Bug#1101071: apparmor-profiles chromium-browser profile removal in postinstall does not work

Mon, 31 Mar 2025 13:48:17 -0700 

On Mon, 31 Mar 2025 00:38:03 +0200 Alban Browaeys <pra...@yahoo.com>
wrote:
> On #debian-devel:matrix.debian.social I asked why and was told that:
> prior version should be the first version (with "~" appended) that
included the dpkg-maintscript invocation.

Confirmed by man 1 dpkg-maintscript-helper
                   If the conffile has not been shipped for several versions, 
and you are now modifying the maintainer scripts to clean up the obsolete file, 
prior-version should be based on the version of the  package
                   that you are now preparing, not the first version of the 
package that lacked the conffile.  This applies to all other actions in the 
same way.

                   For  example,  for  a  conffile removed in version 2.0-1 of 
a package, prior-version should be set to 2.0-1~.  This will cause the conffile 
to be removed even if the user rebuilt the previous version
                   1.0-1 as 1.0-1local1.  Or a package switching a path from a 
symlink (shipped in version 1.0-1) to a directory (shipped in version 2.0-1), 
but only performing  the  actual  switch  in  the  maintainer
                   scripts in version 3.0-1, should set prior-version to 3.0-1~


> I am still not confident installing a version above the one where the
dpkg-maintscript rm_conffile was included will triggers the conffile
removal code. But the version to pass should at least be the one where
the conffile removal was introduced, ie at least 4.1.0~beta5-5, and
maybe the version with the rm_conffile invocation with the correct
version passed to it (so maybe the next version).

I tried setting the prior-version for usr.bin.chromium-browser to the
first version to introduce the rm_conffile (but with the wrong
version), that is "4.1.0~beta5-5~" and it still fails to remove the
conffile. It probably requires the version to be a not yet installed
one, ie the next release "4.1.0~beta5-6~" or alike.

Later I tried to tset the rm_conffile versoin to the version I was
building, that is "4.1.0~beta5-6~" for version "4.1.0~beta5-6.1" and no
better, that is:


