The main issue is that I still wasn't able to reproduce it locally.
Dan, could you check if this issue still happens with the unprivileged user
namespace restriction disabled?
sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
Please note that this makes your setup vulnerable, so I
I have updated the description with the information of the SRU version
4.0.1really4.0.1-0ubuntu0.24.04.3
The Test Plan is updated with detailed instructions and I also added an
analysis of why the regression happened for the previous SRU. Note that since
we have removed the enablement by
As I understand these changes are only waiting to be sponsored to
proposed, correct?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2065915
Title:
[SRU] Add multiarch lines for each architecture we
Here's my proposed fix for oracular. It disables the bwrap profile so we can do
further tests. As was done on noble, it does require a reboot.
It's also available on this ppa:
https://launchpad.net/~georgiag/+archive/ubuntu/4.0.1-0ubuntu2
** Patch added: "apparmor_4.0.1-0ubuntu2.debdiff"
@Robie Basak:
I ran QRT and the tests passed:
georgia@ubuntu:~/qrt-test-apparmor$ sudo ./install-packages test-apparmor.py
georgia@ubuntu:~/qrt-test-apparmor$ sudo ./test-apparmor.py
...
--
Ran 62 tests in 1974.585s
OK
Hi Scarlett,
No worries, that log should be enough to understand what's going on. That is a
bug in the snapd interface because the AppArmor policy specified the peer_label
as unconfined, but that's no longer the case for plasmashell. I'll reach out to
the snapd team and report the issue.
Thank
Hi Changqing Li,
Thanks for your report. Unfortunately, as John has stated in this comment:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2063976/comments/3
We are not able to ship a profile for bitbake running in a writable location of
an unprivileged user because it could be used to
As per the discussion in
https://irclogs.ubuntu.com/2024/07/09/%23ubuntu-security.txt
The recommendation from the security team is to not revert to the
"flags=(unconfined)" profile if the profile is already confined. That means
that we should only fix the multiarch issue.
Scarlett, you're
Added to QRT in MR https://code.launchpad.net/~georgiag/qa-regression-
testing/+git/qa-regression-testing/+merge/468941
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2062138
Title:
test-logprof.py
** Tags removed: verification-needed-jammy-linux-lowlatency-hwe-6.8
** Tags added: verification-done-jammy-linux-lowlatency-hwe-6.8
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2032602
Title:
*** This bug is a duplicate of bug 2046844 ***
https://bugs.launchpad.net/bugs/2046844
Verification done as part of Bug 2064672
** Tags removed: verification-needed verification-needed-noble
** Tags added: verification-done verification-done-noble
--
You received this bug notification
Verification done as part of Bug 2064672
** Tags removed: verification-needed verification-needed-noble
** Tags added: verification-done verification-done-noble
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Verification done as part of Bug 2064672
** Tags removed: verification-needed verification-needed-noble
** Tags added: verification-done verification-done-noble
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Thanks for the verification, John. I updated the tags based on the
results of your tests.
** Tags removed: verification-needed verification-needed-noble
** Tags added: verification-done verification-done-noble
--
You received this bug notification because you are a member of Ubuntu
Bugs, which
Thanks for reviewing, Chris. I have updated the test plan with your
suggestions, and I also updated the ppa containing a new version of the
package with the wike profile location fixed. I'll also make sure to
comment on the bugs in the changelog that verification is not required.
