Bug#883099: libqt5network5: QDnsLookup crash on unix when DNS response is over 512 byte

2017-11-29 Thread Vincas Dargis
Package: libqt5network5 Version: 5.9.1+dfsg-9 Severity: important Tags: upstream Dear Maintainer, There is a recent upstream bug report QTBUG-64742 [0] which I believe can be considered as security issue introducing at least DoS. [0] https://bugreports.qt.io/browse/QTBUG-64742 -- System

Bug#882043: Firefox wont open from thunderbird

2017-11-25 Thread Vincas Dargis
Looks like ubuntu-browsers abstraction is fixed in upstream: https://gitlab.com/apparmor/apparmor/commit/ff66ca90390d14fa710ac28cc20728f934152724

Bug#882070: apparmor: AppArmor should allow to read /etc/pulse subdirectories

2017-11-23 Thread Vincas Dargis
On 2017.11.23 19:31, intrigeri wrote: What are the practical consequences of this bug? Do you think we should cherry-pick the fix into the Debian packaging? Thunderbird manages to produce alert sound even with this deny, so I doubt this is critical. Maybe it's enough to wait for next

Bug#882048: apparmor should let thunderbird use signatures from files

2017-11-25 Thread Vincas Dargis
After seeing https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882218 I changed my mind. It's too complicated :( . If Thunderbird profile path would be an AppArmor parser variable, that could be (somehow?) updated by local/usr.bin.thunderbird, these kinds of customizations could be dealt with by

Bug#882043: Firefox wont open from thunderbird

2017-11-25 Thread Vincas Dargis
On 2017.11.24 10:12, Philipp Kolmann wrote: Adding   /usr/lib/firefox/firefox Cx -> sanitized_helper, to /etc/apparmor.d/usr.bin.thunderbird didn't help. (after restarting thunderbird. or do I need to do something else?) Profile has to be reloaded with `sudo apparmor_parser -r -W

Bug#882218: thunderbird: Apparmor doesn't allow personal profiles outside of ~/.{thunderbird,icedove}

2017-12-04 Thread Vincas Dargis
On 2017-12-03 19:00, Carsten Schoenert wrote: _The question is_, will you agree to ship empty file `/etc/apparmor.d/local/tunables/usr.bin.thunderbird`? We do not have "#include_if_exists" or similar mechanism in AppArmor parser to avoid that yet. I'm not against shipping such an empty file.

Bug#882122: thunderbird: Thunderbird can't connect to X server, fails to start

2017-12-17 Thread Vincas Dargis
Regarding denied access to `.config/pulse/*.conf` files, I proposed fix for that upstream: https://gitlab.com/apparmor/apparmor/merge_requests/38

Bug#883256: apparmor-profiles-extra: Totem can't access files outside $HOME

2017-12-01 Thread Vincas Dargis
Hi, Please note that AppArmor profiles are extendable by modifying `local` files, in this case, please try editing this file: sudo vim/nano/whatever /etc/apparmor.d/local/usr.bin.totem Add a line: /media/** r, Also maybe this line, depending on where your mounts are: /mnt/** r, Or in one

Bug#883256: Re: apparmor-profiles-extra: Totem can't access files outside $HOME

2017-12-01 Thread Vincas Dargis
On 2017-12-01 19:17, Vincas Dargis wrote: Or in one go: /{media,mnt,srv,wherever/mounts/are}/** Sorry, it is a mistake, it should have been : /{media,mnt,srv,wherever/mounts/are}/** r, (was missing `r,`) sudo apparmor_parser -r /etc/apparmor.d/local/usr.bin.totem This should have been

Bug#884217: thunderbird: Latest VCS-Git AppArmor profile (will) break aa-enfroce usage on Jessie

2017-12-12 Thread Vincas Dargis
Package: thunderbird Version: 1:52.5.0-1~deb8u1 Severity: normal Tags: upstream User: pkg-apparmor-t...@lists.alioth.debian.org Usertags: help-needed Dear Maintainer, I have tried to use latest upstream Thunderbird profile available in Debian VCS-Git on Debian Jessie (where this profile will ship

Bug#884278: prevent deinstallation of boot-critical package

2017-12-14 Thread Vincas Dargis
On 2017-12-14 19:21, Joachim Wuttke wrote: Could you check what packages on your system have installed have shipped AppArmor profile, and so maybe causing the issue, like this: dpkg -S /etc/apparmor.d/ # dpkg -S /etc/apparmor.d/ apparmor-profiles-extra, apparmor: /etc/apparmor.d Thanks,

Bug#884278: prevent deinstallation of boot-critical package

2017-12-14 Thread Vincas Dargis
On Wed, 13 Dec 2017 14:19:13 +0100 Joachim Wuttke wrote: > How did you draw the conclusion that this system > hang was caused by deinstalling the apparmor package? After the Grub chooser, on default boot mode, I got a black text screen, then one line, saying that

Bug#884280: apparmor-profiles: dovecot denied_mask="send"

2017-12-14 Thread Vincas Dargis
On Wed, 13 Dec 2017 11:17:41 +0100 Félix Sipma wrote: I found the following lines in my logs: Dec 13 11:03:05 kernel: audit: type=1400 audit(1513159385.786:224): apparmor="ALLOWED" operation="signal" profile="/usr/sbin/dovecot" pid=30693 comm="dovecot"

Bug#882122: thunderbird: Thunderbird can't connect to X server, fails to start

2017-12-18 Thread Vincas Dargis
Simon, could you take a look into my MR: https://gitlab.com/apparmor/apparmor-profiles/merge_requests/6 Thanks!

