Activity log for bug #2064672

Date Who What changed Old value New value Message
2024-05-02 21:12:44 Georgia Garcia bug added bug
2024-05-02 21:14:28 Georgia Garcia description [ Impact ] This SRU has several fixes: add unconfined profile for tuxedo-control-center (Bug 2046844) fix issues appointed by coverity fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386) fix redefinition of _ which caused an issue with translation, failing aa-enforce (https://gitlab.com/apparmor/apparmor/-/issues/387) add mount test for CVE-2016-1585 (Bug 1597017 and Bug 2023814) add network inet mediation documentation to apparmor.d fix inet conditionals to only generate rules for inet family (https://gitlab.com/apparmor/apparmor/-/issues/384) add unconfined wike profile (Bug 2060810) add unconfined foliate profile (Bug 2060767) fix chromium_browser profile (https://gitlab.com/apparmor/apparmor/-/merge_requests/1208) add profiles for Transmission family of Bittorrent clients add profile for unshare utility (Bug 2046844) add profile for bwrap utility (Bug 2046844) fix unconfined firefox profile to support mozilla.org download (Bug 2056297) fix getattr and setattr perm mapping on mqueue rules (https://gitlab.com/apparmor/apparmor/-/issues/377 and https://gitlab.com/apparmor/apparmor/-/issues/378) fix inet tests (https://gitlab.com/apparmor/apparmor/-/issues/376) fix sshd profile (Bug 2060100) fix apparmor tools to allow mount destination globbing (https://gitlab.com/apparmor/apparmor/-/issues/381) fix firefox profile (https://gitlab.com/apparmor/apparmor/-/issues/380) move pam-related permissions to abstractions/authentication (https://bugzilla.opensuse.org/show_bug.cgi?id=1220032) [ Test Plan ] This has been extensively tested via the AppArmor regression test script in the QA Regression Testing repo: https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py This script runs various tests against the installed apparmor package, as well as building and running the various upstream regression and other test suites against this installed package: - 
https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads - https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads - https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads - https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads [ Where problems could occur ] There could still be more applications affected by the restriction of the creation of unprivileged user namespaces. They might require the creation of new unconfined profiles which could be mitigated in a later SRU. [ Other Info ] The SRU is available in: https://launchpad.net/~georgiag/+archive/ubuntu/apparmor-4.0.1 [ Impact ] This SRU has several fixes: add unconfined profile for tuxedo-control-center (Bug 2046844) fix issues appointed by coverity fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386) fix redefinition of _ which caused an issue with translation, failing aa-enforce (https://gitlab.com/apparmor/apparmor/-/issues/387) add mount test for CVE-2016-1585 (Bug 1597017 and Bug 2023814) add network inet mediation documentation to apparmor.d fix inet conditionals to only generate rules for inet family (https://gitlab.com/apparmor/apparmor/-/issues/384) add unconfined wike profile (Bug 2060810) add unconfined foliate profile (Bug 2060767) fix chromium_browser profile (https://gitlab.com/apparmor/apparmor/-/merge_requests/1208) add profiles for Transmission family of Bittorrent clients add profile for unshare utility (Bug 2046844) add profile for bwrap utility (Bug 2046844) fix unconfined firefox profile to support mozilla.org download (Bug 2056297) fix getattr and setattr perm mapping on mqueue rules (https://gitlab.com/apparmor/apparmor/-/issues/377 and https://gitlab.com/apparmor/apparmor/-/issues/378) fix inet tests (https://gitlab.com/apparmor/apparmor/-/issues/376) fix sshd profile (Bug 2060100) fix apparmor tools to allow mount destination globbing 
(https://gitlab.com/apparmor/apparmor/-/issues/381) fix firefox profile (https://gitlab.com/apparmor/apparmor/-/issues/380) move pam-related permissions to abstractions/authentication (https://bugzilla.opensuse.org/show_bug.cgi?id=1220032) [ Test Plan ] This has been extensively tested via the AppArmor regression test script in the QA Regression Testing repo: https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py This script runs various tests against the installed apparmor package, as well as building and running the various upstream regression and other test suites against this installed package:   - https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads The final test output was: ---------------------------------------------------------------------- Ran 62 tests in 1868.839s OK (skipped=4) [ Where problems could occur ] There could still be more applications affected by the restriction of the creation of unprivileged user namespaces. They might require the creation of new unconfined profiles which could be mitigated in a later SRU. [ Other Info ] The SRU is available in: https://launchpad.net/~georgiag/+archive/ubuntu/apparmor-4.0.1
2024-05-02 21:21:10 Georgia Garcia description [ Impact ] This SRU has several fixes: add unconfined profile for tuxedo-control-center (Bug 2046844) fix issues appointed by coverity fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386) fix redefinition of _ which caused an issue with translation, failing aa-enforce (https://gitlab.com/apparmor/apparmor/-/issues/387) add mount test for CVE-2016-1585 (Bug 1597017 and Bug 2023814) add network inet mediation documentation to apparmor.d fix inet conditionals to only generate rules for inet family (https://gitlab.com/apparmor/apparmor/-/issues/384) add unconfined wike profile (Bug 2060810) add unconfined foliate profile (Bug 2060767) fix chromium_browser profile (https://gitlab.com/apparmor/apparmor/-/merge_requests/1208) add profiles for Transmission family of Bittorrent clients add profile for unshare utility (Bug 2046844) add profile for bwrap utility (Bug 2046844) fix unconfined firefox profile to support mozilla.org download (Bug 2056297) fix getattr and setattr perm mapping on mqueue rules (https://gitlab.com/apparmor/apparmor/-/issues/377 and https://gitlab.com/apparmor/apparmor/-/issues/378) fix inet tests (https://gitlab.com/apparmor/apparmor/-/issues/376) fix sshd profile (Bug 2060100) fix apparmor tools to allow mount destination globbing (https://gitlab.com/apparmor/apparmor/-/issues/381) fix firefox profile (https://gitlab.com/apparmor/apparmor/-/issues/380) move pam-related permissions to abstractions/authentication (https://bugzilla.opensuse.org/show_bug.cgi?id=1220032) [ Test Plan ] This has been extensively tested via the AppArmor regression test script in the QA Regression Testing repo: https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py This script runs various tests against the installed apparmor package, as well as building and running the various upstream regression and other test suites against this installed package:   - 
