[pkg-apparmor] Bug#1101071: apparmor-profiles chromium-browser profile removal in postinstall does not work
alban.browaeys at gmail.com
alban.browaeys at gmail.com
Mon Mar 31 21:47:36 BST 2025
On Mon, 31 Mar 2025 00:38:03 +0200 Alban Browaeys <prahal at yahoo.com>
wrote:
> On #debian-devel:matrix.debian.social I asked why and was told that:
> prior version should be the first version (with "~" appended) that
> included the dpkg-maintscript invocation.
Confirmed by man 1 dpkg-maintscript-helper
If the conffile has not been shipped for several versions, and you are now modifying the maintainer scripts to clean up the obsolete file, prior-version should be based on the version of the package
that you are now preparing, not the first version of the package that lacked the conffile. This applies to all other actions in the same way.
For example, for a conffile removed in version 2.0-1 of a package, prior-version should be set to 2.0-1~. This will cause the conffile to be removed even if the user rebuilt the previous version
1.0-1 as 1.0-1local1. Or a package switching a path from a symlink (shipped in version 1.0-1) to a directory (shipped in version 2.0-1), but only performing the actual switch in the maintainer
scripts in version 3.0-1, should set prior-version to 3.0-1~
> I am still not confident installing a version above the one where the
> dpkg-maintscript rm_conffile was included will trigger the conffile
> removal code. But the version to pass should at least be the one where
> the conffile removal was introduced, ie at least 4.1.0~beta5-5, and
> maybe the version with the rm_conffile invocation with the correct
> version passed to it (so maybe the next version).
I tried setting the prior-version for usr.bin.chromium-browser to the
first version to introduce the rm_conffile (but with the wrong
version), that is "4.1.0~beta5-5~" and it still fails to remove the
conffile. It probably requires the version to be a not yet installed
one, ie the next release "4.1.0~beta5-6~" or alike.
Later I tried to set the rm_conffile version to the version I was
building, that is "4.1.0~beta5-6~" for version "4.1.0~beta5-6.1", with no
better result. The trace is:
+ set -e
+ version=1.22.18
+ DPKG_ROOT=
+ [ = / ]
+ export DPKG_ROOT
+ PKGDATADIR_DEFAULT=/usr/share/dpkg
+ PKGDATADIR=/usr/share/dpkg
+ . /usr/share/dpkg/sh/dpkg-error.sh
+ basename /usr/bin/dpkg-maintscript-helper
+ : dpkg-maintscript-helper
+ COLOR_NORMAL=
+ COLOR_RESET=
+ COLOR_BOLD=
+ COLOR_BLACK=
+ COLOR_RED=
+ COLOR_GREEN=
+ COLOR_YELLOW=
+ COLOR_BLUE=
+ COLOR_MAGENTA=
+ [ = / ]
+ export DPKG_ROOT
+ PKGDATADIR_DEFAULT=/usr/share/dpkg
+ PKGDATADIR=/usr/share/dpkg
+ . /usr/share/dpkg/sh/dpkg-error.sh
+ basename /usr/bin/dpkg-maintscript-helper
+ : dpkg-maintscript-helper
+ COLOR_NORMAL=
+ COLOR_RESET=
+ COLOR_BOLD=
+ COLOR_BLACK=
+ COLOR_RED=
+ COLOR_GREEN=
+ COLOR_YELLOW=
+ COLOR_BLUE=
+ COLOR_MAGENTA=
+ COLOR_CYAN=
+ COLOR_GREEN=
+ COLOR_YELLOW=
+ COLOR_BLUE=
+ COLOR_MAGENTA=
+ COLOR_CYAN=
+ COLOR_WHITE=
+ COLOR_BOLD_BLACK=
+ COLOR_BOLD_RED=
+ COLOR_BOLD_GREEN=
+ COLOR_BOLD_YELLOW=
+ COLOR_BOLD_BLUE=
+ COLOR_BOLD_MAGENTA=
+ COLOR_BOLD_CYAN=
+ COLOR_BOLD_WHITE=
+ : auto
+ [ -t 1 ]
+ _dpkg_use_colors=yes
+ [ yes = yes ]
+ _dpkg_color_clear=
+ _dpkg_color_prog=
+ _dpkg_color_hint=
+ _dpkg_color_info=
+ _dpkg_color_notice=
+ _dpkg_color_warn=
+ _dpkg_color_error=
+ _dpkg_fmt_prog=dpkg-maintscript-helper
+ command=rm_conffile
+ [ 7 -gt 0 ]
+ shift
+ rm_conffile /etc/apparmor.d/usr.bin.chromium-browser 4.1.0~beta5-6~ -- upgrade 4.1.0~beta5-5 4.1.0~beta5-6.1
+ local CONFFILE=/etc/apparmor.d/usr.bin.chromium-browser
+ local LASTVERSION=4.1.0~beta5-6~
