From pkg-apparmor-team at lists.alioth.debian.org Mon Sep 1 19:30:06 2025
From: pkg-apparmor-team at lists.alioth.debian.org (pkg-apparmor-team at lists.alioth.debian.org)
Date: Mon, 01 Sep 2025 18:30:06 -0000
Subject: [pkg-apparmor] usertag 'new-profile' deleted on bug #770794: Patch: apparmor profile for sbin.unix_chkpwd
Message-ID:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770794

See all usertags: https://udd.debian.org/cgi-bin/bts-usertags.cgi?user=pkg-apparmor-team at lists.alioth.debian.org

From owner at bugs.debian.org Thu Sep 4 13:41:04 2025
From: owner at bugs.debian.org (Debian Bug Tracking System)
Date: Thu, 04 Sep 2025 12:41:04 +0000
Subject: [pkg-apparmor] Processed: Re: Bug#1111245: wrong profile for winbind
References: <871pombde6.fsf@manticora> <175532467973.403725.3810383848731455096.reportbug@localhost>
Message-ID:

Processing control commands:

> tag -1 + upstream
Bug #1111245 [apparmor] wrong profile for winbind
Added tag(s) upstream.

--
1111245: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111245
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

From intrigeri at debian.org Thu Sep 4 13:39:13 2025
From: intrigeri at debian.org (intrigeri)
Date: Thu, 04 Sep 2025 14:39:13 +0200
Subject: [pkg-apparmor] Bug#1111245: wrong profile for winbind
In-Reply-To: <175532467973.403725.3810383848731455096.reportbug@localhost>
References: <175532467973.403725.3810383848731455096.reportbug@localhost> <175532467973.403725.3810383848731455096.reportbug@localhost>
Message-ID: <871pombde6.fsf@manticora>

Control: tag -1 + upstream

Hi,

Michael Tokarev (2025-08-16):
> abstractions/winbind has rather strange and very outdated profile.
> I'm assuming this is pam-winbind and nss-winbind, not winbind daemon -
> because for the daemon, much more is needed.

Yes, this tracks: on my system I see this abstraction is only included
from the authentication and nameservice abstractions.

> I don't know where all these files listed in there are there. Neither
> pam nor winbind modules access these files. The only file they do
> access is /run/samba/winbind/pipe - very long time ago it's been in
> /tmp/.winbind/pipe, but it has been moved elsewhere (to /var/run,
> later to /run) many years ago. And this is the path which is blocked
> by current profile.

The Git [history] of this file upstream suggests that the last change
applied to it, apart from mostly-mechanical tree-wide updates, dates
back to 2014. So I'm not surprised if, as you're saying, it is greatly
outdated.

[history] https://gitlab.com/apparmor/apparmor/-/commits/master/profiles/apparmor.d/abstractions/winbind?ref_type=heads

> Without any prior knowledge of apparmor, I'd say this whole file should
> have just one line:
>
>   @{run}/samba/winbind/pipe rw,

Thanks a lot for this insight.

I don't have the means to quickly test this change and confirm it
works, so I won't submit it upstream myself nor tag this bug report
"patch". Are you in a position to do that?

> I wonder how it went unnoticed for so many years.

Good question. I guess either the impact on affected users is smaller
than we would expect, or there are fewer affected users than we would
expect, or the affected users silently disable AppArmor and go on with
their day without reporting bugs.

Given the kind of environments where I expect this sort of thing to be
deployed, my guess is that the sysadmins who set this up on client
Linux machines deal with it *somehow*, and actual end-users of said
machines never experience the problem.

> This came to my attention as #1110985 - this one apparently also needs
> an ability to create unix sockets (socket(AF_UNIX)) which is blocked
> now, but I don't know how to enable this one. Any help with this bug
> is appreciated.

I'll try to take a look but most likely this will exceed my capacity
for AppArmor work in Debian, so if someone else reading here can help,
this would be much appreciated!

Cheers,
--
intrigeri
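
To check whether a machine is hitting the two denials discussed in this thread (access to the winbind pipe, and the AF_UNIX socket creation mentioned for #1110985), the kernel audit log can be scanned for them. The following is an added example, not part of the thread or of AppArmor itself; the log lines are constructed samples and the profile names in them are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the kernel audit format AppArmor uses for
# denials; profile names, PIDs and timestamps are made up for illustration.
SAMPLE_LOG = """\
audit: type=1400 audit(1756989664.101:210): apparmor="DENIED" operation="connect" profile="example-daemon" name="/run/samba/winbind/pipe" pid=4101 comm="example-daemon" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
audit: type=1400 audit(1756989664.310:211): apparmor="DENIED" operation="create" profile="example-daemon" pid=4101 comm="example-daemon" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
audit: type=1400 audit(1756989670.002:212): apparmor="ALLOWED" operation="open" profile="other-tool" name="/etc/samba/smb.conf" pid=4200 comm="other-tool" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1756989671.555:213): apparmor="DENIED" operation="open" profile="other-tool" name="/etc/shadow" pid=4200 comm="other-tool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# The pipe path named in the thread, under /run or the older /var/run.
PIPE = re.compile(r"^(/var)?/run/samba/winbind/pipe$")


def parse(line):
    """Turn one audit line into a dict of its key=value fields."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def winbind_denials(log_text):
    """Count denials per (profile, kind) for the two cases in the thread."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = parse(line)
        if fields.get("apparmor") != "DENIED":
            continue  # ALLOWED lines come from complain mode, not enforcement
        if PIPE.match(fields.get("name", "")):
            kind = "winbind pipe " + fields.get("denied_mask", "?")
            hits[(fields["profile"], kind)] += 1
        elif fields.get("family") == "unix" and fields.get("operation") == "create":
            # Not winbind-specific on its own; correlate by profile with the above.
            hits[(fields["profile"], "AF_UNIX socket create")] += 1
    return hits


if __name__ == "__main__":
    for (profile, kind), count in sorted(winbind_denials(SAMPLE_LOG).items()):
        print(f"{count:3d}  {profile}: {kind}")
```

On a real system the input would come from the kernel log or the audit log instead of `SAMPLE_LOG`.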