** Description
** Description changed:
[ Impact ]
This SRU has several fixes:
add unconfined profile for tuxedo-control-center (Bug 2046844)
fix issues appointed by coverity
fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386)
fix redefinition of _ which caused an issue with
** Tags removed: verification-needed-noble-linux-oracle
** Tags added: verification-done-noble-linux-oracle
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2032602
Title:
[FFe] apparmor-4.0.0-alpha2
Fix committed in
https://gitlab.com/apparmor/apparmor/-/merge_requests/1251
** Changed in: apparmor (Ubuntu)
Status: New => Fix Committed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2061113
** Changed in: apparmor (Ubuntu)
Status: Confirmed => Invalid
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2056696
Title:
All Snaps are denied the ability to use DBus for notifications and
** Changed in: apparmor (Ubuntu)
Status: Confirmed => Invalid
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2057927
Title:
lxd vga console throws "Operation not permitted" error
To manage
This is probably happening because before 24.04 plasmashell was not
confined, therefore it had the "unconfined" label. But now that it is
confined, we need a rule to allow peer_label="plasmashell"
** Also affects: snapd (Ubuntu)
Importance: Undecided
Status: New
--
You received this
** Tags removed: verification-needed-jammy-linux-nvidia-6.8
verification-needed-noble-linux-gke
** Tags added: verification-done-jammy-linux-nvidia-6.8
verification-done-noble-linux-gke
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to
** Tags removed: verification-needed-jammy-linux-nvidia-6.8
verification-needed-noble-linux-gke
** Tags added: verification-done-jammy-linux-nvidia-6.8
verification-done-noble-linux-gke
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to
** Tags removed: verification-needed-jammy-linux-nvidia-6.8
verification-needed-noble-linux-gke
** Tags added: verification-done-jammy-linux-nvidia-6.8
verification-done-noble-linux-gke
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to
** Tags removed: verification-needed-jammy-linux-nvidia-6.8
verification-needed-noble-linux-gke
** Tags added: verification-done-jammy-linux-nvidia-6.8
verification-done-noble-linux-gke
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to
** Tags removed: verification-needed-noble-linux-gke
** Tags added: verification-done-noble-linux-gke
** Tags removed: verification-needed-noble-linux-gcp
** Tags added: verification-done-noble-linux-gcp
** Tags removed: verification-needed-noble-linux-azure
** Tags added:
** Tags removed: verification-needed-noble-linux-lowlatency
** Tags added: verification-done-noble-linux-lowlatency
** Tags removed: verification-needed-noble-linux-ibm
** Tags added: verification-done-noble-linux-ibm
--
You received this bug notification because you are a member of Ubuntu
This bug corresponds to the userspace components of AppArmor but it was
added in some kernel patches along with Bug 2028253. Verification should
be completed in Bug 2028253
** Tags removed: verification-needed-jammy-linux-aws-6.5
verification-needed-jammy-linux-azure-6.5
Hi Simon,
The use of --unshare=network does not cause a regression with the bwrap profile.
This is the full profile:
https://gitlab.com/apparmor/apparmor/-/blob/aa74b9b12d9ed55909489403a0c2514b9ea6a95f/profiles/apparmor/profiles/extras/bwrap-userns-restrict
If you look at the bwrap profile
** Package changed: apparmor (Ubuntu) => snapd (Ubuntu)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2067564
Title:
Syslog is flooded with messages when watching videos on Youtube
To manage
*** This bug is a duplicate of bug 2064144 ***
https://bugs.launchpad.net/bugs/2064144
Hi Mikko. Thanks for the report. This seems to be a duplicate of Bug
2064144, which has the fix on its way to noble.
** This bug has been marked a duplicate of bug 2064144
lxc ships apparmor config
** Description changed:
[ Impact ]
This SRU has several fixes:
add unconfined profile for tuxedo-control-center (Bug 2046844)
fix issues appointed by coverity
fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386)
fix redefinition of _ which caused an issue with
** Description changed:
[ Impact ]
This SRU has several fixes:
add unconfined profile for tuxedo-control-center (Bug 2046844)
fix issues appointed by coverity
fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386)
fix redefinition of _ which caused an issue with
Thanks. That version should have the nautilus profile that makes the
thumbnails appear, so we will need to dig a bit deeper.
Could you paste the results of the following command? This will show us if
there is a profile for nautilus loaded and it should look something like this
$ sudo aa-status
*** This bug is a duplicate of bug 2046844 ***
https://bugs.launchpad.net/bugs/2046844
Hello! Thanks for tagging apparmor. Yes, this is a duplicate of bug
2046844. We are working on an update that introduces a profile for bwrap
which would allow setzer (and several other applications) to work
If you're still running into this issue, do you mind sharing which AppArmor
version are you running? For that you can run
apt-cache policy apparmor
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
** Description changed:
[ Impact ]
This SRU has several fixes:
add unconfined profile for tuxedo-control-center (Bug 2046844)
fix issues appointed by coverity
fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386)
fix redefinition of _ which caused an issue with
I added the suggested patch to QRT:
https://code.launchpad.net/~georgiag/qa-regression-testing/+git/qa-regression-testing/+merge/465526
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2062138
Title:
** Description changed:
[ Impact ]
This SRU has several fixes:
add unconfined profile for tuxedo-control-center (Bug 2046844)
fix issues appointed by coverity
fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386)
fix redefinition of _ which caused an issue with
Public bug reported:
[ Impact ]
This SRU has several fixes:
add unconfined profile for tuxedo-control-center (Bug 2046844)
fix issues appointed by coverity
fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386)
fix redefinition of _ which caused an issue with translation, failing
The mqueue patches are present in jammy-linux-gcp-fips: commits
6e7ff802c7b10 and b4ebbcfebd4d3
** Tags removed: verification-needed-jammy-linux-gcp-fips
** Tags added: verification-done-jammy-linux-gcp-fips
--
You received this bug notification because you are a member of Ubuntu
Bugs, which
The fix is similar for privoxy. I attached the debdiff that fixes it.