https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads The final test output was: ---------------------------------------------------------------------- Ran 62 tests in 1868.839s OK (skipped=4) [ Where problems could occur ] There could still be more applications affected by the restriction of the creation of unprivileged user namespaces. They might require the creation of new unconfined profiles which could be mitigated in a later SRU. [ Other Info ] The SRU is available in: https://launchpad.net/~georgiag/+archive/ubuntu/apparmor-4.0.1 [ Impact ] This SRU has several fixes: add unconfined profile for tuxedo-control-center (Bug 2046844) fix issues appointed by coverity fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386) fix redefinition of _ which caused an issue with translation, failing aa-enforce (https://gitlab.com/apparmor/apparmor/-/issues/387) add mount test for CVE-2016-1585 (Bug 1597017 and Bug 2023814) add network inet mediation documentation to apparmor.d fix inet conditionals to only generate rules for inet family (https://gitlab.com/apparmor/apparmor/-/issues/384) add unconfined wike profile (Bug 2060810) add unconfined foliate profile (Bug 2060767) fix chromium_browser profile (https://gitlab.com/apparmor/apparmor/-/merge_requests/1208) add profiles for Transmission family of Bittorrent clients add profile for unshare utility (Bug 2046844) add profile for bwrap utility (Bug 2046844) fix unconfined firefox profile to support mozilla.org download (Bug 2056297) fix getattr and setattr perm mapping on mqueue rules (https://gitlab.com/apparmor/apparmor/-/issues/377 and https://gitlab.com/apparmor/apparmor/-/issues/378) fix inet tests 
(https://gitlab.com/apparmor/apparmor/-/issues/376) fix sshd profile (Bug 2060100) fix apparmor tools to allow mount destination globbing (https://gitlab.com/apparmor/apparmor/-/issues/381) fix firefox profile (https://gitlab.com/apparmor/apparmor/-/issues/380) move pam-related permissions to abstractions/authentication (https://bugzilla.opensuse.org/show_bug.cgi?id=1220032) [ Test Plan ] This has been extensively tested via the AppArmor regression test script in the QA Regression Testing repo: https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py This script runs various tests against the installed apparmor package, as well as building and running the various upstream regression and other test suites against this installed package:   - https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads The final test output was: ---------------------------------------------------------------------- Ran 62 tests in 1868.839s OK (skipped=4) $ apt-cache policy apparmor apparmor: Installed: 4.0.1-0ubuntu1 Candidate: 4.0.1-0ubuntu1 [ Where problems could occur ] There could still be more applications affected by the restriction of the creation of unprivileged user namespaces. They might require the creation of new unconfined profiles which could be mitigated in a later SRU. [ Other Info ] The SRU is available in: https://launchpad.net/~georgiag/+archive/ubuntu/apparmor-4.0.1
2024-05-07 18:46:38 Georgia Garcia description [ Impact ] This SRU has several fixes: add unconfined profile for tuxedo-control-center (Bug 2046844) fix issues appointed by coverity fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386) fix redefinition of _ which caused an issue with translation, failing aa-enforce (https://gitlab.com/apparmor/apparmor/-/issues/387) add mount test for CVE-2016-1585 (Bug 1597017 and Bug 2023814) add network inet mediation documentation to apparmor.d fix inet conditionals to only generate rules for inet family (https://gitlab.com/apparmor/apparmor/-/issues/384) add unconfined wike profile (Bug 2060810) add unconfined foliate profile (Bug 2060767) fix chromium_browser profile (https://gitlab.com/apparmor/apparmor/-/merge_requests/1208) add profiles for Transmission family of Bittorrent clients add profile for unshare utility (Bug 2046844) add profile for bwrap utility (Bug 2046844) fix unconfined firefox profile to support mozilla.org download (Bug 2056297) fix getattr and setattr perm mapping on mqueue rules (https://gitlab.com/apparmor/apparmor/-/issues/377 and https://gitlab.com/apparmor/apparmor/-/issues/378) fix inet tests (https://gitlab.com/apparmor/apparmor/-/issues/376) fix sshd profile (Bug 2060100) fix apparmor tools to allow mount destination globbing (https://gitlab.com/apparmor/apparmor/-/issues/381) fix firefox profile (https://gitlab.com/apparmor/apparmor/-/issues/380) move pam-related permissions to abstractions/authentication (https://bugzilla.opensuse.org/show_bug.cgi?id=1220032) [ Test Plan ] This has been extensively tested via the AppArmor regression test script in the QA Regression Testing repo: https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py This script runs various tests against the installed apparmor package, as well as building and running the various upstream regression and other test suites against this installed package:   - 