+ local PACKAGE=--
+ [ 4.1.0~beta5-6~ = -- ]
+ [ = / ]
+ export DPKG_ROOT
+ PKGDATADIR_DEFAULT=/usr/share/dpkg
+ PKGDATADIR=/usr/share/dpkg
+ . /usr/share/dpkg/sh/dpkg-error.sh
+ basename /usr/bin/dpkg-maintscript-helper
+ : dpkg-maintscript-helper
+ COLOR_NORMAL=
+ COLOR_RESET=
+ COLOR_BOLD=
+ COLOR_BLACK=
+ COLOR_RED=
+ COLOR_GREEN=
+ COLOR_YELLOW=
+ COLOR_BLUE=
+ COLOR_MAGENTA=
+ COLOR_CYAN=
+ dpkg --validate-version -- 4.1.0~beta5-6~
+ VERSIONCHECK=
+ debug Executing /usr/bin/dpkg-maintscript-helper rm_conffile in preinst of apparmor-profiles
+ [ -n ]
+ debug CONFFILE=/etc/apparmor.d/usr.bin.chromium-browser PACKAGE=apparmor-profiles:all LASTVERSION=4.1.0~beta5-6~ ACTION=upgrade PARAM=4.1.0~beta5-5
+ [ -n ]
+ [ upgrade = install -o upgrade = upgrade ]
+ [ -n 4.1.0~beta5-5 ]
+ dpkg --compare-versions -- 4.1.0~beta5-5 le-nl 4.1.0~beta5-6~
+ prepare_rm_conffile /etc/apparmor.d/usr.bin.chromium-browser apparmor-profiles:all
+ local CONFFILE=/etc/apparmor.d/usr.bin.chromium-browser
+ local PACKAGE=apparmor-profiles:all
+ [ -e /etc/apparmor.d/usr.bin.chromium-browser ]
+ ensure_package_owns_file apparmor-profiles:all /etc/apparmor.d/usr.bin.chromium-browser
+ local PACKAGE=apparmor-profiles:all
+ local FILE=/etc/apparmor.d/usr.bin.chromium-browser
+ dpkg-query -L apparmor-profiles:all
+ grep -F -q -x /etc/apparmor.d/usr.bin.chromium-browser
+ debug File '/etc/apparmor.d/usr.bin.chromium-browser' not owned by package 'apparmor-profiles:all', skipping rm_conffile
+ [ -n ]
+ return 1
+ return 0
+ exit 0
as:
dpkg src/dpkg-maintscript-helper.sh
# prepare_rm_conffile CONFFILE PACKAGE
# (Quoted listing; the leading numbers appear to be line numbers in dpkg's
# src/dpkg-maintscript-helper.sh.)
# Stages a conffile for removal by renaming it under $DPKG_ROOT:
#   - to CONFFILE.dpkg-backup when its MD5 digest differs from the one
#     recorded in the package's Conffiles field,
#   - to CONFFILE.dpkg-remove when the two digests are equal.
# Arguments: $1 - conffile path, $2 - package name
# Returns:   0 also when nothing was done (file absent, or the package is
#            not reported as owning it).
93 prepare_rm_conffile() {
94 local CONFFILE="$1"
95 local PACKAGE="$2"
96
# Both guards return 0, so a skipped removal is indistinguishable from a
# successful one for the caller. In the trace above the ownership check
# fails, the helper still exits 0, and the file stays in /etc/apparmor.d.
97 [ -e "$DPKG_ROOT$CONFFILE" ] || return 0
98 ensure_package_owns_file "$PACKAGE" "$CONFFILE" || return 0
99
100 local md5sum old_md5sum
# Digest of the file currently on disk; sed drops everything from the first
# space onwards, leaving only the hash.
101 md5sum="$(md5sum "$DPKG_ROOT$CONFFILE" | sed -e 's/ .*//')"
# Digest recorded for this path in the Conffiles field: the sed address
# selects the line " $CONFFILE ", a trailing " obsolete" is stripped, and
# only the text after the last space (the hash) is printed.
# NOTE(review): $CONFFILE is expanded inside the sed address, so the path is
# matched as a regular expression rather than as a literal string.
102 old_md5sum="$(dpkg-query -W -f='${Conffiles}' "$PACKAGE" | \
103 sed -n -e "\\'^ $CONFFILE ' { s/ obsolete$//; s/.* //; p }")"
# If the Conffiles entry is missing, old_md5sum is empty and the comparison
# below takes the .dpkg-backup branch.
104 if [ "$md5sum" != "$old_md5sum" ]; then
105 mv -f "$DPKG_ROOT$CONFFILE" "$DPKG_ROOT$CONFFILE.dpkg-backup"
106 else
107 mv -f "$DPKG_ROOT$CONFFILE" "$DPKG_ROOT$CONFFILE.dpkg-remove"
108 fi
109 }
= returns early if ensure_package_owns_file fails to find the conffile in the apparmor-profiles.list file.
