Merge ~sergiodj/ubuntu/+source/sssd:bug1910611-update-apparmor-focal into ubuntu/+source/sssd:ubuntu/focal-devel

Proposed by Sergio Durigan Junior on 2021-01-18
Status: Merged
Approved by: Sergio Durigan Junior on 2021-01-21
Approved revision: 219ccf95c2bf926f9868c5abda944d24bef7f326
Merge reported by: Sergio Durigan Junior
Merged at revision: 219ccf95c2bf926f9868c5abda944d24bef7f326
Proposed branch: ~sergiodj/ubuntu/+source/sssd:bug1910611-update-apparmor-focal
Merge into: ubuntu/+source/sssd:ubuntu/focal-devel
Diff against target: 36 lines (+13/-0)
2 files modified
debian/apparmor-profile (+5/-0)
debian/changelog (+8/-0)
Reviewer Review Type Date Requested Status
Christian Ehrhardt  2021-01-18 Approve on 2021-01-19
Canonical Server Team 2021-01-18 Pending
Review via email: mp+396454@code.launchpad.net

Description of the change

This is the fix for bug 1910611 on Focal.

The sssd apparmor profile is outdated with regards to a few aspects:

- It doesn't allow the execution of binaries under /usr/libexec/sssd/*

- It doesn't allow sssd to read configuration files under /etc/sssd/conf.d/*

- It doesn't allow sssd to read files under /etc/gss/mech.d/*

The original bug only complained about the first item, but while investigating I found the other two issues, so I'm fixing them as well.

The SRU template is already in place, and contains specific instructions for reproducing the bug and testing the package.

Here's a PPA with the proposed package:

https://launchpad.net/~sergiodj/+archive/ubuntu/sssd-bug1910611

And autopkgtest is still happy:

autopkgtest [18:00:56]: @@@@@@@@@@@@@@@@@@@@ summary
ldap-user-group-ldap-auth PASS
ldap-user-group-krb5-auth PASS

To post a comment you must log in.
Sergio Durigan Junior (sergiodj) wrote :

I haven't been able to post an MP for hirsute yet because sssd doesn't compile on i386 there (there's a problem with uid-wrapper:i386 which I'm investigating). I know the SRU won't be accepted until the hirsute update is done, so even if this MP (and groovy's) is approved, I won't upload the package just yet.

Christian Ehrhardt  (paelzer) wrote :

I have read the bug in the past on triage - taking a look.

Christian Ehrhardt  (paelzer) wrote :

The changes LGTM and are rather trivial (no patches since it is in debian/*), ...
I assume as part of the Hirsute MP you'll also do a Debian submission?

BTW - we will also need a Groovy MP/upload - that built fine in your PPA, is there an MP for it?
Quite likely it is the same change there and an ultra fast-ack. So if you have the same change, don't bother (just for the process) to spin up that MP and wait for it.

But be careful there as groovy sssd is 2.3.1-3ubuntu2 which already was wrong - IMHO that should have been 2.3.1-3ubuntu0.x all the time. Not too bad since hirsute is on 2.4 but still I couldn't look away while reviewing this :-)

review: Approve
Sergio Durigan Junior (sergiodj) wrote :

On Tuesday, January 19 2021, Christian Ehrhardt  wrote:

> Review: Approve

Thanks, Christian.

> The changes LGTM and are rather trivial (no patches since it is in debian/*), ...
> I assume as part of the Hirsute MP you'll also do a Debian submission?

Yep; I already did yesterday:

https://salsa.debian.org/sssd-team/sssd/-/merge_requests/12

> BTW - we will also need a Groovy MP/upload - that built fine in your PPA, is there an MP for it?

Yes, I filed it at the same time yesterday:

https://code.launchpad.net/~sergiodj/ubuntu/+source/sssd/+git/sssd/+merge/396453

Curious that you didn't see it!

