[pkg-apparmor] Bug#1101071: apparmor-profiles chromium-browser profile removal in postinstall does not work

Alban Browaeys prahal at yahoo.com
Sun Mar 30 23:38:03 BST 2025


I traced the dpkg-maintscript-helper calls and ended up on the fact that if
the rm_conffile second argument is a version below, the conffile
removal code is not called:

DPKG_DEBUG=1 DPKG_MAINTSCRIPT_PACKAGE=apparmor-profiles DPKG_MAINTSCRIPT_NAME=preinst dpkg-maintscript-helper rm_conffile "/etc/apparmor.d/usr.bin.chromium-browser" "2.10.95-8~" "apparmor-profiles" "--" "upgrade" "4.1.0~beta5-5"
+ set -e
+ version=1.22.18
+ DPKG_ROOT=
+ [  = / ]
+ export DPKG_ROOT
+ PKGDATADIR_DEFAULT=/usr/share/dpkg
+ PKGDATADIR=/usr/share/dpkg
+ . /usr/share/dpkg/sh/dpkg-error.sh
+ basename /usr/bin/dpkg-maintscript-helper
+ : dpkg-maintscript-helper
+ COLOR_NORMAL=
+ COLOR_RESET=
+ COLOR_BOLD=
+ COLOR_BLACK=
+ COLOR_RED=
+ COLOR_GREEN=
+ COLOR_YELLOW=
+ COLOR_BLUE=
+ COLOR_MAGENTA=
+ COLOR_CYAN=
+ COLOR_WHITE=
+ COLOR_BOLD_BLACK=
+ COLOR_BOLD_RED=
+ COLOR_BOLD_GREEN=
+ COLOR_BOLD_YELLOW=
+ COLOR_BOLD_BLUE=
+ COLOR_BOLD_MAGENTA=
+ COLOR_BOLD_CYAN=
+ COLOR_BOLD_WHITE=
+ : auto
+ [ -t 1 ]
+ _dpkg_use_colors=yes
+ [ yes = yes ]
+ _dpkg_color_clear=
+ _dpkg_color_prog=
+ _dpkg_color_hint=
+ _dpkg_color_info=
+ _dpkg_color_notice=
+ _dpkg_color_warn=
+ _dpkg_color_error=
+ _dpkg_fmt_prog=dpkg-maintscript-helper
+ command=rm_conffile
+ [ 7 -gt 0 ]
+ shift
+ rm_conffile /etc/apparmor.d/usr.bin.chromium-browser 2.10.95-8~ apparmor-profiles -- upgrade 4.1.0~beta5-5
+ local CONFFILE=/etc/apparmor.d/usr.bin.chromium-browser
+ local LASTVERSION=2.10.95-8~
+ local PACKAGE=apparmor-profiles
+ [ 2.10.95-8~ = -- ]
+ [ apparmor-profiles = -- -o -z apparmor-profiles ]
+ [ /etc/apparmor.d/usr.bin.chromium-browser != -- -a 6 -gt 0 ]
+ shift
+ [ 2.10.95-8~ != -- -a 5 -gt 0 ]
+ shift
+ [ apparmor-profiles != -- -a 4 -gt 0 ]
+ shift
+ [ -- != -- -a 3 -gt 0 ]
+ [ 3 -gt 0 ]
+ shift
+ [ -n apparmor-profiles ]
+ [ -n upgrade ]
+ [ -n preinst ]
+ [ -n apparmor-profiles ]
+ [ /etc/apparmor.d/usr.bin.chromium-browser != etc/apparmor.d/usr.bin.chromium-browser ]
+ validate_optional_version 2.10.95-8~
+ local VERSION=2.10.95-8~
+ [ -z 2.10.95-8~ ]
+ dpkg --validate-version -- 2.10.95-8~
+ VERSIONCHECK=D000001: root= admindir=/var/lib/dpkg
+ debug Executing /usr/bin/dpkg-maintscript-helper rm_conffile in preinst of apparmor-profiles
+ [ -n 1 ]
+ echo dpkg-maintscript-helper: debug: Executing /usr/bin/dpkg-maintscript-helper rm_conffile in preinst of apparmor-profiles
dpkg-maintscript-helper: debug: Executing /usr/bin/dpkg-maintscript-helper rm_conffile in preinst of apparmor-profiles
+ debug CONFFILE=/etc/apparmor.d/usr.bin.chromium-browser PACKAGE=apparmor-profiles LASTVERSION=2.10.95-8~ ACTION=upgrade PARAM=4.1.0~beta5-5
+ [ -n 1 ]
+ echo dpkg-maintscript-helper: debug: CONFFILE=/etc/apparmor.d/usr.bin.chromium-browser PACKAGE=apparmor-profiles LASTVERSION=2.10.95-8~ ACTION=upgrade PARAM=4.1.0~beta5-5
dpkg-maintscript-helper: debug: CONFFILE=/etc/apparmor.d/usr.bin.chromium-browser PACKAGE=apparmor-profiles LASTVERSION=2.10.95-8~ ACTION=upgrade PARAM=4.1.0~beta5-5
+ [ upgrade = install -o upgrade = upgrade ]
+ [ -n 4.1.0~beta5-5 ]
+ dpkg --compare-versions -- 4.1.0~beta5-5 le-nl 2.10.95-8~
D000001: root= admindir=/var/lib/dpkg
D000001: cmpversions a='0:4.1.0~beta5-5' b='0:2.10.95-8~' r=2
+ exit 0




On #debian-devel:matrix.debian.social I asked why and was told that:
> prior version should be the first version (with "~" appended) that
> included the dpkg-maintscript invocation.