# ensure_package_owns_file PACKAGE FILE
# (Quoted listing; the leading numbers appear to be line numbers in dpkg's
# src/dpkg-maintscript-helper.sh.)
# Reports whether FILE appears in the output of `dpkg-query -L PACKAGE`.
# Arguments: $1 - package name, $2 - absolute path to look for
# Globals:   command (read, only for the debug message)
# Returns:   0 if a line of the listing equals FILE, 1 otherwise
529 ensure_package_owns_file() {
530 local PACKAGE="$1"
531 local FILE="$2"
532
# grep -F -x requires a fixed-string match of the whole line; -q suppresses
# output. Ownership is decided from the package's file listing only, so a
# path that is absent from that listing is treated as "not owned" here even
# if it still exists on disk (the case shown in the trace above).
533 if ! dpkg-query -L "$PACKAGE" | grep -F -q -x "$FILE"; then
# The only signal of the skip is this debug message; in the trace above the
# debug call is followed by `[ -n ]` on an empty value, so it is presumably
# printed only when a debug variable is set (confirm against debug()).
534 debug "File '$FILE' not owned by package " \
535 "'$PACKAGE', skipping $command"
536 return 1
537 fi
538 return 0
539 }
dpkg-query -L, that is list_files:
dpkg src/query/main.c
479 static int
480 list_files(const char *const *argv)
481 {
482 const char *thisarg;
483 struct fsys_namenode_list *file;
484 struct pkginfo *pkg;
485 struct fsys_namenode *namenode;
486 int misses = 0;
487
488 if (!*argv)
489 badusage(_("--%s needs at least one package name argument"), cipaction->olong);
490
491 modstatdb_open(msdbrw_readonly);
492
493 while ((thisarg = *argv++) != NULL) {
494 pkg = dpkg_options_parse_pkgname(cipaction, thisarg);
495
496 switch (pkg->status) {
497 case PKG_STAT_NOTINSTALLED:
498 notice(_("package '%s' is not installed"),
499 pkg_name(pkg, pnaw_nonambig));
500 misses++;
501 break;
502 default:
503 ensure_packagefiles_available(pkg);
504 ensure_diversions();
505 file = pkg->files;
506 if (!file) {
507 printf(_("Package '%s' does not contain any files (!)\n"),
508 pkg_name(pkg, pnaw_nonambig));
509 } else {
510 while (file) {
511 namenode = file->namenode;
512 puts(namenode->name);
= print the pkg->files list to stdout
this list from:
dpkg lib/dpkg/db-fsys-files.c
115 void
116 ensure_packagefiles_available(struct pkginfo *pkg)
117 {
134 filelistfile = pkg_infodb_get_file(pkg, &pkg->installed, LISTFILE);
= returns "apparmor-profiles.list"
138 if (file_slurp(filelistfile, &buf, &err) < 0) {
= read this "apparmor-profiles.list" into buf
156 fsys_list_parse_buffer(&buf, pkg);
dpkg lib/dpkg/db-fsys-files.c
71 static void
72 fsys_list_parse_buffer(struct varbuf *vb, struct pkginfo *pkg)
73 {
79 files_tail = &pkg->files;
105 files_tail = pkg_files_add_file(pkg, namenode, files_tail);
= adds each line of the apparmor-profiles.list file to the pkg->files
list.
I am at a loss as to how to get the conffile
/etc/apparmor.d/usr.bin.chromium-browser removed, as it is not listed in
apparmor-profiles.list, and for good reason as far as I know. Or is
apparmor-profiles.list supposed to contain the list of conffiles even
if not shipped by the package (ie the computer filesystem status)?
If so, could it be that the rm_conffile with the incorrect prior-version (ie
the prior-version set to the 2016 version that stopped shipping the
conffile (2.10.95-8~) instead of the apparmor-profiles version that added
the rm_conffile code (4.1.0~beta5-5~)) removed the conffile from
apparmor-profiles.list, as it did in the /var/lib/dpkg/status Conffiles:
list for the apparmor-profiles package entry?
(That is, even if the conffile was not removed from the filesystem, the
entry from the dpkg status db file
" /etc/apparmor.d/usr.bin.chromium-browser 8776649e465b5b5b0ffd1a5c792ce03e obsolete"
was removed under "Conffiles:".)
Best Regards,
Alban