[pkg-apparmor] Bug#977210: redshift: AppArmor profile breaks under Wayland

nicoo nicoo at debian.org
Sat Dec 12 16:24:17 GMT 2020


user pkg-apparmor-team at lists.alioth.debian.org
usertags 977210 + buggy-profile
tag 977210 + patch
thanks

I have a working patch on Salsa: https://salsa.debian.org/debian/redshift/-/merge_requests/4

Apologies for forgetting to CC the rest of the AppArmor team on this.

On Sat, Dec 12, 2020 at 05:08:22PM +0100, nicoo wrote:
> Package: redshift
> Version: 1.12-3
> Severity: important
> 
> Hi myself!
> 
> The AppArmor profile for redshift is broken under Wayland.
> Since Wayland support just got added in this version, this is not a problem
> for existing users of the package, but I should fix this ASAP.
> 
> The log message is pretty straightforward:
> 
> > kernel: audit: type=1400 audit(1607788832.946:72): apparmor="DENIED" operation="mknod" profile="/usr/bin/redshift" name="/run/user/1000/redshift-shared-DbzWVS" pid=1511436 comm="redshift" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
> 
> abstractions/wayland authorises manipulating /run/user/*/${name}-shared-*,
> when the file is owned by the user, and ${name} belongs to a whitelist
> (mesa, mutter, sdl, wayland-cursor, weston, or xwayland).
> 
> I do not know whether the rule in the abstraction should be made more flexible,
> if redshift implements the wayland parts wrong (this is implemented from a patch
> that upstream hasn't merged yet), or something else, so I am just going to add
> this specific path pattern in redshift's AppArmor profile.
> 
> 
> Best,
> 
>   nicoo
> 
> 
> - -- System Information:
> Debian Release: bullseye/sid
>   APT prefers testing
>   APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 5.9.0-4-amd64 (SMP w/4 CPU threads)
> Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
> Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
> 
> Versions of packages redshift depends on:
> ii  init-system-helpers  1.59
> ii  libc6                2.31-5
> ii  libdrm2              2.4.103-2
> ii  libglib2.0-0         2.66.3-2
> ii  libwayland-client0   1.18.0-2~exp1.1
> ii  libx11-6             2:1.6.12-1
> ii  libxcb-randr0        1.14-2
> ii  libxcb1              1.14-2
> ii  libxxf86vm1          1:1.1.4-1+b2
> 
> Versions of packages redshift recommends:
> ii  geoclue-2.0  2.5.6-1
> 
> redshift suggests no packages.
> 
> - -- no debconf information
> 
> 
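An added example, not part of the original message or of the redshift or AppArmor packaging: it parses the denial quoted in the report and tests the denied path against the `/run/user/*/${name}-shared-*` pattern and owner condition the report describes for abstractions/wayland. The function names and the regex translation of the AppArmor glob are assumptions made for illustration.

```python
import re
import shlex

# Constructed sample: the denial line quoted in the bug report.
SAMPLE = ('kernel: audit: type=1400 audit(1607788832.946:72): apparmor="DENIED" '
          'operation="mknod" profile="/usr/bin/redshift" '
          'name="/run/user/1000/redshift-shared-DbzWVS" pid=1511436 '
          'comm="redshift" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000')

# Names the report lists as allowed by abstractions/wayland.
WAYLAND_NAMES = ("mesa", "mutter", "sdl", "wayland-cursor", "weston", "xwayland")


def parse_denial(line):
    """Return the key=value fields of an AppArmor audit line as a dict."""
    _, sep, tail = line.partition("apparmor=")
    if not sep:
        raise ValueError("not an AppArmor audit line")
    # shlex strips the double quotes around values such as name="...".
    tokens = shlex.split("apparmor=" + tail)
    return dict(tok.split("=", 1) for tok in tokens if "=" in tok)


def shared_path_regex(names):
    """Regex for /run/user/*/<name>-shared-*; an AppArmor '*' never crosses '/'."""
    alt = "|".join(re.escape(n) for n in names)
    return re.compile(r"/run/user/[^/]*/(?:%s)-shared-[^/]*" % alt)


def covered_by_wayland(fields, names=WAYLAND_NAMES):
    """True if the path matches the pattern and the file is owned by the caller."""
    fsuid, ouid = fields.get("fsuid"), fields.get("ouid")
    owner_ok = fsuid is not None and fsuid == ouid
    return owner_ok and shared_path_regex(names).fullmatch(fields["name"]) is not None


if __name__ == "__main__":
    denial = parse_denial(SAMPLE)
    print(denial["operation"], denial["name"], denial["denied_mask"])
    print("covered by abstractions/wayland:", covered_by_wayland(denial))
```

Running it on the sample shows that the owner condition holds (fsuid equals ouid) and only the `redshift` name prefix falls outside the listed names.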