I am still not confident installing a version above the one where the
dpkg-maintscript rm_conffile was included will trigger the conffile
removal code. But the version to pass should at least be the one where
the conffile removal was introduced, i.e. at least 4.1.0~beta5-5, and
maybe the version with the rm_conffile invocation with the correct
version passed to it (so maybe the next version).

Best Regards,
Alban



On Sat, 22 Mar 2025 21:31:49 +0100 Alban Browaeys <prahal at yahoo.com>
wrote:
> Package: apparmor-profiles
> Version: 4.1.0~beta5-5
> Severity: important
> 
> Dear Maintainer,
> After the upgrade of apparmor-profiles from 4.1.0~beta5-4 to 4.1.0~beta5-5
> the /etc/apparmor.d/usr.bin.chromium-browser
> The file is unmodified and its timestamp is from original install:
> 
> # md5sum /etc/apparmor.d/usr.bin.chromium-browser
> 8776649e465b5b5b0ffd1a5c792ce03e  /etc/apparmor.d/usr.bin.chromium-browser
> # ls -l /etc/apparmor.d/usr.bin.chromium-browser
> -rw-r--r-- 1 root root 8243 30 mars   2016 /etc/apparmor.d/usr.bin.chromium-browser
> 
> upgrade: "
> # apt upgrade
> Upgrading:
>   apparmor         apparmor-profiles  cpp-12       g++-12  gcc-12-base      libapparmor1   libstdc++-12-dev  login.defs  python3-apparmor     ruby-public-suffix  wine-staging        wine-staging-i386:i386
>   apparmor-notify  apparmor-utils     dh-apparmor  gcc-12  libapparmor-dev  libgcc-12-dev  libsubid5         passwd      python3-libapparmor  uidmap              wine-staging-amd64
> 
> Summary:
>   Upgrading: 23, Installing: 0, Removing: 0, Not Upgrading: 0
>   Download size: 0 B / 269 MB
>   Space needed: 7 288 kB / 815 GB available
> 
> Continue? [O/n]
> Récupération des rapports de bogue… Fait
> Analyse des informations Trouvé/Corrigé… Fait
> apt-listchanges : Lecture des fichiers de modifications (« changelog »)...
> Préconfiguration des paquets...
> (Lecture de la base de données... 1197085 fichiers et répertoires déjà installés.)
> Préparation du dépaquetage de .../wine-staging_10.4~bookworm-1_amd64.deb ...
> Dépaquetage de wine-staging (10.4~bookworm-1) sur (10.3~bookworm-1) ...
> Préparation du dépaquetage de .../wine-staging-i386_10.4~bookworm-1_i386.deb ...
> Dépaquetage de wine-staging-i386:i386 (10.4~bookworm-1) sur (10.3~bookworm-1) ...
> Préparation du dépaquetage de .../wine-staging-amd64_10.4~bookworm-1_amd64.deb ...
> Dépaquetage de wine-staging-amd64 (10.4~bookworm-1) sur (10.3~bookworm-1) ...
> Préparation du dépaquetage de .../login.defs_1%3a4.17.3-2_all.deb ...
> Dépaquetage de login.defs (1:4.17.3-2) sur (1:4.17.3-1) ...
> Paramétrage de login.defs (1:4.17.3-2) ...
> (Lecture de la base de données... 1197101 fichiers et répertoires déjà installés.)
> Préparation du dépaquetage de .../passwd_1%3a4.17.3-2_amd64.deb ...
> Dépaquetage de passwd (1:4.17.3-2) sur (1:4.17.3-1) ...
> Paramétrage de passwd (1:4.17.3-2) ...
> (Lecture de la base de données... 1197101 fichiers et répertoires déjà installés.)
> Préparation du dépaquetage de .../00-apparmor_4.1.0~beta5-5_amd64.deb ...
> Dépaquetage de apparmor (4.1.0~beta5-5) sur (4.1.0~beta5-4) ...
> Préparation du dépaquetage de .../01-apparmor-utils_4.1.0~beta5-5_all.deb ...
> Dépaquetage de apparmor-utils (4.1.0~beta5-5) sur (4.1.0~beta5-4) ...
> Préparation du dépaquetage de .../02-libapparmor-dev_4.1.0~beta5-5_amd64.deb ...
> Dépaquetage de libapparmor-dev:amd64 (4.1.0~beta5-5) sur (4.1.0~beta5-4) ...
> Préparation du dépaquetage de .../03-libapparmor1_4.1.0~beta5-5_amd64.deb ...
> Dépaquetage de libapparmor1:amd64 (4.1.0~beta5-5) sur (4.1.0~beta5-4) ...
> Préparation du dépaquetage de .../04-python3-libapparmor_4.1.0~beta5-5_amd64.deb ...
> Dépaquetage de python3-libapparmor (4.1.0~beta5-5) sur (4.1.0~beta5-4) ...
> Préparation du dépaquetage de .../05-python3-apparmor_4.1.0~beta5-5_all.deb ...
> Dépaquetage de python3-apparmor (4.1.0~beta5-5) sur (4.1.0~beta5-4) ...
> Préparation du dépaquetage de .../06-apparmor-notify_4.1.0~beta5-5_all.deb ...
> Dépaquetage de apparmor-notify (4.1.0~beta5-5) sur (4.1.0~beta5-4) ...
> Préparation du dépaquetage de .../07-apparmor-profiles_4.1.0~beta5-5_all.deb ...