Bug#881634: [Pkg-clamav-devel] Bug#881634: clamav: Exim4 configuration documentation is outdated (demine is deprecated)

2017-11-17 Thread Vincas Dargis
On 2017.11.14 02:49, Scott Kitterman wrote: Looks like `demime` is no longer supported [0]. [0] https://lists.gt.net/exim/users/107794#107794 Did using the new value mentioned in the linked message solve your problem? I actually just skipped that mime configuration part at all, I just

Bug#881634: [Pkg-clamav-devel] Bug#881634: clamav: Exim4 configuration documentation is outdated (demine is deprecated)

2017-11-17 Thread Vincas Dargis
On 2017.11.16 22:34, Sebastian Andrzej Siewior wrote: Looks like `demime` is no longer supported [0]. as per [0] it looks like the "demime = *" needs to go. Everything else (that "malware = *" line acl data) is okay. So I drop that line and we are good again. [0]

Bug#882048: [pkg-apparmor] Bug#882048: apparmor should let thunderbird use signatures from files

2017-11-18 Thread Vincas Dargis
On 2017.11.18 04:07, Ben Caradoc-Davies wrote: when apparmor is enabled, thunderbird signatures from files disappear. For example, one account uses: "Attach the signature from a file instead": /home/ben/.signature-...@transient.nz You mean, signatures are not loaded into Thunderbird, or these

Bug#882045: [pkg-apparmor] Bug#882045: apparmor should let thunderbird open images with viewnior

2017-11-18 Thread Vincas Dargis
On 2017.11.18 03:20, Ben Caradoc-Davies wrote: profile="thunderbird" name="/usr/bin/viewnior" pid=27896 comm="thunderbird" profile="thunderbird" name="/usr/bin/thunar" pid=27901 comm="exo-helper-1" Hi, All these `/usr/bin` executions should be fixed (also mentioned in your other bug

Bug#882048: apparmor should let thunderbird use signatures from files

2017-11-18 Thread Vincas Dargis
Thunderbird fails to read signature even on complain mode, because AFAIK complain mode does still mediate `deny` clauses: sudo sysdig "fd.name contains signature" 271543 15:19:14.386997890 6 thunderbird (3680) < open fd=-13(EACCES) name=/home/vincas/.signature-...@example.com flags=1(O_RDONLY)

Bug#882048: apparmor should let thunderbird use signatures from files

2017-11-18 Thread Vincas Dargis
Looks like the culprit is this line in usr.bin.thunderbird [0]: ``` deny @{HOME}/.* r, ``` I am not a maintainer of Thunderbird, but I _guess_ that the story is like this: 1. AppArmor profiles deny everything that's not allowed by default. 2. Thunderbird profile has only some dot-directories

Bug#882070: apparmor: AppArmor should allow to read /etc/pulse subdirectories

2017-11-18 Thread Vincas Dargis
Package: apparmor Version: 2.11.1-3 Severity: normal Tags: upstream Dear Maintainer, I have discovered this DENIED message on Debian Sid with Thunderbird: type=AVC msg=audit(1511012066.035:570): apparmor="DENIED" operation="open" profile="thunderbird"

Bug#879030: 375.82-5: glxgears segmentation fault in glXCreateContext

2017-11-12 Thread Vincas Dargis
On 2017.11.12 18:57, Luca Boccassi wrote: No need to purge many packages - just removing libgl1-nvidia-glx[:i386] and nvidia-driver-libs[:i386] and trying to reinstall just nvidia- driver-libs and nvidia-driver-libs:i386 is enough. The theory is that they should bring in the gl packages.

Bug#877581: apparmor: Ensure Linux 4.14 does not break abstractions/nameservice

2017-11-12 Thread Vincas Dargis
Since network mediation is reverted from 4.14 (sorry have no link to cite), is this still a blocker? Do we need to "sprint" for 4.14-possibly-introducing issues?

Bug#879030: 375.82-5: glxgears segmentation fault in glXCreateContext

2017-11-12 Thread Vincas Dargis
On 2017.11.12 17:55, Luca Boccassi wrote: libgl1-nvidia-glx is missing - install nvidia-driver-libs and it should bring it in I got error: ``` sudo apt install nvidia-driver-libs Reading package lists... Done Building dependency tree Reading state information... Done Some packages could not

Bug#880078: apparmor: Bump pinned feature set to Linux 4.14's

2017-11-12 Thread Vincas Dargis
Could you elaborate on how that feature pinning works? If there's a machine running RC7 and the `features-files=` line is commented out, what does that state actually mean?

