Community Packages

Please read this before reporting a bug:
http://wiki.archlinux.org/index.php/Reporting_Bug_Guidelines

Do NOT report bugs when a package is just outdated, or it is in Unsupported. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#60069 - [apparmor] Doesn't allow named profiles without attachment

Attached to Project: Community Packages
Opened by somewhere15 (somewhere15) - Saturday, 15 September 2018, 20:43 GMT
Last edited by David Runge (dvzrv) - Tuesday, 02 October 2018, 21:56 GMT
Task Type Bug Report
Category Upstream Bugs
Status Closed
Assigned To David Runge (dvzrv)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:
AppArmor doesn't allow named profiles without attachment due to a regression in 2.13, which is causing many profiles to break suck as firejail-default.

Additional info:

AppArmor version: apparmor 2.13.0-4.
I'm using linux-hardened: 4.18.7.a-1-hardened.

Steps to reproduce:
1- Compile firejail with AppArmor support.
2- Enable the firejail AppArmor profile by executing sudo aa-enforce firejail-default.
3- AppArmor will throw the following error:
"ERROR: Path doesn't start with / or variable: firejail-default"

To fix this, a patch was released here:
https://gitlab.com/apparmor/apparmor/merge_requests/142
This task depends upon

Closed by  David Runge (dvzrv)
Tuesday, 02 October 2018, 21:56 GMT
Reason for closing:  Upstream
Additional comments about closing:  Firejail seems to work as intended: https://github.com/netblue30/firejail/is sues/2116#issuecomment-422054973

Apparmor might ship something that fixes other arbitrary things in an upcoming release: https://gitlab.com/apparmor/apparmor/mer ge_requests/142
Comment by David Runge (dvzrv) - Tuesday, 02 October 2018, 21:54 GMT
@somewhere15: Did you open the issue with firejail [1]?
Additionally: What are the "many profiles", that you claim are breaking?
Firejail is currently in the AUR (which means unsupported). If indeed any other (shipped) profiles break, reopen this ticket.
I see no reason to include the upstream patch, if there is no problem with any supported package in conjunction with apparmor.

[1] https://github.com/netblue30/firejail/issues/2116

Loading...