+ set -e
+ version=1.22.18
+ DPKG_ROOT=
+ [  = / ]
+ export DPKG_ROOT
+ PKGDATADIR_DEFAULT=/usr/share/dpkg
+ PKGDATADIR=/usr/share/dpkg
+ . /usr/share/dpkg/sh/dpkg-error.sh
+ basename /usr/bin/dpkg-maintscript-helper
+ : dpkg-maintscript-helper
+ COLOR_NORMAL=
+ COLOR_RESET=
+ COLOR_BOLD=
+ COLOR_BLACK=
+ COLOR_RED=
+ COLOR_GREEN=
+ COLOR_YELLOW=
+ COLOR_BLUE=
+ COLOR_MAGENTA=
+ [  = / ]
+ export DPKG_ROOT
+ PKGDATADIR_DEFAULT=/usr/share/dpkg
+ PKGDATADIR=/usr/share/dpkg
+ . /usr/share/dpkg/sh/dpkg-error.sh
+ basename /usr/bin/dpkg-maintscript-helper
+ : dpkg-maintscript-helper
+ COLOR_NORMAL=
+ COLOR_RESET=
+ COLOR_BOLD=
+ COLOR_BLACK=
+ COLOR_RED=
+ COLOR_GREEN=
+ COLOR_YELLOW=
+ COLOR_BLUE=
+ COLOR_MAGENTA=
+ COLOR_CYAN=
+ COLOR_GREEN=
+ COLOR_YELLOW=
+ COLOR_BLUE=
+ COLOR_MAGENTA=
+ COLOR_CYAN=
+ COLOR_WHITE=
+ COLOR_BOLD_BLACK=
+ COLOR_BOLD_RED=
+ COLOR_BOLD_GREEN=
+ COLOR_BOLD_YELLOW=
+ COLOR_BOLD_BLUE=
+ COLOR_BOLD_MAGENTA=
+ COLOR_BOLD_CYAN=
+ COLOR_BOLD_WHITE=
+ : auto
+ [ -t 1 ]
+ _dpkg_use_colors=yes
+ [ yes = yes ]
+ _dpkg_color_clear=
+ _dpkg_color_prog=
+ _dpkg_color_hint=
+ _dpkg_color_info=
+ _dpkg_color_notice=
+ _dpkg_color_warn=
+ _dpkg_color_error=
+ _dpkg_fmt_prog=dpkg-maintscript-helper
+ command=rm_conffile
+ [ 7 -gt 0 ]
+ shift
+ rm_conffile /etc/apparmor.d/usr.bin.chromium-browser 4.1.0~beta5-6~ -- 
upgrade 4.1.0~beta5-5 4.1.0~beta5-6.1
+ local CONFFILE=/etc/apparmor.d/usr.bin.chromium-browser
+ local LASTVERSION=4.1.0~beta5-6~
+ local PACKAGE=--
+ [ 4.1.0~beta5-6~ = -- ]
+ [  = / ]
+ export DPKG_ROOT
+ PKGDATADIR_DEFAULT=/usr/share/dpkg
+ PKGDATADIR=/usr/share/dpkg
+ . /usr/share/dpkg/sh/dpkg-error.sh
+ basename /usr/bin/dpkg-maintscript-helper
+ : dpkg-maintscript-helper
+ COLOR_NORMAL=
+ COLOR_RESET=
+ COLOR_BOLD=
+ COLOR_BLACK=
+ COLOR_RED=
+ COLOR_GREEN=
+ COLOR_YELLOW=
+ COLOR_BLUE=
+ COLOR_MAGENTA=
+ COLOR_CYAN=
+ dpkg --validate-version -- 4.1.0~beta5-6~
+ VERSIONCHECK=
+ debug Executing /usr/bin/dpkg-maintscript-helper rm_conffile in preinst of 
apparmor-profiles
+ [ -n  ]
+ debug CONFFILE=/etc/apparmor.d/usr.bin.chromium-browser 
PACKAGE=apparmor-profiles:all LASTVERSION=4.1.0~beta5-6~ ACTION=upgrade 
PARAM=4.1.0~beta5-5
+ [ -n  ]
+ [ upgrade = install -o upgrade = upgrade ]
+ [ -n 4.1.0~beta5-5 ]
+ dpkg --compare-versions -- 4.1.0~beta5-5 le-nl 4.1.0~beta5-6~
+ prepare_rm_conffile /etc/apparmor.d/usr.bin.chromium-browser 
apparmor-profiles:all
+ local CONFFILE=/etc/apparmor.d/usr.bin.chromium-browser
+ local PACKAGE=apparmor-profiles:all
+ [ -e /etc/apparmor.d/usr.bin.chromium-browser ]
+ ensure_package_owns_file apparmor-profiles:all 
/etc/apparmor.d/usr.bin.chromium-browser
+ local PACKAGE=apparmor-profiles:all
+ local FILE=/etc/apparmor.d/usr.bin.chromium-browser
+ dpkg-query -L apparmor-profiles:all
+ grep -F -q -x /etc/apparmor.d/usr.bin.chromium-browser
+ debug File '/etc/apparmor.d/usr.bin.chromium-browser' not owned by package  
'apparmor-profiles:all', skipping rm_conffile
+ [ -n  ]
+ return 1
+ return 0
+ exit 0

as:
dpkg src/dpkg-maintscript-helper.sh
93 prepare_rm_conffile() {
 94   local CONFFILE="$1"
 95   local PACKAGE="$2"
 96 
 97   [ -e "$DPKG_ROOT$CONFFILE" ] || return 0
 98   ensure_package_owns_file "$PACKAGE" "$CONFFILE" || return 0
 99   
100   local md5sum old_md5sum
101   md5sum="$(md5sum "$DPKG_ROOT$CONFFILE" | sed -e 's/ .*//')"
102   old_md5sum="$(dpkg-query -W -f='${Conffiles}' "$PACKAGE" | \
103     sed -n -e "\\'^ $CONFFILE ' { s/ obsolete$//; s/.* //; p }")"
104   if [ "$md5sum" != "$old_md5sum" ]; then
105     mv -f "$DPKG_ROOT$CONFFILE" "$DPKG_ROOT$CONFFILE.dpkg-backup"
106   else
107     mv -f "$DPKG_ROOT$CONFFILE" "$DPKG_ROOT$CONFFILE.dpkg-remove"
108   fi
109 }

= returns early if ensure_package_owns_file fails to find the conffile into the 
apparmor-profiles.list file.


