[pkg-apparmor] Bug#1032020: chromium: Missing character after Chromium AppArmor profile update opens up unrestricted system browsing.
Guillaume B.
ksurp0 at gmail.com
Tue Feb 28 07:01:02 GMT 2023
Start quote -> "
You mean Debian maintenance team, right? If you pulled in an Ubuntu
apparmor package, that's a different story (and we should close this
bug). If you're using Debian's apparmor-profiles package, then the bug
and fix should go there. Although, if you're pulling in an Ubuntu
package to get some kind of apparmor protection that Debian doesn't
have, you also might want to open a wishlist bug on the Debian package
asking for the feature so you don't have to mix-and-match packages
across different distributions."
///
I am, honestly, as confused as you. I've had profiles from the
apparmor-profiles and apparmor-profiles-extra packages for a long time.
This time around, though, I did not have either packages installed all the
while having active apparmor.d profiles.
Installing fresh sid profiles with both previously stated packages (version
3.0.8-3 and 1.35 respectively), I have not seen that specific mistake made.
It may have come from a loose AppArmor profile but, just to be sure, no
such open "/** r," found in latest sid-provided
apparmor-profiles/apparmor-profiles-extra Chromium AppArmor profile.
Cheers
On Mon, Feb 27, 2023, 20:45 Andres Salomon <dilinger at queued.net> wrote:
> Control: reassign -1 apparmor-profiles
>
>
>
> On Mon, Feb 27 2023 at 08:15:37 PM +0100, Guillaume B.
> <ksurp0 at gmail.com> wrote:
> > Hi,
> >
> > It seems that the previous emails in our exchange got nuked out my
> > account so apologies for not being able to reply using the usual
> > channels.
> >
> > The command 'find /etc/apparmor* -name "*hromium*" | xargs dpkg -S'
> > returns the following -> "dpkg-query: no path found matching pattern
> > /etc/apparmor.d/usr.bin.chromium
> > lightdm: /etc/apparmor.d/abstractions/lightdm_chromium-browser"
> >
> > ///
> >
> > I'm using AppArmor profiles found in the "apparmor-profiles" package.
> > Having recently updated from stable, I was able to keep the profiles
> > without the package being installed; i.e., the update couldn't have
> > come from an apparmor-profile package update.
>
>
> Ah, okay, that makes more sense. Reassigning to the apparmor-profiles
> package, then.
>
>
> >
> > Dealing with the issue, I have not made a backup of the updated
> > Chromium AppArmor profile but simply did some file comparison and
> > reverted to a previous profile, nuking the updated profile in the
> > copying process.
> >
> > The "updated" AppArmor profile was dated either january or february
> > of this year and had been modified by an Ubuntu email.
> >
> > TLDR; There was an update to the Chromium AppArmor profile, not sure
> > how, but it happened.
> >
> > I might just take it up with the Ubuntu Chromium AppArmor profile
> > maintenance team, in which case, sorry to have wasted your time.
> >
> > Regards
>
>
>
> You mean Debian maintenance team, right? If you pulled in an Ubuntu
> apparmor package, that's a different story (and we should close this
> bug). If you're using Debian's apparmor-profiles package, then the bug
> and fix should go there. Although, if you're pulling in an Ubuntu
> package to get some kind of apparmor protection that Debian doesn't
> have, you also might want to open a wishlist bug on the Debian package
> asking for the feature so you don't have to mix-and-match packages
> across different distributions.
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-apparmor-team/attachments/20230228/a3988245/attachment.htm>
More information about the pkg-apparmor-team
mailing list