Bug#879030: 375.82-5: glxgears segmentation fault in glXCreateContext

2017-11-12 Thread Vincas Dargis
On 2017.11.12 18:37, Luca Boccassi wrote: Have you tried to install both nvidia-driver-libs and nvidia-driver- libs:i386 ? Maybe it's due to multiarch I do not recall installing nvidia-driver-libs before your suggestion. I only installed primus-libs:i386, what's concerning multiarch. But I

Bug#879030: 375.82-5: glxgears segmentation fault in glXCreateContext

2017-11-12 Thread Vincas Dargis
OK so I've seen that there were some nvidia and GL-related upgrades for my Testing machine, so I have attempted to retry by reinstalling related packages. First I've purged: ``` sudo apt purge --autoremove bumblebee primus primus-libs nvidia-* ``` After reboot: ``` glxgears -info Running

Bug#879030: 375.82-5: glxgears segmentation fault in glXCreateContext

2017-11-12 Thread Vincas Dargis
On 2017.11.12 17:30, Luca Boccassi wrote: ``` sudo apt install bumblebee-nvidia primus primus-libs:i386 ``` What did this actually install? This is copy-paste from /var/log/apt/history.log, does this help? ``` Start-Date: 2017-11-12 16:52:27 Commandline: apt install bumblebee-nvidia

Bug#880078: Re: Bug#880078: apparmor: Bump pinned feature set to Linux 4.14's

2017-11-13 Thread Vincas Dargis
On 2017.11.12 19:14, intrigeri wrote: Rules that are not supported by the running kernel are ignored even if they're explicitly listed via the features-file setting. In other words, features-file caps the feature set, but it doesn't require the kernel to support all listed features. Thanks,

Bug#879030: 375.82-5: glxgears segmentation fault in glXCreateContext

2017-11-13 Thread Vincas Dargis
On 2017.11.12 19:21, Luca Boccassi wrote: Ok, thanks for trying. Buster and Sid have the same versions right now so it's ok. I'll try to have a look at why apt is failing like that. Feel free to let me know when some testing is needed.

Bug#881634: clamav: Exim4 configuration documentation is outdated (demine is deprecated)

2017-11-13 Thread Vincas Dargis
Package: clamav Version: 0.99.3~beta1+dfsg-2 Severity: minor Dear Maintainer, I have edited Exim4 configuration as README.Debian.gz suggested: ``` Then add the following to your data time acl: deny message = This message contains a virus: ($malware_name) please scan your system.

Bug#882070: apparmor: AppArmor should allow to read /etc/pulse subdirectories

2017-11-18 Thread Vincas Dargis
Relevant NEWS entry: ``` pulseaudio (11.1-2) unstable; urgency=medium * Since this version, pulseaudio disables autospawn by default on linux systems, and replaces that with systemd socket activation. If you are not using systemd, then please edit or remove

Bug#882135: apparmor: Update AppArmor abstractions for Java 8 and 9

2017-11-19 Thread Vincas Dargis
Package: apparmor Version: 2.11.1-3 Severity: normal Tags: upstream patch Control: forward -1 https://gitlab.com/apparmor/apparmor/merge_requests/13 Dear Maintainer, I have discovered that java abstraction is outdated, see forwarded MR for more info. -- System Information: Debian Release:

Bug#882048: apparmor should let thunderbird use signatures from files

2017-11-18 Thread Vincas Dargis
On 2017.11.18 23:24, Ben Caradoc-Davies wrote:>> Anyway, I believe change to allow Thunderbird to read arbitrary dot-files or directories will not gonna happen, But surely a rule for ~/.signature* is an exception? The use of ~/.signature is an ancient convention, the default for many email

Bug#879030: 375.82-5: glxgears segmentation fault in glXCreateContext

2017-11-12 Thread Vincas Dargis
On 2017.11.12 19:21, Luca Boccassi wrote: Please note it's on Testing, not Sid if that makes difference. Ok, thanks for trying. Buster and Sid have the same versions right now so it's ok. I'll try to have a look at why apt is failing like that. Sorry for little off-topic, but what's

Bug#869865: usr.sbin.mysqld-akonadi: denied access to /etc/mysql/mariadb.cnf

2017-11-06 Thread Vincas Dargis
Control: tags -1 +patch Control: user pkg-apparmor-t...@lists.alioth.debian.org Control: usertags -1 +modify-profile I see that /etc/mysql/mariadb.cnf deny is fixed in Vcs-Git, though there are two more additional denies: type=AVC msg=audit(1509645650.114:137): apparmor="DENIED"

Bug#880068: virtualbox: Doesn't build on kernel linux-4.14-rc6

2017-11-06 Thread Vincas Dargis
Please try with guest additions 5.2.1 image [0] from https://www.virtualbox.org/wiki/Downloads There was various issues [1] and for me that updated image fixed. It works on rc7 guest. [0] https://www.virtualbox.org/download/testcase/VBoxGuestAdditions_5.2.1-118918.iso [1]

