[Bug 1377338] Re: apparmor may fail to load some profiles if one is corrupted

2022-02-13 Thread intrigeri
I'm a bit confused:

* On the one hand, this bug is *not* marked as fixed in AppArmor
upstream; the only reason it was marked as "Fix Released" for Ubuntu is
the pile of kludges added in /lib/apparmor/functions, that I migrated to
rc.apparmor.functions upstream a few years back.

* On the other hand, the aforementioned pile of kludges was removed by
https://gitlab.com/apparmor/apparmor/-/commit/0b8ea047e88b250862da73a968b1cd1f8b7f6b91
because "LP:1377338 has been fixed for quite awhile".

So, it seems to me that:

* Either the parser bug was actually fixed upstream, and then the status of
this bug is incorrect: it should be "Fix Released".
* Or the parser bug is still there, and then
0b8ea047e88b250862da73a968b1cd1f8b7f6b91 was done based on a misunderstanding.

Which is it?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1377338

Title:
  apparmor may fail to load some profiles if one is corrupted

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1377338/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1379535] Re: policy namespace stacking

2022-02-12 Thread intrigeri
I see this is "Fix Released" everywhere but on the upstream AppArmor
project. I understand this has made its way upstream and works with
mainline kernel, e.g. for LXC. If my understanding is incorrect, please
clarify what's left to do here (or perhaps track it on a finer-grained
follow-up bug :)

** Changed in: apparmor
   Status: In Progress => Fix Released


[Bug 1384746] Re: Support multiple versions of AppArmor policy cache files

2022-02-12 Thread intrigeri
It seems to me this was fixed & released a while ago.

https://bugs.launchpad.net/apparmor/+bug/1384746/comments/2 could be
tracked on a new, follow-up bug, if still desired.

** Changed in: apparmor
   Status: In Progress => Fix Released


[Bug 1865519] Re: apparmor depends on python3

2022-02-12 Thread intrigeri
Fixed in 3.0.0

** Changed in: apparmor
   Status: Fix Committed => Fix Released


[Bug 387657] Re: aa-logprof: doesn't handle large logs

2022-02-12 Thread intrigeri
1.5 later with no feedback, let's assume the tentative fix works.

** Changed in: apparmor
   Status: Fix Committed => Fix Released


[Bug 1575438] Re: usr.sbin.nscd needs r/w access to nslcd socket

2022-02-12 Thread intrigeri
Fix released in 3.0.0.

** Changed in: apparmor
   Status: Fix Committed => Fix Released


[Bug 1331856] Re: apparmor-utils don't work when defining a variable on

2022-02-12 Thread intrigeri
** Changed in: apparmor
   Status: Fix Committed => Fix Released


[Bug 1435452] Re: dh_apparmor has no dh sequencer support

2022-02-12 Thread intrigeri
** Bug watch added: Debian Bug tracker #934735
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934735

** Also affects: apparmor (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934735
   Importance: Unknown
   Status: Unknown


Re: [Bug 1821920] Re: apparmor-profiles installs the chromium-browser profile but not the abstraction

2019-03-30 Thread intrigeri
Tyler Hicks:
> It looks like the change mentioned in the above comment came from
> Debian. Here's the commit:

>   https://salsa.debian.org/apparmor-team/apparmor/commit/dc14f24b2c2943c29d0368f913020f1307d8f1d3

> They obviously don't have 

Actually, Debian has these abstractions and most of them work just
fine for us. But we don't
/usr/share/apparmor-profiles/abstractions/ubuntu-browsers.d/chromium-browser
which is Ubuntu-only.


[Bug 1117804] Re: ausearch doesn't show AppArmor denial messages

2018-12-16 Thread intrigeri
Meta: I've re-read the discussion from December 2017. If there were
messages later than this on the thread, I missed them due to suboptimal
mailing list archive presentation. Sorry if this leads me to wrong
conclusions!

I lack the skills to do the actual work I think should be done. The only
way I can help here is by facilitating the conversation, so I'll do
that: I'd like to make sure there's no misunderstanding about the
various opinions that were expressed, the current state of the
discussion, and what the next steps should be (e.g. who's waiting for
whom).