> Quite likely it is the same change there and an ultra fast-ack. So if you have the same change, don't bother (just for the process) to spin up that MP and wait for it.

Exactly, it's the same change.

> But be careful there as groovy sssd is 2.3.1-3ubuntu2 which already
> was wrong - IMHO that should have been 2.3.1-3ubuntu0.x all the
> time. Not too bad since hirsute is on 2.4 but still I couldn't look
> away while reviewing this :-)

Yeah; unfortunately I was the one who introduced this versioning error
on Groovy. I talked to Robie when I noticed, but he told me it was OK
and that I shouldn't worry about it. Anyway, as you say, I'm glad that
we're on 2.4 on hirsute.

Thanks!

--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14

Sergio Durigan Junior (sergiodj) wrote :

Uploaded:

$ git push pkg upload/2.2.3-3ubuntu0.3
Enumerating objects: 13, done.
Counting objects: 100% (13/13), done.
Delta compression using up to 8 threads
Compressing objects: 100% (9/9), done.
Writing objects: 100% (9/9), 1.25 KiB | 106.00 KiB/s, done.
Total 9 (delta 6), reused 0 (delta 0)
To ssh://git.launchpad.net/ubuntu/+source/sssd
 * [new tag] upload/2.2.3-3ubuntu0.3 -> upload/2.2.3-3ubuntu0.3

$ dput sssd_2.2.3-3ubuntu0.3_source.changes
Trying to upload package to ubuntu
Checking signature on .changes
gpg: /home/sergio/work/sssd/sssd-focal/sssd_2.2.3-3ubuntu0.3_source.changes: Valid signature from 106DA1C8C3CBBF14
Checking signature on .dsc
gpg: /home/sergio/work/sssd/sssd-focal/sssd_2.2.3-3ubuntu0.3.dsc: Valid signature from 106DA1C8C3CBBF14
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading sssd_2.2.3-3ubuntu0.3.dsc: done.
  Uploading sssd_2.2.3-3ubuntu0.3.diff.gz: done.
  Uploading sssd_2.2.3-3ubuntu0.3_source.buildinfo: done.
  Uploading sssd_2.2.3-3ubuntu0.3_source.changes: done.
Successfully uploaded packages.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/debian/apparmor-profile b/debian/apparmor-profile
2index c5f3658..ecf5f7d 100644
3--- a/debian/apparmor-profile
4+++ b/debian/apparmor-profile
5@@ -25,10 +25,15 @@
6 /etc/localtime r,
7 /etc/shells r,
8 /etc/sssd/sssd.conf r,
9+ /etc/sssd/conf.d/ r,
10+ /etc/sssd/conf.d/** r,
11+ /etc/gss/mech.d/ r,
12+ /etc/gss/mech.d/** r,
13
14 /usr/lib/@{multiarch}/ldb/modules/ldb/* m,
15 /usr/lib/@{multiarch}/samba/ldb/* m,
16 /usr/lib/@{multiarch}/sssd/* rix,
17+ /usr/libexec/sssd/* rmix,
18 /usr/sbin/sssd rmix,
19
20 /tmp/{,.}krb5cc_* rwk,
21diff --git a/debian/changelog b/debian/changelog
22index b6366f5..d46090c 100644
23--- a/debian/changelog
24+++ b/debian/changelog
25@@ -1,3 +1,11 @@
26+sssd (2.2.3-3ubuntu0.3) focal; urgency=medium
27+
28+ * d/apparmor-profile: Update profile. (LP: #1910611)
29+ - Extend read permissions to /etc/sssd/conf.d/* and /etc/gss/mech.d/*.
30+ - Add read/execute permission to /usr/libexec/sssd/*.
31+
32+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 18 Jan 2021 16:30:13 -0500
33+
34 sssd (2.2.3-3ubuntu0.2) focal; urgency=medium
35
36 * d/p/0003-Only-start-sssd.service-if-there-s-a-configuration-f.patch:

Subscribers

People subscribed via source and target branches