[pkg-apparmor] Bug#1100546: Bug#1100546: apparmor-profiles: apparmor fails to start: /etc/apparmor.d/usr.bin.chromium-browser depends on removed abstraction
Alban Browaeys
prahal at yahoo.com
Tue Mar 18 01:31:14 GMT 2025
TLDR; can you confirm this issue is indeed obsolete (due to a pre
buster bug in apparmor-profiles postinst in my opinion, that is
2.10.95-8)? So I know to close my bug report?
Or plain close it yourself?
Note that during this bug investigation I noticed that
packages.debian.org still referenced these old 2016 conffiles as in the
sid version of apparmor-profiles.
Might want to bug report the site.
On Monday 17 March 2025 at 10:00 +0100, intrigeri wrote:
> Control: tag -1 + moreinfo
>
> Hi Alban,
>
> Alban Browaeys (2025-03-15):
> > mars 15 06:13:49 cyclope apparmor.systemd[1736]: Erreur de
> > l'analyseur AppArmor pour /etc/apparmor.d in profile
> > /etc/apparmor.d/usr.bin.chromium-browser
>
> AFAICT no Debian package ships
> /etc/apparmor.d/usr.bin.chromium-browser anymore, so it seems like you
> might have chosen to keep the obsolete leftover conffile during an
> upgrade in the past (likely because your local version had been
> modified, otherwise I believe you would not have even offered to keep
> it).
>
I did not change this usr.bin.chromium-browser conffile. I.e. see further
on the md5sum from my copy of the conffile and the ones from the 2016
apparmor-profiles package.
But I confirm that on another similar x86-64 box (also Debian trixie,
the one where I edited the conffiles before reverting the changes later
on) I don't have this conffile. With the same apparmor-profiles amd64
4.1.0~beta5-3 on both boxes. The non buggy box is a pretty new install,
only a few years old.
Still, on the affected box, dpkg tells me this conffile is part of
apparmor-profiles.

dpkg -S /etc/apparmor.d/usr.bin.chromium-browser
apparmor-profiles: /etc/apparmor.d/usr.bin.chromium-browser

apt policy apparmor-profiles
apparmor-profiles:
  Installé : 4.1.0~beta5-3
  Candidat : 4.1.0~beta5-3
  Table de version :
     4.1.0~beta5-4 90
         90 http://ftp.debian.org/debian sid/main amd64 Packages
         90 http://ftp.debian.org/debian sid/main i386 Packages
 *** 4.1.0~beta5-3 500
        500 http://deb.debian.org/debian trixie/main amd64 Packages
        500 http://deb.debian.org/debian trixie/main i386 Packages
        100 /var/lib/dpkg/status
     3.0.8-3 500
        500 http://deb.debian.org/debian bookworm/main amd64 Packages
        500 http://deb.debian.org/debian bookworm/main i386 Packages

debsums -a apparmor-profiles
(...)
/etc/apparmor.d/usr.bin.chromium-browser OK
(...)

https://packages.debian.org/search?suite=sid&arch=any&mode=path&searchon=contents&keywords=%2Fetc%2Fapparmor.d%2Fusr.bin.chromium-browser
shows unstable has this file but I cannot find it in any older distribution.
NB: see later on, this seems to be a bug in the packages.debian.org site, but it only affects the sid section.
> I'm not closing just yet in case I'm missing something: could you
> please check if a package manages that file on your system, and if so,
> which package that is?
>
I already had, that is how I decided to bug report apparmor
(by dpkg -S /etc/apparmor.d/usr.bin.chromium-browser)
/var/lib/dpkg/status indicates this conffile is indeed marked as
obsolete
Package: apparmor-profiles
Status: install ok installed
Priority: extra
Section: admin
Installed-Size: 365
Maintainer: Debian AppArmor Team <pkg-apparmor-team at lists.alioth.debian.org>
Architecture: all
Source: apparmor
Version: 4.1.0~beta5-3
Depends: apparmor
Conffiles:
/etc/apparmor.d/apache2.d/phpsysinfo 5ffc1b7c25b9101eaeae8fa81e22237e
/etc/apparmor.d/bin.ping 073d4fac9abaaca8c3b3790f20a460d5
/etc/apparmor.d/php-fpm 781494deb6468af0e722a4b59db247bb
/etc/apparmor.d/samba-bgqd b4fb40401884c6f849c287d927274f3c
/etc/apparmor.d/samba-dcerpcd 88bbd254394e0f3b5a19dfe27cb053aa
/etc/apparmor.d/samba-rpcd 848812e80e144cf37521976379effa76
/etc/apparmor.d/samba-rpcd-classic c75617aedebff928eeb295ff303eeb0a
/etc/apparmor.d/samba-rpcd-spoolss ea69eea9e4af63337f44598bc14264da
/etc/apparmor.d/sbin.klogd 7f461526f43f3b5dd38840d79d094143
/etc/apparmor.d/sbin.syslog-ng feed48e34698498222c5393be2da2d6f
/etc/apparmor.d/sbin.syslogd 3ae85b75cbe58f269746ff768a54e513
/etc/apparmor.d/usr.sbin.avahi-daemon aab5dc7c3d3b38721095ce7979b9b37c
/etc/apparmor.d/usr.sbin.dnsmasq 057af6a62645c74d0c7ae02cfef19f16
/etc/apparmor.d/usr.sbin.identd e726186ba64833212664b499155f3627
/etc/apparmor.d/usr.sbin.mdnsd 554e3b95fb84d268ed736dac5899047d
/etc/apparmor.d/usr.sbin.nmbd fdb5c84fdbe9937e3f8f0c35bac6aae4
/etc/apparmor.d/usr.sbin.nscd 3bcdbd38cfa890c2030625f6f4987fcf
/etc/apparmor.d/usr.sbin.smbd e9cbfe9c12779195d7731bce19d8500b
/etc/apparmor.d/usr.sbin.smbldap-useradd ec215e6c503cd5bd4d6434ad197c5e33
/etc/apparmor.d/usr.sbin.traceroute 8b31eb65d8bc2b5d3434c905ff99628b
/etc/apparmor.d/usr.bin.chromium-browser 8776649e465b5b5b0ffd1a5c792ce03e obsolete
/etc/apparmor.d/zgrep 51feb0a03c41df3480734736b8982308 obsolete
Description: experimental profiles for AppArmor security policies
apparmor-profiles provides various experimental AppArmor profiles.
Do not expect these profiles to work out-of-the-box.
.
These profiles are not mature enough to be shipped in enforce mode by
default on Debian. They are shipped in complain mode so that users
can test them, choose which are desired, and help improve them
upstream if needed.
.
Some even more experimental profiles are included in
/usr/share/doc/apparmor-profiles/extras/.
Homepage: https://apparmor.net/
The conffile is not modified if, as I believe, the /var/lib/dpkg/status
Conffiles entries show the unmodified md5sum of the conffile.
md5sum /etc/apparmor.d/usr.bin.chromium-browser
8776649e465b5b5b0ffd1a5c792ce03e /etc/apparmor.d/usr.bin.chromium-browser
And if I check this new apparmor-profiles sid version still in incoming
https://incoming.debian.org/debian-buildd/pool/main/a/apparmor/apparmor-profiles_4.1.0~beta5-4_all.deb
it also does not have this chromium-browser conffile.
Mind this debian install dates back from 2014.
stat /etc/apparmor.d/usr.bin.chromium-browser
Fichier : /etc/apparmor.d/usr.bin.chromium-browser
Taille : 8243 Blocs : 24 Blocs d'E/S : 4096 fichier
Périphérique : 0/29 Inœud : 5643 Liens : 1
Accès : (0644/-rw-r--r--) UID : ( 0/ root) GID : ( 0/ root)
Accès : 2024-12-19 04:53:35.262286179 +0100
Modif. : 2016-03-30 01:07:06.000000000 +0200
Changt : 2024-12-19 04:53:35.262286179 +0100
Créé : 2024-12-19 04:53:35.262286179 +0100
from the date it would be https://snapshot.debian.org/package/apparmor/2.10-4/#apparmor-profiles_2.10-4
which indeed has this chromium-browser conffile with the same md5sum 8776649e465b5b5b0ffd1a5c792ce03e.
this conffile was already shipped in https://snapshot.debian.org/package/apparmor/2.6.1-2/#apparmor-profiles_2.6.1-2
Seen in debian on 2011-04-29 03:56:00 in /pool/main/a/apparmor.
this conffile was last shipped in https://snapshot.debian.org/package/apparmor/2.10.95-7/#apparmor-profiles_2.10.95-7
with the same 8776649e465b5b5b0ffd1a5c792ce03e md5sum.
and with postinst "
if [ "$1" = "configure" ]; then
    APP_PROFILE="/etc/apparmor.d/usr.bin.chromium-browser"
    if [ -f "$APP_PROFILE" ]; then
        # Add the local/ include
        LOCAL_APP_PROFILE="/etc/apparmor.d/local/usr.bin.chromium-browser"

        test -e "$LOCAL_APP_PROFILE" || {
            tmp=`mktemp`
            cat <<EOM > "$tmp"
# Site-specific additions and overrides for usr.bin.chromium-browser.
# For more details, please see /etc/apparmor.d/local/README.
EOM
            mkdir `dirname "$LOCAL_APP_PROFILE"` 2>/dev/null || true
            mv -f "$tmp" "$LOCAL_APP_PROFILE"
            chmod 644 "$LOCAL_APP_PROFILE"
        }

        # Reload the profile, including any abstraction updates
        if aa_is_enabled; then
            apparmor_parser -r -T -W "$APP_PROFILE" || true
        fi
    fi
fi
# End automatically added section
"
and was removed in https://snapshot.debian.org/package/apparmor/2.10.95-8/#apparmor-profiles_2.10.95-8
Seen in debian on 2016-12-17 21:25:34 in /pool/main/a/apparmor.
with this changelog "
apparmor (2.10.95-8) unstable; urgency=medium

  * Stop applying add-chromium-browser.patch: it's been broken for years
    on Debian, and nobody ever bothered to upstream this profile in a way
    that makes it work cross-distro (Closes: #742829).
  * r3441-sshd-blacklist.patch: new patch, cherry-picked from upstream
    (Closes: #821881).
  * r3497-add-ld.so.preload-to-abstractions-base.patch: new patch,
    cherry-picked from upstream.
  * r3600-usrmerge.patch: new patch, cherry-picked from upstream
    (resolves the parts of #843461 that can be handled in this
    package).

 -- intrigeri <intrigeri at debian.org>  Sat, 17 Dec 2016 11:25:27 +0000
" bug I see
All in all I believe that the usr.bin.chromium-browser conffile removal
from December 2016 was buggy in not removing the not modified conffile,
but I might have only noticed recently because I got an error that the
chromium abstraction was missing as this leftover profile was including
the abstraction.
Somehow "recently" this abstraction was renamed from chromium-browser
to chromium-browser.dpkg-old. Or maybe I had apparmor broken for years
on this box.
this abstraction was installed via apparmor-profiles postinst, ie not a
conffile.
case "$1" in
    configure)
        if [ ! -e /etc/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser ]; then
            cp /usr/share/apparmor-profiles/abstractions/ubuntu-browsers.d/chromium-browser /etc/apparmor.d/abstractions/ubuntu-browsers.d || true
        fi
        ;;
esac
this code was last in postinst in apparmor-profiles_2.10.95-8_all.deb
but was not in apparmor-profiles_2.11.0-1_all.deb postinst anymore.
I really don't know why and when this /etc/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser
was renamed to /etc/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser.dpkg-old
but this is how I noticed this month that this leftover conffile was not removed
as it should have been in December 2016.
Likely an obsolete issue, ie from a distro before buster, so
unsupported.
NB: something is broken in https://packages.debian.org as this conffile
is marked as shipped by apparmor-profiles from sid while it is not
(be it the incoming.debian.org apparmor-profiles_4.1.0~beta5-4_all.deb
or the previous sid apparmor-profiles_4.1.0~beta5-3_all.deb)
at
https://packages.debian.org/search?suite=sid&arch=any&mode=path&searchon=contents&keywords=%2Fetc%2Fapparmor.d%2Fusr.bin.chromium-browser
same for the chromium-browser abstraction see
https://packages.debian.org/search?suite=sid&arch=any&mode=path&searchon=contents&keywords=%2Fusr%2Fshare%2Fapparmor-profiles%2Fabstractions%2Fubuntu-browsers.d%2Fchromium-browser
This issue is not obsolete. Could you report it to the appropriate
debian tracker? I am afraid I don't have any clue
as to why the packages.debian.org site still references these long
removed conffiles.
Cheers
Alban
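
The check walked through in this message (a conffile flagged "obsolete" in /var/lib/dpkg/status whose on-disk md5sum still equals the recorded one) can be scripted. The following is an added example, not part of the original message or of any Debian package; the function names, the demo-profiles package and the fixture built by make_demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit conffiles that dpkg flags "obsolete" for one package.

md5of() { md5sum "$1" | cut -d' ' -f1; }

# list_obsolete STATUS PACKAGE -> "path md5" per obsolete conffile of PACKAGE
list_obsolete() {
    awk -v pkg="$2" '
        /^Package: /  { cur = $2; in_conf = 0; next }
        /^Conffiles:/ { in_conf = (cur == pkg); next }
        /^[^ ]/       { in_conf = 0; next }   # any other field ends the list
        in_conf && $NF == "obsolete" { print $1, $2 }
    ' "$1"
}

# classify ROOT PATH MD5 -> gone | unmodified-leftover | locally-modified
classify() {
    [ -e "$1$2" ] || { echo gone; return; }
    if [ "$(md5of "$1$2")" = "$3" ]; then echo unmodified-leftover
    else echo locally-modified; fi
}

# audit STATUS ROOT PACKAGE -> one "verdict path" line per obsolete conffile
audit() {
    list_obsolete "$1" "$3" | while read -r path md5; do
        echo "$(classify "$2" "$path" "$md5") $path"
    done
}

# make_demo ROOT: constructed fixture (status stanza plus files), not real data
make_demo() {
    d="$1/etc/apparmor.d"; mkdir -p "$d"
    echo "profile one" > "$d/leftover"
    echo "profile two" > "$d/edited"
    echo "profile three" > "$d/current"
    {
        echo "Package: demo-profiles"
        echo "Status: install ok installed"
        echo "Conffiles:"
        echo " /etc/apparmor.d/current $(md5of "$d/current")"
        echo " /etc/apparmor.d/leftover $(md5of "$d/leftover") obsolete"
        echo " /etc/apparmor.d/edited $(md5of "$d/edited") obsolete"
        echo " /etc/apparmor.d/removed 00000000000000000000000000000000 obsolete"
        echo "Description: constructed stanza"
    } > "$1/status"
    echo "# local change" >> "$d/edited"   # edited after the md5 was recorded
}

demo_root=$(mktemp -d)
make_demo "$demo_root"
audit "$demo_root/status" "$demo_root" demo-profiles
rm -rf "$demo_root"
```

On a real system the equivalent call is `audit /var/lib/dpkg/status "" apparmor-profiles`; an "unmodified-leftover" verdict corresponds to the situation described above for usr.bin.chromium-browser.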