My understanding is that [my personal opinion in square brackets]:

0. Upstream acknowledges that there is a problem and that it would be
nice to solve it.

1. There's indeed desire upstream for finding a good balance between
sharing (via generic infrastructure and possibly message types) and
taking into account that each LSM has different needs. [This makes sense
to me: there are probably bits worth sharing instead of every LSM doing
their own thing 100% in their dark corner. Now, obviously finding a good
balance requires discussion between LSMs to identify what can be shared
and what is specific to each, which has its costs (and may require
different skills than writing kernel code).]

2. There's a consensus about the fact we need _some_ way to tell which
LSM has sent the message. Several options have been mentioned, including
adding a new lsm= identifier and using different allocated blocks (be it
in the 1400 range or elsewhere). [I'm glad that the door remains open
for the option we had in mind initially.]

3. The ball is in our court: upstream proposed several options and I
don't see them reach actionable conclusions without our input. At this
point, it seems that the next step is: AppArmor developers express their
needs. For example:

   * Are there existing message formats supported by the auditd suite that
     would work for us and we'd be happy to share with other LSMs? If yes,
     great: if we start using them our users will benefit from it without
     having to adapt existing tools.
   * What are our needs that we think are specific to AppArmor? (It might be
     that once we state them, another LSM developer will say "actually, this
     could be useful for us too", who knows :)
   * Once we have the answers to the above questions, we can start checking
     how many AppArmor-specific identifiers we need today and how many extra
     spare ones we want allocated. (Without this info, nobody can decide
     whether we can fit in the 1400 range.)

John, are we on the same page? If not, I'd love to know what we
understood differently :)


[Bug 1784023] Re: Update profiles for usrmerge

2018-11-02 Thread intrigeri
I took a look because this appeared on the Debian package tracker for
apparmor-profiles-extra. At least 1.24 (just uploaded to sid) seems to
be OK. I've not checked older versions so I don't know when exactly the
problem that affected this package (which seems unspecified here) was
fixed. If there's anything left to fix in this package, please let me
know :)


[Bug 1503762] Re: Provide systemd service

2018-03-19 Thread intrigeri
FTR a systemd unit was imported upstream:
https://gitlab.com/apparmor/apparmor/merge_requests/81


[Bug 1751402] Re: abstraction/nameservice should include allow access to /var/lib/sss/mc/initgroups

2018-02-25 Thread intrigeri
FTR this was already added upstream in commit 84cd523d8c which is part
of AppArmor v2.12. So it'll be fixed whenever Ubuntu upgrades to 2.12 :)

** Also affects: apparmor
   Importance: Undecided
   Status: New

** Changed in: apparmor
   Status: New => Fix Released


Re: [Bug 1284507] Re: apparmor profile for libreoffice

2018-01-16 Thread intrigeri
> This was partially done. unfortunately the profiles are all missing a
> /

I think that's been fixed in Debian already.


Re: [Bug 1717714] Re: @{pid} variable broken on systems with pid_max more than 6 digits

2018-01-14 Thread intrigeri
Eric Desrochers:
> The patch for bionic (devel release) has been sponsored but it is stuck in 
> bionic-proposed for now waiting for the non amd64/i386 builder to be 
> operational -> ppcel64, arm, s390x, ..

FWIW this patch is part of 2.12-1 that I've uploaded to Debian unstable.
No idea how exactly this will be sync'ed into Ubuntu.


[Bug 1331856] Re: apparmor-utils don't work when defining a variable on

2018-01-07 Thread intrigeri
Vincas, do you want to test the proposed patch?


[Bug 1738958] Re: Ordering of start and apparmor reload upgrade can cause issues

2017-12-21 Thread intrigeri
Indeed, steps 3 and 4 should ideally happen in the reverse order. I
don't know if debhelper provides facilities to order autoscript snippets
though.

In passing, once
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1385414 is done
I think we should use systemd's AppArmorProfile= directive and it will
do the right thing, i.e. compile the updated policy just before starting
the upgraded daemon. But we're not there yet.


