Package: libqt5network5
Version: 5.9.1+dfsg-9
Severity: important
Tags: upstream
Dear Maintainer,
There is a recent upstream bug report QTBUG-64742 [0] which I believe
can be considered a security issue introducing at least DoS.
[0] https://bugreports.qt.io/browse/QTBUG-64742
-- System
Looks like ubuntu-browsers abstraction is fixed in upstream:
https://gitlab.com/apparmor/apparmor/commit/ff66ca90390d14fa710ac28cc20728f934152724
On 2017.11.23 19:31, intrigeri wrote:
What are the practical consequences of this bug?
Do you think we should cherry-pick the fix into the Debian packaging?
Thunderbird manages to produce alert sound even with this deny, so I doubt this
is critical.
Maybe it's enough to wait for next
After seeing https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882218 I changed
my mind. It's too complicated :( .
If Thunderbird profile path would be an AppArmor parser variable, that could be (somehow?) updated by
local/usr.bin.thunderbird, these kinds of customizations could be dealt with by
On 2017.11.24 10:12, Philipp Kolmann wrote:
Adding
/usr/lib/firefox/firefox Cx -> sanitized_helper,
to /etc/apparmor.d/usr.bin.thunderbird didn't help. (after restarting
thunderbird. or do I need to do something else?)
Profile has to be reloaded with `sudo apparmor_parser -r -W
On 2017-12-03 19:00, Carsten Schoenert wrote:
_The question is_, will you agree to ship empty file
`/etc/apparmor.d/local/tunables/usr.bin.thunderbird`? We do not have
"#include_if_exists" or similar mechanism in AppArmor parser to avoid that
yet.
I'm not against shipping such an empty file.
Regarding denied access to `.config/pulse/*.conf` files, I proposed fix for
that upstream:
https://gitlab.com/apparmor/apparmor/merge_requests/38
Hi,
Please note that AppArmor profiles are extendable by modifying `local` files,
in this case, please try editing this file:
sudo vim/nano/whatever /etc/apparmor.d/local/usr.bin.totem
Add a line:
/media/** r,
Also maybe this line, depending on where your mounts are:
/mnt/** r,
Or in one
On 2017-12-01 19:17, Vincas Dargis wrote:
Or in one go:
/{media,mnt,srv,wherever/mounts/are}/**
Sorry, it is a mistake, it should have been :
/{media,mnt,srv,wherever/mounts/are}/** r,
(was missing `r,`)
sudo apparmor_parser -r /etc/apparmor.d/local/usr.bin.totem
This should have been
Package: thunderbird
Version: 1:52.5.0-1~deb8u1
Severity: normal
Tags: upstream
User: pkg-apparmor-t...@lists.alioth.debian.org
Usertags: help-needed
Dear Maintainer,
I have tried to use latest upstream Thunderbird profile available in
Debian VCS-Git on Debian Jessie (where this profile will ship
On 2017-12-14 19:21, Joachim Wuttke wrote:
Could you check what packages installed on your system have shipped an
AppArmor profile, and so are maybe causing the issue, like this:
dpkg -S /etc/apparmor.d/
# dpkg -S /etc/apparmor.d/
apparmor-profiles-extra, apparmor: /etc/apparmor.d
Thanks,
On Wed, 13 Dec 2017 14:19:13 +0100 Joachim Wuttke
wrote:
> How did you draw the conclusion that this system
> hang was caused by deinstalling the apparmor package?
After the Grub chooser, on default boot mode, I got
a black text screen, then one line, saying that
On Wed, 13 Dec 2017 11:17:41 +0100 Félix Sipma
wrote:
I found the following lines in my logs:
Dec 13 11:03:05 kernel: audit: type=1400 audit(1513159385.786:224): apparmor="ALLOWED" operation="signal"
profile="/usr/sbin/dovecot" pid=30693 comm="dovecot"
Simon, could you take a look into my MR:
https://gitlab.com/apparmor/apparmor-profiles/merge_requests/6
Thanks!
On 2017.11.14 02:49, Scott Kitterman wrote:
Looks like `demime` is no longer supported [0].
[0] https://lists.gt.net/exim/users/107794#107794
Did using the new value mentioned in the linked message solve your problem?
I actually just skipped that mime configuration part at all, I just
On 2017.11.16 22:34, Sebastian Andrzej Siewior wrote:
Looks like `demime` is no longer supported [0].
as per [0] it looks like the "demime = *" needs to go. Everything else
(that "malware = *" line acl data) is okay. So I drop that line and we
are good again.
[0]
On 2017.11.18 04:07, Ben Caradoc-Davies wrote:
when apparmor is enabled, thunderbird signatures from files disappear. For
example, one account uses: "Attach the signature from a file instead":
/home/ben/.signature-...@transient.nz
You mean, signatures are not loaded into Thunderbird, or these
On 2017.11.18 03:20, Ben Caradoc-Davies wrote:
profile="thunderbird" name="/usr/bin/viewnior" pid=27896 comm="thunderbird"
profile="thunderbird" name="/usr/bin/thunar" pid=27901 comm="exo-helper-1"
Hi,
All these `/usr/bin` executions should be fixed (also mentioned in your other bug
Thunderbird fails to read signature even on complain mode, because AFAIK
complain mode does still mediate `deny` clauses:
sudo sysdig "fd.name contains signature"
271543 15:19:14.386997890 6 thunderbird (3680) < open fd=-13(EACCES) name=/home/vincas/.signature-...@example.com
flags=1(O_RDONLY)
Looks like the culprit is this line in usr.bin.thunderbird [0]:
```
deny @{HOME}/.* r,
```
I am not a maintainer of Thunderbird, but I _guess_ that the story is like this:
1. AppArmor profiles deny everything that's not allowed by default.
2. Thunderbird profile has only some dot-directories
Package: apparmor
Version: 2.11.1-3
Severity: normal
Tags: upstream
Dear Maintainer,
I have discovered this DENIED message on Debian Sid with Thunderbird:
type=AVC msg=audit(1511012066.035:570): apparmor="DENIED" operation="open"
profile="thunderbird"
On 2017.11.12 18:57, Luca Boccassi wrote:
No need to purge many packages - just removing libgl1-nvidia-glx[:i386]
and nvidia-driver-libs[:i386] and trying to reinstall just nvidia-
driver-libs and nvidia-driver-libs:i386 is enough. The theory is that
they should bring in the gl packages.
Since network mediation is reverted from 4.14 (sorry have no link to cite), is this still a blocker? Do we need to
"sprint" for 4.14-possibly-introducing issues?
On 2017.11.12 17:55, Luca Boccassi wrote:
libgl1-nvidia-glx is missing - install nvidia-driver-libs and it should
bring it in
I got error:
```
sudo apt install nvidia-driver-libs
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not
```
Could you elaborate how that feature pinning works?
If there's machine running RC7 and `features-files=` line is commented out,
what that state actually means?
On 2017.11.12 18:37, Luca Boccassi wrote:
Have you tried to install both nvidia-driver-libs and nvidia-driver-
libs:i386 ? Maybe it's due to multiarch
I do not recall installing nvidia-driver-libs before your suggestion. I only installed primus-libs:i386, what's
concerning multiarch. But I
OK so I've seen that there were some nvidia and GL-related upgrades for my Testing machine, so I have attempted to retry
by reinstalling related packages.
First I've purged:
```
sudo apt purge --autoremove bumblebee primus primus-libs nvidia-*
```
After reboot:
```
glxgears -info
Running
```
On 2017.11.12 17:30, Luca Boccassi wrote:
```
sudo apt install bumblebee-nvidia primus primus-libs:i386
```
What did this actually install?
This is copy-paste from /var/log/apt/history.log, does this help?
```
Start-Date: 2017-11-12 16:52:27
Commandline: apt install bumblebee-nvidia
```
On 2017.11.12 19:14, intrigeri wrote:
Rules that are not supported by the running kernel are ignored even if
they're explicitly listed via the features-file setting. In other
words, features-file caps the feature set, but it doesn't require the
kernel to support all listed features.
Thanks,
On 2017.11.12 19:21, Luca Boccassi wrote:
Ok, thanks for trying. Buster and Sid have the same versions right now
so it's ok. I'll try to have a look at why apt is failing like that.
Feel free to let me know when some testing is needed.
Package: clamav
Version: 0.99.3~beta1+dfsg-2
Severity: minor
Dear Maintainer,
I have edited Exim4 configuration as README.Debian.gz suggested:
```
Then add the following to your data time acl:
deny message = This message contains a virus: ($malware_name) please scan
your system.
```
Relevant NEWS entry:
```
pulseaudio (11.1-2) unstable; urgency=medium
* Since this version, pulseaudio disables autospawn by default on linux
systems, and replaces that with systemd socket activation. If you are not
using systemd, then please edit or remove
```
Package: apparmor
Version: 2.11.1-3
Severity: normal
Tags: upstream patch
Control: forward -1 https://gitlab.com/apparmor/apparmor/merge_requests/13
Dear Maintainer,
I have discovered that java abstraction is outdated, see forwarded MR for more
info.
-- System Information:
Debian Release:
On 2017.11.18 23:24, Ben Caradoc-Davies wrote:
>> Anyway, I believe change to allow Thunderbird to read arbitrary
dot-files or directories is not going to happen,
But surely a rule for ~/.signature* is an exception? The use of ~/.signature is an ancient convention, the default for
many email
On 2017.11.12 19:21, Luca Boccassi wrote:
Please note it's on Testing, not Sid if that makes difference.
Ok, thanks for trying. Buster and Sid have the same versions right now
so it's ok. I'll try to have a look at why apt is failing like that.
Sorry for little off-topic, but what's
Control: tags -1 +patch
Control: user pkg-apparmor-t...@lists.alioth.debian.org
Control: usertags -1 +modify-profile
I see that /etc/mysql/mariadb.cnf deny is fixed in Vcs-Git, though there are
two more additional denies:
type=AVC msg=audit(1509645650.114:137): apparmor="DENIED"
Please try with guest additions 5.2.1 image [0] from
https://www.virtualbox.org/wiki/Downloads
There were various issues [1] and for me that updated image fixed it. It works on
rc7 guest.
[0]
https://www.virtualbox.org/download/testcase/VBoxGuestAdditions_5.2.1-118918.iso
[1]
It started working for me after I have used new Guest Additions iso [0][1].
Found it through ticket #17163 [2]
[0]
https://www.virtualbox.org/download/testcase/VBoxGuestAdditions_5.2.1-118918.iso
[1] https://www.virtualbox.org/wiki/Downloads
[2] https://www.virtualbox.org/ticket/17163
Maybe we need TODO inside a profile for the future, to not forget that we need abstraction or explicit rules for
xul-ext-editor, when we fix that too-permissive `/usr/bin/* Cx -> sanitized_helper`?
On 2017-12-04 21:19, Carsten Schoenert wrote:
GUI stuff where users can easily inspect the current enabled
profile
Yeah, I miss some sort of convenient auditing tool too.
If we add the now possible @{thunderbird_user_dirs} directive we need to
think about some migration scenario too. The
Although updated AppArmor profile fixes this (and similar) issue, please note that current Thunderbird profile state is
pretty poor security-wise. Decision was made to make it much more permissive in order not to break usability as
Thunderbird profile was enabled by default. Some work in seeded
Please remind me to test and possibly update AppArmor profile when this reaches
experimental.
Hi,
This bug seems duplicate of:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882048
Please test my WIP patch:
https://gitlab.com/Talkless/apparmor-profiles/blob/fix-thunderbird-signature/ubuntu/18.04/usr.bin.thunderbird
On Thu, 7 Dec 2017 06:37:35 -0600 "Schofield, Eric James"
wrote:
Looking into usr.bin.thunderbird, it seems like the line that blocks
.Xauthority is line 113:
deny @{HOME}/.* r
Changing this line to:
deny @{HOME}/.[^X]* r
allows thunderbird to start as normal for me.
On Fri, 1 Dec 2017 18:05:49 +0100 Jack Henschel wrote:
$ grep deny /etc/apparmor.d/usr.bin.thunderbird
27
I was really hoping there would be a more convenient way of debugging this ...
I'll see when I get around to doing it.
sysdig can be used for that:
```
sudo apt
```
Ben, could you try my WIP patch for fixing this (and similar) issue:
https://gitlab.com/Talkless/apparmor-profiles/blob/fix-thunderbird-signature/ubuntu/18.04/usr.bin.thunderbird
After doing like this:
```
wget -O /tmp/usr.bin.thunderbird /etc/apparmor.d/usr.bin.thunderbird
```
On 2017-12-07 21:58, Schofield, Eric James wrote:
(thunderbird:20247): Gtk-WARNING **: Attempting to read the recently used resources file at
'/home/e/.local/share/recently-used.xbel', but the parser failed: Failed to open file
“/home/e/.local/share/recently-used.xbel”: Permission denied.
On 2017-12-07 21:58, Schofield, Eric James wrote:
Using the file above does allow thunderbird to open up on my system. Going through the file -> open steps produced the
following output in dmesg:
Thanks for testing!
[skipping STATUS entries...]
[Thu Dec 7 13:50:03 2017] audit: type=1400
On 2017-12-10 11:39, Philipp Huebner wrote:
Since Debian has ongoing experiment to have AppArmor enabled by default in
Buster, I believe
it would be useful to have AppArmor profile made good enough to be enabled by
default for
this internet-facing daemon too. Maybe this suggestion could make
That's pretty bad.
I guess we need some sort of workflow to test packages on experimental before
they ship to the masses.
Package: ejabberd
Version: 17.08-3
Severity: wishlist
User: pkg-apparmor-t...@lists.alioth.debian.org
Usertags: new-profile
Dear Maintainer,
I have seen call for help maintaining this package [0], and thought that one way
to help with that is by upstreaming AppArmor profile to
Package: apparmor
Version: 2.11.1-4
Severity: wishlist
Dear Maintainer,
Currently `tunables/xdg-user-dirs` has only English versions of common
user directories:
```
@{XDG_DESKTOP_DIR}="Desktop"
@{XDG_DOWNLOAD_DIR}="Downloads"
@{XDG_TEMPLATES_DIR}="Templates"
...
```
This means that
Package: ejabberd
Version: 17.08-3
Severity: normal
Tags: patch
Dear Maintainer,
I have discovered number of DENIED messages produced by AppArmor, due to the
fact that I have `usrmerge` package installed, and some additional rules
missing:
```
type=AVC msg=audit(1512580362.337:361):
```
On 2017-12-02 01:26, Seth Arnold wrote:
So a rule such as
/{media,mnt,srv,wherever/mounts/are}/ r,
would be useful.
Thanks for fixing this!
But.. wait...
There are rules for browsing all directories and reading from common mount
points in abstractions/totem already:
/**/ r, [1]
On 2017-11-28 03:36, Seth Arnold wrote:
Can sysdig grab stacktraces at the time of the open() call? It might be
educational to find out what exactly is doing the reading.
After installing `libglib2.0-0-dbgsym` package from `unstable-debug`
repository, I get these backtraces:
```
Thread 91
```
Dear Maintainer,
I am suggesting to fix this issue by providing @{thunderbird_user_dirs} variable, that could be modified by the user to
add additional paths, such as `/home/me/Archives` or `/mnt/foo`. This kind of functionality is discussed in AppArmor mailing
list [0].
I have tested with
On 2017.10.25 10:26, intrigeri wrote:
Indeed, it might be that the specific rules about evince & totem
you're quoting from my patch above are not needed. It would be nice if
we could drop them (and the maintenance cost of hard-coding a list of
exceptions) so I'm hoping your testing confirms your
I just removed those 2 lines and ran some tests (calendar, enigmail,
etc) and saw no denials.
Do you plan to fix this as part of your MR upstream for #855346?
Cheers,
I totally forgot about this bug, I guess I could push this in same MR.
On 2017.10.25 10:26, intrigeri wrote:
Also, if sanitized_helper contains:
`/{usr/,}bin/* Pixr,`
Doesn't this automatically mean that this line in usr.bin.thunderbird profile
`/{usr/,}bin/* Cx -> sanitized_helper,`
will in result launch /usr/bin/totem with its *P*rofile?
I wonder,
Patch snippet:
+ # Allow opening attachments
+ /{usr/,}bin/* Cx -> sanitized_helper,
+ /{usr/,}sbin/* Cx -> sanitized_helper,
+ /usr/local/{bin,sbin}/* Cx -> sanitized_helper,
+ /usr/lib/libreoffice/program/soffice Cxr -> sanitized_helper,
+ /usr/bin/evince Pix,
+ /usr/bin/totem Pix,
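Review bot: the three wildcard rules (`/{usr/,}bin/*`, `/{usr/,}sbin/*` and `/usr/local/{bin,sbin}/*`, each with `Cx -> sanitized_helper`) let the profile execute any binary in those directories, which is much wider than the "Allow opening attachments" comment suggests. Consider listing the expected attachment handlers explicitly, or extend the comment to say why a wildcard is needed and what `sanitized_helper` is relied on to restrict. The wildcards also already match `/usr/bin/evince` and `/usr/bin/totem`, so a comment explaining why those two get separate `Pix` rules would help, and `soffice` is the only rule using `Cxr` rather than `Cx`, which looks inconsistent.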
Do
I've started to work on patch on comment #60. Notifying to avoid work
duplication.
On Fri, 11 May 2018 15:12:55 +0200 Sebastian Ramacher <sramac...@debian.org>
wrote:
> On 2018-05-10 06:43:34, Vincas Dargis wrote:
> > If I export these variables:
> >
> > export DEB_BUILD_MAINT_OPTIONS=sanitize=+address,+undefined
>
> You'll need t
I have managed to rebuild vlc and libavcodec packages with address
sanitizer. I still had problems to make llvm-symbolizer work... but anyway,
it's double-free:
```
libvlc: removing module "avcodec"
=
==3782==ERROR: AddressSanitizer:
```
Package: src:vlc
Version: 2.2.7-1~deb9u1
Severity: normal
Dear Maintainer,
I wanted to build vlc with address sanitizer enabled to catch some
strange crashes, but strangely ASAN interferes with build process.
If I export these variables:
export
Package: src:vlc
Version: 2.2.7-1~deb9u1
Severity: normal
Dear Maintainer,
We are developing application using VLC-Qt, that uses libvlc,
libvlcore libraries from Debian repository for displaying RTSP streams.
Everything was OK while application was running on Jessie amd64 machine.
When running
On 5/8/18 10:31 PM, Philipp Huebner wrote:
Hi,
what's the status here?
Regards,
Sorry, I have this task still on hold, because I'm having too much
TODO's in my AppArmor contribution list already, and I considered other
tasks being higher priority.
Although anyone could just create pull
On 6/10/18 1:41 PM, intrigeri wrote:
Control: found -1 1:60.0~b2-11:60.0~b6-1
Control: merge 895563 -1
Vincas Dargis:
The problem is, that I should have reported this bug much earlier
Actually you did notice and report this bug earlier (#895563) but for
some reason, once the fix was applied
Package: src:vlc
Version: 3.0.2-0+deb9u1
Severity: normal
Dear Maintainer,
It seems that hardware decoding no longer works after Stretch got
VLC v3.
This is example from Debian Jessie VLC, when playing RTSP stream
(acceleration works):
```
[7f372800e0a8] avcodec decoder debug: available
```
On 6/13/18 6:00 PM, intrigeri wrote:
For the record, with 2.13-1 I see a different error:
# aa-complain thunderbird
Setting /usr/bin/thunderbird to complain mode.
ERROR: Path doesn't start with / or variable: gpg
i.e. aa-complain chokes on the "gpg" named child profile.
Cheers,
Package: apparmor-utils
Version: 2.13-1
Severity: normal
Dear Maintainer,
This is what I get with `aa-logprof` after installing 2.13 from
experimental (no reboot yet):
```
ERROR: Syntax Error: Unknown line found in file
cache.d/b64c78f3.0/usr.bin.dragon line 1455:
version
```
Package: thunderbird
Version: 1:60.0~b6-1
Severity: normal
Tags: upstream
Dear Maintainer,
I've noticed new DENIED message after recent pack of Sid updates, where
some new Mesa packages were received:
```
type=AVC msg=audit(1528914778.433:521): apparmor="DENIED" operation="open"
```
Package: apparmor
Version: 2.13-1
Severity: normal
Dear Maintainer,
AppArmor 2.13 fails to start if I set `features-file=` in parser.conf:
```
# systemctl status apparmor
● apparmor.service - Load AppArmor profiles
Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor
```
Package: bumblebee
Version: 3.2.1-17
Severity: normal
Dear Maintainer,
Looks like after recent Mesa update in Sid, I cannot use optirun any
more on laptop with i7-4710HQ and GM107M [GeForce GTX 860M] as it
introduces crash for application run under it.
Launching `optirun glxgears` makes
On 6/14/18 12:16 PM, intrigeri wrote:
At first glance this looks like:
https://gitlab.com/apparmor/apparmor/merge_requests/110
Can you please confirm that MR fixes this problem for you?
If it does I'll import it into debian/patches.
Yes, it fixed.
On 6/14/18 10:15 PM, intrigeri wrote:
Can you try to reproduce on Stretch and sid? If behaviour has changed,
it's a different matter :)
It fails the same on Stretch, it's not a regression, so it's my mistake.
Sorry for the noise.
P.S. What's the right way to close BTS bug as invalid?
On Wed, 2 May 2018 12:15:12 -0400 Jamie Bliss
wrote:
On Wed, May 2, 2018 at 11:34 AM, Jamie Bliss
wrote:
#896921. It was merged April 25 into 2017.7, so should make it into the
next point releases for 2017.7 and 2018.3.
2017.7.6 is released now [0], could this fix the issue?
[0]
On Wed, 13 Jun 2018 19:44:58 +0200 intrigeri wrote:
I'll be very busy until DebCamp so it's unlikely I do much on this
front until then (best case I'll press the right buttons to enable
this on my own system once 4.17 is in sid, but I won't have time to
test software I don't use myself).
On Wed, 13 Jun 2018 19:44:58 +0200 intrigeri wrote:
Also, it would be nice to test Linux 4.17 with the feature-sets we
ship in Stretch and testing/sid, in order to catch any bug like
#883703 ASAP.
Got ideas how could I install 4.17 on Stretch?
```
$ sudo apt install -t experimental
```
Any news after half a year?
Why it's marked "fixed-upstream"?
On Sun, 10 Jun 2018 18:47:04 +0200 Sebastian Ramacher
wrote:
> Please provide the full log of a run with vlc -vvv. It seems that you are
using
> an Intel GPU, so do you have i965-va-driver installed?
-vvv output attached.
Yes, va driver works:
$ vainfo
libva info: VA-API version 0.39.4
libva
I've reproduced it.
This is yet another sign how we need to use more variables in AppArmor, and
it needs to be fixed not only for Thunderbird, as $TMPDIR change will
affect other confined applications too.
I'll continue discussion in AppArmor mailing list to see how to approach
it better.
On Tue, 05 Jun 2018 20:11:49 +0100 Hannes Hörl
wrote:
Jun 5 19:04:27 pfah kernel: [22972.942931] audit: type=1400 audit(1528221867.305:54): apparmor="DENIED" operation="open"
profile="thunderbird" name="/sys/devices/pci:00/:00:02.0/vendor" pid=13506
On 5/28/18 11:01 PM, Carsten Schoenert wrote:
Hello intri, hello Vincas,
this looks like something you guys should have a look at please. Thanks!
I'll take a look into this.
I am proposing new abstraction for Mesa libraries:
https://gitlab.com/apparmor/apparmor/merge_requests/137
Once it's in, I'll backport needed changes to Thunderbird profile.
On 2017.10.25 22:25, Simon Deziel wrote:
Strange, preliminary test shows that totem is launched with its
profile, meanwhile evince is launched via thunderbird//sanitized_helper
for unknown reason. I need to test some more.
It's been that way for a long time, see [1].
Regards,
Simon
[1]
On 2018-01-07 13:11, intrigeri wrote:
Hi,
good catch! It would be interesting to know how other distros
handle this.
I already have Ubuntu and OpenSuse VM's (in addition to Debian), I could check
that I guess.
On Sun, 7 Jan 2018 14:08:59 +0100 Alexandre Detiste
wrote:
Hi,
This does the trick:
"sudo apt install x2goserver/experimental"
No, but "sudo apt install -t experimental x2goserver" worked.
I successfully connected from Testing machine, it works.
On Fri, 5 Jan 2018 21:26:00 +0100 Carsten Schoenert
wrote:
Does this only happen on a Jessie system?
I just ask for setting up the correct tags on this report.
Yes, this happens only on Jessie, Stretch and Sid works OK.
Sorry to reply so late, I missed this question
I am still stuck on fixing some Thunderbird's AppArmor-related issues, holding
this
task back.
Let's consider this a long-term wishlist, I might get to it some time later...
For the record, these */uevent files are accessed by libdrm
Here's breakpoint while opening `/sys/dev/char/226:0/device/ueven` file:
```
Thread 2.1 "soffice.bin" hit Catchpoint 1 (call to syscall openat), 0x7fa253f6961e in __libc_open64
(file=0x7ffe077e8900
```
https://gerrit.libreoffice.org/#/c/48265/
Looks like it's enough to add:
/dev/shm/org.chromium.* rw,
To make Thunderbird 58 work again.
I do see some more strange denies, that I've seen with other applications too:
type=AVC msg=audit(1516647002.344:734): apparmor="DENIED" operation="file_mmap" profile="thunderbird"
On 1/22/18 9:26 PM, Luca Boccassi wrote:
type=AVC msg=audit(1516647002.968:744): apparmor="DENIED"
operation="mkdir" profile="thunderbird" name="/home/vincas.nv/"
pid=23705 comm="thunderbird" requested_mask="c" denied_mask="c"
fsuid=1000 ouid=1000
type=SYSCALL msg=audit(1516647002.968:744):
Created merge request for fixing Thunderbird 58 graphics:
https://gitlab.com/apparmor/apparmor-profiles/merge_requests/9
For `/etc/ld.so.conf` I believe there should be separate update for
abstractions/base.
And for all these mmap()ed `/tmp/.gl*` and NVIDIA issues, more research is
needed.
MR for `ld.so.conf` issue:
https://gitlab.com/apparmor/apparmor/merge_requests/62
May I provide `patches/fixes/fix-jessie-apparmor-parser-error.patch` for a
`jessie` branch, or something like that?
Tried OpenSUSE Tumbleweed, and no, localized Downloads folder was not allowed
when using `abstractions/user-download`.
Ubuntu does not handle localized directories too:
```
vincas@vincas-ubuntu1804:~$ foo ~/Atsiuntimai/fake.download
foo: /home/vincas/Atsiuntimai/fake.download: Permission denied
vincas@vincas-ubuntu1804:~$ cat /etc/apparmor.d/usr.local.bin.foo
#include
@{foo_executable} =
```
I've managed to break on relevant mmap() and mkdir() syscalls, now I'll try to
report to NVIDIA.
mmap() where `prot=5` means read and exec, for /tmp/.gl* (with printed `stat`
output while on breakpoint):
```
Catchpoint 1 (call to syscall mmap), 0x7f5fdae27033 in __GI___mmap64
```
Control: forwarded -1
https://salsa.debian.org/mozilla-team/thunderbird/merge_requests/1
On 1/26/18 10:39 PM, Carsten Schoenert wrote:
if you have something prepared and ready why not, I need to prepare
jessie and stretch updates for 52.6.0 anyway this weekend.
It would be good if one of the