[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-07-18 Thread Alex Murray
To clarify on the statement from @georgiag above - "some applications
are still not going to work properly" means that some applications
*which currently do not work on Ubuntu 24.04 with the current version of
apparmor in the archive (4.0.1really4.0.0-beta3-0ubuntu0.1)* are still
not going to work properly, i.e. this is not a regression from the
current behaviour.

I have reviewed the proposed update and run both the qa-regression-tests
and autopkgtests locally and it looks good to me (other than a minor
typo in the debian/changelog - s/updatea/upstream/) - I have uploaded it
to the unapproved queue for review by the SRU team. Thanks for all your
help with this @rbasak.

** Changed in: apparmor (Ubuntu Noble)
   Status: Triaged => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2064672

Title:
  [SRU] - fixes for apparmor on noble

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064672/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-07-18 Thread Georgia Garcia
I have updated the description with the information of the SRU version
4.0.1really4.0.1-0ubuntu0.24.04.3.
The Test Plan is updated with detailed instructions and I also added an 
analysis of why the regression happened for the previous SRU. Note that since 
we have removed the enablement by default of the bwrap profile, some 
applications are still not going to work properly, which is the case for setzer 
in the test plan. A fix was already merged upstream [1] and will be present in 
a later 4.0.2 SRU.

[1] https://gitlab.com/apparmor/apparmor/-/merge_requests/1272

** Description changed:

  [ Impact ]
  
  This SRU has several fixes:
  
  add unconfined profile for tuxedo-control-center (Bug 2046844)
  fix issues appointed by coverity
  fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386)
  fix redefinition of _ which caused an issue with translation, failing 
aa-enforce (https://gitlab.com/apparmor/apparmor/-/issues/387)
  add mount test for CVE-2016-1585 (Bug 1597017 and Bug 2023814)
  add network inet mediation documentation to apparmor.d
  fix inet conditionals to only generate rules for inet family 
(https://gitlab.com/apparmor/apparmor/-/issues/384)
  add unconfined wike profile (Bug 2060810)
  add unconfined foliate profile (Bug 2060767)
  fix chromium_browser profile 
(https://gitlab.com/apparmor/apparmor/-/merge_requests/1208)
  add profiles for Transmission family of Bittorrent clients
  add profile for unshare utility (Bug 2046844)
  add profile for bwrap utility (Bug 2046844)
  fix unconfined firefox profile to support mozilla.org download (Bug 2056297)
  fix getattr and setattr perm mapping on mqueue rules 
(https://gitlab.com/apparmor/apparmor/-/issues/377 and 
https://gitlab.com/apparmor/apparmor/-/issues/378)
  fix inet tests (https://gitlab.com/apparmor/apparmor/-/issues/376)
  fix sshd profile (Bug 2060100)
  fix apparmor tools to allow mount destination globbing 
(https://gitlab.com/apparmor/apparmor/-/issues/381)
  fix firefox profile (https://gitlab.com/apparmor/apparmor/-/issues/380)
  move pam-related permissions to abstractions/authentication 
(https://bugzilla.opensuse.org/show_bug.cgi?id=1220032)
  fix condition in policydb serialization to only encode xtable if 
kernel_supports_permstable32
  relax mount rules in utils to fix use of virtiofs and other file-system types
  
  [ Test Plan ]
  
+ * Make sure to reboot after upgrading (Bug 2072811)
  This has been extensively tested via the AppArmor regression test
  script in the QA Regression Testing repo:
  https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py
+ 
+ Steps:
+ $ git clone https://git.launchpad.net/qa-regression-testing
+ $ ./scripts/make-test-tarball ./scripts/test-apparmor.py 
+ Copying: test-apparmor.py
+ Copying: testlib.py
+ Copying: install-packages
+ Copying: packages-helper
+ Copying: apparmor/
+ 
+ Test files: /tmp/qrt-test-apparmor.tar.gz
+ 
+ To run, copy the tarball somewhere, then do:
+ $ tar -zxf qrt-test-apparmor.tar.gz
+ $ cd ./qrt-test-apparmor
+ $ sudo ./install-packages test-apparmor.py
+ $ ./test-apparmor.py -v
  
  This script runs various tests against the installed apparmor
  package, as well as building and running the various upstream
  regression and other test suites against this installed package:
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads
  
  The final test output was:
  
  --
- Ran 62 tests in 1989.948s
+ Ran 62 tests in 1977.045s
  
- OK (skipped=4)
+ OK (skipped=3)
  
  georgia@sec-noble-amd64:~$ apt policy apparmor
  apparmor:
-   Installed: 4.0.1-0ubuntu0.24.04.2
-   Candidate: 4.0.1-0ubuntu0.24.04.2
+   Installed: 4.0.1really4.0.1-0ubuntu0.24.04.3
+   Candidate: 4.0.1really4.0.1-0ubuntu0.24.04.3
  
  Run additional tests:
  
  1. Install wike and make sure the wike window opens when executed:
  $ sudo apt install wike
  $ wike
  
  2. Install foliate, download test epub and make sure it opens as expected:
  $ sudo apt install foliate
  $ wget 
https://github.com/daisy/epub-accessibility-tests/releases/download/fundamental-2.0/Fundamental-Accessibility-Tests-Basic-Functionality-v2.0.0.epub
  $ foliate Fundamental-Accessibility-Tests-Basic-Functionality-v2.0.0.epub
  
  3. Install transmission and make sure it starts properly:
  $ sudo apt install transmission
- $ transmission-gtk 
+ $ transmission-gtk
  
- 4. bwrap profile tests:
- - Install setzer and check if it opens as expected:
+ 4. test bwrap profile is no longer enabled by default:
+ - Install setzer and it will not open because the bwrap profile is not loaded:
  $ sudo apt install setzer
- $ 
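Review bot: In the added Steps, `./scripts/make-test-tarball ./scripts/test-apparmor.py` follows `git clone` with no `cd qa-regression-testing`, so the relative paths only resolve if the reader has already changed into the checkout; add the `cd` line. The new "Make sure to reboot after upgrading (Bug 2072811)" line sits above the description of the regression script rather than in the ordered steps, and the plan has no step for installing the version under test, so the reboot is easy to miss. For the rewritten step 4, where setzer is now expected not to open, state the observable result the verifier should see so that an unrelated failure is not counted as a pass.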

[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-07-16 Thread Robie Basak
Thanks. When the bwrap profile SRU is attempted again, I'd like the Test
Plan reconsidered please to ensure that we catch the class of regression
that occurred.

On this SRU, before resubmitting it with the bwrap change removed,
please revise the Test Plan to ensure that all necessary steps are
included so that other developers can run it without problems. As
discussed on IRC earlier, I was not able to do this!

Reopening as the change introduced to fix this bug has been reverted.

** Changed in: apparmor (Ubuntu Noble)
   Status: Fix Released => Triaged

[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-07-16 Thread John Johansen
The regression is caused by
  d/p/u/enable-bwrap-profile.patch

The bwrap profile is interacting with flatpak and snapd. The
d/p/u/enable-bwrap-profile.patch will need to be dropped when the 4.0.1
SRU is redone.

The bwrap, flatpak and snapd will need updates to enable bwrap to be
used by regular users. Since this change is now known to have potential
breakage it should be isolated to its own SRU where it is the only
change, allowing easier testing and easier revert knowing it is the only
moving piece.

[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-07-14 Thread Robie Basak
A regression caused by this update has been reported in bug 2072811. If
found to be valid, we may revert the fix shortly. If you are or would be
affected, your participation in the regression bug would be appreciated.

[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-07-09 Thread Launchpad Bug Tracker
This bug was fixed in the package apparmor - 4.0.1-0ubuntu0.24.04.2

---
apparmor (4.0.1-0ubuntu0.24.04.2) noble; urgency=medium

  [Georgia Garcia]
  * New upstream release. (LP: #2064672)
  * Refresh
    - d/p/u/parser-add-support-for-prompting.patch
      - Add condition in policydb serialization to only encode xtable if
        kernel_supports_permstable32
  * Add patch to add balena-etcher profile (LP: #2046844)
    - d/p/u/profiles-add-unconfined-balena-etcher-profile.patch
  * Fix d/p/u/userns-runtime-disable.patch to work when
    kernel.apparmor_restrict_unprivileged_userns does not exist by adding
    -e to sysctl.
  * d/apparmor.install
    - install new profiles
      - wike - changed installation from apparmor to apparmor.d
      - foliate
      - balena-etcher
      - transmission

  [Alex Murray]
  * Add upstream patch to relax mount rules to fix use of virtiofs and
    other file-system types
    - d/p/u/mountrule-relaxing-constraints-on-fstype.patch
  * Remove patches which got dropped from quilt series earlier
    - d/p/u/parser-support-uin128_t-key-as-a-pair-of-uint64_t-nu.patch
    - d/p/u/Minor-improvements-for-MountRule.patch
  * d/control: Remove obsolete lsb-base Depends and swap pkg-config to
    pkgconf for Build-Depends

apparmor (4.0.0-beta4-0ubuntu1) noble; urgency=medium

  * New upstream release.
    (LP: #2046844, LP: #2060100, LP: #2056297)
  * Refresh
    - d/p/u/samba-systemd-interaction.patch
  * Drop patches which have now been applied updatea
    - d/p/u/parser-fix-issues-appointed-by-coverity.patch
    - d/p/u/profiles-add-unconfined-profile-for-tuxedo-control-c.patch
  * Add patch to enable bwrap profile
    - d/p/u/enable-bwrap-profile.patch
      (LP: #2046844, LP: #2065708)
  * d/apparmor.install
    - install new profile
      - bwrap-userns-restrict
  * d/apparmor-profiles.install
    - install new profile
      - unshare-userns-restrict

 -- Georgia Garcia  Tue, 30 Apr 2024 14:12:01 -0300

** Changed in: apparmor (Ubuntu Noble)
   Status: Fix Committed => Fix Released

[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-07-08 Thread John Johansen
Test Environment 1: kvm virtual machine, clean 24.04 install, updated,
then proposed enabled.

Test Environment 2: x86 laptop with nvidia graphics, upgraded to 24.04,
updated, then proposed enabled.

Test plan fully executed on both environments.


Notes:
kde, budgie, and kapps: only tested in environment 1

steam: only tested on environment 2.

[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-07-08 Thread John Johansen
List of Applications tested for regression

Tellico
Supercollider
steam
rssguard
qutebrowser
qmapshack
plasma-welcome
plasma-desktop
pageedit
opam
notepadqq
marble
loupe
kontact
konqueror
kmail
kgeotag
kdeplasma-addons
kchmviewer
kalgebra
goldendict-webengine
ghostwriter
foliate
geary
firefox snap
falkon
evolution
epiphany-browser
digikam
devhelp
cantor

[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-07-08 Thread Georgia Garcia
Thanks for the verification, John. I updated the tags based on the
results of your tests.

** Tags removed: verification-needed verification-needed-noble
** Tags added: verification-done verification-done-noble

[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-06-29 Thread John Johansen
On a clean install of 24.04 with Ubuntu (gnome) desktop. Updated as of
June 27, 24.04.

0. Enabled proposed, updated, upgraded and installed apparmor packages
via

$ sudo apt install apparmor apparmor-profiles apparmor-utils libapparmor-dev libapparmor1 libpam-apparmor python3-apparmor python3-libapparmor -t noble-proposed


Full test plan executed for Ubuntu Desktop, Kubuntu Desktop, Budgie Desktop,


[ Test Plan ]

Test QA Regression Testing

The final test output was:

--
Ran 62 tests in 903.834s

OK (skipped=3)

$ apt policy apparmor
apparmor:
  Installed: 4.0.1-0ubuntu0.24.04.2
  Candidate: 4.0.1-0ubuntu0.24.04.2
  Version table:
 *** 4.0.1-0ubuntu0.24.04.2 100
        100 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     4.0.0-beta3-0ubuntu3 500
        500 http://us.archive.ubuntu.com/ubuntu noble/main amd64 Packages


Run additional tests:

1. test wike

run from terminal, works with no apparmor rejections
run from gnome activities, works with no apparmor rejections

2. test foliate
run from terminal, works with no apparmor rejections
run from gnome activities, works with no apparmor rejections

3. test transmission
run from terminal, works with no apparmor rejections
run from gnome activities, works with no apparmor rejections

4. test bwrap

4.1  setzer
run from terminal, works with no apparmor rejections
run from gnome activities, works with no apparmor rejections

4.2  flatpak gnome.recipes
works as expected

In addition to the test plan using the gnome desktop, the Kubuntu and
Budgie desktops were brought up and tested to ensure no regressions
around widgets (), applications or previously reported bugs.

See https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844 for
tracked list of applications. See next comment for results from testing
each application.

[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-06-25 Thread Samuel Moelius
@raof I've installed the proposed package, and so far it seems to be
working. Thank you!

(Apologies if you receive telemetry, and this message is just spam.)

[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-06-24 Thread Chris Halse Rogers
Hello Georgia, or anyone else affected,

Accepted apparmor into noble-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/apparmor/4.0.1-0ubuntu0.24.04.2 in
a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-noble to verification-done-noble. If it does not fix
the bug for you, please add a comment stating that, and change the tag to
verification-failed-noble. In either case, without details of your
testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: apparmor (Ubuntu Noble)
   Status: New => Fix Committed

** Tags added: verification-needed verification-needed-noble

[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-06-19 Thread Georgia Garcia
Thanks for reviewing, Chris. I have updated the test plan with your
suggestions, and I also updated the ppa containing a new version of the
package with the wike profile location fixed. I'll also make sure to
comment on the bugs in the changelog that verification is not required.

** Description changed:

  [ Impact ]
  
  This SRU has several fixes:
  
  add unconfined profile for tuxedo-control-center (Bug 2046844)
  fix issues appointed by coverity
  fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386)
  fix redefinition of _ which caused an issue with translation, failing 
aa-enforce (https://gitlab.com/apparmor/apparmor/-/issues/387)
  add mount test for CVE-2016-1585 (Bug 1597017 and Bug 2023814)
  add network inet mediation documentation to apparmor.d
  fix inet conditionals to only generate rules for inet family 
(https://gitlab.com/apparmor/apparmor/-/issues/384)
  add unconfined wike profile (Bug 2060810)
  add unconfined foliate profile (Bug 2060767)
  fix chromium_browser profile 
(https://gitlab.com/apparmor/apparmor/-/merge_requests/1208)
  add profiles for Transmission family of Bittorrent clients
  add profile for unshare utility (Bug 2046844)
  add profile for bwrap utility (Bug 2046844)
  fix unconfined firefox profile to support mozilla.org download (Bug 2056297)
  fix getattr and setattr perm mapping on mqueue rules 
(https://gitlab.com/apparmor/apparmor/-/issues/377 and 
https://gitlab.com/apparmor/apparmor/-/issues/378)
  fix inet tests (https://gitlab.com/apparmor/apparmor/-/issues/376)
  fix sshd profile (Bug 2060100)
  fix apparmor tools to allow mount destination globbing 
(https://gitlab.com/apparmor/apparmor/-/issues/381)
  fix firefox profile (https://gitlab.com/apparmor/apparmor/-/issues/380)
  move pam-related permissions to abstractions/authentication 
(https://bugzilla.opensuse.org/show_bug.cgi?id=1220032)
  fix condition in policydb serialization to only encode xtable if 
kernel_supports_permstable32
  relax mount rules in utils to fix use of virtiofs and other file-system types
  
  [ Test Plan ]
  
  This has been extensively tested via the AppArmor regression test
  script in the QA Regression Testing repo:
  https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py
  
  This script runs various tests against the installed apparmor
  package, as well as building and running the various upstream
  regression and other test suites against this installed package:
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads
  
  The final test output was:
  
  --
  Ran 62 tests in 1989.948s
  
  OK (skipped=4)
  
  georgia@sec-noble-amd64:~$ apt policy apparmor
  apparmor:
-   Installed: 4.0.1-0ubuntu0.24.04.2
-   Candidate: 4.0.1-0ubuntu0.24.04.2
+   Installed: 4.0.1-0ubuntu0.24.04.2
+   Candidate: 4.0.1-0ubuntu0.24.04.2
+ 
+ Run additional tests:
+ 
+ 1. Install wike and make sure the wike window opens when executed:
+ $ sudo apt install wike
+ $ wike
+ 
+ 2. Install foliate, download test epub and make sure it opens as expected:
+ $ sudo apt install foliate
+ $ wget 
https://github.com/daisy/epub-accessibility-tests/releases/download/fundamental-2.0/Fundamental-Accessibility-Tests-Basic-Functionality-v2.0.0.epub
+ $ foliate Fundamental-Accessibility-Tests-Basic-Functionality-v2.0.0.epub
+ 
+ 3. Install transmission and make sure it starts properly:
+ $ sudo apt install transmission
+ $ transmission-gtk 
+ 
+ 4. bwrap profile tests:
+ - Install setzer and check if it opens as expected:
+ $ sudo apt install setzer
+ $ setzer 
+ - Check if flatpak option --unshare=network works, the Recipes app window 
should open:
+ $ sudo apt install flatpak
+ $ flatpak remote-add --if-not-exists flathub 
https://dl.flathub.org/repo/flathub.flatpakrepo
+ $ flatpak install flathub org.gnome.Recipes
+ $ flatpak run --unshare=network org.gnome.Recipes
  
  [ Where problems could occur ]
  
  There could still be more applications affected by the
  restriction of the creation of unpriviliged user namespaces. They
  might require the creation of new unconfined profiles which could
  be mitigated in a later SRU.
  
  [ Other Info ]
  
  The SRU is available in:
  
  https://launchpad.net/~georgiag/+archive/ubuntu/4.0.1-0ubuntu0.24.04.2
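Review bot: The added "4. bwrap profile tests" pass on "opens as expected" alone, for one deb application (setzer) and one flatpak (org.gnome.Recipes); nothing asks the tester to confirm that the bwrap profile is loaded before the run or to check the kernel log for AppArmor denials afterwards, and no snap application is exercised. Add a loaded-profile check and a denial check to each step, and say whether the applications should be started from a terminal, the desktop launcher, or both. The `Installed:`/`Candidate:` lines at the top of the hunk are removed and re-added with identical text, so that part of the change is whitespace noise.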

[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-06-19 Thread Georgia Garcia
** Description changed:

  [ Impact ]
  
  This SRU has several fixes:
  
  add unconfined profile for tuxedo-control-center (Bug 2046844)
  fix issues appointed by coverity
  fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386)
  fix redefinition of _ which caused an issue with translation, failing 
aa-enforce (https://gitlab.com/apparmor/apparmor/-/issues/387)
  add mount test for CVE-2016-1585 (Bug 1597017 and Bug 2023814)
  add network inet mediation documentation to apparmor.d
  fix inet conditionals to only generate rules for inet family 
(https://gitlab.com/apparmor/apparmor/-/issues/384)
  add unconfined wike profile (Bug 2060810)
  add unconfined foliate profile (Bug 2060767)
  fix chromium_browser profile 
(https://gitlab.com/apparmor/apparmor/-/merge_requests/1208)
  add profiles for Transmission family of Bittorrent clients
  add profile for unshare utility (Bug 2046844)
  add profile for bwrap utility (Bug 2046844)
  fix unconfined firefox profile to support mozilla.org download (Bug 2056297)
  fix getattr and setattr perm mapping on mqueue rules 
(https://gitlab.com/apparmor/apparmor/-/issues/377 and 
https://gitlab.com/apparmor/apparmor/-/issues/378)
  fix inet tests (https://gitlab.com/apparmor/apparmor/-/issues/376)
  fix sshd profile (Bug 2060100)
  fix apparmor tools to allow mount destination globbing 
(https://gitlab.com/apparmor/apparmor/-/issues/381)
  fix firefox profile (https://gitlab.com/apparmor/apparmor/-/issues/380)
  move pam-related permissions to abstractions/authentication 
(https://bugzilla.opensuse.org/show_bug.cgi?id=1220032)
  fix condition in policydb serialization to only encode xtable if 
kernel_supports_permstable32
  relax mount rules in utils to fix use of virtiofs and other file-system types
  
  [ Test Plan ]
  
  This has been extensively tested via the AppArmor regression test
  script in the QA Regression Testing repo:
  https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py
  
  This script runs various tests against the installed apparmor
  package, as well as building and running the various upstream
  regression and other test suites against this installed package:
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads
  
  The final test output was:
  
  --
- Ran 62 tests in 1855.366s
+ Ran 62 tests in 1989.948s
  
  OK (skipped=4)
  
  georgia@sec-noble-amd64:~$ apt policy apparmor
  apparmor:
-   Installed: 4.0.1-0ubuntu0.24.04.1
-   Candidate: 4.0.1-0ubuntu0.24.04.1
+   Installed: 4.0.1-0ubuntu0.24.04.2
+   Candidate: 4.0.1-0ubuntu0.24.04.2
  
  [ Where problems could occur ]
  
  There could still be more applications affected by the
  restriction of the creation of unpriviliged user namespaces. They
  might require the creation of new unconfined profiles which could
  be mitigated in a later SRU.
  
  [ Other Info ]
  
  The SRU is available in:
  
- https://launchpad.net/~georgiag/+archive/ubuntu/4.0.1-0ubuntu0.24.04.1
+ https://launchpad.net/~georgiag/+archive/ubuntu/4.0.1-0ubuntu0.24.04.2

[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-06-19 Thread Chris Halse Rogers
Ok, I've reviewed the upload in the queue. I've rejected it, as one of
the patches was broken, but apart from that the diff looks OK (although
there's a *lot* of it, most of it is removal of autogenerated autoconf
stuff).

If we're going to use just this bug for verification, please update the
other bugs making it clear that they don't need to be verified as per
https://wiki.ubuntu.com/StableReleaseUpdates#Bug_references_in_changelogs

Also, it looks like the verification test plan needs to be augmented?
From the above discussion there seems to be a requirement to test some
specific bubblewrap functionality, which should be added to the test
plan.

Although, since it seems like the wike fix was accidentally not applied,
maybe we should also test to ensure that the new profiles work, at least
the more important applications?

[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-06-04 Thread John Johansen
It shouldn't but we do need to make sure it works.

Previously flatpak was getting around the bwrap restriction by using the
flatpak unconfined profile. But the unconfined profile uses pix which
means it will now use the bwrap profile, when calling bwrap.

If this does cause breakage we will need to move flatpak to using just
ix when calling bwrap.

@smcv: do you have a specific app in mind to test?

[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-06-04 Thread Georgia Garcia
Hi Simon,

The use of --unshare=network does not cause a regression with the bwrap profile.
This is the full profile: 
https://gitlab.com/apparmor/apparmor/-/blob/aa74b9b12d9ed55909489403a0c2514b9ea6a95f/profiles/apparmor/profiles/extras/bwrap-userns-restrict

If you look at the bwrap profile itself, you can see that it allows the
use of all capabilities, but that on execs, it transitions to a profile
that does not allow capabilities. That's why bwrap can, briefly, use
CAP_NET_ADMIN.

profile bwrap /usr/bin/bwrap ... {
  allow capability,
  ...
  allow px /** -> bwrap//_bwrap,
}

To be clear, I tested `flatpak run --unshare=network org.gnome.Recipes`
specifically and it worked as expected.

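The exec-transition behaviour described in the two messages above (pix versus ix when the flatpak profile calls bwrap, and the px hand-off from bwrap to a child profile that allows no capabilities), as an added example that is not part of the thread or of AppArmor's code. It is a simplified Python model: the profile contents, the helper names, the child profile's own ix rule and the path `/app/bin/example-app` are assumptions made for illustration; only the profile name `bwrap//_bwrap` and the rule modes come from the messages.

```python
"""Toy model of AppArmor exec transitions (ix / px / pix) and capability checks.

Constructed for illustration: the three profiles are reduced to the rules
quoted in the thread and are not the real flatpak or bwrap profiles.
"""
from dataclasses import dataclass
from fnmatch import fnmatch

ALL_CAPS = frozenset({"*"})          # models a bare "allow capability," rule
APP = "/app/bin/example-app"         # constructed path for the sandboxed program
CHAIN = ("/usr/bin/bwrap", APP)      # flatpak execs bwrap, bwrap execs the app


class Denied(Exception):
    """Raised when no rule permits the exec."""


@dataclass(frozen=True)
class Profile:
    name: str
    attach: str = ""                 # executable the profile attaches to, if any
    caps: frozenset = frozenset()    # capabilities the profile allows
    exec_rules: tuple = ()           # (path glob, mode, named target or None)


def find_attached(loaded, path):
    """Profile whose attachment matches the executable, or None."""
    return next((p for p in loaded.values() if p.attach == path), None)


def exec_transition(loaded, current, path):
    """Profile the new program runs under after `current` execs `path`."""
    for glob, mode, target in current.exec_rules:
        # fnmatch's "*" also matches "/", which is enough for the "/**" glob
        if not fnmatch(path, glob):
            continue
        if mode == "ix":                       # inherit: stay in current profile
            return current
        wanted = loaded.get(target) if target else find_attached(loaded, path)
        if wanted is not None:                 # px / pix: switch profile
            return wanted
        if mode == "pix":                      # pix: no profile, so inherit
            return current
        raise Denied(f"{current.name}: no profile to transition to for {path}")
    raise Denied(f"{current.name}: no exec rule matches {path}")


def may_use(profile, cap):
    """True if the profile allows the capability (e.g. "net_admin")."""
    return "*" in profile.caps or cap in profile.caps


def build_policy(bwrap_enabled, flatpak_mode="pix"):
    """Loaded policy with or without the bwrap profile (constructed contents)."""
    loaded = {
        "flatpak": Profile("flatpak", "/usr/bin/flatpak", ALL_CAPS,
                           (("/**", flatpak_mode, None),)),
    }
    if bwrap_enabled:
        loaded["bwrap"] = Profile("bwrap", "/usr/bin/bwrap", ALL_CAPS,
                                  (("/**", "px", "bwrap//_bwrap"),))
        # Child profile: no capabilities; its ix rule is an assumption.
        loaded["bwrap//_bwrap"] = Profile("bwrap//_bwrap",
                                          exec_rules=(("/**", "ix", None),))
    return loaded


def run_chain(loaded, start, paths=CHAIN):
    """Names of the profiles in force at each step of an exec chain."""
    trail = [loaded[start]]
    for path in paths:
        trail.append(exec_transition(loaded, trail[-1], path))
    return [p.name for p in trail]


if __name__ == "__main__":
    for label, policy in (
        ("bwrap profile loaded, flatpak uses pix", build_policy(True)),
        ("bwrap profile not loaded, flatpak uses pix", build_policy(False)),
        ("bwrap profile loaded, flatpak uses ix", build_policy(True, "ix")),
    ):
        names = run_chain(policy, "flatpak")
        caps = [may_use(policy[n], "net_admin") for n in names]
        print(f"{label}: {' -> '.join(names)}  net_admin={caps}")
```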

[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-06-04 Thread Simon McVittie
> add profile for bwrap utility

Please check that this doesn't make `flatpak run --unshare=network
$APP_ID` regress.

Explanation:

Some Flatpak apps (the ones that have no legitimate reason to use
networking) have `--unshare=network` by default, as a way to prevent
them from contacting the internet if they are malicious or compromised.
This sandboxing feature requires bwrap to use CAP_NET_ADMIN to bring up
a loopback device inside the new network namespace, before it drops
privileges and executes the actual sandboxed code. Otherwise, there
would be no `lo` device and no 127.0.0.1 or ::1, breaking apps'
reasonable expectations.

Many apps *normally* allow networking, but they can all be run with
`--unshare=network` to force the no-network code path, for example
`flatpak run --unshare=network org.gnome.Recipes`. Of course, some or
all features of the app will not work when run like this, but it should
at least start.

I'm hoping that either the new bwrap profile allows this, or the flatpak
profile (previously added) takes precedence and allows CAP_NET_ADMIN to
be used (briefly!) during the switch from the TCB to the sandboxed
environment.

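
Added example (not part of the thread, and not AppArmor or Flatpak code): one way to check the point discussed in the two messages above is to scan the kernel audit log after `flatpak run --unshare=network $APP_ID` and separate capability denials under the `bwrap` setup profile, which would break the loopback bring-up, from denials after the exec transition, which are the intended confinement. The log lines are constructed samples in the standard AppArmor audit record layout; the labels `bwrap` and `bwrap//_bwrap` are taken from the profile excerpt quoted above.

```python
import re

# Matches key=value and key="quoted value" pairs in a kernel audit record.
_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Profile name as it appears in the excerpt quoted in the thread.
SETUP_PROFILE = "bwrap"


def parse_record(line):
    """Return the fields of one AppArmor audit record, or None if it is not one."""
    if "apparmor=" not in line:
        return None
    return {key: (quoted if raw.startswith('"') else raw)
            for key, raw, quoted in _FIELD.findall(line)}


def classify(fields):
    """Label a record as 'regression', 'expected' or 'ignore'."""
    if fields.get("apparmor") != "DENIED" or fields.get("operation") != "capable":
        return "ignore"
    profile = fields.get("profile", "")
    if profile == SETUP_PROFILE:
        # Denied while bwrap itself is still building the sandbox.
        return "regression"
    if profile.startswith(SETUP_PROFILE + "//"):
        # Denied after the exec transition: the payload holds no capabilities.
        return "expected"
    return "ignore"


def scan(lines):
    """Return (verdict, profile, capname, comm) for each relevant denial."""
    findings = []
    for line in lines:
        fields = parse_record(line)
        if fields is None:
            continue
        verdict = classify(fields)
        if verdict != "ignore":
            findings.append((verdict, fields["profile"],
                             fields.get("capname", "?"), fields.get("comm", "?")))
    return findings


def loopback_setup_blocked(lines):
    """True if CAP_NET_ADMIN was denied to bwrap before it dropped privileges."""
    return any(verdict == "regression" and cap == "net_admin"
               for verdict, _, cap, _ in scan(lines))


# Constructed sample: the sandboxed app is denied net_admin after the exec
# transition, an unrelated file denial, and a non-audit line.
HEALTHY_RUN = [
    'audit: type=1400 audit(1717496102.311:412): apparmor="DENIED" operation="capable" class="cap" profile="bwrap//_bwrap" pid=5121 comm="gnome-recipes" capability=12  capname="net_admin"',
    'audit: type=1400 audit(1717496102.340:413): apparmor="DENIED" operation="open" class="file" profile="bwrap" name="/example/path" pid=5120 comm="bwrap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'systemd[1]: Started example.service',
]

# Constructed sample: the setup profile itself is denied net_admin.
BROKEN_RUN = [
    'audit: type=1400 audit(1717496200.018:420): apparmor="DENIED" operation="capable" class="cap" profile="bwrap" pid=5200 comm="bwrap" capability=12  capname="net_admin"',
]

if __name__ == "__main__":
    for name, run in (("healthy", HEALTHY_RUN), ("broken", BROKEN_RUN)):
        print(name, loopback_setup_blocked(run), scan(run))
```
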

[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-06-03 Thread Samuel Moelius
@jjohansen Thank you very much for your detailed explanation!


[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-06-03 Thread John Johansen
@smoelius:

If you are interested in learning more of the processes, you can read
about it at https://wiki.ubuntu.com/StableReleaseUpdates

To summarize, the upload is at step 4 of the procedures. It has been
uploaded but has not been promoted to the -proposed pocket. Once it has
been accepted it will be in the -proposed pocket for a minimum of 7
days; the absolute earliest this SRU could land in updates is mid next
week, but it will likely take a little longer.

It is available earlier either through the ppa
(https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-sru), or
the -proposed pocket (user opt-in by enabling proposed) once promoted.


[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-06-03 Thread Samuel Moelius
Please forgive me as I am unfamiliar with Ubuntu's release process.

What are the next steps to releasing this fix? And how soon could it
appear in normal distribution?


[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-05-29 Thread Alex Murray
I have just uploaded apparmor 4.0.1-0ubuntu0.24.04.1 from georgiag's PPA
to noble - it is sitting in the unapproved queue.

** Changed in: apparmor (Ubuntu)
   Status: Confirmed => In Progress


[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-05-29 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: apparmor (Ubuntu)
   Status: New => Confirmed


[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-05-29 Thread Georgia Garcia
** Description changed:

  [ Impact ]
  
  This SRU has several fixes:
  
  add unconfined profile for tuxedo-control-center (Bug 2046844)
  fix issues appointed by coverity
  fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386)
  fix redefinition of _ which caused an issue with translation, failing 
aa-enforce (https://gitlab.com/apparmor/apparmor/-/issues/387)
  add mount test for CVE-2016-1585 (Bug 1597017 and Bug 2023814)
  add network inet mediation documentation to apparmor.d
  fix inet conditionals to only generate rules for inet family 
(https://gitlab.com/apparmor/apparmor/-/issues/384)
  add unconfined wike profile (Bug 2060810)
  add unconfined foliate profile (Bug 2060767)
  fix chromium_browser profile 
(https://gitlab.com/apparmor/apparmor/-/merge_requests/1208)
  add profiles for Transmission family of Bittorrent clients
  add profile for unshare utility (Bug 2046844)
  add profile for bwrap utility (Bug 2046844)
  fix unconfined firefox profile to support mozilla.org download (Bug 2056297)
  fix getattr and setattr perm mapping on mqueue rules 
(https://gitlab.com/apparmor/apparmor/-/issues/377 and 
https://gitlab.com/apparmor/apparmor/-/issues/378)
  fix inet tests (https://gitlab.com/apparmor/apparmor/-/issues/376)
  fix sshd profile (Bug 2060100)
  fix apparmor tools to allow mount destination globbing 
(https://gitlab.com/apparmor/apparmor/-/issues/381)
  fix firefox profile (https://gitlab.com/apparmor/apparmor/-/issues/380)
  move pam-related permissions to abstractions/authentication 
(https://bugzilla.opensuse.org/show_bug.cgi?id=1220032)
  fix condition in policydb serialization to only encode xtable if 
kernel_supports_permstable32
  relax mount rules in utils to fix use of virtiofs and other file-system types
  
  [ Test Plan ]
  
  This has been extensively tested via the AppArmor regression test
  script in the QA Regression Testing repo:
  https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py
  
  This script runs various tests against the installed apparmor
  package, as well as building and running the various upstream
  regression and other test suites against this installed package:
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads
  
  The final test output was:
  
  --
  Ran 62 tests in 1855.366s
  
  OK (skipped=4)
  
- $ apt policy apparmor
+ georgia@sec-noble-amd64:~$ apt policy apparmor
  apparmor:
-   Installed: 4.0.1-0ubuntu0.1
-   Candidate: 4.0.1-0ubuntu0.1
+   Installed: 4.0.1-0ubuntu0.24.04.1
+   Candidate: 4.0.1-0ubuntu0.24.04.1
  
  [ Where problems could occur ]
  
  There could still be more applications affected by the
  restriction of the creation of unpriviliged user namespaces. They
  might require the creation of new unconfined profiles which could
  be mitigated in a later SRU.
  
  [ Other Info ]
  
  The SRU is available in:
  
- https://launchpad.net/~georgiag/+archive/ubuntu/4.0.1-0ubuntu0.1
+ https://launchpad.net/~georgiag/+archive/ubuntu/4.0.1-0ubuntu0.24.04.1
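
Review bot: in the Test Plan region the `apt policy` output now reports 4.0.1-0ubuntu0.24.04.1, but the summary directly above it ("Ran 62 tests in 1855.366s") is unchanged context carried over from the revision that reported 4.0.1-0ubuntu0.1. As written, a reader cannot tell whether the 62-test run was repeated against the renamed package or only the version string was updated. Either paste the summary from a run against 4.0.1-0ubuntu0.24.04.1 or add a line saying which of the two it is. The prompt also changed from a bare `$` to `georgia@sec-noble-amd64:~$`; a bare `$` keeps the description host-neutral.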


[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-05-27 Thread Georgia Garcia
** Description changed:

  [ Impact ]
  
  This SRU has several fixes:
  
  add unconfined profile for tuxedo-control-center (Bug 2046844)
  fix issues appointed by coverity
  fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386)
  fix redefinition of _ which caused an issue with translation, failing 
aa-enforce (https://gitlab.com/apparmor/apparmor/-/issues/387)
  add mount test for CVE-2016-1585 (Bug 1597017 and Bug 2023814)
  add network inet mediation documentation to apparmor.d
  fix inet conditionals to only generate rules for inet family 
(https://gitlab.com/apparmor/apparmor/-/issues/384)
  add unconfined wike profile (Bug 2060810)
  add unconfined foliate profile (Bug 2060767)
  fix chromium_browser profile 
(https://gitlab.com/apparmor/apparmor/-/merge_requests/1208)
  add profiles for Transmission family of Bittorrent clients
  add profile for unshare utility (Bug 2046844)
  add profile for bwrap utility (Bug 2046844)
  fix unconfined firefox profile to support mozilla.org download (Bug 2056297)
  fix getattr and setattr perm mapping on mqueue rules 
(https://gitlab.com/apparmor/apparmor/-/issues/377 and 
https://gitlab.com/apparmor/apparmor/-/issues/378)
  fix inet tests (https://gitlab.com/apparmor/apparmor/-/issues/376)
  fix sshd profile (Bug 2060100)
  fix apparmor tools to allow mount destination globbing 
(https://gitlab.com/apparmor/apparmor/-/issues/381)
  fix firefox profile (https://gitlab.com/apparmor/apparmor/-/issues/380)
  move pam-related permissions to abstractions/authentication 
(https://bugzilla.opensuse.org/show_bug.cgi?id=1220032)
  
  [ Test Plan ]
  
  This has been extensively tested via the AppArmor regression test
  script in the QA Regression Testing repo:
  https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py
  
  This script runs various tests against the installed apparmor
  package, as well as building and running the various upstream
  regression and other test suites against this installed package:
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads
  
  The final test output was:
  
  --
- Ran 62 tests in 1861.933s
+ Ran 62 tests in 1855.366s
  
  OK (skipped=4)
  
  $ apt policy apparmor
  apparmor:
Installed: 4.0.1-0ubuntu0.1
Candidate: 4.0.1-0ubuntu0.1
  
  [ Where problems could occur ]
  
  There could still be more applications affected by the
  restriction of the creation of unpriviliged user namespaces. They
  might require the creation of new unconfined profiles which could
  be mitigated in a later SRU.
  
  [ Other Info ]
  
  The SRU is available in:
  
- https://launchpad.net/~georgiag/+archive/ubuntu/apparmor-4.0.1-redo
+ https://launchpad.net/~georgiag/+archive/ubuntu/4.0.1-0ubuntu0.1

** Description changed:

  [ Impact ]
  
  This SRU has several fixes:
  
  add unconfined profile for tuxedo-control-center (Bug 2046844)
  fix issues appointed by coverity
  fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386)
  fix redefinition of _ which caused an issue with translation, failing 
aa-enforce (https://gitlab.com/apparmor/apparmor/-/issues/387)
  add mount test for CVE-2016-1585 (Bug 1597017 and Bug 2023814)
  add network inet mediation documentation to apparmor.d
  fix inet conditionals to only generate rules for inet family 
(https://gitlab.com/apparmor/apparmor/-/issues/384)
  add unconfined wike profile (Bug 2060810)
  add unconfined foliate profile (Bug 2060767)
  fix chromium_browser profile 
(https://gitlab.com/apparmor/apparmor/-/merge_requests/1208)
  add profiles for Transmission family of Bittorrent clients
  add profile for unshare utility (Bug 2046844)
  add profile for bwrap utility (Bug 2046844)
  fix unconfined firefox profile to support mozilla.org download (Bug 2056297)
  fix getattr and setattr perm mapping on mqueue rules 
(https://gitlab.com/apparmor/apparmor/-/issues/377 and 
https://gitlab.com/apparmor/apparmor/-/issues/378)
  fix inet tests (https://gitlab.com/apparmor/apparmor/-/issues/376)
  fix sshd profile (Bug 2060100)
  fix apparmor tools to allow mount destination globbing 
(https://gitlab.com/apparmor/apparmor/-/issues/381)
  fix firefox profile (https://gitlab.com/apparmor/apparmor/-/issues/380)
  move pam-related permissions to abstractions/authentication 
(https://bugzilla.opensuse.org/show_bug.cgi?id=1220032)
+ fix condition in policydb serialization to only encode xtable if 
kernel_supports_permstable32
+ relax mount rules in utils to fix use of virtiofs and other file-system types
  
  [ Test Plan ]
  
  This has been extensively tested via the AppArmor regression 
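
Review bot: the two entries added at the end of the Impact list ("fix condition in policydb serialization to only encode xtable if kernel_supports_permstable32" and "relax mount rules in utils to fix use of virtiofs and other file-system types") carry no bug number or upstream issue or merge-request link, while almost every other entry in the list does. Please add the references so each change can be traced during SRU review. The mount-rule change is described as a relaxation, so reviewers will want to see the report that motivated it.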

[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-05-07 Thread Georgia Garcia
** Description changed:

  [ Impact ]
  
  This SRU has several fixes:
  
  add unconfined profile for tuxedo-control-center (Bug 2046844)
  fix issues appointed by coverity
  fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386)
  fix redefinition of _ which caused an issue with translation, failing 
aa-enforce (https://gitlab.com/apparmor/apparmor/-/issues/387)
  add mount test for CVE-2016-1585 (Bug 1597017 and Bug 2023814)
  add network inet mediation documentation to apparmor.d
  fix inet conditionals to only generate rules for inet family 
(https://gitlab.com/apparmor/apparmor/-/issues/384)
  add unconfined wike profile (Bug 2060810)
  add unconfined foliate profile (Bug 2060767)
  fix chromium_browser profile 
(https://gitlab.com/apparmor/apparmor/-/merge_requests/1208)
  add profiles for Transmission family of Bittorrent clients
  add profile for unshare utility (Bug 2046844)
  add profile for bwrap utility (Bug 2046844)
  fix unconfined firefox profile to support mozilla.org download (Bug 2056297)
  fix getattr and setattr perm mapping on mqueue rules 
(https://gitlab.com/apparmor/apparmor/-/issues/377 and 
https://gitlab.com/apparmor/apparmor/-/issues/378)
  fix inet tests (https://gitlab.com/apparmor/apparmor/-/issues/376)
  fix sshd profile (Bug 2060100)
  fix apparmor tools to allow mount destination globbing 
(https://gitlab.com/apparmor/apparmor/-/issues/381)
  fix firefox profile (https://gitlab.com/apparmor/apparmor/-/issues/380)
  move pam-related permissions to abstractions/authentication 
(https://bugzilla.opensuse.org/show_bug.cgi?id=1220032)
  
  [ Test Plan ]
  
  This has been extensively tested via the AppArmor regression test
  script in the QA Regression Testing repo:
  https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py
  
  This script runs various tests against the installed apparmor
  package, as well as building and running the various upstream
  regression and other test suites against this installed package:
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads
  
  The final test output was:
  
  --
- Ran 62 tests in 1868.839s
+ Ran 62 tests in 1861.933s
  
  OK (skipped=4)
  
- $ apt-cache policy apparmor
+ $ apt policy apparmor
  apparmor:
-   Installed: 4.0.1-0ubuntu1
-   Candidate: 4.0.1-0ubuntu1
+   Installed: 4.0.1-0ubuntu0.1
+   Candidate: 4.0.1-0ubuntu0.1
  
  [ Where problems could occur ]
  
  There could still be more applications affected by the
  restriction of the creation of unpriviliged user namespaces. They
  might require the creation of new unconfined profiles which could
  be mitigated in a later SRU.
  
  [ Other Info ]
  
  The SRU is available in:
  
- https://launchpad.net/~georgiag/+archive/ubuntu/apparmor-4.0.1
+ https://launchpad.net/~georgiag/+archive/ubuntu/apparmor-4.0.1-redo


[Bug 2064672] Re: [SRU] - fixes for apparmor on noble

2024-05-02 Thread Georgia Garcia
** Description changed:

  [ Impact ]
  
  This SRU has several fixes:
  
  add unconfined profile for tuxedo-control-center (Bug 2046844)
  fix issues appointed by coverity
  fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386)
  fix redefinition of _ which caused an issue with translation, failing 
aa-enforce (https://gitlab.com/apparmor/apparmor/-/issues/387)
  add mount test for CVE-2016-1585 (Bug 1597017 and Bug 2023814)
  add network inet mediation documentation to apparmor.d
  fix inet conditionals to only generate rules for inet family 
(https://gitlab.com/apparmor/apparmor/-/issues/384)
  add unconfined wike profile (Bug 2060810)
  add unconfined foliate profile (Bug 2060767)
  fix chromium_browser profile 
(https://gitlab.com/apparmor/apparmor/-/merge_requests/1208)
  add profiles for Transmission family of Bittorrent clients
  add profile for unshare utility (Bug 2046844)
  add profile for bwrap utility (Bug 2046844)
  fix unconfined firefox profile to support mozilla.org download (Bug 2056297)
  fix getattr and setattr perm mapping on mqueue rules 
(https://gitlab.com/apparmor/apparmor/-/issues/377 and 
https://gitlab.com/apparmor/apparmor/-/issues/378)
  fix inet tests (https://gitlab.com/apparmor/apparmor/-/issues/376)
  fix sshd profile (Bug 2060100)
  fix apparmor tools to allow mount destination globbing 
(https://gitlab.com/apparmor/apparmor/-/issues/381)
  fix firefox profile (https://gitlab.com/apparmor/apparmor/-/issues/380)
  move pam-related permissions to abstractions/authentication 
(https://bugzilla.opensuse.org/show_bug.cgi?id=1220032)
  
  [ Test Plan ]
  
  This has been extensively tested via the AppArmor regression test
  script in the QA Regression Testing repo:
  https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py
  
  This script runs various tests against the installed apparmor
  package, as well as building and running the various upstream
  regression and other test suites against this installed package:
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads
    - 
https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads
  
- 
  The final test output was:
  
  --
  Ran 62 tests in 1868.839s
  
  OK (skipped=4)
+ 
+ $ apt-cache policy apparmor
+ apparmor:
+   Installed: 4.0.1-0ubuntu1
+   Candidate: 4.0.1-0ubuntu1
  
  [ Where problems could occur ]
  
  There could still be more applications affected by the
  restriction of the creation of unpriviliged user namespaces. They
  might require the creation of new unconfined profiles which could
  be mitigated in a later SRU.
  
  [ Other Info ]
  
  The SRU is available in:
  
  https://launchpad.net/~georgiag/+archive/ubuntu/apparmor-4.0.1
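
Review bot: "Where problems could occur" covers only applications affected by the unprivileged user namespace restriction, yet the Impact list also changes the sshd, samba, firefox and chromium_browser profiles, the getattr and setattr permission mapping on mqueue rules, and the pam-related permissions in abstractions/authentication. Add a sentence on how a mistake in those would show up after upgrade, so the regression risk is stated for the whole upload and not just for user namespaces.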