[Bug 1579548] Re: OTR plugin does not load in Xenial

2017-12-12 Thread intrigeri
I guess this package needs the Ubuntu equivalent of what we call a
binNMU in Debian.


[Bug 1730536] Re: "Unable to open external link" in Evince when google-chrome-unstable is the default browser

2017-11-15 Thread intrigeri
** Changed in: apparmor
   Status: Confirmed => Fix Committed


[Bug 1730536] Re: "Unable to open external link" in Evince when google-chrome-unstable is the default browser

2017-11-12 Thread intrigeri
https://gitlab.com/apparmor/apparmor/merge_requests/9 fixes this bug on
my Debian sid test VM.


[Bug 1730536] Re: "Unable to open external link" in evince

2017-11-12 Thread intrigeri
This should be easy to fix with something very similar to
https://gitlab.com/apparmor/apparmor/merge_requests/7. While I'm at it
I'll check that google-chrome-stable works too.

** Changed in: apparmor (Ubuntu)
   Status: New => Confirmed

** Also affects: apparmor
   Importance: Undecided
   Status: New

** Also affects: apparmor (Debian)
   Importance: Undecided
   Status: New

** Changed in: apparmor (Debian)
   Status: New => Confirmed

** Changed in: apparmor
   Status: New => Confirmed

** Summary changed:

- "Unable to open external link" in evince
+ "Unable to open external link" in Evince when google-chrome-unstable is the default browser

** Tags added: aa-policy


Re: [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-29 Thread intrigeri
> The kernel patch causing the issue has been reverted. So 4.14-rc7
> should work as pre 4.14-rc2

Great! (Modulo Linus' commit message…)


[Bug 1042771] Re: sanitized_helper prevents proper transition to other profiles

2017-10-27 Thread intrigeri
See https://bugs.launchpad.net/apparmor-profiles/+bug/1727993 for a
discussion about this topic.


Re: [Bug 1717714] [NEW] @{pid} variable broken on systems with pid_max more than 6 digits

2017-09-18 Thread intrigeri
> I am aware this is a non-default configuration, but I think this
> should work.

Makes sense. Do you want to send a merge request?


[Bug 1710487] Re: evince silently crashes with apparmor error on artful

2017-09-10 Thread intrigeri
FWIW: Jamie, while reviewing the Debian..Ubuntu packaging log in order
to merge the Ubuntu one into the Debian source package, I see a few
instances of duplicate packaging work going on (e.g. the fix for this
bug, upstart job removal). Such duplicate work could have been avoided
by merging from Debian first… which would also have avoided mistakes
like keeping the obsolete ubuntu-manpage-updates.patch, and removing the
initscript by mistake to re-add it 3 versions later.

Let me know if I can adjust my workflow in a way that makes it easier
for you folks to merge from Debian more consistently, I'm open to
requests & suggestions :)


[Bug 1661766] Re: aa-genprof crashes on start due to python 3.6 bug

2017-09-10 Thread intrigeri
FTR Debian sid still defaults to python3 == Python 3.5, but will soon
switch to 3.6
(https://release.debian.org/transitions/html/python3.6-supported.html)
and will therefore be affected.


[Bug 1117804] Re: ausearch doesn't show AppArmor denial messages

2017-09-03 Thread intrigeri
FTR this was raised as a potential blocker for enabling AppArmor by
default on Debian: https://bugs.debian.org/872726. I'm going to
investigate why this is a blocker there.

tl;dr: as the audit maintainers said in 2014
(https://www.redhat.com/archives/linux-audit/2014-May/msg00119.html) and
2016 (https://www.redhat.com/archives/linux-audit/2016-April/msg00129.html),
we should use event IDs from the range that has been allocated to us
(1500-1599) instead of from the range assigned to SELinux.

