Acknowledgement sent
to Antoine Beaupre <anarcat@debian.org>:
New Bug report received and forwarded. Copy sent to Debian AppArmor Team <pkg-apparmor-team@lists.alioth.debian.org>.
(Sat, 01 Jul 2017 18:21:05 GMT)
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: irssi profile should be in complain mode
Date: Sat, 01 Jul 2017 14:20:00 -0400
Package: apparmor-profiles-extra
Version: 1.11
Severity: normal
The apparmor profile for irssi is way too restrictive. A first
failure, in my use case, is restricting logs to be in ~/irclogs. While
this *is* the upstream default, it seems rather unusual to enforce
this in apparmor. A more common location would be, I believe, in
~/.irssi/irclogs, which I have been using forever. I would suggest at
least supporting that configuration.
But then there are so many plugins and tools out there for irssi, that
I find it very unlikely that the current configuration would fit even
a majority of use cases. People customize their clients like crazy and
tons of things are broken by the current profile. On the top of my
head, it will break:
* chanpeak.pl
* notify.pl
* and probably more
Here's the modification I made locally to that profile:
diff --git a/apparmor.d/usr.bin.irssi b/apparmor.d/usr.bin.irssi
index 52a55b7b..9ba8e1c0 100644
--- a/apparmor.d/usr.bin.irssi
+++ b/apparmor.d/usr.bin.irssi
@@ -41,9 +41,10 @@
owner @{HOME}/.irssi/*.theme wk,
# http://www.irssi.org/documentation/startup states that ~/irclogs is the
- # default location for logs.
- owner @{HOME}/irclogs/ r,
- owner @{HOME}/irclogs/** rwk,
+ # default location for logs. Also allow the common configuration of logging
+ # inside the .irssi directory.
+ owner @{HOME}/{.irssi/,}irclogs/ r,
+ owner @{HOME}/{.irssi/,}irclogs/** rwk,
# for fnotify
owner @{HOME}/.irssi/fnotify rwk,
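Review bot: The first added rule, `owner @{HOME}/{.irssi/,}irclogs/ r,`, still grants only `r` on the log directory itself, as the removed rule did. As far as I can tell, under enforce mode irssi can then write files beneath the directory (via `irclogs/** rwk`) but cannot create `~/.irssi/irclogs/` or `~/irclogs/` when the directory does not exist yet. If the directory is expected to be created by the user beforehand, say so in the comment; otherwise grant `rw` on the directory rule. The brace alternation is valid, though two explicit rule pairs would be easier to grep for and audit than `{.irssi/,}`.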
diff --git a/apparmor.d/usr.bin.irssi b/apparmor.d/usr.bin.irssi
index ab9470c9..52a55b7b 100644
--- a/apparmor.d/usr.bin.irssi
+++ b/apparmor.d/usr.bin.irssi
@@ -2,7 +2,7 @@
# For use with irssi within screen
#include <tunables/global>
-/usr/bin/irssi {
+/usr/bin/irssi flags=(complain) {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/perl>
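Review bot: The changed profile header, `/usr/bin/irssi flags=(complain) {`, carries no comment saying why the profile is in complain mode or under what condition it should return to enforce mode. With `flags=(complain)` violations are only logged, so the rules in this profile no longer confine irssi; add a comment line above the header recording the reason so the flag is not left in place indefinitely. Please also state whether this change is meant to be applied together with the irclogs rule change or instead of it, since in complain mode that rule only reduces log noise.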
-- System Information:
Debian Release: 9.0
APT prefers stable
APT policy: (500, 'stable'), (1, 'experimental'), (1, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf
Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages apparmor-profiles-extra depends on:
ii apparmor 2.11.0-3
apparmor-profiles-extra recommends no packages.
apparmor-profiles-extra suggests no packages.
-- no debconf information
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian AppArmor Team <pkg-apparmor-team@lists.alioth.debian.org>: Bug#866792; Package apparmor-profiles-extra.
(Sun, 02 Jul 2017 08:33:07 GMT)
Acknowledgement sent
to intrigeri <intrigeri@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian AppArmor Team <pkg-apparmor-team@lists.alioth.debian.org>.
(Sun, 02 Jul 2017 08:33:07 GMT)
Subject: Re: Bug#866792: irssi profile should be in complain mode
Date: Sun, 02 Jul 2017 10:29:06 +0200
Hi!
Antoine Beaupre:
> The apparmor profile for irssi is way too restrictive. […]
I agree with your analysis.
Meta: this profile was added to aa-p-extra by Holger, who stopped
working on this package a while ago (#824462). I have no personal
interest in it and I am not in a position to maintain it properly (I
don't use irssi myself).
So I see 2 options:
a) ship usr.bin.irssi in complain mode
b) stop shipping usr.bin.irssi entirely
(a) makes sense to me as a temporary way to encourage interested
people to submit improvements upstream until this profile is suitable
for widespread usage. If this works, fine: at some point we will be
able to revert the change and ship the profile in enforce mode again.
If this fails, then I will want to go with (b) before the Buster
freeze.
To anyone who wants to improve this profile:
* it lives in
https://code.launchpad.net/~apparmor-dev/apparmor-profiles/+git/apparmor-profiles
* Ulrike was kind enough to document how to prepare and send merge
requests upstream:
https://wiki.debian.org/AppArmor/Contribute/Upstream#Quick_howto_contribute_to_upstream_AppArmor_profiles_using_Git
Cheers,
--
intrigeri
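Added example (not part of the original thread, and not code from the apparmor-profiles project): one way to turn the log entries produced while a profile runs in complain mode, as in option (a) above, into candidate rules for human review. The audit lines, the home directory and the ~/.irssi/scripts/notify.pl path are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not from the bug report). In complain mode
# the kernel logs apparmor="ALLOWED" for accesses that enforce mode would deny.
SAMPLE_LOG = '''\
audit: type=1400 audit(1498933205.101:201): apparmor="ALLOWED" operation="mknod" profile="/usr/bin/irssi" name="/home/user/.irssi/irclogs/oftc/alice.log" pid=4242 comm="irssi" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit: type=1400 audit(1498933205.102:202): apparmor="ALLOWED" operation="open" profile="/usr/bin/irssi" name="/home/user/.irssi/irclogs/oftc/alice.log" pid=4242 comm="irssi" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
audit: type=1400 audit(1498933206.400:203): apparmor="ALLOWED" operation="open" profile="/usr/bin/irssi" name="/home/user/.irssi/scripts/notify.pl" pid=4242 comm="irssi" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1498933207.000:204): apparmor="DENIED" operation="open" profile="/usr/bin/totem" name="/etc/shadow" pid=5000 comm="totem" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Simplification made for this example: create (c) and delete (d) fold into write (w).
MASK_TO_PERM = {"r": "r", "w": "w", "c": "w", "d": "w",
                "a": "a", "k": "k", "m": "m", "x": "x"}

def parse_line(line):
    """Return the key=value fields of one audit line as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def would_be_denials(log_text, profile, home):
    """Map rule subject -> permission letters, for complain-mode events of `profile`."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("apparmor") != "ALLOWED" or f.get("profile") != profile:
            continue
        name = f.get("name", "")
        if name.startswith(home + "/"):
            name = "@{HOME}" + name[len(home):]
        # Use the "owner" qualifier only when the process owns the file.
        owner = "owner " if "fsuid" in f and f["fsuid"] == f.get("ouid") else ""
        perms = {MASK_TO_PERM[c] for c in f.get("denied_mask", "") if c in MASK_TO_PERM}
        needed[owner + name].update(perms)
    return needed

def candidate_rules(needed):
    """Render candidate rule lines; they still need review and generalising."""
    order = "rwakmx"
    return ["%s %s," % (subject, "".join(sorted(perms, key=order.index)))
            for subject, perms in sorted(needed.items())]

if __name__ == "__main__":
    for rule in candidate_rules(would_be_denials(SAMPLE_LOG, "/usr/bin/irssi", "/home/user")):
        print(rule)
```

The output lists exact paths; a maintainer would still generalise them into globs before proposing a profile change upstream.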
Added tag(s) pending.
Request was from intrigeri <intrigeri@debian.org>
to control@bugs.debian.org.
(Mon, 03 Jul 2017 09:42:04 GMT)
Reply sent
to intrigeri <intrigeri@debian.org>:
You have taken responsibility.
(Sat, 09 Sep 2017 21:39:07 GMT)
Notification sent
to Antoine Beaupre <anarcat@debian.org>:
Bug acknowledged by developer.
(Sat, 09 Sep 2017 21:39:07 GMT)
Subject: Bug#866792: fixed in apparmor-profiles-extra 1.13
Date: Sat, 09 Sep 2017 21:34:12 +0000
Source: apparmor-profiles-extra
Source-Version: 1.13
We believe that the bug you reported is fixed in the latest version of
apparmor-profiles-extra, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 866792@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
intrigeri <intrigeri@debian.org> (supplier of updated apparmor-profiles-extra package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 09 Sep 2017 21:24:02 +0000
Source: apparmor-profiles-extra
Binary: apparmor-profiles-extra
Architecture: source
Version: 1.13
Distribution: unstable
Urgency: medium
Maintainer: Debian AppArmor Team <pkg-apparmor-team@lists.alioth.debian.org>
Changed-By: intrigeri <intrigeri@debian.org>
Closes: 866792 867692
Description:
apparmor-profiles-extra - Extra profiles for AppArmor Security policies
Changes:
apparmor-profiles-extra (1.13) unstable; urgency=medium
.
* Add a script allowing the source package to put specific profiles
in complain mode.
* Put the irssi profile in complain mode (Closes: #866792).
* Totem: update to the version from the apparmor-profiles repository
at commit bfc0bff (Closes: #867692).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 13 Oct 2017 07:31:57 GMT)