** Patch added: "privoxy_3.0.34-3ubuntu2.debdiff"
https://bugs.launchpad.net/ubuntu/+source/cups-browsed/+bug/2058866/+attachment/5759689/+files/privoxy_3.0.34-3ubuntu2.debdiff
--
You received this bug notification
Ah, sorry, Łukasz. I didn't see you were working on it.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2058866
Title:
proposed-migration for cups-browsed 2.0.0-0ubuntu8
To manage notifications
Erich Eickmeyer, I don't have a Tuxedo Computer to test, so could you
please check if the following profile works for you?
$ echo "# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"
abi ,
include
profile
This issue should be fixed by apparmor 4.0.0~beta2-0ubuntu3 which is
currently in -proposed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2047256
Title:
Ubuntu 24.04 Some image thumbnails no longer
Verification in mantic was successful:
georgia@sec-mantic-amd64:~$ uname -a
Linux sec-mantic-amd64 6.5.0-27-generic #28-Ubuntu SMP PREEMPT_DYNAMIC Thu Mar
7 18:21:00 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
georgia@sec-mantic-amd64:~$ cat
/sys/kernel/security/apparmor/features/mount/move_mount
*** This bug is a duplicate of bug 2051932 ***
https://bugs.launchpad.net/bugs/2051932
** This bug has been marked a duplicate of bug 2051932
attach_disconnected test from test_regression_testsuite of
ubuntu_qrt_apparmor failed with "Unable to run test sub-executable" on Mantic
--
You
*** This bug is a duplicate of bug 2032851 ***
https://bugs.launchpad.net/bugs/2032851
** This bug has been marked a duplicate of bug 2032851
package apparmor 2.12-4ubuntu5.3 failed to install/upgrade: new apparmor
package pre-installation script subprocess returned error exit status 1
The mqueue patches are present in jammy-linux-mtk: commits 6e7ff802c7b10
and b4ebbcfebd4d3
** Tags removed: verification-needed-jammy-linux-mtk
** Tags added: verification-done-jammy-linux-mtk
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to
The mqueue patches are present in linux-azure-fips: commits
6e7ff802c7b10 and b4ebbcfebd4d3
** Tags removed: verification-needed-jammy-linux-azure-fips
** Tags added: verification-done-jammy-linux-azure-fips
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is
The mqueue patches are present in linux-nvidia-tegra: commits
6e7ff802c7b10 and b4ebbcfebd4d3
** Tags removed: verification-needed-jammy-linux-nvidia-tegra
** Tags added: verification-done-jammy-linux-nvidia-tegra
--
You received this bug notification because you are a member of Ubuntu
Bugs,
I can confirm that the mqueue patches are present in linux-xilinx-
zynqmp: commits 6e7ff802c7b10 and b4ebbcfebd4d3
** Tags removed: verification-needed-jammy-linux-xilinx-zynqmp
** Tags added: verification-done-jammy-linux-xilinx-zynqmp
--
You received this bug notification because you are a
@Sebastien, yes, I asked people from the security team to sponsor it but
we are still reviewing the snap_browsers abstraction. We are denying
access to /run/user/[0-9]*/gdm/Xauthority in the policy but if that was
the case, then the browser should not have been able to open, but it
does open so we
** Patch added: "apparmor_2.12-4ubuntu5.2.debdiff"
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581885/+files/apparmor_2.12-4ubuntu5.2.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
@Sebastien, yes, just did. Thank you!