Any plans / ETA to fix this? Regardless of how you would prioritize this
problem otherwise, the fact it might prevent AppArmor from being enabled
by default in Debian could be a reason to handle it ASAP :)

** Bug watch added: Debian Bug tracker #872726
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872726



[Bug 1598759] Re: AppArmor nameservice abstraction doesn't allow communication with systemd-resolved

2017-08-05 Thread intrigeri
FWIW current Ubuntu citrain branch seems to apply exactly the same patch
twice for some reason:

debian/patches/adjust-nameservice-for-systemd-resolved.patch
debian/patches/profiles-grant-access-to-systemd-resolved.patch

Not sure what's going on, but anyway we don't apply this patch in Debian
so this only affects the Ubuntu-specific bits of the packaging.



[Bug 1503762] Re: Provide systemd service

2017-08-04 Thread intrigeri
** Bug watch added: Debian Bug tracker #870697
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870697

** Also affects: apparmor (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870697
   Importance: Unknown
   Status: Unknown

** Also affects: apparmor (Ubuntu)
   Importance: Undecided
   Status: New



[Bug 1385414] Re: provide systemd compatible cache loading library

2017-07-01 Thread intrigeri
Thanks! So we still need an AppArmor task, not just a systemd one,
right? (My question came up because all the AppArmor tasks are marked as
"Fix released", and thus I thought the only remaining thing to do is on
the systemd side, but your answer suggests that's not actually the
case.)



[Bug 1331856] Re: apparmor-utils don't work when defining a variable on

2017-06-30 Thread intrigeri
Anyone interested in moving this forward: please send a merge request.
We're apparently not very good at tracking patches attached to bug
reports, sorry!



[Bug 1385414] Re: provide systemd compatible cache loading library

2017-06-30 Thread intrigeri
I could ask for help to the person who implemented the initial AppArmor
support in systemd. But first I would need a clearer task description
than "Add systemd task since it needs an update to make it use the cache
loading library". What exactly do we need systemd to do?



[Bug 1507469] Re: Evince's AppArmor profile prevents opening docs from other apps under Wayland

2017-06-30 Thread intrigeri
This was fixed in 2.11.0 so it's fixed in zesty.

** Summary changed:

- Evince's Apparmour profile prevents opening docs from other apps under Wayland
+ Evince's AppArmor profile prevents opening docs from other apps under Wayland

** Changed in: apparmor (Ubuntu)
   Status: New => Fix Released



[Bug 740510] Re: multiarch paths in abstractions should not be Linux-specific

2017-06-30 Thread intrigeri
FWIW Stretch was released for Linux architectures only, and I doubt
it'll change any time soon. I believe the Debian landscape looked
different when Steve filed this bug in 2011. Nowadays I'm not sure
what's the value of keeping this bug open.



[Bug 776648] Re: apparmor profile for chromium browser

2017-06-30 Thread intrigeri
This bug report is about the custom profile shipped by Ubuntu in their
apparmor-profiles package (and nowhere else AFAIK), not about the
apparmor-profiles project (yeah, it's confusing, I know).

** Changed in: apparmor-profiles
   Status: Triaged => Invalid



[Bug 1101298] Re: More resources must be added into Chromium profile

2017-06-30 Thread intrigeri
This bug report is about the custom profile shipped by Ubuntu in their
apparmor-profiles package (and nowhere else AFAIK), not about the
apparmor-profiles project (yeah, it's confusing, I know).

** Project changed: apparmor-profiles => apparmor (Ubuntu)



[Bug 1647188] Re: Please make the AppArmor profile support merged-/usr systems

2017-01-06 Thread intrigeri
FYI I've applied this patch in the usr.sbin.tcpdump profile included in
Debian's apparmor-profiles-extra 1.11. And I intend to have this profile
moved to the tcpdump package proper at the beginning of the Debian 10
(Buster) development cycle, i.e. once Stretch is released.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1647188

Title:
  Please make the AppArmor profile support merged-/usr systems



[Bug 1647188] Re: Please make the AppArmor profile support merged-/usr systems

2016-12-19 Thread intrigeri
Ping? Colder stages of the Debian Stretch freeze will soon be in effect,
so it would be nice to have this reviewed & applied earlier :)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1647188

Title:
  Please make the AppArmor profile support merged-/usr systems



[Bug 1647188] [NEW] Please make the AppArmor profile support merged-/usr systems

2016-12-04 Thread intrigeri
Public bug reported:

merged-/usr is already available in Debian, will likely be the default
in Debian Stretch.

