[pkg-apparmor] Bug#1100546: Bug#1100546: apparmor-profiles: apparmor fails to start: /etc/apparmor.d/usr.bin.chromium-browser depends on removed abstraction

Alban Browaeys prahal at yahoo.com
Tue Mar 18 04:47:31 GMT 2025


I found what/when made this old conffile removal bug visible. That is
the chromium-browser abstraction removal, in:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074408
apparmor 3.1.7-4
* Remove obsolete conffile
     /etc/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser
     (Closes: #1074408)

Indeed the apparmor service started to fail once I rebooted on the 14th of
March 2025 (while my previous boot was Feb 16th).
In the meantime I had an upgrade of apparmor from 3.1.7-2 to 3.1.7-4
on the 23rd of February 2025.

Do you know if I could have made a mistake that could have led to the
conffile remaining in 2016 when the conffile was removed from the
apparmor-profiles package? Ie the conffile was unmodified (same md5 sum
as the old package version).
If it ends up being my bad then close this bug report.
If not, you might want to remove both the conffile and the abstraction
files at the same time.

Cheers,
Alban


On Tuesday 18 March 2025 at 02:31 +0100, Alban Browaeys wrote:
> TLDR; can you confirm this issue is indeed obsolete (due to a pre
> buster bug in apparmor-profiles postinst in my opinion, that is
> 2.10.95-8)? So I know to close my bug report?
> Or plain close it yourself?
> 
> Note that during this bug investigation I noticed that
> packages.debian.org still referenced these old 2016 conffiles as in the
> sid version of apparmor-profiles.
> Might want to bug report the site.
> 
> On Monday 17 March 2025 at 10:00 +0100, intrigeri wrote:
> > Control: tag -1 + moreinfo
> > 
> > Hi Alban,
> > 
> > Alban Browaeys (2025-03-15):
> > > mars 15 06:13:49 cyclope apparmor.systemd[1736]: Erreur de
> > > l'analyseur AppArmor pour /etc/apparmor.d in profile
> > > /etc/apparmor.d/usr.bin.chromium-browser
> > 
> > AFAICT no Debian package ships
> > /etc/apparmor.d/usr.bin.chromium-browser anymore, so it seems like you
> > might have chosen to keep the obsolete leftover conffile during an
> > upgrade in the past (likely because your local version had been
> > modified, otherwise I believe you would not have even offered to keep
> > it).
> > 
> 
> I did not change this usr.bin.chromium-browser conffile. Ie see further
> on the md5sum from my copy of the conffile and the ones from the 2016
> apparmor-profiles package.
> 
> 
> 
> But I confirm that on another similar x86-64 box (also Debian trixie,
> the one where I edited the conffiles before reverting the changes later
> on) I don't have this conffile. With the same apparmor-profiles amd64
> 4.1.0~beta5-3 on both boxes. The non buggy box is a pretty new install,
> only a few years old.
> 
> Still, on the affected box, dpkg tells me this conffile is part of
> apparmor-profiles.
> 
> dpkg -S /etc/apparmor.d/usr.bin.chromium-browser
> apparmor-profiles: /etc/apparmor.d/usr.bin.chromium-browser
> 
> apt policy apparmor-profiles
> apparmor-profiles:
>   Installé : 4.1.0~beta5-3
>   Candidat : 4.1.0~beta5-3
>  Table de version :
>      4.1.0~beta5-4 90
>          90 http://ftp.debian.org/debian sid/main amd64 Packages
>          90 http://ftp.debian.org/debian sid/main i386 Packages
>  *** 4.1.0~beta5-3 500
>         500 http://deb.debian.org/debian trixie/main amd64 Packages
>         500 http://deb.debian.org/debian trixie/main i386 Packages
>         100 /var/lib/dpkg/status
>      3.0.8-3 500
>         500 http://deb.debian.org/debian bookworm/main amd64 Packages
>         500 http://deb.debian.org/debian bookworm/main i386 Packages
> 
> 
> debsums -a apparmor-profiles
> (...)
> /etc/apparmor.d/usr.bin.chromium-browser                                      OK
> (...)
> 
> 
> https://packages.debian.org/search?suite=sid&arch=any&mode=path&searchon=contents&keywords=%2Fetc%2Fapparmor.d%2Fusr.bin.chromium-browser
> shows unstable has this file but I cannot find it in any older
> distribution.
> NB: see later on, this seems to be a bug in the packages.debian.org
> site, but only affects the sid section.
> 
> 
> > I'm not closing just yet in case I'm missing something: could you
> > please check if a package manages that file on your system, and if so,
> > which package that is?
> > 
> 
> I already had, that is how I decided to bug report apparmor
> (by dpkg -S /etc/apparmor.d/usr.bin.chromium-browser)
> 
> 
> /var/lib/dpkg/status indicates this conffile is indeed marked as obsolete
> 
> Package: apparmor-profiles
> Status: install ok installed
> Priority: extra
> Section: admin
> Installed-Size: 365
> Maintainer: Debian AppArmor Team <pkg-apparmor-team at lists.alioth.debian.org>
> Architecture: all
> Source: apparmor
> Version: 4.1.0~beta5-3
> Depends: apparmor
> Conffiles:
>  /etc/apparmor.d/apache2.d/phpsysinfo 5ffc1b7c25b9101eaeae8fa81e22237e
>  /etc/apparmor.d/bin.ping 073d4fac9abaaca8c3b3790f20a460d5
>  /etc/apparmor.d/php-fpm 781494deb6468af0e722a4b59db247bb
>  /etc/apparmor.d/samba-bgqd b4fb40401884c6f849c287d927274f3c
>  /etc/apparmor.d/samba-dcerpcd 88bbd254394e0f3b5a19dfe27cb053aa
>  /etc/apparmor.d/samba-rpcd 848812e80e144cf37521976379effa76
>  /etc/apparmor.d/samba-rpcd-classic c75617aedebff928eeb295ff303eeb0a
>  /etc/apparmor.d/samba-rpcd-spoolss ea69eea9e4af63337f44598bc14264da
>  /etc/apparmor.d/sbin.klogd 7f461526f43f3b5dd38840d79d094143
>  /etc/apparmor.d/sbin.syslog-ng feed48e34698498222c5393be2da2d6f
>  /etc/apparmor.d/sbin.syslogd 3ae85b75cbe58f269746ff768a54e513
>  /etc/apparmor.d/usr.sbin.avahi-daemon aab5dc7c3d3b38721095ce7979b9b37c
>  /etc/apparmor.d/usr.sbin.dnsmasq 057af6a62645c74d0c7ae02cfef19f16
>  /etc/apparmor.d/usr.sbin.identd e726186ba64833212664b499155f3627
>  /etc/apparmor.d/usr.sbin.mdnsd 554e3b95fb84d268ed736dac5899047d
>  /etc/apparmor.d/usr.sbin.nmbd fdb5c84fdbe9937e3f8f0c35bac6aae4
>  /etc/apparmor.d/usr.sbin.nscd 3bcdbd38cfa890c2030625f6f4987fcf
>  /etc/apparmor.d/usr.sbin.smbd e9cbfe9c12779195d7731bce19d8500b
>  /etc/apparmor.d/usr.sbin.smbldap-useradd ec215e6c503cd5bd4d6434ad197c5e33
>  /etc/apparmor.d/usr.sbin.traceroute 8b31eb65d8bc2b5d3434c905ff99628b
>  /etc/apparmor.d/usr.bin.chromium-browser 8776649e465b5b5b0ffd1a5c792ce03e obsolete
>  /etc/apparmor.d/zgrep 51feb0a03c41df3480734736b8982308 obsolete
> Description: experimental profiles for AppArmor security policies
>  apparmor-profiles provides various experimental AppArmor profiles.
>  Do not expect these profiles to work out-of-the-box.
>  .
>  These profiles are not mature enough to be shipped in enforce mode by
>  default on Debian. They are shipped in complain mode so that users
>  can test them, choose which are desired, and help improve them
>  upstream if needed.
>  .
>  Some even more experimental profiles are included in
>  /usr/share/doc/apparmor-profiles/extras/.
> Homepage: https://apparmor.net/
> 
> 
> The conffile is not modified if as I believe the /var/lib/dpkg/status
> Conffiles entries shows the unmodified md5sum of the conffile.
> 
>  md5sum /etc/apparmor.d/usr.bin.chromium-browser
> 8776649e465b5b5b0ffd1a5c792ce03e  /etc/apparmor.d/usr.bin.chromium-browser
> 
> 
> 
> And if I check this new apparmor-profiles sid version still in incoming
> https://incoming.debian.org/debian-buildd/pool/main/a/apparmor/apparmor-profiles_4.1.0~beta5-4_all.deb
> it also does not have this chromium-browser conffile.
> 
> 
> Mind this debian install dates back from 2014.
> 
>  stat /etc/apparmor.d/usr.bin.chromium-browser
>   Fichier : /etc/apparmor.d/usr.bin.chromium-browser
>    Taille : 8243      	Blocs : 24         Blocs d'E/S : 4096   fichier
> Périphérique : 0/29	Inœud : 5643        Liens : 1
> Accès : (0644/-rw-r--r--)  UID : (    0/    root)   GID : (    0/    root)
>  Accès : 2024-12-19 04:53:35.262286179 +0100
> Modif. : 2016-03-30 01:07:06.000000000 +0200
> Changt : 2024-12-19 04:53:35.262286179 +0100
>   Créé : 2024-12-19 04:53:35.262286179 +0100
> 
> from the date it would be
> https://snapshot.debian.org/package/apparmor/2.10-4/#apparmor-profiles_2.10-4
> which indeed has this chromium-browser conffile with the same md5sum
> 8776649e465b5b5b0ffd1a5c792ce03e.
> 
> 
> this conffile was already shipped in
> https://snapshot.debian.org/package/apparmor/2.6.1-2/#apparmor-profiles_2.6.1-2
>  Seen in debian on 2011-04-29 03:56:00 in /pool/main/a/apparmor. 
> 
> this conffile was last shipped in
> https://snapshot.debian.org/package/apparmor/2.10.95-7/#apparmor-profiles_2.10.95-7
> with the same 8776649e465b5b5b0ffd1a5c792ce03e md5sum.
> and with postinst "
> if [ "$1" = "configure" ]; then
>     APP_PROFILE="/etc/apparmor.d/usr.bin.chromium-browser"
>     if [ -f "$APP_PROFILE" ]; then
>         # Add the local/ include
>         LOCAL_APP_PROFILE="/etc/apparmor.d/local/usr.bin.chromium-browser"
> 
>         test -e "$LOCAL_APP_PROFILE" || {
>             tmp=`mktemp`
>         cat <<EOM > "$tmp"
> # Site-specific additions and overrides for usr.bin.chromium-browser.
> # For more details, please see /etc/apparmor.d/local/README.
> EOM
>             mkdir `dirname "$LOCAL_APP_PROFILE"` 2>/dev/null || true
>             mv -f "$tmp" "$LOCAL_APP_PROFILE"
>             chmod 644 "$LOCAL_APP_PROFILE"
>         }
> 
>         # Reload the profile, including any abstraction updates
>         if aa_is_enabled; then
>             apparmor_parser -r -T -W "$APP_PROFILE" || true
>         fi
>     fi
> fi
> # End automatically added section
> "
> 
> 
> and was removed in
> https://snapshot.debian.org/package/apparmor/2.10.95-8/#apparmor-profiles_2.10.95-8
>  Seen in debian on 2016-12-17 21:25:34 in /pool/main/a/apparmor. 
> 
> with this changelog "
> 
> apparmor (2.10.95-8) unstable; urgency=medium
> 
>   * Stop applying add-chromium-browser.patch: it's been broken for years
>     on Debian, and nobody ever bothered to upstream this profile in a way
>     that makes it work cross-distro (Closes: #742829).
>   * r3441-sshd-blacklist.patch: new patch, cherry-picked from upstream
>     (Closes: #821881).
>   * r3497-add-ld.so.preload-to-abstractions-base.patch: new patch,
>     cherry-picked from upstream.
>   * r3600-usrmerge.patch: new patch, cherry-picked from upstream
>     (resolves the parts of #843461 that can be handled in this package).
> 
>  -- intrigeri <intrigeri at debian.org>  Sat, 17 Dec 2016 11:25:27 +0000
> 
> " bug I see 
> 
> 
> 
> All in all I believe that the usr.bin.chromium-browser conffile removal
> from December 2016 was buggy in not removing the not modified conffile,
> but I might have only noticed recently because I got an error that the
> chromium abstraction was missing as this leftover profile was including
> the abstraction.
> Somehow "recently" this abstraction was renamed from chromium-browser
> to chromium-browser.dpkg-old. Or maybe I had apparmor broken for years
> on this box.
> 
> this abstraction was installed via apparmor-profiles postinst, ie not a
> conffile.
> case "$1" in
>     configure)
>         if [ ! -e /etc/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser ]; then
>             cp /usr/share/apparmor-profiles/abstractions/ubuntu-browsers.d/chromium-browser /etc/apparmor.d/abstractions/ubuntu-browsers.d || true
>         fi
>         ;;
> esac
> this code was last in postinst in apparmor-profiles_2.10.95-8_all.deb
> but was not in apparmor-profiles_2.11.0-1_all.deb postinst anymore.
> 
> I really don't know why and when this
> /etc/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser
> was renamed to /etc/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser.dpkg-old
> but this is how I noticed this month that this leftover conffile was
> not removed as it should have been in December 2016.
> 
> 
> 
> Likely an obsolete issue, ie from a distro before buster, so unsupported.
> 
> 
> 
> NB: something is broken in https://packages.debian.org as this conffile
> is marked as shipped by apparmor-profiles from sid while it is not
> (be it the incoming.debian.org apparmor-profiles_4.1.0~beta5-4_all.deb
> or the previous sid apparmor-profiles_4.1.0~beta5-3_all.deb)
> at
> https://packages.debian.org/search?suite=sid&arch=any&mode=path&searchon=contents&keywords=%2Fetc%2Fapparmor.d%2Fusr.bin.chromium-browser
> same for the chromium-browser abstraction see
> https://packages.debian.org/search?suite=sid&arch=any&mode=path&searchon=contents&keywords=%2Fusr%2Fshare%2Fapparmor-profiles%2Fabstractions%2Fubuntu-browsers.d%2Fchromium-browser
> This issue is not obsolete. Could you report it to the appropriate
> debian tracker? I am afraid I don't have any clue
> as to why the packages.debian.org site still references these long
> removed conffiles.
> 
> Cheers
> Alban
> 
> 
> 
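
The manual check done in this thread (find the `obsolete` flag in the Conffiles list of /var/lib/dpkg/status, then compare the recorded md5sum with the file on disk) can be scripted. The following is an added example, not part of the original message or of the apparmor packaging; the function names, the ROOT prefix argument and the demo data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report conffiles that dpkg flags as
# "obsolete", and whether each leftover still matches its recorded md5sum.
# Arguments: STATUS_FILE (default /var/lib/dpkg/status) and ROOT, a path
# prefix for the files to check (hypothetical parameter, used by the demo).
# Limitation: paths containing spaces are not handled.
obsolete_conffiles() {
    status=${1:-/var/lib/dpkg/status}
    root=${2:-}
    awk '
        /^Package: /  { pkg = $2; in_conf = 0; next }
        /^Conffiles:/ { in_conf = 1; next }
        /^[^ ]/       { in_conf = 0; next }  # any other field ends the list
        in_conf && $NF == "obsolete" { print pkg, $1, $2 }
    ' "$status" |
    while read -r pkg path sum; do
        if [ ! -e "$root$path" ]; then
            state=missing
        elif [ "$(md5sum < "$root$path" | cut -d" " -f1)" = "$sum" ]; then
            state=unmodified   # content matches the checksum dpkg recorded
        else
            state=modified     # locally edited: review before removing
        fi
        printf '%s %s %s\n' "$pkg" "$path" "$state"
    done
}

# Demo on a constructed status stanza and a scratch tree (sample data, not
# the reporter's real files or checksums).
demo_obsolete_conffiles() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/etc/apparmor.d"
    printf 'constructed profile\n' > "$t/etc/apparmor.d/usr.bin.chromium-browser"
    printf 'locally edited\n' > "$t/etc/apparmor.d/zgrep"
    sum=$(md5sum < "$t/etc/apparmor.d/usr.bin.chromium-browser" | cut -d" " -f1)
    cat > "$t/status" <<EOF
Package: apparmor-profiles
Status: install ok installed
Conffiles:
 /etc/apparmor.d/bin.ping 00000000000000000000000000000000
 /etc/apparmor.d/usr.bin.chromium-browser $sum obsolete
 /etc/apparmor.d/zgrep 00000000000000000000000000000000 obsolete
Description: constructed stanza

EOF
    obsolete_conffiles "$t/status" "$t"
    rm -rf "$t"
}
demo_obsolete_conffiles
```

Called with no arguments, `obsolete_conffiles` reads the live /var/lib/dpkg/status; an `unmodified` result corresponds to the situation described above, where a profile no package ships any more is still present and still loaded by the AppArmor parser.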