Bug#878310: linux-image-4.14.0-rc3-amd64: VirtualBox additions module fails to build

2017-11-06 Thread Vincas Dargis
It started working for me after I have used new Guest Additions iso [0][1]. Found it through ticket #17163 [2] [0] https://www.virtualbox.org/download/testcase/VBoxGuestAdditions_5.2.1-118918.iso [1] https://www.virtualbox.org/wiki/Downloads [2] https://www.virtualbox.org/ticket/17163

Bug#880381: apparmor profile breaks xul-ext-exteditor

2017-11-01 Thread Vincas Dargis
Maybe we need TODO inside a profile for the future, to not forget that we need abstraction or explicit rules for xul-ext-editor, when we fix that too-permissive `/usr/bin/* Cx -> sanitized_helper`?

Bug#882218: thunderbird: Apparmor doesn't allow personal profiles outside of ~/.{thunderbird,icedove}

2017-12-05 Thread Vincas Dargis
On 2017-12-04 21:19, Carsten Schoenert wrote: GUI stuff where users can easily inspect the current enabled profile Yeah, I miss some sort of convenient auditing tool too. If we add the now possible @{thunderbird_user_dirs} directive we need to think about some migration scenario too. The

Bug#883245: thunderbird: Fail to open URI in configured web browser "Permission denied"

2017-12-05 Thread Vincas Dargis
Although updated AppArmor profile fixes this (and similar) issue, please note that current Thunderbird profile state is pretty poor security-wise. Decision was made to make it much more permissive in order not to break usability as Thunderbird profile was enabled by default. Some work in seeded

Bug#858919: Crash reporter doesn't get symbols, even with -dbg installed

2017-12-07 Thread Vincas Dargis
Please remind me to test and possibly update AppArmor profile when this reaches experimental.

Bug#882348: signatures are not attached to emails any more

2017-12-07 Thread Vincas Dargis
Hi, This bug seems duplicate of: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882048 Please test my WIP patch: https://gitlab.com/Talkless/apparmor-profiles/blob/fix-thunderbird-signature/ubuntu/18.04/usr.bin.thunderbird

Bug#882122: Your mail

2017-12-07 Thread Vincas Dargis
On Thu, 7 Dec 2017 06:37:35 -0600 "Schofield, Eric James" wrote: Looking into usr.bin.thunderbird, it seems like the line that blocks .Xauthority is line 113: deny @{HOME}/.* r Changing this line to: deny @{HOME}/.[^X]* r allows thunderbird to start as normal for me.

Bug#882122: thunderbird: Thunderbird can't connect to X server, fails to start

2017-12-07 Thread Vincas Dargis
On Fri, 1 Dec 2017 18:05:49 +0100 Jack Henschel wrote: $ grep deny /etc/apparmor.d/usr.bin.thunderbird 27 I was really hoping there would be a more convenient way of debugging this ... I'll see when I get around to doing it. sysdig can be used for that: ``` sudo apt

Bug#882048: apparmor should let thunderbird use signatures from files

2017-12-07 Thread Vincas Dargis
Ben, could you try my WIP patch for fixing this (and similar) issue: https://gitlab.com/Talkless/apparmor-profiles/blob/fix-thunderbird-signature/ubuntu/18.04/usr.bin.thunderbird After doing like this: ``` wget -O /tmp/usr.bin.thunderbird /etc/apparmor.d/usr.bin.thunderbird

Bug#882122: Re: Your mail

2017-12-11 Thread Vincas Dargis
On 2017-12-07 21:58, Schofield, Eric James wrote: (thunderbird:20247): Gtk-WARNING **: Attempting to read the recently used resources file at '/home/e/.local/share/recently-used.xbel', but the parser failed: Failed to open file “/home/e/.local/share/recently-used.xbel”: Permission denied.

Bug#882122: Re: Your mail

2017-12-11 Thread Vincas Dargis
On 2017-12-07 21:58, Schofield, Eric James wrote: Using the file above does allow thunderbird to open up on my system. Going through the file -> open steps produced the following output in dmesg: Thanks for testing! [skipping STATUS entries...] [Thu Dec  7 13:50:03 2017] audit: type=1400

Bug#883944: ejabberd: Upstream AppArmor profile

2017-12-11 Thread Vincas Dargis
On 2017-12-10 11:39, Philipp Huebner wrote: Since Debian has ongoing experiment to have AppArmor enabled by default in Buster, I believe it would be useful to have AppArmor profile made good enough to be enabled by default for this internet-facing daemon too. Maybe this suggestion could make

Bug#883561: thunderbird: AppArmor profile is not applied after opting-in due to new binary path

2017-12-06 Thread Vincas Dargis
That's pretty bad. I guess we need some sort of workflow to test packages on experimental before they ship to the masses.

