Project

General

Profile

Bug #15965

Feature #14468: Add VeraCrypt support to Tails

AppArmor logs denials for access to /usr/local/share/mime

Added by intrigeri over 1 year ago. Updated over 1 year ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
-
Target version:
Start date:
09/19/2018
Due date:
% Done:

100%

Feature Branch:
bugfix/15965-fix-apparmor-spamming-log
Type of work:
Code
Blueprint:
Starter:
Affected tool:
Browser

Description

This creates lots of noise in the logs which makes it harder to develop, debug, and analyze bug reports.
I think this is a regression brought by the VeraCrypt work which created that directory.
IIRC the freedesktop.org abstraction was updated upstream to support these paths => we should backport this.

Associated revisions

Revision 34d4bf51 (diff)
Added by segfault over 1 year ago

AppArmor: Allow access to /usr/local/share/mime (refs: #15965)

Revision a47cf296
Added by intrigeri over 1 year ago

Merge remote-tracking branch 'origin/bugfix/15965-fix-apparmor-spamming-log' into stable (Fix-committed: #15965)

History

#1 Updated by segfault over 1 year ago

  • Assignee changed from segfault to intrigeri
  • QA Check set to Info Needed

You are right, this is fixed upstream by allowing access to @{system_share_dirs}/mime/** instead of only /usr/share/mime/**. @{system_share_dirs} is defined in tunables/share, which is imported in tunables/global.

I'm wondering whether we want our patch to be closer to upstream, i.e. also create tunables/share and import it in tunables/global, or if we prefer our patch to be smaller, i.e. just change /usr/share/mime** to /usr/{local/,}share/mime/** in abstractions/freedesktop.org.

#2 Updated by intrigeri over 1 year ago

  • Assignee changed from intrigeri to segfault
  • QA Check deleted (Info Needed)

segfault wrote:

You are right, this is fixed upstream by allowing access to @{system_share_dirs}/mime/** instead of only /usr/share/mime/**. @{system_share_dirs} is defined in tunables/share, which is imported in tunables/global.

I'm wondering whether we want our patch to be closer to upstream, i.e. also create tunables/share and import it in tunables/global, or if we prefer our patch to be smaller, i.e. just change /usr/share/mime** to /usr/{local/,}share/mime/** in abstractions/freedesktop.org.

tunables/share was introduced to support Flatpak directories. I don't think we need to backport that complexity.

#3 Updated by segfault over 1 year ago

  • % Done changed from 0 to 10
  • Feature Branch set to bugfix/15965-fix-apparmor-spamming-log

I pushed a commit, but I can't test it right now because of #16032.

#4 Updated by segfault over 1 year ago

  • Status changed from Confirmed to In Progress

Applied in changeset commit:a49357af58b3f8a6dd83ffe20746967a749f976a.

#5 Updated by segfault over 1 year ago

  • Assignee changed from segfault to intrigeri
  • QA Check set to Ready for QA

Tested it, seems to work

#6 Updated by intrigeri over 1 year ago

  • Assignee changed from intrigeri to segfault
  • QA Check changed from Ready for QA to Dev Needed
  • /usr/{local/},share/mime (alternation with a single candidate) is equivalent to /usr/local/,share/mime (litteral path) so I don't know how it can work. I guess you meant /usr/{local/,}share/mime. Are you sure you tested commit:a49357af58b3f8a6dd83ffe20746967a749f976a, as opposed to a locally fixed version that you forgot to push?
  • Please rebase the branch on stable so we can fix this without waiting for the next major release in 3 months :)

#7 Updated by segfault over 1 year ago

  • Assignee changed from segfault to intrigeri
  • QA Check changed from Dev Needed to Ready for QA

intrigeri wrote:

  • /usr/{local/},share/mime (alternation with a single candidate) is equivalent to /usr/local/,share/mime (litteral path) so I don't know how it can work. I guess you meant /usr/{local/,}share/mime. Are you sure you tested commit:a49357af58b3f8a6dd83ffe20746967a749f976a, as opposed to a locally fixed version that you forgot to push?
  • Please rebase the branch on stable so we can fix this without waiting for the next major release in 3 months :)

Fixed

#8 Updated by intrigeri over 1 year ago

  • % Done changed from 10 to 60

Code review passes! Testing.

#9 Updated by intrigeri over 1 year ago

  • Status changed from In Progress to 11
  • Assignee deleted (intrigeri)
  • % Done changed from 60 to 100
  • QA Check changed from Ready for QA to Pass

Merged.

#10 Updated by CyrilBrulebois over 1 year ago

  • Status changed from 11 to Resolved

Also available in: Atom PDF