Hello Thomas, or anyone else affected,

Accepted apparmor into hirsute-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/apparmor/3.0.0-0ubuntu7.1 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-hirsute to verification-done-hirsute. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-hirsute. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: apparmor (Ubuntu Hirsute)
       Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-hirsute

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1934005

Title:
  abstractions/X: Possible regression of X session functionality by
  removing 'w' from /tmp/.X11-unix/* line?

Status in apparmor package in Ubuntu:
  Fix Released
Status in apparmor source package in Hirsute:
  Fix Committed
Status in apparmor source package in Impish:
  Fix Released

Bug description:
  [Impact]
  Any application that requires access to X11 sockets for the Display may
  want to include abstractions/X in the AppArmor rules, which usually will
  include rules that we would want for access to the Display socket for X.

  However, an upstream regression was made by changes to the
  abstractions/X to remove the 'w' and leave it read only.  This doesn't
  work - X11 needs readwrite on the sockets for it to properly interact
  with X11.

  This is a fundamental regression that has been fixed upstream.

  
  [Test Plan]

  Any application that needs X11 integration with apparmor rules should
  `#include <abstractions/X>`

  This is the problem with
  https://bugs.launchpad.net/ubuntu/+source/torbrowser-launcher/+bug/1933886
  - while the fix for that would be to add `#include <abstractions/X>` in
  the ruleset, it will not function with the existing abstractions.  This
  is our test case in Impish:

   - add `#include <abstractions/X>` into
     `/etc/apparmor.d/torbrowser.Browser.firefox` and the apparmor rule.
   - `sudo systemctl restart apparmor.service`
   - Attempt to run torbrowser with torbrowser-launcher, which should now
     properly work with the revisions.  Without, torbrowser-launcher
     'starts' Tor Browser but then it just segfaults and stops running.

  We don't have a full test case for Hirsute at this time.

  
  [Where problems could occur]

  Based on my understanding of X11 and the upstream AppArmor bugs on
  this (refer to comments), there is no breakage introduced by this; in
  fact the breakage was already introduced upstream, so this simply
  fixes and removes the breakage when an apparmor rule includes these X
  abstractions and needs to write to the socket but can't.

  Therefore, I don't believe there are any 'problems' that can occur
  with this change.

  
  [Original Description]

  In Focal, abstractions/X has the following section in it:

    # the unix socket to use to connect to the display
    /tmp/.X11-unix/* rw,
    unix (connect, receive, send)
         type=stream
         peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
    unix (connect, receive, send)
         type=stream
         peer=(addr="@/tmp/.ICE-unix/[0-9]*"),

  However, in Impish, this seems to have changed:

    # the unix socket to use to connect to the display
    /tmp/.X11-unix/* r,
    unix (connect, receive, send)
         type=stream
         peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
    unix (connect, receive, send)
         type=stream
         peer=(addr="@/tmp/.ICE-unix/[0-9]*"),

  This in turn breaks torbrowser-launcher's Firefox from launching, even
  if we include the X abstractions, because the display sockets in
  /tmp/.X11-unix/* (X0 for Display :0 for example) are not read/write.

  This looks like a MAJOR regression by removing the permissions.  Or
  has Impish apparmor not been updated for any Ubuntu specific changes?

  ProblemType: Bug
  DistroRelease: Ubuntu 21.10
  Package: apparmor 3.0.0-0ubuntu8
  ProcVersionSignature: Ubuntu 5.11.0-20.21+21.10.1-generic 5.11.21
  Uname: Linux 5.11.0-20-generic x86_64
  ApportVersion: 2.20.11-0ubuntu67
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: LXQt
  Date: Tue Jun 29 14:39:00 2021
  InstallationDate: Installed on 2021-06-29 (0 days ago)
  InstallationMedia: Lubuntu 21.10 "Impish Indri" - Alpha amd64 (20210628)
  ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-5.11.0-20-generic 
root=UUID=d042602b-0900-4b2e-acb1-f67436e9805f ro quiet splash vt.handoff=7
  SourcePackage: apparmor
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1934005/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
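A quick verification helper for anyone testing the -proposed package, added here as an example and not part of the bug report or the apparmor package: it reads an abstractions/X file and reports the permission string on the `/tmp/.X11-unix/*` file rule, so a tester can confirm whether the installed abstraction grants `rw` (the Focal behaviour the report wants restored) or only `r` (the regressed Impish text quoted above). The path `/etc/apparmor.d/abstractions/X` is the usual location on Ubuntu; the two sample files written at the end are constructed from the snippets in the report so the script can be run offline.

```shell
#!/bin/sh
# Added example (not from the bug report): inspect the file rule that
# abstractions/X grants on the X11 display sockets.

# Print the permission string (e.g. "r" or "rw") of the
# "/tmp/.X11-unix/* <perms>," rule in the given abstraction file.
# Prints nothing if no such rule is present.
x11_socket_perms() {
    sed -n 's|^[[:space:]]*/tmp/\.X11-unix/\*[[:space:]]*\([a-z]*\),.*|\1|p' "$1" | head -n 1
}

# Exit 0 if the rule includes write access ('w'), 1 otherwise.
# Without 'w', a confined X client cannot open the display socket,
# which is the failure mode described in the report.
x11_sockets_writable() {
    case "$(x11_socket_perms "$1")" in
        *w*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Human-readable verdict for a file, e.g. the installed abstraction:
#   report_x11_rule /etc/apparmor.d/abstractions/X
report_x11_rule() {
    perms=$(x11_socket_perms "$1")
    if [ -z "$perms" ]; then
        echo "$1: no /tmp/.X11-unix/* rule found"
    elif x11_sockets_writable "$1"; then
        echo "$1: /tmp/.X11-unix/* $perms, (write granted, expected after the fix)"
    else
        echo "$1: /tmp/.X11-unix/* $perms, (write missing, regressed abstraction)"
    fi
}

# Constructed samples taken from the snippets quoted in the bug report.
sample_dir=$(mktemp -d)
cat > "$sample_dir/X-focal" <<'EOF'
  # the unix socket to use to connect to the display
  /tmp/.X11-unix/* rw,
  unix (connect, receive, send)
       type=stream
       peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
EOF
cat > "$sample_dir/X-impish" <<'EOF'
  # the unix socket to use to connect to the display
  /tmp/.X11-unix/* r,
  unix (connect, receive, send)
       type=stream
       peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
EOF

report_x11_rule "$sample_dir/X-focal"
report_x11_rule "$sample_dir/X-impish"
# On a real system, also check the installed file if it exists:
[ -r /etc/apparmor.d/abstractions/X ] && report_x11_rule /etc/apparmor.d/abstractions/X
rm -rf "$sample_dir"
```

When reporting back on the bug, the package version the SRU team asks for can be taken from `dpkg-query -W apparmor`; the helper only confirms that the abstraction text changed, it does not replace the functional test (launching the confined X client) described in the test plan.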