Bug#883944: ejabberd: Upstream AppArmor profile

2017-12-09 Thread Vincas Dargis
Package: ejabberd Version: 17.08-3 Severity: wishlist User: pkg-apparmor-t...@lists.alioth.debian.org Usertags: new-profile Dear Maintainer, I have seen call for help maintaining this package [0], and thought that one way to help with that is by upstreaming AppArmor profile to

Bug#883948: apparmor: xdg-user-dirs should have localized directory names

2017-12-09 Thread Vincas Dargis
Package: apparmor Version: 2.11.1-4 Severity: wishlist Dear Maintainer, Currently `tunables/xdg-user-dirs` has only english versions of common user directories: ``` @{XDG_DESKTOP_DIR}="Desktop" @{XDG_DOWNLOAD_DIR}="Downloads" @{XDG_TEMPLATES_DIR}="Templates" ... ``` This means that

Bug#883930: ejabberd: Update AppArmor profile for usrmerge and more

2017-12-09 Thread Vincas Dargis
Package: ejabberd Version: 17.08-3 Severity: normal Tags: patch Dear Maintainer, I have discovered number of DENIED messages produced by AppArmor, due to the fact that I have `usrmerge` package installed, and some additional rules missing: ``` type=AVC msg=audit(1512580362.337:361):

Bug#883256: [pkg-apparmor] Bug#883256: Bug#883256: Re: apparmor-profiles-extra: Totem can't access files outside $HOME

2017-12-01 Thread Vincas Dargis
On 2017-12-02 01:26, Seth Arnold wrote: So a rule such as /{media,mnt,srv,wherever/mounts/are}/ r, would be useful. Thanks for fixing this! But.. wait... There are rules for browsing all directories and reading from common mount points in abstractions/totem already: /**/ r, [1]

Bug#882048: [pkg-apparmor] Bug#882048: Bug#882048: Re: Bug#882048: apparmor should let thunderbird use signatures from files

2017-12-03 Thread Vincas Dargis
On 2017-11-28 03:36, Seth Arnold wrote: Can sysdig grab stacktraces at the time of the open() call? It might be educational to find out what exactly is doing the reading. After installing `libglib2.0-0-dbgsym` package from `unstable-debug` repository, I get these backtraces: ``` Thread 91

Bug#882218: thunderbird: Apparmor doesn't allow personal profiles outside of ~/.{thunderbird,icedove}

2017-12-03 Thread Vincas Dargis
Dear Maintainer, I am suggesting to fix this issue by providing @{thunderbird_user_dirs} variable, that could be modified by the user to add addition paths, such `/home/me/Archives` or `/mnt/foo`. This kind of functionality is discussed in AppArmor mailing list [0]. I have tested with

Bug#855346: thunderbird: Can't open attachments with AppArmor profile enforced

2017-10-25 Thread Vincas Dargis
On 2017.10.25 10:26, intrigeri wrote: Indeed, it might be that the specific rules about evince & totem you're quoting from my patch above are not needed. It would be nice if we could drop them (and the maintenance cost of hard-coding a list of exceptions) so I'm hoping your testing confirms your

Bug#876333: thunderbird: AppArmor profile allows mmap executables from user writable directories

2017-10-25 Thread Vincas Dargis
I just removed those 2 lines and ran some tests (calendar, enigmail, etc) and saw no denials. Do you plan to fix this as part of your MR upstream for #855346? Cheers, I totally forgot about this bug, I guess I could push this in same MR.

Bug#855346: thunderbird: Can't open attachments with AppArmor profile enforced

2017-10-25 Thread Vincas Dargis
On 2017.10.25 10:26, intrigeri wrote: Also, if sanitized_helper contains: `/{usr/,}bin/* Pixr,` Doesn't this automatically mean that this line in usr.bin.thunderbird profile `/{usr/,}bin/* Cx -> sanitized_helper,` will in result launch /usr/bin/totem with it's *P*rofile? I wonder,

Bug#855346: thunderbird: Can't open attachments with AppArmor profile enforced

2017-10-24 Thread Vincas Dargis
Patch snippet: + # Allow opening attachments + /{usr/,}bin/* Cx -> sanitized_helper, + /{usr/,}sbin/* Cx -> sanitized_helper, + /usr/local/{bin,sbin}/* Cx -> sanitized_helper, + /usr/lib/libreoffice/program/soffice Cxr -> sanitized_helper, + /usr/bin/evince Pix, + /usr/bin/totem Pix, Do

Bug#855346: (no subject)

2017-10-24 Thread Vincas Dargis
I've started to work on patch on comment #60. Notifying to avoid work duplication.