https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads The final test output was: ---------------------------------------------------------------------- Ran 62 tests in 1868.839s OK (skipped=4) $ apt-cache policy apparmor apparmor: Installed: 4.0.1-0ubuntu1 Candidate: 4.0.1-0ubuntu1 [ Where problems could occur ] There could still be more applications affected by the restriction of the creation of unprivileged user namespaces. They might require the creation of new unconfined profiles which could be mitigated in a later SRU. [ Other Info ] The SRU is available in: https://launchpad.net/~georgiag/+archive/ubuntu/apparmor-4.0.1 [ Impact ] This SRU has several fixes: add unconfined profile for tuxedo-control-center (Bug 2046844) fix issues appointed by coverity fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386) fix redefinition of _ which caused an issue with translation, failing aa-enforce (https://gitlab.com/apparmor/apparmor/-/issues/387) add mount test for CVE-2016-1585 (Bug 1597017 and Bug 2023814) add network inet mediation documentation to apparmor.d fix inet conditionals to only generate rules for inet family (https://gitlab.com/apparmor/apparmor/-/issues/384) add unconfined wike profile (Bug 2060810) add unconfined foliate profile (Bug 2060767) fix chromium_browser profile (https://gitlab.com/apparmor/apparmor/-/merge_requests/1208) add profiles for Transmission family of Bittorrent clients add profile for unshare utility (Bug 2046844) add profile for bwrap utility (Bug 2046844) fix unconfined firefox profile to support mozilla.org download (Bug 2056297) fix getattr and setattr perm mapping on mqueue rules 
(https://gitlab.com/apparmor/apparmor/-/issues/377 and https://gitlab.com/apparmor/apparmor/-/issues/378) fix inet tests (https://gitlab.com/apparmor/apparmor/-/issues/376) fix sshd profile (Bug 2060100) fix apparmor tools to allow mount destination globbing (https://gitlab.com/apparmor/apparmor/-/issues/381) fix firefox profile (https://gitlab.com/apparmor/apparmor/-/issues/380) move pam-related permissions to abstractions/authentication (https://bugzilla.opensuse.org/show_bug.cgi?id=1220032) [ Test Plan ] This has been extensively tested via the AppArmor regression test script in the QA Regression Testing repo: https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py This script runs various tests against the installed apparmor package, as well as building and running the various upstream regression and other test suites against this installed package:   - https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads The final test output was: ---------------------------------------------------------------------- Ran 62 tests in 1861.933s OK (skipped=4) $ apt policy apparmor apparmor: Installed: 4.0.1-0ubuntu0.1 Candidate: 4.0.1-0ubuntu0.1 [ Where problems could occur ] There could still be more applications affected by the restriction of the creation of unprivileged user namespaces. They might require the creation of new unconfined profiles which could be mitigated in a later SRU. [ Other Info ] The SRU is available in: https://launchpad.net/~georgiag/+archive/ubuntu/apparmor-4.0.1-redo
2024-05-23 17:07:44 Simon Déziel bug added subscriber Simon Déziel
2024-05-27 20:07:34 Georgia Garcia description [ Impact ] This SRU has several fixes: add unconfined profile for tuxedo-control-center (Bug 2046844) fix issues appointed by coverity fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386) fix redefinition of _ which caused an issue with translation, failing aa-enforce (https://gitlab.com/apparmor/apparmor/-/issues/387) add mount test for CVE-2016-1585 (Bug 1597017 and Bug 2023814) add network inet mediation documentation to apparmor.d fix inet conditionals to only generate rules for inet family (https://gitlab.com/apparmor/apparmor/-/issues/384) add unconfined wike profile (Bug 2060810) add unconfined foliate profile (Bug 2060767) fix chromium_browser profile (https://gitlab.com/apparmor/apparmor/-/merge_requests/1208) add profiles for Transmission family of Bittorrent clients add profile for unshare utility (Bug 2046844) add profile for bwrap utility (Bug 2046844) fix unconfined firefox profile to support mozilla.org download (Bug 2056297) fix getattr and setattr perm mapping on mqueue rules (https://gitlab.com/apparmor/apparmor/-/issues/377 and https://gitlab.com/apparmor/apparmor/-/issues/378) fix inet tests (https://gitlab.com/apparmor/apparmor/-/issues/376) fix sshd profile (Bug 2060100) fix apparmor tools to allow mount destination globbing (https://gitlab.com/apparmor/apparmor/-/issues/381) fix firefox profile (https://gitlab.com/apparmor/apparmor/-/issues/380) move pam-related permissions to abstractions/authentication (https://bugzilla.opensuse.org/show_bug.cgi?id=1220032) [ Test Plan ] This has been extensively tested via the AppArmor regression test script in the QA Regression Testing repo: https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py This script runs various tests against the installed apparmor package, as well as building and running the various upstream regression and other test suites against this installed package:   - 
https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads The final test output was: ---------------------------------------------------------------------- Ran 62 tests in 1861.933s OK (skipped=4) $ apt policy apparmor apparmor: Installed: 4.0.1-0ubuntu0.1 Candidate: 4.0.1-0ubuntu0.1 [ Where problems could occur ] There could still be more applications affected by the restriction of the creation of unprivileged user namespaces. They might require the creation of new unconfined profiles which could be mitigated in a later SRU. [ Other Info ] The SRU is available in: https://launchpad.net/~georgiag/+archive/ubuntu/apparmor-4.0.1-redo [ Impact ] This SRU has several fixes: add unconfined profile for tuxedo-control-center (Bug 2046844) fix issues appointed by coverity fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386) fix redefinition of _ which caused an issue with translation, failing aa-enforce (https://gitlab.com/apparmor/apparmor/-/issues/387) add mount test for CVE-2016-1585 (Bug 1597017 and Bug 2023814) add network inet mediation documentation to apparmor.d fix inet conditionals to only generate rules for inet family (https://gitlab.com/apparmor/apparmor/-/issues/384) add unconfined wike profile (Bug 2060810) add unconfined foliate profile (Bug 2060767) fix chromium_browser profile (https://gitlab.com/apparmor/apparmor/-/merge_requests/1208) add profiles for Transmission family of Bittorrent clients add profile for unshare utility (Bug 2046844) add profile for bwrap utility (Bug 2046844) fix unconfined firefox profile to support mozilla.org download (Bug 2056297) fix getattr and setattr perm mapping on mqueue rules 