I also attached the debdiffs for evince and apparmor for bionic, focal, impish
and jammy. They were also uploaded into the Security Proposed PPA:
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=apparmor
** Patch added: "apparmor_3.0.3-0ubuntu1.1.debdiff"
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581883/+files/apparmor_3.0.3-0ubuntu1.1.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
** Patch added: "apparmor_2.13.3-7ubuntu5.2.debdiff"
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581884/+files/apparmor_2.13.3-7ubuntu5.2.debdiff
** Patch removed: "apparmor_3.0.3-0ubuntu1.1.debdiff"
** Patch added: "apparmor_3.0.3-0ubuntu1.1.debdiff"
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581882/+files/apparmor_3.0.3-0ubuntu1.1.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
** Patch added: "apparmor_3.0.4-2ubuntu3.debdiff"
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581881/+files/apparmor_3.0.4-2ubuntu3.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
** Patch added: "evince_3.28.4-0ubuntu1.3.debdiff"
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581880/+files/evince_3.28.4-0ubuntu1.3.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
** Patch added: "evince_3.36.10-0ubuntu1.1.debdiff"
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581879/+files/evince_3.36.10-0ubuntu1.1.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
** Patch added: "evince_40.4-2ubuntu0.1.debdiff"
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581878/+files/evince_40.4-2ubuntu0.1.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
** Patch added: "evince_42.1-3ubuntu1.debdiff"
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581877/+files/evince_42.1-3ubuntu1.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
** Description changed:
- This is related to bug #1792648. After fixing that one (see discussion
- at https://salsa.debian.org/gnome-team/evince/merge_requests/1),
- clicking a hyperlink in a PDF opens it correctly if the default browser
- is a well-known application (such as /usr/bin/firefox),
** Changed in: apparmor (Ubuntu)
Assignee: (unassigned) => Georgia Garcia (georgiag)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1794064
Title:
Clicking a hyperlink in a PDF fails to o
I'm working on a SRU for apparmor and evince to introduce the snap_browsers
abstraction on apparmor as a workaround for this issue.
It is based on these two merge requests from upstream:
https://gitlab.com/apparmor/apparmor/-/merge_requests/806
I was able to reproduce this issue on focal and bionic but not on
impish. I'm still investigating why, since I don't see any changes in
policies that might affect this issue, but I could have missed
something.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which
** Changed in: evince (Ubuntu)
Assignee: (unassigned) => Georgia Garcia (georgiag)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1794064
Title:
Clicking a hyperlink in a PDF fails to o
Tested on -proposed by causing the leak and checking the memory used
with "free", since CONFIG_DEBUG_KMEMLEAK is not set. It worked as
expected - the memory used shown in "free" after removing the profile
was in an expected range.
** Tags removed: verification-needed-bionic
** Description changed:
There's a memory leak in the kernel when removing a profile.
A simple reproducible example:
root@ubuntu:~# echo "profile foo {}" > profile
root@ubuntu:~# apparmor_parser profile
root@ubuntu:~# apparmor_parser -R profile
root@ubuntu:~# echo scan >
Tested on bionic-proposed using the test binary that can be obtained in
the old description and it worked as expected:
root@ubuntu:~# gcc ./readlink-ns.c && sudo apparmor_parser -r
./readlink-ns.apparmor && sudo aa-exec -p test -- ./a.out -p 1 -n pid
path: /proc/1/ns/pid
rpath: pid:[4026531836]
** Tags added: hirsute
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1918410
Title:
isc-dhcp-client denied by apparmor
To manage notifications about this bug go to:
*** This bug is a duplicate of bug 1918410 ***
https://bugs.launchpad.net/bugs/1918410
This is likely a duplicate of bug #1918410
** This bug has been marked a duplicate of bug 1918410
isc-dhcp-client denied by apparmor
--
You received this bug notification because you are a member of
From the commits mentioned that solve the issue, 338d0be437ef was not
available on 4.15 kernels. The cherry-pick was submitted to the kernel
team for approval.
** Description changed:
- Per 'man namespaces':
+ SRU Justification:
- "Permission to dereference or read (readlink(2)) these
After downloading the apparmor source from hirsute-proposed and running
the regression tests, I was able to confirm that the i18n test is now
passing for arm64.
** Tags removed: verification-needed verification-needed-hirsute
** Tags added: verification-done verification-done-hirsute
--
You
75 matches
Mail list logo
