Bug#883584: [apparmor] Bug#883584: A reload deletes /etc/apparmor.d/cache/CACHEDIR.TAG

2018-01-07 Thread intrigeri
intrigeri: > intrigeri: >> Dear upstream/parser developers, would it feel crazy to modify >> clear_cache_cb to ignore the passed file if its basename is >> CACHEDIR.TAG? Or should _aa_dirat_for_each get a list of excluded file >> names as a new argument, or so

Bug#886548: libreoffice-common: Try to ship all AppArmor profiles in enforce mode

2018-01-07 Thread intrigeri
in enforce mode instead. See #883800 for the beginning of this conversation. The remaining blocker seems to be autopkgtests being broken by AppArmor, due to using custom paths: René Engelhard wrote: > intrigeri wrote: >> You mentioned something elsewhere about the LibreOffice test suite >>

Bug#883800: libreoffice-common: Please re-enable the AppArmor profiles

2018-01-07 Thread intrigeri
Rene Engelhard: > done already, though in complain mode.. Thanks! I'll follow up on the next steps on a new bug report, quoting the useful bits from this one :) Cheers, -- intrigeri

Bug#884707: apparmor breaks clamdscan

2018-01-07 Thread intrigeri
Control: affects -1 - clamav-daemon Control: reassign -1 clamav-daemon Hi, Francois Gouget: > Intrigeri wrote: >> Can you please provide the corresponding AppArmor denial logs you'll >> find in the Journal or in kern.log? > Here is a short extract: > Dec 26 12:30:2

Bug#882047: [pkg-apparmor] Bug#882047: Bug#882047: apparmor-utils: aa-complain thunderbird fails

2018-01-07 Thread intrigeri
h to help you debug this problem or do you need more info? Cheers, -- intrigeri

Bug#883584: A reload deletes /etc/apparmor.d/cache/CACHEDIR.TAG

2018-01-07 Thread intrigeri
intrigeri: > Dear upstream/parser developers, would it feel crazy to modify > clear_cache_cb to ignore the passed file if its basename is > CACHEDIR.TAG? Or should _aa_dirat_for_each get a list of excluded file > names as a new argument, or something similar? > If any of these a

Bug#750106: AppArmor ineffective for LXC

2018-01-07 Thread intrigeri
e! Cheers, -- intrigeri

Bug#884787: apparmor-profiles-extra: Pidgin fails to load plugin from home directory

2018-01-07 Thread intrigeri
Control: tag -1 + fixed-upstream Control: tag -1 + pending Adrian Heine: > thanks for the help! I created > https://gitlab.com/apparmor/apparmor-profiles/merge_requests/7. Thanks a lot :) I've merged this upstream and imported the updated profile in our Vcs-Git. Cheers, -- intrigeri

Bug#879585: apparmor: Pin the AppArmor feature set in Stretch to Linux 4.9's

2018-01-07 Thread intrigeri
(#882697) Cheers, -- intrigeri

Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u1

2018-01-07 Thread intrigeri
uld remove the "confirmed" and/or "pending" tag so in doubt I'll leave it to you to do the right thing. Cheers, -- intrigeri

Bug#883948: apparmor: xdg-user-dirs should have localized directory names

2018-01-07 Thread intrigeri
Hi, good catch! It would be interesting to know how other distros handle this. Cheers, -- intrigeri

Bug#885522: apparmor breaks thunderbird's open link in firefox (quantum)

2018-01-07 Thread intrigeri
tream last July: https://gitlab.com/apparmor/apparmor/commit/ff66ca90390d14fa710ac28cc20728f934152724 … which will reach Debian once I package the recent 2.12 upstream release. Cheers, -- intrigeri

Bug#855346: been hit with same

2018-01-07 Thread intrigeri
for your feedback. I believe I've fixed this upstream in AppArmor itself: https://gitlab.com/apparmor/apparmor/commit/ff66ca90390d14fa710ac28cc20728f934152724 … which will make it into Debian once we package AppArmor 2.12. Cheers, -- intrigeri

Bug#883703: apparmor: Feature pinning breaks mount

2018-01-06 Thread intrigeri
Hi John, John Johansen: > Attached is the patch for the kernel that is currently in testing > From 1aa96ec6d0fce613e06fa4d073c8cf3e183989da Mon Sep 17 00:00:00 2001 > From: John Johansen > Date: Thu, 7 Dec 2017 00:28:27 -0800 > Subject: [PATCH] apparmor: fix

Bug#886328: live-boot: Please use /run/live instead of /lib/live/mount

2018-01-05 Thread intrigeri
agree with the proposed simplification idea. I didn't do a full code review though. Cheers, -- intrigeri

Bug#886329: aufs-dkms: Cannot use aufs union mount with Linux 4.14.7-1: kernel BUG at /var/lib/dkms/aufs/4.14+20171218/build/fs/aufs/finfo.c:113

2018-01-05 Thread intrigeri
Hi, in case it might help other Live systems still using aufs for some reason, for the record I've implemented a workaround to this bug in Tails:

Bug#886286: torbrowser-launcher: Tor Browser says .onion sites (like http://sejnfjrq6szgca7v.onion/) are not secure

2018-01-04 Thread intrigeri
Diederik de Haas: > I was indeed wondering whether it would be useful to report because of that. > As you noticed I did decide to report it and add the upstream tag because of > it, but I can understand closing it :) :) > If more ppl would report it, you could choose to reopen it so it would be

Bug#886329: aufs-dkms: Cannot use aufs union mount with Linux 4.14.7-1: kernel BUG at /var/lib/dkms/aufs/4.14+20171218/build/fs/aufs/finfo.c:113

2018-01-04 Thread intrigeri
ro=rr+wh aufs /tmp/mount \ && ls /tmp/mount ; \ ls /tmp/mount Segmentation fault bla I've tested replacing that first read access with a write access, same result. (Off-topic: I'll try to implement a workaround in live-boot.) Cheers, -- intrigeri

Bug#886329: aufs-dkms: Cannot use aufs union mount with Linux 4.14.7-1: kernel BUG at /var/lib/dkms/aufs/4.14+20171218/build/fs/aufs/finfo.c:113

2018-01-04 Thread intrigeri
pn aufs-dev -- no debconf information -- intrigeri

Bug#884043: Bug #884043: obfsproxy: Ship an AppArmor profile again

2018-01-03 Thread intrigeri
a library so > AppArmor confinement doesn't matter there. … I think leaving this bug open and wontfix for a little while is a suitable approach. If someone on the team prefers to close it, I don't mind. Cheers, -- intrigeri

Bug#862799: [Pkg-privacy-maintainers] Bug#862799: torbrowser-launcher: missing dependencies on libasound2 libdbus-glib-1-2 and libevent-2.0-5

2018-01-02 Thread intrigeri
Control: severity -1 serious Roger Shimizu: > I confirmed that there's only one package that needs to be installed > specifically: libdbus-glib-1-2 [...] > I'll only add libdbus-glib-1-2 as dependency. Thanks for confirming. Making this bug RC then, as per policy. Cheers, -- intrigeri

Bug#886009: live-config: race condition between live-config and systemd-tmpfiles-setup

2018-01-02 Thread intrigeri
Control: tag -1 + patch Ronny Standtke: > The attached patch (against the current version in git) fixes this issue. Looks good to me.

Bug#870417: perlpanel: Depends on obsolete libgnome2-vfs-perl that will go away during the Buster cycle

2017-12-31 Thread intrigeri
intrigeri: > I intend to proceed with the removal request if nobody objects within > another 2 months. Done: #885913

Bug#885913: ftp.debian.org: RM: perlpanel -- ROM; depends on deprecated+unmaintained gnome-vfs

2017-12-31 Thread intrigeri
(last time I checked, inst:74 / vote: 14). It's been orphaned back in March. I've proposed removing perlpanel 5 months ago (#870417) and nobody objected so I think we can now go ahead. Cheers, -- intrigeri

Bug#885911: ftp.debian.org: RM: yarssr -- ROM; depends on deprecated & unmaintained gnome-vfs

2017-12-31 Thread intrigeri
Package: ftp.debian.org Severity: normal Hi! The GNOME team is going to drop libgnome and related libraries in Buster. This is one of the few packages that still depend on the corresponding Perl bindings. Approval of the current maintainer: https://bugs.debian.org/868410 Cheers, -- intrigeri

Bug#870418: Precarious status of Shutter in Debian

2017-12-31 Thread intrigeri
that someone steps up. Did this happen? Updates: - The GNOME team is now bumping severity on bugs that block the removal of libgnome*. - shutter transitively depends on libunique that shall go away as well (#885811). Cheers, -- intrigeri

Bug#885775: apparmor: Apparmor triggers NULL pointer dereference in kernel 4.14.7-1 when updating with aptitude

2017-12-29 Thread intrigeri
.14 too Do you need more info from me or from the bug reporter (Kertesz Laszlo, Cc'ed)? Cheers, -- intrigeri

Bug#773346: [reportbug/master] Add AppArmor status in the bug reports (Closes: #773346)

2017-12-28 Thread intrigeri
tag 773346 pending thanks Date: Thu Oct 26 16:18:19 2017 + Author: intrigeri <intrig...@debian.org> Commit ID: f2cc06d6696a35288f109681d57fd313b6334627 Commit URL: https://anonscm.debian.org/cgit/reportbug/reportbug.git;a=commitdiff;h=f2cc06d6696a35288f109681d57fd313b6334627 Pat

Bug#885157: thunderbird: Upgrading from 1:52.5.0-1 to 1:52.5.2-1 enforces the AppArmor profile

2017-12-24 Thread intrigeri
ow how to fix this, and IMO we should not block on it before we address the bug I'm reporting here, but perhaps it's worth a NEWS.Debian entry? Cheers, -- intrigeri

Bug#866187: add torrc.d configuration directory

2017-12-23 Thread intrigeri
Next step is probably: whoever wants to see this happen works on it and proposes a branch or patch. Cheers, -- intrigeri

Bug#883949: ntp: no info how to fix the access to a local DCF clock blocked by apparmor

2017-12-21 Thread intrigeri
, only # apparmor_parser -r /path/to/ntpd/profile is missing :) > When I googled the issue, the most prominent results were to disable any > SElinux / apparmor. And this is definitely the worst option ;-) Exactly. Cheers, -- intrigeri

Bug#884787: apparmor-profiles-extra: Pidgin fails to load plugin from home directory

2017-12-21 Thread intrigeri
x upstream yourself directly? If you are: 1. fork https://gitlab.com/apparmor/apparmor-profiles 2. edit the ubuntu/18.04/usr.bin.pidgin file and commit (ideally, reference this bug report) 3. submit a merge request Otherwise, no problem, someone on the Debian AppArmor team will pick it up :) Cheers, -- intrigeri

Bug#851694: qemu: Formatting USB disks to EXT4 with nec-xhci USB controller fails with Buffer I/O fails

2017-12-19 Thread intrigeri
Hi QEMU maintainers! intrigeri: > upstream independently applied (commit 99f9aeb) the exact change > that anonym submitted them early. I've verified that this bug is > fixed in 1:2.10.0+dfsg-1 :) I've just seen another Stretch user face this bug again, and wonder why the operation

Bug#884707: apparmor breaks clamdscan

2017-12-18 Thread intrigeri
70808 > ii python33.6.3-2 > apparmor recommends no packages. > Versions of packages apparmor suggests: > pn apparmor-profiles > pn apparmor-profiles-extra > pn apparmor-utils > -- debconf information: > apparmor/homedirs: -- intrigeri

Bug#884280: [pkg-apparmor] Processed: forwarded 884280 (apparmor-profiles: dovecot denied_mask="send")

2017-12-14 Thread intrigeri
Control: severity -1 minor (We ship this profile in complain mode by default, and apart from noise in the logs, no actual functionality breakage was reported.)

Bug#884278: prevent deinstallation of boot-critical package

2017-12-13 Thread intrigeri
ter, the system hang. No error > message appeared, no clue pointed to missing apparmor. Sorry about that. How did you draw the conclusion that this system hang was caused by deinstalling the apparmor package? Cheers, -- intrigeri

Bug#849864: Bug#883170: Bug#849864: paxrat: Please run paxrat during (early) boot

2017-12-12 Thread intrigeri
Santiago R.R.: > On Mon, 16 Jan 2017 17:50:15 +0100 intrigeri <intrig...@debian.org> wrote: >> santiag...@riseup.net: >> > I am not expert on writing systemd units, and I am unable to play with >> > this soon. So it would be great if you could propose a patch :-)

Bug#883765: cups-client: Unsupported document-format "application/octet-stream".

2017-12-12 Thread intrigeri
locally by sysadmins, other than education and documentation about AppArmor so they're able to adjust their AppArmor configuration accordingly. Regards, -- intrigeri

Bug#884043: obfsproxy: Ship an AppArmor profile again

2017-12-11 Thread intrigeri
Hi pkg-privacy-tools & fteproxy maintainers! Nicolas Braud-Santoni: > On Mon, Dec 11, 2017 at 07:21:50AM +0100, intrigeri wrote: >> I suggest first checking why we're still including obfsproxy: >> I suspect most of the reverse-dependency relationships might be >> ob

Bug#884014: apparmor: AppArmor does not allow Thunderbird to open Hyperlinks with Chromium

2017-12-11 Thread intrigeri
Martin: > I can confirm that the changes from commit >> https://gitlab.com/apparmor/apparmor/commit/cc5a23d4c1236a0221f7bae0fd3d59f583ec9a1d > fix the problem. Thanks!

Bug#884014: apparmor: AppArmor does not allow Thunderbird to open Hyperlinks with Chromium

2017-12-10 Thread intrigeri
2.11.95 (aka. 2.12~beta1), unless someone wants to cherry-pick this commit as a Debian patch for now. Cheers, -- intrigeri

Bug#881936: apparmor: support usrmerge

2017-12-10 Thread intrigeri
Control: tag -1 + fixed-upstream Héctor Orón Martínez: > FYI patch got merged upstream: > https://gitlab.com/apparmor/apparmor/commit/b24a1c4d546a6825f252d27243e09c80d04cf484 Congrats! Tagging this bug accordingly :)

Bug#884043: obfsproxy: Ship an AppArmor profile again

2017-12-10 Thread intrigeri
confining matters, I'm fine with us including a profile again *if* someone commits to maintaining it, which apparently is hard to do properly without routinely using it on testing/sid. Thanks! Cheers, -- intrigeri

Bug#880387: [Filesystems-devel] Bug#880387: aufs-dkms: the module is not built for Linux 4.14

2017-12-09 Thread intrigeri
Jan Luca Naumann: > I have already prepared an upload but there was a seg fault on my test > system I want to investigate before uploading. Great, thanks for the update!

Bug#883682: don't install features-file as conffile for easier overriding

2017-12-08 Thread intrigeri
Hi, Laurent Bigonville: > if a policy creator wants to modify the policy he might need to modify this > file as well same if a user is building his own kernel. There's really no good reason why one would need to modify the default file in /usr: the features-file that the parser uses is

Bug#881936: apparmor: support usrmerge

2017-12-07 Thread intrigeri
Control: retitle -1 the upstream test suite does not support usrmerge intrigeri: > Can you please send this upstream as a merge request there: > https://gitlab.com/apparmor/apparmor/ > ? > If you prefer not to, I can forward. But IIRC it's not your first > contribution so o

Bug#882597: [pkg-apparmor] Bug#882597: libreoffice: Failed to start when apparmor is running because of user rights

2017-12-07 Thread intrigeri
intrigeri: > Rene Engelhard: >>> that everyone else can't benefit from AppArmor security benefits >>> due to that, so I'm leaning towards: >>> >>> 1. keep the AppArmor profile enforced by default, so the vast >>> majori

Bug#883800: libreoffice-common: Please re-enable the AppArmor profiles

2017-12-07 Thread intrigeri
AppArmor in Debian is that we want to avoid creating a culture of "AppArmor breaks stuff so I always disable it entirely". Cheers, -- intrigeri >From 1afd67ec9f4e68e619f4e707bd62142ba8de78cf Mon Sep 17 00:00:00 2001 From: intrigeri <intrig...@boum.org> Date: Thu, 7 Dec 2017 17:

Bug#845232: Maybe add README.Debian

2017-12-07 Thread intrigeri
it? Exactly! > ACK, thanks for your work! :) Cheers, -- intrigeri

Bug#845232: Maybe add README.Debian

2017-12-07 Thread intrigeri
Christian Boltz: > Am Donnerstag, 7. Dezember 2017, 09:40:04 CET schrieb intrigeri: >> - disabling use_group in notify.conf, so this (mostly useless AFAICT) >> check does not harm UX > Can you please submit this upstream? Sure, will do! > I agree that this check is u

Bug#882597: libreoffice: Failed to start when apparmor is running because of user rights

2017-12-07 Thread intrigeri
tablished system administration practice, and it should not come as a surprise to any advanced user who passes a custom profile path to LibreOffice on the command line. Cheers, -- intrigeri

Bug#882597: libreoffice: Failed to start when apparmor is running because of user rights

2017-12-07 Thread intrigeri
l path?) If the above does not work, yes. > One could also just patch it :-) Absolutely. Cheers, -- intrigeri

Bug#882597: [pkg-apparmor] Bug#882597: libreoffice: Failed to start when apparmor is running because of user rights

2017-12-07 Thread intrigeri
n README.Debian. > Would be nice. Great. I'll do this then :) If you don't mind, once I have a patch I won't build a test package locally: I suspect src:libreoffice takes a while to build, and my changes should boil down to setting ENABLE_APPARMOR_PROFILES=y and adding README.Debian that dh_installdocs should pick up automatically. Cheers, -- intrigeri

Bug#881496: [Pkg-privacy-maintainers] Bug#881496: onioncircuits: python3/testing and apparmor/testing breaks onioncircuits

2017-12-07 Thread intrigeri
.1). > I also can't see it being overridden anywhere. So I am not sure why this > permission should be denied... Can you please share the content of your /etc/apparmor.d/abstractions/python file? Cheers, -- intrigeri

Bug#882937: apparmor: cupsd profile blocks creation of PDF files with printer-driver-cups-pdf

2017-12-07 Thread intrigeri
MEDIRS}+=/home/host to /etc/apparmor.d/tunables/home.d/site.local should do the trick. Then, "sudo systemctl restart apparmor" and retry. Does this fix the problem you're experiencing? Cheers, -- intrigeri

Bug#883682: don't install features-file as conffile for easier overriding

2017-12-07 Thread intrigeri
Fabian Grünbichler: > sounds like a plan, I'll re-spin my patch later today. :)

Bug#882047: apparmor-utils: aa-complain thunderbird fails

2017-12-07 Thread intrigeri
d work (before the change that prompted the aforementioned merge request) as documented. Shall we simply modify aa-complain(8) to make it clearer that one is supposed to pass the path to the binary that's being confined by the profile, and not anything else? Cheers, -- intrigeri

Bug#883682: don't install features-file as conffile for easier overriding

2017-12-07 Thread intrigeri
Hi, Fabian Grünbichler: > On Thu, Dec 07, 2017 at 08:47:52AM +0100, intrigeri wrote: >> > I am not sure whether we are the only derivative/downstream/.. affected >> > by this change, but it has the potential to break a lot of setups using >> > their own (more re

Bug#845232: Maybe add README.Debian

2017-12-07 Thread intrigeri
t one must be in the "adm" group to use aa-notify - disabling use_group in notify.conf, so this (mostly useless AFAICT) check does not harm UX So let's not bother tracking this on a new, dedicated bug. Cheers, -- intrigeri

Bug#880859: apparmor-notify: packaging patches first utils/notify.conf but then overwrites it with debian/notify/notify.conf

2017-12-07 Thread intrigeri
ful for. ⇒ I'll unset use_group in the next upload of the package to Debian. Then, if someone explains what use_group is supposed to be useful for, we can reconsider later :) Cheers, -- intrigeri

Bug#883256: apparmor-profiles-extra: Totem can't access files outside $HOME

2017-12-06 Thread intrigeri
nt,opt,srv}/**. Where are the files you're trying to play located? If they are in one of the supposedly allowed directories, please provide the AppArmor denial logs. Thanks in advance! Cheers, -- intrigeri

Bug#883682: don't install features-file as conffile for easier overriding

2017-12-06 Thread intrigeri
f this use case and we can work together to support it better :) >> > intrigeri: >> >> Understood. Ideally parser.conf would be complemented by >> >> /etc/apparmor/parser.conf.d/*.conf, which could be sourced at the end >> >> of parser.conf somehow. A

Bug#883561: thunderbird: AppArmor profile is not applied after opting-in due to new binary path

2017-12-06 Thread intrigeri
This is now really "pending": I've merged the fix upstream and pushed it to our Vcs-Git :)

Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u1

2017-12-06 Thread intrigeri
intrigeri: > At first glance this very much looks like a bug in the custom kernel > you're using. According to #883703 this bug affects the mainline Linux kernel as well so this stretch-pu may break as many use cases as it'll repair when running Linux 4.13+ on Stretch :/ Dear release tea

Bug#883703: apparmor: Feature pinning breaks mount

2017-12-06 Thread intrigeri
or sid, I think we should simply bump the pinned feature set to 4.14's: it's easier to fix policy than to deal with kernel bugs. Cc'ing John so he's aware of this kernel bug. For Stretch, my proposed update shall be reverted. I'll follow up on the corresponding release.d.o bug. :/ Cheers, -- intrigeri

Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u1

2017-12-06 Thread intrigeri
Hi again Fabian & release team, Fabian Grünbichler: > On Wed, Dec 06, 2017 at 03:28:03PM +0100, intrigeri wrote: >> > it potentially breaks systems using a custom/backports/newer kernel >> > and AA profiles requiring features not supported by the pinned 4.9 >> >

Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u1

2017-12-06 Thread intrigeri
becomes weaker, but the application keeps working. > since > both the AA config file itself and the feature set file are conffiles, > overriding is not easily possible without conffile modification. Right. Sorry I did not think about this Debian derivative use case. > I'll of course def

Bug#879585: apparmor: Pin the AppArmor feature set in Stretch to Linux 4.9's

2017-12-06 Thread intrigeri
than currently.. Right. This looks like a good interim solution to me. Do you want to try to implement it in the packaging? > intrigeri: >> Understood. Ideally parser.conf would be complemented by >> /etc/apparmor/parser.conf.d/*.conf, which could be sourced at the end >> of parser.c

Bug#883584: A reload deletes /etc/apparmor.d/cache/CACHEDIR.TAG

2017-12-06 Thread intrigeri
ent, or something similar? If any of these approaches seems acceptable, is anyone around willing to write this patch, or should I try to find a C person elsewhere? Thanks in advance! Cheers, -- intrigeri

Bug#879585: apparmor: Pin the AppArmor feature set in Stretch to Linux 4.9's

2017-12-05 Thread intrigeri
ks a lot for working hard on getting AA to work OOTB in Debian BTW > - long overdue and really looking forward to it!) Thank you :) Cheers, -- intrigeri

Bug#882769: Cannot upgrade from Stretch: cp: target '/lib/live/mount/medium/live/vmlinuz.new' is not a directory

2017-12-05 Thread intrigeri
Thomas Goirand: > Do you know if it's possible to generate a Sid live system? We have weekly builds of testing Live ISO images: https://get.debian.org/cdimage/weekly-live-builds/amd64/iso-hybrid/ … so I don't see any reason why building sid Live systems would be impossible :)

Bug#883561: thunderbird: AppArmor profile is not applied after opting-in due to new binary path

2017-12-05 Thread intrigeri
thunderbird /usr/lib/thunderbird/thunderbird { +profile thunderbird /usr/lib/thunderbird/thunderbird{,-bin} { #include #include #include Cheers, -- intrigeri
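Review bot: the `+profile` line widens the attachment to `/usr/lib/thunderbird/thunderbird{,-bin}` without a comment saying why both paths are needed. Add a one-line comment above the profile header naming the `thunderbird-bin` path, so the alternation is not simplified away in a later cleanup and the profile does not silently stop attaching again.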

Bug#882769: Cannot upgrade from Stretch: cp: target '/lib/live/mount/medium/live/vmlinuz.new' is not a directory

2017-12-04 Thread intrigeri
jority of cases. Besides, I would feel wrong to see live-boot automatically removed from testing merely because of this bug. So perhaps this could be demoted to severity:important? Cheers, -- intrigeri

Bug#880387: aufs-dkms: the module is not built for Linux 4.14

2017-12-04 Thread intrigeri
feasible) so that we're > ready when 4.14 reaches sid? Linux 4.14 is now in sid so I think this makes this bug RC. Cheers, -- intrigeri

Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u1

2017-12-02 Thread intrigeri
Adam D. Barratt: > Please go ahead, bearing in mind that the window for getting fixes into > the 9.3 point release closes during this weekend. Thanks, uploaded. Cheers, -- intrigeri

Bug#883069: linux-image-4.14.0-trunk-amd64: Please consider enabling CONFIG_SLAB_FREELIST_HARDENED

2017-11-29 Thread intrigeri
/security trade-off for Debian? If it helps making a decision I could hunt for benchmark results (the KSPP people tend to attach these to their pull requests when it matters). [0] https://outflux.net/blog/archives/2017/11/14/security-things-in-linux-v4-14/ Cheers, -- intrigeri

Bug#882597: libreoffice: Failed to start when apparmor is running because of user rights

2017-11-28 Thread intrigeri
directly edit it so it looks like this: /usr/bin/irssi flags=(complain) { Cheers, -- intrigeri

Bug#882937: apparmor: cupsd profile blocks creation of PDF files with printer-driver-cups-pdf

2017-11-28 Thread intrigeri
e :) Cheers, -- intrigeri

Bug#879585: apparmor: Pin the AppArmor feature set in Stretch to Linux 4.9's

2017-11-25 Thread intrigeri
y problem. Now that AppArmor is enabled by default in testing/sid, I suspect more users of Stretch may want to try it out. So it would really be nice to avoid breaking things for them in case they need a kernel from backports, e.g. to support newer hardware. Cheers, -- intrigeri

Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u1

2017-11-25 Thread intrigeri
in recent kernels. + + -- intrigeri <intrig...@debian.org> Sat, 25 Nov 2017 18:04:05 + + apparmor (2.11.0-3) unstable; urgency=medium * Fix CVE-2017-6507: don't unload unknown profiles during package diff -Nru apparmor-2.11.0/debian/features apparmor-2.11.0/debian/features --- apparmor-

Bug#882672: thunderbird: Disable the AppArmor profile by default

2017-11-25 Thread intrigeri
intrigeri: > Yes. You can delete intrigeri/bugfix-882672 right away, and delete > intrigeri/bugfix-882672-v2 after you've merged or cherry-picked > its commits. You can now delete both. > So I'll merge my branch myself once I've tested a package built > from it :) I've rebased m

Bug#882672: thunderbird: Disable the AppArmor profile by default

2017-11-25 Thread intrigeri
the Thunderbird AppArmor profile. Good idea! I've added a link to the corresponding doc on wiki.d.o (commit d8dcde6daa on my branch). > You mean both branches are to delete later? Yes. You can delete intrigeri/bugfix-882672 right away, and delete intrigeri/bugfix-882672-v2 after you've merg

Bug#882672: [pkg-apparmor] Bug#882672: thunderbird: Disable the AppArmor profile by default

2017-11-25 Thread intrigeri
Control: tag -1 + patch Hi Carsten, please review and merge the intrigeri/bugfix-882672-v2 branch (in Vcs-Git). It would be great to include this change in the next upload to sid, so that we stop breaking Thunderbird UX with AppArmor :) I'm now building a package to test my changes, but it'll

Bug#882043: Firefox wont open from thunderbird

2017-11-25 Thread intrigeri
Control: reassign -1 apparmor Control: affects -1 thunderbird Control: tag -1 + upstream Control: tag -1 + fixed-upstream Control: tag -1 - moreinfo Vincas Dargis: > Looks like ubuntu-browsers abstraction is fixed in upstream: >

Bug#880424: thunderbird: apparmor should allow the execution of the configured browser

2017-11-25 Thread intrigeri
Control: severity -1 minor Once AppArmor profile for Thunderbird is disabled by default (#882672), this bug will only affect users who opt-in.

Bug#882672: thunderbird: Disable the AppArmor profile by default

2017-11-25 Thread intrigeri
right away. FTR the two other people who've been actively working on this profile recently agree with this proposal: - Simon Deziel: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882218#25 - Vincas Dargis: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882048#50 Cheers, -- intrigeri

Bug#882218: thunderbird: Apparmor doesn't allow personal profiles outside of ~/.{thunderbird,icedove}

2017-11-24 Thread intrigeri
ide whether it's good enough or we should ship this profile disabled by default. Cheers, -- intrigeri

Bug#882048: apparmor should let thunderbird use signatures from files

2017-11-23 Thread intrigeri
void for years. I'm very tempted to propose we simply disable this profile by default: I have very little hope at this point that we can make it open enough to avoid breaking all kinds of corner cases, while keeping it strict enough to be meaningful at all. Opinions? Cheers, -- intrigeri

Bug#882043: apparmor should allow thunderbird to open links with firefox via exo-helper on xfce

2017-11-23 Thread intrigeri
"x" denied_mask="x" fsuid=1000 ouid=0 > Firefox is set as the preferred web browser under xfce "Preferred > Applications". Thanks for this bug report! Could you please try reproducing this with thunderbird 1:52.4.0-2~exp1 or newer, currently available in Debian experimental? Cheers, -- intrigeri

Bug#882044: apparmor should allow thunderbird to open text files with geany under xfce

2017-11-23 Thread intrigeri
Control: reassign -1 thunderbird Control: fixed -1 1:52.4.0-2~exp1 Hi, Ben Caradoc-Davies: > opening a text attachment in thunderbird under xfce results in an error > dialog: > Failed to execute default File Manager. > Failed to execute child process “/usr/bin/Thunar” (Permission denied).

Bug#882045: [pkg-apparmor] Bug#882045: apparmor should let thunderbird open images with viewnior

2017-11-23 Thread intrigeri
/anonscm.debian.org/cgit/pkg-mozilla/thunderbird.git/tree/debian/apparmor/usr.bin.thunderbird Reassigning accordingly. Note that the fix is already in Debian experimental :) Cheers, -- intrigeri

Bug#882135: apparmor: Update AppArmor abstractions for Java 8 and 9

2017-11-23 Thread intrigeri
g the fix (once merged upstream) into the Debian packaging, in your opinion? Cheers, -- intrigeri

Bug#882070: apparmor: AppArmor should allow to read /etc/pulse subdirectories

2017-11-23 Thread intrigeri
Hi! Vincas Dargis: > I have discovered this DENIED message on Debian Sid with Thunderbird: > type=AVC msg=audit(1511012066.035:570): apparmor="DENIED" operation="open" > profile="thunderbird" > name="/etc/pulse/client.conf.d/00-disable-autospawn.conf" > pid=4507 comm="thunderbird"

Bug#882103: python-pkg-resources: crashing with "ImportError: No module named load_entry_point"

2017-11-21 Thread intrigeri
requested_mask="c" denied_mask="c" fsuid=1002 ouid=1002 Nov 21 18:45:11 ensifera kernel: audit: type=1400 audit(1511286311.333:1879): apparmor="DENIED" operation="open" profile="/usr/bin/obfsproxy" name="/proc/6975/mounts" pid=6975 comm="obfsproxy" requested_mask="r" denied_mask="r" fsuid=1002 ouid=1002 I could not see the error Marc is reporting, because I don't know how exactly I should run obfsproxy to trigger it. Marc, could you please share the exact command line you're running? Lunar, unless you disagree I'll do a team upload that disables this profile by default. We can re-enable it if/once someone feels like keeping it up-to-date and working. What do you think? Cheers, -- intrigeri

Bug#881496: [Pkg-privacy-maintainers] Bug#881496: Bug#881496: onioncircuits: current python3/testing breaks onioncircuits

2017-11-18 Thread intrigeri
Sascha Steinbiss: > Can anyone else in the team reproduce this issue or probably comment? I can't reproduce this on current sid.

Bug#881936: apparmor: support usrmerge

2017-11-17 Thread intrigeri
make sense if you would send your proposed changes directly upstream :) Cheers, -- intrigeri

Bug#880532: thunderbird: tries to exec nvidia-modprobe which is denied by apparmor

2017-11-17 Thread intrigeri
the next upload of Thunderbird to sid so I went ahead and submitted a MR upstream: https://gitlab.com/apparmor/apparmor-profiles/merge_requests/4 Simon, can you please review it and report back there? Cheers, -- intrigeri

Bug#880078: Re: Bug#880078: apparmor: Bump pinned feature set to Linux 4.14's

2017-11-15 Thread intrigeri
n my > part), > although if feature set pinning is working fine on 4.14, we still have > some time, > I guess..? Yes :) Cheers, -- intrigeri

Bug#881460: apparmor-profiles: dhclient set to enforce prevents getting an IPv4 with DHCP

2017-11-14 Thread intrigeri
Hi, Gabriel Filion: > intrigeri: > thanks for the super clear explanation for changing the status :) :) >> If you came across instructions that told you to enforce such profiles >> and that did not point you to the aforementioned warning, then I'm >> very sorry! I'l

Bug#880078: apparmor: Bump pinned feature set to Linux 4.14's

2017-11-12 Thread intrigeri
it Debian users. Enthusiastic users are of course welcome to do the same if they wish to give a hand: they'll notice issues and report bugs that we would not notice in other environments (yeah, CI and all that). Cheers, -- intrigeri