529 ensure_package_owns_file() {
530   local PACKAGE="$1"
531   local FILE="$2"
532     
533   if ! dpkg-query -L "$PACKAGE" | grep -F -q -x "$FILE"; then
534     debug "File '$FILE' not owned by package " \
535           "'$PACKAGE', skipping $command"
536     return 1
537   fi
538   return 0
539 } 

dpkg-query -L, that is list_files:

dpkg src/query/main.c
  479 static int
  480 list_files(const char *const *argv)
  481 {
  482   const char *thisarg;
  483   struct fsys_namenode_list *file;
  484   struct pkginfo *pkg;
  485   struct fsys_namenode *namenode;
  486   int misses = 0;
  487 
  488   if (!*argv)
  489     badusage(_("--%s needs at least one package name argument"), 
cipaction->olong);
  490 
  491   modstatdb_open(msdbrw_readonly);
  492 
  493   while ((thisarg = *argv++) != NULL) {
  494     pkg = dpkg_options_parse_pkgname(cipaction, thisarg);
  495 
  496     switch (pkg->status) {
  497     case PKG_STAT_NOTINSTALLED:
  498       notice(_("package '%s' is not installed"),
  499              pkg_name(pkg, pnaw_nonambig));
  500       misses++;
  501       break;
  502     default:
  503       ensure_packagefiles_available(pkg);
  504       ensure_diversions();
  505       file = pkg->files;
  506       if (!file) {
  507         printf(_("Package '%s' does not contain any files (!)\n"),
  508                pkg_name(pkg, pnaw_nonambig));
  509       } else {
  510         while (file) {
  511           namenode = file->namenode;
  512           puts(namenode->name);


= print the pkg->files list to stdout

this list from: 

dpkg lib/dpkg/db-fsys-files.c
 115 void
  116 ensure_packagefiles_available(struct pkginfo *pkg)
  117 {

  134   filelistfile = pkg_infodb_get_file(pkg, &pkg->installed, LISTFILE);
= returns "apparmor-profiles.list"

  138   if (file_slurp(filelistfile, &buf, &err) < 0) {
= read this "apparmor-profiles.list" into buf

  156     fsys_list_parse_buffer(&buf, pkg);


dpkg lib/dpkg/db-fsys-files.c
   71 static void
   72 fsys_list_parse_buffer(struct varbuf *vb, struct pkginfo *pkg)
   73 {

   79   files_tail = &pkg->files;

  105     files_tail = pkg_files_add_file(pkg, namenode, files_tail);

= add each lines of the apparmor-profiles.list file into pkg->files a
list.



I am at loss as to how to get the conffile
/etc/apparmor.d/usr.bin.chromium-browser removed as it is not list in
apparmor-profiles.list and fopr good reason as far as I know, or is
apparmor-profiles.list supposed to contain the list of conffiles even
if not shipped by the package? (ie the computer filesystem status).
If so it could be the rm_conffile with the incorrect prior-version (ie
the prior-version set to the 2016 version that stopped shipping the
conffile (2.10.95-8~) instead of the apparmor-profiles version that add
the rm_conffile code (4.1.0~beta5-5~), removed the conffile from the
apparmor-profiles.list as it did in /var/lib/dpkg/status Conffiles:
list for the apparmor-profiles package entry?
that is even if the conffile was not removed from the filesystem the
entry from the dpkg status db file
" /etc/apparmor.d/usr.bin.chromium-browser 8776649e465b5b5b0ffd1a5c792ce03e 
obsolete"
 was removed under "Conffiles:")

Best Regards,
Alban

Reply via email to