[pkg-apparmor] Bug#1030153: Bug#1030153: complaining

Antoine Beaupré anarcat at debian.org
Mon Feb 6 14:49:04 GMT 2023


On 2023-02-06 14:20:32, Christian Boltz wrote:
> Hello,
>
> Am Mittwoch, 1. Februar 2023, 16:00:06 CET schrieb Antoine Beaupré:
>> On 2023-01-31 23:57:04, Christian Boltz wrote:
>> > I'm somewhat surprised about that because the upstream profile for
>> > sshd has the following rule since Dec 3 2016 :
>> >   /{usr/,}bin/bash     Uxr,
> [...]
>> > Now I wonder - does your sshd profile lack this line/rule?
>> > (If in doubt, please attach the complete profile.)
> [...]
>> I *think* those are some "extra" profiles I might have manually
>> deployed at some point.
>
> Possibly. That must have been years ago ;-)

Why yes it was! I'm old too! ;)

>> Now that I dig in the apparmor-profiles, I found a
>> /usr/share/apparmor/extra-profiles/ directory and there *is* a
>> usr.sbin.sshd profile in there. So I'm not sure what happened here,
>> maybe I deployed those by hand but they never got updated?
>
> Sounds like a valid explanation. The extra profiles never get copied to 
> /etc/apparmor.d/ automatically *), which also means they don't get 
> updated automatically.
>
> *) only exception: aa-genprof offers to use them as starting point when 
>    creating a _new_ profile

Yeah. So that's the thing here: it seems to me this is really error
prone! It's quite likely that someone will, like me, copy those profiles
over and then forget about it, and then they never get updated...

I think they should be moved to the profile-extras package instead.

>> I also am a little confused by apparmor-profiles shipping an
>> "extra-profiles" directory *and* having at the same time an
>> apparmor-profiles-extra that only ships a handful of profiles... It's
>> all very confusing...
>
> That's something one of the Debian packagers needs to answer. 
> (I use another distribution, see my signature ;-)

Gotcha.

>> Here's that old profile that was causing problems:
> [...]
>> /usr/sbin/sshd flags=(complain) {
> [...]
>>   /bin/bash rUx,
>
> That explains it - it doesn't allow /usr/bin/bash to be executed.
>
> I'd recommend to copy over the latest sshd profile from extra-profiles to 
> /etc/apparmor.d/.

Well right now I just disabled the profile altogether, since there's no
clean way to update it.

>> Using the internet since 28.8kbit. Yes, I'm 'old'.
> My first modem was 300 bits/sec, you young whipper snapper!  ;-)
> [> Yamaban and James Knott in opensuse-factory]

It took a while for me to get hooked up on the internet, but if my
memory is correct it was over 900 baud (strange to read those in bits,
actually)... Am I young now? :p

a.

-- 
During times of universal deceit, telling the truth becomes a
revolutionary act.       - George Orwell
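The mismatch discussed above (an old `/bin/bash rUx,` rule versus the upstream `/{usr/,}bin/bash Uxr,` rule) comes down to how AppArmor path patterns are matched: `{usr/,}` is an alternation, so the upstream rule covers both `/bin/bash` and `/usr/bin/bash`, while the stale rule only covers the former and fails on a merged-/usr system where sshd ends up executing `/usr/bin/bash`. The following script is an added example, not code from the thread or from the AppArmor project; it models only AppArmor's alternation and glob syntax (`{a,b}`, `*`, `**`, `?`) and treats any mode string containing `x` as an exec permission, which is a simplification of the real rule grammar. It can be pointed at a deployed profile to spot exec rules that no longer cover the paths a merged-/usr binary actually uses.

```python
import re
from typing import Iterable, List, Set, Tuple

# Constructed rules, modelled on the two quoted in the thread.
OLD_RULE = "  /bin/bash rUx,"
UPSTREAM_RULE = "  /{usr/,}bin/bash     Uxr,"

# Paths a merged-/usr system may actually resolve a shell exec to
# (constructed list for the demonstration).
SHELL_PATHS = ["/bin/bash", "/usr/bin/bash"]


def expand_alternation(pattern: str) -> Set[str]:
    """Expand AppArmor {a,b,...} alternations into concrete patterns.

    An empty alternative (as in "{usr/,}") is allowed and yields the
    pattern with nothing substituted. Nested braces are expanded
    innermost first.
    """
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return {pattern}
    expanded: Set[str] = set()
    for alt in m.group(1).split(","):
        expanded |= expand_alternation(pattern[:m.start()] + alt + pattern[m.end():])
    return expanded


def glob_to_regex(pattern: str) -> str:
    """Translate AppArmor globbing to a regex: '*' and '?' do not cross
    a '/' boundary, '**' does."""
    out: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = pattern[i]
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


def parse_rule(rule: str) -> Tuple[str, Set[str]]:
    """Split a simple 'path mode,' rule into (path pattern, set of mode letters)."""
    body = rule.strip().rstrip(",")
    path, mode = body.split()
    return path, set(mode)


def rule_permits(rule: str, target: str, needed: str = "x") -> bool:
    """True if the rule's path pattern matches target and its mode grants
    every letter in `needed` (default: execute)."""
    path, mode = parse_rule(rule)
    if not set(needed) <= mode:
        return False
    return any(re.match(glob_to_regex(p), target) for p in expand_alternation(path))


def uncovered_paths(rules: Iterable[str], targets: Iterable[str]) -> List[str]:
    """Return the targets that no rule in the profile allows to execute.

    This is the check a stale, hand-copied profile fails on a merged-/usr
    host: /usr/bin/bash is absent from the set of permitted exec paths.
    """
    rules = list(rules)
    return [t for t in targets if not any(rule_permits(r, t) for r in rules)]


if __name__ == "__main__":
    for label, rule in (("old", OLD_RULE), ("upstream", UPSTREAM_RULE)):
        missing = uncovered_paths([rule], SHELL_PATHS)
        print(f"{label:>8} rule {rule.strip():<28} uncovered: {missing}")
```

Running it shows the old rule leaves `/usr/bin/bash` uncovered while the upstream rule covers both paths; the same `uncovered_paths` call can be fed every exec rule of a deployed profile together with the resolved paths of the interpreters it is expected to launch, which is a cheap way to notice a profile that was copied from `extra-profiles/` and never refreshed.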