New Tumbleweed snapshot 20180101 released!


New Tumbleweed snapshot 20180101 released!

Dominique Leuenberger

Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.

Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&version=Tumbleweed&build=20180101

When you reply to report some issues, make sure to change the subject.
It is not helpful to keep the release announcement subject in a thread
while discussing a specific problem.

Packages changed:
  ImageMagick
  MozillaThunderbird (52.5.0 -> 52.5.2)
  NetworkManager-applet
  apparmor (2.11.1 -> 2.12)
  btrfsprogs
  clutter-gst
  galculator (2.1.3 -> 2.1.4)
  geany (1.31 -> 1.32)
  gstreamer-plugins-bad
  gstreamer-plugins-good
  kernel-firmware (20171204 -> 20171221)
  libapparmor (2.11.1 -> 2.12)
  libssh
  libuv (1.15.0 -> 1.18.0)
  opusfile (0.9 -> 0.10)
  osinfo-db
  python-urllib3
  xfce4-branding-openSUSE

=== Details ===

==== ImageMagick ====
Subpackages: ImageMagick-devel ImageMagick-extra libMagick++-7_Q16HDRI4 libMagickCore-7_Q16HDRI5 libMagickWand-7_Q16HDRI5 perl-PerlMagick

- readd ImageMagick-relax-filter.t.patch for SLE15 i586
- enable ImageMagick-s390-disable-tests.patch also for s390, in
  addition to s390x

==== MozillaThunderbird ====
Version update (52.5.0 -> 52.5.2)
Subpackages: MozillaThunderbird-translations-common

- update to Thunderbird 52.5.2
  * This release fixes the "Mailsploit" vulnerability and other
    vulnerabilities detected by the "Cure53" audit (MFSA 2017-30)
  * CVE-2017-7846 (bmo#1411716, bsc#1074043)
    JavaScript Execution via RSS in mailbox:// origin
  * CVE-2017-7847 (bmo#1411708, bsc#1074044)
    Local path string can be leaked from RSS feed
  * CVE-2017-7848 (bmo#1411699, bsc#1074045)
    RSS Feed vulnerable to new line Injection
  * CVE-2017-7829 (bmo#1423432, bsc#1074046)
    Mailsploit part 1: From address with encoded null character is
    cut off in message header display

==== NetworkManager-applet ====
Subpackages: NetworkManager-applet-lang NetworkManager-connection-editor libnm-gtk0 libnma0 nma-data typelib-1_0-NMGtk-1_0

- Allow for easy switch between meson and autoconf, using
  bcond_with (default to autoconf for now): Switch back to autoconf
  build system: meson is not ready and breaks nm-connection-editor
  (incompletely linked resources, boo#1072789).
  + In case of autoconf, add libtool BuildRequires, call autoreconf
    and use configure/make/make_install.

==== apparmor ====
Version update (2.11.1 -> 2.12)
Subpackages: apparmor-abstractions apparmor-docs apparmor-parser apparmor-parser-lang apparmor-profiles apparmor-utils apparmor-utils-lang pam_apparmor pam_apparmor-32bit perl-apparmor python3-apparmor

- update to AppArmor 2.12
  - add support for 'owner' rules in aa-logprof and aa-genprof
  - add support for includes with absolute path in aa-logprof etc. (lp#1733700)
  - update aa-decode to also decode PROCTITLE (lp#1736841)
  - several profile and abstraction updates, including boo#1069470
  - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.12
    for the detailed upstream changelog
- drop upstreamed patches:
  - read_inactive_profile-exactly-once.patch
  - utils-fix-sorted-save_profiles-regression.diff
- lessopen profile: change all 'rix' rules to 'mrix'
- add 32-bit-no-uid.diff to fix handling of log events without ouid on
  32 bit systems
- update to AppArmor 2.11.95 aka 2.12 beta1
  - add JSON interface to aa-logprof and aa-genprof (used by YaST)
  - drop old YaST interface code
  - update audio, base and nameservice abstractions
  - allow @{pid} to match 7-digit pids
  - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11_95
    for the detailed upstream changelog
- drop upstreamed patches
  - apparmor-yast-cleanup.patch
  - apparmor-json-support.patch
  - nameservice-libtirpc.diff
- drop obsolete perl modules (YaST no longer needs them)
- drop patches that were only needed by the obsolete perl modules:
  - apparmor-utils-string-split
  - apparmor-abstractions-no-multiline.diff
- drop profiles-sockets-temporary-fix.patch - obsoleted by a fix in
  apparmor_parser
- refresh utils-fix-sorted-save_profiles-regression.diff
- add aa-teardown (new script to unload all profiles)
- make ExecStop in apparmor.service a no-op (workaround for a systemd
  restriction, see boo#996520 and boo#853019 for details)
- lessopen profile: allow capability dac_read_search and dac_override,
  allow groff to execute several helpers (boo#1065388)

==== btrfsprogs ====
Subpackages: btrfsprogs-udev-rules libbtrfs0

- Fix rollback regression which can lead to data corruption
  Added patches: rollback-regression-fix.patch (bsc#1069478)

==== clutter-gst ====
Subpackages: gstreamer-plugin-gstclutter-3_0 libclutter-gst-3_0-0 typelib-1_0-ClutterGst-3_0

- Add clutter-gst-video-sink-fix-compilation-error.patch:
  video-sink: Fix compilation error.
- Clean up spec with spec-cleaner, use modern macros.

==== galculator ====
Version update (2.1.3 -> 2.1.4)
Subpackages: galculator-lang

- use new upstream urls
- cleanup with spec-cleaner
- link against gtk 3 (instead of 2)
- new upstream version 2.1.4
  * adding a fresh "tx pull" of translations
  * adding an appdata file
  * in ui.c::set_all_dispctrl_buttons_property check for
    table_children != NULL (fixes sf.net bug #107)
  * *.c: all dynamic memory allocation and free'ing is done via
    glib now.
  * Changed default background color for the display to white.
  * In callbacks.c and general_functions.c, team up every
    gtk_check_menu_item_set_active with a gtk_check_menu_item_toggled.
    See also 2014-01-08 and sf.net bug #99. (fixes sf.net bug #105)
  * translations are now served through transifex
  * set_basic_object_data/set_scientific_object_data make structs
    static (fixes sf.net bug #104)
- updated description
- Provide and obsolete mate-calc; galculator has replaced
  mate-calc in Mate 1.10

==== geany ====
Version update (1.31 -> 1.32)
Subpackages: geany-lang libgeany0

- Update to version 1.32
  + General:
  - Improve CLI argument help (gh#geany/geany#1644).
  - Keep the current tab when closing documents to the right of
    another tab.
  - Re-enable SIGTERM handling (gh#geany/geany#1255).
  - Create correct path for filetype config files.
  - Add an option to enable IME's candidate window display
    inline.
  - Add an option to automatically reload files changed on disk
  + Bug fixes:
  - Fix backward compatibility of the geometry saving setting.
  - Close "Deleted from Disk" Infobar on Reload.
  - Make sure GDK_MOD2_MASK is cleared when getting modifiers
  - Use non-symlinked VTE libraries on MacOS X.
  - Fix crash if plugin manager is opened more than once.
  - Fix incorrect variable reference.
  + Interface:
  - Add "Close Documents to the Right" feature.
  - Add an option to save/reload either window position or size,
    but optionally not both (gh#geany/geany#1456).
  + Editor
  - Update Scintilla to version 3.7.5 (gh#geany/geany#1503).
  - Improve snippet support (visual indicators and more)
    (gh#geany/geany#1470).
  - Push current position to navqueue before navigating back
    (gh#geany/geany#1537).
  + Filetypes:
  - Add GNU assembler filetype extensions (gh#geany/geany#904).
  - Make Python comment hash space (gh#geany/geany#1682).
  - Add missing string and comment styles for various lexers
    (gh#geany/geany#1502).
  - Add missing PHP keywords, especially for PHP 7.x
    (gh#geany/geany#1547).
  - Python: Don't highlight sub-identifiers as keywords
    (gh#geany/geany#1544).
  + Plugins: FileBrowser: don't change directory on project save
    (gh#geany/geany#1400).
  + API
  - Add `utils_get_real_path()` and deprecate
    `tm_get_real_path()` (gh#geany/geany#1224).
  - Add `geany_plugin_get_data()` (gh#geany/geany#1234).
  - Add `keybindings_load_keyfile()` (gh#geany/geany#1430).
  - Add `tm_tag_get_type()` (gh#geany/geany#1465).
  + HACKING: Add note about data types and update for best
    practices (gh#geany/geany#1282).
  + Updated translations.

==== gstreamer-plugins-bad ====
Subpackages: gstreamer-plugins-bad-lang libgstadaptivedemux-1_0-0 libgstbadaudio-1_0-0 libgstbadbase-1_0-0 libgstbadvideo-1_0-0 libgstbasecamerabinsrc-1_0-0 libgstcodecparsers-1_0-0 libgstgl-1_0-0 libgstmpegts-1_0-0 libgstphotography-1_0-0 libgsturidownloader-1_0-0 libgstwayland-1_0-0

- Add gst-bad-player-transfer-ownership.patch: player: transfer
  ownership of info properties (bgo#791982).
- Add gst-bad-vtdec-destroy-create-fix.patch: vtdec: destroy and
  create the GL context on start()/stop(). Removes a reference
  count loop.
- Add python3-xml BuildRequires and switch to using plain make
  instead of make_build macro, and add conditional for
  pkgconfig(graphene-1.0), pkgconfig(wayland-client),
  pkgconfig(wayland-cursor), pkgconfig(wayland-egl),
  pkgconfig(wayland-protocols) and pkgconfig(wayland-scanner)
  BuildRequires and the .so and sub-package produced, fix build for
  old versions of openSUSE.

==== gstreamer-plugins-good ====
Subpackages: gstreamer-plugins-good-extra gstreamer-plugins-good-lang

- Add
  gst-good-equalizer-fix-Wincompatible-pointer-types-warning.patch:
  equalizer: Fix -Wincompatible-pointer-types warning (bgo#791494).
- Clean up spec with spec-cleaner.
- Toggle ENABLE_AALIB, no longer build aasink support.

==== kernel-firmware ====
Version update (20171204 -> 20171221)
Subpackages: ucode-amd

- Update to version 20171221:
  * nvidia: add GP108 signed firmware
  * linux-firmware: liquidio: add v1.7.0 vswitch firmware
  * brcm: add CYW4373 firmwares and Cypress license file
  * linux-firmware: Update firmware patch for Intel Bluetooth 8260
  * linux-firmware: Update firmware file for Intel Bluetooth 8265
  * linux-firmware: Add firmware file for Intel Bluetooth 9260
  * linux-firmware: Add firmware file for Intel Bluetooth 9560
  * Revert commits a42f895, c113d33, 041aff8, 73d13b5
  * linux-firmware: Update firmware patch for Intel Bluetooth 8260
  * linux-firmware: Update firmware file for Intel Bluetooth 8265
  * linux-firmware: Add firmware file for Intel Bluetooth 9260
  * linux-firmware: Add firmware file for Intel Bluetooth 9560
  * linux-firmware: intel: Add Cannonlake audio firmware
  * nfp: add firmware for tc-flower
  * nfp: change firmware directory layout
  * nfp: update firmware for Agilio CX SmartNICs

==== libapparmor ====
Version update (2.11.1 -> 2.12)
Subpackages: libapparmor-devel libapparmor1 libapparmor1-32bit

- update to AppArmor 2.12
  - preserve errno across aa_*_unref() functions
  - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.12
    for the detailed upstream changelog
- no longer package static libapparmor.a
- update to AppArmor 2.11.95 aka 2.12 beta1
  - no changes in libapparmor
  - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11_95
    for the detailed upstream changelog

==== libssh ====
Subpackages: libssh-devel libssh4

- Add patch to fix parsing of config files (boo#1067782):
  * 0001-config-Bugfix-Dont-skip-unseen-opcodes.patch

==== libuv ====
Version update (1.15.0 -> 1.18.0)

- Update to version 1.18.0
  * unix,win: add uv_os_getpid()
  * unix: remove incorrect assertion in uv_shutdown()
  * aix: fix -Wmaybe-uninitialized warning
  * win,doc: remove note about SIGWINCH on Windows
  * doc: fix IRC URL in CONTRIBUTING.md
- 1.17.0
  * ibmi: add support for new platform
  * unix: keep track of bound sockets sent via spawn
  * unix: avoid malloc() call in uv_spawn()
  * zos: add strnlen() implementation
  * test: add threadpool init/teardown test
  * test: avoid malloc() in threadpool test
  * test: lower number of tasks in threadpool test
  * test: fix test-spawn compilation
  * doc: clarify the description of uv_loop_alive()
  * win: issue memory barrier in uv_thread_join()
  * win: map UV_FS_O_EXLOCK to a share mode of 0
  * win: fix build on case-sensitive file systems
  * win: fix test runner build with mingw64
  * win: remove unused variable in test/test-fs.c
- 1.16.1
  * unix: move net/if.h include
  * win: fix undeclared NDIS_IF_MAX_STRING_SIZE
- 1.16.0
  * unix,win: add fs open flags, map O_DIRECT|O_DSYNC
  * win, fs: fix non-symlink reparse points
  * test: fix -Wstrict-prototypes warnings
  * unix, windows: map ENOTTY errno
  * unix: fall back to fsync() if F_FULLFSYNC fails
  * unix: do not close invalid kqueue fd after fork
  * zos: reset epoll data after fork
  * zos: skip fork_threadpool_queue_work_simple
  * test: keep platform_output as first test
  * unix,win: add uv_os_getppid()
  * test: fix const qualification compiler warning
  * doc: mark uv_default_loop() as not thread safe
  * win, pipe: null-initialize stream->shutdown_req
  * tty, win: get SetWinEventHook pointer at startup
  * test: no extra new line in skipped test output
  * pipe: allow access from other users
  * unix,win: add uv_if_{indextoname,indextoiid}
  * win: fix non-English dlopen error message
  * win: change st_blksize from `2048` to `4096`
- Small spec file cleanup

==== opusfile ====
Version update (0.9 -> 0.10)

- Update to version 0.10:
  + Fix an out-of-bounds read matching serial numbers.
- cleanup with spec-cleaner
- add "--disable-silent-rules" to ./configure

==== osinfo-db ====

- Fix version string for leap 15 (bsc#1054986)
  add-opensuse-leap-15-support.patch

==== python-urllib3 ====

- Add python-urllib3-recent-date.patch: Fix test suite, use correct
  date (gh#shazow/urllib3#1303, boo#1074247).

==== xfce4-branding-openSUSE ====
Subpackages: exo-branding-openSUSE libgarcon-branding-openSUSE libxfce4ui-branding-openSUSE midori-branding-openSUSE openSUSE-xfce-icon-theme thunar-volman-branding-openSUSE xfce4-notifyd-branding-openSUSE xfce4-panel-branding-openSUSE xfce4-power-manager-branding-openSUSE xfce4-session-branding-openSUSE xfce4-settings-branding-openSUSE xfdesktop-branding-openSUSE xfwm4-branding-openSUSE

- use plugin-pulseaudio instead of plugin-mixer
- recommend pavucontrol and plugin-pulseaudio instead of xfce4-mixer
- replace application-menu with whiskermenu
- brand whiskermenu suse style
- require whiskermenu from panel-branding-openSUSE
- fix obsoletes of exo-branding-openSUSE
- fix exo-branding provides / obsoletes
- adapt to changes in exo package (exo-1 subdir patch removed)
- on >= 13.2 package-manager.desktop was renamed to
  yast2-packager.desktop (boo#892936)
- bump version to 4.12
- lock screen on suspend/hibernate
- xfce4-panel-plugin-xfce4battery was renamed to
  power-manager-plugin
- recommend xfce4-panel-plugin-xfce4battery which is in the panel
  branding
- fix critical power action and hdd spindown settings
- adapt xfce4-power-manager branding to version 1.3.0
- fix typo
- rename source tarball removing the meaningless version
- adjust to GTK 3 variant of libxfce4ui
- remove support for openSUSE < 12.3
- add custom theme for xfce4-notifyd
- improve suse_version overlay system
- add xfce4-power-manager-branding-openSUSE with default actions
  for button press events and critical battery levels
- add support for 13.2, drop support for < 12.2
- follow the exo package changes and rename exo-branding-openSUSE
  to libexo-1-0-branding-openSUSE and move helpers.rc in an
  API-versioned subdirectory
- support openSUSE 13.1
- fix an error in the openSUSE-Xfce index.theme file causing
  theme inheritance to fail
- 12.3 specific xfce4-panel branding
- adapt to Terminal rename
- adapt to new name of the mixer plugin
- remove support for openSUSE 11.4
- disable automatic session saving by default and don't preselect
  session saving in the logout dialog since it causes problems such
  as bxo#5123
- added audio-input-microphone-muted icon to openSUSE Xfce icon
  theme which is used by xfce4-mixer 4.10.0
- on >= 12.2 depend on libgio-2_0-0 which provides the
  defaults.list symlink target
- on > 12.2 depend on desktop-file-utils which is now needed to
  generate defaults.list
- updated comment in xfce_defaults.conf
- require desktop-data-openSUSE on openSUSE distros in
  the openSUSE branding
- own more directories to fix build of derived packages
- remove submenus below Settings which are accessible through the
  xfce4-settings-manager
- add xfce4-panel-plugin-mixer to the panel
- add support for Xfce-specific MIME default associations
- add back pager and reduce workspaces to two
- remove the launchers from the panel and switch from action
  buttons to the actions menu
- mark the global menus as config files, they may be edited by an
  administrator and should not be silently overwritten
- use actions menu rather than buttons in the panel
- fix xfcemail and xfce-nomail icons
- rename %{_datadir}/wallpapers/xfce/default.jpg to
  %{_datadir}/wallpapers/xfce/default.wallpaper, the default
  wallpaper formats may differ and xfdesktop doesn't care about
  the filetype extension
- remove ristretto icons and use the new icons provided by
  ristretto 0.6.0
- added dependency of libgarcon-branding-openSUSE on
  libxfce4ui-tools since the menu references xfce4-about.desktop
- remove dependency of libgarcon-branding-openSUSE on
  libgarcon-data
- remove dependency of xfce4-panel-branding-openSUSE on exo-tools
- added xfce-schedule icon
- bump version to 4.10
- libgarcon-branding-openSUSE should have a reverse dependency on
  libgarcon-data rather than libgarcon-1-0
- libxfce4ui-branding-openSUSE
  - added keyboard shortcuts for starting browser and MUA with
    XF86WWW and XF86Mail
  - use startup notification for xfce4-appfinder shortcuts
- xfce4-settings-branding-openSUSE
  - order the menus in xfce-settings-manager.menu
- xfwm4-branding-openSUSE
  - enable tiling
- only build midori-branding-openSUSE for > 11.4 since Midori does
  not support 11.4 any more
- only depend on wallpaper-branding-openSUSE for > 11.4
- make libgarcon-branding-openSUSE depend on libgarcon-data
- added openSUSE-xfce-icon-theme which provides icons missing from
  gnome-icon-theme
- moved licenses into the tarballs
- xfce4-panel-branding-openSUSE
  - use internal clock plugin again
  - added new button images
    %{_datadir}/pixmaps/xfce4-opensuse-light.png and
    %{_datadir}/pixmaps/xfce4-opensuse-dark.png
- xfce4-session-branding-openSUSE
  - dropped xfce4-settings-helper which has been removed
  - dropped xscreensaver which is now started via autostart
- xfwm4-branding-openSUSE
  - increased doubleclick time to 400ms
  - enabled composite by default
  - enabled shadows
- libgarcon-branding-openSUSE
  - reworked application menu and incorporated a customized
    xfce-settings-manager-menu
- xfce4-settings-branding-openSUSE
  - added customized
    %{_sysconfdir}/xdg/menus/xfce-settings-manager.menu which also
    includes non-Xfce settings
  - switch from the GNOME icon theme to the openSUSE Xfce icon
    theme
- xfdesktop-branding-openSUSE
  - deliver symlink %{_datadir}/xfce4/backdrops/default.jpg
    pointing to the default backdrop image from
    wallpaper-branding-openSUSE which is now the compiled-in
    default and removed
    %{_sysconfdir}/xdg/xfce4/xfconf/xfce-perchannel-xml/xfce4-desktop.xml
    so that now all screens have the same default
- enabled thunar-volman-branding-openSUSE for 11.4
- bump version to 4.9.0
- remove xfce4-tips autostart file
- add build dependencies on upstream branding to avoid ambiguities
- added midori-branding-openSUSE
  - added openSUSE package search to the list of search engines
  - use opensuse.org as the default home page
- own %{_datadir}/desktop-directories/ for >= 12.1
- enable GNOME compatibility mode in order to start gnome-keyring
  by default (bnc#754700)
- adapt to renamed packages
- make the default panel opaque with compositing enabled
  (bnc#742766)
- license update: CC-BY-SA-3.0 and GPL-2.0+
  Indicate the aggregation of GPL-2.0+ and the CC licensed wallpapers
- fix license to be in spdx.org format
- switch to final xfwm4 branding
- make xfce4-panel-branding-openSUSE depend on
  xfce4-panel-plugin-datetime
- use DateTime rather than Clock panel plugin
- added thunar-volman-branding-openSUSE package for >= 12.1
- rename
  /usr/share/desktop-directories/xfce-settings-system.directory to
  /usr/share/desktop-directories/xfce-administration.directory
  and add
  /usr/share/desktop-directories/xfce-preferences.directory
- change /etc/xdg/menus/xfce-applications.menu to not show category
  PackageManager under System
- renamed COPYING.xfce4-splash-openSUSE-11.4
- created xfce4-branding-openSUSE-4.8.0-11.4.tar.bz2 for < 12.1
- switch to Adwaita as the new default theme for >= 12.1
- use wallpaper from new wallpaper-branding package
- fix build failure by removing the splash on >= 12.1, also
  do not install the copyright file
- require the splash out of branding-openSUSE for 12.1+ to
  ease the update of artwork
- fixed "Administration" menu for >= 12.1 (bnc#719826)
- changed border/text-color of splash screen to match that of other
  GTK splash screens
- included the final splashscreen
- explicitly include xfce-settings-manager.desktop in the Settings
  menu since it is also in the X-XFCE category
- stay at 4.8.0
- determine versions of branded packages automatically
- tweaked xfce4-session splash screen look a bit
- bump libgarcon version
- added temporary splash screen for xfce4-settings based on 11.3
  branding
- switch to Sonar theme
- added xfce4-branding-openSUSE
- replace exo- launches with launchers for the openSUSE default
  applications since items hidden in the main menu cannot be used
  as panel launchers
- exclude X-XFCE category from the Settings menu as it will be
  shown inside the settings manager and exclude X-Xfce-Toplevel
  category from submenus
- merged some keyboard shortcut changes from libxfce4ui 4.8.0
- removed unused panel launcher desktop files
- supplement libgarcon-1-0 rather than libgarcon
- added exo-branding-openSUSE subpackage
- fixed launchers
- added branding for libgarcon, libxfce4ui, xfce4-notifyd
- obsoleted xfce4-desktop branding which is now provided by
  xfdesktop-branding
- split up in subpackages xfce4-panel-branding-openSUSE,
  xfce4-session-branding-openSUSE,
  xfce4-settings-branding-openSUSE, xfdesktop-branding-openSUSE,
  libgarcon-branding-openSUSE, libxfce4ui-branding-openSUSE,
  xfce4-notifyd-branding-openSUSE
- temporarily removed menu again as it is currently provided by
  libgarcon
- migrated panel settings to new format
- cleaned up menu
- version bump to 4.8.0
- add gtk2-metatheme-gilouche to Requires [bnc#616275]
- version bump to 4.7.1
- version bump to 4.6.4
- version bump to 4.6.3
- require desktop-data instead of desktop-data-SuSE
- version bump to 4.6.1
- added branding for xfce4-panel
- updated to be compatible with Xfce 4.6.0 release


--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]


AppArmor changes (was: [opensuse-factory] New Tumbleweed snapshot 20180101 released!)

Christian Boltz-5
Hello,

On Wednesday, 3 January 2018, 12:45:44 CET, Dominique Leuenberger wrote:
> ==== apparmor ====
> Version update (2.11.1 -> 2.12)

I should probably highlight this change:

> - add aa-teardown (new script to unload all profiles)
> - make ExecStop in apparmor.service a no-op (workaround for a systemd
>   restriction, see boo#996520 and boo#853019 for details)

The short version is:

"rcapparmor stop" and "systemctl stop apparmor" won't do anything now
because of the way systemd implements "restart" [insert systemd
rant here].

If you really want to unload your AppArmor profiles, run "aa-teardown".
But - who would do that? ;-)  [1]

The longer version is on
https://blog.cboltz.de/archives/77-AppArmor-2.12-The-Grinch-is-confined!.html
;-)


Regards,

Christian Boltz

[1] aa-complain /etc/apparmor.d/$whatever is a much better choice
    because it logs what would be denied and allows you to update the
    profile and/or to open a bugreport with useful logs
--
"Never surf faster, than your guardian penguin can fly!"





Re: AppArmor changes (was: [opensuse-factory] New Tumbleweed snapshot 20180101 released!)

Thorsten Kukuk
On Wed, Jan 03, Christian Boltz wrote:

> Hello,
>
> On Wednesday, 3 January 2018, 12:45:44 CET, Dominique Leuenberger wrote:
> > ==== apparmor ====
> > Version update (2.11.1 -> 2.12)
>
> I should probably highlight this change:

There are more important changes: errors during loading of profiles
are no longer ignored, which makes these bugs really problematic now
and apparmor unusable/non-functional with a read-only root filesystem:
bsc#1074429 - AppArmor cannot be started in Kubic
bsc#1069906 - Race: systemd remounts filesystems while apparmor loads profiles

  Thorsten

--
Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & CaaSP
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
GF: Felix Imendoerffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nuernberg)


Re: AppArmor changes (was: [opensuse-factory] New Tumbleweed snapshot 20180101 released!)

Christian Boltz-5
Hello,

On Wednesday, 3 January 2018, 14:30:46 CET, Thorsten Kukuk wrote:

> On Wed, Jan 03, Christian Boltz wrote:
> > On Wednesday, 3 January 2018, Dominique Leuenberger wrote:
> > > ==== apparmor ====
> > > Version update (2.11.1 -> 2.12)
> >
> > I should probably highlight this change:
> There are more important changes: errors during loading of profiles
> are no longer ignored, which makes these bugs really problematic now
> and apparmor unusable/non-functional with a read-only root
> filesystem: bsc#1074429 - AppArmor cannot be started in Kubic
> bsc#1069906 - Race: systemd remounts filesystems while apparmor loads
> profiles

I just installed the latest Kubic in a VM [1] and can confirm the
problem - only the "docker-default" profile gets loaded, but not the
other profiles in /etc/apparmor.d/. That leads to the question if the
"docker-default" gets loaded or reloaded in a different way - any ideas?

The most surprising thing is that it "errors out more" than in 2.11.x.
Most 2.12 changes were in the python tools. A review of the 2.12 changes
together with the upstream developers didn't bring up many changes in
apparmor_parser or libapparmor that could cause this change, and the few
commits that are somewhat related to this look harmless.

I'll probably build 2.11.1 packages tomorrow to cross-check if this was
really introduced in 2.12, even if looking at the upstream commits
indicates it's unlikely.

For now, I can offer two workarounds:
- rcapparmor reload   while /var/lib/apparmor is writeable to build or
  update the cache (which also means no more write attempts on boot until
  you install a new kernel)   - or -
- disable the "write-cache" option in /etc/apparmor/parser.conf - but
  let me warn you that this slows down profile loading 5 to 10 times,
  so this is nothing I want to do for the "normal" distribution.
  (If there is a build condition to match only Kubic, I'm willing to
  accept that in the AppArmor package as a hotfix. Technically we just
  have to disable a patch ;-)

The long-term fix is to make cache write failures a warning instead of
an error, but to make things more interesting, there are also situations
where this needs to be an error. This is solvable by adding a new config
option (think of -Werror), but needs a bit more work.

Another option might be to pre-compile the profiles during installation.
I know this is possible (AFAIK it was done for Ubuntu Phone), but I'll
have to check the details with upstream. One funny detail is that we hit
this issue too early ;-) - there are plans to support multiple caches
for different kernel versions, but unfortunately, well, _plans_ ;-)


Regards,

Christian Boltz

[1] my infrastructure test VMs don't feel alone anymore now ;-)
--
Code like this is the reason for alcoholism running rampant
with Java developers [Kristian Köhntopp on
https://plus.google.com/+KristianKöhntopp/posts/K5DDeDMYr1e ]





Re: AppArmor changes (was: [opensuse-factory] New Tumbleweed snapshot 20180101 released!)

Aleksa Sarai
On 2018-01-03, Christian Boltz <[hidden email]> wrote:

> > > > ==== apparmor ====
> > > > Version update (2.11.1 -> 2.12)
> > >
> > > I should probably highlight this change:
> > There are more important changes: errors during loading of profiles
> > are no longer ignored, which makes these bugs really problematic now
> > and apparmor unusable/non-functional with a read-only root
> > filesystem: bsc#1074429 - AppArmor cannot be started in Kubic
> > bsc#1069906 - Race: systemd remounts filesystems while apparmor loads
> > profiles
>
> I just installed the latest Kubic in a VM [1] and can confirm the
> problem - only the "docker-default" profile gets loaded, but not the
> other profiles in /etc/apparmor.d/. That leads to the question if the
> "docker-default" gets loaded or reloaded in a different way - any ideas?
Docker loads the profile manually using apparmor_parser. The reason for
this is that Docker needs to reload the profile if the system unloads it
for some reason (which happens on Ubuntu on certain upgrades).

As a complete aside -- there is also currently an AppArmor design flaw,
where unloading a profile (i.e. restarting the "AppArmor service") will
make all previously confined processes unconfined -- with no way for an
administrator to re-confine them (other than attaching to each process
with GDB and executing aa_changehat from the context of the process).

Is there a reason that restarting the "apparmor service" does anything
at all? We really should not be removing profiles automatically given
this fairly glaring security problem.

> - disable the "write-cache" option in /etc/apparmor/parser.conf - but
>   let me warn you that this slows down profile loading 5 to 10 times,
>   so this is nothing I want to do for the "normal" distribution.
>   (If there is a build condition to match only Kubic, I'm willing to
>   accept that in the AppArmor package as a hotfix. Technically we just
>   have to disable a patch ;-)

Docker uses apparmor_parser with the write cache disabled, specifically
so that it can work on a read-only root with Kubic[1].

[1]: https://github.com/moby/moby/pull/33250

--
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>


Re: AppArmor changes (was: [opensuse-factory] New Tumbleweed snapshot 20180101 released!)

Aleksa Sarai
On 2018-01-04, Aleksa Sarai <[hidden email]> wrote:
> As a complete aside -- there is also currently an AppArmor design flaw,
> where unloading a profile (i.e. restarting the "AppArmor service") will
> make all previously confined processes unconfined -- with no way for an
> administrator to re-confine them (other than attaching to each process
> with GDB and executing aa_changehat from the context of the process).
>
> Is there a reason that restarting the "apparmor service" does anything
> at all? We really should not be removing profiles automatically given
> this fairly glaring security problem.

My straw-man pitch would be that "systemctl restart apparmor" should
only *replace* profiles that are stored in /etc/apparmor.d. If a profile
is not present in /etc/apparmor.d (and *especially* if it's currently
confining a process) then the "apparmor service" should not touch it.
This could be a good stop-gap until profile removal semantics are fixed
in AppArmor.

We've had cases where someone has restarted the "apparmor service" and
all of their containers are now running with unconfined AppArmor
profiles (which is quite bad, given that we know that the AppArmor
profiles for Docker containers have protected against kernel 0days in
the past).

--
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>


Re: AppArmor changes (was: [opensuse-factory] New Tumbleweed snapshot 20180101 released!)

Christian Boltz-5
Hello,

thanks for the info about docker - that explains why the docker profile
was loaded :-)

Also, upstream was fast in providing a patch that makes cache write
failures only a warning. I just submitted SR 561675 to get this patch
into Tumbleweed.

To answer your aside:

Am Donnerstag, 4. Januar 2018, 00:23:31 CET schrieb Aleksa Sarai:
> On 2018-01-04, Aleksa Sarai <[hidden email]> wrote:
> > As a complete aside -- there is also currently an AppArmor design
> > flaw, where unloading a profile (ie.  restarting the "AppArmor
> > service") will make all previously confined processes unconfined --
> > with no way for an administrator to re-confine them (other than
> > attaching to each process with GDB and executing aa_changehat from
> > the context of the process).

Yes, that's why I changed apparmor.service to
    ExecStop=/bin/true
in 2.12 to prevent that from accidentally happening. This results in
"restart" behaving like "reload" now.

Needless to say that this is not my favorite solution. A better solution
would be ExecRestart= in apparmor.service, but the systemd developers
refused to implement ExecRestart= despite several people asking for it.
As I already wrote two mails ago, [insert systemd rant here] ;-)
(If you are interested in more details, one of the bugreports mentioned
two mails ago includes the link to the discussion on systemd-devel.)

> > Is there a reason that restarting the "apparmor service" does
> > anything at all? We really should not be removing profiles
> > automatically given this fairly glaring security problem.
>
> My straw-man pitch would be that "systemctl restart apparmor" should

For restart vs. reload, see above.

> only *replace* profiles that are stored in /etc/apparmor.d. If a
> profile is not present in /etc/apparmor.d (and *especially* if it's
> currently confining a process) then the "apparmor service" should not
> touch it. This could be a good stop-gap until profile removal
> semantics are fixed in AppArmor.

This was a different problem, and should be fixed since AppArmor 2.11.1
and 2.10.3 - starting with those versions, "unknown" profiles don't get
unloaded on reload. (Use aa-remove-unknown to unload profiles that don't
exist in /etc/apparmor.d/)

If you still can trigger this issue with current AppArmor versions,
please tell me or open a bugreport.


Regards,

Christian Boltz
--
Er wollte den Wert verändern. 0/1 sind zwei verschiedene Werte. Er
kann also egal welchen Wert er vorher hatte den Wert ändern. ;-)
[dfroehling in suse-programming]



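The reload semantics described above ("unknown" profiles stay loaded on reload; aa-remove-unknown unloads them) are easy to check before touching anything. The following dry-run script is an added example, not the AppArmor project's own aa-remove-unknown: it compares the same two inputs that tool compares (the profile names apparmor_parser -N prints for /etc/apparmor.d, and the "name (mode)" lines in /sys/kernel/security/apparmor/profiles) and lists the loaded profiles that have no source in /etc/apparmor.d, so you can see which confinements (e.g. a container runtime's profile) a reload keeps but aa-remove-unknown would drop. Both inputs are constructed sample data embedded inline so the script runs offline; the profile names in them are made up.

```shell
#!/bin/sh
# Added example: dry run of the "unknown profile" check.
# On a live system the two inputs would be:
#   KNOWN_PROFILES=$(apparmor_parser -N /etc/apparmor.d)
#   LOADED_PROFILES=$(cat /sys/kernel/security/apparmor/profiles)
# Here they are constructed samples so the script runs anywhere.

# Profiles defined under /etc/apparmor.d (constructed sample; names are
# whatever apparmor_parser -N would print, including child profiles).
KNOWN_PROFILES='/usr/sbin/ntpd
/usr/sbin/ntpd//helper
/usr/lib/dovecot/anvil
/usr/sbin/smbd'

# Profiles currently loaded in the kernel (constructed sample in the
# format of /sys/kernel/security/apparmor/profiles: "name (mode)").
# docker-default and lxc-container-default were loaded by their runtimes,
# not from /etc/apparmor.d.
LOADED_PROFILES='/usr/sbin/ntpd (enforce)
/usr/sbin/ntpd//helper (enforce)
/usr/sbin/smbd (complain)
docker-default (enforce)
lxc-container-default (enforce)'

# strip_mode: turn "name (mode)" lines into bare profile names.
strip_mode() {
    sed 's/ ([a-z]*)$//'
}

# unknown_profiles KNOWN LOADED
# Print, sorted and one per line, every loaded profile name that has no
# definition in KNOWN. This is the set a reload keeps (since 2.11.1) and
# aa-remove-unknown would unload.
unknown_profiles() {
    {
        printf '%s\n' "$1" | sed 's/^/K /'
        printf '%s\n' "$2" | strip_mode | sed 's/^/L /'
    } | awk '
        $1 == "K" { known[substr($0, 3)] = 1; next }
        $1 == "L" { name = substr($0, 3); if (!(name in known)) print name }
    ' | sort -u
}

# unknown_count KNOWN LOADED: number of such profiles (0 if none).
unknown_count() {
    unknown_profiles "$1" "$2" | grep -c .
    return 0
}

# Stand-alone report. Run this BEFORE aa-remove-unknown on a host that
# runs containers: every name listed here is a confinement you would lose.
unknown_profiles "$KNOWN_PROFILES" "$LOADED_PROFILES" |
    sed 's/^/not in \/etc\/apparmor.d, would be unloaded by aa-remove-unknown: /'
```

Nothing here is replaced or unloaded; the script only reports. If the report lists a profile that is confining running processes (check /proc/PID/attr/current for the processes you care about), keep it loaded, since once a profile is unloaded those processes cannot be re-confined from outside.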

Re: AppArmor changes (was: [opensuse-factory] New Tumbleweed snapshot 20180101 released!)

Thorsten Kukuk
In reply to this post by Christian Boltz-5
On Wed, Jan 03, Christian Boltz wrote:

> For now, I can offer two workarounds:
> - rcapparmor reload   while /var/lib/apparmor is writeable to build or
>   update the cache (which also means no more write attempts on boot until
>   you install a new kernel)   - or -
> - disable the "write-cache" option in /etc/apparmor/parser.conf - but
>   let me warn you that this slows down profile loading 5 to 10 times,
>   so this is nothing I want to do for the "normal" distribution.
>   (If there is a build condition to match only Kubic, I'm willing to
>   accept that in the AppArmor package as a hotfix. Technically we just
>   have to disable a patch ;-)

As I wrote in one of the bug reports: since apparmor should load the
profiles very early in the boot process, it should do the very early
load without "write-cache" option and create the cache later in the
running system. This avoids that the profiles are loaded too late and
there are unprotected services running, and the performance problem
should be the same. At least I don't see why creating the cache and
loading the rules is faster than loading the rules without creating
the cache. If this is really the case, we should move the cache to
/run/ ....

  Thorsten

--
Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & CaaSP
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
GF: Felix Imendoerffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nuernberg)

Re: AppArmor changes (was: [opensuse-factory] New Tumbleweed snapshot 20180101 released!)

Christian Boltz-5
Hello,

Am Donnerstag, 4. Januar 2018, 16:18:24 CET schrieb Thorsten Kukuk:

> On Wed, Jan 03, Christian Boltz wrote:
> > For now, I can offer two workarounds:
> > - rcapparmor reload   while /var/lib/apparmor is writeable to build or
> >   update the cache (which also means no more write attempts on boot
> >   until you install a new kernel)   - or -
> > - disable the "write-cache" option in /etc/apparmor/parser.conf - but
> >   let me warn you that this slows down profile loading 5 to 10 times,
> >   so this is nothing I want to do for the "normal" distribution.
> >   (If there is a build condition to match only Kubic, I'm willing to
> >   accept that in the AppArmor package as a hotfix. Technically we
> >   just have to disable a patch ;-)
>
> As I wrote in one of the bug reports: since apparmor should load the
> profiles very early in the boot process, it should do the very early
> load without "write-cache" option and create the cache later in the
> running system. This avoids that the profiles are loaded too late and
> there are unprotected services running, and the performance problem
> should be the same.

Such a split makes sense if it helps to load profiles earlier - but if
it doesn't help with this, I'd prefer to avoid the additional
complexity.

As you probably noticed in my reply to Aleksa, upstream provided a patch
that makes cache write failures a warning instead of an error. This is
probably not the final solution, but fixes the most urgent problem.

For building the profile cache, run   rcapparmor reload   while
/var/lib/apparmor is writeable.

> At least I don't see why creating the cache and
> loading the rules is faster than loading the rules without creating
> the cache. If this is really the case, we should move the cache to
> /run/ ....

;-))

The slowdown is obviously the comparison between "having a valid cache"
and "having no cache" - things are fast if you have a valid cache and
apparmor_parser doesn't need to re-compile the profiles.

If you don't have a valid cache, the difference between "loading the
profiles" and "loading the profiles and writing the cache" is very
small. Compiling the profiles needs time/CPU, writing the cache file to
disk is quite "cheap" in comparison.


Regards,

Christian Boltz
--
Ein Computer tut ja das, was man ihm "sagt", und nicht das, was
man will. Ergo muß man wissen, wie man ihm sagt, was man will.
[Stefan G. Weichinger in postfixbuch-users]