(https://gitlab.com/apparmor/apparmor/-/issues/377 and https://gitlab.com/apparmor/apparmor/-/issues/378) fix inet tests (https://gitlab.com/apparmor/apparmor/-/issues/376) fix sshd profile (Bug 2060100) fix apparmor tools to allow mount destination globbing (https://gitlab.com/apparmor/apparmor/-/issues/381) fix firefox profile (https://gitlab.com/apparmor/apparmor/-/issues/380) move pam-related permissions to abstractions/authentication (https://bugzilla.opensuse.org/show_bug.cgi?id=1220032) [ Test Plan ] This has been extensively tested via the AppArmor regression test script in the QA Regression Testing repo: https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py This script runs various tests against the installed apparmor package, as well as building and running the various upstream regression and other test suites against this installed package:   - https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads The final test output was: ---------------------------------------------------------------------- Ran 62 tests in 1855.366s OK (skipped=4) $ apt policy apparmor apparmor: Installed: 4.0.1-0ubuntu0.1 Candidate: 4.0.1-0ubuntu0.1 [ Where problems could occur ] There could still be more applications affected by the restriction of the creation of unprivileged user namespaces. They might require the creation of new unconfined profiles which could be mitigated in a later SRU. [ Other Info ] The SRU is available in: https://launchpad.net/~georgiag/+archive/ubuntu/4.0.1-0ubuntu0.1
2024-05-27 20:09:27 Georgia Garcia description [ Impact ] This SRU has several fixes: add unconfined profile for tuxedo-control-center (Bug 2046844) fix issues appointed by coverity fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386) fix redefinition of _ which caused an issue with translation, failing aa-enforce (https://gitlab.com/apparmor/apparmor/-/issues/387) add mount test for CVE-2016-1585 (Bug 1597017 and Bug 2023814) add network inet mediation documentation to apparmor.d fix inet conditionals to only generate rules for inet family (https://gitlab.com/apparmor/apparmor/-/issues/384) add unconfined wike profile (Bug 2060810) add unconfined foliate profile (Bug 2060767) fix chromium_browser profile (https://gitlab.com/apparmor/apparmor/-/merge_requests/1208) add profiles for Transmission family of Bittorrent clients add profile for unshare utility (Bug 2046844) add profile for bwrap utility (Bug 2046844) fix unconfined firefox profile to support mozilla.org download (Bug 2056297) fix getattr and setattr perm mapping on mqueue rules (https://gitlab.com/apparmor/apparmor/-/issues/377 and https://gitlab.com/apparmor/apparmor/-/issues/378) fix inet tests (https://gitlab.com/apparmor/apparmor/-/issues/376) fix sshd profile (Bug 2060100) fix apparmor tools to allow mount destination globbing (https://gitlab.com/apparmor/apparmor/-/issues/381) fix firefox profile (https://gitlab.com/apparmor/apparmor/-/issues/380) move pam-related permissions to abstractions/authentication (https://bugzilla.opensuse.org/show_bug.cgi?id=1220032) [ Test Plan ] This has been extensively tested via the AppArmor regression test script in the QA Regression Testing repo: https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py This script runs various tests against the installed apparmor package, as well as building and running the various upstream regression and other test suites against this installed package:   - 
https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads The final test output was: ---------------------------------------------------------------------- Ran 62 tests in 1855.366s OK (skipped=4) $ apt policy apparmor apparmor: Installed: 4.0.1-0ubuntu0.1 Candidate: 4.0.1-0ubuntu0.1 [ Where problems could occur ] There could still be more applications affected by the restriction of the creation of unprivileged user namespaces. They might require the creation of new unconfined profiles which could be mitigated in a later SRU. [ Other Info ] The SRU is available in: https://launchpad.net/~georgiag/+archive/ubuntu/4.0.1-0ubuntu0.1 [ Impact ] This SRU has several fixes: add unconfined profile for tuxedo-control-center (Bug 2046844) fix issues appointed by coverity fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386) fix redefinition of _ which caused an issue with translation, failing aa-enforce (https://gitlab.com/apparmor/apparmor/-/issues/387) add mount test for CVE-2016-1585 (Bug 1597017 and Bug 2023814) add network inet mediation documentation to apparmor.d fix inet conditionals to only generate rules for inet family (https://gitlab.com/apparmor/apparmor/-/issues/384) add unconfined wike profile (Bug 2060810) add unconfined foliate profile (Bug 2060767) fix chromium_browser profile (https://gitlab.com/apparmor/apparmor/-/merge_requests/1208) add profiles for Transmission family of Bittorrent clients add profile for unshare utility (Bug 2046844) add profile for bwrap utility (Bug 2046844) fix unconfined firefox profile to support mozilla.org download (Bug 2056297) fix getattr and setattr perm mapping on mqueue rules 
(https://gitlab.com/apparmor/apparmor/-/issues/377 and https://gitlab.com/apparmor/apparmor/-/issues/378) fix inet tests (https://gitlab.com/apparmor/apparmor/-/issues/376) fix sshd profile (Bug 2060100) fix apparmor tools to allow mount destination globbing (https://gitlab.com/apparmor/apparmor/-/issues/381) fix firefox profile (https://gitlab.com/apparmor/apparmor/-/issues/380) move pam-related permissions to abstractions/authentication (https://bugzilla.opensuse.org/show_bug.cgi?id=1220032) fix condition in policydb serialization to only encode xtable if kernel_supports_permstable32 relax mount rules in utils to fix use of virtiofs and other file-system types [ Test Plan ] This has been extensively tested via the AppArmor regression test script in the QA Regression Testing repo: https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py This script runs various tests against the installed apparmor package, as well as building and running the various upstream regression and other test suites against this installed package:   - https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads The final test output was: ---------------------------------------------------------------------- Ran 62 tests in 1855.366s OK (skipped=4) $ apt policy apparmor apparmor:   Installed: 4.0.1-0ubuntu0.1   Candidate: 4.0.1-0ubuntu0.1 [ Where problems could occur ] There could still be more applications affected by the restriction of the creation of unprivileged user namespaces. They might require the creation of new unconfined profiles which could be mitigated in a later SRU. 