The attached patch makes the included AppArmor profile support this use
case.

Thanks for considering :)

** Affects: tcpdump (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: patch

** Patch added: "tcpdump-apparmor-usrmerge.patch"
   https://bugs.launchpad.net/bugs/1647188/+attachment/4787363/+files/tcpdump-apparmor-usrmerge.patch

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1647188

Title:
  Please make the AppArmor profile support merged-/usr systems



[Bug 1507469] Re: Evince's Apparmour profile prevents opening docs from other apps under Wayland

2016-12-02 Thread intrigeri
Cherry-picked in Debian's Vcs-Bzr, will be part of the apparmor
2.10.95-7 upload. Thanks everybody!

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1507469

Title:
  Evince's Apparmour profile prevents opening docs from other apps under
  Wayland



Re: [Bug 1600524] Re: ubuntuBSD support

2016-07-16 Thread intrigeri
> Well then could you apply the patch to make apparmor installable?

The dependency on any kind of initramfs-tools has been dropped in Debian
a while ago (2.9.0-3+exp1), because AFAIK it was needed only for the
early modules loading code, that was removed a while ago. For some
undocumented reason, last time Ubuntu merged Debian's packaging
(2.10-3ubuntu1), these deps were kept in Ubuntu, so I'm afraid there's
nothing I can personally do about it. Sorry!

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1600524

Title:
  ubuntuBSD support



Re: [Bug 1600524] Re: ubuntuBSD support

2016-07-16 Thread intrigeri
> I'm confused then. Why is the Architecture field in debian/control set
> to any?

> And why debian/patches/non-linux.patch, debian/non-linux/apparmor_parser?

I find it marginally useful to build on Debian/kFreeBSD: this can
sometimes help discover real bugs that affect Linux but would not be
immediately visible there. But if this ever becomes too tedious, I won't
bother and will drop the non-Linux targets.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1600524

Title:
  ubuntuBSD support



[Bug 1408106] Re: attach_disconnected not sufficient for overlayfs

2016-05-23 Thread intrigeri
Hi! What kind of (realistic) timeline can we expect here? (With the move
to ZFS for containers, I wonder :)

E.g. is this part of your goals for 16.10? (I mean: for the
AppArmor/Ubuntu-specific parts, as I've learnt to be patient wrt. the
upstreaming to Linux mainline.)

Thanks for your work on AppArmor!

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1408106

Title:
  attach_disconnected not sufficient for overlayfs



[Bug 1435368] Re: dh_apparmor does not assist postinst scripts that need to run the constrained binary before the postinst completes

2015-08-24 Thread intrigeri
Another workaround would be to run mysqld unconfined (e.g. with
aa-unconfined, or by copying/hardlinking the binary to a different file and
running that one) for whatever operations the postinst has to do. I
won't pretend it's nicer than what you've done already, but that's
another option on the table.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1435368

Title:
  dh_apparmor does not assist postinst scripts that need to run the
  constrained binary before the postinst completes



[Bug 1399845] Re: tunables/global doesn't include all defined variables

2015-08-24 Thread intrigeri
I'm not sure I get what's the problem: what exact variable (or tunable
file containing variables) do you think should be made available to
every profile, and is currently not?

My understanding of this comment (as a non-native English speaker) is
that there is a possibility that some tunables (e.g. the dovecot and
ntpd ones) are not globals, don't need to be made available to every
profile, and thus should not be included in tunables/global. It makes
sense to me from a design PoV, and also from a profile author PoV. Did I
miss anything?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1399845

Title:
  tunables/global doesn't include all defined variables



[Bug 1377338] Re: apparmor may fail to load some profiles if one is corrupted

2015-08-24 Thread intrigeri
Along with LP: #1488179, this is one source of ugliness in current
Debian/Ubuntu initscript, that makes it harder than needed to port it to
systemd.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1377338

Title:
  apparmor may fail to load some profiles if one is corrupted
