes to the aforementioned PR which
resolve these as well. With all the changes from that PR in place all of
these mentioned denials are resolved.

** Changed in: snapd
   Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056696

Title:
  All Snaps are denied the ability to use DBus for notifications and
  apptray indicators in KDE-based flavors

Status in snapd:
  In Progress
Status in apparmor package in Ubuntu:
  Confirmed


[Touch-packages] [Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors

2024-03-20 Thread Alex Murray
The subsequent error is:

Main script file /usr/lib/x86_64-linux-gnu/calamares/modules/automirror/main.py
for python job automirror raised an exception.


Is there any way I can debug this further?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056696

Title:
  All Snaps are denied the ability to use DBus for notifications and
  apptray indicators in KDE-based flavors

Status in snapd:
  New
Status in apparmor package in Ubuntu:
  Confirmed


[Touch-packages] [Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors

2024-03-20 Thread Alex Murray
Ah although it seems I can reboot the VM at this point and whilst
Calamares appeared to run again in the rebooted vm if I choose
Install Calamares closes and I see the installed kubuntu environment -
weird

Anyway I think I will be able to use this to debug the original issue
further - will continue and let you know what I find.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056696

Title:
  All Snaps are denied the ability to use DBus for notifications and
  apptray indicators in KDE-based flavors

Status in snapd:
  New
Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  OS: Kubuntu Noble 24.04 Alpha (two-day old install)
  snapd version: 2.61.2
  Affected Snaps: firefox, thunderbird, element-desktop

  Steps to reproduce:

  # For Firefox:
  1. Open the Firefox Snap.
  2. Open https://www.bennish.net/web-notifications.html.
  3. Click "Authorize" and allow the website to send notifications.
  4. Click "Show".
  Expected result: A notification should be displayed by Plasma, similar to 
other notifications the system displays.
  Actual result: The notification shows up in the upper-right corner of the 
display, improperly themed and obviously generated by Firefox as a fallback.

  # For Thunderbird:
  1. Open the Thunderbird Snap.
  2. Ensure you are connected to an email account.
  3. Unfocus the Thunderbird window.
  4. Wait for an email to come through.
  Expected result: When the email comes through, a notification should be 
displayed by Plasma, similar to other notifications the system displays.
  Actual result: The notification shows up improperly themed and obviously 
generated by Thunderbird as a fallback.

  # For Element:
  1. Open the Element Snap.
  Expected result: An apptray indicator should appear in the system tray with 
the Element logo.
  Actual result: No such indicator appears.
  2. Log in, ask someone to ping you, then unfocus the window and wait for the 
ping to come through.
  Expected result: A notification should be displayed by Plasma, similar to 
other notifications the system displays.
  Actual result: No notification appears at all.

  Additional information:

  Based on the output of snappy-debug, this appears to be AppArmor related,  at 
least for element-desktop (but presumably for the others too). Of note are some 
of the following log entries:
  ```
  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" 
path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" 
member="ListActivatableNames" mask="send" name="org.freedesktop.DBus" pid=2950 
label="snap.element-desktop.element-desktop" peer_label="unconfined"
  DBus access

  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" 
path="/modules/kwalletd5" interface="org.kde.KWallet" member="isEnabled" 
mask="send" name="org.kde.kwalletd5" pid=2950 
label="snap.element-desktop.element-desktop" peer_pid=1762 
peer_label="unconfined"
  DBus access

  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" 
path="/modules/kwalletd5" interface="org.kde.KWallet" member="close" 
mask="send" name="org.kde.kwalletd5" pid=2950 
label="snap.element-desktop.element-desktop" peer_pid=1762 
peer_label="unconfined"
  DBus access

  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" 
path="/StatusNotifierItem" interface="org.freedesktop.DBus.Properties" 
member="GetAll" name=":1.45" mask="receive" pid=2950 
label="snap.element-desktop.element-desktop" peer_pid=2394 
peer_label="plasmashell"
  DBus access

  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_signal"  bus="session" 
path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem" 
member="NewToolTip" mask="send" name="org.freedesktop.DBus" pid=2950 
label="snap.element-desktop.element-desktop" peer_pid=2394 
peer_label="plasmashell"
  DBus access
  ```

  Booting with `apparmor=0` set on the kernel command line fixes the
  issue with Element (apptray indicator appears, notifications show up).
  Obviously this is not a solution, but it does isolate AppArmor as
  being at least partially at fault.

  This issue seems to be somewhat similar to
  https://forum.snapcraft.io/t/dbus-related-apparmor-denials/37422,
  however it seems as if Element is trying to hit the right paths and
  interfaces and is still being denied (based on looking at the info in
  
https://github.com/snapcore/snapd/blob/master/interfaces/builtin/desktop_legacy.go
  and comparing the paths and interfaces there with the paths and
  interfaces shown by snappy-debug.

  I talked about this issue with Erich Eickmeyer and he mentioned that
  it occurred after a Plasma update. This doesn't make a great deal of
  sense to m

[Touch-packages] [Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors

2024-03-20 Thread Alex Murray
Yes I hit that exact issue in Calamares but after fixing it I then hit
another similar crash in a different script in calamares - will see if I
can reproduce and provide you with details.


[Touch-packages] [Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors

2024-03-19 Thread Alex Murray
So I installed kubuntu-desktop on an up-to-date noble VM and then after
logging into the kubuntu session I was able to reproduce the issue for
Notifications but I couldn't see anything owning the /StatusNotifierItem
dbus path.

For notifications I submitted
https://github.com/snapcore/snapd/pull/13737 to snapd which should
resolve that but if anyone can help me reproduce the issue for the
status notifier item that would be great. FWIW I have attached a
screenshot of d-feet showing the various dbus paths owned by plasmashell
and /StatusNotifierItem is not listed. Am I perhaps missing some other
package that doesn't get pulled in by the standard kubuntu-desktop
metapackage?

** Attachment added: "Pasted image.png"
   
https://bugs.launchpad.net/snapd/+bug/2056696/+attachment/5757409/+files/Pasted%20image.png


[Touch-packages] [Bug 2058329] [NEW] Update apparmor to 4.0.0-beta3 in noble

2024-03-18 Thread Alex Murray
Public bug reported:

Latest upstream release
https://gitlab.com/apparmor/apparmor/-/releases/v4.0.0-beta3

Contains only bug fixes since 4.0.0-beta2 which is currently in
noble-proposed thus does not require a FFe.

** Affects: apparmor (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2058329

Title:
  Update apparmor to 4.0.0-beta3 in noble

Status in apparmor package in Ubuntu:
  New

Bug description:
  Latest upstream release
  https://gitlab.com/apparmor/apparmor/-/releases/v4.0.0-beta3

  Contains only bug fixes since 4.0.0-beta2 which is currently in
  noble-proposed thus does not require a FFe.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2058329/+subscriptions




[Touch-packages] [Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors

2024-03-14 Thread Alex Murray
> Log: apparmor="DENIED" operation="dbus_method_call" bus="session"
path="/org/freedesktop/DBus" interface="org.freedesktop.DBus"
member="ListActivatableNames" mask="send" name="org.freedesktop.DBus"
pid=2950 label="snap.element-desktop.element-desktop"
peer_label="unconfined"

This is provided by the system-observe interface in snapd - currently it
looks like element-desktop does not plug this so the element-desktop
snap needs to be updated to include this.

> Log: apparmor="DENIED" operation="dbus_method_call" bus="session" 
> path="/modules/kwalletd5" interface="org.kde.KWallet" member="isEnabled" 
> mask="send" name="org.kde.kwalletd5" pid=2950 
> label="snap.element-desktop.element-desktop" peer_pid=1762 
> peer_label="unconfined"
> Log: apparmor="DENIED" operation="dbus_method_call" bus="session" 
> path="/modules/kwalletd5" interface="org.kde.KWallet" member="close" 
> mask="send" name="org.kde.kwalletd5" pid=2950 
> label="snap.element-desktop.element-desktop" peer_pid=1762 
> peer_label="unconfined"

These are provided by the password-manager-service interface in snapd -
again currently it looks like element-desktop does not plug this so the
element-desktop snap needs to be updated to include this as well.


Finally, for the last two

> Log: apparmor="DENIED" operation="dbus_method_call" bus="session" 
> path="/StatusNotifierItem" interface="org.freedesktop.DBus.Properties" 
> member="GetAll" name=":1.45" mask="receive" pid=2950 
> label="snap.element-desktop.element-desktop" peer_pid=2394 
> peer_label="plasmashell"
> Log: apparmor="DENIED" operation="dbus_signal" bus="session" 
> path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem" 
> member="NewToolTip" mask="send" name="org.freedesktop.DBus" pid=2950 
> label="snap.element-desktop.element-desktop" peer_pid=2394 
> peer_label="plasmashell"

Yes this is due to the peer_label mismatch - previously plasmashell
would run without an AppArmor profile and so was "unconfined" - the most
recent apparmor release in Noble contains a new profile for plasmashell
in /etc/apparmor.d/plasmashell with the label "plasmashell" - and so now
the peer_label doesn't match.

This likely needs to be fixed on the snapd side (or we figure out a way
in apparmor to not ship this profile).


[Touch-packages] [Bug 2056496] Re: [FFe] AppArmor 4.0-beta2 + prompting support for noble

2024-03-12 Thread Alex Murray
Uploaded to noble-proposed yesterday
https://launchpad.net/ubuntu/+source/apparmor/4.0.0~beta2-0ubuntu3

** Changed in: apparmor (Ubuntu)
   Status: Triaged => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056496

Title:
  [FFe] AppArmor 4.0-beta2 + prompting support for noble

Status in apparmor package in Ubuntu:
  Fix Committed

Bug description:
  AppArmor 4.0-beta2 contains fixes that prevented AppArmor 4.0-beta1
  from landing pre feature freeze.

  Landing AppArmor 4.0-betas will enable us to more easily track
  upstream bug fixes, and is needed to support network rules in
  prompting. The addition of the prompting patch on top of AppArmor 4.0
  is required to support snapd prompting in general for both file and
  network rules. Currently the prompting patch is not part of the
  upstream release but is part of the vendored apparmor in snapd. In
  order for snapd to be able to vendor the noble release of apparmor
  it requires support for prompting. The prompting patch is a straight
  rebase to AppArmor 4.0 of the patch that has been in testing in snapd
  prompting for more than six months.

  Changes from 4.0.0~alpha4-0ubuntu1 (current noble) version

  Beta1 added three additional features that were not present in alpha4 
(current Noble).
  • support for fine grained (address based) IPv4 and IPv6 mediation (required 
for prompting to support networking).
  • aa-notify support message filters to reduce notifications
  • aa-logprof/genprof support for mount rules

  None of these features affect existing policy, which will continue to
  function under the abi that it was developed under. This can be seen
  in the regression testing below.

  In addition to the 3 features introduced in Beta1, Beta1 and Beta2 add
  several bug fixes the most important are highlighted below with the
  full list available in the upstream release notes, available at
  https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0-beta1
  and
  https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0-beta2

  • new unconfined profiles in support of unprivileged user namespace mediation
    https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626
  ∘ nautilus, devhelp, element-desktop, epiphany, evolution, keybase, opam
  • fix policy generation for non-af_inet rules (MR:1175)
  • Fix race when reading proc files (AABUG:355, MR:1157)
  • handle unprivileged_userns transition in userns tests (MR:1146)
  • fix usr-merge failures on exec and regex tests (MR:1146)

  This proposed change has been tested via the QA Regression Testing
  project, in particular with the specific test added in
  https://git.launchpad.net/qa-regression-testing/commit/?id=6f2c5ab7c8659174adac772ce0e894328bb5045d

  The output of a test run is in the attached qrt.output file. Of which the 
summary is below
  Ran 62 tests in 811.542s

  OK (skipped=3)

  apparmor_4.0.0~beta2-0ubuntu3 has been installed on several up to date (as of 
March 7) noble systems. Boot/Reboot and regression tests have been done, 
against 
  different kernel versions.
     6.8.0-11-generic #11-Ubuntu
     6.5.0-14-generic #14-Ubuntu
     6.7.0 (upstream custom build)
     6.8-rc3 (upstream custom build)

  The changelog is available here
  
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-devel/+files/apparmor_4.0.0~beta2-0ubuntu3_source.changes

  The prepared package is available via the ppa
  https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-ffe

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056496/+subscriptions




[Touch-packages] [Bug 2054924] Re: color emoji are broken with fontconfig 2.15

2024-03-06 Thread Alex Murray
As per
https://gitlab.freedesktop.org/fontconfig/fontconfig/-/issues/409#note_2298588
this can also be fixed by adding an additional rule to
/etc/fonts/conf.d/70-no-bitmaps.conf of the form:

false

** Bug watch added: gitlab.freedesktop.org/fontconfig/fontconfig/-/issues #409
   https://gitlab.freedesktop.org/fontconfig/fontconfig/-/issues/409

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to fontconfig in Ubuntu.
https://bugs.launchpad.net/bugs/2054924

Title:
  color emoji are broken with fontconfig 2.15

Status in Fontconfig:
  Fix Released
Status in fontconfig package in Ubuntu:
  Triaged
Status in fonts-noto-color-emoji package in Ubuntu:
  Triaged
Status in fontconfig package in Debian:
  Confirmed

Bug description:
  The Noto Color Emoji font is no longer used to show emoji. Many emoji
  no longer show and the few that do are not in color.

To manage notifications about this bug go to:
https://bugs.launchpad.net/fontconfig/+bug/2054924/+subscriptions




[Touch-packages] [Bug 2051540] Re: ufw ftbfs with Python 3.12 as default

2024-02-07 Thread Alex Murray
Both dep8 tests already declare a Depends on python3-distutils - and we
can see that the current test runs all used the 3.11 based
python3-distutils - do we need a no-change-rebuild of
python3-stdlib-extensions so that it builds against python 3.12?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ufw in Ubuntu.
https://bugs.launchpad.net/bugs/2051540

Title:
  ufw ftbfs with Python 3.12 as default

Status in ufw:
  Fix Committed
Status in ufw package in Ubuntu:
  Confirmed
Status in ufw package in Debian:
  Fix Released

Bug description:
  ==
  ERROR: test_ufwcommand_parse (tests.unit.test_parser.ParserTestCase.test_ufwcommand_parse)
  Test UFWCommand.parse()
  --
  Traceback (most recent call last):
    File "/<>/tests/unit/test_parser.py", line 88, in test_ufwcommand_parse
      self.assertEquals('status', pr.action, "%s != 'status'" % (pr.action))
      ^
  AttributeError: 'ParserTestCase' object has no attribute 'assertEquals'. Did you mean: 'assertEqual'?

  ==
  ERROR: test_ufwcommand_rule_get_command (tests.unit.test_parser.ParserTestCase.test_ufwcommand_rule_get_command)
  Test UFWCommand(Route)Rule.get_command()
  --
  Traceback (most recent call last):
    File "/<>/tests/unit/test_parser.py", line 375, in test_ufwcommand_rule_get_command
      self.assertEquals(len(errors), 0,
      ^
  AttributeError: 'ParserTestCase' object has no attribute 'assertEquals'. Did you mean: 'assertEqual'?

  --
  Ran 24 tests in 7.584s

  FAILED (errors=9)
  test_skeleton
  test_example (tests.unit.test_skeleton.SkeletonTestCase.test_example)
  Test example dummy test ... ok

  --
  Ran 1 test in 0.000s

  OK

To manage notifications about this bug go to:
https://bugs.launchpad.net/ufw/+bug/2051540/+subscriptions




[Touch-packages] [Bug 2051540] Re: ufw ftbfs with Python 3.12 as default

2024-01-30 Thread Alex Murray
** Also affects: ufw
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ufw in Ubuntu.
https://bugs.launchpad.net/bugs/2051540

Title:
  ufw ftbfs with Python 3.12 as default

Status in ufw:
  New
Status in ufw package in Ubuntu:
  Confirmed



[Touch-packages] [Bug 2051594] [NEW] package libpam-modules 1.3.1-5ubuntu4.7 failed to install/upgrade: new libpam-modules:amd64 package pre-installation script subprocess returned error exit status 2

2024-01-29 Thread Alex V.
Public bug reported:

failed during upgrade

ProblemType: Package
DistroRelease: Ubuntu 20.04
Package: libpam-modules 1.3.1-5ubuntu4.7
ProcVersionSignature: Ubuntu 5.4.0-170.188-generic 5.4.257
Uname: Linux 5.4.0-170-generic x86_64
ApportVersion: 2.20.11-0ubuntu27.27
Architecture: amd64
CasperMD5CheckResult: skip
Date: Mon Jan 29 13:45:41 2024
ErrorMessage: new libpam-modules:amd64 package pre-installation script subprocess returned error exit status 2
InstallationDate: Installed on 2017-09-02 (2340 days ago)
InstallationMedia:
 
Python3Details: /usr/bin/python3.10, Python 3.10.12, python3-minimal, 3.10.6-1~22.04
PythonDetails: N/A
RelatedPackageVersions:
 dpkg 1.21.1ubuntu2.2
 apt  2.0.10
SourcePackage: pam
Title: package libpam-modules 1.3.1-5ubuntu4.7 failed to install/upgrade: new libpam-modules:amd64 package pre-installation script subprocess returned error exit status 2
UpgradeStatus: Upgraded to focal on 2024-01-29 (0 days ago)
modified.conffile..etc.security.limits.conf: [modified]
mtime.conffile..etc.security.limits.conf: 2017-09-01T17:53:53.083396

** Affects: pam (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: amd64 apport-package focal third-party-packages

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/2051594

Title:
  package libpam-modules 1.3.1-5ubuntu4.7 failed to install/upgrade: new
  libpam-modules:amd64 package pre-installation script subprocess
  returned error exit status 2

Status in pam package in Ubuntu:
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/2051594/+subscriptions




[Touch-packages] [Bug 2020838] Re: [regression][jammy] augenrules Error sending add rule data request (No such file or directory)

2023-12-06 Thread Alex Alksne
@Seth I just want to say that I am that person! I signed up specifically
to thank @Chuan and you for getting to the bottom of this. I had the
exact same error and setting `ProtectHome=false` solved the issue, thank
you!

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to audit in Ubuntu.
https://bugs.launchpad.net/bugs/2020838

Title:
  [regression][jammy] augenrules Error sending add rule data request (No
  such file or directory)

Status in audit package in Ubuntu:
  New

Bug description:
  The rule '-a always,exit -F path=/home/ubuntu/test.sh -F perm=x -F
  auid>=1000 -F auid!=unset -k privileged' can not be loaded during
  system boot up.

  # lsb_release -rc
  Release:  22.04
  Codename: jammy

  # dpkg -l|grep audit
  ii  auditd             1:3.0.7-1build1  amd64  User space tools for security auditing
  ii  libaudit-common    1:3.0.7-1build1  all    Dynamic library for security auditing - common files
  ii  libaudit1:amd64    1:3.0.7-1build1  amd64  Dynamic library for security auditing
  ii  libauparse0:amd64  1:3.0.7-1build1  amd64  Dynamic library for parsing security auditing

  # cat /etc/audit/rules.d/audit.rules|grep -v ^#|grep -v ^$
  -D
  -a always,exit -F path=/home/ubuntu/test.sh -F perm=x -F auid>=1000 -F auid!=unset -k privileged
  -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts
  -b 8192
  --backlog_wait_time 6
  -f 1

  # ls -l /home/ubuntu/test.sh 
  -rwxr-xr-x 1 root ubuntu 19 May 25 14:19 /home/ubuntu/test.sh

  # cat /home/ubuntu/test.sh
  #!/bin/bash
  echo 1

  
  # >/etc/audit/audit.rules

  reboot the system, no rule can be loaded

  # auditctl -l
  No rules

  syslog:

  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: Error sending add rule data request (No such file or directory)
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: There was an error in line 5 of /etc/audit/audit.rules
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: No rules
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: enabled 1
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: failure 1
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: pid 476
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: rate_limit 0
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_limit 8192
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: lost 0
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog 0
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_wait_time 15000
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_wait_time_actual 0
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: enabled 1
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: failure 1
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: pid 476
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: rate_limit 0
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_limit 8192
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: lost 0
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog 0
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_wait_time 15000
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_wait_time_actual 0

  # cat /etc/audit/audit.rules
  ## This file is automatically generated from /etc/audit/rules.d
  -D
  -b 8192
  -f 1
  -a always,exit -F path=/home/ubuntu/test.sh -F perm=x -F auid>=1000 -F auid!=unset -k privileged
  -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts
  --backlog_wait_time 6

  But I can manually load the rule file. It seems this issue only happens
  during system boot up.

  # auditctl -R /etc/audit/audit.rules
  No rules
  enabled 1
  failure 1
  pid 476
  rate_limit 0
  backlog_limit 8192
  lost 0
  backlog 4
  backlog_wait_time 15000
  backlog_wait_time_actual 0
  enabled 1
  failure 1
  pid 476
  rate_limit 0
  backlog_limit 8192
  lost 0
  backlog 4
  backlog_wait_time 15000
  backlog_wait_time_actual 0
  enabled 1
  failure 1
  pid 476
  rate_limit 0
  backlog_limit 8192
  lost 0
  backlog 14
  backlog_wait_time 6
  backlog_wait_time_actual 0

  # auditctl -l
  -a always,exit -S all -F path=/home/ubuntu/test.sh -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
  -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=-1 -F key=mounts

  If I move the file /home/ubuntu/test.sh to /opt/test.sh, /etc/test.sh or
  /usr/bin/test.sh, then I cannot reproduce the issue.
  Additionally, I have ruled out AppArmor as a factor. I have already
  disabled the AppArmor service and appended "apparmor=0" to the kernel
  command line before rebooting.

  Moreover, I can NOT reproduce this issue on Focal (1:2.8.5-2ubuntu6)

  There are 2 issues here, I think

  1) If the rules can be
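
A lint for the interaction reported in this thread, where a rule on a path under /home failed to load at boot until `ProtectHome=false` was set. This is an added example, not part of the original report or of the audit package. It assumes the rules are loaded from a systemd unit whose text you pass in; the function names and the unit snippet are constructed here, and the rules are the ones quoted in the report.

```python
import posixpath
import shlex

# Directories that systemd's ProtectHome= hides from a unit's processes.
PROTECTED_DIRS = ("/home", "/root", "/run/user")
# Values that make those directories inaccessible or empty. "read-only"
# keeps them visible, so a path lookup made while loading a rule succeeds.
HIDING_VALUES = {"yes", "true", "on", "1", "tmpfs"}

# Rules as quoted in the bug report (/etc/audit/rules.d/audit.rules).
REPORTED_RULES = """\
-D
-a always,exit -F path=/home/ubuntu/test.sh -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts
-b 8192
--backlog_wait_time 6
-f 1
"""

# Constructed unit snippet (assumption: the report does not show the unit file).
SAMPLE_UNIT = "[Service]\nProtectHome=true\n"


def protect_home_setting(unit_text):
    """Return the effective ProtectHome= value (last assignment wins)."""
    value = "no"  # systemd's default
    for raw in unit_text.splitlines():
        line = raw.strip()
        if line.startswith("ProtectHome="):
            value = line.split("=", 1)[1].strip().lower() or "no"
    return value


def rule_paths(rule_line):
    """Extract filesystem paths named by one audit rule (-w, -F path=, -F dir=)."""
    try:
        tokens = shlex.split(rule_line, comments=True)
    except ValueError:  # unbalanced quote: not a rule this lint can read
        return []
    paths = []
    for flag, arg in zip(tokens, tokens[1:]):
        if flag == "-w":
            paths.append(arg)
        elif flag == "-F" and arg.startswith(("path=", "dir=")):
            paths.append(arg.split("=", 1)[1])
    return paths


def is_hidden(path):
    """True if the path lies in a directory that ProtectHome= hides."""
    norm = posixpath.normpath(path)
    return any(norm == d or norm.startswith(d + "/") for d in PROTECTED_DIRS)


def hidden_rule_paths(rules_text, unit_text):
    """Return (line number, path) for rules the sandboxed loader cannot resolve."""
    if protect_home_setting(unit_text) not in HIDING_VALUES:
        return []
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        for path in rule_paths(line):
            if is_hidden(path):
                findings.append((lineno, path))
    return findings


if __name__ == "__main__":
    for lineno, path in hidden_rule_paths(REPORTED_RULES, SAMPLE_UNIT):
        print(f"rule line {lineno}: {path} is not visible under ProtectHome")
```
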

[Touch-packages] [Bug 2029464] Re: A stack overflow in GNU Tar

2023-12-05 Thread Alex Murray
Actually I just got it working - no need to send PoC @kerneldude - I
made my own.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to tar in Ubuntu.
https://bugs.launchpad.net/bugs/2029464

Title:
  A stack overflow in GNU Tar

Status in tar package in Ubuntu:
  New

Bug description:
  A stack overflow vulnerability exists in GNU Tar up to and including
  v1.34; as far as I can see, Ubuntu is using v1.3.
  The bug exists in the function xattr_decoder() in xheader.c, where
  alloca() is used and it may overflow the stack if a sufficiently long
  xattr key is used. The vulnerability can be triggered when extracting
  a tar/pax archive that contains such a long xattr key.

  Vulnerable code:
  https://git.savannah.gnu.org/cgit/tar.git/tree/src/xheader.c?h=release_1_34#n1723

  PoC tar archive is attached in a zip archive to reduce the size.

  I reported the vulnerability yesterday to GNU Tar maintainers and they
  replied that the issue was fixed in the version that was released two
  weeks ago:

  "Sergey fixed that bug here:

  https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4

  and the fix appears in tar 1.35, released July 18."

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tar/+bug/2029464/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
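
A pre-extraction check for the condition this bug describes, as an added example that is not part of the thread or of GNU tar: it reads only the pax headers with Python's `tarfile` and flags any `SCHILY.xattr.*` keyword whose attribute name is longer than Linux's 255-byte `XATTR_NAME_MAX`, which no restorable xattr can exceed. The function names, the choice of threshold and the small sample archives are assumptions made here.

```python
import io
import tarfile

# Linux limits an extended-attribute name (namespace prefix included) to
# 255 bytes, so a longer pax xattr keyword can never be applied on extraction.
XATTR_NAME_MAX = 255
XATTR_PREFIX = "SCHILY.xattr."


def oversized_xattr_keys(fileobj, limit=XATTR_NAME_MAX):
    """Return (scope, name length in bytes) for each pax xattr keyword whose
    attribute name exceeds `limit`. Only headers are read; nothing is
    extracted. Note that tarfile loads each extended header into memory."""
    findings = []

    def check(scope, headers):
        for keyword in headers:
            if not keyword.startswith(XATTR_PREFIX):
                continue
            name = keyword[len(XATTR_PREFIX):]
            name_len = len(name.encode("utf-8", "surrogateescape"))
            if name_len > limit:
                findings.append((scope, name_len))

    with tarfile.open(fileobj=fileobj, mode="r:*") as archive:
        for member in archive:
            # tarfile copies global headers into members that also carry
            # their own extended header; report those once, under the
            # global scope below.
            own = {k: v for k, v in member.pax_headers.items()
                   if k not in archive.pax_headers}
            check(member.name, own)
        check("<global pax header>", archive.pax_headers)
    return findings


def build_sample(pad):
    """Constructed sample: a pax archive with one empty file "bar" carrying
    a single xattr named "user." followed by `pad` letters."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as archive:
        info = tarfile.TarInfo(name="bar")
        info.pax_headers = {XATTR_PREFIX + "user." + "a" * pad: "test"}
        archive.addfile(info)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for scope, length in oversized_xattr_keys(build_sample(300)):
        print(f"{scope}: xattr name of {length} bytes exceeds {XATTR_NAME_MAX}")
```
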


[Touch-packages] [Bug 2029464] Re: A stack overflow in GNU Tar

2023-12-05 Thread Alex Murray
So I managed to create a tar file with an extended attribute name of
length of ~ 36 bytes long (the largest I can do without exceeding
the existing check on maximum extended header lengths it seems) but this
is not able to trigger the vuln - so if you are able to share your PoC
that would be great.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to tar in Ubuntu.
https://bugs.launchpad.net/bugs/2029464

Title:
  A stack overflow in GNU Tar

Status in tar package in Ubuntu:
  New



[Touch-packages] [Bug 2029464] Re: A stack overflow in GNU Tar

2023-12-04 Thread Alex Murray
@kerneldude - any chance you could share your poc (perhaps email it to
secur...@ubuntu.com rather than post it publicly here)? I have tried
creating one via the following but I hit the CLI args limit before I can
get an xattr key long enough:

touch bar
tar --pax-option SCHILY.xattr.user.$(python3 -c "print('a'*131048)"):=test -cf poc-crafted.tar bar

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to tar in Ubuntu.
https://bugs.launchpad.net/bugs/2029464

Title:
  A stack overflow in GNU Tar

Status in tar package in Ubuntu:
  New



[Touch-packages] [Bug 2029464] Re: A stack overflow in GNU Tar

2023-11-30 Thread Alex Murray
Excellent - thanks for letting us know. So since a CVE has already been
assigned then we won't assign an additional one. I'll add the details to
our CVE tracker.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to tar in Ubuntu.
https://bugs.launchpad.net/bugs/2029464

Title:
  A stack overflow in GNU Tar

Status in tar package in Ubuntu:
  New



[Touch-packages] [Bug 2029464] Re: A stack overflow in GNU Tar

2023-11-29 Thread Alex Murray
@kerneldude - do you know if MITRE ever assigned a CVE for this?

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to tar in Ubuntu.
https://bugs.launchpad.net/bugs/2029464

Title:
  A stack overflow in GNU Tar

Status in tar package in Ubuntu:
  New



[Touch-packages] [Bug 2044625] Re: package libgdk-pixbuf-2.0-0:amd64 2.42.10+dfsg-1build1 failed to install/upgrade: зацикливание триггеров, отмена работы

2023-11-29 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to gdk-pixbuf in Ubuntu.
https://bugs.launchpad.net/bugs/2044625

Title:
  package libgdk-pixbuf-2.0-0:amd64 2.42.10+dfsg-1build1 failed to
  install/upgrade: зацикливание триггеров, отмена работы

Status in gdk-pixbuf package in Ubuntu:
  New

Bug description:
  ubuntu update to lunar lobster version

  ProblemType: Package
  DistroRelease: Ubuntu 23.04
  Package: libgdk-pixbuf-2.0-0:amd64 2.42.10+dfsg-1build1
  ProcVersionSignature: Ubuntu 5.15.0-89.99-generic 5.15.126
  Uname: Linux 5.15.0-89-generic x86_64
  ApportVersion: 2.26.1-0ubuntu2.1
  Architecture: amd64
  CasperMD5CheckResult: unknown
  Date: Sun Nov 26 02:02:30 2023
  ErrorMessage: зацикливание триггеров, отмена работы
  InstallationDate: Installed on 2023-11-25 (0 days ago)
  InstallationMedia: Ubuntu 20.04.6 LTS "Focal Fossa" - Release amd64 (20230316)
  Python3Details: /usr/bin/python3.11, Python 3.11.4, python3-minimal, 3.11.2-1
  PythonDetails: N/A
  RebootRequiredPkgs: Error: path contained symlinks.
  RelatedPackageVersions:
   dpkg 1.21.21ubuntu1
   apt  2.6.0ubuntu0.1
  SourcePackage: gdk-pixbuf
  Title: package libgdk-pixbuf-2.0-0:amd64 2.42.10+dfsg-1build1 failed to install/upgrade: зацикливание триггеров, отмена работы
  UpgradeStatus: Upgraded to lunar on 2023-11-25 (0 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gdk-pixbuf/+bug/2044625/+subscriptions




[Touch-packages] [Bug 2043711] Re: Open3.pm tries to run code in /tmp when updating ubuntu-drivers-common

2023-11-19 Thread Alex Murray
I am still struggling to see the vulnerability here - the path used in
this case, /tmp/ubuntu-drivers-common.config.55GJ8b, appears to have a
randomly generated suffix and so couldn't have been guessed beforehand
nor preseeded with other contents by a local attacker - so the only way
that I can see that this could be a vulnerability would be if this
file was world-writable - but it is not clear that this is the case
either.

Assuming this file comes from debconf, from what I can see in its
sources, it creates temporary files via the
https://perldoc.perl.org/File::Temp package - which states that files
are created with permissions 0600 by default too.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to perl in Ubuntu.
https://bugs.launchpad.net/bugs/2043711

Title:
  Open3.pm tries to run code in /tmp when updating ubuntu-drivers-common

Status in perl package in Ubuntu:
  Invalid

Bug description:
  During update of ubuntu-drivers-common:

    Can't exec "/tmp/ubuntu-drivers-common.config.55GJ8b": Permission denied at /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178,  line 1.
    open2: exec of /tmp/ubuntu-drivers-common.config.55GJ8b configure 1:0.9.6.2~0.22.04.4 failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59.
    Preconfiguring packages ...
    Can't exec "/tmp/ubuntu-drivers-common.config.uSPrCH": Permission denied at /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178,  line 1.
    open2: exec of /tmp/ubuntu-drivers-common.config.uSPrCH configure 1:0.9.6.2~0.22.04.4 failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59.

  /tmp is mounted with noexec because running code from /tmp has been a
  vulnerability vector for several decades, hence reporting this as a
  vulnerability in perl-base.

  This error did not appear to prevent the update of ubuntu-drivers-
  common and "dpkg --verify ubuntu-drivers-common" returns 0.

  
___

  Attempting to use the package search on this form by clicking the 🔍
  created a modal in which there is an error

Sorry, something went wrong with your search. We've recorded what
  happened, and we'll fix it as soon as possible. (Error ID:
  OOPS-c80f71590b02908a1187b9f743c53eac)

  which is repeated with any attempt to search for a package.

  
___

  Submitting this form gives an error

"perl-base" does not exist in Ubuntu. Please choose a different
  package. If you're unsure, please select "I don't know"

$ dpkg -S /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm
perl-base: /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm
$ dpkg -l perl-base
    Desired=Unknown/Install/Remove/Purge/Hold
    | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
    |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
    ||/ Name       Version           Architecture Description
    +++-==-=--=>
    ii  perl-base  5.34.0-3ubuntu1.2 amd64        minimal Perl system

  Looks like a package to me. Nevertheless, using "Did you mean..."
  offers "perl".

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: perl-base 5.34.0-3ubuntu1.2
  ProcVersionSignature: Ubuntu 6.5.0-1007.7-oem 6.5.3
  Uname: Linux 6.5.0-1007-oem x86_64
  ApportVersion: 2.20.11-0ubuntu82.5
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Thu Nov 16 10:08:48 2023
  InstallationDate: Installed on 2016-04-23 (2763 days ago)
  InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
  ProcEnviron:
   TERM=rxvt
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: perl
  UpgradeStatus: Upgraded to jammy on 2022-08-19 (453 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/perl/+bug/2043711/+subscriptions




[Touch-packages] [Bug 2043049] [NEW] logging out when screen goes blank

2023-11-08 Thread alex valin
Public bug reported:

when the screen of my laptop goes blank, it will log me out. this
happens when I lock my laptop or put it to sleep. This only happens on
wayland.

ProblemType: Bug
DistroRelease: Ubuntu 23.10
Package: xorg 1:7.7+23ubuntu2
ProcVersionSignature: Ubuntu 6.5.0-10.10-generic 6.5.3
Uname: Linux 6.5.0-10-generic x86_64
ApportVersion: 2.27.0-0ubuntu5
Architecture: amd64
BootLog: Error: [Errno 13] Permission denied: '/var/log/boot.log'
CasperMD5CheckResult: pass
CompositorRunning: None
CurrentDesktop: ubuntu:GNOME
Date: Wed Nov  8 15:02:48 2023
DistUpgraded: 2023-11-02 23:55:54,921 DEBUG icon theme changed, re-reading
DistroCodename: mantic
DistroVariant: ubuntu
DkmsStatus:
 openrazer-driver/3.4.0, 6.2.0-36-generic, x86_64: installed
 openrazer-driver/3.4.0, 6.5.0-10-generic, x86_64: installed
ExtraDebuggingInterest: Yes, if not too technical
GraphicsCard:
 Advanced Micro Devices, Inc. [AMD/ATI] Rembrandt [Radeon 680M] [1002:1681] (rev d1) (prog-if 00 [VGA controller])
   Subsystem: Lenovo Rembrandt [Radeon 680M] [17aa:50b6]
InstallationDate: Installed on 2022-12-03 (341 days ago)
InstallationMedia: Ubuntu 22.04.1 LTS "Jammy Jellyfish" - Release amd64 (20220809.1)
MachineType: {report['dmi.sys.vendor']} {report['dmi.product.name']}
ProcEnviron:
 LANG=en_US.UTF-8
 PATH=(custom, no user)
 SHELL=/bin/bash
 XDG_RUNTIME_DIR=
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-6.5.0-10-generic root=UUID=32b06683-a98d-4585-81c7-edb51198f58c ro quiet splash vt.handoff=7
SourcePackage: xorg
Symptom: display
Title: Xorg crash
UpgradeStatus: Upgraded to mantic on 2023-11-03 (6 days ago)
dmi.bios.date: 08/08/2023
dmi.bios.release: 1.40
dmi.bios.vendor: LENOVO
dmi.bios.version: R23ET70W (1.40 )
dmi.board.asset.tag: Not Available
dmi.board.name: 21CH000GUS
dmi.board.vendor: LENOVO
dmi.board.version: SDK0T76530 WIN
dmi.chassis.asset.tag: No Asset Information
dmi.chassis.type: 10
dmi.chassis.vendor: LENOVO
dmi.chassis.version: None
dmi.ec.firmware.release: 1.30
dmi.modalias: dmi:bvnLENOVO:bvrR23ET70W(1.40):bd08/08/2023:br1.40:efr1.30:svnLENOVO:pn21CH000GUS:pvrThinkPadT16Gen1:rvnLENOVO:rn21CH000GUS:rvrSDK0T76530WIN:cvnLENOVO:ct10:cvrNone:skuLENOVO_MT_21CH_BU_Think_FM_ThinkPadT16Gen1:
dmi.product.family: ThinkPad T16 Gen 1
dmi.product.name: 21CH000GUS
dmi.product.sku: LENOVO_MT_21CH_BU_Think_FM_ThinkPad T16 Gen 1
dmi.product.version: ThinkPad T16 Gen 1
dmi.sys.vendor: LENOVO
version.compiz: compiz N/A
version.libdrm2: libdrm2 2.4.115-1
version.libgl1-mesa-dri: libgl1-mesa-dri 23.2.1-1ubuntu3
version.libgl1-mesa-glx: libgl1-mesa-glx 23.0.4-0ubuntu1~23.04.1
version.xserver-xorg-core: xserver-xorg-core 2:21.1.7-3ubuntu2.1
version.xserver-xorg-input-evdev: xserver-xorg-input-evdev N/A
version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:19.1.0-3
version.xserver-xorg-video-intel: xserver-xorg-video-intel 2:2.99.917+git20210115-1
version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:1.0.17-2build1

** Affects: xorg (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: amd64 apport-bug crash mantic ubuntu wayland-session

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to xorg in Ubuntu.
https://bugs.launchpad.net/bugs/2043049

Title:
  logging out when screen goes blank

Status in xorg package in Ubuntu:
  New

Bug description:
  when the screen of my laptop goes blank, it will log me out. this
  happens when I lock my laptop or put it to sleep. This only happens on
  wayland.

  ProblemType: Bug
  DistroRelease: Ubuntu 23.10
  Package: xorg 1:7.7+23ubuntu2
  ProcVersionSignature: Ubuntu 6.5.0-10.10-generic 6.5.3
  Uname: Linux 6.5.0-10-generic x86_64
  ApportVersion: 2.27.0-0ubuntu5
  Architecture: amd64
  BootLog: Error: [Errno 13] Permission denied: '/var/log/boot.log'
  CasperMD5CheckResult: pass
  CompositorRunning: None
  CurrentDesktop: ubuntu:GNOME
  Date: Wed Nov  8 15:02:48 2023
  DistUpgraded: 2023-11-02 23:55:54,921 DEBUG icon theme changed, re-reading
  DistroCodename: mantic
  DistroVariant: ubuntu
  DkmsStatus:
   openrazer-driver/3.4.0, 6.2.0-36-generic, x86_64: installed
   openrazer-driver/3.4.0, 6.5.0-10-generic, x86_64: installed
  ExtraDebuggingInterest: Yes, if not too technical
  GraphicsCard:
   Advanced Micro Devices, Inc. [AMD/ATI] Rembrandt [Radeon 680M] [1002:1681] 
(rev d1) (prog-if 00 [VGA controller])
 Subsystem: Lenovo Rembrandt [Radeon 680M] [17aa:50b6]
  InstallationDate: Installed on 2022-12-03 (341 days ago)
  InstallationMedia: Ubuntu 22.04.1 LTS "Jammy Jellyfish" - Release amd64 
(20220809.1)
  MachineType: {report['dmi.sys.vendor']} {report['dmi.product.name']}
  ProcEnviron:
   LANG=en_US.UTF-8
   PATH=(custom, no user)
   SHELL=/bin/bash
   XDG_RUNTIME_DIR=
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-6.5.0-10-generic 
root=UUID=32b06683-a98d-4585-81c7-edb51198f58c ro quiet splash vt.handoff=7
  SourcePackage: xorg
  Symptom: display
  Title: Xorg crash
  UpgradeStatus: Upgraded

[Touch-packages] [Bug 2032851] Re: package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: new apparmor package pre-installation script subprocess returned error exit status 1

2023-11-01 Thread Alex Tu
Hi there, I appreciate the great work to fix this issue. We have some
AWS Ubuntu instances waiting for this release on Focal to upgrade from
18.04 to 20.04. Do you think there's an expected date that we can get
the new AppArmor from the generic focal pocket instead of Proposed
pocket?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2032851

Title:
  package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: new
  apparmor package pre-installation script subprocess returned error
  exit status 1

Status in apparmor package in Ubuntu:
  Fix Released
Status in apparmor source package in Focal:
  In Progress

Bug description:
  [ Impact ]

   * During an apparmor package upgrade, the cache files were
     deleted, but there could also be directories under
     /etc/apparmor.d/cache/ which the pre installation scripts did
     not account for. The upgrade would then fail with the
     following error message because it would not be able to remove
     the directories:

   package:apparmor:2.12-4ubuntu5.3
   Preparing to unpack .../16-apparmor_2.13.3-7ubuntu5.2_amd64.deb ...
   rm: cannot remove '/etc/apparmor.d/cache/bf9d6da9.0': Is a directory
   dpkg: error processing archive /tmp/apt-dpkg-install-InP0fz/16-apparmor_2.13.3-7ubuntu5.2_amd64.deb (--unpack):
    new apparmor package pre-installation script subprocess returned error exit status 1
   ErrorMessage: new apparmor package pre-installation script subprocess returned error exit status 1

  [ Test Plan ]

   * On a bionic machine, create a directory under
  /etc/apparmor.d/cache

  sudo mkdir /etc/apparmor.d/cache/test

   * To simulate a system upgrade to focal, you can run the following
  steps

  1. Add the focal archive

  sudo bash -c "cat 

[Touch-packages] [Bug 1739628] Re: sysconfig paths are incorrect

2023-10-26 Thread Alex Coplan
FWIW I can reproduce this on Ubuntu 18.04, 20.04, and 22.04 and on
multiple architectures (x86_64 and aarch64).

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to python2.7 in Ubuntu.
https://bugs.launchpad.net/bugs/1739628

Title:
  sysconfig paths are incorrect

Status in python2.7 package in Ubuntu:
  Confirmed

Bug description:
  On Ubuntu 17.10:

  $ ls /usr/include/python2.7
  abstract.h code.h   funcobject.h   marshal.h   pgenheaders.h   pymem.h
  $ ls /usr/local/include/python2.7
  ls: cannot access '/usr/local/include/python2.7': No such file or directory
  $ python -c "import sysconfig; print(sysconfig.get_path('include'))"
  /usr/local/include/python2.7

  Definitely wrong.

  Python is such a massive pain to integrate with - I actually switched
  from CMake's FindPythonLibs() which is heuristic-based and very
  unreliable to sysconfig - "surely python itself knows where it is
  installed?" I thought. Ha. Of course not. /rant

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1739628/+subscriptions




[Touch-packages] [Bug 2040484] Re: ubuntu_seccomp pseudo-syscall fails on s390

2023-10-25 Thread Alex Murray
Adding a task against libseccomp until we know more about where the bug
lies.

** Also affects: libseccomp (Ubuntu)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libseccomp in Ubuntu.
https://bugs.launchpad.net/bugs/2040484

Title:
  ubuntu_seccomp pseudo-syscall fails on s390

Status in ubuntu-kernel-tests:
  New
Status in libseccomp package in Ubuntu:
  New

Bug description:
  libseccomp upstream has changed the test code for 29-sim-
  pseudo_syscall.c, which has broken it for s390. Perhaps s390 has been
  broken since forever and the test change is just uncovering it. We
  need to investigate if the fix would be needed in the test, libseccomp
  or the kernel. This seems to affect at least 4.4 and 5.4 kernels, but
  may affect everything.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-kernel-tests/+bug/2040484/+subscriptions




[Touch-packages] [Bug 2018996] Re: whoopsie uses 100% CPU indefinitely on chrome crash file

2023-10-23 Thread Alex Babajanyan
It is happening to me too.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to whoopsie in Ubuntu.
https://bugs.launchpad.net/bugs/2018996

Title:
  whoopsie uses 100% CPU indefinitely on chrome crash file

Status in whoopsie package in Ubuntu:
  New

Bug description:
  $@ lsb_release -rd
  No LSB modules are available.
  Description:Ubuntu 23.04
  Release:23.04

  
  $@ apt-cache policy whoopsie
  whoopsie:
Installed: 0.2.77
Candidate: 0.2.77
Version table:
   *** 0.2.77 500
  500 http://jp.archive.ubuntu.com/ubuntu lunar/main amd64 Packages
  100 /var/lib/dpkg/status

  
  TL;DR whoopsie will happily consume 100% for hours in what seems like a
  pretty futile attempt to deal with massive crash files. It should be more
  aware of what is a realistic crash to upload.

  This has happened a couple of times today, so I searched, found

  https://askubuntu.com/questions/1245078/woopsie-upload-all-process-
  consumes-cpu-100/1296481#1296481

  which suggested looking in /var/crash/

  where I found

  $@ ls -lh /var/crash/
  total 8.3G
  -rw-r- 1 fergal   whoopsie 8.3G May  8 23:03 _opt_google_chrome_chrome.1000.crash

  I don't know what whoopsie was doing but I doubt that was ever going
  to be productive and I cannot have a service that is going to
  occasionally use 100% CPU for hours.

  Here's what `top` had to say before I killed it

  94802 root  20   0   11.7g  11.3g  58624 R 100.0  36.6 108:11.76 whoopsie-upload

  So it had been trying for 108 minutes and was using 11G of RAM.

  I would love to enable crash reporting but this is unacceptable. I've
  deleted the crash file and uninstalled whoopsie. I'll happily
  reinstall it if it gains some safeguards against this kind of thing.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/whoopsie/+bug/2018996/+subscriptions




[Touch-packages] [Bug 2039589] Re: Nwidia driver Ubuntu bug

2023-10-17 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to xorg in Ubuntu.
https://bugs.launchpad.net/bugs/2039589

Title:
  Nwidia driver Ubuntu bug

Status in xorg package in Ubuntu:
  New

Bug description:
  Nvidia driver error 470: UFW main window not displayed properly and
  Help not displayed. The issue affects Ubuntu 22.04.3 LTS, Ubuntu 23.10
  and Linux Mint.

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: xorg 1:7.7+23ubuntu2
  ProcVersionSignature: Ubuntu 6.2.0-34.34~22.04.1-generic 6.2.16
  Uname: Linux 6.2.0-34-generic x86_64
  NonfreeKernelModules: nvidia_modeset nvidia
  .proc.driver.nvidia.capabilities.gpu0: Error: path was not a regular file.
  .proc.driver.nvidia.capabilities.mig: Error: path was not a regular file.
  .proc.driver.nvidia.gpus..01.00.0: Error: path was not a regular file.
  .proc.driver.nvidia.registry: Binary: ""
  .proc.driver.nvidia.suspend: suspend hibernate resume
  .proc.driver.nvidia.suspend_depth: default modeset uvm
  .proc.driver.nvidia.version:
   NVRM version: NVIDIA UNIX x86_64 Kernel Module  470.199.02  Thu May 11 
11:46:56 UTC 2023
   GCC version:
  ApportVersion: 2.20.11-0ubuntu82.5
  Architecture: amd64
  BootLog: Error: [Errno 13] Brak dostępu: '/var/log/boot.log'
  CasperMD5CheckResult: pass
  CompositorRunning: None
  CurrentDesktop: ubuntu:GNOME
  Date: Tue Oct 17 18:13:32 2023
  DistUpgraded: Fresh install
  DistroCodename: jammy
  DistroVariant: ubuntu
  GraphicsCard:
   NVIDIA Corporation GK107 [GeForce GTX 650] [10de:0fc6] (rev a1) (prog-if 00 
[VGA controller])
 Subsystem: CardExpert Technology GK107 [GeForce GTX 650] [10b0:0fc6]
  InstallationDate: Installed on 2023-10-16 (1 days ago)
  InstallationMedia: Ubuntu 22.04.3 LTS "Jammy Jellyfish" - Release amd64 
(20230807.2)
  MachineType: Gigabyte Technology Co., Ltd. To be filled by O.E.M.
  ProcEnviron:
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=pl_PL.UTF-8
   SHELL=/bin/bash
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-6.2.0-34-generic 
root=UUID=7faab2db-29fa-4024-ae67-d6f019c15904 ro quiet splash vt.handoff=7
  SourcePackage: xorg
  Symptom: display
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 02/25/2014
  dmi.bios.release: 4.6
  dmi.bios.vendor: American Megatrends Inc.
  dmi.bios.version: 10b
  dmi.board.asset.tag: To be filled by O.E.M.
  dmi.board.name: H61M-S1
  dmi.board.vendor: Gigabyte Technology Co., Ltd.
  dmi.board.version: x.x
  dmi.chassis.asset.tag: To Be Filled By O.E.M.
  dmi.chassis.type: 3
  dmi.chassis.vendor: Gigabyte Technology Co., Ltd.
  dmi.chassis.version: To Be Filled By O.E.M.
  dmi.modalias: 
dmi:bvnAmericanMegatrendsInc.:bvr10b:bd02/25/2014:br4.6:svnGigabyteTechnologyCo.,Ltd.:pnTobefilledbyO.E.M.:pvrTobefilledbyO.E.M.:rvnGigabyteTechnologyCo.,Ltd.:rnH61M-S1:rvrx.x:cvnGigabyteTechnologyCo.,Ltd.:ct3:cvrToBeFilledByO.E.M.:skuTobefilledbyO.E.M.:
  dmi.product.family: To be filled by O.E.M.
  dmi.product.name: To be filled by O.E.M.
  dmi.product.sku: To be filled by O.E.M.
  dmi.product.version: To be filled by O.E.M.
  dmi.sys.vendor: Gigabyte Technology Co., Ltd.
  version.compiz: compiz N/A
  version.libdrm2: libdrm2 2.4.113-2~ubuntu0.22.04.1
  version.libgl1-mesa-dri: libgl1-mesa-dri 23.0.4-0ubuntu1~22.04.1
  version.libgl1-mesa-glx: libgl1-mesa-glx N/A
  version.nvidia-graphics-drivers: nvidia-graphics-drivers-* N/A
  version.xserver-xorg-core: xserver-xorg-core 2:21.1.4-2ubuntu1.7~22.04.1
  version.xserver-xorg-input-evdev: xserver-xorg-input-evdev N/A
  version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:19.1.0-2ubuntu1
  version.xserver-xorg-video-intel: xserver-xorg-video-intel 
2:2.99.917+git20210115-1
  version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 
1:1.0.17-2build1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xorg/+bug/2039589/+subscriptions




[Touch-packages] [Bug 2036128] Re: [FFe] enable unprivileged user namespace restrictions by default for mantic

2023-09-22 Thread Alex Murray
As discussed with the wider security team, we have decided not to push
ahead with this change for mantic and instead will look to enable it
very early in the 24.04 devel cycle. Marking as invalid and
unsubscribing the release team.

** Changed in: apparmor (Ubuntu)
   Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2036128

Title:
  [FFe] enable unprivileged user namespace restrictions by default for
  mantic

Status in apparmor package in Ubuntu:
  Won't Fix

Bug description:
  As per https://discourse.ubuntu.com/t/spec-unprivileged-user-
  namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626,
  unprivileged user namespace restrictions for Ubuntu 23.10 are to be
  enabled by default via a sysctl.d conf file in apparmor.

  In https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2035315 new
  apparmor profiles were added to the apparmor package for various
  applications which require unprivileged user namespaces, using a new
  unconfined profile mode. To support this an additional change was
  added to the mantic kernel in https://git.launchpad.net/~ubuntu-
  kernel/ubuntu/+source/linux/+git/mantic/commit?h=master-
  next&id=7327726a2dbf571e05f7c095916dcce0347790b4 which is still
  currently unreleased.

  Without this kernel change, if userns restrictions are enabled the
  existing policies added above will not actually work to allow them to
  be used by the various applications. As such we need to ensure that
  userns restrictions are not enabled via sysctl when this feature is
  not present / enabled.

  Whilst it may be possible to capture the dependency logic via
  `Breaks:` or similar, this would not help in the case that a user
  booted into an older kernel with the new apparmor userspace package.

  As such, as well as enabling the sysctl via the sysctl.d conf file, it
  is proposed to add logic into the apparmor.service systemd unit to
  check that the kernel supports the aforementioned unconfined profile
  mode and that it is enabled - and if not then to force disable the
  userns restrictions sysctl via the following logic:

  userns_restricted=$(sysctl -n kernel.apparmor_restrict_unprivileged_userns)
  unconfined_userns=$([ -f /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns ] && cat /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns || echo 0)
  if [ -n "$userns_restricted" ] && [ "$userns_restricted" -eq 1 ]; then
    if [ "$unconfined_userns" -eq 0 ]; then
      # userns restrictions rely on unconfined userns to be supported
      echo "disabling unprivileged userns restrictions since unconfined userns is not supported / enabled"
      sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
    fi
  fi

  this allows a local admin to disable the sysctl via the regular
  sysctl.d conf approach, but to also make sure we don't inadvertently
  enable it when it is not supported by the kernel.

  This proposed change has been tested via the QA Regression Testing
  project, in particular with the specific test added in
  https://git.launchpad.net/qa-regression-
  testing/commit/?id=6f2c5ab7c8659174adac772ce0e894328bb5045d

  This produces the following output, confirming the fallback works as
  expected on the current mantic kernel (which does not fully support
  the userns restrictions):

  
---

  Running test: './test-apparmor.py' distro: 'Ubuntu 23.10' kernel: '6.5.0-5.5 
(Ubuntu 6.5.0-5.5-generic 6.5.0)' arch: 'amd64' init: 'systemd' uid: 0/0 
SUDO_USER: 'ubuntu')
  test_unconfined_userns (__main__.ApparmorTest.test_unconfined_userns)
  Test that unconfined userns restrictions are applied ... Skipping private 
tests

  WARN: kernel rate limiting in effect
  Disabling ratelimiting until the next reboot. To renable, run:
  # sysctl -w kernel.printk_ratelimit=5

  (enabling userns restrictions) (restarting apparmor) (checking userns
  restrictions got disabled) ok

  --
  Ran 1 test in 0.232s

  OK

  
---

  
  Also we can see on a fresh-boot with this new version installed that 
apparmor.service shows it has disabled the sysctl before loading any profiles 
even though the conf file has it enabled - and finally we can see that unshare 
-U works as expected:

  root@sec-mantic-amd64:~# uptime
   07:04:48 up 0 min,  0 user,  load average: 0.00, 0.00, 0.00

  root@sec-mantic-amd64:~# journalctl -b0 --unit apparmor.service --no-pager
  Sep 15 07:04:47 sec-mantic-amd64 systemd[1]: Starting apparmor.service - Load 
AppArmor profiles...
  Sep 15 07:04:47 sec-mantic-amd64 apparmor.systemd[308]: Restarting AppArmor
  Sep 15 07:04:47 sec-mantic-amd64 apparmor.systemd[3

[Touch-packages] [Bug 2036698] Re: Unprivileged user namespace restrictions break various third-party applications

2023-09-20 Thread Alex Murray
** Changed in: apparmor (Ubuntu)
 Assignee: (unassigned) => Alex Murray (alexmurray)

** Changed in: apparmor (Ubuntu)
   Importance: Undecided => High

** Changed in: apparmor (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2036698

Title:
  Unprivileged user namespace restrictions break various third-party
  applications

Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  Similar to
  https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2035315 the
  proposed unprivileged user namespace restrictions feature of apparmor
  in mantic breaks various third-party applications that use
  unprivileged userns for sandboxing themselves.

  These include:

  - Brave
  - Microsoft Edge
  - Opera
  - Visual Studio Code
  - Vivaldi

  apparmor in mantic should ship skeleton profiles for each of these to
  ensure they work as expected if a user has them installed.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2036698/+subscriptions




[Touch-packages] [Bug 2036698] [NEW] Unprivileged user namespace restrictions break various third-party applications

2023-09-20 Thread Alex Murray
Public bug reported:

Similar to
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2035315 the
proposed unprivileged user namespace restrictions feature of apparmor in
mantic breaks various third-party applications that use unprivileged
userns for sandboxing themselves.

These include:

- Brave
- Microsoft Edge
- Opera
- Visual Studio Code
- Vivaldi

apparmor in mantic should ship skeleton profiles for each of these to
ensure they work as expected if a user has them installed.

** Affects: apparmor (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2036698

Title:
  Unprivileged user namespace restrictions break various third-party
  applications

Status in apparmor package in Ubuntu:
  New

Bug description:
  Similar to
  https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2035315 the
  proposed unprivileged user namespace restrictions feature of apparmor
  in mantic breaks various third-party applications that use
  unprivileged userns for sandboxing themselves.

  These include:

  - Brave
  - Microsoft Edge
  - Opera
  - Visual Studio Code
  - Vivaldi

  apparmor in mantic should ship skeleton profiles for each of these to
  ensure they work as expected if a user has them installed.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2036698/+subscriptions




[Touch-packages] [Bug 2036128] Re: [FFe] enable unprivileged user namespace restrictions by default for mantic

2023-09-18 Thread Alex Murray
** Changed in: apparmor (Ubuntu)
   Status: Incomplete => New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2036128

Title:
  [FFe] enable unprivileged user namespace restrictions by default for
  mantic

Status in apparmor package in Ubuntu:
  New

Bug description:
  As per https://discourse.ubuntu.com/t/spec-unprivileged-user-
  namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626,
  unprivileged user namespace restrictions for Ubuntu 23.10 are to be
  enabled by default via a sysctl.d conf file in apparmor.

  In https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2035315 new
  apparmor profiles were added to the apparmor package for various
  applications which require unprivileged user namespaces, using a new
  unconfined profile mode. To support this an additional change was
  added to the mantic kernel in https://git.launchpad.net/~ubuntu-
  kernel/ubuntu/+source/linux/+git/mantic/commit?h=master-
  next&id=7327726a2dbf571e05f7c095916dcce0347790b4 which is still
  currently unreleased.

  Without this kernel change, if userns restrictions are enabled the
  existing policies added above will not actually work to allow them to
  be used by the various applications. As such we need to ensure that
  userns restrictions are not enabled via sysctl when this feature is
  not present / enabled.

  Whilst it may be possible to capture the dependency logic via
  `Breaks:` or similar, this would not help in the case that a user
  booted into an older kernel with the new apparmor userspace package.

  As such, as well as enabling the sysctl via the sysctl.d conf file, it
  is proposed to add logic into the apparmor.service systemd unit to
  check that the kernel supports the aforementioned unconfined profile
  mode and that it is enabled - and if not then to force disable the
  userns restrictions sysctl via the following logic:

  userns_restricted=$(sysctl -n kernel.apparmor_restrict_unprivileged_userns)
  unconfined_userns=$([ -f /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns ] && cat /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns || echo 0)
  if [ -n "$userns_restricted" ] && [ "$userns_restricted" -eq 1 ]; then
    if [ "$unconfined_userns" -eq 0 ]; then
      # userns restrictions rely on unconfined userns to be supported
      echo "disabling unprivileged userns restrictions since unconfined userns is not supported / enabled"
      sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
    fi
  fi

  this allows a local admin to disable the sysctl via the regular
  sysctl.d conf approach, but to also make sure we don't inadvertently
  enable it when it is not supported by the kernel.

  This proposed change has been tested via the QA Regression Testing
  project, in particular with the specific test added in
  https://git.launchpad.net/qa-regression-
  testing/commit/?id=6f2c5ab7c8659174adac772ce0e894328bb5045d

  This produces the following output, confirming the fallback works as
  expected on the current mantic kernel (which does not fully support
  the userns restrictions):

  
---

  Running test: './test-apparmor.py' distro: 'Ubuntu 23.10' kernel: '6.5.0-5.5 
(Ubuntu 6.5.0-5.5-generic 6.5.0)' arch: 'amd64' init: 'systemd' uid: 0/0 
SUDO_USER: 'ubuntu')
  test_unconfined_userns (__main__.ApparmorTest.test_unconfined_userns)
  Test that unconfined userns restrictions are applied ... Skipping private 
tests

  WARN: kernel rate limiting in effect
  Disabling ratelimiting until the next reboot. To renable, run:
  # sysctl -w kernel.printk_ratelimit=5

  (enabling userns restrictions) (restarting apparmor) (checking userns
  restrictions got disabled) ok

  --
  Ran 1 test in 0.232s

  OK

  
---

  
  Also we can see on a fresh-boot with this new version installed that 
apparmor.service shows it has disabled the sysctl before loading any profiles 
even though the conf file has it enabled - and finally we can see that unshare 
-U works as expected:

  root@sec-mantic-amd64:~# uptime
   07:04:48 up 0 min,  0 user,  load average: 0.00, 0.00, 0.00

  root@sec-mantic-amd64:~# journalctl -b0 --unit apparmor.service --no-pager
  Sep 15 07:04:47 sec-mantic-amd64 systemd[1]: Starting apparmor.service - Load 
AppArmor profiles...
  Sep 15 07:04:47 sec-mantic-amd64 apparmor.systemd[308]: Restarting AppArmor
  Sep 15 07:04:47 sec-mantic-amd64 apparmor.systemd[308]: disabling 
unprivileged userns restrictions since unconfined userns is not supported / 
enabled
  Sep 15 07:04:47 sec-mantic-amd64 apparmor.systemd[320]: 
kernel.apparmor_restrict_unprivileged_userns = 0
  Sep 15 07:04:47 sec-mantic-a

[Touch-packages] [Bug 2036128] Re: [FFe] enable unprivileged user namespace restrictions by default for mantic

2023-09-18 Thread Alex Murray
@vorlon - the FFe you approved was to upload a whole new release
apparmor-4.0.0~alpha2 with supporting infrastructure for this feature,
but crucially it did not enable it at that time (as we wanted more time
to add additional profiles for all the packages in the archive so that
when the feature gets turned on they would work as before).

This new FFe does enable it *and* also adds some logic so that we only
enable it when the kernel supports all the required features. This is to
ensure that during an upgrade from lunar -> mantic, or when booting an
older kernel which doesn't have all the features, we don't enable the
sysctl and break applications which expect to be able to use userns.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2036128

Title:
  [FFe] enable unprivileged user namespace restrictions by default for
  mantic

Status in apparmor package in Ubuntu:
  Incomplete

Bug description:
  As per https://discourse.ubuntu.com/t/spec-unprivileged-user-
  namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626,
  unprivileged user namespace restrictions for Ubuntu 23.10 are to be
  enabled by default via a sysctl.d conf file in apparmor.

  In https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2035315 new
  apparmor profiles were added to the apparmor package for various
  applications which require unprivileged user namespaces, using a new
  unconfined profile mode. To support this an additional change was
  added to the mantic kernel in https://git.launchpad.net/~ubuntu-
  kernel/ubuntu/+source/linux/+git/mantic/commit?h=master-
  next&id=7327726a2dbf571e05f7c095916dcce0347790b4 which is still
  currently unreleased.

  Without this kernel change, if userns restrictions are enabled the
  existing policies added above will not actually work to allow them to
  be used by the various applications. As such we need to ensure that
  userns restrictions are not enabled via sysctl when this feature is
  not present / enabled.

  Whilst it may be possible to capture the dependency logic via
  `Breaks:` or similar, this would not help in the case that a user
  booted into an older kernel with the new apparmor userspace package.

  As such, as well as enabling the sysctl via the sysctl.d conf file, it
  is proposed to add logic into the apparmor.service systemd unit to
  check that the kernel supports the aforementioned unconfined profile
  mode and that it is enabled - and if not then to force disable the
  userns restrictions sysctl via the following logic:

  userns_restricted=$(sysctl -n kernel.apparmor_restrict_unprivileged_userns)
  unconfined_userns=$([ -f /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns ] && cat /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns || echo 0)
  if [ -n "$userns_restricted" ] && [ "$userns_restricted" -eq 1 ]; then
    if [ "$unconfined_userns" -eq 0 ]; then
      # userns restrictions rely on unconfined userns to be supported
      echo "disabling unprivileged userns restrictions since unconfined userns is not supported / enabled"
      sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
    fi
  fi

  this allows a local admin to disable the sysctl via the regular
  sysctl.d conf approach, but to also make sure we don't inadvertently
  enable it when it is not supported by the kernel.

  This proposed change has been tested via the QA Regression Testing
  project, in particular with the specific test added in
  https://git.launchpad.net/qa-regression-
  testing/commit/?id=6f2c5ab7c8659174adac772ce0e894328bb5045d

  This produces the following output, confirming the fallback works as
  expected on the current mantic kernel (which does not fully support
  the userns restrictions):

  
---

  Running test: './test-apparmor.py' distro: 'Ubuntu 23.10' kernel: '6.5.0-5.5 
(Ubuntu 6.5.0-5.5-generic 6.5.0)' arch: 'amd64' init: 'systemd' uid: 0/0 
SUDO_USER: 'ubuntu')
  test_unconfined_userns (__main__.ApparmorTest.test_unconfined_userns)
  Test that unconfined userns restrictions are applied ... Skipping private 
tests

  WARN: kernel rate limiting in effect
  Disabling ratelimiting until the next reboot. To renable, run:
  # sysctl -w kernel.printk_ratelimit=5

  (enabling userns restrictions) (restarting apparmor) (checking userns
  restrictions got disabled) ok

  --
  Ran 1 test in 0.232s

  OK

  
---

  
  Also we can see on a fresh-boot with this new version installed that 
apparmor.service shows it has disabled the sysctl before loading any profiles 
even though the conf file has it enabled - and finally we can see that unshare 
-U works as expected:

  root@sec-
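
The fallback decision from the bug description above, as an added example that is not part of the original report or of the apparmor package: the same check split into functions that take the sysctl value and a sysfs root as arguments, so every combination can be exercised against a constructed directory tree without root. The function names, the fake-root layout and the treatment of non-numeric file content as "unsupported" are assumptions of this example.

```shell
#!/bin/sh
# Added example: testable form of the userns fallback decision quoted in the
# bug description. Nothing here writes a sysctl; it only reports the decision.

# securityfs feature file from the bug description, relative to /sys
FEATURE_REL="kernel/security/apparmor/features/policy/unconfined_restrictions/userns"

# read_unconfined_userns SYSROOT
# Prints 1 if the feature file exists and holds a non-zero number, else 0.
# Assumption of this example: empty, unreadable or non-numeric content counts
# as unsupported, in line with the stated goal of never leaving the
# restriction on when the kernel cannot honour the unconfined profiles.
read_unconfined_userns() {
    f="$1/$FEATURE_REL"
    v=""
    if [ -f "$f" ]; then
        v=$(cat "$f" 2>/dev/null) || v=""
    fi
    case "$v" in
        ''|*[!0-9]*) echo 0 ;;
        *) if [ "$v" -eq 0 ]; then echo 0; else echo 1; fi ;;
    esac
}

# decide_userns_action RESTRICTED_VALUE SYSROOT
# RESTRICTED_VALUE is what `sysctl -n kernel.apparmor_restrict_unprivileged_userns`
# printed (empty when the kernel has no such sysctl).
# Prints "disable" when the restriction is on but the kernel feature is
# missing or off, otherwise "keep".
decide_userns_action() {
    restricted="$1"
    sysroot="$2"
    case "$restricted" in
        ''|*[!0-9]*) echo keep; return 0 ;;   # sysctl absent: nothing to undo
    esac
    if [ "$restricted" -ne 1 ]; then
        echo keep                             # admin already has it off
        return 0
    fi
    if [ "$(read_unconfined_userns "$sysroot")" -eq 0 ]; then
        echo disable
    else
        echo keep
    fi
}

# make_fake_sysroot VALUE
# Builds a constructed sysfs-like tree in a temp dir and prints its path.
# VALUE "absent" omits the feature file (older kernel); anything else is
# written into it verbatim.
make_fake_sysroot() {
    d=$(mktemp -d)
    if [ "$1" != "absent" ]; then
        mkdir -p "$d/$(dirname "$FEATURE_REL")"
        printf '%s\n' "$1" > "$d/$FEATURE_REL"
    fi
    echo "$d"
}

# Print the full decision table over constructed inputs.
demo() {
    for feature in absent 0 1; do
        root=$(make_fake_sysroot "$feature")
        for sysctl_value in "" 0 1; do
            printf 'sysctl=%-3s feature=%-6s -> %s\n' \
                "${sysctl_value:-n/a}" "$feature" \
                "$(decide_userns_action "$sysctl_value" "$root")"
        done
        rm -rf "$root"
    done
}

demo

# On a real system the equivalent read-only check would be:
#   decide_userns_action \
#     "$(sysctl -n kernel.apparmor_restrict_unprivileged_userns 2>/dev/null)" /sys
```

Only the combination "sysctl is 1, feature file absent or 0" yields `disable`, which is the case the journal output in the report shows on the mantic kernel.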

[Touch-packages] [Bug 2036128] Re: [FFe] enable unprivileged user namespace restrictions by default for mantic

2023-09-18 Thread Alex Murray
FYI I redid this change again on top of the fix from
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/2036302 and have
uploaded it to the aforementioned PPA (debdiff is almost identical,
except for the different context in debian/changelog)

** Patch added: "apparmor_4.0.0~alpha2-0ubuntu5.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2036128/+attachment/5701789/+files/apparmor_4.0.0~alpha2-0ubuntu5.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2036128

Title:
  [FFe] enable unprivileged user namespace restrictions by default for
  mantic

Status in apparmor package in Ubuntu:
  New

Bug description:
  As per https://discourse.ubuntu.com/t/spec-unprivileged-user-
  namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626,
  unprivileged user namespace restrictions for Ubuntu 23.10 are to be
  enabled by default via a sysctl.d conf file in apparmor.

  In https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2035315 new
  apparmor profiles were added to the apparmor package for various
  applications which require unprivileged user namespaces, using a new
  unconfined profile mode. To support this an additional change was
  added to the mantic kernel in https://git.launchpad.net/~ubuntu-
  kernel/ubuntu/+source/linux/+git/mantic/commit?h=master-
  next&id=7327726a2dbf571e05f7c095916dcce0347790b4 which is still
  currently unreleased.

  Without this kernel change, if userns restrictions are enabled the
  existing policies added above will not actually work to allow them to
  be used by the various applications. As such we need to ensure that
  userns restrictions are not enabled via sysctl when this feature is
  not present / enabled.

  Whilst it may be possible to capture the dependency logic via
  `Breaks:` or similar, this would not help in the case that a user
  booted into an older kernel with the new apparmor userspace package.

  As such, as well as enabling the sysctl via the sysctl.d conf file, it
  is proposed to add logic into the apparmor.service systemd unit to
  check that the kernel supports the aforementioned unconfined profile
  mode and that it is enabled - and if not then to force disable the
  userns restrictions sysctl via the following logic:

  userns_restricted=$(sysctl -n kernel.apparmor_restrict_unprivileged_userns)
  unconfined_userns=$([ -f /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns ] && cat /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns || echo 0)
  if [ -n "$userns_restricted" ] && [ "$userns_restricted" -eq 1 ]; then
    if [ "$unconfined_userns" -eq 0 ]; then
      # userns restrictions rely on unconfined userns to be supported
      echo "disabling unprivileged userns restrictions since unconfined userns is not supported / enabled"
      sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
    fi
  fi

  this allows a local admin to disable the sysctl via the regular
  sysctl.d conf approach, but to also make sure we don't inadvertently
  enable it when it is not supported by the kernel.

  This proposed change has been tested via the QA Regression Testing
  project, in particular with the specific test added in
  https://git.launchpad.net/qa-regression-
  testing/commit/?id=6f2c5ab7c8659174adac772ce0e894328bb5045d

  This produces the following output, confirming the fallback works as
  expected on the current mantic kernel (which does not fully support
  the userns restrictions):

  
  ---

  Running test: './test-apparmor.py' distro: 'Ubuntu 23.10' kernel: '6.5.0-5.5 (Ubuntu 6.5.0-5.5-generic 6.5.0)' arch: 'amd64' init: 'systemd' uid: 0/0 SUDO_USER: 'ubuntu')
  test_unconfined_userns (__main__.ApparmorTest.test_unconfined_userns)
  Test that unconfined userns restrictions are applied ... Skipping private tests

  WARN: kernel rate limiting in effect
  Disabling ratelimiting until the next reboot. To renable, run:
  # sysctl -w kernel.printk_ratelimit=5

  (enabling userns restrictions) (restarting apparmor) (checking userns restrictions got disabled) ok

  --
  Ran 1 test in 0.232s

  OK

  ---

  Also we can see on a fresh-boot with this new version installed that
  apparmor.service shows it has disabled the sysctl before loading any
  profiles even though the conf file has it enabled - and finally we can
  see that unshare -U works as expected:

  root@sec-mantic-amd64:~# uptime
   07:04:48 up 0 min,  0 user,  load average: 0.00, 0.00, 0.00

  root@sec-mantic-amd64:~# journalctl -b0 --unit apparmor.service --no-pager
  Sep 15 07:04:47 sec-mantic-amd64 systemd[1]: Starting apparmor.service - Load AppArmor profiles...
 

[Touch-packages] [Bug 2035315] Re: Unprivileged user namespace restrictions break various applications

2023-09-17 Thread Alex Murray
As seen in
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2036302 it turns
out the lxc package already shipped a profile in
/etc/apparmor.d/usr.bin.lxc-create - so this profile itself needs to be
updated to add the userns permission and declare the new ABI in lxc in
mantic.

** Also affects: lxc (Ubuntu)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2035315

Title:
  Unprivileged user namespace restrictions break various applications

Status in apparmor package in Ubuntu:
  Fix Released
Status in lxc package in Ubuntu:
  New

Bug description:
  When the unprivileged user namespace restrictions are enabled, various
  applications within and outside the Ubuntu archive fail to function,
  as they use unprivileged user namespaces as part of their normal
  operation.

  A search of the Ubuntu archive for the 23.10 release was performed
  looking for all applications that make legitimate use of the
  CLONE_NEWUSER argument, the details of which can be seen in
  
https://docs.google.com/spreadsheets/d/1MOPVoTW0BROF1TxYqoWeJ3c6w2xKElI4w-VjdCG0m9s/edit#gid=2102562502

  For each package identified in that list, an investigation was made to
  determine if the application actually used this as an unprivileged
  user, and if so which of the binaries within the package were
  affected.

  The full investigation can be seen in
  https://warthogs.atlassian.net/browse/SEC-1898 (which is unfortunately
  private) but is summarised to the following list of Ubuntu source
  packages, with the affected binaries as noted. NOTE that due to time
  constraints for some packages it was not possible to finish the
  complete investigation and so for those *all* the binaries from the
  package are listed below.

  For each of these binaries, an apparmor profile is required so that
  the binary can be granted use of unprivileged user namespaces - an
  example profile for the ch-run binary within the charliecloud package
  is shown:

  $ cat /etc/apparmor.d/usr.bin.ch-run 
  abi ,

  include 

  /usr/bin/ch-run flags=(unconfined) {
    userns,

    # Site-specific additions and overrides. See local/README for details.
    include if exists 
  }

  
  However, in a few select cases, it has been decided not to ship an
  apparmor profile, since this would effectively allow this mitigation
  to be bypassed. In particular, the unshare and setns binaries within
  the util-linux package are installed on every Ubuntu system, and allow
  an unprivileged user the ability to launch an arbitrary application
  within a new user namespace. Any malicious application then that
  wished to exploit an unprivileged user namespace to conduct an attack
  on the kernel would simply need to spawn itself via `unshare -U` or
  similar to be granted this permission. Therefore, due to the
  ubiquitous nature of the unshare (and setns) binaries, profiles are
  not planned to be provided for these by default. Similarly, the bwrap
  binary within bubblewrap is also installed by default on Ubuntu
  Desktop 23.10 and can also be used to launch arbitrary binaries within
  a new user namespace and so no profile is planned to be provided for
  this either.

  Those packages for which either a profile is not required or which a
  profile is not planned are listed below, whilst the list of packages
  that require a profile (and their associated binaries) is listed at
  the end:

  Packages that use user namespaces but for which a profile is not
  required or not planned:

- bubblewrap
  - /usr/bin/bwrap (NOT PLANNED AS NOTED ABOVE)
- cifs-utils
  - /usr/sbin/cifs.upcall (NOT REQUIRED AS IS EXECUTED AS root)
- consfigurator  # NOT REQUIRED, NO BINARIES OR reverse-depends
- criu
  - /usr/sbin/criu (NOT REQUIRED SINCE ONLY FUNCTIONS AS root)
- docker.io-app
  - /usr/bin/dockerd (NOT REQUIRED SINCE RUNS AS root)
- firejail
  - /usr/bin/firejail (NOT REQUIRED SINCE is suid root)
- golang-github-containers-storage
  - /usr/bin/containers-storage (NOT REQUIRED SINCE ONLY FUNCTIONS AS root)
- golang-gvisor-gvisor
  - /usr/bin/runsc (NOT REQUIRED SINCE ONLY FUNCTIONS AS root)
- guix
  - /usr/bin/guix-daemon (NOT REQUIRED SINCE RUNS AS root)
- libvdestack # NOT REQUIRED, NO BINARIES OR reverse-depends
- libvirt # NOT REQUIRED SINCE USES lxc WHICH WILL HAVE A PROFILE
- network-manager # NOT REQUIRED SINCE CODE IS UNUSED
- nix # APPEARS UNNEEDED IN DEFAULT CONFIGURATION
- ocaml-extunix # NO BINARIES OR reverse-depends
- passt
  - /usr/bin/passt # IS EXPECTED TO BE EXECUTED AS root
- rust-rustix # NO BINARIES AND CODE IS UNUSED IN THE ARCHIVE
- util-linux
  - 
  Packages that use unprivileged user namespaces which require a profile (or 
already have one as part of the previous apparmor update in 
4.0.0~alpha2-0ubuntu1 v

[Touch-packages] [Bug 2036302] Re: apparmor 4.0.0~alpha2-0ubuntu3 ships same file as liblxc-common

2023-09-17 Thread Alex Murray
Uploaded in apparmor 4.0.0~alpha2-0ubuntu4 - currently waiting to build
etc -
https://launchpad.net/ubuntu/mantic/+queue?queue_state=3&queue_text=apparmor

** Changed in: apparmor (Ubuntu)
   Status: Triaged => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/2036302

Title:
  apparmor 4.0.0~alpha2-0ubuntu3 ships same file as liblxc-common

Status in apparmor package in Ubuntu:
  Fix Committed
Status in lxc package in Ubuntu:
  Triaged

Bug description:
  When running apt-get distupgrade I saw this message:

  Preparing to unpack .../apparmor_4.0.0~alpha2-0ubuntu3_amd64.deb ...
  Unpacking apparmor (4.0.0~alpha2-0ubuntu3) over (4.0.0~alpha2-0ubuntu2) ...
  dpkg: error processing archive /var/cache/apt/archives/apparmor_4.0.0~alpha2-0ubuntu3_amd64.deb (--unpack):
   trying to overwrite '/etc/apparmor.d/usr.bin.lxc-start', which is also in package liblxc-common 1:5.0.1-0ubuntu6
  dpkg-deb: error: paste subprocess was killed by signal (Broken pipe)

  The problem could be overcome with:

  sudo apt-get install liblxc-common --reinstall

  which resulted in output

  Preparing to unpack .../liblxc-common_1%3a5.0.1-0ubuntu6_amd64.deb ...
  Unpacking liblxc-common (1:5.0.1-0ubuntu6) over (1:5.0.1-0ubuntu6) ...

  I have seen the same type of problem before with other packages.

  I would have expected apt-get to correctly sequence all necessary
  actions on its own.

  These are related events in my apt history:

  Start-Date: 2022-10-30  05:33:09
  Commandline: apt-get install lxc
  Requested-By: ubuntu (1000)
  Install:
  liblxc-common:amd64 (1:5.0.0~git2209-g5a7b9ce67-0ubuntu3, automatic)

  Start-Date: 2023-01-28  11:06:34
  Commandline: apt-get dist-upgrade
  Requested-By: ubuntu (1000)
  Upgrade:
  liblxc-common:amd64 (1:5.0.0~git2209-g5a7b9ce67-0ubuntu3, 1:5.0.1-0ubuntu6)

  
  ProblemType: Bug
  DistroRelease: Ubuntu 23.10
  Package: apt 2.7.3
  ProcVersionSignature: Ubuntu 6.5.0-5.5-generic 6.5.0
  Uname: Linux 6.5.0-5-generic x86_64
  NonfreeKernelModules: zfs
  ApportVersion: 2.27.0-0ubuntu2
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: KDE
  Date: Sat Sep 16 11:12:36 2023
  InstallationDate: Installed on 2021-07-01 (807 days ago)
  InstallationMedia: Kubuntu 21.04 "Hirsute Hippo" - Release amd64 (20210420)
  SourcePackage: apt
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2036302/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 2036302] Re: apparmor 4.0.0~alpha2-0ubuntu3 ships same file as liblxc-common

2023-09-17 Thread Alex Murray
Apologies for this - I am working on an update now to resolve it.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/2036302

Title:
  apparmor 4.0.0~alpha2-0ubuntu3 ships same file as liblxc-common

Status in apparmor package in Ubuntu:
  Triaged
Status in lxc package in Ubuntu:
  Triaged

Bug description:
  When running apt-get distupgrade I saw this message:

  Preparing to unpack .../apparmor_4.0.0~alpha2-0ubuntu3_amd64.deb ...
  Unpacking apparmor (4.0.0~alpha2-0ubuntu3) over (4.0.0~alpha2-0ubuntu2) ...
  dpkg: error processing archive /var/cache/apt/archives/apparmor_4.0.0~alpha2-0ubuntu3_amd64.deb (--unpack):
   trying to overwrite '/etc/apparmor.d/usr.bin.lxc-start', which is also in package liblxc-common 1:5.0.1-0ubuntu6
  dpkg-deb: error: paste subprocess was killed by signal (Broken pipe)

  The problem could be overcome with:

  sudo apt-get install liblxc-common --reinstall

  which resulted in output

  Preparing to unpack .../liblxc-common_1%3a5.0.1-0ubuntu6_amd64.deb ...
  Unpacking liblxc-common (1:5.0.1-0ubuntu6) over (1:5.0.1-0ubuntu6) ...

  I have seen the same type of problem before with other packages.

  I would have expected apt-get to correctly sequence all necessary
  actions on its own.

  These are related events in my apt history:

  Start-Date: 2022-10-30  05:33:09
  Commandline: apt-get install lxc
  Requested-By: ubuntu (1000)
  Install:
  liblxc-common:amd64 (1:5.0.0~git2209-g5a7b9ce67-0ubuntu3, automatic)

  Start-Date: 2023-01-28  11:06:34
  Commandline: apt-get dist-upgrade
  Requested-By: ubuntu (1000)
  Upgrade:
  liblxc-common:amd64 (1:5.0.0~git2209-g5a7b9ce67-0ubuntu3, 1:5.0.1-0ubuntu6)

  
  ProblemType: Bug
  DistroRelease: Ubuntu 23.10
  Package: apt 2.7.3
  ProcVersionSignature: Ubuntu 6.5.0-5.5-generic 6.5.0
  Uname: Linux 6.5.0-5-generic x86_64
  NonfreeKernelModules: zfs
  ApportVersion: 2.27.0-0ubuntu2
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: KDE
  Date: Sat Sep 16 11:12:36 2023
  InstallationDate: Installed on 2021-07-01 (807 days ago)
  InstallationMedia: Kubuntu 21.04 "Hirsute Hippo" - Release amd64 (20210420)
  SourcePackage: apt
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2036302/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 2036128] Re: [FFe] enable unprivileged user namespace restrictions by default for mantic

2023-09-17 Thread Alex Murray
@sil2100 - apologies, I think I wasn't clear - for the actual enablement
to take effect, this FFe does require the new kernel - BUT I added some
fallback logic to detect if the kernel doesn't support the required
feature so that the sysctl gets disabled in that case when the apparmor
service is starting but before it has loaded any profiles. As such, we
can safely land this FFe before the kernel lands.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2036128

Title:
  [FFe] enable unprivileged user namespace restrictions by default for
  mantic

Status in apparmor package in Ubuntu:
  New

Bug description:
  As per https://discourse.ubuntu.com/t/spec-unprivileged-user-
  namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626,
  unprivileged user namespace restrictions for Ubuntu 23.10 are to be
  enabled by default via a sysctl.d conf file in apparmor.

  In https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2035315 new
  apparmor profiles were added to the apparmor package for various
  applications which require unprivileged user namespaces, using a new
  unconfined profile mode. To support this an additional change was
  added to the mantic kernel in https://git.launchpad.net/~ubuntu-
  kernel/ubuntu/+source/linux/+git/mantic/commit?h=master-
  next&id=7327726a2dbf571e05f7c095916dcce0347790b4 which is still
  currently unreleased.

  Without this kernel change, if userns restrictions are enabled the
  existing policies added above will not actually work to allow them to
  be used by the various applications. As such we need to ensure that
  userns restrictions are not enabled via sysctl when this feature is
  not present / enabled.

  Whilst it may be possible to capture the dependency logic via
  `Breaks:` or similar, this would not help in the case that a user
  booted into an older kernel with the new apparmor userspace package.

  As such, as well as enabling the sysctl via the sysctl.d conf file, it
  is proposed to add logic into the apparmor.service systemd unit to
  check that the kernel supports the aforementioned unconfined profile
  mode and that it is enabled - and if not then to force disable the
  userns restrictions sysctl via the following logic:

  userns_restricted=$(sysctl -n kernel.apparmor_restrict_unprivileged_userns)
  unconfined_userns=$([ -f /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns ] && cat /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns || echo 0)
  if [ -n "$userns_restricted" ] && [ "$userns_restricted" -eq 1 ]; then
    if [ "$unconfined_userns" -eq 0 ]; then
      # userns restrictions rely on unconfined userns to be supported
      echo "disabling unprivileged userns restrictions since unconfined userns is not supported / enabled"
      sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
    fi
  fi

  this allows a local admin to disable the sysctl via the regular
  sysctl.d conf approach, but to also make sure we don't inadvertently
  enable it when it is not supported by the kernel.

  This proposed change has been tested via the QA Regression Testing
  project, in particular with the specific test added in
  https://git.launchpad.net/qa-regression-
  testing/commit/?id=6f2c5ab7c8659174adac772ce0e894328bb5045d

  This produces the following output, confirming the fallback works as
  expected on the current mantic kernel (which does not fully support
  the userns restrictions):

  
  ---

  Running test: './test-apparmor.py' distro: 'Ubuntu 23.10' kernel: '6.5.0-5.5 (Ubuntu 6.5.0-5.5-generic 6.5.0)' arch: 'amd64' init: 'systemd' uid: 0/0 SUDO_USER: 'ubuntu')
  test_unconfined_userns (__main__.ApparmorTest.test_unconfined_userns)
  Test that unconfined userns restrictions are applied ... Skipping private tests

  WARN: kernel rate limiting in effect
  Disabling ratelimiting until the next reboot. To renable, run:
  # sysctl -w kernel.printk_ratelimit=5

  (enabling userns restrictions) (restarting apparmor) (checking userns restrictions got disabled) ok

  --
  Ran 1 test in 0.232s

  OK

  ---

  Also we can see on a fresh-boot with this new version installed that
  apparmor.service shows it has disabled the sysctl before loading any
  profiles even though the conf file has it enabled - and finally we can
  see that unshare -U works as expected:

  root@sec-mantic-amd64:~# uptime
   07:04:48 up 0 min,  0 user,  load average: 0.00, 0.00, 0.00

  root@sec-mantic-amd64:~# journalctl -b0 --unit apparmor.service --no-pager
  Sep 15 07:04:47 sec-mantic-amd64 systemd[1]: Starting apparmor.service - Load AppArmor profiles...
  Sep 15 07:04:47 sec-mantic-a
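
The fallback decision described in the message and bug description above, as an added example that is not the apparmor package's own script: the decision is factored into a function that takes the sysctl value and the feature file path as arguments, so it can be checked against a constructed directory instead of the live /sys. It goes slightly beyond the logic on the page by treating an empty or non-numeric feature file as unsupported; the function names (`read_feature`, `userns_decision`, `apply_userns_fallback`, `demo_constructed_cases`) and that policy are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the apparmor package's script): the fallback decision
# from the bug description, factored so it can be tested without touching /sys.
# Assumption: only an explicit "1" in the feature file counts as supported.

FEATURE_FILE=/sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns

# read_feature FILE: print 1 if FILE exists and its first line is exactly 1,
# otherwise print 0 (missing, unreadable, empty or non-numeric content).
read_feature() {
    value=
    if [ -f "$1" ]; then
        value=$(head -n 1 "$1" 2>/dev/null | tr -d '[:space:]')
    fi
    case "$value" in
        1) echo 1 ;;
        *) echo 0 ;;
    esac
}

# userns_decision SYSCTL_VALUE FILE: print
#   keep     restriction is on and the kernel supports unconfined userns
#   disable  restriction is on but the kernel feature is missing or off
#   off      restriction is not on (admin disabled it, or sysctl is absent)
userns_decision() {
    case "$1" in
        1)
            if [ "$(read_feature "$2")" = 1 ]; then
                echo keep
            else
                echo disable
            fi
            ;;
        *)
            echo off
            ;;
    esac
}

# apply_userns_fallback: run the decision against the live system (needs root).
apply_userns_fallback() {
    current=$(sysctl -n kernel.apparmor_restrict_unprivileged_userns 2>/dev/null)
    if [ "$(userns_decision "$current" "$FEATURE_FILE")" = disable ]; then
        echo "disabling unprivileged userns restrictions since unconfined userns is not supported / enabled"
        sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
    fi
}

# demo_constructed_cases: exercise the decision on a constructed directory
# that stands in for the apparmor features tree (sample data, not real /sys).
demo_constructed_cases() {
    dir=$(mktemp -d) || return 1
    printf '1\n' > "$dir/supported"
    printf '0\n' > "$dir/unsupported"
    : > "$dir/empty"
    for name in supported unsupported empty missing; do
        printf '%-12s sysctl=1 -> %s\n' "$name" "$(userns_decision 1 "$dir/$name")"
    done
    printf '%-12s sysctl=0 -> %s\n' supported "$(userns_decision 0 "$dir/supported")"
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then
    demo_constructed_cases
fi
```

Running the script with the argument `demo` prints the decision for each constructed case; nothing on the live system is changed unless `apply_userns_fallback` is called.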

[Touch-packages] [Bug 2036128] Re: [FFe] enable unprivileged user namespace restrictions by default for mantic

2023-09-15 Thread Alex Murray
I have uploaded this new version to
https://launchpad.net/~alexmurray/+archive/ubuntu/lp2036128 and so it
should be built soon (from which the build log will be available).
Please let me know if any other information is required.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2036128

Title:
  [FFe] enable unprivileged user namespace restrictions by default for
  mantic

Status in apparmor package in Ubuntu:
  New

Bug description:
  As per https://discourse.ubuntu.com/t/spec-unprivileged-user-
  namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626,
  unprivileged user namespace restrictions for Ubuntu 23.10 are to be
  enabled by default via a sysctl.d conf file in apparmor.

  In https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2035315 new
  apparmor profiles were added to the apparmor package for various
  applications which require unprivileged user namespaces, using a new
  unconfined profile mode. To support this an additional change was
  added to the mantic kernel in https://git.launchpad.net/~ubuntu-
  kernel/ubuntu/+source/linux/+git/mantic/commit?h=master-
  next&id=7327726a2dbf571e05f7c095916dcce0347790b4 which is still
  currently unreleased.

  Without this kernel change, if userns restrictions are enabled the
  existing policies added above will not actually work to allow them to
  be used by the various applications. As such we need to ensure that
  userns restrictions are not enabled via sysctl when this feature is
  not present / enabled.

  Whilst it may be possible to capture the dependency logic via
  `Breaks:` or similar, this would not help in the case that a user
  booted into an older kernel with the new apparmor userspace package.

  As such, as well as enabling the sysctl via the sysctl.d conf file, it
  is proposed to add logic into the apparmor.service systemd unit to
  check that the kernel supports the aforementioned unconfined profile
  mode and that it is enabled - and if not then to force disable the
  userns restrictions sysctl via the following logic:

  userns_restricted=$(sysctl -n kernel.apparmor_restrict_unprivileged_userns)
  unconfined_userns=$([ -f /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns ] && cat /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns || echo 0)
  if [ -n "$userns_restricted" ] && [ "$userns_restricted" -eq 1 ]; then
    if [ "$unconfined_userns" -eq 0 ]; then
      # userns restrictions rely on unconfined userns to be supported
      echo "disabling unprivileged userns restrictions since unconfined userns is not supported / enabled"
      sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
    fi
  fi

  this allows a local admin to disable the sysctl via the regular
  sysctl.d conf approach, but to also make sure we don't inadvertently
  enable it when it is not supported by the kernel.

  This proposed change has been tested via the QA Regression Testing
  project, in particular with the specific test added in
  https://git.launchpad.net/qa-regression-
  testing/commit/?id=6f2c5ab7c8659174adac772ce0e894328bb5045d

  This produces the following output, confirming the fallback works as
  expected on the current mantic kernel (which does not fully support
  the userns restrictions):

  
  ---

  Running test: './test-apparmor.py' distro: 'Ubuntu 23.10' kernel: '6.5.0-5.5 (Ubuntu 6.5.0-5.5-generic 6.5.0)' arch: 'amd64' init: 'systemd' uid: 0/0 SUDO_USER: 'ubuntu')
  test_unconfined_userns (__main__.ApparmorTest.test_unconfined_userns)
  Test that unconfined userns restrictions are applied ... Skipping private tests

  WARN: kernel rate limiting in effect
  Disabling ratelimiting until the next reboot. To renable, run:
  # sysctl -w kernel.printk_ratelimit=5

  (enabling userns restrictions) (restarting apparmor) (checking userns restrictions got disabled) ok

  --
  Ran 1 test in 0.232s

  OK

  ---

  Also we can see on a fresh-boot with this new version installed that
  apparmor.service shows it has disabled the sysctl before loading any
  profiles even though the conf file has it enabled - and finally we can
  see that unshare -U works as expected:

  root@sec-mantic-amd64:~# uptime
   07:04:48 up 0 min,  0 user,  load average: 0.00, 0.00, 0.00

  root@sec-mantic-amd64:~# journalctl -b0 --unit apparmor.service --no-pager
  Sep 15 07:04:47 sec-mantic-amd64 systemd[1]: Starting apparmor.service - Load AppArmor profiles...
  Sep 15 07:04:47 sec-mantic-amd64 apparmor.systemd[308]: Restarting AppArmor
  Sep 15 07:04:47 sec-mantic-amd64 apparmor.systemd[308]: disabling unprivileged userns restrictions since unconfined userns is

[Touch-packages] [Bug 2036128] Re: [FFe] enable unprivileged user namespace restrictions by default for mantic

2023-09-15 Thread Alex Murray
apt log when installing new apparmor packages

** Description changed:

  As per https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-
  restrictions-via-apparmor-in-ubuntu-23-10/37626, unprivileged user
  namespace restrictions for Ubuntu 23.10 are to be enabled by default via
  a sysctl.d conf file in apparmor.
  
  In https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2035315 new
  apparmor profiles were added to the apparmor package for various
  applications which require unprivileged user namespaces, using a new
  unconfined profile mode. To support this an additional change was added
  to the mantic kernel in https://git.launchpad.net/~ubuntu-
  kernel/ubuntu/+source/linux/+git/mantic/commit?h=master-
  next&id=7327726a2dbf571e05f7c095916dcce0347790b4 which is still
  currently unreleased.
  
  Without this kernel change, if userns restrictions are enabled the
  existing policies added above will not actually work to allow them to be
  used by the various applications. As such we need to ensure that userns
  restrictions are not enabled via sysctl when this feature is not present
  / enabled.
  
  Whilst it may be possible to capture the dependency logic via `Breaks:`
  or similar, this would not help in the case that a user booted into an
  older kernel with the new apparmor userspace package.
  
  As such, as well as enabling the sysctl via the sysctl.d conf file, it
  is proposed to add logic into the apparmor.service systemd unit to check
  that the kernel supports the aforementioned unconfined profile mode and
  that it is enabled - and if not then to force disable the userns
  restrictions sysctl via the following logic:
  
  userns_restricted=$(sysctl -n kernel.apparmor_restrict_unprivileged_userns)
  unconfined_userns=$([ -f 
/sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns ] 
&& cat 
/sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns || 
echo 0)
  if [ -n "$userns_restricted" ] && [ "$userns_restricted" -eq 1 ]; then
-   if [ $unconfined_userns -eq 0 ]; then
- # userns restrictions rely on unconfined userns to be supported
- echo "disabling unprivileged userns restrictions since unconfined userns 
is not supported / enabled"
- sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
-   fi
+   if [ "$unconfined_userns" -eq 0 ]; then
+ # userns restrictions rely on unconfined userns to be supported
+ echo "disabling unprivileged userns restrictions since unconfined userns 
is not supported / enabled"
+ sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
+   fi
  fi
  
+ this allows a local admin to disable the sysctl via the regular sysctl.d
+ conf approach, but to also make sure we don't inadvertently enable it
+ when it is not supported by the kernel.
  
- this allows a local admin to disable the sysctl via the regular sysctl.d conf 
approach, but to also make sure we don't inadvertently enable it when it is not 
supported by the kernel.
+ This proposed change has been tested via the QA Regression Testing
+ project, in particular with the specific test added in
+ https://git.launchpad.net/qa-regression-
+ testing/commit/?id=6f2c5ab7c8659174adac772ce0e894328bb5045d
+ 
+ This produces the following output, confirming the fallback works as
+ expected on the current mantic kernel (which does not fully support the
+ userns restrictions):
+ 
+ 
---
+ 
+ Running test: './test-apparmor.py' distro: 'Ubuntu 23.10' kernel: '6.5.0-5.5 
(Ubuntu 6.5.0-5.5-generic 6.5.0)' arch: 'amd64' init: 'systemd' uid: 0/0 
SUDO_USER: 'ubuntu')
+ test_unconfined_userns (__main__.ApparmorTest.test_unconfined_userns)
+ Test that unconfined userns restrictions are applied ... Skipping private 
tests
+ 
+ WARN: kernel rate limiting in effect
+ Disabling ratelimiting until the next reboot. To renable, run:
+ # sysctl -w kernel.printk_ratelimit=5
+ 
+ (enabling userns restrictions) (restarting apparmor) (checking userns
+ restrictions got disabled) ok
+ 
+ --
+ Ran 1 test in 0.232s
+ 
+ OK
+ 
+ 
---
+ 
+ 
+ Also we can see on a fresh-boot with this new version installed that 
apparmor.service shows it has disabled the sysctl before loading any profiles 
even though the conf file has it enabled - and finally we can see that unshare 
-U works as expected:
+ 
+ root@sec-mantic-amd64:~# uptime
+  07:04:48 up 0 min,  0 user,  load average: 0.00, 0.00, 0.00
+ 
+ root@sec-mantic-amd64:~# journalctl -b0 --unit apparmor.service --no-pager
+ Sep 15 07:04:47 sec-mantic-amd64 systemd[1]: Starting apparmor.service - Load 
AppArmor profiles...
+ Sep 15 07:04:47 sec-mantic-amd64 apparmor.systemd[308]: Restarting AppArmor
+ Sep 15 07:04:47 sec-mantic-amd64 apparmor.systemd[308]: disabling 
unprivileged userns restrictions sin
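
Review bot: the quoted test `[ "$unconfined_userns" -eq 0 ]` on the added side still leaves the restriction enabled when the value is empty or not an integer, because `-eq` then returns an error status instead of true and the inner branch is skipped. The `[ -f ... ] && cat ... || echo 0` line only supplies 0 when the file is missing or cat fails, not when the file reads back empty, so the sysctl would stay at 1 in the case this fallback is meant to catch. Consider defaulting the value with `"${unconfined_userns:-0}"`, or testing `!= 1` so that anything other than an explicit 1 disables the restriction.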

[Touch-packages] [Bug 2036128] Re: [FFe] enable unprivileged user namespace restrictions by default for mantic

2023-09-15 Thread Alex Murray
Proposed changes for FFe to enable the sysctl by default but add
fallback logic to disable it if the system doesn't provide all the
required features.

** Patch added: "apparmor_4.0.0~alpha2-0ubuntu4.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2036128/+attachment/5701125/+files/apparmor_4.0.0~alpha2-0ubuntu4.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2036128

Title:
  [FFe] enable unprivileged user namespace restrictions by default for
  mantic

Status in apparmor package in Ubuntu:
  New

Bug description:
  As per https://discourse.ubuntu.com/t/spec-unprivileged-user-
  namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626,
  unprivileged user namespace restrictions for Ubuntu 23.10 are to be
  enabled by default via a sysctl.d conf file in apparmor.

  In https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2035315 new
  apparmor profiles were added to the apparmor package for various
  applications which require unprivileged user namespaces, using a new
  unconfined profile mode. To support this an additional change was
  added to the mantic kernel in https://git.launchpad.net/~ubuntu-
  kernel/ubuntu/+source/linux/+git/mantic/commit?h=master-
  next&id=7327726a2dbf571e05f7c095916dcce0347790b4 which is still
  currently unreleased.

  Without this kernel change, if userns restrictions are enabled the
  existing policies added above will not actually work to allow them to
  be used by the various applications. As such we need to ensure that
  userns restrictions are not enabled via sysctl when this feature is
  not present / enabled.

  Whilst it may be possible to capture the dependency logic via
  `Breaks:` or similar, this would not help in the case that a user
  booted into an older kernel with the new apparmor userspace package.

  As such, as well as enabling the sysctl via the sysctl.d conf file, it
  is proposed to add logic into the apparmor.service systemd unit to
  check that the kernel supports the aforementioned unconfined profile
  mode and that it is enabled - and if not then to force disable the
  userns restrictions sysctl via the following logic:

  userns_restricted=$(sysctl -n kernel.apparmor_restrict_unprivileged_userns)
  unconfined_userns=$([ -f /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns ] && cat /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns || echo 0)
  if [ -n "$userns_restricted" ] && [ "$userns_restricted" -eq 1 ]; then
    if [ "$unconfined_userns" -eq 0 ]; then
      # userns restrictions rely on unconfined userns to be supported
      echo "disabling unprivileged userns restrictions since unconfined userns is not supported / enabled"
      sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
    fi
  fi

  this allows a local admin to disable the sysctl via the regular
  sysctl.d conf approach, but to also make sure we don't inadvertently
  enable it when it is not supported by the kernel.

  This proposed change has been tested via the QA Regression Testing
  project, in particular with the specific test added in
  https://git.launchpad.net/qa-regression-
  testing/commit/?id=6f2c5ab7c8659174adac772ce0e894328bb5045d

  This produces the following output, confirming the fallback works as
  expected on the current mantic kernel (which does not fully support
  the userns restrictions):

  
---

  Running test: './test-apparmor.py' distro: 'Ubuntu 23.10' kernel: '6.5.0-5.5 (Ubuntu 6.5.0-5.5-generic 6.5.0)' arch: 'amd64' init: 'systemd' uid: 0/0 SUDO_USER: 'ubuntu')
  test_unconfined_userns (__main__.ApparmorTest.test_unconfined_userns)
  Test that unconfined userns restrictions are applied ... Skipping private tests

  WARN: kernel rate limiting in effect
  Disabling ratelimiting until the next reboot. To renable, run:
  # sysctl -w kernel.printk_ratelimit=5

  (enabling userns restrictions) (restarting apparmor) (checking userns
  restrictions got disabled) ok

  --
  Ran 1 test in 0.232s

  OK

  
---

  
  Also we can see on a fresh-boot with this new version installed that
  apparmor.service shows it has disabled the sysctl before loading any
  profiles even though the conf file has it enabled - and finally we can
  see that unshare -U works as expected:

  root@sec-mantic-amd64:~# uptime
   07:04:48 up 0 min,  0 user,  load average: 0.00, 0.00, 0.00

  root@sec-mantic-amd64:~# journalctl -b0 --unit apparmor.service --no-pager
  Sep 15 07:04:47 sec-mantic-amd64 systemd[1]: Starting apparmor.service - Load AppArmor profiles...
  Sep 15 07:04:47 sec-mantic-amd64 apparmor.systemd[308]: Restarting AppArmor
  Sep 15 07:04:
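
The state reported in the message above (the sysctl.d conf file enables the restriction, but apparmor.service switches it off at boot because the kernel lacks unconfined userns support) can be detected on a host with a read-only audit. This is an added example, not part of the original message or of the apparmor package; the function names, the ROOT prefix argument, the fixture file name and the simplified sysctl.d precedence are assumptions.

```shell
#!/bin/sh
# Added example: read-only audit of the userns restriction state.
# Every function takes a ROOT prefix; pass "" to inspect the live system.

KEY=kernel.apparmor_restrict_unprivileged_userns
KEY_RE='kernel\.apparmor_restrict_unprivileged_userns'
FEATURE=sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns

# Value requested by the sysctl.d drop-ins, or "unset".
# Simplified precedence (assumption): for files with the same name /etc masks
# /run, which masks /usr/lib; files apply in name order and the last one wins.
# File names containing whitespace and the slash-separated key form are ignored.
configured_value() {
    root=$1
    names=$(for d in etc run usr/lib; do
                for f in "$root/$d/sysctl.d"/*.conf; do
                    if [ -f "$f" ]; then basename "$f"; fi
                done
            done | LC_ALL=C sort -u)
    value=unset
    for n in $names; do
        for d in etc run usr/lib; do
            f="$root/$d/sysctl.d/$n"
            if [ -f "$f" ]; then
                v=$(sed -n "s/^[[:space:]]*-\{0,1\}${KEY_RE}[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$f" | tail -n 1)
                if [ -n "$v" ]; then value=$v; fi
                break   # same-named files in lower-priority directories are masked
            fi
        done
    done
    echo "$value"
}

# Runtime value of the sysctl, read from procfs, or "absent".
runtime_value() {
    f="$1/proc/sys/kernel/apparmor_restrict_unprivileged_userns"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# Kernel support for the unconfined profile mode; a missing file counts as 0,
# matching the fallback logic quoted in the bug description.
feature_value() {
    f="$1/$FEATURE"
    if [ -f "$f" ]; then cat "$f"; else echo 0; fi
}

# Classify the host. First word of the output is the state.
audit_userns() {
    root=$1
    conf=$(configured_value "$root")
    run=$(runtime_value "$root")
    feat=$(feature_value "$root")
    case "$run:$conf:$feat" in
        absent:*:*) state=sysctl-not-present ;;
        1:*:1)      state=enforced ;;
        1:*:*)      state=restricted-without-kernel-support ;;  # what the fallback prevents
        0:1:1)      state=disabled-at-runtime ;;                # conf and runtime disagree
        0:1:*)      state=fallback-disabled ;;                  # the boot log in the message
        0:*:*)      state=disabled ;;
        *)          state=unknown ;;
    esac
    echo "$state configured=$conf runtime=$run unconfined_userns=$feat"
}

# Build a constructed test tree: CONF value, RUNTIME value, FEATURE value
# (empty FEATURE means the securityfs file does not exist).
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/usr/lib/sysctl.d" "$dir/etc/sysctl.d" "$dir/proc/sys/kernel"
    # Constructed drop-in name, not the file shipped by any package.
    printf '%s = %s\n' "$KEY" "$1" > "$dir/usr/lib/sysctl.d/20-example-userns.conf"
    echo "$2" > "$dir/proc/sys/kernel/apparmor_restrict_unprivileged_userns"
    if [ -n "$3" ]; then
        mkdir -p "$dir/$(dirname "$FEATURE")"
        echo "$3" > "$dir/$FEATURE"
    fi
    echo "$dir"
}

# Demo on a constructed tree mirroring the message: conf asks for 1, the
# runtime value is 0 and the kernel feature file is missing.
demo_root=$(make_fixture 1 0 "")
audit_userns "$demo_root"
rm -rf "$demo_root"
```

On a real system, `audit_userns ""` reads /etc, /run, /usr/lib, /proc and securityfs directly; reading the feature file typically needs root.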

[Touch-packages] [Bug 2036128] [NEW] [FFe] enable unprivileged user namespace restrictions by default for mantic

2023-09-14 Thread Alex Murray
Public bug reported:

As per https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-
restrictions-via-apparmor-in-ubuntu-23-10/37626, unprivileged user
namespace restrictions for Ubuntu 23.10 are to be enabled by default via
a sysctl.d conf file in apparmor.

In https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2035315 new
apparmor profiles were added to the apparmor package for various
applications which require unprivileged user namespaces, using a new
unconfined profile mode. To support this an additional change was added
to the mantic kernel in https://git.launchpad.net/~ubuntu-
kernel/ubuntu/+source/linux/+git/mantic/commit?h=master-
next&id=7327726a2dbf571e05f7c095916dcce0347790b4 which is still
currently unreleased.

Without this kernel change, if userns restrictions are enabled the
existing policies added above will not actually work to allow them to be
used by the various applications. As such we need to ensure that userns
restrictions are not enabled via sysctl when this feature is not present
/ enabled.

Whilst it may be possible to capture the dependency logic via `Breaks:`
or similar, this would not help in the case that a user booted into an
older kernel with the new apparmor userspace package.

As such, as well as enabling the sysctl via the sysctl.d conf file, it
is proposed to add logic into the apparmor.service systemd unit to check
that the kernel supports the aforementioned unconfined profile mode and
that it is enabled - and if not then to force disable the userns
restrictions sysctl via the following logic:

userns_restricted=$(sysctl -n kernel.apparmor_restrict_unprivileged_userns)
unconfined_userns=$([ -f /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns ] && cat /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns || echo 0)
if [ -n "$userns_restricted" ] && [ "$userns_restricted" -eq 1 ]; then
  if [ $unconfined_userns -eq 0 ]; then
    # userns restrictions rely on unconfined userns to be supported
    echo "disabling unprivileged userns restrictions since unconfined userns is not supported / enabled"
    sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
  fi
fi


this allows a local admin to disable the sysctl via the regular sysctl.d
conf approach, but to also make sure we don't inadvertently enable it
when it is not supported by the kernel.

** Affects: apparmor (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2036128

Title:
  [FFe] enable unprivileged user namespace restrictions by default for
  mantic

Status in apparmor package in Ubuntu:
  New

Bug description:
  As per https://discourse.ubuntu.com/t/spec-unprivileged-user-
  namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626,
  unprivileged user namespace restrictions for Ubuntu 23.10 are to be
  enabled by default via a sysctl.d conf file in apparmor.

  In https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2035315 new
  apparmor profiles were added to the apparmor package for various
  applications which require unprivileged user namespaces, using a new
  unconfined profile mode. To support this an additional change was
  added to the mantic kernel in https://git.launchpad.net/~ubuntu-
  kernel/ubuntu/+source/linux/+git/mantic/commit?h=master-
  next&id=7327726a2dbf571e05f7c095916dcce0347790b4 which is still
  currently unreleased.

  Without this kernel change, if userns restrictions are enabled the
  existing policies added above will not actually work to allow them to
  be used by the various applications. As such we need to ensure that
  userns restrictions are not enabled via sysctl when this feature is
  not present / enabled.

  Whilst it may be possible to capture the dependency logic via
  `Breaks:` or similar, this would not help in the case that a user
  booted into an older kernel with the new apparmor userspace package.

  As such, as well as enabling the sysctl via the sysctl.d conf file, it
  is proposed to add logic into the apparmor.service systemd unit to
  check that the kernel supports the aforementioned unconfined profile
  mode and that it is enabled - and if not then to force disable the
  userns restrictions sysctl via the following logic:

  userns_restricted=$(sysctl -n kernel.apparmor_restrict_unprivileged_userns)
  unconfined_userns=$([ -f /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns ] && cat /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns || echo 0)
  if [ -n "$userns_restricted" ] && [ "$userns_restricted" -eq 1 ]; then
    if [ $unconfined_userns -eq 0 ]; then
      # userns restrictions rely on unconfined userns to be supported
      echo "disabling unprivileged userns restrictions since unconfined userns is not supported / enabled"
      sysctl -w kernel

[Touch-packages] [Bug 2035315] [NEW] Unprivileged user namespace restrictions break various applications

2023-09-13 Thread Alex Murray
    - /usr/bin/lxc-usernsexec
  - mmdebstrap
    - /usr/bin/mmdebstrap
  - ocproxy
    - /usr/bin/vpnns
  - qt6-webengine
    - /usr/lib/qt6/libexec/QtWebEngineProcess
  - qtwebengine-opensource-src
    - /usr/lib/@{multiarch}/qt5/libexec/QtWebEngineProcess
  - rootlesskit
    - /usr/bin/rootlesskit
  - rpm
    - /usr/bin/rpm
  - runc
    - /usr/sbin/runc


The usage of CLONE_NEWUSER within the following packages was not able to
be analysed fully and so profiles are included for all relevant binaries:

  - rust-virtiofsd
    - /usr/libexec/virtiofsd
  - sbuild
    - /usr/bin/sbuild
    - /usr/bin/sbuild-abort
    - /usr/bin/sbuild-apt
    - /usr/bin/sbuild-checkpackages
    - /usr/bin/sbuild-clean
    - /usr/bin/sbuild-createchroot
    - /usr/bin/sbuild-distupgrade
    - /usr/bin/sbuild-hold
    - /usr/bin/sbuild-shell
    - /usr/bin/sbuild-unhold
    - /usr/bin/sbuild-update
    - /usr/bin/sbuild-upgrade
    - /usr/sbin/sbuild-adduser
    - /usr/sbin/sbuild-destroychroot
  - slirp4netns
    - /usr/bin/slirp4netns
  - stress-ng
    - /usr/bin/stress-ng
  - systemd
  - thunderbird
    - /usr/bin/thunderbird
  - toybox
    - /bin/toybox
  - trinity
    - /usr/bin/trinity
  - tup
    - /usr/bin/tup
  - userbindmount
    - /usr/bin/userbindmount
  - uwsgi
    - /usr/bin/uwsgi-core
  - vdens
    - /usr/bin/vdens

Finally as noted in https://bugs.launchpad.net/ubuntu/+source/linux-
meta-nvidia-5.19/+bug/2017980 the popular third-party application Google
Chrome also requires unprivileged user namespaces:

  - google-chrome
    - /opt/google/chrome/chrome

** Affects: apparmor (Ubuntu)
 Importance: High
 Assignee: Alex Murray (alexmurray)
 Status: Confirmed

** Changed in: apparmor (Ubuntu)
 Assignee: (unassigned) => Alex Murray (alexmurray)

** Changed in: apparmor (Ubuntu)
   Importance: Undecided => High

** Changed in: apparmor (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2035315

Title:
  Unprivileged user namespace restrictions break various applications

Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  When the unprivileged user namespace restrictions are enabled, various
  applications within and outside the Ubuntu archive fail to function,
  as they use unprivileged user namespaces as part of their normal
  operation.

  A search of the Ubuntu archive for the 23.10 release was performed
  looking for all applications that make legitimate use of the
  CLONE_NEWUSER argument, the details of which can be seen in
  
https://docs.google.com/spreadsheets/d/1MOPVoTW0BROF1TxYqoWeJ3c6w2xKElI4w-VjdCG0m9s/edit#gid=2102562502

  For each package identified in that list, an investigation was made to
  determine if the application actually used this as an unprivileged
  user, and if so which of the binaries within the package were
  affected.

  The full investigation can be seen in
  https://warthogs.atlassian.net/browse/SEC-1898 (which is unfortunately
  private) but is summarised to the following list of Ubuntu source
  packages, with the affected binaries as noted. NOTE that due to time
  constraints for some packages it was not possible to finish the
  complete investigation and so for those *all* the binaries from the
  package are listed below.

  For each of these binaries, an apparmor profile is required so that
  the binary can be granted use of unprivileged user namespaces - an
  example profile for the ch-run binary within the charliecloud package
  is shown:

  $ cat /etc/apparmor.d/usr.bin.ch-run 
  abi ,

  include 

  /usr/bin/ch-run flags=(unconfined) {
    userns,

    # Site-specific additions and overrides. See local/README for details.
    include if exists 
  }

  
  However, in a few select cases, it has been decided not to ship an
  apparmor profile, since this would effectively allow this mitigation
  to be bypassed. In particular, the unshare and setns binaries within
  the util-linux package are installed on every Ubuntu system, and allow
  an unprivileged user the ability to launch an arbitrary application
  within a new user namespace. Any malicious application then that
  wished to exploit an unprivileged user namespace to conduct an attack
  on the kernel would simply need to spawn itself via `unshare -U` or
  similar to be granted this permission. Therefore, due to the
  ubiquitous nature of the unshare (and setns) binaries, profiles are
  not planned to be provided for these by default. Similarly, the bwrap
  binary within bubblewrap is also installed by default on Ubuntu
  Desktop 23.10 and can also be used to launch arbitrary binaries within
  a new user namespace and so no profile is planned to be provided for
  this either.

  Those packages for which either a profile is not required or which a
  profile is not planned are listed below, whilst the list of packages
  that require a pro

[Touch-packages] [Bug 2034449] Re: IP phising

2023-09-05 Thread Alex Murray
Thank you for using Ubuntu and taking the time to report a bug. Your
report should contain, at a minimum, the following information so we can
better find the source of the bug and work to resolve it.

Submitting the bug about the proper source package is essential. For
help see https://wiki.ubuntu.com/Bugs/FindRightPackage . Additionally,
in the report please include:

1) The release of Ubuntu you are using, via 'cat /etc/lsb-release' or
   System -> About Ubuntu.
2) The version of the package you are using, via 'dpkg -l PKGNAME | cat'
   or by checking in Synaptic.
3) What happened and what you expected to happen.

The Ubuntu community has also created debugging procedures for a wide
variety of packages at https://wiki.ubuntu.com/DebuggingProcedures .
Following the debugging instructions for the affected package will make
your bug report much more complete. Thanks!


** Information type changed from Private Security to Public

** Changed in: curl (Ubuntu)
   Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to curl in Ubuntu.
https://bugs.launchpad.net/bugs/2034449

Title:
  IP phising

Status in curl package in Ubuntu:
  Invalid

Bug description:
  good afternoon I am writing to you because I have found some serious
  bugs about IPs in Ubuntu... I was trying to access the IPs of several
  different pages through the terminal with the Curl, wget and dig
  commands and I always got the same IP... I put it in the Firefox
  search engine to find out which page it was and the search engine
  warned me that it was a malicious page so naturally I did not enter
  it. The IP is this: 90.169.41.164 so obviously I am suspicious.

  Translated with www.DeepL.com/Translator (free version)

  ProblemType: Bug
  DistroRelease: Ubuntu 23.04
  Package: curl 7.88.1-8ubuntu2.1
  ProcVersionSignature: Ubuntu 6.2.0-32.32-generic 6.2.16
  Uname: Linux 6.2.0-32-generic x86_64
  ApportVersion: 2.26.1-0ubuntu2
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Wed Sep  6 00:00:39 2023
  InstallationDate: Installed on 2023-08-06 (30 days ago)
  InstallationMedia: Ubuntu 23.04 "Lunar Lobster" - Release amd64 (20230418)
  ProcEnviron:
   LANG=es_ES.UTF-8
   PATH=(custom, no user)
   SHELL=/bin/bash
   TERM=xterm-256color
   XDG_RUNTIME_DIR=
  SourcePackage: curl
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/curl/+bug/2034449/+subscriptions




[Touch-packages] [Bug 2034133] Re: i cant update ubuntu

2023-09-05 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/2034133

Title:
  i cant update ubuntu

Status in apt package in Ubuntu:
  New

Bug description:
  sudo apt-get update
  Obj:1 http://es.archive.ubuntu.com/ubuntu lunar InRelease
  Obj:2 https://dl.winehq.org/wine-builds/ubuntu lunar InRelease
  Obj:3 http://es.archive.ubuntu.com/ubuntu lunar-updates InRelease
  Obj:4 http://es.archive.ubuntu.com/ubuntu lunar-backports InRelease
  Obj:5 http://es.archive.ubuntu.com/ubuntu lunar-security InRelease
  Obj:6 http://security.ubuntu.com/ubuntu lunar-security InRelease
  Obj:7 http://es.archive.ubuntu.com/ubuntu lunar-proposed InRelease
  Ign:8 https://ppa.launchpadcontent.net/costales/yaru-colors-folder-color/ubuntu lunar InRelease
  Err:9 https://ppa.launchpadcontent.net/costales/yaru-colors-folder-color/ubuntu lunar Release
    404  Not Found [IP: 185.125.190.52 443]
  Leyendo lista de paquetes... Hecho
  E: El repositorio «https://ppa.launchpadcontent.net/costales/yaru-colors-folder-color/ubuntu lunar Release» no tiene un fichero de Publicación.
  N: No se puede actualizar de un repositorio como este de forma segura y por tanto está deshabilitado por omisión.
  N: Vea la página de manual apt-secure(8) para los detalles sobre la creación de repositorios y la configuración de usuarios.

  ProblemType: Bug
  DistroRelease: Ubuntu 23.04
  Package: apt 2.6.0ubuntu0.1
  ProcVersionSignature: Ubuntu 6.2.0-32.32-generic 6.2.16
  Uname: Linux 6.2.0-32-generic x86_64
  ApportVersion: 2.26.1-0ubuntu2
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Tue Sep  5 12:12:29 2023
  InstallationDate: Installed on 2023-08-06 (29 days ago)
  InstallationMedia: Ubuntu 23.04 "Lunar Lobster" - Release amd64 (20230418)
  ProcEnviron:
   LANG=es_ES.UTF-8
   PATH=(custom, no user)
   SHELL=/bin/bash
   TERM=xterm-256color
   XDG_RUNTIME_DIR=
  SourcePackage: apt
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/2034133/+subscriptions




[Touch-packages] [Bug 2033647] [NEW] When monitor set to 60Hz, "join screens" enabled

2023-08-31 Thread Alex
Public bug reported:

Hello there,

I have Ubuntu 23.04 installed on a Dell XPS 13 9300 with an LG 32" 4K
Ergo Monitor attached as an external display. When I set the "primary
display" at 1080p@60Hz for the LG 32" only with the "secondary display"
of the Dell XPS 13" disabled" and "suspend power" of the Dell XPS 13,
both the "primary display" of the LG 32" and the "secondary display" of
the Dell XPS 13 are both "enabled" when resuming from "power suspend".
Also, the frequency of the "primary display" of the LG 32" is lowered to
30Hz.

If the Ubuntu 23.04 software development team in charge of the X.org
display could rectify the issue regarding the stability of my "primary
display" at 1080p@60Hz during "power suspend" and "power on", that would
be great.


Thanks!

ProblemType: Bug
DistroRelease: Ubuntu 23.04
Package: xorg 1:7.7+23ubuntu2
ProcVersionSignature: Ubuntu 6.2.0-31.31-generic 6.2.15
Uname: Linux 6.2.0-31-generic x86_64
ApportVersion: 2.26.1-0ubuntu2
Architecture: amd64
BootLog: Error: [Errno 13] Permission denied: '/var/log/boot.log'
CasperMD5CheckResult: pass
CompositorRunning: None
CurrentDesktop: ubuntu:GNOME
Date: Thu Aug 31 05:03:37 2023
DistUpgraded: Fresh install
DistroCodename: lunar
DistroVariant: ubuntu
ExtraDebuggingInterest: Yes
GraphicsCard:
 Intel Corporation Iris Plus Graphics G7 [8086:8a52] (rev 07) (prog-if 00 [VGA 
controller])
   Subsystem: Dell Iris Plus Graphics G7 [1028:096d]
InstallationDate: Installed on 2023-05-07 (116 days ago)
InstallationMedia: Ubuntu 23.04 "Lunar Lobster" - Release amd64 (20230418)
MachineType: Dell Inc. XPS 13 9300
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-6.2.0-31-generic 
root=UUID=35826320-1bf8-43d1-831e-3b6e6d6a73e5 ro quiet splash vt.handoff=7
SourcePackage: xorg
Symptom: display
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 07/11/2023
dmi.bios.release: 1.19
dmi.bios.vendor: Dell Inc.
dmi.bios.version: 1.19.0
dmi.board.name: 0Y4GNJ
dmi.board.vendor: Dell Inc.
dmi.board.version: A01
dmi.chassis.type: 10
dmi.chassis.vendor: Dell Inc.
dmi.modalias: 
dmi:bvnDellInc.:bvr1.19.0:bd07/11/2023:br1.19:svnDellInc.:pnXPS139300:pvr:rvnDellInc.:rn0Y4GNJ:rvrA01:cvnDellInc.:ct10:cvr:sku096D:
dmi.product.family: XPS
dmi.product.name: XPS 13 9300
dmi.product.sku: 096D
dmi.sys.vendor: Dell Inc.
version.compiz: compiz N/A
version.libdrm2: libdrm2 2.4.114-1
version.libgl1-mesa-dri: libgl1-mesa-dri 23.0.4-0ubuntu1~23.04.1
version.libgl1-mesa-glx: libgl1-mesa-glx N/A
version.xserver-xorg-core: xserver-xorg-core 2:21.1.7-1ubuntu3
version.xserver-xorg-input-evdev: xserver-xorg-input-evdev N/A
version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:19.1.0-3
version.xserver-xorg-video-intel: xserver-xorg-video-intel 
2:2.99.917+git20210115-1
version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:1.0.17-2build1

** Affects: xorg (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: amd64 apport-bug lunar ubuntu wayland-session

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to xorg in Ubuntu.
https://bugs.launchpad.net/bugs/2033647

Title:
  When monitor set to 60Hz, "join screens" enabled

Status in xorg package in Ubuntu:
  New

Bug description:
  Hello there,

  I have Ubuntu 23.04 installed on a Dell XPS 13 9300 with an LG 32" 4K
  Ergo Monitor attached as an external display. When I set the "primary
  display" at 1080p@60Hz for the LG 32" only with the "secondary
  display" of the Dell XPS 13" disabled" and "suspend power" of the Dell
  XPS 13, both the "primary display" of the LG 32" and the "secondary
  display" of the Dell XPS 13 are both "enabled" when resuming from
  "power suspend". Also, the frequency of the "primary display" of the
  LG 32" is lowered to 30Hz.

  If the Ubuntu 23.04 software development team in charge of the X.org
  display could rectify the issue regarding the stability of my "primary
  display" at 1080p@60Hz during "power suspend" and "power on", that
  would be great.

  
  Thanks!

  ProblemType: Bug
  DistroRelease: Ubuntu 23.04
  Package: xorg 1:7.7+23ubuntu2
  ProcVersionSignature: Ubuntu 6.2.0-31.31-generic 6.2.15
  Uname: Linux 6.2.0-31-generic x86_64
  ApportVersion: 2.26.1-0ubuntu2
  Architecture: amd64
  BootLog: Error: [Errno 13] Permission denied: '/var/log/boot.log'
  CasperMD5CheckResult: pass
  CompositorRunning: None
  CurrentDesktop: ubuntu:GNOME
  Date: Thu Aug 31 05:03:37 2023
  DistUpgraded: Fresh install
  DistroCodename: lunar
  DistroVariant: ubuntu
  ExtraDebuggingInterest: Yes
  GraphicsCard:
   Intel Corporation Iris Plus Graphics G7 [8086:8a52] (rev 07) (prog-if 00 
[VGA controller])
 Subsystem: Dell Iris Plus Graphics G7 [1028:096d]
  InstallationDate: Installed on 2023-05-07 (116 days ago)
  InstallationMedia: Ubuntu 23.04 "Lunar Lobster" - Release amd64 (20230418)
  MachineType: Dell Inc. XPS 13 9300
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-6.2.0-31-generic 
root=UUID=35826320

[Touch-packages] [Bug 2027850] Re: ethernet cable not detected

2023-07-19 Thread alex valin
** Description changed:

  The network card inside my laptop will stop detecting connections after a 
while whithout having an ethernet cable inserted. in the gnome settings, it 
will show that there is no cable conected. The lights on the port on the laptop 
won't light up, but those on the port of the switch will light up when the 
laptop is connected. I got this problem in kernel 5.15, 5.19 and 6.2(ubuntu 
23.04 upgraded from 22.04). the problem won't occur if i use a usb NIC.
  I wasn't able to find a true cause for this, but right after reboot, the 
cable will work with the integrated card.
  
  this is returned when doing ifconfig. as you can see, the card
  transfered some data before not working.
  
  enp1s0f0: flags=4099  mtu 1500
- ether 9c:2d:cd:d4:c6:45  txqueuelen 1000  (Ethernet)
- RX packets 1626450  bytes 2260480956 (2.2 GB)
- RX errors 0  dropped 0  overruns 0  frame 0
- TX packets 348415  bytes 30674255 (30.6 MB)
- TX errors 1  dropped 0 overruns 0  carrier 0  collisions 0
+ ether 9c:2d:cd:d4:c6:45  txqueuelen 1000  (Ethernet)
+ RX packets 1626450  bytes 2260480956 (2.2 GB)
+ RX errors 0  dropped 0  overruns 0  frame 0
+ TX packets 348415  bytes 30674255 (30.6 MB)
+ TX errors 1  dropped 0 overruns 0  carrier 0  collisions 0
  
+ the fix I found was to run the command `sudo systemctl restart systemd-
+ networkd`  to make the interface active again
  
  ProblemType: Bug
  DistroRelease: Ubuntu 23.04
  Package: network-manager 1.42.4-1ubuntu2
  ProcVersionSignature: Ubuntu 6.2.0-25.25-generic 6.2.13
  Uname: Linux 6.2.0-25-generic x86_64
  ApportVersion: 2.26.1-0ubuntu2
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: ubuntu:GNOME
  Date: Sat Jul 15 04:00:21 2023
  InstallationDate: Installed on 2022-12-03 (224 days ago)
  InstallationMedia: Ubuntu 22.04.1 LTS "Jammy Jellyfish" - Release amd64 
(20220809.1)
  IpRoute:
   default via 192.168.2.1 dev enxa0cec8778fcf proto dhcp src 192.168.2.223 
metric 100
   169.254.0.0/16 dev virbr0 scope link metric 1000 linkdown
   192.168.2.0/24 dev enxa0cec8778fcf proto kernel scope link src 192.168.2.223 
metric 100
   192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 
linkdown
  ProcEnviron:
   LANG=en_US.UTF-8
   PATH=(custom, no user)
   SHELL=/bin/bash
   TERM=xterm-256color
   XDG_RUNTIME_DIR=
  SourcePackage: network-manager
  UpgradeStatus: Upgraded to lunar on 2023-07-07 (7 days ago)
  nmcli-nm:
   RUNNING  VERSION  STATE  STARTUP  CONNECTIVITY  NETWORKING  WIFI-HW  
WIFI  WWAN-HW  WWAN
   running  1.42.4   connected  started  full  enabled enabled  
disabled  missing  disabled

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/2027850

Title:
  ethernet cable not detected

Status in network-manager package in Ubuntu:
  New

Bug description:
  The network card inside my laptop will stop detecting connections
  after a while without having an ethernet cable inserted. In the gnome
  settings, it will show that there is no cable connected. The lights on
  the port on the laptop won't light up, but those on the port of the
  switch will light up when the laptop is connected. I got this problem
  in kernel 5.15, 5.19 and 6.2 (ubuntu 23.04 upgraded from 22.04). The
  problem won't occur if I use a usb NIC.
  I wasn't able to find a true cause for this, but right after reboot,
  the cable will work with the integrated card.

  This is returned when doing ifconfig. As you can see, the card
  transferred some data before not working.

  enp1s0f0: flags=4099  mtu 1500
  ether 9c:2d:cd:d4:c6:45  txqueuelen 1000  (Ethernet)
  RX packets 1626450  bytes 2260480956 (2.2 GB)
  RX errors 0  dropped 0  overruns 0  frame 0
  TX packets 348415  bytes 30674255 (30.6 MB)
  TX errors 1  dropped 0 overruns 0  carrier 0  collisions 0

  the fix I found was to run the command `sudo systemctl restart
  systemd-networkd`  to make the interface active again

  ProblemType: Bug
  DistroRelease: Ubuntu 23.04
  Package: network-manager 1.42.4-1ubuntu2
  ProcVersionSignature: Ubuntu 6.2.0-25.25-generic 6.2.13
  Uname: Linux 6.2.0-25-generic x86_64
  ApportVersion: 2.26.1-0ubuntu2
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: ubuntu:GNOME
  Date: Sat Jul 15 04:00:21 2023
  InstallationDate: Installed on 2022-12-03 (224 days ago)
  InstallationMedia: Ubuntu 22.04.1 LTS "Jammy Jellyfish" - Release amd64 
(20220809.1)
  IpRoute:
   default via 192.168.2.1 dev enxa0cec8778fcf proto dhcp src 192.168.2.223 
metric 100
   169.254.0.0/16 dev virbr0 scope link metric 1000 linkdown
   192.168.2.0/24 dev enxa0cec8778fcf proto kernel scope link src 192.168.2.223 
metric 100
   192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 
linkdown
  ProcEnviron:
   L

[Touch-packages] [Bug 2027850] Re: ethernet cable not detected

2023-07-15 Thread alex valin
** Description changed:

- The network card inside my laptop will stop detecting connections after a 
while whithout having an ethernet cable inserted. in the gnome settings, it 
will show that there is no cable conected. The lights on the port on the laptop 
won't light up, but those on the port of the switch will light up when the 
laptop is connected. I got this problem in kernel 5.15, 5.19 and 6.2(ubuntu 
23.04 upgraded from 22.04). the problem won't occur if i use a usb NIC. 
+ The network card inside my laptop will stop detecting connections after a 
while whithout having an ethernet cable inserted. in the gnome settings, it 
will show that there is no cable conected. The lights on the port on the laptop 
won't light up, but those on the port of the switch will light up when the 
laptop is connected. I got this problem in kernel 5.15, 5.19 and 6.2(ubuntu 
23.04 upgraded from 22.04). the problem won't occur if i use a usb NIC.
  I wasn't able to find a true cause for this, but right after reboot, the 
cable will work with the integrated card.
+ 
+ this is returned when doing ifconfig. as you can see, the card
+ transfered some data before not working.
+ 
+ enp1s0f0: flags=4099  mtu 1500
+ ether 9c:2d:cd:d4:c6:45  txqueuelen 1000  (Ethernet)
+ RX packets 1626450  bytes 2260480956 (2.2 GB)
+ RX errors 0  dropped 0  overruns 0  frame 0
+ TX packets 348415  bytes 30674255 (30.6 MB)
+ TX errors 1  dropped 0 overruns 0  carrier 0  collisions 0
+ 
  
  ProblemType: Bug
  DistroRelease: Ubuntu 23.04
  Package: network-manager 1.42.4-1ubuntu2
  ProcVersionSignature: Ubuntu 6.2.0-25.25-generic 6.2.13
  Uname: Linux 6.2.0-25-generic x86_64
  ApportVersion: 2.26.1-0ubuntu2
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: ubuntu:GNOME
  Date: Sat Jul 15 04:00:21 2023
  InstallationDate: Installed on 2022-12-03 (224 days ago)
  InstallationMedia: Ubuntu 22.04.1 LTS "Jammy Jellyfish" - Release amd64 
(20220809.1)
  IpRoute:
-  default via 192.168.2.1 dev enxa0cec8778fcf proto dhcp src 192.168.2.223 
metric 100 
-  169.254.0.0/16 dev virbr0 scope link metric 1000 linkdown 
-  192.168.2.0/24 dev enxa0cec8778fcf proto kernel scope link src 192.168.2.223 
metric 100 
-  192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 
linkdown
+  default via 192.168.2.1 dev enxa0cec8778fcf proto dhcp src 192.168.2.223 
metric 100
+  169.254.0.0/16 dev virbr0 scope link metric 1000 linkdown
+  192.168.2.0/24 dev enxa0cec8778fcf proto kernel scope link src 192.168.2.223 
metric 100
+  192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 
linkdown
  ProcEnviron:
-  LANG=en_US.UTF-8
-  PATH=(custom, no user)
-  SHELL=/bin/bash
-  TERM=xterm-256color
-  XDG_RUNTIME_DIR=
+  LANG=en_US.UTF-8
+  PATH=(custom, no user)
+  SHELL=/bin/bash
+  TERM=xterm-256color
+  XDG_RUNTIME_DIR=
  SourcePackage: network-manager
  UpgradeStatus: Upgraded to lunar on 2023-07-07 (7 days ago)
  nmcli-nm:
-  RUNNING  VERSION  STATE  STARTUP  CONNECTIVITY  NETWORKING  WIFI-HW  
WIFI  WWAN-HW  WWAN 
-  running  1.42.4   connected  started  full  enabled enabled  
disabled  missing  disabled
+  RUNNING  VERSION  STATE  STARTUP  CONNECTIVITY  NETWORKING  WIFI-HW  
WIFI  WWAN-HW  WWAN
+  running  1.42.4   connected  started  full  enabled enabled  
disabled  missing  disabled

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/2027850

Title:
  ethernet cable not detected

Status in network-manager package in Ubuntu:
  New

Bug description:
  The network card inside my laptop will stop detecting connections after a
  while without having an ethernet cable inserted. In the GNOME settings, it
  will show that there is no cable connected. The lights on the port on the
  laptop won't light up, but those on the port of the switch will light up
  when the laptop is connected. I got this problem in kernel 5.15, 5.19 and
  6.2 (Ubuntu 23.04 upgraded from 22.04). The problem won't occur if I use a
  USB NIC.
  I wasn't able to find a true cause for this, but right after reboot, the
  cable will work with the integrated card.

  This is returned when doing ifconfig. As you can see, the card
  transferred some data before not working.

  enp1s0f0: flags=4099  mtu 1500
  ether 9c:2d:cd:d4:c6:45  txqueuelen 1000  (Ethernet)
  RX packets 1626450  bytes 2260480956 (2.2 GB)
  RX errors 0  dropped 0  overruns 0  frame 0
  TX packets 348415  bytes 30674255 (30.6 MB)
  TX errors 1  dropped 0 overruns 0  carrier 0  collisions 0


  ProblemType: Bug
  DistroRelease: Ubuntu 23.04
  Package: network-manager 1.42.4-1ubuntu2
  ProcVersionSignature: Ubuntu 6.2.0-25.25-generic 6.2.13
  Uname: Linux 6.2.0-25-generic x86_64
  ApportVersion: 2.26.1-0ubuntu2
  Architecture: amd64
  CasperMD5CheckResult: pa

[Touch-packages] [Bug 2027850] [NEW] ethernet cable not detected

2023-07-15 Thread alex valin
Public bug reported:

The network card inside my laptop will stop detecting connections after a
while without having an ethernet cable inserted. In the GNOME settings, it
will show that there is no cable connected. The lights on the port on the
laptop won't light up, but those on the port of the switch will light up when
the laptop is connected. I got this problem in kernel 5.15, 5.19 and 6.2
(Ubuntu 23.04 upgraded from 22.04). The problem won't occur if I use a USB NIC.
I wasn't able to find a true cause for this, but right after reboot, the cable
will work with the integrated card.

This is returned when doing ifconfig. As you can see, the card
transferred some data before not working.

enp1s0f0: flags=4099  mtu 1500
ether 9c:2d:cd:d4:c6:45  txqueuelen 1000  (Ethernet)
RX packets 1626450  bytes 2260480956 (2.2 GB)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 348415  bytes 30674255 (30.6 MB)
TX errors 1  dropped 0 overruns 0  carrier 0  collisions 0


ProblemType: Bug
DistroRelease: Ubuntu 23.04
Package: network-manager 1.42.4-1ubuntu2
ProcVersionSignature: Ubuntu 6.2.0-25.25-generic 6.2.13
Uname: Linux 6.2.0-25-generic x86_64
ApportVersion: 2.26.1-0ubuntu2
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Sat Jul 15 04:00:21 2023
InstallationDate: Installed on 2022-12-03 (224 days ago)
InstallationMedia: Ubuntu 22.04.1 LTS "Jammy Jellyfish" - Release amd64 
(20220809.1)
IpRoute:
 default via 192.168.2.1 dev enxa0cec8778fcf proto dhcp src 192.168.2.223 
metric 100
 169.254.0.0/16 dev virbr0 scope link metric 1000 linkdown
 192.168.2.0/24 dev enxa0cec8778fcf proto kernel scope link src 192.168.2.223 
metric 100
 192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown
ProcEnviron:
 LANG=en_US.UTF-8
 PATH=(custom, no user)
 SHELL=/bin/bash
 TERM=xterm-256color
 XDG_RUNTIME_DIR=
SourcePackage: network-manager
UpgradeStatus: Upgraded to lunar on 2023-07-07 (7 days ago)
nmcli-nm:
 RUNNING  VERSION  STATE  STARTUP  CONNECTIVITY  NETWORKING  WIFI-HW  WIFI  
WWAN-HW  WWAN
 running  1.42.4   connected  started  full  enabled enabled  
disabled  missing  disabled

** Affects: network-manager (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: amd64 apport-bug lunar wayland-session

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/2027850

Title:
  ethernet cable not detected

Status in network-manager package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/

[Touch-packages] [Bug 2026227] [NEW] Backport 4.0 ABI for AppArmor 3 in mantic

2023-07-05 Thread Alex Murray
Public bug reported:

To support the use of AppArmor policies that specify features like
userns, add the new 4.0 ABI from upstream
https://gitlab.com/apparmor/apparmor/-/merge_requests/1061.

Note this should not be enabled by default (as the existing AppArmor
profiles have not been updated to account for this) but it will allow
easier testing of profiles that want to support this new ABI.

Also note this ABI is identical to that provided by the kernel in mantic
and lunar currently:

# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu Mantic Minotaur (development branch)
Release:        23.10
Codename:       mantic
# uname -a
Linux sec-mantic-amd64 6.3.0-7-generic #7-Ubuntu SMP PREEMPT_DYNAMIC Thu Jun  8 16:02:30 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
# diff /etc/apparmor.d/abi/4.0 <(aa-features-abi -x)
# md5sum /etc/apparmor.d/abi/4.0 <(aa-features-abi -x)
f17b0a97806d733b5b884d8a1c2fea37  /etc/apparmor.d/abi/4.0
f17b0a97806d733b5b884d8a1c2fea37  /dev/fd/63

** Affects: apparmor (Ubuntu)
 Importance: Undecided
 Assignee: Alex Murray (alexmurray)
 Status: New

** Affects: apparmor (Ubuntu Mantic)
 Importance: Undecided
 Assignee: Alex Murray (alexmurray)
 Status: New

** Changed in: apparmor (Ubuntu)
 Assignee: (unassigned) => Alex Murray (alexmurray)

** Also affects: apparmor (Ubuntu Mantic)
   Importance: Undecided
 Assignee: Alex Murray (alexmurray)
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2026227

Title:
  Backport 4.0 ABI for AppArmor 3 in mantic

Status in apparmor package in Ubuntu:
  New
Status in apparmor source package in Mantic:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2026227/+subscriptions




[Touch-packages] [Bug 2024637] Re: apparmor.service tries to load snapd generated apparmor profiles but fails

2023-06-29 Thread Alex Murray
** Patch added: "bionic debdiff with corrected version number"
   
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2024637/+attachment/5682930/+files/apparmor_2.12-4ubuntu5.3.debdiff

** Patch removed: "debdiff for bionic"
   
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2024637/+attachment/5682828/+files/apparmor_2.12-4ubuntu5.2.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2024637

Title:
  apparmor.service tries to load snapd generated apparmor profiles but
  fails

Status in apparmor package in Ubuntu:
  New
Status in snapd package in Ubuntu:
  New
Status in apparmor source package in Xenial:
  In Progress
Status in snapd source package in Xenial:
  New
Status in apparmor source package in Bionic:
  In Progress
Status in snapd source package in Bionic:
  New

Bug description:
  As of snapd 2.60, when installed as a snap, snapd includes its own
  vendored apparmor_parser and configuration. As such, it generates
  profiles using newer apparmor features than the system installed
  apparmor may support.

  This is seen as a failure to load the apparmor.service at boot once
  this new snapd snap with the vendored apparmor is installed:

  root@sec-bionic-amd64:~# systemctl status apparmor
  ● apparmor.service - AppArmor initialization
     Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Thu 2023-06-22 06:51:32 UTC; 8min ago
       Docs: man:apparmor(7)
             http://wiki.apparmor.net/
   Main PID: 1590 (code=exited, status=123)

  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.lib.snapd.snap-confine.real in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.lib.snapd.snap-confine.real in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.19567 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.19567 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]:...fail!
  Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: apparmor.service: Main process exited, code=exited, status=123/n/a
  Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: apparmor.service: Failed with result 'exit-code'.
  Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: Failed to start AppArmor initialization.

  root@sec-bionic-amd64:~# snap version
  snap    2.60
  snapd   2.60
  series  16
  ubuntu  18.04
  kernel  4.15.0-212-generic
  root@sec-bionic-amd64:~# snap debug sandbox-features --required \
  apparmor:parser:snapd-internal && echo snapd has internal vendored apparmor
  snapd has internal vendored apparmor

  In LP: #1871148 apparmor was updated in focal+ to stop loading apparmor
  profiles generated by snapd as since snapd 2.44.3 it has shipped the
  snapd.apparmor.service unit which loads its apparmor profiles on boot.

  apparmor in bionic and xenial should be updated to stop loading snapd
  generated apparmor profiles and instead leave this up to
  snapd.apparmor.service.


  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: apparmor 2.12-4ubuntu5.1
  ProcVersionSignature: Ubuntu 4.15.0-212.223-generic 4.15.18
  Uname: Linux 4.15.0-212-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.29
  Architecture: amd64
  Date: Thu Jun 22 06:52:02 2023
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-4.15.0-212-generic 
root=UUID=da79cdd1-11be-4719-8482-46ce30623eaa ro quiet splash console=tty1 
console=ttyS0 vt.handoff=1
  PstreeP: Error: [Errno 2] No such file or directory: '/usr/bin/pstree': 
'/usr/bin/pstree'
  SourcePackage: apparmor
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2024637/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
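
The journal excerpt in the bug description above can be triaged mechanically. The following is an added example, not part of the original report and not code from AppArmor or snapd: it re-joins the mail-wrapped journal lines, extracts each "AppArmor parser error" record, and reports whether every failure comes from a snapd-generated file under /var/lib/snapd/apparmor/. The function and constant names are hypothetical; the sample lines are copied from the excerpt above.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Journal lines copied from the bug report, still wrapped the way the mail
# archive wrapped them (one duplicate record kept on purpose).
SAMPLE_JOURNAL = """\
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for
/etc/apparmor.d/usr.lib.snapd.snap-confine.real in
/var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in
/etc/apparmor.d/disable: usr.sbin.rsyslogd
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for
/var/lib/snapd/apparmor/profiles/snap-confine.snapd.19567 in
/var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for
/var/lib/snapd/apparmor/profiles/snap-confine.snapd.19567 in
/var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
  Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: apparmor.service: Failed with
result 'exit-code'.
"""

# Directory named in the report as holding snapd-generated policy.
SNAPD_APPARMOR_DIR = "/var/lib/snapd/apparmor/"

# A new journal record starts with a syslog-style timestamp.
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")

# Message layout as shown in the report; "in profile" is tolerated as well
# because some parser versions print that form.
PARSER_ERROR = re.compile(
    r"apparmor\[\d+\]: AppArmor parser error for (?P<profile>\S+)"
    r" in (?:profile )?(?P<source>\S+) at line (?P<line>\d+): (?P<message>.+)$"
)
INVALID_CAP = re.compile(r"Invalid capability (\w+)")


@dataclass(frozen=True)
class ParserError:
    profile: str   # profile file the parser was loading
    source: str    # file in which the offending rule was found
    line: int
    message: str

    @property
    def capability(self) -> Optional[str]:
        """Capability name the parser rejected, if that was the error."""
        m = INVALID_CAP.search(self.message)
        return m.group(1) if m else None

    @property
    def snapd_generated(self) -> bool:
        """True when the offending rule lives in snapd-generated policy."""
        return self.source.startswith(SNAPD_APPARMOR_DIR)


def unwrap(text: str) -> List[str]:
    """Re-join records that a mail client or pager wrapped across lines."""
    records: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TIMESTAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line  # continuation of the previous record
    return records


def parse_errors(records: List[str]) -> Counter:
    """Count distinct parser errors; boot logs usually repeat each one."""
    errors: Counter = Counter()
    for record in records:
        m = PARSER_ERROR.search(record)
        if m:
            errors[ParserError(m["profile"], m["source"],
                               int(m["line"]), m["message"])] += 1
    return errors


def triage(text: str) -> dict:
    """Summarise an apparmor.service journal excerpt for the on-call engineer."""
    records = unwrap(text)
    errors = parse_errors(records)
    return {
        "unit_failed": any("apparmor.service: Failed with result" in r
                           for r in records),
        "capabilities": sorted({e.capability for e in errors if e.capability}),
        "profiles": sorted({e.profile for e in errors}),
        # Only then does the failure match this bug rather than a local
        # profile error that needs fixing in /etc/apparmor.d.
        "all_from_snapd": bool(errors) and all(e.snapd_generated for e in errors),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_JOURNAL).items():
        print(f"{key}: {value}")
```
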


[Touch-packages] [Bug 2024637] Re: apparmor.service tries to load snapd generated apparmor profiles but fails

2023-06-29 Thread Alex Murray
It turns out there was already an upload of apparmor 2.12-4ubuntu5.2 to
bionic-proposed that got rejected
(https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1703821/comments/15),
so this update will instead need to skip this version number and use
2.12-4ubuntu5.3 instead.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2024637

Title:
  apparmor.service tries to load snapd generated apparmor profiles but
  fails

Status in apparmor package in Ubuntu:
  New
Status in snapd package in Ubuntu:
  New
Status in apparmor source package in Xenial:
  In Progress
Status in snapd source package in Xenial:
  New
Status in apparmor source package in Bionic:
  In Progress
Status in snapd source package in Bionic:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2024637/+subscriptions




[Touch-packages] [Bug 2024637] Re: apparmor.service tries to load snapd generated apparmor profiles but fails

2023-06-29 Thread Alex Murray
** Patch added: "xenial debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2024637/+attachment/5682832/+files/apparmor_2.10.95-0ubuntu2.12.debdiff

** Changed in: apparmor (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: apparmor (Ubuntu Bionic)
   Importance: Undecided => High

** Changed in: apparmor (Ubuntu Xenial)
 Assignee: (unassigned) => Alex Murray (alexmurray)

** Changed in: apparmor (Ubuntu Bionic)
 Assignee: (unassigned) => Alex Murray (alexmurray)

** Changed in: apparmor (Ubuntu Xenial)
   Status: New => In Progress

** Changed in: apparmor (Ubuntu Bionic)
   Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2024637

Title:
  apparmor.service tries to load snapd generated apparmor profiles but
  fails

Status in apparmor package in Ubuntu:
  New
Status in snapd package in Ubuntu:
  New
Status in apparmor source package in Xenial:
  In Progress
Status in snapd source package in Xenial:
  New
Status in apparmor source package in Bionic:
  In Progress
Status in snapd source package in Bionic:
  New

To manage notificatio

[Touch-packages] [Bug 2024637] Re: apparmor.service tries to load snapd generated apparmor profiles but fails

2023-06-29 Thread Alex Murray
** Patch added: "debdiff for bionic"
   
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2024637/+attachment/5682828/+files/apparmor_2.12-4ubuntu5.2.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2024637

Title:
  apparmor.service tries to load snapd generated apparmor profiles but
  fails

Status in apparmor package in Ubuntu:
  New
Status in snapd package in Ubuntu:
  New
Status in apparmor source package in Xenial:
  New
Status in snapd source package in Xenial:
  New
Status in apparmor source package in Bionic:
  New
Status in snapd source package in Bionic:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2024637/+subscriptions




[Touch-packages] [Bug 2024637] Re: apparmor.service tries to load snapd generated apparmor profiles but fails

2023-06-22 Thread Alex Murray
A possible fix on the snapd side is being prepared in tandem in
https://github.com/snapcore/snapd/pull/12909

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2024637

Title:
  apparmor.service tries to load snapd generated apparmor profiles but
  fails

Status in apparmor package in Ubuntu:
  New
Status in snapd package in Ubuntu:
  New
Status in apparmor source package in Xenial:
  New
Status in snapd source package in Xenial:
  New
Status in apparmor source package in Bionic:
  New
Status in snapd source package in Bionic:
  New

Bug description:
  As of snapd 2.60, when installed as a snap, snapd includes its own
  vendored apparmor_parser and configuration. As such, it generates
  profiles using newer apparmor features than the system installed
  apparmor may support.

  This is seen as a failure to load the apparmor.service at boot once
  this new snapd snap with the vendored apparmor is installed:

  root@sec-bionic-amd64:~# systemctl status apparmor
  ● apparmor.service - AppArmor initialization
     Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Thu 2023-06-22 06:51:32 UTC; 8min ago
       Docs: man:apparmor(7)
             http://wiki.apparmor.net/
   Main PID: 1590 (code=exited, status=123)

  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.lib.snapd.snap-confine.real in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.lib.snapd.snap-confine.real in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.19567 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.19567 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]:...fail!
  Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: apparmor.service: Main process exited, code=exited, status=123/n/a
  Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: apparmor.service: Failed with result 'exit-code'.
  Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: Failed to start AppArmor initialization.

  root@sec-bionic-amd64:~# snap version
  snap    2.60
  snapd   2.60
  series  16
  ubuntu  18.04
  kernel  4.15.0-212-generic
  root@sec-bionic-amd64:~# snap debug sandbox-features --required \
  apparmor:parser:snapd-internal && echo snapd has internal vendored apparmor
  snapd has internal vendored apparmor

  In LP: #1871148 apparmor was updated in focal+ to stop loading apparmor
  profiles generated by snapd as since snapd 2.44.3 it has shipped the
  snapd.apparmor.service unit which loads its apparmor profiles on boot.

  apparmor in bionic and xenial should be updated to stop loading snapd
  generated apparmor profiles and instead leave this up to
  snapd.apparmor.service.


  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: apparmor 2.12-4ubuntu5.1
  ProcVersionSignature: Ubuntu 4.15.0-212.223-generic 4.15.18
  Uname: Linux 4.15.0-212-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.29
  Architecture: amd64
  Date: Thu Jun 22 06:52:02 2023
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-4.15.0-212-generic 
root=UUID=da79cdd1-11be-4719-8482-46ce30623eaa ro quiet splash console=tty1 
console=ttyS0 vt.handoff=1
  PstreeP: Error: [Errno 2] No such file or directory: '/usr/bin/pstree': 
'/usr/bin/pstree'
  SourcePackage: apparmor
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2024637/+subscriptions
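
The failure signature in the report above, turned into a triage check. This is an added example, not code from the bug report, apparmor or snapd. It parses apparmor.service journal lines and separates parser errors that originate in snapd-generated files from errors in other profiles. Treating everything under /var/lib/snapd/apparmor as snapd-generated is an assumption drawn from the paths in the log, and the one "local" error line is constructed for contrast.

```python
import posixpath
import re
from collections import Counter, namedtuple

# Journal lines from the report above, with the mail wrapping rejoined.
SAMPLE_JOURNAL = [
    "Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.lib.snapd.snap-confine.real in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.",
    "Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd",
    "Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.lib.snapd.snap-confine.real in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.",
    "Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd",
    "Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.19567 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.",
    "Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.19567 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.",
    "Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]:...fail!",
    "Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: apparmor.service: Main process exited, code=exited, status=123/n/a",
    "Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: apparmor.service: Failed with result 'exit-code'.",
    "Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: Failed to start AppArmor initialization.",
]

# Constructed line (not from the report): a parser error in a locally
# maintained profile, which needs fixing on the host rather than in snapd.
CONSTRUCTED_LOCAL_ERROR = (
    "Jun 22 06:51:32 host apparmor[1590]: AppArmor parser error for "
    "/etc/apparmor.d/usr.sbin.example in /etc/apparmor.d/usr.sbin.example "
    "at line 7: syntax error"
)

# Assumption: files below this directory are written by snapd.
SNAPD_APPARMOR_DIR = "/var/lib/snapd/apparmor"

# Message layout as printed by the system parser in the report.
PARSER_ERROR = re.compile(
    r"AppArmor parser error for (?P<profile>\S+) in (?P<source>\S+) "
    r"at line (?P<line>\d+): (?P<message>.*)$"
)
INVALID_CAPABILITY = re.compile(r"Invalid capability (\w+)\.?")

ParserError = namedtuple("ParserError", "profile source line message")


def is_snapd_generated(path):
    """True when the path lies inside snapd's AppArmor directory."""
    norm = posixpath.normpath(path)
    return norm == SNAPD_APPARMOR_DIR or norm.startswith(SNAPD_APPARMOR_DIR + "/")


def parse_parser_errors(lines):
    """Extract parser errors; 'Skipping profile' and systemd lines are ignored."""
    errors = []
    for raw in lines:
        m = PARSER_ERROR.search(raw)
        if m:
            errors.append(ParserError(m["profile"], m["source"],
                                      int(m["line"]), m["message"].strip()))
    return errors


def triage(lines):
    """Bucket errors by origin and collect capabilities the parser rejected."""
    snapd, system, capabilities = Counter(), Counter(), set()
    for err in parse_parser_errors(lines):
        from_snapd = is_snapd_generated(err.profile) or is_snapd_generated(err.source)
        (snapd if from_snapd else system)[(err.profile, err.source)] += 1
        cap = INVALID_CAPABILITY.fullmatch(err.message)
        if cap:
            capabilities.add(cap.group(1))
    return {
        "snapd": snapd,
        "system": system,
        "unsupported_capabilities": capabilities,
        # Signature of this bug: the unit failed only because of snapd's files.
        "matches_report": bool(snapd) and not system,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_JOURNAL)
    for (profile, source), count in sorted(result["snapd"].items()):
        print(f"snapd-generated: {profile} (error in {source}) x{count}")
    print("unsupported capabilities:", sorted(result["unsupported_capabilities"]))
    print("matches report signature:", result["matches_report"])
```

When `matches_report` is false because the `system` bucket is non-empty, the unit would still fail after snapd's profiles are excluded, so those entries need attention on the host itself.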




[Touch-packages] [Bug 2024637] Re: apparmor.service tries to load snapd generated apparmor profiles but fails

2023-06-22 Thread Alex Murray
** Also affects: snapd (Ubuntu)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2024637

Title:
  apparmor.service tries to load snapd generated apparmor profiles but
  fails

Status in apparmor package in Ubuntu:
  New
Status in snapd package in Ubuntu:
  New
Status in apparmor source package in Xenial:
  New
Status in snapd source package in Xenial:
  New
Status in apparmor source package in Bionic:
  New
Status in snapd source package in Bionic:
  New



[Touch-packages] [Bug 2024637] Re: apparmor.service tries to load snapd generated apparmor profiles but fails

2023-06-22 Thread Alex Murray
** Also affects: apparmor (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: apparmor (Ubuntu Bionic)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2024637

Title:
  apparmor.service tries to load snapd generated apparmor profiles but
  fails

Status in apparmor package in Ubuntu:
  New
Status in apparmor source package in Xenial:
  New
Status in apparmor source package in Bionic:
  New



[Touch-packages] [Bug 2024637] [NEW] apparmor.service tries to load snapd generated apparmor profiles but fails

2023-06-22 Thread Alex Murray
Public bug reported:

As of snapd 2.60, when installed as a snap, snapd includes its own
vendored apparmor_parser and configuration. As such, it generates
profiles using newer apparmor features than the system installed
apparmor may support.

This is seen as a failure to load the apparmor.service at boot once this
new snapd snap with the vendored apparmor is installed:

root@sec-bionic-amd64:~# systemctl status apparmor
● apparmor.service - AppArmor initialization
   Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2023-06-22 06:51:32 UTC; 8min ago
     Docs: man:apparmor(7)
           http://wiki.apparmor.net/
 Main PID: 1590 (code=exited, status=123)

Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.lib.snapd.snap-confine.real in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.lib.snapd.snap-confine.real in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.19567 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.19567 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]:...fail!
Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: apparmor.service: Main process exited, code=exited, status=123/n/a
Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: apparmor.service: Failed with result 'exit-code'.
Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: Failed to start AppArmor initialization.

root@sec-bionic-amd64:~# snap version
snap    2.60
snapd   2.60
series  16
ubuntu  18.04
kernel  4.15.0-212-generic
root@sec-bionic-amd64:~# snap debug sandbox-features --required \
apparmor:parser:snapd-internal && echo snapd has internal vendored apparmor
snapd has internal vendored apparmor


In LP: #1871148 apparmor was updated in focal+ to stop loading apparmor 
profiles generated by snapd as since snapd 2.44.3 it has shipped the 
snapd.apparmor.service unit which loads its apparmor profiles on boot.

apparmor in bionic and xenial should be updated to stop loading snapd
generated apparmor profiles and instead leave this up to
snapd.apparmor.service.


ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: apparmor 2.12-4ubuntu5.1
ProcVersionSignature: Ubuntu 4.15.0-212.223-generic 4.15.18
Uname: Linux 4.15.0-212-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.29
Architecture: amd64
Date: Thu Jun 22 06:52:02 2023
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-4.15.0-212-generic 
root=UUID=da79cdd1-11be-4719-8482-46ce30623eaa ro quiet splash console=tty1 
console=ttyS0 vt.handoff=1
PstreeP: Error: [Errno 2] No such file or directory: '/usr/bin/pstree': 
'/usr/bin/pstree'
SourcePackage: apparmor
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: apparmor (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: amd64 apport-bug bionic

** Description changed:

  As of snapd 2.60, when installed as a snap, snapd includes its own
  vendored apparmor_parser and configuration. As such, it generates
  profiles using newer apparmor features than the system installed
  apparmor may support.
  
- In LP: #1871148 apparmor was updated in focal+ to stop loading apparmor
- profiles generated by snapd as since snapd 2.44.3 it has shipped the
- snapd.apparmor.service unit which loads its apparmor profiles on boot.
+ This is seen as a failure to load the apparmor.service at boot once this
+ new snapd snap with the vendored apparmor is installed:
+ 
+ root@sec-bionic-amd64:~# systemctl status apparmor
+ ● apparmor.service - AppArmor initialization
+Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor 
preset: enabled)
+Active: failed (Result: exit-code) since Thu 2023-06-22 06:51:32 UTC; 8min 
ago
+  Docs: man:apparmor(7)
+http://wiki.apparmor.net/
+  Main PID: 1590 (code=exited, status=123)
+ 
+ Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for 
/etc/apparmor.d/usr.lib.snapd.snap-confine.real in 
/var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
+ Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in 
/etc/apparmor.d/disable: usr

[Touch-packages] [Bug 2022824] Re: random blue/pink frames in the desktop

2023-06-03 Thread alex valin
** Description changed:

  I am running a fresh install of ubuntu 22.04 with kde-plasma-desktop.
  every 1-2 minutes, there will be a random blue/pink frame(i'm not sure
  of the color because it only appears for a short time). I don't get this
  problem in fullscreen games running with dxvk and the random frames
  didn't show when I recorded my desktop with obs studio. I also got this
- problem in gnome(on wayland). When I have a dxvk game running, I don't
- get this issue.
+ problem in gnome(on wayland). When I have a dxvk game running or when I
+ have 2 monitors connected, I don't get this issue. One thing to note is
+ that when I have 2 monitors connected, my gpu will boost its vram clock
+ to 2000mhz.
  
  what I tried:
  -rebooting
  -updating
  -disabling blur in kde settings
  -lowering my refresh rate from 144hz to 120hz
  
  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: xorg 1:7.7+23ubuntu2
  ProcVersionSignature: Ubuntu 5.19.0-43.44~22.04.1-generic 5.19.17
  Uname: Linux 5.19.0-43-generic x86_64
  ApportVersion: 2.20.11-0ubuntu82.5
  Architecture: amd64
  BootLog: Error: [Errno 13] Permission denied: '/var/log/boot.log'
  CasperMD5CheckResult: unknown
  CompositorRunning: None
  CurrentDesktop: KDE
  Date: Sat Jun  3 00:45:32 2023
  DistUpgraded: Fresh install
  DistroCodename: jammy
  DistroVariant: ubuntu
  ExtraDebuggingInterest: Yes, if not too technical
  GraphicsCard:
-  Advanced Micro Devices, Inc. [AMD/ATI] Navi 22 [Radeon RX 6700/6700 XT / 
6800M] [1002:73df] (rev c1) (prog-if 00 [VGA controller])
-Subsystem: ASUSTeK Computer Inc. Navi 22 [Radeon RX 6700/6700 XT / 6800M] 
[1043:05d7]
+  Advanced Micro Devices, Inc. [AMD/ATI] Navi 22 [Radeon RX 6700/6700 XT / 
6800M] [1002:73df] (rev c1) (prog-if 00 [VGA controller])
+    Subsystem: ASUSTeK Computer Inc. Navi 22 [Radeon RX 6700/6700 XT / 6800M] 
[1043:05d7]
  InstallationDate: Installed on 2023-06-01 (1 days ago)
  InstallationMedia: Ubuntu 22.04.2 LTS "Jammy Jellyfish" - Release amd64 
(20230223)
  MachineType: To Be Filled By O.E.M. To Be Filled By O.E.M.
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.19.0-43-generic 
root=UUID=ca576fb0-08b4-45d8-aadd-83e9df696ff2 ro quiet splash vt.handoff=7
  SourcePackage: xorg
  Symptom: display
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 05/10/2021
  dmi.bios.release: 5.17
  dmi.bios.vendor: American Megatrends Inc.
  dmi.bios.version: P2.80
  dmi.board.name: B450M Pro4-F
  dmi.board.vendor: ASRock
  dmi.chassis.asset.tag: To Be Filled By O.E.M.
  dmi.chassis.type: 3
  dmi.chassis.vendor: To Be Filled By O.E.M.
  dmi.chassis.version: To Be Filled By O.E.M.
  dmi.modalias: 
dmi:bvnAmericanMegatrendsInc.:bvrP2.80:bd05/10/2021:br5.17:svnToBeFilledByO.E.M.:pnToBeFilledByO.E.M.:pvrToBeFilledByO.E.M.:rvnASRock:rnB450MPro4-F:rvr:cvnToBeFilledByO.E.M.:ct3:cvrToBeFilledByO.E.M.:skuToBeFilledByO.E.M.:
  dmi.product.family: To Be Filled By O.E.M.
  dmi.product.name: To Be Filled By O.E.M.
  dmi.product.sku: To Be Filled By O.E.M.
  dmi.product.version: To Be Filled By O.E.M.
  dmi.sys.vendor: To Be Filled By O.E.M.
  version.compiz: compiz N/A
  version.libdrm2: libdrm2 2.4.113-2~ubuntu0.22.04.1
  version.libgl1-mesa-dri: libgl1-mesa-dri 22.2.5-0ubuntu0.1~22.04.1
  version.libgl1-mesa-glx: libgl1-mesa-glx N/A
  version.xserver-xorg-core: xserver-xorg-core 2:21.1.4-2ubuntu1.7~22.04.1
  version.xserver-xorg-input-evdev: xserver-xorg-input-evdev N/A
  version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:19.1.0-2ubuntu1
  version.xserver-xorg-video-intel: xserver-xorg-video-intel 
2:2.99.917+git20210115-1
  version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 
1:1.0.17-2build1

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to xorg in Ubuntu.
https://bugs.launchpad.net/bugs/2022824

Title:
  random blue/pink frames in the desktop

Status in xorg package in Ubuntu:
  New

Bug description:
  I am running a fresh install of Ubuntu 22.04 with kde-plasma-desktop.
  Every 1-2 minutes, there will be a random blue/pink frame (I'm not sure
  of the color because it only appears for a short time). I don't get
  this problem in fullscreen games running with dxvk and the random
  frames didn't show when I recorded my desktop with OBS Studio. I also
  got this problem in GNOME (on Wayland). When I have a dxvk game running
  or when I have 2 monitors connected, I don't get this issue. One thing
  to note is that when I have 2 monitors connected, my GPU will boost
  its VRAM clock to 2000 MHz.

  what I tried:
  -rebooting
  -updating
  -disabling blur in kde settings
  -lowering my refresh rate from 144hz to 120hz

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: xorg 1:7.7+23ubuntu2
  ProcVersionSignature: Ubuntu 5.19.0-43.44~22.04.1-generic 5.19.17
  Uname: Linux 5.19.0-43-generic x86_64
  ApportVersion: 2.20.11-0ubuntu82.5
  Architecture: amd64
  BootLog: Error: [Errno 13] Permi

[Touch-packages] [Bug 2022824] [NEW] random blue/pink frames in the desktop

2023-06-02 Thread alex valin
Public bug reported:

I am running a fresh install of Ubuntu 22.04 with kde-plasma-desktop.
Every 1-2 minutes, there will be a random blue/pink frame (I'm not sure
of the color because it only appears for a short time). I don't get this
problem in fullscreen games running with dxvk and the random frames
didn't show when I recorded my desktop with OBS Studio. I also got this
problem in GNOME (on Wayland). When I have a dxvk game running, I don't
get this issue.

What I tried:
- rebooting
- updating
- disabling blur in KDE settings
- lowering my refresh rate from 144 Hz to 120 Hz

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: xorg 1:7.7+23ubuntu2
ProcVersionSignature: Ubuntu 5.19.0-43.44~22.04.1-generic 5.19.17
Uname: Linux 5.19.0-43-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.5
Architecture: amd64
BootLog: Error: [Errno 13] Permission denied: '/var/log/boot.log'
CasperMD5CheckResult: unknown
CompositorRunning: None
CurrentDesktop: KDE
Date: Sat Jun  3 00:45:32 2023
DistUpgraded: Fresh install
DistroCodename: jammy
DistroVariant: ubuntu
ExtraDebuggingInterest: Yes, if not too technical
GraphicsCard:
 Advanced Micro Devices, Inc. [AMD/ATI] Navi 22 [Radeon RX 6700/6700 XT / 
6800M] [1002:73df] (rev c1) (prog-if 00 [VGA controller])
   Subsystem: ASUSTeK Computer Inc. Navi 22 [Radeon RX 6700/6700 XT / 6800M] 
[1043:05d7]
InstallationDate: Installed on 2023-06-01 (1 days ago)
InstallationMedia: Ubuntu 22.04.2 LTS "Jammy Jellyfish" - Release amd64 
(20230223)
MachineType: To Be Filled By O.E.M. To Be Filled By O.E.M.
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.19.0-43-generic 
root=UUID=ca576fb0-08b4-45d8-aadd-83e9df696ff2 ro quiet splash vt.handoff=7
SourcePackage: xorg
Symptom: display
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 05/10/2021
dmi.bios.release: 5.17
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: P2.80
dmi.board.name: B450M Pro4-F
dmi.board.vendor: ASRock
dmi.chassis.asset.tag: To Be Filled By O.E.M.
dmi.chassis.type: 3
dmi.chassis.vendor: To Be Filled By O.E.M.
dmi.chassis.version: To Be Filled By O.E.M.
dmi.modalias: 
dmi:bvnAmericanMegatrendsInc.:bvrP2.80:bd05/10/2021:br5.17:svnToBeFilledByO.E.M.:pnToBeFilledByO.E.M.:pvrToBeFilledByO.E.M.:rvnASRock:rnB450MPro4-F:rvr:cvnToBeFilledByO.E.M.:ct3:cvrToBeFilledByO.E.M.:skuToBeFilledByO.E.M.:
dmi.product.family: To Be Filled By O.E.M.
dmi.product.name: To Be Filled By O.E.M.
dmi.product.sku: To Be Filled By O.E.M.
dmi.product.version: To Be Filled By O.E.M.
dmi.sys.vendor: To Be Filled By O.E.M.
version.compiz: compiz N/A
version.libdrm2: libdrm2 2.4.113-2~ubuntu0.22.04.1
version.libgl1-mesa-dri: libgl1-mesa-dri 22.2.5-0ubuntu0.1~22.04.1
version.libgl1-mesa-glx: libgl1-mesa-glx N/A
version.xserver-xorg-core: xserver-xorg-core 2:21.1.4-2ubuntu1.7~22.04.1
version.xserver-xorg-input-evdev: xserver-xorg-input-evdev N/A
version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:19.1.0-2ubuntu1
version.xserver-xorg-video-intel: xserver-xorg-video-intel 
2:2.99.917+git20210115-1
version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:1.0.17-2build1

** Affects: xorg (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: amd64 apport-bug corruption jammy kubuntu ubuntu

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to xorg in Ubuntu.
https://bugs.launchpad.net/bugs/2022824

Title:
  random blue/pink frames in the desktop

Status in xorg package in Ubuntu:
  New


[Touch-packages] [Bug 401935] Re: aa-genprof fails if profiles are in a subdirectory of /etc/apparmor.d

2023-05-25 Thread Alex Phillips

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/401935

Title:
  aa-genprof fails if profiles are in a subdirectory of /etc/apparmor.d

Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  Binary package hint: apparmor

  aa-genprof fails if there are profiles in a subdirectory of
  /etc/apparmor.d.

  Reproducer:

  $ sudo mkdir /etc/apparmor.d/foo
  $ sudo cp /etc/apparmor.d/usr.sbin.cupsd /etc/apparmor.d/foo
  $ sudo aa-genprof /usr/bin/gedit

  include  contains syntax errors.

  ProblemType: Bug
  ApparmorStatusOutput:
   Error: command /usr/sbin/apparmor_status failed with exit code 4: You do not 
have enough privilege to read the profile set.
   apparmor module is loaded.
  Architecture: amd64
  Date: Mon Jul 20 16:12:57 2009
  DistroRelease: Ubuntu 9.10
  Package: apparmor 2.3.1+1403-0ubuntu5
  ProcEnviron:
   PATH=(custom, user)
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  ProcVersionSignature: Ubuntu 2.6.31-3.19-generic
  SourcePackage: apparmor
  Uname: Linux 2.6.31-3-generic x86_64

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/401935/+subscriptions




[Touch-packages] [Bug 1926014] Re: simple-scan is trying to start disabled avahi-daemon.service

2023-05-04 Thread Alex Hofmann
The report is now 2 years old, so I'm not sure if anyone will still read
or follow this, but I don't think it's related to policykit, or even
to simple-scan.

I got the same message recently, and it's probably related to the hpaio
backend of sane (included in hplip).

There's a bug report on this here:
https://bugs.launchpad.net/hplip/+bug/1996438

As a workaround, when no HP scanner is used, you can disable this e.g.
by editing `/etc/sane.d/dll.d/hplip` and commenting out the only
included library there:


# dll.conf snippet for hplip
#

#hpaio


-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/1926014

Title:
  simple-scan is trying to start disabled avahi-daemon.service

Status in policykit-1 package in Ubuntu:
  New

Bug description:
  Hi,

  I have a fresh installation of Ubuntu desktop 21.04.
  I stop and disable avahi-daemon.service + avahi-daemon.socket
  (I don't use these services on my desktop)
  Then I start "simple-scan" program.

  After that I see a pop-up window for admin password!
  It's wrong, no such thing should be there.

  In the previous release (20.10) it was OK.

  Thanks.
  Antonin

  ProblemType: Bug
  DistroRelease: Ubuntu 21.04
  Package: policykit-1 0.105-30
  ProcVersionSignature: Ubuntu 5.11.0-16.17-generic 5.11.12
  Uname: Linux 5.11.0-16-generic x86_64
  ApportVersion: 2.20.11-0ubuntu65
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: ubuntu:GNOME
  Date: Sat Apr 24 15:17:52 2021
  InstallationDate: Installed on 2021-04-22 (1 days ago)
  InstallationMedia: Ubuntu 21.04 "Hirsute Hippo" - Release amd64 (20210420)
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=cs_CZ.UTF-8
   SHELL=/bin/bash
  SourcePackage: policykit-1
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1926014/+subscriptions




[Touch-packages] [Bug 1968154] Re: Only keep 2 kernels

2023-04-26 Thread Alex Kompel
Don't do what? Install unsigned kernel packages? My point is that there
is a regression. linux-image-unsigned-* are no longer considered kernel
packages with the new patch.

If linux-image-unsigned-5.4.0-1099-aws and
linux-image-unsigned-5.4.0-1100-aws were the only kernel packages on the
system, they both would be removed with 1.16.17, including the active
kernel. That was not the case in 1.16.14.

# apt autoremove
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  linux-image-unsigned-5.4.0-1099-aws linux-image-unsigned-5.4.0-1100-aws
  linux-modules-5.4.0-1099-aws linux-modules-5.4.0-1100-aws
0 upgraded, 0 newly installed, 4 to remove and 66 not upgraded.
After this operation, 165 MB disk space will be freed.
Do you want to continue? [Y/n] ^C

# uname -a
Linux ip-xxx 5.4.0-1100-aws #108~18.04.1-Ubuntu SMP Thu Mar 30 02:15:05 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1968154

Title:
  Only keep 2 kernels

Status in apt package in Ubuntu:
  Fix Released
Status in apt source package in Bionic:
  Fix Released
Status in apt source package in Focal:
  Fix Released
Status in apt source package in Impish:
  Fix Released

Bug description:
  [Impact]
  APT currently keeps 3 kernels or even 4 in some releases. Our boot
  partition is sized for a steady state of 2 kernels + 1 new one being
  unpacked, hence users run out of space and new kernels fail to install,
  upgrade runs might abort in the middle. It's not nice.

  [Test plan]
  1. Have two kernels installed (let's call them version 3, 2)
  2. Check that both kernels are not autoremovable
  3. Install an old kernel (let's call it 1), and mark it automatic
  4. Check that 1 will be autoremovable (apt autoremove -s)
  5. Reboot into 1, check that 2 is autoremovable (apt autoremove -s)
  6. Actually remove 2
  7. Reboot into 3 and check that both 1 and 3 are now not autoremovable

  [Where problems could occur]
  We could keep the wrong kernels installed that the user did not expect.

  We remove the requirement to keep the most recently installed version,
  previously recorded in APT::LastInstalledKernel, to achieve this, as
  we had 3 hard requirements so far:

  1. keep booted kernel
  2. keep highest version
  3. keep most recently installed

  1 can't be removed as it would break running systems, 2 is what you
  definitely want to keep.

  During normal system lifetime, the most recently installed kernel is
  the same as the highest version, so 2==3, and there are no changes to
  behavior.

  Likewise, if you most recently installed an older kernel manually for
  debugging, it would be manually installed and not subject to removal,
  even if the rule is dropped.

  The behavior really only changes if you install an older kernel, and
  then mark it auto - that older kernel becomes automatically removable
  immediately after it is marked as auto.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1968154/+subscriptions




[Touch-packages] [Bug 1968154] Re: Only keep 2 kernels

2023-04-25 Thread Alex Kompel
There is a regression w.r.t. unsigned kernel packages:

- install linux-image-unsigned-5.4.0-1099-aws, reboot
- install linux-image-unsigned-5.4.0-1100-aws
- mark both as auto
- autoremove will attempt to remove 1100

apt 1.6.14 would keep both.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1968154

Title:
  Only keep 2 kernels

Status in apt package in Ubuntu:
  Fix Released
Status in apt source package in Bionic:
  Fix Released
Status in apt source package in Focal:
  Fix Released
Status in apt source package in Impish:
  Fix Released

Bug description:
  [Impact]
  APT currently keeps 3 kernels or even 4 in some releases. Our boot
  partition is sized for a steady state of 2 kernels + 1 new one being
  unpacked, hence users run out of space and new kernels fail to install,
  upgrade runs might abort in the middle. It's not nice.

  [Test plan]
  1. Have two kernels installed (let's call them version 3, 2)
  2. Check that both kernels are not autoremovable
  3. Install an old kernel (let's call it 1), and mark it automatic
  4. Check that 1 will be autoremovable (apt autoremove -s)
  5. Reboot into 1, check that 2 is autoremovable (apt autoremove -s)
  6. Actually remove 2
  7. Reboot into 3 and check that both 1 and 3 are now not autoremovable

  [Where problems could occur]
  We could keep the wrong kernels installed that the user did not expect.

  We remove the requirement to keep the most recently installed version,
  previously recorded in APT::LastInstalledKernel, to achieve this, as
  we had 3 hard requirements so far:

  1. keep booted kernel
  2. keep highest version
  3. keep most recently installed

  1 can't be removed as it would break running systems, 2 is what you
  definitely want to keep.

  During normal system lifetime, the most recently installed kernel is
  the same as the highest version, so 2==3, and there are no changes to
  behavior.

  Likewise, if you most recently installed an older kernel manually for
  debugging, it would be manually installed and not subject to removal,
  even if the rule is dropped.

  The behavior really only changes if you install an older kernel, and
  then mark it auto - that older kernel becomes automatically removable
  immediately after it is marked as auto.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1968154/+subscriptions


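The retention rules in the bug description above and the unsigned-kernel regression reported in the replies, modelled as an added example; this is not apt's code and not from the thread. The package-name patterns, the fill-up-to-two rule (inferred from the test plan), the simplified version ordering and the `-generic` sample package names are assumptions.

```python
import re
from dataclasses import dataclass

# Assumed name patterns for versioned kernel image packages (illustrative,
# not apt's real configuration).
WITH_UNSIGNED = r"^linux-image-(?:unsigned-)?(?P<ver>\d.*)$"
SIGNED_ONLY = r"^linux-image-(?P<ver>\d.*)$"


@dataclass(frozen=True)
class Pkg:
    name: str
    auto: bool = True  # marked "automatically installed"


def version_key(ver):
    """Order versions by their numeric fields (a simplification of dpkg ordering)."""
    return tuple(int(n) for n in re.findall(r"\d+", ver))


def kernel_version(name, pattern):
    """Return the version suffix if the name counts as a kernel package, else None."""
    m = re.match(pattern, name)
    return m.group("ver") if m else None


def protected_versions(versions, booted, keep_count=2):
    """Rule 1: keep the booted kernel. Rule 2: keep the highest version.
    Assumption: fill up to keep_count with the next highest versions."""
    keep = [booted] if booted in versions else []
    for ver in sorted(versions, key=version_key, reverse=True):
        if len(keep) >= keep_count:
            break
        if ver not in keep:
            keep.append(ver)
    return set(keep)


def autoremovable(pkgs, booted, pattern=WITH_UNSIGNED):
    """Names that an autoremove run would offer to remove.
    Assumption: nothing else depends on the listed packages."""
    versions = {v for v in (kernel_version(p.name, pattern) for p in pkgs) if v}
    keep = protected_versions(versions, booted)
    removable = []
    for p in pkgs:
        if not p.auto:
            continue  # manually installed packages are never autoremoved
        ver = kernel_version(p.name, pattern)
        if ver is not None and ver in keep:
            continue  # protected kernel
        removable.append(p.name)
    return sorted(removable)


def run_test_plan():
    """Walk the [Test plan] steps with constructed versions 1 < 2 < 3."""
    k1, k2, k3 = "5.4.0-101-generic", "5.4.0-102-generic", "5.4.0-103-generic"
    img = "linux-image-{}".format
    results = {}
    pkgs = [Pkg(img(k3)), Pkg(img(k2))]
    results["step2"] = autoremovable(pkgs, booted=k3)   # two kernels installed
    pkgs.append(Pkg(img(k1)))                           # old kernel, marked auto
    results["step4"] = autoremovable(pkgs, booted=k3)
    results["step5"] = autoremovable(pkgs, booted=k1)   # rebooted into 1
    pkgs = [p for p in pkgs if p.name != img(k2)]       # actually remove 2
    results["step7"] = autoremovable(pkgs, booted=k3)   # rebooted into 3
    return results


def unsigned_regression():
    """The reply's scenario: only unsigned images installed, 1100 running."""
    pkgs = [Pkg("linux-image-unsigned-5.4.0-1099-aws"),
            Pkg("linux-image-unsigned-5.4.0-1100-aws")]
    booted = "5.4.0-1100-aws"
    return (autoremovable(pkgs, booted, WITH_UNSIGNED),
            autoremovable(pkgs, booted, SIGNED_ONLY))


if __name__ == "__main__":
    for step, names in run_test_plan().items():
        print(step, names)
    recognised, unrecognised = unsigned_regression()
    print("unsigned recognised as kernels:", recognised)
    print("unsigned not recognised:", unrecognised)
```

When the pattern does not recognise the unsigned images as kernel packages, neither protection rule applies to them, so the running kernel is offered for removal along with the older one.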


[Touch-packages] [Bug 1949340] Re: [upstream] Saving downloads or pages is difficult because of unfocused file chooser dialog

2023-04-05 Thread Alex Robinson
On an Ubuntu 22.04 (newly updated from 18.04) box I got Firefox and
Chromium browser back to using the good, system SaveAs dialog box
instead of the horrid (((search box focus grabber and almost impossible
to change file name from the default))) dialog box by doing this:

sudo snap install snapd

This version of snapd, 2.38.3, apparently overrides the apt-installed
snapd version 2.38.

That the snap version of snapd wasn't installed ("snap list" did not
list it) was the glaring difference between the bad box and a laptop
that did not have the problem.

I should note: widget.use-xdg-desktop-portal.file-picker needs to be put
back to the default, 2, from 0.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to gtk+3.0 in Ubuntu.
https://bugs.launchpad.net/bugs/1949340

Title:
  [upstream] Saving downloads or pages is difficult because of unfocused
  file chooser dialog

Status in Mozilla Firefox:
  Invalid
Status in GTK+:
  Fix Released
Status in chromium-browser package in Ubuntu:
  Confirmed
Status in firefox package in Ubuntu:
  Confirmed
Status in gnome-shell package in Ubuntu:
  Confirmed
Status in gtk+3.0 package in Ubuntu:
  Confirmed
Status in gtk4 package in Ubuntu:
  Fix Released
Status in xdg-desktop-portal-gnome package in Ubuntu:
  Confirmed
Status in xdg-desktop-portal-gtk package in Ubuntu:
  Confirmed
Status in gtk+3.0 source package in Jammy:
  Confirmed
Status in gtk4 source package in Jammy:
  Triaged
Status in gtk+3.0 source package in Kinetic:
  Confirmed
Status in gtk4 source package in Kinetic:
  Fix Released

Bug description:
  Steps to reproduce:
  1. Open Chromium (release does not matter, here deb-packaged version from
     18.04 LTS is used)
  2a. Navigate to some page, press +
  2b. Navigate to some page, with "Ask where to save each file before
      downloading" enabled try to download some file

  Actual result:
  * file chooser dialog is unfocused, user should select the window by mouse
    and then hit  for specified location

  Expected result:
  * file chooser dialog is focused, user can simply hit  to save in
    previously selected location.

To manage notifications about this bug go to:
https://bugs.launchpad.net/firefox/+bug/1949340/+subscriptions




[Touch-packages] [Bug 1815101] Re: [master] Restarting systemd-networkd breaks keepalived, heartbeat, corosync, pacemaker (interface aliases are restarted)

2023-03-30 Thread Alex Kompel
We are seeing SIGSEGV related to this in Bionic.
lp1815101-0006-network-make-KeepConfiguration-static-drop-DHCP-addr.patch
is missing network checks in link_drop_foreign_config.

Would it be possible to incorporate this patch from upstream to prevent
this?
https://github.com/systemd/systemd/commit/b1b0b42e48303134731e017a108c6c334ef5f4c8



Core was generated by `/lib/systemd/systemd-networkd'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x555962aa1c34 in link_drop_foreign_config (link=link@entry=0x555963583f30) at ../src/network/networkd-link.c:2741
2741    ../src/network/networkd-link.c: No such file or directory.
(gdb) bt
#0  0x555962aa1c34 in link_drop_foreign_config (link=link@entry=0x555963583f30) at ../src/network/networkd-link.c:2741
#1  0x555962aa233d in link_carrier_lost.lto_priv.328 (link=, link=) at ../src/network/networkd-link.c:3462
#2  0x555962a8e9b2 in link_update (m=0x5559635702c0, link=) at ../src/network/networkd-link.c:3698
#3  manager_rtnl_process_link (rtnl=, message=0x5559635702c0, userdata=) at ../src/network/networkd-manager.c:713
#4  0x555962a48a16 in process_match (m=0x5559635702c0, rtnl=0x55596355d990) at ../src/libsystemd/sd-netlink/sd-netlink.c:388
#5  process_running (ret=0x0, rtnl=0x55596355d990) at ../src/libsystemd/sd-netlink/sd-netlink.c:418
#6  sd_netlink_process (rtnl=0x55596355d990, ret=ret@entry=0x0) at ../src/libsystemd/sd-netlink/sd-netlink.c:452
#7  0x555962a48cb3 in time_callback (s=, usec=, userdata=) at ../src/libsystemd/sd-netlink/sd-netlink.c:759
#8  0x555962a4dbae in source_dispatch (s=s@entry=0x55596355dce0) at ../src/libsystemd/sd-event/sd-event.c:2311
#9  0x555962a4de2a in sd_event_dispatch (e=, e@entry=0x55596355bf70) at ../src/libsystemd/sd-event/sd-event.c:2663
#10 0x555962a4dfb9 in sd_event_run (e=, e@entry=0x55596355bf70, timeout=timeout@entry=18446744073709551615) at ../src/libsystemd/sd-event/sd-event.c:2723
#11 0x555962a4e1fb in sd_event_loop (e=) at ../src/libsystemd/sd-event/sd-event.c:2744
#12 0x555962a223d6 in main (argc=, argv=) at ../src/network/networkd.c:158

(gdb) p link->network
$2 = (struct Network *) 0x0

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1815101

Title:
  [master] Restarting systemd-networkd breaks keepalived, heartbeat,
  corosync, pacemaker (interface aliases are restarted)

Status in netplan:
  Triaged
Status in heartbeat package in Ubuntu:
  Won't Fix
Status in keepalived package in Ubuntu:
  In Progress
Status in systemd package in Ubuntu:
  Fix Released
Status in keepalived source package in Xenial:
  Confirmed
Status in systemd source package in Xenial:
  Won't Fix
Status in keepalived source package in Bionic:
  Confirmed
Status in systemd source package in Bionic:
  Fix Released
Status in systemd source package in Disco:
  Won't Fix
Status in systemd source package in Eoan:
  Fix Released
Status in keepalived source package in Focal:
  Confirmed
Status in systemd source package in Focal:
  Fix Released

Bug description:
  [impact]

  - ALL related HA software has a small problem if interfaces are being
  managed by systemd-networkd: nic restarts/reconfigs are always going
  to wipe all interfaces aliases when HA software is not expecting it to
  (no coordination between them).

  - keepalived, smb ctdb, pacemaker, all suffer from this. Pacemaker is
  smarter in this case because it has a service monitor that will
  restart the virtual IP resource, in affected node & nic, before
  considering a real failure, but other HA service might consider a real
  failure when it is not.

  [test case]

  - comment #14 is a full test case: to have 3 node pacemaker, in that
  example, and cause a networkd service restart: it will trigger a
  failure for the virtual IP resource monitor.

  - other example is given in the original description for keepalived.
  both suffer from the same issue (and other HA softwares as well).

  [regression potential]

  - this backports KeepConfiguration parameter, which adds some
  significant complexity to networkd's configuration and behavior, which
  could lead to regressions in correctly configuring the network at
  networkd start, or incorrectly maintaining configuration at networkd
  restart, or losing network state at networkd stop.

  - Any regressions are most likely to occur during networkd start,
  restart, or stop, and most likely to involve missing or incorrect ip
  address(es).

  - the change is based in upstream patches adding the exact feature we
  needed to fix this issue & it will be integrated with a netplan change
  to add the needed stanza to systemd nic configuration file
  (KeepConfiguration=)

  [other info]

  original description:
  ---

  Configure netplan for interfaces, for example (a working config with
  IP addresses obfuscated)

  network:
  ethernets:
     

[Touch-packages] [Bug 1899218] Re: Incorrect warning from apparmor_parser on force complained profiles

2023-03-28 Thread Alex Murray
This bug is fixed and the behaviour you are seeing is expected - ie. it
is expected that AppArmor prints a warning about forcing complain mode
for the usr.sbin.sssd profile and that it then also prints a warning
about caching being disabled for that due to it being in force complain
mode. This is expected and normal behaviour.

However, if you feel this expected behaviour is a bug, please file a
separate bug report for that and describe what you think is incorrect
about this behaviour and how instead you feel it should behave.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1899218

Title:
  Incorrect warning from apparmor_parser on force complained profiles

Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  apparmor_parser on a force complained profile produces an incorrect
  warning message:

  $ sudo apparmor_parser -rW /etc/apparmor.d/usr.sbin.sssd
  Warning: found usr.sbin.sssd in /etc/apparmor.d/force-complain, forcing complain mode
  Warning from /etc/apparmor.d/usr.sbin.sssd (/etc/apparmor.d/usr.sbin.sssd line 54): Warning failed to create cache: usr.sbin.sssd

  Even though not generating the cache at all is expected, the warning
  should describe caching is disabled for force complained profiles
  instead of failure to create it.

  $ lsb_release -rd
  Description:  Ubuntu Groovy Gorilla (development branch)
  Release:  20.10

  $ apt-cache policy apparmor
  apparmor:
    Installed: 3.0.0~beta1-0ubuntu6
    Candidate: 3.0.0~beta1-0ubuntu6
    Version table:
   *** 3.0.0~beta1-0ubuntu6 500
  500 http://archive.ubuntu.com/ubuntu groovy/main amd64 Packages
  100 /var/lib/dpkg/status

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1899218/+subscriptions




[Touch-packages] [Bug 2006517] Re: Bluetooth works on desktop but not on ubuntu core

2023-03-24 Thread Alex Kaluzhny
@AceLan,
In the comment #32 you were saying: "removed the beta bluez, and install
stable bluez"
It looks like you removed bluez that was from 22/beta track (bluez (22/beta)
5.64-3), and then installed one from 20/stable track (bluez 5.53-7 334
20/stable).
You wrote that with that revision of bluez snap "power cycle the machine,
and then advinfo works".
Can you please confirm that?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to bluez in Ubuntu.
https://bugs.launchpad.net/bugs/2006517

Title:
  Bluetooth works on desktop but not on ubuntu core

Status in bluez package in Ubuntu:
  Confirmed

Bug description:
  We have built a snap that uses some bluetooth functionality.

  The snap runs well when using Ubuntu desktop 22.04 (all updates applied
  end of Jan 2022).
  We have tried using this same snap on Ubuntu Core 22 running on X86_64.

  On some hardware platforms (thinkpad E15 and x86 Mac) everything works as
  expected.
  We can install the snap on Jammy 22.04 or Core 22 on these platforms and
  get expected functionality regardless of OS.

  On our targeted platform (a Dell 5570) things are not working.  When
  running 22.04 Jammy, everything works.  When running Core 22, some
  advanced bluetooth functionality is not available.
  Since the Core 22 image installs and runs on other X86_64 hardware we
  suspect a device driver issue.

  Attached are several files taken from the Dell 5570
  1) dmesg from Core 22.
  2) dmesg from Jammy 22.04
  3) output of lspci from Jammy 22.04
  4) Output of lsusb from Jammy 22.04

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bluez/+bug/2006517/+subscriptions




[Touch-packages] [Bug 2009618] [NEW] GDB: function parameters have garbage values on function entry

2023-03-07 Thread Alex Coplan
Public bug reported:

After upgrading from Ubuntu 18.04 to Ubuntu 20.04 on my x86_64 desktop
machine, I've noticed a significant regression in the debug experience
with gdb. In particular, function parameters in GDB now seem to reliably
have garbage values on entry to the function until I step once inside
the function. Here is a reproducer:

$ cat test.c
#include <stdio.h>
int f(int x, int y) {
  printf ("%d, %d\n", x, y);
}
int main(void) {
  f(2,3);
}
$ gcc -g3 test.c
$ gdb a.out
GNU gdb (Ubuntu 9.2-0ubuntu1~20.04.1) 9.2
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
.
Find the GDB manual and other documentation resources online at:
.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from a.out...
(gdb) b f
Breakpoint 1 at 0x1149: file test.c, line 2.
(gdb) r
Starting program: /data_sdb/toolchain/a.out 

Breakpoint 1, f (x=21845, y=1431654496) at test.c:2
2   int f(int x, int y) {
(gdb) p x
$1 = 21845
(gdb) p y
$2 = 1431654496
(gdb) n
3 printf ("%d, %d\n", x, y);
(gdb) p x
$3 = 2
(gdb) p y
$4 = 3

I tried compiling GDB from source and noticed that I could reproduce the
problem with GDB 9 but not with GDB 10. A bisection showed that the
following GDB commit fixed the issue:
https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ac4a4f1cd7dceeeb17d0b8c077c874f2247acbf0

Perhaps that patch should be backported to GDB 9, but it's not entirely
clear why the prologue analysis is even necessary in this case.

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: gdb 9.2-0ubuntu1~20.04.1
ProcVersionSignature: Ubuntu 5.4.0-139.156-generic 5.4.224
Uname: Linux 5.4.0-139-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.20.11-0ubuntu27.25
Architecture: amd64
CasperMD5CheckResult: skip
Date: Tue Mar  7 16:01:56 2023
SourcePackage: gdb
UpgradeStatus: Upgraded to focal on 2023-03-03 (4 days ago)

** Affects: gdb (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: amd64 apport-bug focal

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to gdb in Ubuntu.
https://bugs.launchpad.net/bugs/2009618

Title:
  GDB: function parameters have garbage values on function entry

Status in gdb package in Ubuntu:
  New

Bug description:
  After upgrading from Ubuntu 18.04 to Ubuntu 20.04 on my x86_64 desktop
  machine, I've noticed a significant regression in the debug experience
  with gdb. In particular, function parameters in GDB now seem to
  reliably have garbage values on entry to the function until I step
  once inside the function. Here is a reproducer:

  $ cat test.c
  #include <stdio.h>
  int f(int x, int y) {
    printf ("%d, %d\n", x, y);
  }
  int main(void) {
    f(2,3);
  }
  $ gcc -g3 test.c
  $ gdb a.out
  GNU gdb (Ubuntu 9.2-0ubuntu1~20.04.1) 9.2
  Copyright (C) 2020 Free Software Foundation, Inc.
  License GPLv3+: GNU GPL version 3 or later 
  This is free software: you are free to change and redistribute it.
  There is NO WARRANTY, to the extent permitted by law.
  Type "show copying" and "show warranty" for details.
  This GDB was configured as "x86_64-linux-gnu".
  Type "show configuration" for configuration details.
  For bug reporting instructions, please see:
  .
  Find the GDB manual and other documentation resources online at:
  .

  For help, type "help".
  Type "apropos word" to search for commands related to "word"...
  Reading symbols from a.out...
  (gdb) b f
  Breakpoint 1 at 0x1149: file test.c, line 2.
  (gdb) r
  Starting program: /data_sdb/toolchain/a.out 

  Breakpoint 1, f (x=21845, y=1431654496) at test.c:2
  2   int f(int x, int y) {
  (gdb) p x
  $1 = 21845
  (gdb) p y
  $2 = 1431654496
  (gdb) n
  3 printf ("%d, %d\n", x, y);
  (gdb) p x
  $3 = 2
  (gdb) p y
  $4 = 3

  I tried compiling GDB from source and noticed that I could reproduce
  the problem with GDB 9 but not with GDB 10. A bisection showed that
  the following GDB commit fixed the issue:
  https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ac4a4f1cd7dceeeb17d0b8c077c874f2247acbf0

  Perhaps that patch should be backported to GDB 9, but it's not
  entirely clear why the prologue analysis is even necessary in this
  case.

  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: gdb 9.2-0ubuntu1~20.04.1
  ProcVersionSignature: Ubuntu 5.4.0-139.1

[Touch-packages] [Bug 2008541] [NEW] very high power draw from battery when watching videos

2023-02-24 Thread alex valin
Public bug reported:

When I watch a video in fullscreen, my laptop can draw as many as 25w.
For comparison, on Windows 11, a similar video will take only 8w from
the battery. Obviously, the CPU temps and fan speed are much higher on
Ubuntu than on Windows. Also, this might be unrelated, but when I plug in
or unplug the charger on my laptop, the power draw reported takes time
to climb up to the actual power draw/charge rate (up to 45 sec). In
this case, my laptop can think that it still has a couple of days'
worth of battery life left.

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: xorg 1:7.7+23ubuntu2
ProcVersionSignature: Ubuntu 5.15.0-60.66-generic 5.15.78
Uname: Linux 5.15.0-60-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.3
Architecture: amd64
BootLog: Error: [Errno 13] Permission denied: '/var/log/boot.log'
CasperMD5CheckResult: pass
CompositorRunning: None
CurrentDesktop: ubuntu:GNOME
Date: Sat Feb 25 00:52:24 2023
DistUpgraded: Fresh install
DistroCodename: jammy
DistroVariant: ubuntu
DkmsStatus:
 openrazer-driver/3.2.0, 5.15.0-60-generic, x86_64: installed
 openrazer-driver/3.2.0, 5.19.0-32-generic, x86_64: installed
ExtraDebuggingInterest: Yes, if not too technical
GraphicsCard: Advanced Micro Devices, Inc. [AMD/ATI] Rembrandt [1002:1681] (rev 
d1) (prog-if 00 [VGA controller])
InstallationDate: Installed on 2022-12-03 (84 days ago)
InstallationMedia: Ubuntu 22.04.1 LTS "Jammy Jellyfish" - Release amd64 
(20220809.1)
MachineType: LENOVO 21CH000GUS
ProcEnviron:
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.15.0-60-generic 
root=UUID=32b06683-a98d-4585-81c7-edb51198f58c ro quiet splash vt.handoff=7
SourcePackage: xorg
Symptom: display
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 11/11/2022
dmi.bios.release: 1.32
dmi.bios.vendor: LENOVO
dmi.bios.version: R23ET62W (1.32 )
dmi.board.asset.tag: Not Available
dmi.board.name: 21CH000GUS
dmi.board.vendor: LENOVO
dmi.board.version: SDK0T76530 WIN
dmi.chassis.asset.tag: No Asset Information
dmi.chassis.type: 10
dmi.chassis.vendor: LENOVO
dmi.chassis.version: None
dmi.ec.firmware.release: 1.24
dmi.modalias: 
dmi:bvnLENOVO:bvrR23ET62W(1.32):bd11/11/2022:br1.32:efr1.24:svnLENOVO:pn21CH000GUS:pvrThinkPadT16Gen1:rvnLENOVO:rn21CH000GUS:rvrSDK0T76530WIN:cvnLENOVO:ct10:cvrNone:skuLENOVO_MT_21CH_BU_Think_FM_ThinkPadT16Gen1:
dmi.product.family: ThinkPad T16 Gen 1
dmi.product.name: 21CH000GUS
dmi.product.sku: LENOVO_MT_21CH_BU_Think_FM_ThinkPad T16 Gen 1
dmi.product.version: ThinkPad T16 Gen 1
dmi.sys.vendor: LENOVO
version.compiz: compiz N/A
version.libdrm2: libdrm2 2.4.113-2~ubuntu0.22.04.1
version.libgl1-mesa-dri: libgl1-mesa-dri 22.2.5-0ubuntu0.1~22.04.1
version.libgl1-mesa-glx: libgl1-mesa-glx 22.2.5-0ubuntu0.1~22.04.1
version.xserver-xorg-core: xserver-xorg-core 2:21.1.3-2ubuntu2.7
version.xserver-xorg-input-evdev: xserver-xorg-input-evdev N/A
version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:19.1.0-2ubuntu1
version.xserver-xorg-video-intel: xserver-xorg-video-intel 
2:2.99.917+git20210115-1
version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:1.0.17-2build1

** Affects: xorg (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: amd64 apport-bug jammy performance ubuntu wayland-session

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to xorg in Ubuntu.
https://bugs.launchpad.net/bugs/2008541

Title:
  very high power draw from battery when watching videos

Status in xorg package in Ubuntu:
  New

Bug description:
  When I watch a video in fullscreen, my laptop can draw as many as 25w.
  For comparison, on Windows 11, a similar video will take only 8w from
  the battery. Obviously, the CPU temps and fan speed are much higher on
  Ubuntu than on Windows. Also, this might be unrelated, but when I plug
  in or unplug the charger on my laptop, the power draw reported takes
  time to climb up to the actual power draw/charge rate (up to 45
  sec). In this case, my laptop can think that it still has a couple of
  days' worth of battery life left.

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: xorg 1:7.7+23ubuntu2
  ProcVersionSignature: Ubuntu 5.15.0-60.66-generic 5.15.78
  Uname: Linux 5.15.0-60-generic x86_64
  ApportVersion: 2.20.11-0ubuntu82.3
  Architecture: amd64
  BootLog: Error: [Errno 13] Permission denied: '/var/log/boot.log'
  CasperMD5CheckResult: pass
  CompositorRunning: None
  CurrentDesktop: ubuntu:GNOME
  Date: Sat Feb 25 00:52:24 2023
  DistUpgraded: Fresh install
  DistroCodename: jammy
  DistroVariant: ubuntu
  DkmsStatus:
   openrazer-driver/3.2.0, 5.15.0-60-generic, x86_64: installed
   openrazer-driver/3.2.0, 5.19.0-32-generic, x86_64: installed
  ExtraDebuggingInterest: Yes, if not too technical
  GraphicsCard: Advanced Micro Devices, Inc. [AMD/ATI] Rembrandt [1002:1681] 
(rev d1) (prog-if 00 [VGA control

[Touch-packages] [Bug 2006517] Re: Bluetooth works on desktop but not on ubuntu core

2023-02-10 Thread Alex Kaluzhny
@Daniel,
The same Ubuntu Core image works as expected on the Thinkpad E15 and x86 Mac.
Why would the lack of "some extra privileges" impact how it runs on the Dell
system, but not Thinkpad and Mac?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to bluez in Ubuntu.
https://bugs.launchpad.net/bugs/2006517

Title:
  Bluetooth works on desktop but not on ubuntu core

Status in bluez package in Ubuntu:
  Confirmed

Bug description:
  We have built a snap that uses some bluetooth functionality.

  The snap runs well when using Ubuntu desktop 22.04 (all updates applied
  end of Jan 2022).
  We have tried using this same snap on Ubuntu Core 22 running on X86_64.

  On some hardware platforms (thinkpad E15 and x86 Mac) everything works as
  expected.
  We can install the snap on Jammy 22.04 or Core 22 on these platforms and
  get expected functionality regardless of OS.

  On our targeted platform (a Dell 5570) things are not working.  When
  running 22.04 Jammy, everything works.  When running Core 22, some
  advanced bluetooth functionality is not available.
  Since the Core 22 image installs and runs on other X86_64 hardware we
  suspect a device driver issue.

  Attached are several files taken from the Dell 5570
  1) dmesg from Core 22.
  2) dmesg from Jammy 22.04
  3) output of lspci from Jammy 22.04
  4) Output of lsusb from Jammy 22.04

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bluez/+bug/2006517/+subscriptions




[Touch-packages] [Bug 2006370] Re: Terribly flicking and blicking HDMI-port display

2023-02-06 Thread Alex
PPS: I have Ubuntu 22.04 (the same version) on my Acer Aspire 3 A315-21G-63YM 
[very old notebook of about 5-6 years old]; I tried several times to connect 
this notebook to the same monitor with the same scheme - it works perfectly (I 
did not try screenshots, because the picture there is perfect). But I still am 
a rare user of Ubuntu, because I need powerful computers (like this HP Gaming 
Pavilion) for my operations, and I can't do them on just one monitor in quite 
OK computers, and I can't do this on two monitors with a relatively slow 
computer like Acer Aspire 3.  
It means, it is some driver issue [that Ubuntu has problems with the inbuilt 
drivers, but not 100% sure in this].

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to xorg in Ubuntu.
https://bugs.launchpad.net/bugs/2006370

Title:
  Terribly flicking and blicking HDMI-port display

Status in xorg package in Ubuntu:
  New

Bug description:
  Hi,
  I have HP15 Gaming Pavilion bought 2-3 years ago.
  I had Windows 10 before (now it is the second OS due to this bug [I can't
  use Ubuntu with this bug]), and Win 10 has no problems.
  No solution [that I found over the internet] worked.
  I have to have at least two displays.
  My connection technology:
  PC HDMI output -> HDMI-VGA(+audio) transmitter -> LED 20' Display (external
  monitor)
  Win 10 have never had any problems with it (it has good drivers).
  When I add any input to the second screen - it blinks and flickers so
  terrible that I can see nothing - a white screen problem. If I do nothing -
  it will turn to some picture in some time, but if I make any action at the
  second monitor - flickering and the white screen problem appears again.
  I think these are drivers. I tested the equipment in Win 10 after I found
  this bug - and it works perfectly (so, the hardware is good).
  It is a typical notebook and this bug is crucial. I use two monitors to type
  codes and work on PC. I can't survive with just one monitor.
  Right now when I am typing you this message the second monitor became white
  again for quite a long time (I did nothing there).
  I hope you will be able to fix this bug :)
  Best wishes,
  Alex,
  Prague, Czech Republic, EU

  PS: When typing this message I found another bug compared to MS Windows.
  When making screenshots (Alt/Shift + Print Screen) - it makes perfect picture
  even when you actually have the second monitor white all the time (so the
  screenshot is not how it is).
  I made an actual photo (and deleted some parts of the background not related
  to the monitors/computer). You can see a white screen, but the screenshot
  shows a "perfect world" with a perfect picture which is not how it is on the
  screen.
  Windows, on the contrary, makes actual screenshots. And Win 10 test of this
  monitor never have this white screen or any other monitor problems.
  Moreover, when the monitors stops to be white for a second it depicts
  different picture (more terrible image; it is disproportional, with font
  heavily readable, but the screenshot functions shows an "ideal world" a user
  can never see :)

  I made this detailed description to help Ubuntu. I think the project
  is great in concept, but poor in realization. Such bugs make it
  impossible for users to use Ubuntu (who can work on just one monitor?
  Who do not wish to make screenshots with what he/she actually sees on
  the monitor [rather than modified images with the pictures users do
  not actually see]?).

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: xorg 1:7.7+23ubuntu2
  ProcVersionSignature: Ubuntu 5.15.0-58.64-generic 5.15.74
  Uname: Linux 5.15.0-58-generic x86_64
  ApportVersion: 2.20.11-0ubuntu82.3
  Architecture: amd64
  BootLog: Error: [Errno 13] Permission denied: '/var/log/boot.log'
  CasperMD5CheckResult: pass
  CompositorRunning: None
  CurrentDesktop: ubuntu:GNOME
  Date: Mon Feb  6 19:45:32 2023
  DistUpgraded: Fresh install
  DistroCodename: jammy
  DistroVariant: ubuntu
  ExtraDebuggingInterest: Yes
  GraphicsCard:
   NVIDIA Corporation TU117M [10de:1f99] (rev a1) (prog-if 00 [VGA controller])
 Subsystem: Hewlett-Packard Company TU117M [103c:87b1]
   Advanced Micro Devices, Inc. [AMD/ATI] Renoir [1002:1636] (rev c6) (prog-if 
00 [VGA controller])
 Subsystem: Hewlett-Packard Company Renoir [103c:87b1]
  InstallationDate: Installed on 2023-02-04 (2 days ago)
  InstallationMedia: Ubuntu 22.04.1 LTS "Jammy Jellyfish" - Release amd64 
(20220809.1)
  MachineType: HP HP Pavilion Gaming Laptop 15-ec1xxx
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.15.0-58-generic 
root=UUID=30f188c5-d67f-4f68-ba6d-6995864ff95e ro quiet splash loglevel=3 
vt.handoff=7
  SourcePackage: xorg
  Symptom: display
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 08/18/2021
  dmi.bios.release: 15.25
  dmi.bios.vendo

[Touch-packages] [Bug 2006370] [NEW] Terribly flicking and blicking HDMI-port display

2023-02-06 Thread Alex
Public bug reported:

Hi,
I have HP15 Gaming Pavilion bought 2-3 years ago. 
I had Windows 10 before (now it is the second OS due to this bug [I can't use
Ubuntu with this bug]), and Win 10 has no problems.
No solution [that I found over the internet] worked.
I have to have at least two displays.
My connection technology:
PC HDMI output -> HDMI-VGA(+audio) transmitter -> LED 20' Display (external
monitor)
Win 10 has never had any problems with it (it has good drivers).
When I add any input to the second screen - it blinks and flickers so terribly
that I can see nothing - a white screen problem. If I do nothing - it will turn
to some picture in some time, but if I make any action at the second monitor -
flickering and the white screen problem appears again.
I think these are drivers. I tested the equipment in Win 10 after I found this
bug - and it works perfectly (so, the hardware is good).
It is a typical notebook and this bug is crucial. I use two monitors to type
codes and work on PC. I can't survive with just one monitor.
Right now when I am typing you this message the second monitor became white
again for quite a long time (I did nothing there).
I hope you will be able to fix this bug :)
Best wishes,
Alex,
Prague, Czech Republic, EU


PS: When typing this message I found another bug compared to MS Windows.
When making screenshots (Alt/Shift + Print Screen) - it makes a perfect picture
even when you actually have the second monitor white all the time (so the
screenshot is not how it is).
I made an actual photo (and deleted some parts of the background not related to
the monitors/computer). You can see a white screen, but the screenshot shows a
"perfect world" with a perfect picture which is not how it is on the screen.
Windows, on the contrary, makes actual screenshots. And Win 10 test of this
monitor never has this white screen or any other monitor problems.
Moreover, when the monitor stops being white for a second it depicts a different
picture (more terrible image; it is disproportional, with font heavily
readable, but the screenshot function shows an "ideal world" a user can never
see :)

I made this detailed description to help Ubuntu. I think the project is
great in concept, but poor in realization. Such bugs make it impossible
for users to use Ubuntu (who can work on just one monitor? Who does not
wish to make screenshots with what he/she actually sees on the monitor
[rather than modified images with the pictures users do not actually
see]?).

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: xorg 1:7.7+23ubuntu2
ProcVersionSignature: Ubuntu 5.15.0-58.64-generic 5.15.74
Uname: Linux 5.15.0-58-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.3
Architecture: amd64
BootLog: Error: [Errno 13] Permission denied: '/var/log/boot.log'
CasperMD5CheckResult: pass
CompositorRunning: None
CurrentDesktop: ubuntu:GNOME
Date: Mon Feb  6 19:45:32 2023
DistUpgraded: Fresh install
DistroCodename: jammy
DistroVariant: ubuntu
ExtraDebuggingInterest: Yes
GraphicsCard:
 NVIDIA Corporation TU117M [10de:1f99] (rev a1) (prog-if 00 [VGA controller])
   Subsystem: Hewlett-Packard Company TU117M [103c:87b1]
 Advanced Micro Devices, Inc. [AMD/ATI] Renoir [1002:1636] (rev c6) (prog-if 00 
[VGA controller])
   Subsystem: Hewlett-Packard Company Renoir [103c:87b1]
InstallationDate: Installed on 2023-02-04 (2 days ago)
InstallationMedia: Ubuntu 22.04.1 LTS "Jammy Jellyfish" - Release amd64 
(20220809.1)
MachineType: HP HP Pavilion Gaming Laptop 15-ec1xxx
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.15.0-58-generic 
root=UUID=30f188c5-d67f-4f68-ba6d-6995864ff95e ro quiet splash loglevel=3 
vt.handoff=7
SourcePackage: xorg
Symptom: display
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 08/18/2021
dmi.bios.release: 15.25
dmi.bios.vendor: AMI
dmi.bios.version: F.25
dmi.board.asset.tag: Base Board Asset Tag
dmi.board.name: 87B1
dmi.board.vendor: HP
dmi.board.version: 31.23
dmi.chassis.type: 10
dmi.chassis.vendor: HP
dmi.chassis.version: Chassis Version
dmi.ec.firmware.release: 31.23
dmi.modalias: 
dmi:bvnAMI:bvrF.25:bd08/18/2021:br15.25:efr31.23:svnHP:pnHPPavilionGamingLaptop15-ec1xxx:pvr:rvnHP:rn87B1:rvr31.23:cvnHP:ct10:cvrChassisVersion:sku1N3L2EA#ACB:
dmi.product.family: 103C_5335KV HP Pavilion
dmi.product.name: HP Pavilion Gaming Laptop 15-ec1xxx
dmi.product.sku: 1N3L2EA#ACB
dmi.sys.vendor: HP
version.compiz: compiz N/A
version.libdrm2: libdrm2 2.4.113-2~ubuntu0.22.04.1
version.libgl1-mesa-dri: libgl1-mesa-dri 22.2.5-0ubuntu0.1~22.04.1
version.libgl1-mesa-glx: libgl1-mesa-glx N/A
version.xserver-xorg-core: xserver-xorg-core 2:21.1.3-2ubuntu2.6
version.xserver-xorg-input-evdev: xserver-xorg-input-evdev N/A
version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:19.1.0-2ubuntu1
version.xserver-xorg-video-intel: xserver-xorg-video-intel 
2:2.99.917+git20210115-1
version.xserver-xorg-video-nouveau: xserver-

[Touch-packages] [Bug 1956039] Re: BADSIG 871920D1991BC93C Ubuntu Archive Automatic Signing Key (2018)

2023-01-03 Thread Alex Lane
What fixed it for me was to remove my apt-cacher-ng container + cache,
then re-add it.

This resolved the issue on multiple servers.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1956039

Title:
  BADSIG 871920D1991BC93C Ubuntu Archive Automatic Signing Key (2018)
  

Status in apt package in Ubuntu:
  Confirmed

Bug description:
  Updating Jammy fails with:

  Get:2 http://archive.ubuntu.com/ubuntu jammy InRelease [270 kB]
  Err:2 http://archive.ubuntu.com/ubuntu jammy InRelease
    The following signatures were invalid: BADSIG 871920D1991BC93C Ubuntu Archive Automatic Signing Key (2018)



[Touch-packages] [Bug 1434986] Re: Not working network connection after boot

2022-10-29 Thread Alex
I can confirm that this is still happening in Kubuntu 18.04. Rudolfs
Caunes's solution actually works.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1434986

Title:
  Not working network connection after boot

Status in NetworkManager:
  Expired
Status in network-manager package in Ubuntu:
  Triaged

Bug description:

  Directly after boot the network connections are not working. I am
  connected and have an IP address, but I cannot establish a connection
  with any Internet server.

  I have the impression it is related to the DNS lookup, which waits
  forever for a result.

  Cycling the connection (disconnect->reconnect) seems to fix the
  problem for some time.

  I am reporting this against network-manager, but I am not sure if it is
  directly in network manager or if it is systemd related.
  With 14.10 everything worked perfectly.

  ProblemType: Bug
  DistroRelease: Ubuntu 15.04
  Package: network-manager 0.9.10.0-4ubuntu11
  ProcVersionSignature: Ubuntu 3.19.0-9.9-generic 3.19.1
  Uname: Linux 3.19.0-9-generic x86_64
  NonfreeKernelModules: wl
  ApportVersion: 2.16.2-0ubuntu4
  Architecture: amd64
  CurrentDesktop: GNOME
  Date: Sun Mar 22 12:38:26 2015
  EcryptfsInUse: Yes
  IfupdownConfig:
   # interfaces(5) file used by ifup(8) and ifdown(8)
   auto lo
   iface lo inet loopback
  InstallationDate: Installed on 2015-01-30 (50 days ago)
  InstallationMedia: Ubuntu-GNOME 14.10 "Utopic Unicorn" - Release amd64 
(20141022.1)
  IpRoute:
   default via 192.168.1.1 dev eth0 proto static metric 1024
   169.254.0.0/16 dev wlan0 scope link metric 1000
   192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.26
   192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.29
  NetworkManager.state:
   [main]
   NetworkingEnabled=true
   WirelessEnabled=true
   WWANEnabled=true
   WimaxEnabled=true
  ProcEnviron:
   TERM=xterm
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=de_DE.UTF-8
   SHELL=/bin/bash
  SourcePackage: network-manager
  UpgradeStatus: Upgraded to vivid on 2015-03-19 (3 days ago)
  modified.conffile..etc.NetworkManager.NetworkManager.conf: [modified]
  mtime.conffile..etc.NetworkManager.NetworkManager.conf: 
2015-02-16T00:14:50.662693
  nmcli-dev:
   DEVICE TYPE STATE DBUS-PATH CONNECTION CON-UUID CON-PATH
   eth0 ethernet connected /org/freedesktop/NetworkManager/Devices/2 
Kabelnetzwerkverbindung 1 4a581685-6002-4401-a993-49aa649667eb 
/org/freedesktop/NetworkManager/ActiveConnection/4
   wlan0 wifi connected /org/freedesktop/NetworkManager/Devices/1 
4A616E7320574C414E f45aa3a7-fb44-41b7-a02a-ea9720d79414 
/org/freedesktop/NetworkManager/ActiveConnection/3
   lo loopback unmanaged /org/freedesktop/NetworkManager/Devices/0 -- -- --
  nmcli-nm: Error: command ['nmcli', '-f', 'all', 'nm'] failed with exit code 
2: Error: Object 'nm' is unknown, try 'nmcli help'.



[Touch-packages] [Bug 1994146] Re: [SRU] apparmor - Focal, Jammy

2022-10-27 Thread Alex Murray
These have now been uploaded to -proposed and are sitting in UNAPPROVED:

https://launchpad.net/ubuntu/jammy/+queue?queue_state=1&queue_text=apparmor
https://launchpad.net/ubuntu/focal/+queue?queue_state=1&queue_text=apparmor

** Changed in: apparmor (Ubuntu Focal)
   Status: Confirmed => In Progress

** Changed in: apparmor (Ubuntu Jammy)
   Status: Confirmed => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1994146

Title:
  [SRU] apparmor - Focal, Jammy

Status in apparmor package in Ubuntu:
  Confirmed
Status in apparmor source package in Focal:
  In Progress
Status in apparmor source package in Jammy:
  In Progress

Bug description:
  [ Impact ]

  This is a SRU proposal for apparmor in Focal and Jammy.
  For focal, we want to SRU fixes for Bug 1964636 which introduces the
  capability upstream patches. We are also fixing Bug 1728130 and
  Bug 1993353 which are introducing full backport of abi from
  apparmor-3.0 and support for POSIX message queue rules, which are both
  a request from Honeywell.

  Note that specifically for message queue rules, we are overriding the
  abi behavior.
  Message queue mediation is not a part of the 2.13 abi we are
  pinning. Honeywell has a kernel that has message queue mediation,
  but their policy does not contain an abi specified, so when we pin the
  abi for a kernel that does not mediate message queue, it will break
  Honeywell's AppArmor policies. So we are making an exception: when abi
  is not specified in the policy, and the policy contains mqueue rules,
  we are enforcing mqueue rules. When the policy does not contain mqueue
  rules, then they are not being enforced. This is so we do not break
  Honeywell policies and we also are not breaking policies that were
  developed when there was no mqueue or abi support.

  For jammy, we are SRUing fixes for Bug 1993353 which adds message
  queue rules support. 

  
  [ Test Plan ]

  This has been extensively tested by using QA Regression Tests[1] for
  AppArmor. All tests have passed and demonstrated AppArmor to be
  working as expected. We are also adding regression tests for message
  queue rules[2] which guarantees it is working as expected.

  [1] https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py
  [2] https://gitlab.com/apparmor/apparmor/-/merge_requests/858

  [ Where problems could occur ]

  The message queue rules support could cause issues for AppArmor
  policies that were developed before there was support for mqueues,
  that's why we are also backporting abi support and pinning the abi on
  parser.conf on focal. Jammy already has the abi pinned for a kernel
  that does not have support for mqueue mediation.

  [ Other Info ]

  The patches for both focal and jammy can be found at:
  https://launchpad.net/~georgiag/+archive/ubuntu/mqueue-sru/



[Touch-packages] [Bug 1992930] Re: chromium won't launch at menu when installed; lubuntu kinetic

2022-10-16 Thread Alex Murray
This current bug looks like LP: #1991691

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1992930

Title:
  chromium won't launch at menu when installed; lubuntu kinetic

Status in apparmor package in Ubuntu:
  New

Bug description:
  Lubuntu kinetic live test

  `chromium` snap once installed; will not open from menu, but will open
  if started from terminal.  This may be filed against incorrect package
  sorry.

  Originally reported here -
  https://discourse.lubuntu.me/t/lubuntu-kinetic-after-5-19-update-chromium-only-start-from-terminal/3685
  where it was reported as an issue on the 5.19.0-19-generic kernel update

  ** to re-create

  - boot currently lubuntu kinetic daily
  - snap install chromium
  - using menu, attempt to run chromium from internet apps

  ** expected outcome

  chromium starts

  ** actual outcome

  menu just closes; no messages.

  ** further notes

  u/FossFreedom (Ubuntu Budgie) reports no issues with Ubuntu Budgie
  kinetic starting Chromium.

  On Lubuntu's discourse; u/neblaz (OP for issue) also reported issues starting 
Opera; with that package being the snap (loaded from discover) and reported as 
(using `snap list`)
  opera   91.0.4516.77202
latest/stable

  
  ** in `dmesg` I note the following (this may be unrelated or unhelpful sorry)

  [ 1510.255228] loop7: detected capacity change from 0 to 293648
  [ 1510.739240] audit: type=1400 audit(1665727470.633:54): apparmor="STATUS" 
operation="profile_load" profile="unconfined" name="snap-update-ns.chromium" 
pid=3359 comm="apparmor_parser"
  [ 1510.820094] audit: type=1400 audit(1665727470.713:55): apparmor="STATUS" 
operation="profile_load" profile="unconfined" name="snap.chromium.chromedriver" 
pid=3360 comm="apparmor_parser"
  [ 1511.014103] audit: type=1400 audit(1665727470.909:56): apparmor="STATUS" 
operation="profile_load" profile="unconfined" name="snap.chromium.chromium" 
pid=3361 comm="apparmor_parser"
  [ 1511.071575] audit: type=1400 audit(1665727470.965:57): apparmor="STATUS" 
operation="profile_load" profile="unconfined" 
name="snap.chromium.hook.configure" pid=3362 comm="apparmor_parser"
  [ 1515.313383] audit: type=1400 audit(1665727475.206:58): apparmor="STATUS" 
operation="profile_replace" info="same as current profile, skipping" 
profile="unconfined" name="/snap/snapd/17029/usr/lib/snapd/snap-confine" 
pid=3496 comm="apparmor_parser"
  [ 1515.313401] audit: type=1400 audit(1665727475.206:59): apparmor="STATUS" 
operation="profile_replace" info="same as current profile, skipping" 
profile="unconfined" 
name="/snap/snapd/17029/usr/lib/snapd/snap-confine//mount-namespace-capture-helper"
 pid=3496 comm="apparmor_parser"
  [ 1516.817149] audit: type=1400 audit(1665727476.710:60): apparmor="STATUS" 
operation="profile_replace" profile="unconfined" name="snap-update-ns.chromium" 
pid=3498 comm="apparmor_parser"
  [ 1518.067335] audit: type=1400 audit(1665727477.962:61): apparmor="STATUS" 
operation="profile_replace" profile="unconfined" 
name="snap.chromium.chromedriver" pid=3499 comm="apparmor_parser"
  [ 1518.568962] audit: type=1400 audit(1665727478.462:62): apparmor="STATUS" 
operation="profile_replace" profile="unconfined" 
name="snap.chromium.hook.configure" pid=3501 comm="apparmor_parser"
  [ 1519.485025] audit: type=1400 audit(1665727479.378:63): apparmor="STATUS" 
operation="profile_replace" profile="unconfined" name="snap.chromium.chromium" 
pid=3500 comm="apparmor_parser"
  [ 1520.203518] audit: type=1400 audit(1665727480.098:64): apparmor="DENIED" 
operation="getattr" class="file" profile="snap-update-ns.chromium" 
name="/meta/snap.yaml" pid=3518 comm="6" requested_mask="r" denied_mask="r" 
fsuid=0 ouid=0
  [ 1520.245234] audit: type=1400 audit(1665727480.142:65): apparmor="DENIED" 
operation="getattr" class="file" profile="snap-update-ns.chromium" 
name="/usr/local/share/fonts/" pid=3518 comm="6" requested_mask="r" 
denied_mask="r" fsuid=0 ouid=0
  [ 1520.245256] audit: type=1400 audit(1665727480.142:66): apparmor="DENIED" 
operation="getattr" class="file" profile="snap-update-ns.chromium" 
name="/usr/local/share/" pid=3518 comm="6" requested_mask="r" denied_mask="r" 
fsuid=0 ouid=0
  [ 1520.246876] audit: type=1400 audit(1665727480.142:67): apparmor="DENIED" 
operation="getattr" class="file" profile="snap-update-ns.chromium" 
name="/var/lib/snapd/hostfs/usr/share/doc/" pid=3518 comm="6" 
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 1520.246933] audit: type=1400 audit(1665727480.142:68): apparmor="DENIED" 
operation="getattr" class="file" profile="snap-update-ns.chromium" 
name="/var/lib/snapd/hostfs/usr/share/fonts/" pid=3518 comm="6" 
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 1520.349971] audit: type=1400 audit(1665727480.246:69): apparmor="DENIED" 
operation="getattr" class="file" profile="snap-update-ns.ch
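
The AppArmor records quoted in the report above are easier to triage once the mail line-wrapping is undone and the key=value fields are parsed. The following is an added example, not part of the original report or of any Ubuntu tool: it re-joins wrapped dmesg records, parses the audit fields and counts DENIED events per profile. The function names, the last sample record (constructed) and the set of fields treated as hex-encodable are assumptions of this example.

```python
import re
from collections import Counter

# Start of a dmesg record, e.g. "[ 1520.203518] ..."
DMESG_START = re.compile(r'^\[\s*\d+\.\d+\]')
# Audit header "audit(<epoch>:<serial>):" followed by key=value fields
AUDIT_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')
# Assumption of this example: string fields that the kernel audit layer
# writes as bare hex when the value contains a space, a quote or a
# non-printable byte, so an unquoted all-hex value is decoded.
HEX_ENCODABLE = {"name", "comm", "profile"}

# First five records are taken from the report (wrapped as in the mail);
# the last record is constructed to show a hex-encoded path with a space.
SAMPLE_DMESG = '''
  [ 1510.255228] loop7: detected capacity change from 0 to 293648
  [ 1511.014103] audit: type=1400 audit(1665727470.909:56): apparmor="STATUS"
operation="profile_load" profile="unconfined" name="snap.chromium.chromium"
pid=3361 comm="apparmor_parser"
  [ 1520.203518] audit: type=1400 audit(1665727480.098:64): apparmor="DENIED"
operation="getattr" class="file" profile="snap-update-ns.chromium"
name="/meta/snap.yaml" pid=3518 comm="6" requested_mask="r" denied_mask="r"
fsuid=0 ouid=0
  [ 1520.245234] audit: type=1400 audit(1665727480.142:65): apparmor="DENIED"
operation="getattr" class="file" profile="snap-update-ns.chromium"
name="/usr/local/share/fonts/" pid=3518 comm="6" requested_mask="r"
denied_mask="r" fsuid=0 ouid=0
  [ 1520.245256] audit: type=1400 audit(1665727480.142:66): apparmor="DENIED"
operation="getattr" class="file" profile="snap-update-ns.chromium"
name="/usr/local/share/" pid=3518 comm="6" requested_mask="r" denied_mask="r"
fsuid=0 ouid=0
  [ 1521.000000] audit: type=1400 audit(1665727481.000:70): apparmor="DENIED"
operation="open" class="file" profile="snap.chromium.chromium"
name=2F746D702F6D7920646972 pid=3600 comm="chromium" requested_mask="r"
denied_mask="r" fsuid=1000 ouid=1000
'''


def unwrap(text):
    """Re-join records that a mail client wrapped across several lines."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if DMESG_START.match(line) or not records:
            records.append(line)          # a new "[ time ]" record
        else:
            records[-1] += " " + line     # continuation of the previous one
    return records


def parse_record(line):
    """Return a dict of audit fields, or None if not an AppArmor record."""
    header = AUDIT_RE.search(line)
    if not header:
        return None
    epoch, serial, body = header.groups()
    rec = {"epoch": float(epoch), "serial": int(serial)}
    for field in FIELD_RE.finditer(body):
        key, quoted, bare = field.group(1), field.group(2), field.group(3)
        if quoted is not None:
            rec[key] = quoted
        elif key in HEX_ENCODABLE and HEX_RE.fullmatch(bare):
            rec[key] = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            rec[key] = bare
    return rec if "apparmor" in rec else None


def parse_dmesg(text):
    """Parse every AppArmor audit record in a (possibly wrapped) dmesg dump."""
    return [r for r in map(parse_record, unwrap(text)) if r is not None]


def denials_by_profile(text):
    """Count DENIED events per confining profile."""
    counts = Counter(r.get("profile") for r in parse_dmesg(text)
                     if r["apparmor"] == "DENIED")
    return dict(counts)


if __name__ == "__main__":
    for rec in parse_dmesg(SAMPLE_DMESG):
        if rec["apparmor"] == "DENIED":
            print(rec["profile"], rec["operation"], rec["name"],
                  rec.get("denied_mask"))
    print(denials_by_profile(SAMPLE_DMESG))
```

Grouping by profile separates denials raised while the mount namespace is being set up (`snap-update-ns.*`) from denials raised by the confined application itself.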

[Touch-packages] [Bug 1992580] Re: i915 DG1 fails to load

2022-10-12 Thread Alex Murray
*** This bug is a duplicate of bug 1991704 ***
https://bugs.launchpad.net/bugs/1991704

** This bug has been marked a duplicate of bug 1991704
   Kinetic kernels 5.19.0-18/19-generic won't boot on Intel 11th/12th gen

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to initramfs-tools in Ubuntu.
https://bugs.launchpad.net/bugs/1992580

Title:
  i915 DG1 fails to load

Status in initramfs-tools package in Ubuntu:
  New
Status in linux package in Ubuntu:
  Confirmed

Bug description:
  On kernel 5.19 in Ubuntu Jammy i915 fails to initialize Intel DG1 GPU
  --- 
  ProblemType: Bug
  ApportVersion: 2.23.1-0ubuntu2
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  DistroRelease: Ubuntu 22.10
  InstallationDate: Installed on 2020-12-06 (674 days ago)
  InstallationMedia: Ubuntu 20.10 "Groovy Gorilla" - Release amd64 (20201022)
  Package: linux
  PackageArchitecture: all
  ProcVersionSignature: Ubuntu 5.19.0-19.19-generic 5.19.7
  Tags:  wayland-session kinetic
  Uname: Linux 5.19.0-19-generic x86_64
  UpgradeStatus: Upgraded to kinetic on 2022-09-19 (22 days ago)
  UserGroups: adm cdrom dip docker libvirt lpadmin lxd plugdev sambashare sudo 
wireshark
  _MarkForUpload: True



[Touch-packages] [Bug 1992430] Re: Snap based apps crash after 5.19.0-18->5.19.0-19 kernel upgrade

2022-10-11 Thread Alex Murray
*** This bug is a duplicate of bug 1991691 ***
https://bugs.launchpad.net/bugs/1991691

** This bug has been marked a duplicate of bug 1991691
   cannot change mount namespace

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1992430

Title:
  Snap based apps crash after 5.19.0-18->5.19.0-19 kernel upgrade

Status in apparmor package in Ubuntu:
  New

Bug description:
  This occurs on Ubuntu ver. 22.10.
  Here is an example:

  skype 
  update.go:85: cannot change mount namespace according to change mount 
(/run/user/1000/doc/by-app/snap.skype /run/user/1000/doc none 
bind,rw,x-snapd.ignore-missing 0 0): cannot inspect "/run/user/1000/doc": lstat 
/run/user/1000/doc: permission denied
  + [ -f /home/user/snap/skype/common/.config/skypeforlinux/settings.json ]
  + export SKYPE_LOGS=/home/user/snap/skype/231/logs
  + [ ! -d /home/user/snap/skype/231/logs ]
  + exec /snap/skype/231/usr/share/skypeforlinux/skypeforlinux

  (skypeforlinux:9439): Gtk-WARNING **: 10:13:12.251: Theme parsing error: 
gtk.css:3536:25: 'font-feature-settings' is not a valid property name
  Gtk-Message: 10:13:12.294: Failed to load module "colorreload-gtk-module"
  Gtk-Message: 10:13:12.295: Failed to load module 
"window-decorations-gtk-module"
  [1011/101312.442717:ERROR:scoped_ptrace_attach.cc(27)] ptrace: Permission 
denied (13)
  Nyomkövetési/töréspont csapda (core készült)

  Google translation: Trace/breakpoint trap (core made)

  Here is another one:
  teams
  update.go:85: cannot change mount namespace according to change mount 
(/var/lib/snapd/hostfs/usr/share/fonts /usr/share/fonts none bind,ro 0 0): 
cannot inspect "/var/lib/snapd/hostfs/usr/share/fonts": lstat 
/var/lib/snapd/hostfs/usr/share/fonts: permission denied
  update.go:85: cannot change mount namespace according to change mount 
(/var/lib/snapd/hostfs/usr/local/share/fonts /usr/local/share/fonts none 
bind,ro 0 0): cannot inspect "/usr/local/share/fonts": lstat 
/usr/local/share/fonts: permission denied
  update.go:85: cannot change mount namespace according to change mount 
(/run/user/1000/doc/by-app/snap.teams /run/user/1000/doc none 
bind,rw,x-snapd.ignore-missing 0 0): cannot inspect "/run/user/1000/doc": lstat 
/run/user/1000/doc: permission denied

  Loading of the previous kernel fixes the issue; this is why I think it
  could be kernel-related or something like that.



[Touch-packages] [Bug 1810241] Re: NULL dereference when decompressing specially crafted archives

2022-09-26 Thread Alex Murray
Thanks, I have updated the status of this CVE in the Ubuntu CVE tracker.

** Changed in: tar (Ubuntu)
   Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to tar in Ubuntu.
https://bugs.launchpad.net/bugs/1810241

Title:
  NULL dereference when decompressing specially crafted archives

Status in tar package in Ubuntu:
  Fix Released

Bug description:
  Hi,

  Fuzzing tar with checksums disabled reveals a NULL pointer dereference
  when parsing certain archives that have malformed extended headers.
  This affects tar from (at least) Trusty, Bionic and Cosmic. I haven't
  tested Xenial's version.

  A test case with fixed checksums is attached. To avoid breaking
  anything that looks inside tar archives, I have converted it to text
  with xxd. To reproduce:

  $ xxd -r gnutar-crash.tar.txt gnutar-crash.tar
  $ tar Oxf gnutar-crash.tar 
  tar: Ignoring unknown extended header keyword 'GNU.sparse.minTr'
  tar: Malformed extended header: missing length
  Segmentation fault (core dumped)

  I have also attached a patch against the latest upstream git and
  against 1.30 (in Cosmic). This fixes the issue by detecting the null
  result before it is dereferenced.

  Regards,
  Daniel



[Touch-packages] [Bug 1989309] Re: [FFe] apparmor 3.1.1 upstream release

2022-09-21 Thread Alex Murray
** Description changed:

- Placeholder for preparation of AppArmor 3.1.1 for kinetic.
+ AppArmor 3.1.1 is the latest upstream version of the apparmor userspace
+ tooling.
+ 
+ This includes a large number of bug fixes since the 3.0.7 release which
+ is currently in kinetic, as well as various cleanups and optimisations
+ to the different tools to improve performance and maintainability.
+ 
+ The full ChangeLog can be seen at [1]
+ 
+ 
+ TESTING
+ 
+ This has been extensively tested by the security team - this includes
+ following the documented Ubuntu merges test plan[2] for AppArmor and the
+ extensive QA Regression Tests[3] for AppArmor as well. This ensures that
+ the various applications that make heavy use of AppArmor (LXD, docker, 
+ lxc, dbus, libvirt, snapd etc) have all been exercised and no regressions 
+ have been observed. All tests have passed and demonstrated both apparmor 
+ and the various applications that use it to be working as expected.
+ 
+ 
+ BUILD LOGS
+ 
+ This is currently uploaded to 
https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309, build logs can be 
found on
+ Launchpad at:
+ https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309/+build/24491969 
for amd64 etc
+ 
+ 
+ DEBDIFF
+ 
+ The debdiff can be found in the PPA:
+ 
https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309/+files/apparmor_3.0.7-1ubuntu1_3.1.1-0ubuntu1.diff.gz
+ 
+ 
+ INSTALL / UPGRADE LOG
+ 
+ The apt upgrade log is attached.
+ 
+ 
+ [1] https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1
+ [2] https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
+ [3] 
https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py

** Attachment added: "apparmor-3.1.1-0ubuntu1-apt-upgrade.log"
   
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+attachment/5617638/+files/apparmor-3.1.1-0ubuntu1-apt-upgrade.log

** Description changed:

  AppArmor 3.1.1 is the latest upstream version of the apparmor userspace
  tooling.
  
  This includes a large number of bug fixes since the 3.0.7 release which
  is currently in kinetic, as well as various cleanups and optimisations
  to the different tools to improve performance and maintainability.
  
  The full ChangeLog can be seen at [1]
  
- 
  TESTING
  
  This has been extensively tested by the security team - this includes
  following the documented Ubuntu merges test plan[2] for AppArmor and the
  extensive QA Regression Tests[3] for AppArmor as well. This ensures that
- the various applications that make heavy use of AppArmor (LXD, docker, 
- lxc, dbus, libvirt, snapd etc) have all been exercised and no regressions 
- have been observed. All tests have passed and demonstrated both apparmor 
+ the various applications that make heavy use of AppArmor (LXD, docker,
+ lxc, dbus, libvirt, snapd etc) have all been exercised and no regressions
+ have been observed. All tests have passed and demonstrated both apparmor
  and the various applications that use it to be working as expected.
- 
  
  BUILD LOGS
  
  This is currently uploaded to 
https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309, build logs can be 
found on
  Launchpad at:
  https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309/+build/24491969 
for amd64 etc
  
- 
  DEBDIFF
  
  The debdiff can be found in the PPA:
  
https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309/+files/apparmor_3.0.7-1ubuntu1_3.1.1-0ubuntu1.diff.gz
  
- 
  INSTALL / UPGRADE LOG
  
- The apt upgrade log is attached.
- 
+ The apt upgrade log is attached in
+ 
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+attachment/5617638/+files/apparmor-3.1.1-0ubuntu1-apt-
+ upgrade.log
  
  [1] https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1
  [2] https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
  [3] 
https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py

** Description changed:

  AppArmor 3.1.1 is the latest upstream version of the apparmor userspace
  tooling.
  
  This includes a large number of bug fixes since the 3.0.7 release which
  is currently in kinetic, as well as various cleanups and optimisations
  to the different tools to improve performance and maintainability.
  
- The full ChangeLog can be seen at [1]
+ The full ChangeLog can be seen at [1]. Upstream does not provide a
+ ChangeLog file, however I have generated one based on the git commit
+ history of apparmor from the 3.0.7 tag to 3.1.1 as:
+ 
+ $ git log v3.0.7...v3.1.1 -- > ~/Downloads/apparmor-3.0.7-to-3.1.1-git-
+ log.log
+ 
+ This can be seen in the attached file.
+ 
  
  TESTING
  
  This has been extensively tested by the security team - this includes
  following the documented Ubuntu merges test plan[2] for AppArmor and the
  extensive QA Regression Tests[3] for AppArmor as well. This ensures that
  the various applications that make heavy use of AppArmor (LXD, docker,
  lxc, dbus, libvirt, snapd etc) have all been exercised and no regr

[Touch-packages] [Bug 1989309] Re: [FFe] apparmor 3.1.1 upstream release

2022-09-21 Thread Alex Murray
** Attachment added: "apparmor-3.0.7-to-3.1.1-git-log.log"
   
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+attachment/5617640/+files/apparmor-3.0.7-to-3.1.1-git-log.log

** Description changed:

  AppArmor 3.1.1 is the latest upstream version of the apparmor userspace
  tooling.
  
  This includes a large number of bug fixes since the 3.0.7 release which
  is currently in kinetic, as well as various cleanups and optimisations
  to the different tools to improve performance and maintainability.
  
  The full ChangeLog can be seen at [1]. Upstream does not provide a
  ChangeLog file, however I have generated one based on the git commit
  history of apparmor from the 3.0.7 tag to 3.1.1 as:
  
  $ git log v3.0.7...v3.1.1 -- > ~/Downloads/apparmor-3.0.7-to-3.1.1-git-
  log.log
  
- This can be seen in the attached file.
- 
+ This can be seen in the attached file
+ 
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+attachment/5617640/+files/apparmor-3.0.7-to-3.1.1-git-
+ log.log
  
  TESTING
  
  This has been extensively tested by the security team - this includes
  following the documented Ubuntu merges test plan[2] for AppArmor and the
  extensive QA Regression Tests[3] for AppArmor as well. This ensures that
  the various applications that make heavy use of AppArmor (LXD, docker,
  lxc, dbus, libvirt, snapd etc) have all been exercised and no regressions
  have been observed. All tests have passed and demonstrated both apparmor
  and the various applications that use it to be working as expected.
  
  BUILD LOGS
  
  This is currently uploaded to 
https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309, build logs can be 
found on
  Launchpad at:
  https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309/+build/24491969 
for amd64 etc
  
  DEBDIFF
  
  The debdiff can be found in the PPA:
  
https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309/+files/apparmor_3.0.7-1ubuntu1_3.1.1-0ubuntu1.diff.gz
  
  INSTALL / UPGRADE LOG
  
  The apt upgrade log is attached in
  
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+attachment/5617638/+files/apparmor-3.1.1-0ubuntu1-apt-
  upgrade.log
  
  [1] https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1
  [2] https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
  [3] 
https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1989309

Title:
  [FFe] apparmor 3.1.1 upstream release

Status in apparmor package in Ubuntu:
  New

Bug description:
  AppArmor 3.1.1 is the latest upstream version of the apparmor
  userspace tooling.

  This includes a large number of bug fixes since the 3.0.7 release
  which is currently in kinetic, as well as various cleanups and
  optimisations to the different tools to improve performance and
  maintainability.

  The full ChangeLog can be seen at [1]. Upstream does not provide a
  ChangeLog file, however I have generated one based on the git commit
  history of apparmor from the 3.0.7 tag to 3.1.1 as:

  $ git log v3.0.7...v3.1.1 -- > ~/Downloads/apparmor-3.0.7-to-3.1.1-git-log.log

  This can be seen in the attached file
  https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+attachment/5617640/+files/apparmor-3.0.7-to-3.1.1-git-log.log

  TESTING

  This has been extensively tested by the security team - this includes
  following the documented Ubuntu merges test plan[2] for AppArmor and the
  extensive QA Regression Tests[3] for AppArmor as well. This ensures that
  the various applications that make heavy use of AppArmor (LXD, docker,
  lxc, dbus, libvirt, snapd etc) have all been exercised and no regressions
  have been observed. All tests have passed and demonstrated both apparmor
  and the various applications that use it to be working as expected.

  BUILD LOGS

  This is currently uploaded to
  https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309, build logs can be
  found on Launchpad at:
  https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309/+build/24491969
  for amd64 etc

  DEBDIFF

  The debdiff can be found in the PPA:
  https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309/+files/apparmor_3.0.7-1ubuntu1_3.1.1-0ubuntu1.diff.gz

  INSTALL / UPGRADE LOG

  The apt upgrade log is attached in
  https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+attachment/5617638/+files/apparmor-3.1.1-0ubuntu1-apt-upgrade.log

  [1] https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1
  [2] https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
  [3] https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+subscriptions



[Touch-packages] [Bug 1990064] Re: unconfined profile denies userns_create for chromium based processes

2022-09-18 Thread Alex Murray
This sounds like a kernel regression.

The commit you link to is for SELinux, which is not enabled by default
in Ubuntu, so I doubt it is that specifically - instead I suspect this
is due to the following commit:
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/kinetic/commit/?h=master-next&id=30bce26855c9171f8dee74d93308fd506730c914

The logic here:

int aa_profile_ns_perm(struct aa_profile *profile, struct common_audit_data *sa,
		       u32 request)
{
...
	if (profile_unconfined(profile)) {
		if (!unprivileged_userns_restricted ||
		    ns_capable_noaudit(current_user_ns(), CAP_SYS_ADMIN))
			return 0;

		aad(sa)->info = "User namespace creation restricted";
		/* fall through to below allows complain mode to override */
	} else {
		struct aa_ruleset *rules = list_first_entry(&profile->rules,
							    typeof(*rules),
							    list);
		aa_state_t state;

		state = RULE_MEDIATES(rules, aad(sa)->class);
		if (!state)
			/* TODO: add flag to complain about unmediated */
			return 0;
		perms = *aa_lookup_perms(&rules->policy, state);
	}

	aa_apply_modes_to_perms(profile, &perms);
	return aa_check_perms(profile, &perms, request, sa, audit_ns_cb);
}

Seems to indicate that all unconfined processes that do not have
CAP_SYS_ADMIN will be denied the ability to use user namespaces - this
feels like a definite regression / policy change within the kernel
itself.

Should the kernel instead be built with
CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS=n ?

Or is this code not doing what it was intended to do?

** Also affects: linux (Ubuntu)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1990064

Title:
  unconfined profile denies userns_create for chromium based processes

Status in apparmor package in Ubuntu:
  New
Status in linux package in Ubuntu:
  New

Bug description:
  For Ubuntu 22.10, since the last kernel update, I can't launch any
  chromium based browser, due to apparmor denying userns_create

  dmesg shows:
  apparmor="DENIED" operation="userns_create" class="namespace" info="User namespace creation restricted" error=-13 profile="unconfined" pid=21323 comm="steamwebhelper" requested="userns_create" denied="userns_create"

  This happens for every process which uses a chromium engine, like
  google chrome itself or in this case steamwebhelper.

  Might be related to this change?:
  
https://patchwork.kernel.org/project/netdevbpf/patch/20220801180146.1157914-5-f...@cloudflare.com/

  not sure if it got merged in this form though..

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1990064/+subscriptions




[Touch-packages] [Bug 1989309] [NEW] [FFe] apparmor 3.1.1 upstream release

2022-09-11 Thread Alex Murray
Public bug reported:

Placeholder for preparation of AppArmor 3.1.1 for kinetic.

** Affects: apparmor (Ubuntu)
 Importance: Undecided
 Status: New

** Summary changed:

- [FFe] apparmor 3.1.0 upstream release
+ [FFe] apparmor 3.1.1 upstream release

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1989309

Title:
  [FFe] apparmor 3.1.1 upstream release

Status in apparmor package in Ubuntu:
  New

Bug description:
  Placeholder for preparation of AppArmor 3.1.1 for kinetic.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+subscriptions




[Touch-packages] [Bug 1972654] Re: [security review] Sync policykit-1 0.120-6 (main) from Debian experimental

2022-09-02 Thread Alex Murray
> I do not intend to take further action to modify those packages. If it is a
> blocker for Ubuntu that they are fixed, then someone from Ubuntu will need
> to do that work.

Given the relationship between the packages has now changed - i.e.
polkitd-pkla is not mutually exclusive from the javascript backend and
then allows both legacy pkla policies as well as the "new" javascript
policies to be handled - then this is not a blocker anymore from my
point of view. I suspect Marc may also agree (especially given the
relatively small number of packages in this category).

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/1972654

Title:
  [security review] Sync policykit-1 0.120-6 (main) from Debian
  experimental

Status in policykit-1 package in Ubuntu:
  Confirmed

Bug description:
  Please sync policykit-1 0.120-6 (main) from Debian experimental

  Changelog entries since current kinetic version 0.105-33:
  https://tracker.debian.org/media/packages/p/policykit-1/changelog-0.120-6

  In particular, see the 0.120-4 changelog entry.

  I am filing a bug for Security Team review.
  Previously, Debian and Ubuntu developers agreed to keep using
  the last version of policykit before it switched to using JavaScript rules.

  But that was years ago. I believe Debian & Ubuntu are the only distros
  to have opted out of the new policykit. It is harder to maintain
  the old style rules when upstream rules use the new format. And it is
  a challenge to backport security and other bugfixes from the new
  series, without making mistakes or missing important details.

  There was a proposal to use duktape instead of mozjs for the JavaScript
  interpreter but I don't think that's been merged yet.

  It appears the Debian maintainer is considering switching Debian to the
  updated version in time for the next Debian Stable release (so uploading
  to unstable later this year).

  My requested deadline is August 25, Ubuntu 22.10 Feature Freeze.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1972654/+subscriptions