Bug#898330: vlc: Building package with address sanitizer fails

2018-05-15 Thread Vincas Dargis
On Fri, 11 May 2018 15:12:55 +0200 Sebastian Ramacher <sramac...@debian.org> wrote: > On 2018-05-10 06:43:34, Vincas Dargis wrote: > > If I export these variables: > > > > export DEB_BUILD_MAINT_OPTIONS=sanitize=+address,+undefined > > You'll need t

Bug#898428: vlc-plugin-base: memory corruption in vlc_module_unload -> avcodec_close

2018-05-15 Thread Vincas Dargis
I have managed to rebuild vlc and libavcodec packages with address sanitizer. I still had problems to make llvm-symbolizer work... but anyway, it's double-free: ``` libvlc: removing module "avcodec" = ==3782==ERROR: AddressSanitizer:

Bug#898330: vlc: Building package with address sanitizer fails

2018-05-10 Thread Vincas Dargis
Package: src:vlc Version: 2.2.7-1~deb9u1 Severity: normal Dear Maintainer, I wanted to build vlc with address sanitizer enabled to catch some strange crashes, but strangely ASAN interferes with build process. If I export these variables: export

Bug#898428: vlc-plugin-base: memory corruption in vlc_module_unload -> avcodec_close

2018-05-11 Thread Vincas Dargis
Package: src:vlc Version: 2.2.7-1~deb9u1 Severity: normal Dear Maintainer, We are developing application using VLC-Qt, that uses libvlc, libvlcore libraries from Debian repository for displaying RTSP streams. Everything was OK while application was running on Jessie amd64 machine. When running

Bug#883944: ejabberd: Upstream AppArmor profile

2018-05-11 Thread Vincas Dargis
On 5/8/18 10:31 PM, Philipp Huebner wrote: Hi, what's the status here? Regards, Sorry, I have this task still on hold, because I'm having too much TODO's in my AppArmor contribution list already, and I considered other tasks being higher priority. Although anyone could just create pull

Bug#900840: thunderbird: does not start with apparmor errors and breaks X session

2018-06-10 Thread Vincas Dargis
On 6/10/18 1:41 PM, intrigeri wrote: Control: found -1 1:60.0~b2-11:60.0~b6-1 Control: merge 895563 -1 Vincas Dargis: The problem is, that I should have reported this bug much earlier Actually you did notice and report this bug earlier (#895563) but for some reason, once the fix was applied

Bug#901023: vlc: Hadware decoding does not work with 3.0.2

2018-06-08 Thread Vincas Dargis
Package: src:vlc Version: 3.0.2-0+deb9u1 Severity: normal Dear Maintainer, It seems that hardware decoding no longer works after Stretch got VLC v3. This is example from Debian Jessie VLC, when playing RTSP stream (acceleration works): ``` [7f372800e0a8] avcodec decoder debug: available

Bug#882047: [pkg-apparmor] Bug#882047: Bug#882047: Bug#882047: apparmor-utils: aa-complain thunderbird fails

2018-06-13 Thread Vincas Dargis
On 6/13/18 6:00 PM, intrigeri wrote: For the record, with 2.13-1 I see a different error: # aa-complain thunderbird Setting /usr/bin/thunderbird to complain mode. ERROR: Path doesn't start with / or variable: gpg i.e. aa-complain chokes on the "gpg" named child profile. Cheers,

Bug#901470: apparmor-utils: aa-logprof prints a lot of garbage with "Error: Unknown line found in file"

2018-06-13 Thread Vincas Dargis
Package: apparmor-utils Version: 2.13-1 Severity: normal Dear Maintainer, This is what I get with `aa-logprof` after installing 2.13 from experimental (no reboot yet): ``` ERROR: Syntax Error: Unknown line found in file cache.d/b64c78f3.0/usr.bin.dragon line 1455: version

Bug#901471: thunderbird: AppArmor denies access to ~/.cache/mesa_shader_cache/index after recent Mesa update

2018-06-13 Thread Vincas Dargis
Package: thunderbird Version: 1:60.0~b6-1 Severity: normal Tags: upstream Dear Maintainer, I've noticed new DENIED message after recent pack of Sid updates, where some new Mesa packages where received: ``` type=AVC msg=audit(1528914778.433:521): apparmor="DENIED" operation="open"

Bug#901559: apparmor fails to start with empty features-file=

2018-06-14 Thread Vincas Dargis
Package: apparmor Version: 2.13-1 Severity: normal Dear Maintainer, AppArmor 2.13 fails to start if I set `features-file=` in parser.conf: ``` # systemctl status apparmor ● apparmor.service - Load AppArmor profiles Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor

Bug#901563: bumblebee: using optirun introduces segfault in i965_dri.so

2018-06-14 Thread Vincas Dargis
Package: bumblebee Version: 3.2.1-17 Severity: normal Dear Maintainer, Looks like after recent Mesa update in Sid, I cannot use optirun any more on laptop with i7-4710HQ and GM107M [GeForce GTX 860M] as it introduces crash for application run under it. Launching `optirun glxgears` makes

Bug#901470: apparmor-utils: aa-logprof prints a lot of garbage with "Error: Unknown line found in file"

2018-06-14 Thread Vincas Dargis
On 6/14/18 12:16 PM, intrigeri wrote: At first glance this looks like: https://gitlab.com/apparmor/apparmor/merge_requests/110 Can you please confirm that MR fixes this problem for you? If it does I'll import it into debian/patches. Yes, it fixed.

