Merge ~sergiodj/ubuntu/+source/sssd:bug1910611-update-apparmor-hirsute into ubuntu/+source/sssd:ubuntu/devel

Proposed by Sergio Durigan Junior
Status: Merged
Approved by: Sergio Durigan Junior
Approved revision: 2c49e64e959fa2c6fcb4169d66417b4d40266b84
Merged at revision: 2c49e64e959fa2c6fcb4169d66417b4d40266b84
Proposed branch: ~sergiodj/ubuntu/+source/sssd:bug1910611-update-apparmor-hirsute
Merge into: ubuntu/+source/sssd:ubuntu/devel
Diff against target: 36 lines (+13/-0)
2 files modified
debian/apparmor-profile (+5/-0)
debian/changelog (+8/-0)
Reviewer | Review Type | Date Requested | Status
Christian Ehrhardt | community | | Approve
Canonical Server Core Reviewers | | | Pending
Canonical Server | | | Pending
Review via email: mp+396542@code.launchpad.net

Description of the change

This is the fix for bug 1910611 on Hirsute.

The sssd apparmor profile is outdated with regards to a few aspects:

- It doesn't allow the execution of binaries under /usr/libexec/sssd/*

- It doesn't allow sssd to read configuration files under /etc/sssd/conf.d/*

- It doesn't allow sssd to read files under /etc/gss/mech.d/*

The original bug only complained about the first item, but while investigating I found the other two issues, so I'm fixing them as well.

Here's a PPA with the proposed package:

https://launchpad.net/~sergiodj/+archive/ubuntu/sssd-bug1910611

And autopkgtest is still happy:

autopkgtest [23:17:14]: @@@@@@@@@@@@@@@@@@@@ summary
ldap-user-group-ldap-auth PASS
ldap-user-group-krb5-auth PASS
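The three gaps listed in the description are exactly what shows up in the kernel audit log as apparmor="DENIED" events before the profile is fixed: an exec denial for a helper under /usr/libexec/sssd/, and open denials for files under /etc/sssd/conf.d/ and /etc/gss/mech.d/. The script below is an added example, not code from the sssd package or from this merge proposal: it parses such denial lines and aggregates them into candidate profile rules at the parent-directory level, the same globbing choice the patch makes. The log lines in SAMPLE_LOG are constructed (helper names such as sssd_be and /usr/local/bin/helper are assumptions, not taken from the bug report). Note that it only proposes what the log proves was needed, so for the exec case it emits `ix` rather than the `rmix` the profile uses; the `r` and `m` would surface as further denials on a second pass.

```python
"""Turn AppArmor DENIED audit lines into candidate profile rules.

Added example, not code from the sssd package or this merge proposal.
SAMPLE_LOG is constructed to resemble the denials an outdated sssd
profile produces; it is not copied from the bug report.
"""
import os
import re
from collections import defaultdict

# key="quoted value" or key=bareword, as written by the kernel audit subsystem
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample log (not real output): one exec denial, two read denials,
# a capability denial without a path, a line already ALLOWED, and an exec of a
# binary that root does not own (assumed path, used to exercise the warning).
SAMPLE_LOG = """\
Jan 18 16:57:21 host kernel: audit: type=1400 audit(1611006000.001:101): apparmor="DENIED" operation="exec" profile="/usr/sbin/sssd" name="/usr/libexec/sssd/sssd_be" pid=1234 comm="sssd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Jan 18 16:57:21 host kernel: audit: type=1400 audit(1611006000.002:102): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/sssd/conf.d/01-domain.conf" pid=1234 comm="sssd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 18 16:57:21 host kernel: audit: type=1400 audit(1611006000.003:103): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/gss/mech.d/gssproxy.conf" pid=1240 comm="sssd_be" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 18 16:57:22 host kernel: audit: type=1400 audit(1611006000.004:104): apparmor="DENIED" operation="capable" profile="/usr/sbin/sssd" pid=1234 comm="sssd" capability=12 capname="net_admin"
Jan 18 16:57:22 host kernel: audit: type=1400 audit(1611006000.005:105): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/etc/sssd/sssd.conf" pid=1234 comm="sssd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 18 16:57:23 host kernel: audit: type=1400 audit(1611006000.006:106): apparmor="DENIED" operation="exec" profile="/usr/sbin/sssd" name="/usr/local/bin/helper" pid=1234 comm="sssd" requested_mask="x" denied_mask="x" fsuid=0 ouid=1000
"""


def parse_denials(text):
    """Return a list of field dicts, one per apparmor="DENIED" line."""
    denials = []
    for line in text.splitlines():
        fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
                  for m in _KV_RE.finditer(line)}
        if fields.get("apparmor") == "DENIED":
            denials.append(fields)
    return denials


def suggest_rules(denials, exec_qualifier="ix"):
    """Aggregate file denials per (profile, parent directory) into rules.

    Globbing at the parent directory is a policy choice (the one the sssd
    profile makes with /usr/libexec/sssd/*): less precise, but the profile
    does not need re-editing for every helper binary or conf.d snippet.
    exec_qualifier "ix" keeps the child inside the caller's profile; "Px"
    would hand the child off to a profile of its own.
    Returns ({profile: [rule, ...]}, [warning, ...]).
    """
    masks = defaultdict(set)
    warnings = []
    for d in denials:
        path = d.get("name", "")
        if not path.startswith("/"):
            continue  # capability/network denials carry no file path
        mask = d.get("denied_mask") or d.get("requested_mask", "")
        # create/append/delete all need 'w' in a profile rule
        letters = {"w" if c in "acd" else c for c in mask}
        # A root daemon denied exec of a file root does not own is a finding,
        # not a missing rule: report it instead of auto-allowing it.
        if "x" in letters and d.get("ouid", "0") != "0":
            warnings.append(f"{d['profile']}: exec of non-root-owned {path} "
                            f"(ouid={d['ouid']}) needs manual review")
            continue
        masks[(d["profile"], os.path.dirname(path))] |= letters

    rules = defaultdict(list)
    for (profile, parent), letters in sorted(masks.items()):
        perms = "".join(c for c in "rwmkl" if c in letters)
        if "x" in letters:
            rules[profile].append(f"{parent}/* {perms}{exec_qualifier},")
        else:
            if "r" in letters:
                rules[profile].append(f"{parent}/ r,")      # directory listing
            rules[profile].append(f"{parent}/** {perms},")  # files, recursively
    return dict(rules), warnings


if __name__ == "__main__":
    proposed, warns = suggest_rules(parse_denials(SAMPLE_LOG))
    for profile, lines in proposed.items():
        print(f"# candidate additions for profile {profile}")
        for rule in lines:
            print(f"  {rule}")
    for w in warns:
        print("WARNING:", w)
```

Run against the constructed log it proposes the conf.d, mech.d and libexec rules and refuses to propose one for the non-root-owned helper. Treat the output as input to a review, not as something to paste into the profile: the tool cannot know whether a denial was a bug in the profile or the profile doing its job.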

Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

I'm marking Christian as a reviewer because he also reviewed (and approved) the Focal MP.

Christian, as I said in the Focal MP:

1) There's also a Groovy MP for this: https://code.launchpad.net/~sergiodj/ubuntu/+source/sssd/+git/sssd/+merge/396453

2) I submitted this same change to Debian here: https://salsa.debian.org/sssd-team/sssd/-/merge_requests/12

Thanks!

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Thanks, I've checked the groovy MP as well by now.

Ack on the apparmor changes and in Hirsute the version is ok.

Thanks for the Debian MP as well.
There the piuparts test failure seems legit; not due to your changes, but still a legit error, as FYI.

You already mentioned the i386 build issues before. I guess you decided that since https://launchpad.net/ubuntu/+source/sssd/2.4.0-1ubuntu2 is b-wait on i386 as well it will be no-change and therefore ok.
I agree if that is the case, but otherwise please speak up.

OTOH i386 - see https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1904990
Maybe sooner or later i386 will resolve that way, but it does not have to stop/gate this upload.

review: Approve
Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

Thanks for the review, Christian. As we've already discussed during standup, I'm aware of the i386 situation. I went ahead and did the upload.

$ git push pkg upload/2.4.0-1ubuntu3
Enumerating objects: 13, done.
Counting objects: 100% (13/13), done.
Delta compression using up to 8 threads
Compressing objects: 100% (9/9), done.
Writing objects: 100% (9/9), 1.24 KiB | 158.00 KiB/s, done.
Total 9 (delta 6), reused 0 (delta 0)
To ssh://git.launchpad.net/ubuntu/+source/sssd
 * [new tag] upload/2.4.0-1ubuntu3 -> upload/2.4.0-1ubuntu3

$ dput sssd_2.4.0-1ubuntu3_source.changes
Trying to upload package to ubuntu
Checking signature on .changes
gpg: /home/sergio/work/sssd/sssd_2.4.0-1ubuntu3_source.changes: Valid signature from 106DA1C8C3CBBF14
Checking signature on .dsc
gpg: /home/sergio/work/sssd/sssd_2.4.0-1ubuntu3.dsc: Valid signature from 106DA1C8C3CBBF14
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading sssd_2.4.0-1ubuntu3.dsc: done.
  Uploading sssd_2.4.0-1ubuntu3.debian.tar.xz: done.
  Uploading sssd_2.4.0-1ubuntu3_source.buildinfo: done.
  Uploading sssd_2.4.0-1ubuntu3_source.changes: done.
Successfully uploaded packages.

Preview Diff

diff --git a/debian/apparmor-profile b/debian/apparmor-profile
index c5f3658..ecf5f7d 100644
--- a/debian/apparmor-profile
+++ b/debian/apparmor-profile
@@ -25,10 +25,15 @@
25 /etc/localtime r,25 /etc/localtime r,
26 /etc/shells r,26 /etc/shells r,
27 /etc/sssd/sssd.conf r,27 /etc/sssd/sssd.conf r,
28 /etc/sssd/conf.d/ r,
29 /etc/sssd/conf.d/** r,
30 /etc/gss/mech.d/ r,
31 /etc/gss/mech.d/** r,
2832
29 /usr/lib/@{multiarch}/ldb/modules/ldb/* m,33 /usr/lib/@{multiarch}/ldb/modules/ldb/* m,
30 /usr/lib/@{multiarch}/samba/ldb/* m,34 /usr/lib/@{multiarch}/samba/ldb/* m,
31 /usr/lib/@{multiarch}/sssd/* rix,35 /usr/lib/@{multiarch}/sssd/* rix,
36 /usr/libexec/sssd/* rmix,
32 /usr/sbin/sssd rmix,37 /usr/sbin/sssd rmix,
3338
34 /tmp/{,.}krb5cc_* rwk,39 /tmp/{,.}krb5cc_* rwk,
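Review bot: the new `/usr/libexec/sssd/* rmix,` line grants `m` (mmap) in addition to what the existing `/usr/lib/@{multiarch}/sssd/* rix,` line two rows above grants, and the changelog in this same upload calls the change "read/execute"; either drop the `m` to match the existing helper rule, or keep it (it matches `/usr/sbin/sssd rmix,` on the next line) and say so in the changelog, so that the two helper rules do not silently diverge in what they permit. The `ix` qualifier is right for this hunk: the helpers stay confined under the sssd profile rather than escaping to an unconfined or separate one. The paired `/etc/sssd/conf.d/ r,` and `/etc/sssd/conf.d/** r,` rules (likewise for `/etc/gss/mech.d/`) are the correct shape, since the directory rule is what lets sssd enumerate the snippets and the `**` rule is what lets it read them.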
diff --git a/debian/changelog b/debian/changelog
index 568e3cc..f327146 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
1sssd (2.4.0-1ubuntu3) hirsute; urgency=medium
2
3 * d/apparmor-profile: Update profile. (LP: #1910611)
4 - Extend read permissions to /etc/sssd/conf.d/* and /etc/gss/mech.d/*.
5 - Add read/execute permission to /usr/libexec/sssd/*.
6
7 -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 18 Jan 2021 16:57:21 -0500
8
1sssd (2.4.0-1ubuntu2) hirsute; urgency=medium9sssd (2.4.0-1ubuntu2) hirsute; urgency=medium
210
3 * d/p/0003-Only-start-sssd.service-if-there-s-a-configuration-f.patch:11 * d/p/0003-Only-start-sssd.service-if-there-s-a-configuration-f.patch:
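Review bot: the changelog wording does not quite match the profile hunk it describes: "Add read/execute permission to /usr/libexec/sssd/*" corresponds to a rule that is `rmix` (read, mmap, inherit-execute), and "Extend read permissions to /etc/sssd/conf.d/* and /etc/gss/mech.d/*" corresponds to rules that use `**` (recursive) plus a read rule on the directory itself. Suggest stating the actual permissions, e.g. "Add rmix (read/mmap/inherit-exec) permission to /usr/libexec/sssd/*" and "Allow reading /etc/sssd/conf.d/** and /etc/gss/mech.d/**", so that anyone auditing the profile change from the changelog alone sees what was really granted.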
