[pkg-apparmor] BTS housekeeping and severity adjustments
Christian Boltz
debian-bugs at cboltz.de
Sat Jul 22 20:32:41 BST 2023
Hello,
On Friday, 21 July 2023, 15:05:52 CEST, Stefano Rivera wrote:
> > severity 932501 serious
>
> I'm wondering if this bug should really be serious. Squid's apparmor
> config is shipped disabled, so one has to manually enable it to
> trigger this bug.
>
> I would have gone for normal/important.
>
> I don't know what the correct solution to this bug is. Presumably one
> has to get the squid profile to include the abstraction that
> squid-deb-proxy provides. I don't know how this is usually done in a
> Debian package. Maybe one of the apparmor team can comment.
The interesting part is that the abstraction is shipped in
squid-deb-proxy, while the squid profile comes from another package (I
didn't check which one).
I guess the best you can have is to add
    include if exists <abstractions/squid-deb-proxy>
in the squid profile so that it will include the abstraction if it
exists, and doesn't complain if it doesn't.
Note that the AppArmor profile cache is only timestamp-based [1], so if
you install squid-deb-proxy (and had the squid AppArmor profile loaded
before), it might happen that the cache file is newer than the
squid-deb-proxy abstraction, with the result that the cache doesn't get
updated.
(Workaround: delete the cache file, then reload the profile.)
The alternative is to add the rules needed for squid-deb-proxy directly
to the squid profile. This adds some "superfluous" rules for people who
don't use squid-deb-proxy, but on the positive side it avoids the cache
issue.
BTW: https://packages.debian.org/sid/all/squid-deb-proxy/filelist says
the abstraction is packaged as
    /etc/apparmor.d/abstractions/squid-deb-proxy/squid-deb-proxy
which looks slightly wrong ;-) It should just be
    /etc/apparmor.d/abstractions/squid-deb-proxy
(assuming no other files get deployed to
/etc/apparmor.d/abstractions/squid-deb-proxy/ )
Bonus points if you add
    include if exists <abstractions/squid-deb-proxy.d>
to the abstraction ;-)
For the records: include if exists needs AppArmor >= 3.0 userspace.
Regards,
Christian Boltz
[1] Using a better cache validation method like checking the checksum of
the text profile is on the TODO list upstream, but not implemented
yet.
--
[SuSE vs. SUSE] As a friend of mine elsewhere remarked, the picky
spelling capitalization scheme reinforces the idea that Linux is
case-sensitive, so these are "sensitive" issues and certainly worth
discussing (for us, at least)! :) [Shriramana Sharma in opensuse]
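
The cache caveat in the message above, as an added example (not code from the message or from the AppArmor project): it lists the files a profile pulls in through angle-bracket includes, including `include if exists`, and flags those that a pure modification-time comparison against the cache file would miss. Assumptions: the cache check compares mtimes, package installation keeps the packaged mtime while ctime records when the file appeared on the system, the function names are hypothetical, and the caller supplies the cache file path and the include base directory.

```python
import os
import re
from pathlib import Path

# Matches `include <x>`, `#include <x>` and `include if exists <x>`.
INCLUDE_RE = re.compile(r'^\s*#?include\s+(?:if\s+exists\s+)?<([^>]+)>', re.M)


def included_files(profile, base_dir):
    """Return files pulled in by angle-bracket includes (one level deep).

    An include that names a directory contributes every regular file in it.
    A missing target is skipped here, which is what `include if exists` does.
    """
    found = []
    for rel in INCLUDE_RE.findall(Path(profile).read_text()):
        target = Path(base_dir) / rel
        if target.is_dir():
            found += sorted(p for p in target.iterdir() if p.is_file())
        elif target.is_file():
            found.append(target)
    return found


def masked_includes(profile, cache_file, base_dir):
    """Includes that changed after caching but look older than the cache.

    Heuristic (assumption): mtime <= cache mtime means a timestamp check
    keeps the cache, while ctime > cache mtime means the file was installed
    or replaced after the cache was written.
    """
    cache_mtime = os.stat(cache_file).st_mtime
    masked = []
    for path in included_files(profile, base_dir):
        st = path.stat()
        if st.st_mtime <= cache_mtime < st.st_ctime:
            masked.append(str(path))
    return masked
```

A non-empty result is the situation where the workaround from the message applies: delete the cache file, then reload the profile.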