[opensuse-factory] New Tumbleweed snapshot 20180101 released!
Please note that this mail was generated by a script. The described changes are computed based on the x86_64 DVD. The full online repo contains too many changes to be listed here.

Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&version=Tumbleweed&build=20180101

When you reply to report some issues, make sure to change the subject. It is not helpful to keep the release announcement subject in a thread while discussing a specific problem.

Packages changed:
ImageMagick
MozillaThunderbird (52.5.0 -> 52.5.2)
NetworkManager-applet
apparmor (2.11.1 -> 2.12)
btrfsprogs
clutter-gst
galculator (2.1.3 -> 2.1.4)
geany (1.31 -> 1.32)
gstreamer-plugins-bad
gstreamer-plugins-good
kernel-firmware (20171204 -> 20171221)
libapparmor (2.11.1 -> 2.12)
libssh
libuv (1.15.0 -> 1.18.0)
opusfile (0.9 -> 0.10)
osinfo-db
python-urllib3
xfce4-branding-openSUSE

=== Details ===

==== ImageMagick ====
Subpackages: ImageMagick-devel ImageMagick-extra libMagick++-7_Q16HDRI4 libMagickCore-7_Q16HDRI5 libMagickWand-7_Q16HDRI5 perl-PerlMagick

- readd ImageMagick-relax-filter.t.patch for SLE15 i586
- enable ImageMagick-s390-disable-tests.patch also for s390, in addition to s390x

==== MozillaThunderbird ====
Version update (52.5.0 -> 52.5.2)
Subpackages: MozillaThunderbird-translations-common

- update to Thunderbird 52.5.2
  * This release fixes the "Mailsploit" vulnerability and other vulnerabilities detected by the "Cure53" audit (MFSA 2017-30)
  * CVE-2017-7846 (bmo#1411716, bsc#1074043) JavaScript Execution via RSS in mailbox:// origin
  * CVE-2017-7847 (bmo#1411708, bsc#1074044) Local path string can be leaked from RSS feed
  * CVE-2017-7848 (bmo#1411699, bsc#1074045) RSS Feed vulnerable to new line Injection
  * CVE-2017-7829 (bmo#1423432, bsc#1074046) Mailsploit part 1: From address with encoded null character is cut off in message header display

==== NetworkManager-applet ====
Subpackages: NetworkManager-applet-lang NetworkManager-connection-editor libnm-gtk0 libnma0 nma-data typelib-1_0-NMGtk-1_0

- Allow for easy switch between meson and autoconf, using bcond_with (default to autoconf for now): Switch back to autoconf build system: meson is not ready and breaks nm-connection-editor (incompletely linked resources, boo#1072789).
  + In case of autoconf, add libtool BuildRequires, call autoreconf and use configure/make/make_install.

==== apparmor ====
Version update (2.11.1 -> 2.12)
Subpackages: apparmor-abstractions apparmor-docs apparmor-parser apparmor-parser-lang apparmor-profiles apparmor-utils apparmor-utils-lang pam_apparmor pam_apparmor-32bit perl-apparmor python3-apparmor

- update to AppArmor 2.12
  - add support for 'owner' rules in aa-logprof and aa-genprof
  - add support for includes with absolute path in aa-logprof etc. (lp#1733700)
  - update aa-decode to also decode PROCTITLE (lp#1736841)
  - several profile and abstraction updates, including boo#1069470
  - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.12 for the detailed upstream changelog
- drop upstreamed patches:
  - read_inactive_profile-exactly-once.patch
  - utils-fix-sorted-save_profiles-regression.diff
- lessopen profile: change all 'rix' rules to 'mrix'
- add 32-bit-no-uid.diff to fix handling of log events without ouid on 32 bit systems
- update to AppArmor 2.11.95 aka 2.12 beta1
  - add JSON interface to aa-logprof and aa-genprof (used by YaST)
  - drop old YaST interface code
  - update audio, base and nameservice abstractions
  - allow @{pid} to match 7-digit pids
  - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11_95 for the detailed upstream changelog
- drop upstreamed patches
  - apparmor-yast-cleanup.patch
  - apparmor-json-support.patch
  - nameservice-libtirpc.diff
- drop obsolete perl modules (YaST no longer needs them)
- drop patches that were only needed by the obsolete perl modules:
  - apparmor-utils-string-split
  - apparmor-abstractions-no-multiline.diff
- drop profiles-sockets-temporary-fix.patch - obsoleted by a fix in apparmor_parser
- refresh utils-fix-sorted-save_profiles-regression.diff
- add aa-teardown (new script to unload all profiles)
- make ExecStop in apparmor.service a no-op (workaround for a systemd restriction, see boo#996520 and boo#853019 for details)
- lessopen profile: allow capability dac_read_search and dac_override, allow groff to execute several helpers (boo#1065388)

==== btrfsprogs ====
Subpackages: btrfsprogs-udev-rules libbtrfs0

- Fix rollback regression which can lead to data corruption
  Added patches: rollback-regression-fix.patch (bsc#1069478)

==== clutter-gst ====
Subpackages: gstreamer-plugin-gstclutter-3_0 libclutter-gst-3_0-0 typelib-1_0-ClutterGst-3_0

- Add clutter-gst-video-sink-fix-compilation-error.patch: video-sink: Fix compilation error.
- Clean up spec with spec-cleaner, use modern macros.

==== galculator ====
Version update (2.1.3 -> 2.1.4)
Subpackages: galculator-lang

- use new upstream urls
- cleanup with spec-cleaner
- link against gtk 3 (instead of 2)
- new upstream version 2.1.4
  * adding a fresh "tx pull" of translations
  * adding an appdata file
  * in ui.c::set_all_dispctrl_buttons_property check for table_children != NULL (fixes sf.net bug #107)
  * *.c: all dynamic memory allocation and free'ing is done via glib now.
  * Changed default background color for the display to white.
  * In callbacks.c and general_functions.c, team up every gtk_check_menu_item_set_active with a gtk_check_menu_item_toggled. See also 2014-01-08 and sf.net bug #99. (fixes sf.net bug #105)
  * translations are now served through transifex
  * set_basic_object_data/set_scientific_object_data make structs static (fixes sf.net bug #104)
- updated description
- Provide and obsolete mate-calc; galculator has replaced mate-calc in Mate 1.10

==== geany ====
Version update (1.31 -> 1.32)
Subpackages: geany-lang libgeany0

- Update to version 1.32
  + General:
    - Improve CLI argument help (gh#geany/geany#1644).
    - Keep the current tab when closing documents to the right of another tab.
    - Re-enable SIGTERM handling (gh#geany/geany#1255).
    - Create correct path for filetype config files.
    - Add an option to enable IME's candidate window display inline.
    - Add an option to automatically reload files changed on disk
  + Bug fixes:
    - Fix backward compatibility of the geometry saving setting.
    - Close "Deleted from Disk" Infobar on Reload.
    - Make sure GDK_MOD2_MASK is cleared when getting modifiers
    - Use non-symlinked VTE libraries on MacOS X.
    - Fix crash if plugin manager is opened more than once.
    - Fix incorrect variable reference.
  + Interface:
    - Add "Close Documents to the Right" feature.
    - Add an option to save/reload either window position or size, but optionally not both (gh#geany/geany#1456).
  + Editor:
    - Update Scintilla to version 3.7.5 (gh#geany/geany#1503).
    - Improve snippet support (visual indicators and more) (gh#geany/geany#1470).
    - Push current position to navqueue before navigating back (gh#geany/geany#1537).
  + Filetypes:
    - Add GNU assembler filetype extensions (gh#geany/geany#904).
    - Make Python comment hash space (gh#geany/geany#1682).
    - Add missing string and comment styles for various lexers (gh#geany/geany#1502).
    - Add missing PHP keywords, especially for PHP 7.x (gh#geany/geany#1547).
    - Python: Don't highlight sub-identifiers as keywords (gh#geany/geany#1544).
  + Plugins:
    - FileBrowser: don't change directory on project save (gh#geany/geany#1400).
  + API:
    - Add `utils_get_real_path()` and deprecate `tm_get_real_path()` (gh#geany/geany#1224).
    - Add `geany_plugin_get_data()` (gh#geany/geany#1234).
    - Add `keybindings_load_keyfile()` (gh#geany/geany#1430).
    - Add `tm_tag_get_type()` (gh#geany/geany#1465).
  + HACKING: Add note about data types and update for best practices (gh#geany/geany#1282).
  + Updated translations.
==== gstreamer-plugins-bad ====
Subpackages: gstreamer-plugins-bad-lang libgstadaptivedemux-1_0-0 libgstbadaudio-1_0-0 libgstbadbase-1_0-0 libgstbadvideo-1_0-0 libgstbasecamerabinsrc-1_0-0 libgstcodecparsers-1_0-0 libgstgl-1_0-0 libgstmpegts-1_0-0 libgstphotography-1_0-0 libgsturidownloader-1_0-0 libgstwayland-1_0-0

- Add gst-bad-player-transfer-ownership.patch: player: transfer ownership of info properties (bgo#791982).
- Add gst-bad-vtdec-destroy-create-fix.patch: vtdec: destroy and create the GL context on start()/stop(). Removes a reference count loop.
- Add python3-xml BuildRequires and switch to using plain make instead of make_build macro, and add conditional for pkgconfig(graphene-1.0), pkgconfig(wayland-client), pkgconfig(wayland-cursor), pkgconfig(wayland-egl), pkgconfig(wayland-protocols) and pkgconfig(wayland-scanner) BuildRequires and the .so and sub-package produced, fix build for old versions of openSUSE.

==== gstreamer-plugins-good ====
Subpackages: gstreamer-plugins-good-extra gstreamer-plugins-good-lang

- Add gst-good-equalizer-fix-Wincompatible-pointer-types-warning.patch: equalizer: Fix -Wincompatible-pointer-types warning (bgo#791494).
- Clean up spec with spec-cleaner.
- Toggle ENABLE_AALIB, no longer build aasink support.
==== kernel-firmware ====
Version update (20171204 -> 20171221)
Subpackages: ucode-amd

- Update to version 20171221:
  * nvidia: add GP108 signed firmware
  * linux-firmware: liquidio: add v1.7.0 vswitch firmware
  * brcm: add CYW4373 firmwares and Cypress license file
  * linux-firmware: Update firmware patch for Intel Bluetooth 8260
  * linux-firmware: Update firmware file for Intel Bluetooth 8265
  * linux-firmware: Add firmware file for Intel Bluetooth 9260
  * linux-firmware: Add firmware file for Intel Bluetooth 9560
  * Revert commits a42f895, c113d33, 041aff8, 73d13b5
  * linux-firmware: Update firmware patch for Intel Bluetooth 8260
  * linux-firmware: Update firmware file for Intel Bluetooth 8265
  * linux-firmware: Add firmware file for Intel Bluetooth 9260
  * linux-firmware: Add firmware file for Intel Bluetooth 9560
  * linux-firmware: intel: Add Cannonlake audio firmware
  * nfp: add firmware for tc-flower
  * nfp: change firmware directory layout
  * nfp: update firmware for Agilio CX SmartNICs

==== libapparmor ====
Version update (2.11.1 -> 2.12)
Subpackages: libapparmor-devel libapparmor1 libapparmor1-32bit

- update to AppArmor 2.12
  - preserve errno across aa_*_unref() functions
  - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.12 for the detailed upstream changelog
- no longer package static libapparmor.a
- update to AppArmor 2.11.95 aka 2.12 beta1
  - no changes in libapparmor
  - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11_95 for the detailed upstream changelog

==== libssh ====
Subpackages: libssh-devel libssh4

- Add patch to fix parsing of config files (boo#1067782):
  * 0001-config-Bugfix-Dont-skip-unseen-opcodes.patch

==== libuv ====
Version update (1.15.0 -> 1.18.0)

- Update to version 1.18.0
  * unix,win: add uv_os_getpid()
  * unix: remove incorrect assertion in uv_shutdown()
  * aix: fix -Wmaybe-uninitialized warning
  * win,doc: remove note about SIGWINCH on Windows
  * doc: fix IRC URL in CONTRIBUTING.md
- 1.17.0
  * ibmi: add support for new platform
  * unix: keep track of bound sockets sent via spawn
  * unix: avoid malloc() call in uv_spawn()
  * zos: add strnlen() implementation
  * test: add threadpool init/teardown test
  * test: avoid malloc() in threadpool test
  * test: lower number of tasks in threadpool test
  * test: fix test-spawn compilation
  * doc: clarify the description of uv_loop_alive()
  * win: issue memory barrier in uv_thread_join()
  * win: map UV_FS_O_EXLOCK to a share mode of 0
  * win: fix build on case-sensitive file systems
  * win: fix test runner build with mingw64
  * win: remove unused variable in test/test-fs.c
- 1.16.1
  * unix: move net/if.h include
  * win: fix undeclared NDIS_IF_MAX_STRING_SIZE
- 1.16.0
  * unix,win: add fs open flags, map O_DIRECT|O_DSYNC
  * win, fs: fix non-symlink reparse points
  * test: fix -Wstrict-prototypes warnings
  * unix, windows: map ENOTTY errno
  * unix: fall back to fsync() if F_FULLFSYNC fails
  * unix: do not close invalid kqueue fd after fork
  * zos: reset epoll data after fork
  * zos: skip fork_threadpool_queue_work_simple
  * test: keep platform_output as first test
  * unix,win: add uv_os_getppid()
  * test: fix const qualification compiler warning
  * doc: mark uv_default_loop() as not thread safe
  * win, pipe: null-initialize stream->shutdown_req
  * tty, win: get SetWinEventHook pointer at startup
  * test: no extra new line in skipped test output
  * pipe: allow access from other users
  * unix,win: add uv_if_{indextoname,indextoiid}
  * win: fix non-English dlopen error message
  * win: change st_blksize from `2048` to `4096`
- Small spec file cleanup

==== opusfile ====
Version update (0.9 -> 0.10)

- Update to version 0.10:
  + Fix an out-of-bounds read matching serial numbers.
- cleanup with spec-cleaner
- add "--disable-silent-rules" to ./configure

==== osinfo-db ====

- Fix version string for leap 15 (bsc#1054986)
  add-opensuse-leap-15-support.patch

==== python-urllib3 ====

- Add python-urllib3-recent-date.patch: Fix test suite, use correct date (gh#shazow/urllib3#1303, boo#1074247).
==== xfce4-branding-openSUSE ====
Subpackages: exo-branding-openSUSE libgarcon-branding-openSUSE libxfce4ui-branding-openSUSE midori-branding-openSUSE openSUSE-xfce-icon-theme thunar-volman-branding-openSUSE xfce4-notifyd-branding-openSUSE xfce4-panel-branding-openSUSE xfce4-power-manager-branding-openSUSE xfce4-session-branding-openSUSE xfce4-settings-branding-openSUSE xfdesktop-branding-openSUSE xfwm4-branding-openSUSE

- use plugin-pulseaudio instead of plugin-mixer
- recommend pavucontrol and plugin-pulseaudio instead of xfce4-mixer
- replace application-menu with whiskermenu
- brand whiskermenu suse style
- require whiskermenu from panel-branding-openSUSE
- fix obsoletes of exo-branding-openSUSE
- fix exo-branding provides / obsoletes
- adapt to changes in exo package (exo-1 subdir patch removed)
- on >= 13.2 package-manager.desktop was renamed to yast2-packager.desktop (boo#892936)
- bump version to 4.12
- lock screen on suspend/hibernate
- xfce4-panel-plugin-xfce4battery was renamed to power-manager-plugin
- recommend xfce4-panel-plugin-xfce4battery which is in the panel branding
- fix critical power action and hdd spindown settings
- adapt xfce4-power-manager branding to version 1.3.0
- fix typo
- rename source tarball removing the meaningless version
- adjust to GTK 3 variant of libxfce4ui
- remove support for openSUSE < 12.3
- add custom theme for xfce4-notifyd
- improve suse_version overlay system
- add xfce4-power-manager-branding-openSUSE with default actions for button press events and critical battery levels
- add support for 13.2, drop support for < 12.2
- follow the exo package changes and rename exo-branding-openSUSE to libexo-1-0-branding-openSUSE and move helpers.rc in an API-versioned subdirectory
- support openSUSE 13.1
- fix an error in the openSUSE-Xfce index.theme file causing theme inheritance to fail
- 12.3 specific xfce4-panel branding
- adapt to Terminal rename
- adapt to new name of the mixer plugin
- remove support for openSUSE 11.4
- disable automatic session saving by default and don't preselect session saving in the logout dialog since it causes problems such as bxo#5123
- added audio-input-microphone-muted icon to openSUSE Xfce icon theme which is used by xfce4-mixer 4.10.0
- on >= 12.2 depend on libgio-2_0-0 which provides the defaults.list symlink target
- on > 12.2 depend on desktop-file-utils which is now needed to generate defaults.list
- updated comment in xfce_defaults.conf
- require desktop-data-openSUSE on openSUSE distros in the openSUSE branding
- own more directories to fix build of derived packages
- remove submenus below Settings which are accessible through the xfce4-settings-manager
- add xfce4-panel-plugin-mixer to the panel
- add support for Xfce-specific MIME default associations
- add back pager and reduce workspaces to two
- remove the launchers from the panel and switch from action buttons to the actions menu
- mark the global menus as config files, they may be edited by an administrator and should not be silently overwritten
- use actions menu rather than buttons in the panel
- fix xfcemail and xfce-nomail icons
- rename %{_datadir}/wallpapers/xfce/default.jpg to %{_datadir}/wallpapers/xfce/default.wallpaper, the default wallpaper formats may differ and xfdesktop doesn't care about the filetype extension
- remove ristretto icons and use the new icons provided by ristretto 0.6.0
- added dependency of libgarcon-branding-openSUSE on libxfce4ui-tools since the menu references xfce4-about.desktop
- remove dependency of libgarcon-branding-openSUSE on libgarcon-data
- remove dependency of xfce4-panel-branding-openSUSE on exo-tools
- added xfce-schedule icon
- bump version to 4.10
- libgarcon-branding-openSUSE should have a reverse dependency on libgarcon-data rather than libgarcon-1-0
- libxfce4ui-branding-openSUSE
  - added keyboard shortcuts for starting browser and MUA with XF86WWW and XF86Mail
  - use startup notification for xfce4-appfinder shortcuts
- xfce4-settings-branding-openSUSE
  - order the menus in xfce-settings-manager.menu
- xfwm4-branding-openSUSE
  - enable tiling
- only build midori-branding-openSUSE for > 11.4 since Midori does not support 11.4 any more
- only depend on wallpaper-branding-openSUSE for > 11.4
- make libgarcon-branding-openSUSE depend on libgarcon-data
- added openSUSE-xfce-icon-theme which provides icons missing from gnome-icon-theme
- moved licenses into the tarballs
- xfce4-panel-branding-openSUSE
  - use internal clock plugin again
  - added new button images %{_datadir}/pixmaps/xfce4-opensuse-light.png and %{_datadir}/pixmaps/xfce4-opensuse-dark.png
- xfce4-session-branding-openSUSE
  - dropped xfce4-settings-helper which has been removed
  - dropped xscreensaver which is now started via autostart
- xfwm4-branding-openSUSE
  - increased doubleclick time to 400ms
  - enabled composite by default
  - enabled shadows
- libgarcon-branding-openSUSE
  - reworked application menu and incorporated a customized xfce-settings-manager-menu
- xfce4-settings-branding-openSUSE
  - added customized %{_sysconfdir}/xdg/menus/xfce-settings-manager.menu which also includes non-Xfce settings
- switch from the GNOME icon theme to the openSUSE Xfce icon theme
- xfdesktop-branding-openSUSE
  - deliver symlink %{_datadir}/xfce4/backdrops/default.jpg pointing to the default backdrop image from wallpaper-branding-openSUSE which is now the compiled-in default and removed %{_sysconfdir}/xdg/xfce4/xfconf/xfce-perchannel-xml/xfce4-desktop.xml so that now all screens have the same default
- enabled thunar-volman-branding-openSUSE for 11.4
- bump version to 4.9.0
- remove xfce4-tips autostart file
- add build dependencies on upstream branding to avoid ambiguities
- added midori-branding-openSUSE
  - added openSUSE package search to the list of search engines
  - use opensuse.org as the default home page
- own %{_datadir}/desktop-directories/ for >= 12.1
- enable GNOME compatibility mode in order to start gnome-keyring by default (bnc#754700)
- adapt to renamed packages
- make the default panel opaque with compositing enabled (bnc#742766)
- license update: CC-BY-SA-3.0 and GPL-2.0+
  Indicate the aggregation of GPL-2.0+ and the CC licensed wallpapers
- fix license to be in spdx.org format
- switch to final xfwm4 branding
- make xfce4-panel-branding-openSUSE depend on xfce4-panel-plugin-datetime
- use DateTime rather than Clock panel plugin
- added thunar-volman-branding-openSUSE package for >= 12.1
- rename /usr/share/desktop-directories/xfce-settings-system.directory to /usr/share/desktop-directories/xfce-administration.directory and add /usr/share/desktop-directories/xfce-preferences.directory
- change /etc/xdg/menus/xfce-applications.menu to not show category PackageManager under System
- renamed COPYING.xfce4-splash-openSUSE-11.4
- created xfce4-branding-openSUSE-4.8.0-11.4.tar.bz2 for < 12.1
- switch to Adwaita as the new default theme for >= 12.1
- use wallpaper from new wallpaper-branding package
- fix build failure by removing the splash on >= 12.1, also do not install the copyright file
- require the splash out of branding-openSUSE for 12.1+ to ease the update of artwork
- fixed "Administration" menu for >= 12.1 (bnc#719826)
- changed border/text-color of splash screen to match that of other GTK splash screens
- included the final splashscreen
- explicitly include xfce-settings-manager.desktop in the Settings menu since it is also in the X-XFCE category
- stay at 4.8.0
- determine versions of branded packages automatically
- tweaked xfce4-session splash screen look a bit
- bump libgarcon version
- added temporary splash screen for xfce4-settings based on 11.3 branding
- switch to Sonar theme
- added xfce4-branding-openSUSE
- replace exo- launches with launchers for the openSUSE default applications since items hidden in the main menu cannot be used as panel launchers
- exclude X-XFCE category from the Settings menu as it will be shown inside the settings manager and exclude X-Xfce-Toplevel category from submenus
- merged some keyboard shortcut changes from libxfce4ui 4.8.0
- removed unused panel launcher desktop files
- supplement libgarcon-1-0 rather than libgarcon
- added exo-branding-openSUSE subpackage
- fixed launchers
- added branding for libgarcon, libxfce4ui, xfce4-notifyd
- obsoleted xfce4-desktop branding which is now provided by xfdesktop-branding
- split up in subpackages xfce4-panel-branding-openSUSE, xfce4-session-branding-openSUSE, xfce4-settings-branding-openSUSE, xfdesktop-branding-openSUSE, libgarcon-branding-openSUSE, libxfce4ui-branding-openSUSE, xfce4-notifyd-branding-openSUSE
- temporarily removed menu again as it is currently provided by libgarcon
- migrated panel settings to new format
- cleaned up menu
- version bump to 4.8.0
- add gtk2-metatheme-gilouche to Requires [bnc#616275]
- version bump to 4.7.1
- version bump to 4.6.4
- version bump to 4.6.3
- require desktop-data instead of desktop-data-SuSE
- version bump to 4.6.1
- added branding for xfce4-panel
- updated to be compatible with Xfce 4.6.0 release

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Hello,

On Wednesday, 3 January 2018, 12:45:44 CET, Dominique Leuenberger wrote:

==== apparmor ====
Version update (2.11.1 -> 2.12)
I should probably highlight this change:
- add aa-teardown (new script to unload all profiles)
- make ExecStop in apparmor.service a no-op (workaround for a systemd restriction, see boo#996520 and boo#853019 for details)

The short version is: "rcapparmor stop" and "systemctl stop apparmor" won't do anything now because of the way systemd implements "restart" [insert systemd rant here]. If you really want to unload your AppArmor profiles, run "aa-teardown". But - who would do that? ;-) [1]

The longer version is on https://blog.cboltz.de/archives/77-AppArmor-2.12-The-Grinch-is-confined!.htm... ;-)

Regards,

Christian Boltz

[1] aa-complain /etc/apparmor.d/$whatever is a much better choice because it logs what would be denied and allows you to update the profile and/or to open a bug report with useful logs

--
"Never surf faster, than your guardian penguin can fly!"
On Wed, Jan 03, Christian Boltz wrote:
Hello,
On Wednesday, 3 January 2018, 12:45:44 CET, Dominique Leuenberger wrote:

==== apparmor ====
Version update (2.11.1 -> 2.12)

I should probably highlight this change:

There are more important changes: errors during loading of profiles are no longer ignored, which makes these bugs really problematic now and apparmor unusable/non-functional with a read-only root filesystem:

bsc#1074429 - AppArmor cannot be started in Kubic
bsc#1069906 - Race: systemd remounts filesystems while apparmor loads profiles

Thorsten

--
Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & CaaSP
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
GF: Felix Imendoerffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nuernberg)
Hello,

On Wednesday, 3 January 2018, 14:30:46 CET, Thorsten Kukuk wrote:

On Wed, Jan 03, Christian Boltz wrote:

On Wednesday, 3 January 2018, Dominique Leuenberger wrote:

==== apparmor ====
Version update (2.11.1 -> 2.12)

I should probably highlight this change:

There are more important changes: errors during loading of profiles are no longer ignored, which makes these bugs really problematic now and apparmor unusable/non-functional with a read-only root filesystem:

bsc#1074429 - AppArmor cannot be started in Kubic
bsc#1069906 - Race: systemd remounts filesystems while apparmor loads profiles
I just installed the latest Kubic in a VM [1] and can confirm the problem - only the "docker-default" profile gets loaded, but not the other profiles in /etc/apparmor.d/. That leads to the question if the "docker-default" gets loaded or reloaded in a different way - any ideas?

The most surprising thing is that it "errors out more" than in 2.11.x. Most 2.12 changes were in the python tools. A review of the 2.12 changes together with the upstream developers didn't bring up many changes in apparmor_parser or libapparmor that could cause this change, and the few commits that are somewhat related to this look harmless. I'll probably build 2.11.1 packages tomorrow to cross-check if this was really introduced in 2.12, even if looking at the upstream commits indicates it's unlikely.

For now, I can offer two workarounds:

- rcapparmor reload while /var/lib/apparmor is writable to build or update the cache (which also means no more write attempts on boot until you install a new kernel)

- or -

- disable the "write-cache" option in /etc/apparmor/parser.conf - but let me warn you that this slows down profile loading 5 to 10 times, so this is nothing I want to do for the "normal" distribution. (If there is a build condition to match only Kubic, I'm willing to accept that in the AppArmor package as a hotfix. Technically we just have to disable a patch ;-)

The long-term fix is to make cache write failures a warning instead of an error, but to make things more interesting, there are also situations where this needs to be an error. This is solvable by adding a new config option (think of -Werror), but needs a bit more work.

Another option might be to pre-compile the profiles during installation. I know this is possible (AFAIK it was done for Ubuntu Phone), but I'll have to check the details with upstream.

One funny detail is that we hit this issue too early ;-) - there are plans to support multiple caches for different kernel versions, but unfortunately, well, _plans_ ;-)

Regards,

Christian Boltz

[1] my infrastructure test VMs don't feel alone anymore now ;-)

--
Code like this is the reason for alcoholism running rampant with Java developers
[Kristian Köhntopp on https://plus.google.com/+KristianKöhntopp/posts/K5DDeDMYr1e ]
On 2018-01-03, Christian Boltz <opensuse@cboltz.de> wrote:
==== apparmor ====
Version update (2.11.1 -> 2.12)

I should probably highlight this change:

There are more important changes: errors during loading of profiles are no longer ignored, which makes these bugs really problematic now and apparmor unusable/non-functional with a read-only root filesystem:

bsc#1074429 - AppArmor cannot be started in Kubic
bsc#1069906 - Race: systemd remounts filesystems while apparmor loads profiles
I just installed the latest Kubic in a VM [1] and can confirm the problem - only the "docker-default" profile gets loaded, but not the other profiles in /etc/apparmor.d/. That leads to the question if the "docker-default" gets loaded or reloaded in a different way - any ideas?
Docker loads the profile manually using apparmor_parser. The reason for this is that Docker needs to reload the profile if the system unloads it for some reason (which happens on Ubuntu on certain upgrades).

As a complete aside -- there is also currently an AppArmor design flaw, where unloading a profile (i.e. restarting the "AppArmor service") will make all previously confined processes unconfined -- with no way for an administrator to re-confine them (other than attaching to each process with GDB and executing aa_changehat from the context of the process).

Is there a reason that restarting the "apparmor service" does anything at all? We really should not be removing profiles automatically given this fairly glaring security problem.
- disable the "write-cache" option in /etc/apparmor/parser.conf - but let me warn you that this slows down profile loading 5 to 10 times, so this is nothing I want to do for the "normal" distribution. (If there is a build condition to match only Kubic, I'm willing to accept that in the AppArmor package as a hotfix. Technically we just have to disable a patch ;-)

Docker uses apparmor_parser with the write cache disabled, specifically so that it can work on a read-only root with Kubic[1].

[1]: https://github.com/moby/moby/pull/33250

--
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>
On 2018-01-04, Aleksa Sarai <asarai@suse.de> wrote:
As a complete aside -- there is also currently an AppArmor design flaw, where unloading a profile (ie. restarting the "AppArmor service") will make all previously confined processes unconfined -- with no way for an administrator to re-confine them (other than attaching to each process with GDB and executing aa_changehat from the context of the process).
Is there a reason that restarting the "apparmor service" does anything at all? We really should not be removing profiles automatically given this fairly glaring security problem.
My straw-man pitch would be that "systemctl restart apparmor" should only *replace* profiles that are stored in /etc/apparmor.d. If a profile is not present in /etc/apparmor.d (and *especially* if it's currently confining a process) then the "apparmor service" should not touch it. This could be a good stop-gap until profile removal semantics are fixed in AppArmor.

We've had cases where someone has restarted the "apparmor service" and all of their containers are now running with unconfined AppArmor profiles (which is quite bad, given that we know that the AppArmor profiles for Docker containers have protected against kernel 0days in the past).

--
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>
Hello,

thanks for the info about docker - that explains why the docker profile was loaded :-)

Also, upstream was fast in providing a patch that makes cache write failures only a warning. I just submitted SR 561675 to get this patch into Tumbleweed.

To answer your aside:

On Thursday, 4 January 2018, 00:23:31 CET, Aleksa Sarai wrote:
On 2018-01-04, Aleksa Sarai <asarai@suse.de> wrote:
As a complete aside -- there is also currently an AppArmor design flaw, where unloading a profile (ie. restarting the "AppArmor service") will make all previously confined processes unconfined -- with no way for an administrator to re-confine them (other than attaching to each process with GDB and executing aa_changehat from the context of the process).
Yes, that's why I changed apparmor.service to ExecStop=/bin/true in 2.12 to prevent that from accidentally happening. This results in "restart" behaving like "reload" now.

Needless to say that this is not my favorite solution. A better solution would be ExecRestart= in apparmor.service, but the systemd developers refused to implement ExecRestart= despite several people asking for it. As I already wrote two mails ago, [insert systemd rant here] ;-)

(If you are interested in more details, one of the bug reports mentioned two mails ago includes the link to the discussion on systemd-devel.)
Is there a reason that restarting the "apparmor service" does anything at all? We really should not be removing profiles automatically given this fairly glaring security problem.
My straw-man pitch would be that "systemctl restart apparmor" should
For restart vs. reload, see above.
only *replace* profiles that are stored in /etc/apparmor.d. If a profile is not present in /etc/apparmor.d (and *especially* if it's currently confining a process) then the "apparmor service" should not touch it. This could be a good stop-gap until profile removal semantics are fixed in AppArmor.
This was a different problem, and should be fixed since AppArmor 2.11.1 and 2.10.3 - starting with those versions, "unknown" profiles don't get unloaded on reload. (Use aa-remove-unknown to unload profiles that don't exist in /etc/apparmor.d/) If you can still trigger this issue with current AppArmor versions, please tell me or open a bugreport. Regards, Christian Boltz -- He wanted to change the value. 0/1 are two different values. So no matter what value it had before, he can change the value. ;-) [dfroehling in suse-programming] -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
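A preflight check for the restart/reload question discussed above (Aleksa's pitch that a restart must not touch profiles absent from /etc/apparmor.d, and the answer that such "unknown" profiles are skipped on reload since 2.11.1 and only unloaded by aa-remove-unknown), as an added example that is not part of this thread or of the AppArmor project. It reports which loaded profiles a reload would replace from /etc/apparmor.d, which loaded profiles are unknown, and which unknown ones are currently confining a process, so an admin sees exactly what aa-remove-unknown would unload (and what a restart used to unload) before any process is left unconfined. It reads the real kernel interfaces (/sys/kernel/security/apparmor/profiles and /proc/<pid>/attr/current) and takes the shipped profile names from `apparmor_parser -N /etc/apparmor.d`; the sample data below is constructed and is used automatically on a machine without AppArmor. The script changes nothing on the system.

```python
#!/usr/bin/env python3
"""Preflight report for reloading AppArmor: what a reload would replace,
which loaded profiles are "unknown" (not in /etc/apparmor.d), and which
unknown profiles currently confine a process.  Nothing is loaded or
unloaded here.  Example code for the discussion, not AppArmor's own."""
import os
import re
import subprocess
from typing import Dict, Iterable, List

PROFILES_FILE = "/sys/kernel/security/apparmor/profiles"
PROFILE_DIR = "/etc/apparmor.d"

# The kernel reports one "<name> (<mode>)" per line; /proc/<pid>/attr/current
# uses the same shape, or the bare word "unconfined".
PROFILE_LINE = re.compile(r"^(?P<name>.+) \((?P<mode>[a-z]+)\)$")

# --- constructed sample data (not taken from any real system) ---------------
SAMPLE_LOADED = """\
/usr/sbin/nscd (enforce)
/usr/sbin/ntpd (complain)
lxc-container-default (enforce)
docker-default (enforce)
"""
# What `apparmor_parser -N /etc/apparmor.d` would print on the sample box:
# docker-default is deliberately missing, since Docker loads it itself.
SAMPLE_KNOWN = {"/usr/sbin/nscd", "/usr/sbin/ntpd", "lxc-container-default"}
# Contents of /proc/<pid>/attr/current on the sample box, keyed by pid.
SAMPLE_PROC_ATTR = {
    1: "unconfined",
    812: "/usr/sbin/nscd (enforce)",
    2231: "docker-default (enforce)",
    2240: "docker-default (enforce)",
}


def parse_profile_lines(text: str) -> Dict[str, str]:
    """Map profile name -> mode; lines without a "(mode)" suffix are ignored."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        m = PROFILE_LINE.match(line.strip())
        if m:
            result[m.group("name")] = m.group("mode")
    return result


def confining_pids(proc_attr: Dict[int, str]) -> Dict[str, List[int]]:
    """Invert attr/current data: profile name -> sorted pids it confines."""
    by_profile: Dict[str, List[int]] = {}
    for pid, attr in proc_attr.items():
        for name in parse_profile_lines(attr):  # "unconfined" yields nothing
            by_profile.setdefault(name, []).append(pid)
    return {name: sorted(pids) for name, pids in by_profile.items()}


def preflight(loaded_text: str, known: Iterable[str],
              proc_attr: Dict[int, str]) -> Dict[str, object]:
    """Classify loaded profiles against the names shipped in PROFILE_DIR."""
    loaded = set(parse_profile_lines(loaded_text))
    known_set = set(known)
    unknown = loaded - known_set
    in_use = confining_pids(proc_attr)
    return {
        "replace": sorted(loaded & known_set),   # reload replaces these in place
        "add": sorted(known_set - loaded),       # shipped but not loaded yet
        "unknown": sorted(unknown),              # reload leaves these alone
        "unknown_in_use": {n: in_use[n] for n in sorted(unknown) if n in in_use},
    }


def live_state():
    """Read the real kernel interfaces and the parser's list of shipped names."""
    with open(PROFILES_FILE) as fh:
        loaded_text = fh.read()
    names = subprocess.run(["apparmor_parser", "-N", PROFILE_DIR],
                           capture_output=True, text=True, check=True).stdout
    known = {n for n in names.splitlines() if n}
    proc_attr: Dict[int, str] = {}
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                with open(f"/proc/{entry}/attr/current") as fh:
                    proc_attr[int(entry)] = fh.read().strip()
            except OSError:
                continue  # process exited, or attr not readable as this user
    return loaded_text, known, proc_attr


def main() -> None:
    if os.path.exists(PROFILES_FILE):
        loaded_text, known, proc_attr = live_state()
    else:  # no AppArmor here: run on the constructed sample instead
        loaded_text, known, proc_attr = SAMPLE_LOADED, SAMPLE_KNOWN, SAMPLE_PROC_ATTR
    report = preflight(loaded_text, known, proc_attr)
    for key in ("replace", "add", "unknown"):
        print(f"{key:8s} {' '.join(report[key]) or '-'}")
    for name, pids in report["unknown_in_use"].items():
        print(f"WARNING: {name} is not in {PROFILE_DIR} but confines pids {pids}; "
              "unloading it (e.g. with aa-remove-unknown) leaves them unconfined")


if __name__ == "__main__":
    main()
```

Run it as root before calling aa-remove-unknown: anything listed under the WARNING lines is a profile whose removal cannot be undone for the running processes, which is the failure mode described in the thread. On a box without AppArmor the sample data shows the expected shape of the report, with docker-default flagged as unknown and in use.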
On Wed, Jan 03, Christian Boltz wrote:
For now, I can offer two workarounds: - rcapparmor reload while /var/lib/apparmor is writeable to build or update the cache (which also means no more write attempts on boot until you install a new kernel) - or - - disable the "write-cache" option in /etc/apparmor/parser.conf - but let me warn you that this slows down profile loading 5 to 10 times, so this is nothing I want to do for the "normal" distribution. (If there is a build condition to match only Kubic, I'm willing to accept that in the AppArmor package as a hotfix. Technically we just have to disable a patch ;-)
As I wrote in one of the bug reports: since apparmor should load the profiles very early in the boot process, it should do the very early load without "write-cache" option and create the cache later in the running system. This avoids that the profiles are loaded too late and there are unprotected services running, and the performance problem should be the same. At least I don't see why creating the cache and loading the rules is faster than loading the rules without creating the cache. If this is really the case, we should move the cache to /run/ .... Thorsten -- Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & CaaSP SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany GF: Felix Imendoerffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nuernberg)
Hello, On Thursday, 4 January 2018, 16:18:24 CET, Thorsten Kukuk wrote:
On Wed, Jan 03, Christian Boltz wrote:
For now, I can offer two workarounds: - rcapparmor reload while /var/lib/apparmor is writeable to build or update the cache (which also means no more write attempts on boot until you install a new kernel) - or -
- disable the "write-cache" option in /etc/apparmor/parser.conf - but let me warn you that this slows down profile loading 5 to 10 times, so this is nothing I want to do for the "normal" distribution. (If there is a build condition to match only Kubic, I'm willing to accept that in the AppArmor package as a hotfix. Technically we just have to disable a patch ;-)
As I wrote in one of the bug reports: since apparmor should load the profiles very early in the boot process, it should do the very early load without "write-cache" option and create the cache later in the running system. This avoids that the profiles are loaded too late and there are unprotected services running, and the performance problem should be the same.
Such a split makes sense if it helps to load profiles earlier - but if it doesn't help with this, I'd prefer to avoid the additional complexity. As you probably noticed in my reply to Aleksa, upstream provided a patch that makes cache write failures a warning instead of an error. This is probably not the final solution, but fixes the most urgent problem. For building the profile cache, run rcapparmor reload while /var/lib/apparmor is writeable.
At least I don't see why creating the cache and loading the rules is faster than loading the rules without creating the cache. If this is really the case, we should move the cache to /run/ ....
;-)) The slowdown is obviously the comparison between "having a valid cache" and "having no cache" - things are fast if you have a valid cache and apparmor_parser doesn't need to re-compile the profiles. If you don't have a valid cache, the difference between "loading the profiles" and "loading the profiles and writing the cache" is very small. Compiling the profiles needs time/CPU, writing the cache file to disk is quite "cheap" in comparison. Regards, Christian Boltz -- A computer does what you "tell" it, not what you want. Ergo you have to know how to tell it what you want. [Stefan G. Weichinger in postfixbuch-users]
participants (4)
- Aleksa Sarai
- Christian Boltz
- Dominique Leuenberger
- Thorsten Kukuk