Bug#901559: apparmor fails to start with empty features-file=

2018-06-15 Thread Vincas Dargis
On 6/14/18 10:15 PM, intrigeri wrote: Can you try to reproduce on Stretch and sid? If behaviour has changed, it's a different matter :) It fails the same on Stretch, it's not a regression, so it's my mistake. Sorry for the noise. P.S. What's the right way to close BTS bug as invalid?

Bug#894245: Salt, Tornado Incompatibility, and ZMQ Timeline

2018-06-16 Thread Vincas Dargis
On Wed, 2 May 2018 12:15:12 -0400 Jamie Bliss wrote: On Wed, May 2, 2018 at 11:34 AM, Jamie Bliss wrote: #896921. It was merged April 25 into 2017.7, so should make it into the next point releases for 2017.7 and 2018.3. 2017.7.6 is released now [0], could this fix the issue? [0]

Bug#712451: Please support AppArmor network rules

2018-06-17 Thread Vincas Dargis
On Wed, 13 Jun 2018 19:44:58 +0200 intrigeri wrote: I'll be very busy until DebCamp so it's unlikely I do much on this front until then (best case I'll press the right buttons to enable this on my own system once 4.17 is in sid, but I won't have time to test software I don't use myself).

Bug#712451: Please support AppArmor network rules

2018-06-17 Thread Vincas Dargis
On Wed, 13 Jun 2018 19:44:58 +0200 intrigeri wrote: Also, it would be nice to test Linux 4.17 with the feature-sets we ship in Stretch and testing/sid, in order to catch any bug like #883703 ASAP. Got ideas how could I install 4.17 on Stretch? ``` $ sudo apt install -t experimental

Bug#718272: [Pkg-bitcoin-devel] Bug#718272: Bitcoin still not ready for stable release in Debian

2018-06-19 Thread Vincas Dargis
Any news after half a year? Why it's marked "fixed-upstream"?

Bug#901023: vlc: Hadware decoding does not work with 3.0.2

2018-06-11 Thread Vincas Dargis
On Sun, 10 Jun 2018 18:47:04 +0200 Sebastian Ramacher wrote: > Please provide the full log of a run with vlc -vvv. It seems that you are using > an Intel GPU, so do you have i965-va-driver installed? -vvv output attached. Yes, va driver works: $ vainfo libva info: VA-API version 0.39.4 libva

Bug#900210: thunderbird: Thunderbird AppArmor config disables ability to send entirely

2018-05-31 Thread Vincas Dargis
I've reproduced it. This is yet another sign how we need use more variables in AppArmor, and it needs to be fixed not only for Thunderbird, as $TMPDIR change will affect other confined applications too. I'll continue discussion in AppArmor mailing list to see how to approach it better.

Bug#900840: thunderbird: does not start with apparmor errors and breaks X session

2018-06-06 Thread Vincas Dargis
On Tue, 05 Jun 2018 20:11:49 +0100 Hannes Hörl wrote: Jun 5 19:04:27 pfah kernel: [22972.942931] audit: type=1400 audit(1528221867.305:54): apparmor="DENIED" operation="open" profile="thunderbird" name="/sys/devices/pci:00/:00:02.0/vendor" pid=13506

Bug#900210: thunderbird: Thunderbird AppArmor config disables ability to send entirely

2018-05-29 Thread Vincas Dargis
On 5/28/18 11:01 PM, Carsten Schoenert wrote: Hello intri, hello Vincas, this looks like something you guys should have a look at please. Thanks! I'll take a look into this.

Bug#901471: thunderbird: AppArmor denies access to ~/.cache/mesa_shader_cache/index after recent Mesa update

2018-06-25 Thread Vincas Dargis
I am proposing new abstraction for Mesa libraries: https://gitlab.com/apparmor/apparmor/merge_requests/137 Once it's in, I'll backport needed changes to Thunderbird profile.

Bug#855346: thunderbird: Can't open attachments with AppArmor profile enforced

2017-10-26 Thread Vincas Dargis
On 2017.10.25 22:25, Simon Deziel wrote: Strange, preliminary test shows that totem is launched with it's profile, meanwhile evince is launched via thunderbird//sanitized_helper for unknown reason. I need to test some more. It's been that way for a long time, see [1]. Regards, Simon [1]

Bug#883948: [pkg-apparmor] Bug#883948: apparmor: xdg-user-dirs should have localized directory names

2018-01-07 Thread Vincas Dargis
On 2018-01-07 13:11, intrigeri wrote: Hi, good catch! It would be interesting to know how other distros handle this. I already have Ubuntu and OpenSuse VM's (in addition to Debian), I could check that I guess.

Bug#882765: x2goserver fails to install on Sid

2018-01-07 Thread Vincas Dargis
On Sun, 7 Jan 2018 14:08:59 +0100 Alexandre Detiste wrote: Hi, This does the trick: "sudo apt install x2goserver/experimental" No, but "sudo apt install -t experimental x2goserver" worked. I successfully connected from Testing machine, it works.

