Closed
Bug 1884980
Opened 7 months ago
Closed 6 months ago
Add an apparmor profile to fix userns in the .deb package
Categories
(Release Engineering :: General, defect, P1)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: gabriel, Assigned: gabriel)
References
(Blocks 1 open bug)
Details
Attachments
(3 obsolete files)
Let's set up AppArmor in the .deb package ASAP.
Updated•7 months ago (Assignee)
Severity: -- → S2
Type: enhancement → defect
Priority: -- → P1
Summary: Ship an AppArmor profile in the .deb package → Add apparmor profile to fix userns
Updated•7 months ago (Assignee)
Summary: Add apparmor profile to fix userns → Add an apparmor profile to fix userns in the .deb package
Updated•7 months ago (Assignee)
Assignee: nobody → gabriel
Status: NEW → ASSIGNED
Comment 1•7 months ago (Assignee)
Comment 2•7 months ago (Assignee)
Depends on D204409
Comment 3•7 months ago (Assignee)
Depends on D204552
Updated•7 months ago
Attachment #9391123 - Attachment description: WIP: Bug 1884980 - Add dh-apparmor to the debian-repackage image → Bug 1884980 - Add dh-apparmor to the debian-repackage image r?jcristau,#releng-reviewers
Updated•7 months ago
Attachment #9390840 - Attachment description: WIP: Bug 1884980 - Add an AppArmor profile to fix userns in the .deb package → Bug 1884980 - Add an AppArmor profile to fix userns in the .deb package r?jcristau,#releng-reviewers
Updated•7 months ago
Attachment #9391137 - Attachment description: WIP: Bug 1884980 - Update test_deb.py to reflect changes in deb.py → Bug 1884980 - Update test_deb.py to reflect changes in deb.py r?jcristau,#releng-reviewers
Updated•7 months ago
Attachment #9391137 - Attachment is obsolete: true
Comment 4•6 months ago (Assignee)
Looks like /etc/apparmor.d/firefox was patched to match beta, devedition, and nightly.
# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"
abi <abi/4.0>,
include <tunables/global>
profile firefox /usr/lib/firefox{,-esr,-beta,-devedition,-nightly}/firefox{,-esr,-bin} flags=(unconfined) {
  userns,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/firefox>
}
Comment 5•6 months ago (Assignee)
So, I keep checking on the 24.04 daily build and I don't see this change yet. I wonder when it will land. I am hesitant to land the changes we were baking to fix this because I dunno how they will interact with this /usr/lib/firefox{,-esr,-beta,-devedition,-nightly}/firefox profile. Not sure what policy would apply to the binary (same reason we were going to leave firefox and firefox-esr out of the patch).
Comment 6•6 months ago (Assignee)
I was able to confirm Ubuntu's fix landed on the Noble Numbat Daily Build :)
ubuntu@ubuntu:~$ cd /etc/apparmor.d/
ubuntu@ubuntu:/etc/apparmor.d$ cat firefox
# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"
abi <abi/4.0>,
include <tunables/global>
profile firefox /usr/lib/firefox{,-esr,-beta,-devedition,-nightly}/firefox{,-esr,-bin} flags=(unconfined) {
  userns,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/firefox>
}
Status: ASSIGNED → RESOLVED
Closed: 6 months ago
Resolution: --- → WONTFIX
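Comment 5 asks which policy would apply to a given binary. The Python script below is an added example, not code from this bug or from Ubuntu's or Mozilla's packaging: it parses the profile header quoted in comments 4 and 6 and expands its `{}` alternations to list exactly which executable paths the profile names. The function names are hypothetical, the sample paths are constructed, and it reads only the profile text, not the kernel's loaded policy.

```python
import re

# Profile text as quoted in comments 4 and 6 of this bug.
PROFILE = """\
abi <abi/4.0>,
include <tunables/global>
profile firefox /usr/lib/firefox{,-esr,-beta,-devedition,-nightly}/firefox{,-esr,-bin} flags=(unconfined) {
  userns,
  include if exists <local/firefox>
}
"""

HEADER = re.compile(
    r"^\s*profile\s+(?P<name>\S+)\s+(?P<attach>/\S+)"
    r"(?:\s+flags=\((?P<flags>[^)]*)\))?\s*\{", re.M)
INNER = re.compile(r"\{([^{}]*)\}")  # an alternation with no nested braces

def parse_header(text):
    """Return (name, attachment pattern, flags) from the profile header."""
    m = HEADER.search(text)
    if m is None:
        raise ValueError("no 'profile NAME /path {' header found")
    flags = [f.strip() for f in (m["flags"] or "").split(",") if f.strip()]
    return m["name"], m["attach"], flags

def expand_alternations(pattern):
    """Expand {a,b} alternations (nesting allowed) into literal paths.
    Assumption: no other glob characters (*, **, ?, []) are present."""
    m = INNER.search(pattern)
    if m is None:
        if "{" in pattern or "}" in pattern:
            raise ValueError("unbalanced brace in pattern")
        return [pattern]
    out = []
    for alt in m.group(1).split(","):
        out += expand_alternations(pattern[:m.start()] + alt + pattern[m.end():])
    return list(dict.fromkeys(out))  # drop duplicates, keep order

def attaches(path, text=PROFILE):
    """True if the executable path is one the profile header names."""
    return path in expand_alternations(parse_header(text)[1])

def has_rule(rule, text=PROFILE):
    """True if the profile body contains the bare rule, e.g. 'userns'."""
    return re.search(rf"^\s*{re.escape(rule)}\s*,\s*$", text, re.M) is not None

if __name__ == "__main__":
    for p in ("/usr/lib/firefox-nightly/firefox", "/opt/firefox/firefox"):  # constructed
        print(p, "->", "profile firefox" if attaches(p) else "not attached")
```

A binary installed outside the listed paths is not named by this header, so the `userns` rule in this profile does not cover it.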
Updated•6 months ago
Attachment #9390840 - Attachment is obsolete: true
Updated•6 months ago
Attachment #9391123 - Attachment is obsolete: true