[Bug 2047256] Re: Ubuntu 24.04 Some image thumbnails no longer displayed

2024-07-29 Thread Georgia Garcia
The main issue is that I still wasn't able to reproduce it locally. 
Dan, could you check if this issue still happens with the unprivileged user 
namespace restriction disabled?

sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0

Please note that this makes your setup vulnerable, so I recommend
turning it back on after testing with

sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=1

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2047256

Title:
  Ubuntu 24.04 Some image thumbnails no longer displayed

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nautilus/+bug/2047256/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
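
To check from the logs whether the user namespace restriction is what blocks an application, and to confirm the sysctl from the message above was turned back on after testing, here is an added example that is not part of the original message. The helper names and the sample log lines are constructed, and the audit field layout is an assumption modelled on the kernel's AppArmor audit records.

```sh
#!/bin/sh
# Added example; helper names are hypothetical, not from the bug thread.

# The sysctl named in the message, read through its /proc/sys file.
# Overridable so the helper can be pointed at a scratch file.
USERNS_SYSCTL="${USERNS_SYSCTL:-/proc/sys/kernel/apparmor_restrict_unprivileged_userns}"

# Report whether the restriction is currently on, e.g. to confirm it was
# re-enabled after testing. Prints: enabled | disabled | unknown
userns_restriction_state() {
    if [ ! -r "$USERNS_SYSCTL" ]; then
        echo unknown    # file missing or not readable on this kernel
        return 0
    fi
    case "$(cat "$USERNS_SYSCTL")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Read kernel log text on stdin and print "<comm> <count>" for AppArmor
# denials tied to user namespaces: either the userns_create operation itself
# or any denial raised under the unprivileged_userns profile.
userns_denials() {
    awk '
        /apparmor="DENIED"/ &&
        (/operation="userns_create"/ || /profile="unprivileged_userns"/) {
            if (match($0, /comm="[^"]*"/)) {
                # Strip the leading comm=" (6 chars) and the closing quote.
                comm = substr($0, RSTART + 6, RLENGTH - 7)
                count[comm]++
            }
        }
        END { for (c in count) print c, count[c] }
    ' | sort
}

# Constructed sample lines (not taken from any bug report on this page):
# two userns-related denials for bwrap, one unrelated file denial, one
# AUDIT (not DENIED) record, and one userns-related denial for example-app.
sample_log() {
    cat <<'EOF'
Jul 29 10:01:02 host kernel: audit: type=1400 audit(1722247262.101:201): apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 profile="unconfined" pid=4101 comm="bwrap" requested="userns_create" denied="userns_create" target="unprivileged_userns"
Jul 29 10:01:05 host kernel: audit: type=1400 audit(1722247265.330:202): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=4188 comm="bwrap" capability=21 capname="sys_admin"
Jul 29 10:01:09 host kernel: audit: type=1400 audit(1722247269.012:203): apparmor="DENIED" operation="open" class="file" profile="example-profile" name="/etc/example.conf" pid=4200 comm="example-daemon" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 29 10:01:12 host kernel: audit: type=1400 audit(1722247272.450:204): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=4250 comm="example-app" requested="userns_create" target="unprivileged_userns"
Jul 29 10:01:12 host kernel: audit: type=1400 audit(1722247272.451:205): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=4251 comm="example-app" capability=21 capname="sys_admin"
EOF
}

# Demo on the constructed sample. On a live system the same filter can be
# fed from the kernel log:  journalctl -k | userns_denials
echo "restriction: $(userns_restriction_state)"
sample_log | userns_denials
```

If the per-command counts drop to nothing while the restriction is disabled and return once it is enabled again, the restriction is implicated.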

[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-07-18 Thread Georgia Garcia
I have updated the description with the information of the SRU version
4.0.1really4.0.1-0ubuntu0.24.04.3.
The Test Plan is updated with detailed instructions and I also added an
analysis of why the regression happened for the previous SRU. Note that
since we have removed the enablement by default of the bwrap profile, some
applications are still not going to work properly, which is the case for
setzer in the test plan. A fix was already merged upstream [1] and will be
present in a later 4.0.2 SRU.

[1] https://gitlab.com/apparmor/apparmor/-/merge_requests/1272

** Description changed:

  [ Impact ]
  
  This SRU has several fixes:
  
  add unconfined profile for tuxedo-control-center (Bug 2046844)
  fix issues appointed by coverity
  fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386)
  fix redefinition of _ which caused an issue with translation, failing 
aa-enforce (https://gitlab.com/apparmor/apparmor/-/issues/387)
  add mount test for CVE-2016-1585 (Bug 1597017 and Bug 2023814)
  add network inet mediation documentation to apparmor.d
  fix inet conditionals to only generate rules for inet family 
(https://gitlab.com/apparmor/apparmor/-/issues/384)
  add unconfined wike profile (Bug 2060810)
  add unconfined foliate profile (Bug 2060767)
  fix chromium_browser profile 
(https://gitlab.com/apparmor/apparmor/-/merge_requests/1208)
  add profiles for Transmission family of Bittorrent clients
  add profile for unshare utility (Bug 2046844)
  add profile for bwrap utility (Bug 2046844)
  fix unconfined firefox profile to support mozilla.org download (Bug 2056297)
  fix getattr and setattr perm mapping on mqueue rules 
(https://gitlab.com/apparmor/apparmor/-/issues/377 and 
https://gitlab.com/apparmor/apparmor/-/issues/378)
  fix inet tests (https://gitlab.com/apparmor/apparmor/-/issues/376)
  fix sshd profile (Bug 2060100)
  fix apparmor tools to allow mount destination globbing 
(https://gitlab.com/apparmor/apparmor/-/issues/381)
  fix firefox profile (https://gitlab.com/apparmor/apparmor/-/issues/380)
  move pam-related permissions to abstractions/authentication 
(https://bugzilla.opensuse.org/show_bug.cgi?id=1220032)
  fix condition in policydb serialization to only encode xtable if 
kernel_supports_permstable32
  relax mount rules in utils to fix use of virtiofs and other file-system types
  
  [ Test Plan ]
  
+ * Make sure to reboot after upgrading (Bug 2072811)
  This has been extensively tested via the AppArmor regression test
  script in the QA Regression Testing repo:
  https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py
+ 
+ Steps:
+ $ git clone https://git.launchpad.net/qa-regression-testing
+ $ ./scripts/make-test-tarball ./scripts/test-apparmor.py 
+ Copying: test-apparmor.py
+ Copying: testlib.py
+ Copying: install-packages
+ Copying: packages-helper
+ Copying: apparmor/
+ 
+ Test files: /tmp/qrt-test-apparmor.tar.gz
+ 
+ To run, copy the tarball somewhere, then do:
+ $ tar -zxf qrt-test-apparmor.tar.gz
+ $ cd ./qrt-test-apparmor
+ $ sudo ./install-packages test-apparmor.py
+ $ ./test-apparmor.py -v
  
  This script runs various tests against the installed apparmor
  package, as well as building and running the various upstream
  regression and other test suites against this installed package:
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads
  
  The final test output was:
  
  --
- Ran 62 tests in 1989.948s
+ Ran 62 tests in 1977.045s
  
- OK (skipped=4)
+ OK (skipped=3)
  
  georgia@sec-noble-amd64:~$ apt policy apparmor
  apparmor:
-   Installed: 4.0.1-0ubuntu0.24.04.2
-   Candidate: 4.0.1-0ubuntu0.24.04.2
+   Installed: 4.0.1really4.0.1-0ubuntu0.24.04.3
+   Candidate: 4.0.1really4.0.1-0ubuntu0.24.04.3
  
  Run additional tests:
  
  1. Install wike and make sure the wike window opens when executed:
  $ sudo apt install wike
  $ wike
  
  2. Install foliate, download test epub and make sure it opens as expected:
  $ sudo apt install foliate
  $ wget 
https://github.com/daisy/epub-accessibility-tests/releases/download/fundamental-2.0/Fundamental-Accessibility-Tests-Basic-Functionality-v2.0.0.epub
  $ foliate Fundamental-Accessibility-Tests-Basic-Functionality-v2.0.0.epub
  
  3. Install transmission and make sure it starts properly:
  $ sudo apt install transmission
- $ transmission-gtk 
+ $ transmission-gtk
  
- 4. bwrap profile tests:
- - Install setzer and check if it opens as expected:
+ 4. test bwrap profile is no longer enabled by default:
+ - Install setzer and it will not open because the bwrap profile is not loaded:
  $ sudo apt install setzer
- $ 
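
Review bot: In the added Steps under [ Test Plan ], `./scripts/make-test-tarball ./scripts/test-apparmor.py` is run right after `git clone https://git.launchpad.net/qa-regression-testing` with no `cd qa-regression-testing` in between, so the relative `./scripts/` paths do not resolve from the directory the clone was started in. Suggest adding the `cd` line after the clone; the later `tar -zxf qrt-test-apparmor.tar.gz` step could also refer to the `/tmp/qrt-test-apparmor.tar.gz` path that the tool prints.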

[Bug 2065915] Re: [SRU] Add multiarch lines for each architecture we want to support in our apparmor profiles.

2024-07-18 Thread Georgia Garcia
As I understand these changes are only waiting to be sponsored to
proposed, correct?


[Bug 2072811] Re: Apparmor: New update broke flatpak with `apparmor="DENIED"`

2024-07-16 Thread Georgia Garcia
Here's my proposed fix for oracular. It disables the bwrap profile so we can do 
further tests. As was done on noble, it does require a reboot. 
It's also available on this ppa: 
https://launchpad.net/~georgiag/+archive/ubuntu/4.0.1-0ubuntu2

** Patch added: "apparmor_4.0.1-0ubuntu2.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2072811/+attachment/5797804/+files/apparmor_4.0.1-0ubuntu2.debdiff


[Bug 2072811] Re: Apparmor: New update broke flatpak with `apparmor="DENIED"`

2024-07-16 Thread Georgia Garcia
@Robie Basak:

I ran QRT and the tests passed:

georgia@ubuntu:~/qrt-test-apparmor$ sudo ./install-packages test-apparmor.py 
georgia@ubuntu:~/qrt-test-apparmor$ sudo ./test-apparmor.py 
...
--
Ran 62 tests in 1974.585s

OK (skipped=3)
georgia@ubuntu:~/qrt-test-apparmor$ uname -a
Linux ubuntu 6.8.0-36-generic #36-Ubuntu SMP PREEMPT_DYNAMIC Mon Jun 10 10:49:14 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
georgia@ubuntu:~/qrt-test-apparmor$ apt policy apparmor
apparmor:
  Installed: 4.0.1really4.0.0-beta3-0ubuntu0.1
  Candidate: 4.0.1really4.0.0-beta3-0ubuntu0.1
  Version table:
 *** 4.0.1really4.0.0-beta3-0ubuntu0.1 100
        100 http://archive.ubuntu.com/ubuntu noble-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     4.0.1-0ubuntu0.24.04.2 500
        500 http://archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
     4.0.0-beta3-0ubuntu3 500
        500 http://archive.ubuntu.com/ubuntu noble/main amd64 Packages


[Bug 2065915] Re: [SRU] Add multiarch lines for each architecture we want to support in our apparmor profiles.

2024-07-10 Thread Georgia Garcia
Hi Scarlett,

No worries, that log should be enough to understand what's going on. That is a 
bug in the snapd interface because the AppArmor policy specified the peer_label 
as unconfined, but that's no longer the case for plasmashell. I'll reach out to 
the snapd team and report the issue.
Thank you!


[Bug 2072615] Re: Request to add a default profile for bitbake

2024-07-10 Thread Georgia Garcia
Hi Changqing Li,

Thanks for your report. Unfortunately, as John has stated in this comment:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2063976/comments/3
We are not able to ship a profile for bitbake running in a writable location of 
an unprivileged user because it could be used to bypass the restriction.


[Bug 2065915] Re: [SRU] Fix hard coded path in apparmor profiles.

2024-07-09 Thread Georgia Garcia
As per the discussion in 
https://irclogs.ubuntu.com/2024/07/09/%23ubuntu-security.txt
The recommendation from the security team is to not revert to the 
"flags=(unconfined)" profile if the profile is already confined. That means 
that we should only fix the multiarch issue.

Scarlett, you're right, just adding the variable @{multiarch} directly
does not work in this case, because due to how the parser is currently
implemented, @{multiarch} translates to *-linux-gnu* and the wildcard
makes it conflict with the "/** pux," rule. That's the reason that it's
hard coded in the plasmashell profile as well. We are currently working
on fixing it in the parser but it's not available right now.

So for this case, we would have to add the other arch hard coded too.
Something like the following diff, for every architecture we want to
support.

@@ -18,6 +18,7 @@
   ptrace,
 
   /usr/lib/x86_64-linux-gnu/qt5/libexec/QtWebEngineProcess cx -> 
//QtWebEngineProcess,
+  /usr/lib/aarch64-linux-gnu/qt5/libexec/QtWebEngineProcess cx -> 
//QtWebEngineProcess,
   /** pux,
   /{,**} mrwlk,
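
Review bot: The added `/usr/lib/aarch64-linux-gnu/qt5/libexec/QtWebEngineProcess cx -> //QtWebEngineProcess,` rule hard-codes the architecture triplet with no comment saying why, so a later cleanup could replace both lines with @{multiarch} and reintroduce the conflict with the `/** pux,` rule just below. Suggest a comment above the x86_64 and aarch64 rules stating that the paths are spelled out on purpose until the parser handles @{multiarch} here, and that one such line is needed per supported architecture; the hunk as shown covers only aarch64.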


Regarding dbus being denied, could you point those reports my way? I'm more
than happy to help.


[Bug 2062138] Re: test-logprof.py from test_utils_testsuite / test_utils_testsuite3 in ubuntu_qrt_apparmor failing on Azure Standard_A2_v2

2024-07-09 Thread Georgia Garcia
Added to QRT in MR
https://code.launchpad.net/~georgiag/qa-regression-testing/+git/qa-regression-testing/+merge/468941


[Bug 2032602] Re: [FFe] apparmor-4.0.0-alpha2 for unprivileged user namespace restrictions in mantic

2024-07-09 Thread Georgia Garcia
** Tags removed: verification-needed-jammy-linux-lowlatency-hwe-6.8
** Tags added: verification-done-jammy-linux-lowlatency-hwe-6.8


[Bug 2056297] Re: Non-flatpak Firefox-based browsers crash with kernel 6.8.0-11-generic in 24.04

2024-07-08 Thread Georgia Garcia
*** This bug is a duplicate of bug 2046844 ***
https://bugs.launchpad.net/bugs/2046844

Verification done as part of Bug 2064672

** Tags removed: verification-needed verification-needed-noble
** Tags added: verification-done verification-done-noble


[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-07-08 Thread Georgia Garcia
Verification done as part of Bug 2064672

** Tags removed: verification-needed verification-needed-noble
** Tags added: verification-done verification-done-noble


[Bug 2060100] Re: denials from sshd in noble

2024-07-08 Thread Georgia Garcia
Verification done as part of Bug 2064672

** Tags removed: verification-needed verification-needed-noble
** Tags added: verification-done verification-done-noble


[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-07-08 Thread Georgia Garcia
Thanks for the verification, John. I updated the tags based on the
results of your tests.

** Tags removed: verification-needed verification-needed-noble
** Tags added: verification-done verification-done-noble


[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-06-19 Thread Georgia Garcia
Thanks for reviewing, Chris. I have updated the test plan with your
suggestions, and I also updated the ppa containing a new version of the
package with the wike profile location fixed. I'll also make sure to
comment on the bugs in the changelog that verification is not required.

** Description changed:

  [ Impact ]
  
  This SRU has several fixes:
  
  add unconfined profile for tuxedo-control-center (Bug 2046844)
  fix issues appointed by coverity
  fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386)
  fix redefinition of _ which caused an issue with translation, failing 
aa-enforce (https://gitlab.com/apparmor/apparmor/-/issues/387)
  add mount test for CVE-2016-1585 (Bug 1597017 and Bug 2023814)
  add network inet mediation documentation to apparmor.d
  fix inet conditionals to only generate rules for inet family 
(https://gitlab.com/apparmor/apparmor/-/issues/384)
  add unconfined wike profile (Bug 2060810)
  add unconfined foliate profile (Bug 2060767)
  fix chromium_browser profile 
(https://gitlab.com/apparmor/apparmor/-/merge_requests/1208)
  add profiles for Transmission family of Bittorrent clients
  add profile for unshare utility (Bug 2046844)
  add profile for bwrap utility (Bug 2046844)
  fix unconfined firefox profile to support mozilla.org download (Bug 2056297)
  fix getattr and setattr perm mapping on mqueue rules 
(https://gitlab.com/apparmor/apparmor/-/issues/377 and 
https://gitlab.com/apparmor/apparmor/-/issues/378)
  fix inet tests (https://gitlab.com/apparmor/apparmor/-/issues/376)
  fix sshd profile (Bug 2060100)
  fix apparmor tools to allow mount destination globbing 
(https://gitlab.com/apparmor/apparmor/-/issues/381)
  fix firefox profile (https://gitlab.com/apparmor/apparmor/-/issues/380)
  move pam-related permissions to abstractions/authentication 
(https://bugzilla.opensuse.org/show_bug.cgi?id=1220032)
  fix condition in policydb serialization to only encode xtable if 
kernel_supports_permstable32
  relax mount rules in utils to fix use of virtiofs and other file-system types
  
  [ Test Plan ]
  
  This has been extensively tested via the AppArmor regression test
  script in the QA Regression Testing repo:
  https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py
  
  This script runs various tests against the installed apparmor
  package, as well as building and running the various upstream
  regression and other test suites against this installed package:
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads
  
  The final test output was:
  
  --
  Ran 62 tests in 1989.948s
  
  OK (skipped=4)
  
  georgia@sec-noble-amd64:~$ apt policy apparmor
  apparmor:
-   Installed: 4.0.1-0ubuntu0.24.04.2
-   Candidate: 4.0.1-0ubuntu0.24.04.2
+   Installed: 4.0.1-0ubuntu0.24.04.2
+   Candidate: 4.0.1-0ubuntu0.24.04.2
+ 
+ Run additional tests:
+ 
+ 1. Install wike and make sure the wike window opens when executed:
+ $ sudo apt install wike
+ $ wike
+ 
+ 2. Install foliate, download test epub and make sure it opens as expected:
+ $ sudo apt install foliate
+ $ wget 
https://github.com/daisy/epub-accessibility-tests/releases/download/fundamental-2.0/Fundamental-Accessibility-Tests-Basic-Functionality-v2.0.0.epub
+ $ foliate Fundamental-Accessibility-Tests-Basic-Functionality-v2.0.0.epub
+ 
+ 3. Install transmission and make sure it starts properly:
+ $ sudo apt install transmission
+ $ transmission-gtk 
+ 
+ 4. bwrap profile tests:
+ - Install setzer and check if it opens as expected:
+ $ sudo apt install setzer
+ $ setzer 
+ - Check if flatpak option --unshare=network works, the Recipes app window 
should open:
+ $ sudo apt install flatpak
+ $ flatpak remote-add --if-not-exists flathub 
https://dl.flathub.org/repo/flathub.flatpakrepo
+ $ flatpak install flathub org.gnome.Recipes
+ $ flatpak run --unshare=network org.gnome.Recipes
  
  [ Where problems could occur ]
  
  There could still be more applications affected by the
  restriction of the creation of unpriviliged user namespaces. They
  might require the creation of new unconfined profiles which could
  be mitigated in a later SRU.
  
  [ Other Info ]
  
  The SRU is available in:
  
  https://launchpad.net/~georgiag/+archive/ubuntu/4.0.1-0ubuntu0.24.04.2

[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-06-19 Thread Georgia Garcia
** Description changed:

  [ Impact ]
  
  This SRU has several fixes:
  
  add unconfined profile for tuxedo-control-center (Bug 2046844)
  fix issues appointed by coverity
  fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386)
  fix redefinition of _ which caused an issue with translation, failing 
aa-enforce (https://gitlab.com/apparmor/apparmor/-/issues/387)
  add mount test for CVE-2016-1585 (Bug 1597017 and Bug 2023814)
  add network inet mediation documentation to apparmor.d
  fix inet conditionals to only generate rules for inet family 
(https://gitlab.com/apparmor/apparmor/-/issues/384)
  add unconfined wike profile (Bug 2060810)
  add unconfined foliate profile (Bug 2060767)
  fix chromium_browser profile 
(https://gitlab.com/apparmor/apparmor/-/merge_requests/1208)
  add profiles for Transmission family of Bittorrent clients
  add profile for unshare utility (Bug 2046844)
  add profile for bwrap utility (Bug 2046844)
  fix unconfined firefox profile to support mozilla.org download (Bug 2056297)
  fix getattr and setattr perm mapping on mqueue rules 
(https://gitlab.com/apparmor/apparmor/-/issues/377 and 
https://gitlab.com/apparmor/apparmor/-/issues/378)
  fix inet tests (https://gitlab.com/apparmor/apparmor/-/issues/376)
  fix sshd profile (Bug 2060100)
  fix apparmor tools to allow mount destination globbing 
(https://gitlab.com/apparmor/apparmor/-/issues/381)
  fix firefox profile (https://gitlab.com/apparmor/apparmor/-/issues/380)
  move pam-related permissions to abstractions/authentication 
(https://bugzilla.opensuse.org/show_bug.cgi?id=1220032)
  fix condition in policydb serialization to only encode xtable if 
kernel_supports_permstable32
  relax mount rules in utils to fix use of virtiofs and other file-system types
  
  [ Test Plan ]
  
  This has been extensively tested via the AppArmor regression test
  script in the QA Regression Testing repo:
  https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py
  
  This script runs various tests against the installed apparmor
  package, as well as building and running the various upstream
  regression and other test suites against this installed package:
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads
  
  The final test output was:
  
  --
- Ran 62 tests in 1855.366s
+ Ran 62 tests in 1989.948s
  
  OK (skipped=4)
  
  georgia@sec-noble-amd64:~$ apt policy apparmor
  apparmor:
-   Installed: 4.0.1-0ubuntu0.24.04.1
-   Candidate: 4.0.1-0ubuntu0.24.04.1
+   Installed: 4.0.1-0ubuntu0.24.04.2
+   Candidate: 4.0.1-0ubuntu0.24.04.2
  
  [ Where problems could occur ]
  
  There could still be more applications affected by the
  restriction of the creation of unpriviliged user namespaces. They
  might require the creation of new unconfined profiles which could
  be mitigated in a later SRU.
  
  [ Other Info ]
  
  The SRU is available in:
  
- https://launchpad.net/~georgiag/+archive/ubuntu/4.0.1-0ubuntu0.24.04.1
+ https://launchpad.net/~georgiag/+archive/ubuntu/4.0.1-0ubuntu0.24.04.2


[Bug 2032602] Re: [FFe] apparmor-4.0.0-alpha2 for unprivileged user namespace restrictions in mantic

2024-06-06 Thread Georgia Garcia
** Tags removed: verification-needed-noble-linux-oracle
** Tags added: verification-done-noble-linux-oracle


[Bug 2061113] Re: Default included php-fpm profile prevent php-fpm installation

2024-06-06 Thread Georgia Garcia
Fix committed in
https://gitlab.com/apparmor/apparmor/-/merge_requests/1251

** Changed in: apparmor (Ubuntu)
   Status: New => Fix Committed


[Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors

2024-06-05 Thread Georgia Garcia
** Changed in: apparmor (Ubuntu)
   Status: Confirmed => Invalid


[Bug 2057927] Re: lxd vga console throws "Operation not permitted" error

2024-06-05 Thread Georgia Garcia
** Changed in: apparmor (Ubuntu)
   Status: Confirmed => Invalid


[Bug 2065724] Re: After upgrade to Kubuntu 24.04 the Chromium browser freezes when typing to address box

2024-06-05 Thread Georgia Garcia
This is probably happening because before 24.04 plasmashell was not
confined, therefore it had the "unconfined" label. But now that it is
confined, we need a rule to allow peer_label="plasmashell"

** Also affects: snapd (Ubuntu)
   Importance: Undecided
   Status: New


[Bug 2040250] Re: apparmor notification files verification

2024-06-04 Thread Georgia Garcia
** Tags removed: verification-needed-jammy-linux-nvidia-6.8 
verification-needed-noble-linux-gke
** Tags added: verification-done-jammy-linux-nvidia-6.8 
verification-done-noble-linux-gke


[Bug 2040245] Re: apparmor oops when racing to retrieve a notification

2024-06-04 Thread Georgia Garcia
** Tags removed: verification-needed-jammy-linux-nvidia-6.8 
verification-needed-noble-linux-gke
** Tags added: verification-done-jammy-linux-nvidia-6.8 
verification-done-noble-linux-gke


[Bug 2040192] Re: AppArmor spams kernel log with assert when auditing

2024-06-04 Thread Georgia Garcia
** Tags removed: verification-needed-jammy-linux-nvidia-6.8 
verification-needed-noble-linux-gke
** Tags added: verification-done-jammy-linux-nvidia-6.8 
verification-done-noble-linux-gke

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2040192

Title:
  AppArmor spams kernel log with assert when auditing

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2040192/+subscriptions



[Bug 2040194] Re: apparmor restricts read access of user namespace mediation sysctls to root

2024-06-04 Thread Georgia Garcia
** Tags removed: verification-needed-jammy-linux-nvidia-6.8 
verification-needed-noble-linux-gke
** Tags added: verification-done-jammy-linux-nvidia-6.8 
verification-done-noble-linux-gke

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2040194

Title:
  apparmor restricts read access of user namespace mediation sysctls to
  root

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2040194/+subscriptions



[Bug 2028253] Re: update apparmor and LSM stacking patch set

2024-06-04 Thread Georgia Garcia
** Tags removed: verification-needed-noble-linux-gke
** Tags added: verification-done-noble-linux-gke

** Tags removed: verification-needed-noble-linux-gcp
** Tags added: verification-done-noble-linux-gcp

** Tags removed: verification-needed-noble-linux-azure
** Tags added: verification-done-noble-linux-azure

** Tags removed: verification-needed-noble-linux-aws
** Tags added: verification-done-noble-linux-aws

** Tags removed: verification-needed-jammy-linux-oem-6.5
** Tags added: verification-done-jammy-linux-oem-6.5

** Tags removed: verification-needed-jammy-linux-nvidia-6.5 
verification-needed-jammy-linux-nvidia-6.8
** Tags added: verification-done-jammy-linux-nvidia-6.5 
verification-done-jammy-linux-nvidia-6.8

** Tags removed: verification-needed-jammy-linux-aws-6.5 
verification-needed-jammy-linux-azure-6.5
** Tags added: verification-done-jammy-linux-aws-6.5 
verification-done-jammy-linux-azure-6.5

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2028253

Title:
  update apparmor and LSM stacking patch set

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2028253/+subscriptions



[Bug 2028253] Re: update apparmor and LSM stacking patch set

2024-06-04 Thread Georgia Garcia
** Tags removed: verification-needed-noble-linux-lowlatency
** Tags added: verification-done-noble-linux-lowlatency

** Tags removed: verification-needed-noble-linux-ibm
** Tags added: verification-done-noble-linux-ibm

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2028253

Title:
  update apparmor and LSM stacking patch set

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2028253/+subscriptions



[Bug 2032602] Re: [FFe] apparmor-4.0.0-alpha2 for unprivileged user namespace restrictions in mantic

2024-06-04 Thread Georgia Garcia
This bug corresponds to the userspace components of AppArmor but it was
added in some kernel patches along with Bug 2028253. Verification should
be completed in Bug 2028253.

** Tags removed: verification-needed-jammy-linux-aws-6.5 
verification-needed-jammy-linux-azure-6.5 
verification-needed-jammy-linux-nvidia-6.8 verification-needed-noble-linux-aws 
verification-needed-noble-linux-azure verification-needed-noble-linux-gcp 
verification-needed-noble-linux-gke verification-needed-noble-linux-ibm 
verification-needed-noble-linux-lowlatency 
verification-needed-noble-linux-raspi-realtime
** Tags added: verification-done-jammy-linux-aws-6.5 
verification-done-jammy-linux-azure-6.5 
verification-done-jammy-linux-nvidia-6.8 verification-done-noble-linux-aws 
verification-done-noble-linux-azure verification-done-noble-linux-gcp 
verification-done-noble-linux-gke verification-done-noble-linux-ibm 
verification-done-noble-linux-lowlatency 
verification-done-noble-linux-raspi-realtime

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2032602

Title:
  [FFe] apparmor-4.0.0-alpha2 for unprivileged user namespace
  restrictions in mantic

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2032602/+subscriptions



[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-06-04 Thread Georgia Garcia
Hi Simon,

The use of --unshare=network does not cause a regression with the bwrap profile.
This is the full profile: 
https://gitlab.com/apparmor/apparmor/-/blob/aa74b9b12d9ed55909489403a0c2514b9ea6a95f/profiles/apparmor/profiles/extras/bwrap-userns-restrict

If you look at the bwrap profile itself, you can see that it allows the
use of all capabilities, but that on execs, it transitions to a profile
that does not allow capabilities. That's why bwrap can, briefly, use
CAP_NET_ADMIN.

profile bwrap /usr/bin/bwrap ... {
  allow capability,
  ...
  allow px /** -> bwrap//_bwrap,
}

To be clear, I tested `flatpak run --unshare=network org.gnome.Recipes`
specifically and it worked as expected.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2064672

Title:
  [SRU] - fixes for apparmor on noble

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064672/+subscriptions



[Bug 2067564] Re: Syslog is flooded with messages when watching videos on Youtube

2024-06-03 Thread Georgia Garcia
** Package changed: apparmor (Ubuntu) => snapd (Ubuntu)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2067564

Title:
  Syslog is flooded with messages when watching videos on Youtube

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/2067564/+subscriptions



[Bug 2067443] Re: Several apparmor profiles fail to enable after upgrading to noble

2024-06-03 Thread Georgia Garcia
*** This bug is a duplicate of bug 2064144 ***
https://bugs.launchpad.net/bugs/2064144

Hi Mikko. Thanks for the report. This seems to be a duplicate of Bug
2064144, which has the fix on its way to noble.

** This bug has been marked a duplicate of bug 2064144
   lxc ships  apparmor config that confuses aa-logprof

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2067443

Title:
  Several apparmor profiles fail to enable after upgrading to noble

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2067443/+subscriptions



[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-05-29 Thread Georgia Garcia
** Description changed:

  [ Impact ]
  
  This SRU has several fixes:
  
  add unconfined profile for tuxedo-control-center (Bug 2046844)
  fix issues appointed by coverity
  fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386)
  fix redefinition of _ which caused an issue with translation, failing 
aa-enforce (https://gitlab.com/apparmor/apparmor/-/issues/387)
  add mount test for CVE-2016-1585 (Bug 1597017 and Bug 2023814)
  add network inet mediation documentation to apparmor.d
  fix inet conditionals to only generate rules for inet family 
(https://gitlab.com/apparmor/apparmor/-/issues/384)
  add unconfined wike profile (Bug 2060810)
  add unconfined foliate profile (Bug 2060767)
  fix chromium_browser profile 
(https://gitlab.com/apparmor/apparmor/-/merge_requests/1208)
  add profiles for Transmission family of Bittorrent clients
  add profile for unshare utility (Bug 2046844)
  add profile for bwrap utility (Bug 2046844)
  fix unconfined firefox profile to support mozilla.org download (Bug 2056297)
  fix getattr and setattr perm mapping on mqueue rules 
(https://gitlab.com/apparmor/apparmor/-/issues/377 and 
https://gitlab.com/apparmor/apparmor/-/issues/378)
  fix inet tests (https://gitlab.com/apparmor/apparmor/-/issues/376)
  fix sshd profile (Bug 2060100)
  fix apparmor tools to allow mount destination globbing 
(https://gitlab.com/apparmor/apparmor/-/issues/381)
  fix firefox profile (https://gitlab.com/apparmor/apparmor/-/issues/380)
  move pam-related permissions to abstractions/authentication 
(https://bugzilla.opensuse.org/show_bug.cgi?id=1220032)
  fix condition in policydb serialization to only encode xtable if 
kernel_supports_permstable32
  relax mount rules in utils to fix use of virtiofs and other file-system types
  
  [ Test Plan ]
  
  This has been extensively tested via the AppArmor regression test
  script in the QA Regression Testing repo:
  https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py
  
  This script runs various tests against the installed apparmor
  package, as well as building and running the various upstream
  regression and other test suites against this installed package:
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads
  
  The final test output was:
  
  --
  Ran 62 tests in 1855.366s
  
  OK (skipped=4)
  
- $ apt policy apparmor
+ georgia@sec-noble-amd64:~$ apt policy apparmor
  apparmor:
-   Installed: 4.0.1-0ubuntu0.1
-   Candidate: 4.0.1-0ubuntu0.1
+   Installed: 4.0.1-0ubuntu0.24.04.1
+   Candidate: 4.0.1-0ubuntu0.24.04.1
  
  [ Where problems could occur ]
  
  There could still be more applications affected by the
  restriction of the creation of unpriviliged user namespaces. They
  might require the creation of new unconfined profiles which could
  be mitigated in a later SRU.
  
  [ Other Info ]
  
  The SRU is available in:
  
- https://launchpad.net/~georgiag/+archive/ubuntu/4.0.1-0ubuntu0.1
+ https://launchpad.net/~georgiag/+archive/ubuntu/4.0.1-0ubuntu0.24.04.1
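
Review bot: in the Test Plan, the result line "Ran 62 tests in 1855.366s" is unchanged context while the Installed/Candidate lines move from 4.0.1-0ubuntu0.1 to 4.0.1-0ubuntu0.24.04.1, so the description alone does not tie the recorded run to the renamed package. State whether the suite was rerun against 4.0.1-0ubuntu0.24.04.1 or whether the result is carried over from the 4.0.1-0ubuntu0.1 build.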

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2064672

Title:
  [SRU] - fixes for apparmor on noble

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064672/+subscriptions



[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-05-27 Thread Georgia Garcia
** Description changed:

  [ Impact ]
  
  This SRU has several fixes:
  
  add unconfined profile for tuxedo-control-center (Bug 2046844)
  fix issues appointed by coverity
  fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386)
  fix redefinition of _ which caused an issue with translation, failing 
aa-enforce (https://gitlab.com/apparmor/apparmor/-/issues/387)
  add mount test for CVE-2016-1585 (Bug 1597017 and Bug 2023814)
  add network inet mediation documentation to apparmor.d
  fix inet conditionals to only generate rules for inet family 
(https://gitlab.com/apparmor/apparmor/-/issues/384)
  add unconfined wike profile (Bug 2060810)
  add unconfined foliate profile (Bug 2060767)
  fix chromium_browser profile 
(https://gitlab.com/apparmor/apparmor/-/merge_requests/1208)
  add profiles for Transmission family of Bittorrent clients
  add profile for unshare utility (Bug 2046844)
  add profile for bwrap utility (Bug 2046844)
  fix unconfined firefox profile to support mozilla.org download (Bug 2056297)
  fix getattr and setattr perm mapping on mqueue rules 
(https://gitlab.com/apparmor/apparmor/-/issues/377 and 
https://gitlab.com/apparmor/apparmor/-/issues/378)
  fix inet tests (https://gitlab.com/apparmor/apparmor/-/issues/376)
  fix sshd profile (Bug 2060100)
  fix apparmor tools to allow mount destination globbing 
(https://gitlab.com/apparmor/apparmor/-/issues/381)
  fix firefox profile (https://gitlab.com/apparmor/apparmor/-/issues/380)
  move pam-related permissions to abstractions/authentication 
(https://bugzilla.opensuse.org/show_bug.cgi?id=1220032)
  
  [ Test Plan ]
  
  This has been extensively tested via the AppArmor regression test
  script in the QA Regression Testing repo:
  https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py
  
  This script runs various tests against the installed apparmor
  package, as well as building and running the various upstream
  regression and other test suites against this installed package:
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads
  
  The final test output was:
  
  --
- Ran 62 tests in 1861.933s
+ Ran 62 tests in 1855.366s
  
  OK (skipped=4)
  
  $ apt policy apparmor
  apparmor:
Installed: 4.0.1-0ubuntu0.1
Candidate: 4.0.1-0ubuntu0.1
  
  [ Where problems could occur ]
  
  There could still be more applications affected by the
  restriction of the creation of unpriviliged user namespaces. They
  might require the creation of new unconfined profiles which could
  be mitigated in a later SRU.
  
  [ Other Info ]
  
  The SRU is available in:
  
- https://launchpad.net/~georgiag/+archive/ubuntu/apparmor-4.0.1-redo
+ https://launchpad.net/~georgiag/+archive/ubuntu/4.0.1-0ubuntu0.1

** Description changed:

  [ Impact ]
  
  This SRU has several fixes:
  
  add unconfined profile for tuxedo-control-center (Bug 2046844)
  fix issues appointed by coverity
  fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386)
  fix redefinition of _ which caused an issue with translation, failing 
aa-enforce (https://gitlab.com/apparmor/apparmor/-/issues/387)
  add mount test for CVE-2016-1585 (Bug 1597017 and Bug 2023814)
  add network inet mediation documentation to apparmor.d
  fix inet conditionals to only generate rules for inet family 
(https://gitlab.com/apparmor/apparmor/-/issues/384)
  add unconfined wike profile (Bug 2060810)
  add unconfined foliate profile (Bug 2060767)
  fix chromium_browser profile 
(https://gitlab.com/apparmor/apparmor/-/merge_requests/1208)
  add profiles for Transmission family of Bittorrent clients
  add profile for unshare utility (Bug 2046844)
  add profile for bwrap utility (Bug 2046844)
  fix unconfined firefox profile to support mozilla.org download (Bug 2056297)
  fix getattr and setattr perm mapping on mqueue rules 
(https://gitlab.com/apparmor/apparmor/-/issues/377 and 
https://gitlab.com/apparmor/apparmor/-/issues/378)
  fix inet tests (https://gitlab.com/apparmor/apparmor/-/issues/376)
  fix sshd profile (Bug 2060100)
  fix apparmor tools to allow mount destination globbing 
(https://gitlab.com/apparmor/apparmor/-/issues/381)
  fix firefox profile (https://gitlab.com/apparmor/apparmor/-/issues/380)
  move pam-related permissions to abstractions/authentication 
(https://bugzilla.opensuse.org/show_bug.cgi?id=1220032)
+ fix condition in policydb serialization to only encode xtable if 
kernel_supports_permstable32
+ relax mount rules in utils to fix use of virtiofs and other file-system types
  
  [ Test Plan ]
  
  This has been extensively tested via the AppArmor regression 

[Bug 2047256] Re: Ubuntu 24.04 Some image thumbnails no longer displayed

2024-05-20 Thread Georgia Garcia
Thanks. That version should have the nautilus profile that makes the
thumbnails appear, so we will need to dig a bit deeper.

Could you paste the results of the following command? This will show us if 
there is a profile for nautilus loaded and it should look something like this:
$ sudo aa-status --filter.profile=nautilus
apparmor module is loaded.
178 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 profiles are in prompt mode.
0 profiles are in kill mode.
1 profiles are in unconfined mode.
   nautilus
19 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are in prompt mode.
0 processes are in kill mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.

After, let's put nautilus in audit mode with
$ sudo aa-audit nautilus

Open your favorite web browser and download any image from there. Open
the file browser and check if the thumbnail is still not loading.

Let's also check if nautilus is running unconfined with the AppArmor profile:
$ ps -auxZ | grep nautilus
nautilus (unconfined)   georgia 7599 15.5  2.7 2636400 220492 ?  Sl   18:27   0:03 /usr/bin/nautilus --gapplication-service

Then, check the system logs for any logs like the following:
$ sudo dmesg | grep apparmor
[ 2752.926412] audit: type=1400 audit(1716239896.790:226): apparmor="AUDIT" operation="userns_create" class="namespace" profile="nautilus" pid=7466 comm="bwrap" requested="userns_create"


It would be great if you could share what the result of these commands looks 
like in your system.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2047256

Title:
  Ubuntu 24.04 Some image thumbnails no longer displayed

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nautilus/+bug/2047256/+subscriptions
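
Added example, not part of the original message or of AppArmor's tooling: a small parser for the kind of dmesg output requested above. It rejoins records that e-mail wrapping split across lines, then separates userns_create events that were allowed and logged (AUDIT) from those that were blocked (DENIED). The first sample record is the one quoted in the message; the other records, the function names and the sample PIDs are constructed for illustration.

```python
import re
from collections import defaultdict

# First record: quoted from the message, wrapped the way the e-mail wrapped it.
# Remaining records: constructed for this example.
SAMPLE_DMESG = """\
[ 2752.926412] audit: type=1400 audit(1716239896.790:226): apparmor="AUDIT"
operation="userns_create" class="namespace" profile="nautilus" pid=7466
comm="bwrap" requested="userns_create"
[ 2760.100000] audit: type=1400 audit(1716239903.964:227): apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failing over to unprivileged_userns" error=-13 profile="unconfined" pid=7501 comm="bwrap" requested="userns_create" denied="userns_create" target="unprivileged_userns"
[ 2760.100500] audit: type=1400 audit(1716239903.965:228): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=7501 comm="bwrap" capability=21 capname="sys_admin"
[ 2761.000000] usb 1-1: new high-speed USB device number 4 using xhci_hcd
"""

TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]")          # dmesg "[ 2752.926412]" prefix
KEY_VALUE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

VERDICTS = {
    "AUDIT": "allowed by the profile and logged",
    "ALLOWED": "allowed only because the profile is in complain mode",
    "DENIED": "blocked",
}


def join_wrapped(text):
    """Rebuild one record per kernel message from line-wrapped dmesg output."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TIMESTAMP.match(line) or not records:
            records.append(line)          # a timestamp starts a new record
        else:
            records[-1] += " " + line     # continuation of a wrapped record
    return records


def parse_apparmor_event(record):
    """Return the key/value fields of an AppArmor audit record, else None."""
    if "type=1400" not in record or "apparmor=" not in record:
        return None
    return {key: (quoted or bare) for key, quoted, bare in KEY_VALUE.findall(record)}


def userns_findings(text):
    """(verdict, profile, comm, pid) for each userns_create record, in log order."""
    findings = []
    for record in join_wrapped(text):
        event = parse_apparmor_event(record)
        if event and event.get("operation") == "userns_create":
            findings.append((event["apparmor"], event.get("profile"),
                             event.get("comm"), int(event.get("pid", 0))))
    return findings


def denied_caps_after_failover(text):
    """Capabilities denied per pid while confined by unprivileged_userns."""
    caps = defaultdict(set)
    for record in join_wrapped(text):
        event = parse_apparmor_event(record)
        if (event and event["apparmor"] == "DENIED"
                and event.get("operation") == "capable"
                and event.get("profile") == "unprivileged_userns"):
            caps[int(event.get("pid", 0))].add(event.get("capname"))
    return dict(caps)


if __name__ == "__main__":
    for verdict, profile, comm, pid in userns_findings(SAMPLE_DMESG):
        print(f"pid {pid} ({comm}) under profile {profile!r}: "
              f"{VERDICTS.get(verdict, verdict)}")
    for pid, caps in denied_caps_after_failover(SAMPLE_DMESG).items():
        print(f"pid {pid}: capabilities denied after failover: {sorted(caps)}")
```

An AUDIT record with profile="nautilus" means the loaded profile covered the bwrap call; a DENIED record under profile="unconfined" means no loaded profile granted userns to the calling process.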



[Bug 2064781] Re: setzer does not launch

2024-05-20 Thread Georgia Garcia
*** This bug is a duplicate of bug 2046844 ***
https://bugs.launchpad.net/bugs/2046844

Hello! Thanks for tagging apparmor. Yes, this is a duplicate of bug
2046844. We are working on an update that introduces a profile for bwrap
which would allow setzer (and several other applications) to work
properly without having to have an AppArmor profile specifically.
Although having an AppArmor profile is always a good idea :)

This is the profile that will be added:
https://gitlab.com/apparmor/apparmor/-/blob/master/profiles/apparmor/profiles/extras/bwrap-userns-restrict

While the update doesn't land, you could add it to /etc/apparmor.d/ and load it 
with
apparmor_parser -r /etc/apparmor.d/bwrap-userns-restrict

** This bug has been marked a duplicate of bug 2046844
   AppArmor user namespace creation restrictions cause many applications to 
crash with SIGTRAP

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2064781

Title:
  setzer does not launch

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064781/+subscriptions



[Bug 2047256] Re: Ubuntu 24.04 Some image thumbnails no longer displayed

2024-05-17 Thread Georgia Garcia
If you're still running into this issue, do you mind sharing which AppArmor 
version you are running? For that you can run
apt-cache policy apparmor

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2047256

Title:
  Ubuntu 24.04 Some image thumbnails no longer displayed

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nautilus/+bug/2047256/+subscriptions



[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-05-07 Thread Georgia Garcia
** Description changed:

  [ Impact ]
  
  This SRU has several fixes:
  
  add unconfined profile for tuxedo-control-center (Bug 2046844)
  fix issues appointed by coverity
  fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386)
  fix redefinition of _ which caused an issue with translation, failing 
aa-enforce (https://gitlab.com/apparmor/apparmor/-/issues/387)
  add mount test for CVE-2016-1585 (Bug 1597017 and Bug 2023814)
  add network inet mediation documentation to apparmor.d
  fix inet conditionals to only generate rules for inet family 
(https://gitlab.com/apparmor/apparmor/-/issues/384)
  add unconfined wike profile (Bug 2060810)
  add unconfined foliate profile (Bug 2060767)
  fix chromium_browser profile 
(https://gitlab.com/apparmor/apparmor/-/merge_requests/1208)
  add profiles for Transmission family of Bittorrent clients
  add profile for unshare utility (Bug 2046844)
  add profile for bwrap utility (Bug 2046844)
  fix unconfined firefox profile to support mozilla.org download (Bug 2056297)
  fix getattr and setattr perm mapping on mqueue rules 
(https://gitlab.com/apparmor/apparmor/-/issues/377 and 
https://gitlab.com/apparmor/apparmor/-/issues/378)
  fix inet tests (https://gitlab.com/apparmor/apparmor/-/issues/376)
  fix sshd profile (Bug 2060100)
  fix apparmor tools to allow mount destination globbing 
(https://gitlab.com/apparmor/apparmor/-/issues/381)
  fix firefox profile (https://gitlab.com/apparmor/apparmor/-/issues/380)
  move pam-related permissions to abstractions/authentication 
(https://bugzilla.opensuse.org/show_bug.cgi?id=1220032)
  
  [ Test Plan ]
  
  This has been extensively tested via the AppArmor regression test
  script in the QA Regression Testing repo:
  https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py
  
  This script runs various tests against the installed apparmor
  package, as well as building and running the various upstream
  regression and other test suites against this installed package:
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads
  
  The final test output was:
  
  --
- Ran 62 tests in 1868.839s
+ Ran 62 tests in 1861.933s
  
  OK (skipped=4)
  
- $ apt-cache policy apparmor
+ $ apt policy apparmor
  apparmor:
-   Installed: 4.0.1-0ubuntu1
-   Candidate: 4.0.1-0ubuntu1
+   Installed: 4.0.1-0ubuntu0.1
+   Candidate: 4.0.1-0ubuntu0.1
  
  [ Where problems could occur ]
  
  There could still be more applications affected by the
  restriction of the creation of unpriviliged user namespaces. They
  might require the creation of new unconfined profiles which could
  be mitigated in a later SRU.
  
  [ Other Info ]
  
  The SRU is available in:
  
- https://launchpad.net/~georgiag/+archive/ubuntu/apparmor-4.0.1
+ https://launchpad.net/~georgiag/+archive/ubuntu/apparmor-4.0.1-redo

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2064672

Title:
  [SRU] - fixes for apparmor on noble

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064672/+subscriptions



[Bug 2062138] Re: test-logprof.py from test_utils_testsuite / test_utils_testsuite3 in ubuntu_qrt_apparmor failing on Azure Standard_A2_v2

2024-05-03 Thread Georgia Garcia
I added the suggested patch to QRT:
https://code.launchpad.net/~georgiag/qa-regression-testing/+git/qa-regression-testing/+merge/465526

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2062138

Title:
  test-logprof.py from test_utils_testsuite / test_utils_testsuite3 in
  ubuntu_qrt_apparmor failing on Azure Standard_A2_v2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-kernel-tests/+bug/2062138/+subscriptions



[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-05-02 Thread Georgia Garcia
** Description changed:

  [ Impact ]
  
  This SRU has several fixes:
  
  add unconfined profile for tuxedo-control-center (Bug 2046844)
  fix issues appointed by coverity
  fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386)
  fix redefinition of _ which caused an issue with translation, failing 
aa-enforce (https://gitlab.com/apparmor/apparmor/-/issues/387)
  add mount test for CVE-2016-1585 (Bug 1597017 and Bug 2023814)
  add network inet mediation documentation to apparmor.d
  fix inet conditionals to only generate rules for inet family 
(https://gitlab.com/apparmor/apparmor/-/issues/384)
  add unconfined wike profile (Bug 2060810)
  add unconfined foliate profile (Bug 2060767)
  fix chromium_browser profile 
(https://gitlab.com/apparmor/apparmor/-/merge_requests/1208)
  add profiles for Transmission family of Bittorrent clients
  add profile for unshare utility (Bug 2046844)
  add profile for bwrap utility (Bug 2046844)
  fix unconfined firefox profile to support mozilla.org download (Bug 2056297)
  fix getattr and setattr perm mapping on mqueue rules 
(https://gitlab.com/apparmor/apparmor/-/issues/377 and 
https://gitlab.com/apparmor/apparmor/-/issues/378)
  fix inet tests (https://gitlab.com/apparmor/apparmor/-/issues/376)
  fix sshd profile (Bug 2060100)
  fix apparmor tools to allow mount destination globbing 
(https://gitlab.com/apparmor/apparmor/-/issues/381)
  fix firefox profile (https://gitlab.com/apparmor/apparmor/-/issues/380)
  move pam-related permissions to abstractions/authentication 
(https://bugzilla.opensuse.org/show_bug.cgi?id=1220032)
  
  [ Test Plan ]
  
  This has been extensively tested via the AppArmor regression test
  script in the QA Regression Testing repo:
  https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py
  
  This script runs various tests against the installed apparmor
  package, as well as building and running the various upstream
  regression and other test suites against this installed package:
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads
  
- 
  The final test output was:
  
  --
  Ran 62 tests in 1868.839s
  
  OK (skipped=4)
+ 
+ $ apt-cache policy apparmor
+ apparmor:
+   Installed: 4.0.1-0ubuntu1
+   Candidate: 4.0.1-0ubuntu1
  
  [ Where problems could occur ]
  
  There could still be more applications affected by the
  restriction of the creation of unpriviliged user namespaces. They
  might require the creation of new unconfined profiles which could
  be mitigated in a later SRU.
  
  [ Other Info ]
  
  The SRU is available in:
  
  https://launchpad.net/~georgiag/+archive/ubuntu/apparmor-4.0.1

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2064672

Title:
  [SRU] - fixes for apparmor on noble

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064672/+subscriptions



[Bug 2064672] [NEW] [SRU] - fixes for apparmor on noble

2024-05-02 Thread Georgia Garcia
Public bug reported:

[ Impact ]

This SRU has several fixes:

add unconfined profile for tuxedo-control-center (Bug 2046844)
fix issues appointed by coverity
fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386)
fix redefinition of _ which caused an issue with translation, failing 
aa-enforce (https://gitlab.com/apparmor/apparmor/-/issues/387)
add mount test for CVE-2016-1585 (Bug 1597017 and Bug 2023814)
add network inet mediation documentation to apparmor.d
fix inet conditionals to only generate rules for inet family 
(https://gitlab.com/apparmor/apparmor/-/issues/384)
add unconfined wike profile (Bug 2060810)
add unconfined foliate profile (Bug 2060767)
fix chromium_browser profile 
(https://gitlab.com/apparmor/apparmor/-/merge_requests/1208)
add profiles for Transmission family of Bittorrent clients
add profile for unshare utility (Bug 2046844)
add profile for bwrap utility (Bug 2046844)
fix unconfined firefox profile to support mozilla.org download (Bug 2056297)
fix getattr and setattr perm mapping on mqueue rules 
(https://gitlab.com/apparmor/apparmor/-/issues/377 and 
https://gitlab.com/apparmor/apparmor/-/issues/378)
fix inet tests (https://gitlab.com/apparmor/apparmor/-/issues/376)
fix sshd profile (Bug 2060100)
fix apparmor tools to allow mount destination globbing 
(https://gitlab.com/apparmor/apparmor/-/issues/381)
fix firefox profile (https://gitlab.com/apparmor/apparmor/-/issues/380)
move pam-related permissions to abstractions/authentication 
(https://bugzilla.opensuse.org/show_bug.cgi?id=1220032)

[ Test Plan ]

This has been extensively tested via the AppArmor regression test
script in the QA Regression Testing repo:
https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py

This script runs various tests against the installed apparmor
package, as well as building and running the various upstream
regression and other test suites against this installed package:
  - 
https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads
  - https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads
  - https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads
  - 
https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads


The final test output was:

--
Ran 62 tests in 1868.839s

OK (skipped=4)

[ Where problems could occur ]

There could still be more applications affected by the
restriction of the creation of unpriviliged user namespaces. They
might require the creation of new unconfined profiles which could
be mitigated in a later SRU.

[ Other Info ]

The SRU is available in:

https://launchpad.net/~georgiag/+archive/ubuntu/apparmor-4.0.1

** Affects: apparmor (Ubuntu)
 Importance: Undecided
 Status: New

** Description changed:

  [ Impact ]
  
  This SRU has several fixes:
  
  add unconfined profile for tuxedo-control-center (Bug 2046844)
  fix issues appointed by coverity
  fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386)
  fix redefinition of _ which caused an issue with translation, failing 
aa-enforce (https://gitlab.com/apparmor/apparmor/-/issues/387)
  add mount test for CVE-2016-1585 (Bug 1597017 and Bug 2023814)
  add network inet mediation documentation to apparmor.d
  fix inet conditionals to only generate rules for inet family 
(https://gitlab.com/apparmor/apparmor/-/issues/384)
  add unconfined wike profile (Bug 2060810)
  add unconfined foliate profile (Bug 2060767)
  fix chromium_browser profile 
(https://gitlab.com/apparmor/apparmor/-/merge_requests/1208)
  add profiles for Transmission family of Bittorrent clients
  add profile for unshare utility (Bug 2046844)
  add profile for bwrap utility (Bug 2046844)
  fix unconfined firefox profile to support mozilla.org download (Bug 2056297)
  fix getattr and setattr perm mapping on mqueue rules 
(https://gitlab.com/apparmor/apparmor/-/issues/377 and 
https://gitlab.com/apparmor/apparmor/-/issues/378)
  fix inet tests (https://gitlab.com/apparmor/apparmor/-/issues/376)
  fix sshd profile (Bug 2060100)
  fix apparmor tools to allow mount destination globbing 
(https://gitlab.com/apparmor/apparmor/-/issues/381)
  fix firefox profile (https://gitlab.com/apparmor/apparmor/-/issues/380)
  move pam-related permissions to abstractions/authentication 
(https://bugzilla.opensuse.org/show_bug.cgi?id=1220032)
  
  [ Test Plan ]
  
  This has been extensively tested via the AppArmor regression test
  script in the QA Regression Testing repo:
  https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py
  
  This script runs various tests against the installed apparmor
  package, as well as building and running the various upstream
  regression and other test suites against this installed package:
-   - 

[Bug 2045384] Re: AppArmor patch for mq-posix interface is missing in jammy

2024-03-27 Thread Georgia Garcia
The mqueue patches are present in jammy-linux-gcp-fips: commits
6e7ff802c7b10 and b4ebbcfebd4d3


** Tags removed: verification-needed-jammy-linux-gcp-fips
** Tags added: verification-done-jammy-linux-gcp-fips

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2045384

Title:
  AppArmor patch for mq-posix interface is missing in jammy

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2045384/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2058866] Re: proposed-migration for cups-browsed 2.0.0-0ubuntu8

2024-03-26 Thread Georgia Garcia
The fix is similar for privoxy. I attached the debdiff that fixes it.

** Patch added: "privoxy_3.0.34-3ubuntu2.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/cups-browsed/+bug/2058866/+attachment/5759689/+files/privoxy_3.0.34-3ubuntu2.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2058866

Title:
  proposed-migration for cups-browsed 2.0.0-0ubuntu8

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2058866/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2058866] Re: proposed-migration for cups-browsed 2.0.0-0ubuntu8

2024-03-26 Thread Georgia Garcia
Ah, sorry, Łukasz. I didn't see you were working on it.


[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

2024-03-15 Thread Georgia Garcia
Erich Eickmeyer, I don't have a Tuxedo Computer to test, so could you
please check if the following profile works for you?

$ echo "# This profile allows everything and only exists to give the
# application a name instead of having the label \"unconfined\"

abi <abi/4.0>,
include <tunables/global>

profile tuxedo-control-center /opt/tuxedo-control-center/tuxedo-control-center flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/tuxedo-control-center>
}" | sudo tee /etc/apparmor.d/tuxedo-control-center

$ sudo apparmor_parser /etc/apparmor.d/tuxedo-control-center

and restart tuxedo-control-center.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2046844/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2047256] Re: Ubuntu 24.04 Some image thumbnails no longer displayed

2024-03-15 Thread Georgia Garcia
This issue should be fixed by apparmor 4.0.0~beta2-0ubuntu3 which is
currently in -proposed


[Bug 2052662] Re: move_mount mediation does not detect if source is detached

2024-03-13 Thread Georgia Garcia
Verification in mantic was successful:

georgia@sec-mantic-amd64:~$ uname -a
Linux sec-mantic-amd64 6.5.0-27-generic #28-Ubuntu SMP PREEMPT_DYNAMIC Thu Mar  7 18:21:00 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
georgia@sec-mantic-amd64:~$ cat /sys/kernel/security/apparmor/features/mount/move_mount
detached
georgia@sec-mantic-amd64:~$ cd apparmor/tests/regression/apparmor/
georgia@sec-mantic-amd64:~/apparmor/tests/regression/apparmor$ sudo bash ./mount.sh
using mount rules ...
not supported by parser - skipping mount options=(nodirsync),

** Tags removed: verification-needed-mantic-linux
** Tags added: verification-done-mantic-linux

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2052662

Title:
  move_mount mediation does not detect if source is detached

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2052662/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2038443] Re: mantic:linux: ubuntu_qrt_apparmor: ApparmorTestsuites.test_regression_testsuiteattach_disconnected.

2024-03-08 Thread Georgia Garcia
*** This bug is a duplicate of bug 2051932 ***
https://bugs.launchpad.net/bugs/2051932

** This bug has been marked a duplicate of bug 2051932
   attach_disconnected test from test_regression_testsuite of 
ubuntu_qrt_apparmor failed with "Unable to run test sub-executable" on Mantic

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2038443

Title:
  mantic:linux: ubuntu_qrt_apparmor:
  ApparmorTestsuites.test_regression_testsuiteattach_disconnected.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2038443/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2033282] Re: package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: yeni apparmor paketi pre-installation betiği alt süreci 1 hatalı çıkış kodu ile sona erdi

2024-03-08 Thread Georgia Garcia
*** This bug is a duplicate of bug 2032851 ***
https://bugs.launchpad.net/bugs/2032851

** This bug has been marked a duplicate of bug 2032851
   package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: new apparmor 
package pre-installation script subprocess returned error exit status 1

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2033282

Title:
  package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: yeni
  apparmor paketi pre-installation betiği alt süreci 1 hatalı çıkış kodu
  ile sona erdi

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2033282/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2045384] Re: AppArmor patch for mq-posix interface is missing in jammy

2024-03-01 Thread Georgia Garcia
The mqueue patches are present in jammy-linux-mtk: commits 6e7ff802c7b10
and b4ebbcfebd4d3

** Tags removed: verification-needed-jammy-linux-mtk
** Tags added: verification-done-jammy-linux-mtk


[Bug 2045384] Re: AppArmor patch for mq-posix interface is missing in jammy

2024-02-29 Thread Georgia Garcia
The mqueue patches are present in linux-azure-fips: commits
6e7ff802c7b10 and b4ebbcfebd4d3

** Tags removed: verification-needed-jammy-linux-azure-fips
** Tags added: verification-done-jammy-linux-azure-fips


[Bug 2045384] Re: AppArmor patch for mq-posix interface is missing in jammy

2024-02-28 Thread Georgia Garcia
The mqueue patches are present in linux-nvidia-tegra: commits
6e7ff802c7b10 and b4ebbcfebd4d3

** Tags removed: verification-needed-jammy-linux-nvidia-tegra
** Tags added: verification-done-jammy-linux-nvidia-tegra


[Bug 2045384] Re: AppArmor patch for mq-posix interface is missing in jammy

2024-02-26 Thread Georgia Garcia
I can confirm that the mqueue patches are present in linux-xilinx-zynqmp:
commits 6e7ff802c7b10 and b4ebbcfebd4d3

** Tags removed: verification-needed-jammy-linux-xilinx-zynqmp
** Tags added: verification-done-jammy-linux-xilinx-zynqmp


[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

2022-05-10 Thread Georgia Garcia
@Sebastien, yes, I asked people from the security team to sponsor it but
we are still reviewing the snap_browsers abstraction. We are denying
access to /run/user/[0-9]*/gdm/Xauthority in the policy but if that was
the case, then the browser should not have been able to open, but it
does open so we are investigating if there's an issue.

Regarding the evince debdiff, even though it looks like the dependency
is on Build-Depends on the debdiff, it is actually under Depends. If we
don't set this dependency, then the snap_browsers abstraction might not
be available. So if the new evince is installed with an old apparmor,
then the evince apparmor policy will fail to load and evince will run
unconfined.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1794064

Title:
  Clicking a hyperlink in a PDF fails to open it if the default browser
  is a snap

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
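
The failure mode described in the message above (a policy that fails to load leaves evince running unconfined) can be checked after an upgrade. This is an added example, not part of the thread or of the AppArmor project's own tooling; the profile name /usr/bin/evince, the abstractions directory layout and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug thread. It checks that a profile is loaded
# in enforce mode and that the abstraction it includes is present on disk.

# profile_mode LISTING NAME
# LISTING has the format of /sys/kernel/security/apparmor/profiles:
# one "<profile name> (<mode>)" entry per line.
# Prints the mode of NAME, or "not-loaded" when NAME is absent.
profile_mode() {
    while IFS= read -r line; do
        case $line in
            *" ("*")")
                pname=${line%" ("*}     # strip the trailing " (<mode>)"
                pmode=${line##*" ("}    # keep what follows the last " ("
                pmode=${pmode%")"}
                if [ "$pname" = "$2" ]; then
                    printf '%s\n' "$pmode"
                    return 0
                fi
                ;;
        esac
    done < "$1"
    printf 'not-loaded\n'
}

# confinement_report LISTING ABSTRACTIONS_DIR PROFILE ABSTRACTION
# Prints "ok" only when the abstraction file exists and the profile is enforced.
confinement_report() {
    if [ ! -f "$2/$4" ]; then
        printf 'abstraction-missing:%s\n' "$4"
        return 0
    fi
    mode=$(profile_mode "$1" "$3")
    if [ "$mode" = "enforce" ]; then
        printf 'ok\n'
    else
        printf 'profile-not-enforced:%s\n' "$mode"
    fi
}

# make_sample DIR
# Writes constructed sample data (not captured from a real system) so the
# example runs offline and without root.
make_sample() {
    mkdir -p "$1/abstractions"
    : > "$1/abstractions/snap_browsers"
    cat > "$1/profiles" <<'EOF'
/usr/bin/evince (enforce)
/usr/bin/evince//sanitized_helper (enforce)
/usr/bin/evince-previewer (complain)
firefox (unconfined)
EOF
}

demo() {
    tmp=$(mktemp -d)
    make_sample "$tmp"
    confinement_report "$tmp/profiles" "$tmp/abstractions" /usr/bin/evince snap_browsers
    rm -rf "$tmp"
}
demo
```

On a live system, pass /sys/kernel/security/apparmor/profiles (readable by root) and /etc/apparmor.d/abstractions in place of the sample paths.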

[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

2022-04-20 Thread Georgia Garcia
** Patch added: "apparmor_2.12-4ubuntu5.2.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581885/+files/apparmor_2.12-4ubuntu5.2.debdiff


[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

2022-04-20 Thread Georgia Garcia
@Sebastien, yes, just did. Thank you!

I also attached the debdiffs for evince and apparmor for bionic, focal, impish 
and jammy. They were also uploaded into the Security Proposed PPA:
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=apparmor
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=evince


[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

2022-04-20 Thread Georgia Garcia
** Patch added: "apparmor_3.0.3-0ubuntu1.1.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581883/+files/apparmor_3.0.3-0ubuntu1.1.debdiff


[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

2022-04-20 Thread Georgia Garcia
** Patch added: "apparmor_2.13.3-7ubuntu5.2.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581884/+files/apparmor_2.13.3-7ubuntu5.2.debdiff

** Patch removed: "apparmor_3.0.3-0ubuntu1.1.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581883/+files/apparmor_3.0.3-0ubuntu1.1.debdiff


[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

2022-04-20 Thread Georgia Garcia
** Patch added: "apparmor_3.0.3-0ubuntu1.1.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581882/+files/apparmor_3.0.3-0ubuntu1.1.debdiff


[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

2022-04-20 Thread Georgia Garcia
** Patch added: "apparmor_3.0.4-2ubuntu3.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581881/+files/apparmor_3.0.4-2ubuntu3.debdiff


[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

2022-04-20 Thread Georgia Garcia
** Patch added: "evince_3.28.4-0ubuntu1.3.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581880/+files/evince_3.28.4-0ubuntu1.3.debdiff


[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

2022-04-20 Thread Georgia Garcia
** Patch added: "evince_3.36.10-0ubuntu1.1.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581879/+files/evince_3.36.10-0ubuntu1.1.debdiff


[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

2022-04-20 Thread Georgia Garcia
** Patch added: "evince_40.4-2ubuntu0.1.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581878/+files/evince_40.4-2ubuntu0.1.debdiff


[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

2022-04-20 Thread Georgia Garcia
** Patch added: "evince_42.1-3ubuntu1.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581877/+files/evince_42.1-3ubuntu1.debdiff


[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

2022-04-20 Thread Georgia Garcia
** Description changed:

- This is related to bug #1792648. After fixing that one (see discussion
- at https://salsa.debian.org/gnome-team/evince/merge_requests/1),
- clicking a hyperlink in a PDF opens it correctly if the default browser
- is a well-known application (such as /usr/bin/firefox), but it fails to
- do so if the default browser is a snap (e.g. the chromium snap).
+ [Impact]
  
- This is not a recent regression, it's not working on bionic either.
+  * Users cannot open a hyperlink in a PDF opened with evince when the default 
browser is a snap.
+  * The fix creates a snap_browsers abstraction on AppArmor which can be used 
in a transition for when the browser is executed. The snap_browsers abstraction 
provides the minimal amount of permissions required to execute a browser 
provided through snaps. This is a workaround since AppArmor currently does not 
provide mediation/filtering on enhanced environment variables.
  
- ProblemType: Bug
- DistroRelease: Ubuntu 18.10
- Package: evince 3.30.0-2
- ProcVersionSignature: Ubuntu 4.18.0-7.8-generic 4.18.5
- Uname: Linux 4.18.0-7-generic x86_64
- NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
- ApportVersion: 2.20.10-0ubuntu11
- Architecture: amd64
- CurrentDesktop: ubuntu:GNOME
- Date: Mon Sep 24 12:28:06 2018
- EcryptfsInUse: Yes
- InstallationDate: Installed on 2016-07-02 (813 days ago)
- InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 
(20160420.1)
- SourcePackage: evince
- UpgradeStatus: Upgraded to cosmic on 2018-09-14 (9 days ago)
- modified.conffile..etc.apparmor.d.abstractions.evince: [modified]
- mtime.conffile..etc.apparmor.d.abstractions.evince: 2018-09-24T11:35:41.904158
+ [Test Plan]
+ 
+  * Make sure the default browser is provided through the snap store.
+  * Open a PDF that contains a hyperlink using evince and click on the URL.
+  * The browser should open the requested URL. 
+ 
+ [Where problems could occur]
+ 
+  * If the browser or snap core update to have new requirements for
+ opening a browser, then the current policy could become obsolete and
+ will need to be updated again.
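
Review bot: the added [Test Plan] only exercises the success path (the link opens in the snap browser) and never confirms that evince is still confined afterwards. Add a step that checks the evince profile is loaded in enforce mode once the updated packages are installed, and a case where the default browser is not a snap (the removed text notes /usr/bin/firefox worked), so a regression in the existing transition is caught. In the added [Impact] text, "enhanced environment variables" is not explained; a short pointer to what mediation is missing would help whoever revisits this workaround.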


[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

2022-04-20 Thread Georgia Garcia
** Changed in: apparmor (Ubuntu)
 Assignee: (unassigned) => Georgia Garcia (georgiag)


[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

2022-04-19 Thread Georgia Garcia
I'm working on an SRU for apparmor and evince to introduce the snap_browsers 
abstraction on apparmor as a workaround for this issue.
It is based on these two merge requests from upstream:
https://gitlab.com/apparmor/apparmor/-/merge_requests/806
https://gitlab.com/apparmor/apparmor/-/merge_requests/877


[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

2021-10-08 Thread Georgia Garcia
I was able to reproduce this issue on focal and bionic but not on
impish. I'm still investigating why, since I don't see any changes in
policies that might affect this issue, but I could have missed
something.


[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

2021-10-07 Thread Georgia Garcia
** Changed in: evince (Ubuntu)
 Assignee: (unassigned) => Georgia Garcia (georgiag)


[Bug 1939915] Re: memory leaking when removing a profile

2021-09-09 Thread Georgia Garcia
Tested on -proposed by causing the leak and checking the memory used
with "free", since CONFIG_DEBUG_KMEMLEAK is not set. It worked as
expected - the memory used shown in "free" after removing the profile
was in an expected range.

** Tags removed: verification-needed-bionic verification-needed-focal
** Tags added: verification-done-bionic verification-done-focal

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1939915

Title:
  memory leaking when removing a profile

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1939915/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1939915] Re: memory leaking when removing a profile

2021-09-02 Thread Georgia Garcia
** Description changed:

  There's a memory leak in the kernel when removing a profile.
  A simple reproducible example:
  
  root@ubuntu:~# echo "profile foo {}" > profile
  root@ubuntu:~# apparmor_parser profile
  root@ubuntu:~# apparmor_parser -R profile
  root@ubuntu:~# echo scan > /sys/kernel/debug/kmemleak
  root@ubuntu:~# cat /sys/kernel/debug/kmemleak
  unreferenced object 0x99bcf5128bb0 (size 16):
    comm "apparmor_parser", pid 1318, jiffies 4295139856 (age 33.196s)
    hex dump (first 16 bytes):
  01 00 00 00 00 00 00 00 98 1f 01 fd bc 99 ff ff  
    backtrace:
  [] kmem_cache_alloc_trace+0xd8/0x1e0
  [<86ca7bd9>] aa_alloc_proxy+0x30/0x60
  [<0e34f34c>] aa_alloc_profile+0xd4/0x100
  [] unpack_profile+0x16f/0xe10
  [<19033e2b>] aa_unpack+0x119/0x500
  [] aa_replace_profiles+0x94/0xca0
  [<1833f520>] policy_update+0x124/0x1e0
  [<992f950e>] profile_load+0x7d/0xa0
  [] __vfs_write+0x1b/0x40
  [<4e709f5d>] vfs_write+0xb9/0x1a0
  [<280db840>] SyS_write+0x5e/0xe0
  [<14c5ab5d>] do_syscall_64+0x79/0x130
  [] entry_SYSCALL_64_after_hwframe+0x41/0xa6
  [<9d368497>] 0x
  
  This issue was already fixed upstream 3622ad25d4d6 v5.8-rc1~102^2
  It still needs to be applied on xenial, bionic and focal.
+ 
+ This issue could lead to a OOM and eventually DoS. We could see this
+ issue happening during a test in which snaps were disconnected and
+ reconnected, causing the leak every time the profile was removed.
+ Since it is a refcount issue, there could be a lot of memory involved
+ because the whole profile would be leaked.
+ Note that only privileged users can remove a profile.
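
Review bot: the added paragraph gives the impact (OOM, eventually DoS) but the reproducer in the context lines depends on /sys/kernel/debug/kmemleak, which exists only on kernels built with CONFIG_DEBUG_KMEMLEAK; say how to verify the fix on a stock kernel, for example by comparing used memory across repeated load and remove cycles. Also "a OOM" should read "an OOM", and the fix commit 3622ad25d4d6 named in the context line would be easier to follow with its subject line next to it.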


[Bug 1890848] Re: 'ptrace trace' needed to readlink() /proc/*/ns/* files on older kernels

2021-08-20 Thread Georgia Garcia
Tested on bionic-proposed using the test binary that can be obtained in
the old description and it worked as expected:

root@ubuntu:~# gcc ./readlink-ns.c && sudo apparmor_parser -r ./readlink-ns.apparmor && sudo aa-exec -p test -- ./a.out -p 1 -n pid
path: /proc/1/ns/pid
rpath: pid:[4026531836]
root@ubuntu:~# uname -a
Linux ubuntu 4.15.0-156-generic #163-Ubuntu SMP Thu Aug 19 23:31:58 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

** Tags removed: verification-needed-bionic
** Tags added: verification-done-bionic

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1890848

Title:
  'ptrace trace' needed to readlink() /proc/*/ns/* files on older
  kernels

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1890848/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1918410] Re: isc-dhcp-client denied by apparmor

2021-08-17 Thread Georgia Garcia
** Tags added: hirsute

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1918410

Title:
  isc-dhcp-client denied by apparmor

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1918410/+subscriptions



[Bug 1940305] Re: dhclient not starting on boot due to apparmor

2021-08-17 Thread Georgia Garcia
*** This bug is a duplicate of bug 1918410 ***
https://bugs.launchpad.net/bugs/1918410

This is likely a duplicate of bug #1918410

** This bug has been marked a duplicate of bug 1918410
   isc-dhcp-client denied by apparmor

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1940305

Title:
  dhclient not starting on boot due to apparmor

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1940305/+subscriptions



[Bug 1890848] Re: 'ptrace trace' needed to readlink() /proc/*/ns/* files on older kernels

2021-07-16 Thread Georgia Garcia
Of the commits mentioned that solve the issue, 338d0be437ef was not
available on 4.15 kernels. The cherry-pick was submitted to the kernel
team for approval.

** Description changed:

- Per 'man namespaces':
+ SRU Justification:
  
- "Permission to dereference or read (readlink(2)) these symbolic links is
- governed by a ptrace access mode PTRACE_MODE_READ_FSCREDS check; see
+ [Impact]
+ Permission 'ptrace trace' is required to readlink() /proc/*/ns/*, when
+ only 'ptrace read' should be required according to 'man namespaces':
+ 
+ "Permission to dereference or read (readlink(2)) these symbolic links
+ is governed by a ptrace access mode PTRACE_MODE_READ_FSCREDS check; see
  ptrace(2)."
  
- This suggests that a 'ptrace read' rule should be sufficient to
- readlink() /proc/*/ns/*, which is the case with 5.4.0-42.46-generic
- (Ubuntu 20.04 LTS).
+ [Fix]
  
- However, on Ubuntu 18.04 LTS and 16.04 LTS, 'ptrace trace' is needed.
- Here is a reproducer:
+ Upstream commit 338d0be437ef10e247a35aed83dbab182cf406a2 fixes ptrace
+ read check.
  
- $ cat ./readlink-ns.c
- #include 
- #include 
- #include 
- #include 
- #include 
- #include 
- #include 
+ [Test Plan]
  
- void usage() {
-   fprintf(stderr, "Usage: readlink-ns -p  -n \n");
- }
+ BugLink contains the source of a binary that reproduces the issue. In
+ summary, it executes readlink() on /proc/*/ns/*. There's also a policy
+ that has only 'ptrace read' permission. When the bug is fixed,
+ execution is allowed.
  
- int main(int argc, char *argv[])
- {
-   pid_t pid = 0;
-   char *ns = NULL;
-   char path[PATH_MAX] = {};
-   char rpath[PATH_MAX] = {};
-   int c;
+ [Where problems could occur]
  
-   while ((c = getopt(argc, argv, "hn:p:")) != -1) {
-   switch(c) {
-   case 'n':
-   ns = optarg;
-   break;
-   case 'p':
-   pid = atoi(optarg);
-   break;
-   case 'h':
-   usage();
-   return 0;
-   case '?':
-   usage();
-   return 1;
-   default:
-   return 1;
-   }
-   }
- 
-   int n = snprintf(path, sizeof(path), "/proc/%d/ns/%s", pid, ns);
-   if (n < 0 || (size_t)n >= sizeof(path)) {
-   fprintf(stderr, "cannot format string\n");
-   return 1;
-   }
-   path[n] = '\0';
-   printf("path:  %s\n", path);
- 
-   n = readlink(path, rpath, sizeof(rpath));
-   if (n < 0) {
-   perror("readlink()");
-   return 1;
-   } else if (n == sizeof(rpath)) {
-   fprintf(stderr, "cannot readlink()\n");
-   return 1;
-   }
-   printf("rpath: %s\n", rpath);
- 
-   return 0;
- }
- 
- $ cat ./readlink-ns.apparmor
- #include 
- 
- profile test {
-   #include 
- 
-   # focal
-   ptrace (read) peer="unconfined",
- 
-   # xenial, bionic
-   #ptrace (trace) peer="unconfined",
- }
- 
- 
- # bionic and xenial need 'ptrace trace'
- $ gcc ./readlink-ns.c && sudo apparmor_parser -r ./readlink-ns.apparmor && 
sudo aa-exec -p test -- ./a.out -p 1 -n pid
- path:  /proc/1/ns/pid
- readlink(): Permission denied
- 
- Denial:
- Aug 07 14:40:59 sec-bionic-amd64 kernel: audit: type=1400 
audit(1596829259.675:872): apparmor="DENIED" operation="ptrace" profile="test" 
pid=1311 comm="a.out" requested_mask="trace" denied_mask="trace" 
peer="unconfined"
- 
- 
- # focal needs only 'ptrace read'
- $ gcc ./readlink-ns.c && sudo apparmor_parser -r ./readlink-ns.apparmor && 
sudo aa-exec -p test -- ./a.out -p 1 -n pid
- path:  /proc/1/ns/pid
- rpath: pid:[4026531836]
+ The regression can be considered as low, since it's lowering the number
+ of permissions required. Existing policies that already contain the
+ permission 'ptrace trace' and 'ptrace read' will have a broader policy
+ than required.
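
Review bot: The new [Test Plan] says "BugLink contains the source of a binary that reproduces the issue", but this same edit deletes readlink-ns.c and readlink-ns.apparmor from the description, so a tester following the SRU template has no reproducer in front of them. Attach both files to the bug or point to the comment that holds them, and state the expected result on each side of the fix: "readlink(): Permission denied" with the requested_mask="trace" denial before, an "rpath:" line after. In [Where problems could occur], say explicitly that policies carrying 'ptrace trace' only for this readlink() keep working after the fix and can have that rule dropped.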

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1890848

Title:
  'ptrace trace' needed to readlink() /proc/*/ns/* files on older
  kernels

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1890848/+subscriptions



[Bug 1932331] Re: ubuntu_qrt_apparmor: i18n test fails on arm64 Hirsute / Impish

2021-07-08 Thread Georgia Garcia
After downloading the apparmor source from hirsute-proposed and running
the regression tests, I was able to confirm that the i18n test is now
passing for arm64.

** Tags removed: verification-needed verification-needed-hirsute
** Tags added: verification-done verification-done-hirsute

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1932331

Title:
  ubuntu_qrt_apparmor: i18n test fails on arm64 Hirsute / Impish

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1932331/+subscriptions