Bug#884217: thunderbird: Latest VCS-Git AppArmor profile (will) break aa-enfroce usage on Jessie

2018-01-09 Thread Vincas Dargis
On Fri, 5 Jan 2018 21:26:00 +0100 Carsten Schoenert wrote: Is this only happen on a Jessie system? I just ask for setting up the correct tags on this report. Yes, this happens only on Jessie, Stretch and Sid works OK. Sorry to reply so late, I missed this question

Bug#883944: ejabberd: Upstream AppArmor profile

2018-01-14 Thread Vincas Dargis
I am still stuck on fixing some Thunderbird's AppArmor-related issues, holding this task back. Let's consider this a long-term wishlist, I might get to it some time later...

Bug#887593: libreoffice-common: apparmor profiles triggers lot of ALLOWED entries

2018-01-21 Thread Vincas Dargis
For the record, these */uevent files are accessed by libdrm Here's breakpoint while opening `/sys/dev/char/226:0/device/ueven` file: ``` Thread 2.1 "soffice.bin" hit Catchpoint 1 (call to syscall openat), 0x7fa253f6961e in __libc_open64 (file=0x7ffe077e8900

Bug#887593: libreoffice-common: apparmor profiles triggers lot of ALLOWED entries

2018-01-21 Thread Vincas Dargis
https://gerrit.libreoffice.org/#/c/48265/

Bug#887973: thunderbird: Black screen - Failed to lock new back buffer

2018-01-22 Thread Vincas Dargis
Looks like it's enough to add: /dev/shm/org.chromium.* rw, To make Thunderbird 58 work again. I do see some more strange denies, that I've seen with other applications too: type=AVC msg=audit(1516647002.344:734): apparmor="DENIED" operation="file_mmap" profile="thunderbird"

Bug#888028: nvidia-driver: applications running with discrete NVIDIA graphics tries to create /home/user.nv/ directory

2018-01-22 Thread Vincas Dargis
On 1/22/18 9:26 PM, Luca Boccassi wrote: type=AVC msg=audit(1516647002.968:744): apparmor="DENIED" operation="mkdir" profile="thunderbird" name="/home/vincas.nv/" pid=23705 comm="thunderbird" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 type=SYSCALL msg=audit(1516647002.968:744):

Bug#887973: thunderbird: Black screen - Failed to lock new back buffer

2018-01-22 Thread Vincas Dargis
Created merge request for fixing Thunderbird 58 graphics: https://gitlab.com/apparmor/apparmor-profiles/merge_requests/9 For `/etc/ld.so.conf` I believe there should be separate update for abstractions/base. And for all these mmap()ed `/tmp/.gl*` and NVIDIA issues, more research is needed.

Bug#887973: thunderbird: Black screen - Failed to lock new back buffer

2018-01-24 Thread Vincas Dargis
MR for `ld.so.conf` issue: https://gitlab.com/apparmor/apparmor/merge_requests/62

Bug#884217: thunderbird: Latest VCS-Git AppArmor profile (will) break aa-enfroce usage on Jessie

2018-01-26 Thread Vincas Dargis
May I provide `patches/fixes/fix-jessie-apparmor-parser-error.patch` for a `jessie` branch, or something like that?

Bug#883948: [pkg-apparmor] Bug#883948: apparmor: xdg-user-dirs should have localized directory names

2018-01-13 Thread Vincas Dargis
Tried OpenSUSE Tumbleweed, and no, localized Downloads folder was not allowed when using `abstractions/user-download`.

Bug#883948: [pkg-apparmor] Bug#883948: apparmor: xdg-user-dirs should have localized directory names

2018-01-13 Thread Vincas Dargis
Ubuntu does not handle localized directories too: ``` vincas@vincas-ubuntu1804:~$ foo ~/Atsiuntimai/fake.download foo: /home/vincas/Atsiuntimai/fake.download: Permission denied vincas@vincas-ubuntu1804:~$ cat /etc/apparmor.d/usr.local.bin.foo #include @{foo_executable} =

Bug#888028: nvidia-driver: applications running with discrete NVIDIA graphics tries to create /home/user.nv/ directory

2018-01-29 Thread Vincas Dargis
I've managed to break on relevant mmap() and mkdir() syscalls, now I'll try to report to NVIDIA. mmap() where `prot=5` means read and exec, for /tmp/.gl* (with printed `stat` output while on breakpoint): ``` Catchpoint 1 (call to syscall mmap), 0x7f5fdae27033 in __GI___mmap64

Bug#884217: thunderbird: Latest VCS-Git AppArmor profile (will) break aa-enfroce usage on Jessie

2018-01-27 Thread Vincas Dargis
Control: forwarded -1 https://salsa.debian.org/mozilla-team/thunderbird/merge_requests/1 On 1/26/18 10:39 PM, Carsten Schoenert wrote: if you have something prepared and ready why not, I need to prepare jessie and stretch updates for 52.6.0 anyway this weekend. It would be good if one of the
