** Description changed:

  [ Impact ]
  
  This SRU contains fixes for a number of bugs:
-  * The unprivileged_userns profile did not have access to the root directory 
(LP: #2110616)
-  * lsblk could not list DASD devices on IBM System Z (LP: #2107402)
-  * Various commands segfaulted when run from a confined context due to 
missing permissions on the binary execution path (LP: #2107455, LP: #2110628)
-  * The plasmashell profile was missing new path to QtWebEngineProcess, 
causing breakage of Web Browser widget (LP: #2107723)
-  * fusermount3 lacked permissions to mount to /cvmfs (LP: #2110624)
-  * openvpn lacked permissions to manage DNS settings for pushed DHCP settings 
(LP: #2107596)
-  * openvpn lacked permissions to perform mDNS lookups (LP: #2109029)
-  * remmina broke due to missing permissions (LP: #2107723)
-  * fusermount3 lacked permissions to mount with noatime, needed for 
fuse_overlayfs (LP: #2110626)
-  * iotop-c failed to launch at all due to permission denials in nl_init (LP: 
#2107727)
-  * The parser did not handle the norelatime mount flag correctly (LP: 
#2110688)
-  * The apparmor.d man page contained incorrect information about the 
combination of mount options=(list) options in (list)
-    (LP: #2110630)
-  * This SRU also includes a regression test update 
(https://gitlab.com/apparmor/apparmor/-/merge_requests/1672) that is not part 
of the built package but that 1) ensures that the documented behavior lines up 
with the actual behavior, and 2) serves as a test for the parser patch
+  * The unprivileged_userns profile did not have access to the root directory 
(LP: #2110616)
+  * lsblk could not list DASD devices on IBM System Z (LP: #2107402)
+  * Various commands segfaulted when run from a confined context due to 
missing permissions on the binary execution path (LP: #2107455, LP: #2110628)
+  * The plasmashell profile was missing new path to QtWebEngineProcess, 
causing breakage of Web Browser widget (LP: #2107723)
+  * fusermount3 lacked permissions to mount to /cvmfs (LP: #2110624)
+  * openvpn lacked permissions to manage DNS settings for pushed DHCP settings 
(LP: #2107596)
+  * openvpn lacked permissions to perform mDNS lookups (LP: #2109029)
+  * remmina broke due to missing permissions (LP: #2107723)
+  * fusermount3 lacked permissions to mount with flags needed for 
fuse_overlayfs and sshfs via fstab (LP: #2110626, LP: #2111807)
+  * iotop-c failed to launch at all due to permission denials in nl_init (LP: 
#2107727)
+  * The parser did not handle the norelatime mount flag correctly (LP: 
#2110688)
+  * The apparmor.d man page contained incorrect information about the 
combination of mount options=(list) options in (list)
+    (LP: #2110630)
+  * This SRU also includes a regression test update 
(https://gitlab.com/apparmor/apparmor/-/merge_requests/1672) that is not part 
of the built package but that 1) ensures that the documented behavior lines up 
with the actual behavior, and 2) serves as a test for the parser patch
  
  [ Test Plan ]
  
  Bug-specific test plans can be found in their respective LP bug entries.
-  
+ 
  Generic test plan (for all AppArmor changes, not specific to this SRU):
  
  AppArmor is also extensively tested via its QRT test suite, which includes 
execution of the AppArmor test suite.
-  * To prepare the QRT test suite (can be done on any machine):
-    - `git clone https://git.launchpad.net/qa-regression-testing`
-    - `./scripts/make-test-tarball ./scripts/test-apparmor.py`
-  * To run the QRT test suite:
-    - Copy the tarball onto the machine with the new AppArmor installed and 
extract it
-    - `sudo ./install-packages test-apparmor.py`
-    - Reboot after dependency installation
-    - `sudo ./test-apparmor.py -v`
+  * To prepare the QRT test suite (can be done on any machine):
+    - `git clone https://git.launchpad.net/qa-regression-testing`
+    - `./scripts/make-test-tarball ./scripts/test-apparmor.py`
+  * To run the QRT test suite:
+    - Copy the tarball onto the machine with the new AppArmor installed and 
extract it
+    - `sudo ./install-packages test-apparmor.py`
+    - Reboot after dependency installation
+    - `sudo ./test-apparmor.py -v`
  
  [ Where problems could occur ]
  
- All the profile changes in this SRU are loosening confinement on a profile. 
However, if a user manually modified the installed profiles, then the package 
upgrade would cause conflicts, and rejection of the incoming changes (either by 
hand during an interactive upgrade or automatically during an batch unattended 
upgrade) would result in end users not getting the complete set of packaged 
fixes. However, as each of the files updated are independent of each other, a 
partially fixed state will not be more broken than an unfixed (before upgrade) 
state.
-  
- Remmina profile specific: If a user set up custom profiles that use 
"peer=remmina" IPC rules, then these rules would break upon the upgrade 
removing the remmina profile. However, none of the officially shipped profiles 
include such rules.
+ All the profile changes in this SRU are loosening confinement on a
+ profile. However, if a user manually modified the installed profiles,
+ then the package upgrade would cause conflicts, and rejection of the
+ incoming changes (either by hand during an interactive upgrade or
+ automatically during an batch unattended upgrade) would result in end
+ users not getting the complete set of packaged fixes. However, as each
+ of the files updated are independent of each other, a partially fixed
+ state will not be more broken than an unfixed (before upgrade) state.
+ 
+ Remmina profile specific: If a user set up custom profiles that use
+ "peer=remmina" IPC rules, then these rules would break upon the upgrade
+ removing the remmina profile. However, none of the officially shipped
+ profiles include such rules.
  
  The man page update is a documentation-only change. The risk exists that
  the new packaged man page could be malformed, but this is unlikely since
  the man page is generated by pod2man, and such issues can be caught
  during testing by attempting to open the man page after installation of
  the new version.
  
  The parser fix changes the behavior of mount rules that explicitly
  specify the norelatime flag. In particular, a custom profile containing
  `mount options in (norelatime)` will have different, more permissive
  behavior than before (reducing regression risk as compared to tightening
  behavior). However, this flag is not used in any of the commonly used
  profiles (including the ones in our repo and the profile fragments used
  by snapd), so this will not change the behavior of most profiles being
  used.
  
  [ Other Info ]
  
- The attached debdiff is identical to the one for the package uploaded to
- Questing, with the exception of the changelog.
+ The attached debdiff has a subset of the changes in the Questing
+ AppArmor package (4.1.0~beta5-0ubuntu14..4.1.0~beta5-0ubuntu16), with
+ the exception of the changelog.
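
Review bot: The remmina entry in the updated [ Impact ] list ("remmina broke due to missing permissions (LP: #2107723)") cites the same LP number as the plasmashell entry and does not say that the fix removes the remmina profile, yet [ Where problems could occur ] depends on exactly that ("the upgrade removing the remmina profile"). Suggest stating the removal in the Impact entry and confirming the bug number. Also, in [ Other Info ], "a subset of the changes ... with the exception of the changelog" leaves open which Questing changes are omitted; naming them would let the SRU reviewer check the debdiff against 4.1.0~beta5-0ubuntu14..4.1.0~beta5-0ubuntu16.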

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2110236

Title:
  [SRU] fixes for AppArmor in Plucky

Status in apparmor package in Ubuntu:
  New
Status in apparmor source package in Plucky:
  In Progress

Bug description:
  [ Impact ]

  This SRU contains fixes for a number of bugs:
   * The unprivileged_userns profile did not have access to the root
     directory (LP: #2110616)
   * lsblk could not list DASD devices on IBM System Z (LP: #2107402)
   * Various commands segfaulted when run from a confined context due to
     missing permissions on the binary execution path (LP: #2107455,
     LP: #2110628)
   * The plasmashell profile was missing new path to QtWebEngineProcess,
     causing breakage of Web Browser widget (LP: #2107723)
   * fusermount3 lacked permissions to mount to /cvmfs (LP: #2110624)
   * openvpn lacked permissions to manage DNS settings for pushed DHCP
     settings (LP: #2107596)
   * openvpn lacked permissions to perform mDNS lookups (LP: #2109029)
   * remmina broke due to missing permissions (LP: #2107723)
   * fusermount3 lacked permissions to mount with flags needed for
     fuse_overlayfs and sshfs via fstab (LP: #2110626, LP: #2111807)
   * iotop-c failed to launch at all due to permission denials in
     nl_init (LP: #2107727)
   * The parser did not handle the norelatime mount flag correctly
     (LP: #2110688)
   * The apparmor.d man page contained incorrect information about the
     combination of mount options=(list) options in (list)
     (LP: #2110630)
   * This SRU also includes a regression test update
     (https://gitlab.com/apparmor/apparmor/-/merge_requests/1672) that is
     not part of the built package but that 1) ensures that the
     documented behavior lines up with the actual behavior, and
     2) serves as a test for the parser patch

  [ Test Plan ]

  Bug-specific test plans can be found in their respective LP bug
  entries.

  Generic test plan (for all AppArmor changes, not specific to this
  SRU):

  AppArmor is also extensively tested via its QRT test suite, which
  includes execution of the AppArmor test suite.
   * To prepare the QRT test suite (can be done on any machine):
     - `git clone https://git.launchpad.net/qa-regression-testing`
     - `./scripts/make-test-tarball ./scripts/test-apparmor.py`
   * To run the QRT test suite:
     - Copy the tarball onto the machine with the new AppArmor installed
       and extract it
     - `sudo ./install-packages test-apparmor.py`
     - Reboot after dependency installation
     - `sudo ./test-apparmor.py -v`

  [ Where problems could occur ]

  All the profile changes in this SRU are loosening confinement on a
  profile. However, if a user manually modified the installed profiles,
  then the package upgrade would cause conflicts, and rejection of the
  incoming changes (either by hand during an interactive upgrade or
  automatically during a batch unattended upgrade) would result in end
  users not getting the complete set of packaged fixes. However, as each
  of the files updated is independent of the others, a partially fixed
  state will not be more broken than an unfixed (before upgrade) state.

  Remmina profile specific: If a user set up custom profiles that use
  "peer=remmina" IPC rules, then these rules would break upon the
  upgrade removing the remmina profile. However, none of the officially
  shipped profiles include such rules.

  The man page update is a documentation-only change. The risk exists
  that the new packaged man page could be malformed, but this is
  unlikely since the man page is generated by pod2man, and such issues
  can be caught during testing by attempting to open the man page after
  installation of the new version.

  The parser fix changes the behavior of mount rules that explicitly
  specify the norelatime flag. In particular, a custom profile
  containing `mount options in (norelatime)` will have different, more
  permissive behavior than before (reducing regression risk as compared
  to tightening behavior). However, this flag is not used in any of the
  commonly used profiles (including the ones in our repo and the profile
  fragments used by snapd), so this will not change the behavior of most
  profiles being used.

  [ Other Info ]

  The attached debdiff has a subset of the changes in the Questing
  AppArmor package (4.1.0~beta5-0ubuntu14..4.1.0~beta5-0ubuntu16), with
  the exception of the changelog.

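The two custom-profile risks named under [ Where problems could occur ], "peer=remmina" IPC rules and mount rules that name norelatime, can be looked for in local profiles before the upgrade. This is an added example, not part of the bug report or of AppArmor itself; `affected_rules`, `scan_dir` and the sample profile are hypothetical names and constructed input, and the patterns assume a simplified subset of apparmor.d syntax.

```python
import re
from pathlib import Path

# Simplified subset of apparmor.d syntax (assumption); this is not the real parser.
COMMENT = re.compile(r"(?:^|\s)#(?!include\b).*$")
PREAMBLE = re.compile(r"^(?:#?include\b|@\{\w+\}\s*\+?=)")  # lines with no trailing comma
MOUNT_RULE = re.compile(r"^(?:(?:audit|allow|deny)\s+)*(?:mount|remount|umount)\b")
NORELATIME = re.compile(r"\boptions\s*(?:=|in)\s*(?:\([^)]*\bnorelatime\b|norelatime\b)")
PEER_REMMINA = re.compile(r"\bpeer\s*=\s*(?:\([^)]*\blabel\s*=\s*)?remmina(?=[\s),])")

def affected_rules(profile_text):
    """Return (first_line, reason, rule) for each rule the SRU text says may change."""
    hits, buf, start = [], "", 0
    for no, raw in enumerate(profile_text.splitlines(), 1):
        line = COMMENT.sub("", raw).strip()
        if not line or (not buf and PREAMBLE.match(line)):
            continue
        if not buf:
            start = no
        buf = f"{buf} {line}".strip()
        if not buf.endswith((",", "{", "}")):
            continue  # the rule continues on the next line
        if MOUNT_RULE.match(buf) and NORELATIME.search(buf):
            hits.append((start, "norelatime-mount", buf))
        if PEER_REMMINA.search(buf):
            hits.append((start, "peer=remmina", buf))
        buf = ""
    return hits

def scan_dir(root):
    """Map each file under root (e.g. /etc/apparmor.d) to its hits, if any."""
    files = (p for p in sorted(Path(root).rglob("*")) if p.is_file())
    found = ((str(p), affected_rules(p.read_text(errors="replace"))) for p in files)
    return {name: hits for name, hits in found if hits}

# Constructed sample profile, for illustration only.
SAMPLE = """\
profile example /usr/bin/example {
  include <abstractions/base>
  # mount options in (norelatime) /commented/out,
  mount options in (rw, norelatime)
        /srv/data/ -> /mnt/data/,
  mount options=(ro, noatime) /srv/ro/ -> /mnt/ro/,
  dbus send bus=session peer=(label=remmina),
  signal (send) set=(term) peer=remmina,
  unix (connect) peer=(label=remmina-helper),
}
"""
```

Running `scan_dir("/etc/apparmor.d")` on a host lists the files and rules worth reviewing by hand; an empty result means neither pattern was found by this simplified matcher.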