Package: redshift
Version: 1.12-3
Severity: important
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi myself!
The AppArmor profile for redshift is broken under Wayland.
Since Wayland support just got added in this version, this is not a problem
for existing users of the package, but I should fix this ASAP.
The log message is pretty straightforward:
> kernel: audit: type=1400 audit(1607788832.946:72): apparmor="DENIED"
> operation="mknod" profile="/usr/bin/redshift"
> name="/run/user/1000/redshift-shared-DbzWVS" pid=1511436 comm="redshift"
> requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
abstractions/wayland authorises manipulating /run/user/*/${name}-shared-*,
when the file is owned by the user, and ${name} belongs to a whitelist
(mesa, mutter, sdl, wayland-cursor, weston, or xwayland).
I do not know whether the rule in the abstraction should be made more flexible,
if redshift implements the wayland parts wrong (this is implemented from a patch
that upstream hasn't merged yet), or something else, so I am just going to add
this specific path pattern in redshift's AppArmor profile.
Best,
nicoo
- -- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.9.0-4-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages redshift depends on:
ii init-system-helpers 1.59
ii libc6 2.31-5
ii libdrm2 2.4.103-2
ii libglib2.0-0 2.66.3-2
ii libwayland-client0 1.18.0-2~exp1.1
ii libx11-6 2:1.6.12-1
ii libxcb-randr0 1.14-2
ii libxcb1 1.14-2
ii libxxf86vm1 1:1.1.4-1+b2
Versions of packages redshift recommends:
ii geoclue-2.0 2.5.6-1
redshift suggests no packages.
- -- no debconf information
-----BEGIN PGP SIGNATURE-----
iQJFBAEBCgAvFiEEU7EqA8ZVHYoLJhPE5vmO4pLV7MsFAl/U6vMRHG5pY29vQGRl
Ymlhbi5vcmcACgkQ5vmO4pLV7MvFbQ//ZYK3m0Qk40ATjCAjZKX8I3c6HCcrAzym
x5IOy0GfvAtrYh1VpWuuHC6fEu+FrDJYZSVGth+HSBrrmJaF90RuRbr3+SXM2Zwk
EBqwccfDnE7GSvgARQ8k5MRZs1+iGFTuriY1H3UuJT4QnWtX9tpuAR+NYLlDSgZP
yTBk0PIvVAMXlWDoO3Zo/UFjq0qHfRw5UNzRUs9nBiM+iLvF5l8nnkAWK/jXsLNI
NldGXGN3A8V0biveJgbCR0S+QSfTr1dHd/eDc8KimL1ZitFP9NZ4Qd5kjRG3JSbj
ltEGgXUS/IJa7fJe3urwLrahfGN5kGVBqpMjGIzQDEWsTvuRTWY58/a63AUswu+w
EEfI6/jXzooCjnS2butv1YcFpqhaze4fbN/35enoxBFDHwPOLE0FrijwdDhjXzCP
Tv86jb6RZCJcwnlVRxhXEbuOyd7PKNHknyGTdV9GcEPXtPam4DdJGffuKqUPidlM
L9neBqhkhk7IdD7JJb+yDcyrgBMbOz9ai/gplTmOTuoasVAsRYXokBZlsy2QVwF8
SGmOQuFTNXZ+L2fmmmAasF/O54qsxznXAFqBItjQiX1V/rgZeFUrFBVJGmm/9DMW
trbHrsLFUrc5H6kIcmvunG/j63pvYVV/g+0RnfZu2e4Tx8h6h9khFWnOplCJXvox
UHcmK9eSthI=
=XkJv
-----END PGP SIGNATURE-----
