The fixes landed in questing in
https://bugs.launchpad.net/ubuntu/+source/apparmor/4.1.0~beta5-0ubuntu15
** Changed in: apparmor (Ubuntu)
Status: Confirmed => Fix Released
** Changed in: apparmor (Ubuntu Plucky)
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2110236
Title:
[SRU] fixes for AppArmor in Plucky
Status in apparmor package in Ubuntu:
Fix Released
Status in apparmor source package in Plucky:
Fix Committed
Bug description:
[ Impact ]
This SRU contains fixes for a number of bugs:
* The unprivileged_userns profile did not have access to the root directory
(LP: #2110616)
* lsblk could not list DASD devices on IBM System Z (LP: #2107402)
* Various commands segfaulted when run from a confined context due to
missing permissions on the binary execution path (LP: #2107455, LP: #2110628)
* The plasmashell profile was missing new path to QtWebEngineProcess,
causing breakage of Web Browser widget (LP: #2107723)
* fusermount3 lacked permissions to mount to /cvmfs (LP: #2110624)
* openvpn lacked permissions to manage DNS settings for pushed DHCP settings
(LP: #2107596)
* openvpn lacked permissions to perform mDNS lookups (LP: #2109029)
* remmina broke due to missing permissions (LP: #2107723)
* fusermount3 lacked permissions to mount with flags needed for
fuse_overlayfs and sshfs via fstab (LP: #2110626, LP: #2111807)
* iotop-c failed to launch at all due to permission denials in nl_init (LP:
#2107727)
* The parser did not handle the norelatime mount flag correctly (LP:
#2110688)
* The apparmor.d man page contained incorrect information about the
combination of mount options=(list) options in (list)
(LP: #2110630)
* This SRU also includes a regression test update
(https://gitlab.com/apparmor/apparmor/-/merge_requests/1672) that is not part
of the built package but that 1) ensures that the documented behavior lines up
with the actual behavior, and 2) serves as a test for the parser patch
[ Test Plan ]
Bug-specific test plans can be found in their respective LP bug
entries.
Generic test plan (for all AppArmor changes, not specific to this
SRU):
AppArmor is also extensively tested via its QRT test suite, which includes
execution of the AppArmor test suite.
* To prepare the QRT test suite (can be done on any machine):
- `git clone https://git.launchpad.net/qa-regression-testing`
- `./scripts/make-test-tarball ./scripts/test-apparmor.py`
* To run the QRT test suite:
- Copy the tarball onto the machine with the new AppArmor installed and
extract it
- `sudo ./install-packages test-apparmor.py`
- Reboot after dependency installation
- `sudo ./test-apparmor.py -v`
[ Where problems could occur ]
All the profile changes in this SRU are loosening confinement on a
profile. However, if a user manually modified the installed profiles,
then the package upgrade would cause conflicts, and rejection of the
incoming changes (either by hand during an interactive upgrade or
automatically during an batch unattended upgrade) would result in end
users not getting the complete set of packaged fixes. However, as each
of the files updated are independent of each other, a partially fixed
state will not be more broken than an unfixed (before upgrade) state.
Remmina profile specific: If a user set up custom profiles that use
"peer=remmina" IPC rules, then these rules would break upon the
upgrade removing the remmina profile. However, none of the officially
shipped profiles include such rules.
The man page update is a documentation-only change. The risk exists
that the new packaged man page could be malformed, but this is
unlikely since the man page is generated by pod2man, and such issues
can be caught during testing by attempting to open the man page after
installation of the new version.
The parser fix changes the behavior of mount rules that explicitly
specify the norelatime flag. In particular, a custom profile
containing `mount options in (norelatime)` will have different, more
permissive behavior than before (reducing regression risk as compared
to tightening behavior). However, this flag is not used in any of the
commonly used profiles (including the ones in our repo and the profile
fragments used by snapd), so this will not change the behavior of most
profiles being used.
[ Other Info ]
The attached debdiff has a subset of the changes in the Questing
AppArmor package (4.1.0~beta5-0ubuntu14..4.1.0~beta5-0ubuntu16), with
the exception of the changelog.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2110236/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