[ Other Info ] The SRU is available in: https://launchpad.net/~georgiag/+archive/ubuntu/4.0.1-0ubuntu0.1
2024-05-29 11:00:09 Georgia Garcia description [ Impact ] This SRU has several fixes: add unconfined profile for tuxedo-control-center (Bug 2046844) fix issues appointed by coverity fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386) fix redefinition of _ which caused an issue with translation, failing aa-enforce (https://gitlab.com/apparmor/apparmor/-/issues/387) add mount test for CVE-2016-1585 (Bug 1597017 and Bug 2023814) add network inet mediation documentation to apparmor.d fix inet conditionals to only generate rules for inet family (https://gitlab.com/apparmor/apparmor/-/issues/384) add unconfined wike profile (Bug 2060810) add unconfined foliate profile (Bug 2060767) fix chromium_browser profile (https://gitlab.com/apparmor/apparmor/-/merge_requests/1208) add profiles for Transmission family of Bittorrent clients add profile for unshare utility (Bug 2046844) add profile for bwrap utility (Bug 2046844) fix unconfined firefox profile to support mozilla.org download (Bug 2056297) fix getattr and setattr perm mapping on mqueue rules (https://gitlab.com/apparmor/apparmor/-/issues/377 and https://gitlab.com/apparmor/apparmor/-/issues/378) fix inet tests (https://gitlab.com/apparmor/apparmor/-/issues/376) fix sshd profile (Bug 2060100) fix apparmor tools to allow mount destination globbing (https://gitlab.com/apparmor/apparmor/-/issues/381) fix firefox profile (https://gitlab.com/apparmor/apparmor/-/issues/380) move pam-related permissions to abstractions/authentication (https://bugzilla.opensuse.org/show_bug.cgi?id=1220032) fix condition in policydb serialization to only encode xtable if kernel_supports_permstable32 relax mount rules in utils to fix use of virtiofs and other file-system types [ Test Plan ] This has been extensively tested via the AppArmor regression test script in the QA Regression Testing repo: https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py This script runs various tests against the installed 
apparmor package, as well as building and running the various upstream regression and other test suites against this installed package:   - https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads The final test output was: ---------------------------------------------------------------------- Ran 62 tests in 1855.366s OK (skipped=4) $ apt policy apparmor apparmor:   Installed: 4.0.1-0ubuntu0.1   Candidate: 4.0.1-0ubuntu0.1 [ Where problems could occur ] There could still be more applications affected by the restriction of the creation of unpriviliged user namespaces. They might require the creation of new unconfined profiles which could be mitigated in a later SRU. [ Other Info ] The SRU is available in: https://launchpad.net/~georgiag/+archive/ubuntu/4.0.1-0ubuntu0.1 [ Impact ] This SRU has several fixes: add unconfined profile for tuxedo-control-center (Bug 2046844) fix issues appointed by coverity fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386) fix redefinition of _ which caused an issue with translation, failing aa-enforce (https://gitlab.com/apparmor/apparmor/-/issues/387) add mount test for CVE-2016-1585 (Bug 1597017 and Bug 2023814) add network inet mediation documentation to apparmor.d fix inet conditionals to only generate rules for inet family (https://gitlab.com/apparmor/apparmor/-/issues/384) add unconfined wike profile (Bug 2060810) add unconfined foliate profile (Bug 2060767) fix chromium_browser profile (https://gitlab.com/apparmor/apparmor/-/merge_requests/1208) add profiles for Transmission family of Bittorrent clients add profile for unshare utility (Bug 2046844) add profile for bwrap utility (Bug 2046844) fix unconfined firefox 
profile to support mozilla.org download (Bug 2056297) fix getattr and setattr perm mapping on mqueue rules (https://gitlab.com/apparmor/apparmor/-/issues/377 and https://gitlab.com/apparmor/apparmor/-/issues/378) fix inet tests (https://gitlab.com/apparmor/apparmor/-/issues/376) fix sshd profile (Bug 2060100) fix apparmor tools to allow mount destination globbing (https://gitlab.com/apparmor/apparmor/-/issues/381) fix firefox profile (https://gitlab.com/apparmor/apparmor/-/issues/380) move pam-related permissions to abstractions/authentication (https://bugzilla.opensuse.org/show_bug.cgi?id=1220032) fix condition in policydb serialization to only encode xtable if kernel_supports_permstable32 relax mount rules in utils to fix use of virtiofs and other file-system types [ Test Plan ] This has been extensively tested via the AppArmor regression test script in the QA Regression Testing repo: https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py This script runs various tests against the installed apparmor package, as well as building and running the various upstream regression and other test suites against this installed package:   - https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads The final test output was: ---------------------------------------------------------------------- Ran 62 tests in 1855.366s OK (skipped=4) georgia@sec-noble-amd64:~$ apt policy apparmor apparmor: Installed: 4.0.1-0ubuntu0.24.04.1 Candidate: 4.0.1-0ubuntu0.24.04.1 [ Where problems could occur ] There could still be more applications affected by the restriction of the creation of unprivileged user namespaces. 
They might require the creation of new unconfined profiles which could be mitigated in a later SRU. [ Other Info ] The SRU is available in: https://launchpad.net/~georgiag/+archive/ubuntu/4.0.1-0ubuntu0.24.04.1
2024-05-29 18:11:33 Launchpad Janitor apparmor (Ubuntu): status New Confirmed
2024-05-30 02:54:59 Alex Murray apparmor (Ubuntu): status Confirmed In Progress
2024-05-31 07:46:06 fossfreedom bug added subscriber fossfreedom
2024-06-19 16:49:04 Georgia Garcia description [ Impact ] This SRU has several fixes: add unconfined profile for tuxedo-control-center (Bug 2046844) fix issues appointed by coverity fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386) fix redefinition of _ which caused an issue with translation, failing aa-enforce (https://gitlab.com/apparmor/apparmor/-/issues/387) add mount test for CVE-2016-1585 (Bug 1597017 and Bug 2023814) add network inet mediation documentation to apparmor.d fix inet conditionals to only generate rules for inet family (https://gitlab.com/apparmor/apparmor/-/issues/384) add unconfined wike profile (Bug 2060810) add unconfined foliate profile (Bug 2060767) fix chromium_browser profile (https://gitlab.com/apparmor/apparmor/-/merge_requests/1208) add profiles for Transmission family of Bittorrent clients add profile for unshare utility (Bug 2046844) add profile for bwrap utility (Bug 2046844) fix unconfined firefox profile to support mozilla.org download (Bug 2056297) fix getattr and setattr perm mapping on mqueue rules (https://gitlab.com/apparmor/apparmor/-/issues/377 and https://gitlab.com/apparmor/apparmor/-/issues/378) fix inet tests (https://gitlab.com/apparmor/apparmor/-/issues/376) fix sshd profile (Bug 2060100) fix apparmor tools to allow mount destination globbing (https://gitlab.com/apparmor/apparmor/-/issues/381) fix firefox profile (https://gitlab.com/apparmor/apparmor/-/issues/380) move pam-related permissions to abstractions/authentication (https://bugzilla.opensuse.org/show_bug.cgi?id=1220032) fix condition in policydb serialization to only encode xtable if kernel_supports_permstable32 relax mount rules in utils to fix use of virtiofs and other file-system types [ Test Plan ] This has been extensively tested via the AppArmor regression test script in the QA Regression Testing repo: https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py This script runs various tests against the installed 
apparmor package, as well as building and running the various upstream regression and other test suites against this installed package:   - https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads The final test output was: ---------------------------------------------------------------------- Ran 62 tests in 1855.366s OK (skipped=4) georgia@sec-noble-amd64:~$ apt policy apparmor apparmor: Installed: 4.0.1-0ubuntu0.24.04.1 Candidate: 4.0.1-0ubuntu0.24.04.1 [ Where problems could occur ] There could still be more applications affected by the restriction of the creation of unprivileged user namespaces. They might require the creation of new unconfined profiles which could be mitigated in a later SRU. 
[ Other Info ] The SRU is available in: https://launchpad.net/~georgiag/+archive/ubuntu/4.0.1-0ubuntu0.24.04.1 [ Impact ] This SRU has several fixes: add unconfined profile for tuxedo-control-center (Bug 2046844) fix issues appointed by coverity fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386) fix redefinition of _ which caused an issue with translation, failing aa-enforce (https://gitlab.com/apparmor/apparmor/-/issues/387) add mount test for CVE-2016-1585 (Bug 1597017 and Bug 2023814) add network inet mediation documentation to apparmor.d fix inet conditionals to only generate rules for inet family (https://gitlab.com/apparmor/apparmor/-/issues/384) add unconfined wike profile (Bug 2060810) add unconfined foliate profile (Bug 2060767) fix chromium_browser profile (https://gitlab.com/apparmor/apparmor/-/merge_requests/1208) add profiles for Transmission family of Bittorrent clients add profile for unshare utility (Bug 2046844) add profile for bwrap utility (Bug 2046844) fix unconfined firefox profile to support mozilla.org download (Bug 2056297) fix getattr and setattr perm mapping on mqueue rules (https://gitlab.com/apparmor/apparmor/-/issues/377 and https://gitlab.com/apparmor/apparmor/-/issues/378) fix inet tests (https://gitlab.com/apparmor/apparmor/-/issues/376) fix sshd profile (Bug 2060100) fix apparmor tools to allow mount destination globbing (https://gitlab.com/apparmor/apparmor/-/issues/381) fix firefox profile (https://gitlab.com/apparmor/apparmor/-/issues/380) move pam-related permissions to abstractions/authentication (https://bugzilla.opensuse.org/show_bug.cgi?id=1220032) fix condition in policydb serialization to only encode xtable if kernel_supports_permstable32 relax mount rules in utils to fix use of virtiofs and other file-system types [ Test Plan ] This has been extensively tested via the AppArmor regression test script in the QA Regression Testing repo: 
https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py This script runs various tests against the installed apparmor package, as well as building and running the various upstream regression and other test suites against this installed package:   - https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads The final test output was: ---------------------------------------------------------------------- Ran 62 tests in 1989.948s OK (skipped=4) georgia@sec-noble-amd64:~$ apt policy apparmor apparmor: Installed: 4.0.1-0ubuntu0.24.04.2 Candidate: 4.0.1-0ubuntu0.24.04.2 [ Where problems could occur ] There could still be more applications affected by the restriction of the creation of unprivileged user namespaces. They might require the creation of new unconfined profiles which could be mitigated in a later SRU. [ Other Info ] The SRU is available in: https://launchpad.net/~georgiag/+archive/ubuntu/4.0.1-0ubuntu0.24.04.2
2024-06-19 17:21:56 Georgia Garcia description [ Impact ] This SRU has several fixes: add unconfined profile for tuxedo-control-center (Bug 2046844) fix issues appointed by coverity fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386) fix redefinition of _ which caused an issue with translation, failing aa-enforce (https://gitlab.com/apparmor/apparmor/-/issues/387) add mount test for CVE-2016-1585 (Bug 1597017 and Bug 2023814) add network inet mediation documentation to apparmor.d fix inet conditionals to only generate rules for inet family (https://gitlab.com/apparmor/apparmor/-/issues/384) add unconfined wike profile (Bug 2060810) add unconfined foliate profile (Bug 2060767) fix chromium_browser profile (https://gitlab.com/apparmor/apparmor/-/merge_requests/1208) add profiles for Transmission family of Bittorrent clients add profile for unshare utility (Bug 2046844) add profile for bwrap utility (Bug 2046844) fix unconfined firefox profile to support mozilla.org download (Bug 2056297) fix getattr and setattr perm mapping on mqueue rules (https://gitlab.com/apparmor/apparmor/-/issues/377 and https://gitlab.com/apparmor/apparmor/-/issues/378) fix inet tests (https://gitlab.com/apparmor/apparmor/-/issues/376) fix sshd profile (Bug 2060100) fix apparmor tools to allow mount destination globbing (https://gitlab.com/apparmor/apparmor/-/issues/381) fix firefox profile (https://gitlab.com/apparmor/apparmor/-/issues/380) move pam-related permissions to abstractions/authentication (https://bugzilla.opensuse.org/show_bug.cgi?id=1220032) fix condition in policydb serialization to only encode xtable if kernel_supports_permstable32 relax mount rules in utils to fix use of virtiofs and other file-system types [ Test Plan ] This has been extensively tested via the AppArmor regression test script in the QA Regression Testing repo: https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py This script runs various tests against the installed 
apparmor package, as well as building and running the various upstream regression and other test suites against this installed package:   - https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads The final test output was: ---------------------------------------------------------------------- Ran 62 tests in 1989.948s OK (skipped=4) georgia@sec-noble-amd64:~$ apt policy apparmor apparmor: Installed: 4.0.1-0ubuntu0.24.04.2 Candidate: 4.0.1-0ubuntu0.24.04.2 [ Where problems could occur ] There could still be more applications affected by the restriction of the creation of unprivileged user namespaces. They might require the creation of new unconfined profiles which could be mitigated in a later SRU. 
[ Other Info ] The SRU is available in: https://launchpad.net/~georgiag/+archive/ubuntu/4.0.1-0ubuntu0.24.04.2 [ Impact ] This SRU has several fixes: add unconfined profile for tuxedo-control-center (Bug 2046844) fix issues appointed by coverity fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386) fix redefinition of _ which caused an issue with translation, failing aa-enforce (https://gitlab.com/apparmor/apparmor/-/issues/387) add mount test for CVE-2016-1585 (Bug 1597017 and Bug 2023814) add network inet mediation documentation to apparmor.d fix inet conditionals to only generate rules for inet family (https://gitlab.com/apparmor/apparmor/-/issues/384) add unconfined wike profile (Bug 2060810) add unconfined foliate profile (Bug 2060767) fix chromium_browser profile (https://gitlab.com/apparmor/apparmor/-/merge_requests/1208) add profiles for Transmission family of Bittorrent clients add profile for unshare utility (Bug 2046844) add profile for bwrap utility (Bug 2046844) fix unconfined firefox profile to support mozilla.org download (Bug 2056297) fix getattr and setattr perm mapping on mqueue rules (https://gitlab.com/apparmor/apparmor/-/issues/377 and https://gitlab.com/apparmor/apparmor/-/issues/378) fix inet tests (https://gitlab.com/apparmor/apparmor/-/issues/376) fix sshd profile (Bug 2060100) fix apparmor tools to allow mount destination globbing (https://gitlab.com/apparmor/apparmor/-/issues/381) fix firefox profile (https://gitlab.com/apparmor/apparmor/-/issues/380) move pam-related permissions to abstractions/authentication (https://bugzilla.opensuse.org/show_bug.cgi?id=1220032) fix condition in policydb serialization to only encode xtable if kernel_supports_permstable32 relax mount rules in utils to fix use of virtiofs and other file-system types [ Test Plan ] This has been extensively tested via the AppArmor regression test script in the QA Regression Testing repo: 
https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py This script runs various tests against the installed apparmor package, as well as building and running the various upstream regression and other test suites against this installed package:   - https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads The final test output was: ---------------------------------------------------------------------- Ran 62 tests in 1989.948s OK (skipped=4) georgia@sec-noble-amd64:~$ apt policy apparmor apparmor:   Installed: 4.0.1-0ubuntu0.24.04.2   Candidate: 4.0.1-0ubuntu0.24.04.2 Run additional tests: 1. Install wike and make sure the wike window opens when executed: $ sudo apt install wike $ wike 2. Install foliate, download test epub and make sure it opens as expected: $ sudo apt install foliate $ wget https://github.com/daisy/epub-accessibility-tests/releases/download/fundamental-2.0/Fundamental-Accessibility-Tests-Basic-Functionality-v2.0.0.epub $ foliate Fundamental-Accessibility-Tests-Basic-Functionality-v2.0.0.epub 3. Install transmission and make sure it starts properly: $ sudo apt install transmission $ transmission-gtk 4. 
bwrap profile tests: - Install setzer and check if it opens as expected: $ sudo apt install setzer $ setzer - Check if flatpak option --unshare=network works, the Recipes app window should open: $ sudo apt install flatpak $ flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo $ flatpak install flathub org.gnome.Recipes $ flatpak run --unshare=network org.gnome.Recipes [ Where problems could occur ] There could still be more applications affected by the restriction of the creation of unprivileged user namespaces. They might require the creation of new unconfined profiles which could be mitigated in a later SRU. [ Other Info ] The SRU is available in: https://launchpad.net/~georgiag/+archive/ubuntu/4.0.1-0ubuntu0.24.04.2
2024-06-25 04:43:40 Chris Halse Rogers apparmor (Ubuntu Noble): status New Fix Committed
2024-06-25 04:43:43 Chris Halse Rogers bug added subscriber Ubuntu Stable Release Updates Team
2024-06-25 04:43:49 Chris Halse Rogers bug added subscriber SRU Verification
2024-06-25 04:44:02 Chris Halse Rogers tags verification-needed verification-needed-noble
2024-07-08 12:16:37 Georgia Garcia tags verification-needed verification-needed-noble verification-done verification-done-noble
2024-07-09 18:00:23 Launchpad Janitor apparmor (Ubuntu Noble): status Fix Committed Fix Released
2024-07-09 18:01:15 Brian Murray removed subscriber Ubuntu Stable Release Updates Team
2024-07-16 17:11:22 Robie Basak apparmor (Ubuntu Noble): status Fix Released Triaged
2024-07-18 22:21:23 Georgia Garcia description [ Impact ] This SRU has several fixes: add unconfined profile for tuxedo-control-center (Bug 2046844) fix issues appointed by coverity fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386) fix redefinition of _ which caused an issue with translation, failing aa-enforce (https://gitlab.com/apparmor/apparmor/-/issues/387) add mount test for CVE-2016-1585 (Bug 1597017 and Bug 2023814) add network inet mediation documentation to apparmor.d fix inet conditionals to only generate rules for inet family (https://gitlab.com/apparmor/apparmor/-/issues/384) add unconfined wike profile (Bug 2060810) add unconfined foliate profile (Bug 2060767) fix chromium_browser profile (https://gitlab.com/apparmor/apparmor/-/merge_requests/1208) add profiles for Transmission family of Bittorrent clients add profile for unshare utility (Bug 2046844) add profile for bwrap utility (Bug 2046844) fix unconfined firefox profile to support mozilla.org download (Bug 2056297) fix getattr and setattr perm mapping on mqueue rules (https://gitlab.com/apparmor/apparmor/-/issues/377 and https://gitlab.com/apparmor/apparmor/-/issues/378) fix inet tests (https://gitlab.com/apparmor/apparmor/-/issues/376) fix sshd profile (Bug 2060100) fix apparmor tools to allow mount destination globbing (https://gitlab.com/apparmor/apparmor/-/issues/381) fix firefox profile (https://gitlab.com/apparmor/apparmor/-/issues/380) move pam-related permissions to abstractions/authentication (https://bugzilla.opensuse.org/show_bug.cgi?id=1220032) fix condition in policydb serialization to only encode xtable if kernel_supports_permstable32 relax mount rules in utils to fix use of virtiofs and other file-system types [ Test Plan ] This has been extensively tested via the AppArmor regression test script in the QA Regression Testing repo: https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py This script runs various tests against the installed 
apparmor package, as well as building and running the various upstream regression and other test suites against this installed package:   - https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads The final test output was: ---------------------------------------------------------------------- Ran 62 tests in 1989.948s OK (skipped=4) georgia@sec-noble-amd64:~$ apt policy apparmor apparmor:   Installed: 4.0.1-0ubuntu0.24.04.2   Candidate: 4.0.1-0ubuntu0.24.04.2 Run additional tests: 1. Install wike and make sure the wike window opens when executed: $ sudo apt install wike $ wike 2. Install foliate, download test epub and make sure it opens as expected: $ sudo apt install foliate $ wget https://github.com/daisy/epub-accessibility-tests/releases/download/fundamental-2.0/Fundamental-Accessibility-Tests-Basic-Functionality-v2.0.0.epub $ foliate Fundamental-Accessibility-Tests-Basic-Functionality-v2.0.0.epub 3. Install transmission and make sure it starts properly: $ sudo apt install transmission $ transmission-gtk 4. bwrap profile tests: - Install setzer and check if it opens as expected: $ sudo apt install setzer $ setzer - Check if flatpak option --unshare=network works, the Recipes app window should open: $ sudo apt install flatpak $ flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo $ flatpak install flathub org.gnome.Recipes $ flatpak run --unshare=network org.gnome.Recipes [ Where problems could occur ] There could still be more applications affected by the restriction of the creation of unprivileged user namespaces. They might require the creation of new unconfined profiles which could be mitigated in a later SRU. 
[ Other Info ] The SRU is available in: https://launchpad.net/~georgiag/+archive/ubuntu/4.0.1-0ubuntu0.24.04.2 [ Impact ] This SRU has several fixes: add unconfined profile for tuxedo-control-center (Bug 2046844) fix issues appointed by coverity fix samba profile (https://gitlab.com/apparmor/apparmor/-/issues/386) fix redefinition of _ which caused an issue with translation, failing aa-enforce (https://gitlab.com/apparmor/apparmor/-/issues/387) add mount test for CVE-2016-1585 (Bug 1597017 and Bug 2023814) add network inet mediation documentation to apparmor.d fix inet conditionals to only generate rules for inet family (https://gitlab.com/apparmor/apparmor/-/issues/384) add unconfined wike profile (Bug 2060810) add unconfined foliate profile (Bug 2060767) fix chromium_browser profile (https://gitlab.com/apparmor/apparmor/-/merge_requests/1208) add profiles for Transmission family of Bittorrent clients add profile for unshare utility (Bug 2046844) add profile for bwrap utility (Bug 2046844) fix unconfined firefox profile to support mozilla.org download (Bug 2056297) fix getattr and setattr perm mapping on mqueue rules (https://gitlab.com/apparmor/apparmor/-/issues/377 and https://gitlab.com/apparmor/apparmor/-/issues/378) fix inet tests (https://gitlab.com/apparmor/apparmor/-/issues/376) fix sshd profile (Bug 2060100) fix apparmor tools to allow mount destination globbing (https://gitlab.com/apparmor/apparmor/-/issues/381) fix firefox profile (https://gitlab.com/apparmor/apparmor/-/issues/380) move pam-related permissions to abstractions/authentication (https://bugzilla.opensuse.org/show_bug.cgi?id=1220032) fix condition in policydb serialization to only encode xtable if kernel_supports_permstable32 relax mount rules in utils to fix use of virtiofs and other file-system types [ Test Plan ] * Make sure to reboot after upgrading (Bug 2072811) This has been extensively tested via the AppArmor regression test script in the QA Regression Testing repo: 
https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py Steps: $ git clone https://git.launchpad.net/qa-regression-testing $ ./scripts/make-test-tarball ./scripts/test-apparmor.py Copying: test-apparmor.py Copying: testlib.py Copying: install-packages Copying: packages-helper Copying: apparmor/ Test files: /tmp/qrt-test-apparmor.tar.gz To run, copy the tarball somewhere, then do: $ tar -zxf qrt-test-apparmor.tar.gz $ cd ./qrt-test-apparmor $ sudo ./install-packages test-apparmor.py $ ./test-apparmor.py -v This script runs various tests against the installed apparmor package, as well as building and running the various upstream regression and other test suites against this installed package:   - https://gitlab.com/apparmor/apparmor/-/tree/master/tests/regression/apparmor?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/utils/test?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/parser/tst?ref_type=heads   - https://gitlab.com/apparmor/apparmor/-/tree/master/libraries/libapparmor/testsuite?ref_type=heads The final test output was: ---------------------------------------------------------------------- Ran 62 tests in 1977.045s OK (skipped=3) georgia@sec-noble-amd64:~$ apt policy apparmor apparmor: Installed: 4.0.1really4.0.1-0ubuntu0.24.04.3 Candidate: 4.0.1really4.0.1-0ubuntu0.24.04.3 Run additional tests: 1. Install wike and make sure the wike window opens when executed: $ sudo apt install wike $ wike 2. Install foliate, download test epub and make sure it opens as expected: $ sudo apt install foliate $ wget https://github.com/daisy/epub-accessibility-tests/releases/download/fundamental-2.0/Fundamental-Accessibility-Tests-Basic-Functionality-v2.0.0.epub $ foliate Fundamental-Accessibility-Tests-Basic-Functionality-v2.0.0.epub 3. Install transmission and make sure it starts properly: $ sudo apt install transmission $ transmission-gtk 4. 
test bwrap profile is no longer enabled by default: - Install setzer and it will not open because the bwrap profile is not loaded: $ sudo apt install setzer $ setzer This is not a regression since it's the current behavior for 4.0.1really4.0.0-beta3-0ubuntu0.1 - Check if the following flatpak apps still work: $ sudo apt install flatpak $ sudo flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo $ sudo flatpak install flathub org.gnome.Recipes $ flatpak run --unshare=network org.gnome.Recipes $ sudo flatpak install org.keepassxc.KeePassXC $ flatpak run org.keepassxc.KeePassXC [ Where problems could occur ] There could still be more applications affected by the restriction of the creation of unprivileged user namespaces. They might require the creation of new unconfined profiles which could be mitigated in a later SRU. [ Other Info ] The SRU is available in: https://launchpad.net/~georgiag/+archive/ubuntu/4.0.1really4.0.1-0ubuntu0.24.04.3 Note that the previous SRU was reverted because of the regression in Bug 2072811. This SRU has the same contents except for the enablement of the bwrap profile by default. The bwrap profile is available only under the apparmor-profiles package. The regression on the SRU version 4.0.1-0ubuntu0.24.04.2 happened because we don't have enough tests covering flatpak/bubblewrap. We created the profile to be as broad as possible for bwrap to work as expected but prevent applications running inside it from being able to bypass the unprivileged user namespace restriction. The profile worked for the applications we received reports for but unfortunately it wasn't as thorough, in terms of the variety of apps, as we would have liked.
2024-07-18 22:21:32 Georgia Garcia tags verification-done verification-done-noble
2024-07-19 02:13:56 Alex Murray apparmor (Ubuntu Noble): status Triaged In Progress