Merge ~sergiodj/ubuntu/+source/sssd:bug1910611-update-apparmor-hirsute into ubuntu/+source/sssd:ubuntu/devel

Proposed by Sergio Durigan Junior on 2021-01-20
Status: Merged
Approved by: Sergio Durigan Junior on 2021-01-20
Approved revision: 2c49e64e959fa2c6fcb4169d66417b4d40266b84
Merged at revision: 2c49e64e959fa2c6fcb4169d66417b4d40266b84
Proposed branch: ~sergiodj/ubuntu/+source/sssd:bug1910611-update-apparmor-hirsute
Merge into: ubuntu/+source/sssd:ubuntu/devel
Diff against target: 36 lines (+13/-0)
2 files modified
debian/apparmor-profile (+5/-0)
debian/changelog (+8/-0)
Reviewer                         Review Type   Date Requested   Status
Christian Ehrhardt                             2021-01-20       Approve on 2021-01-20
Canonical Server Core Reviewers                2021-01-20       Pending
Canonical Server Team                          2021-01-20       Pending
Review via email: mp+396542@code.launchpad.net

Description of the change

This is the fix for bug 1910611 on Hirsute.

The sssd apparmor profile is outdated with regard to a few aspects:

- It doesn't allow the execution of binaries under /usr/libexec/sssd/*

- It doesn't allow sssd to read configuration files under /etc/sssd/conf.d/*

- It doesn't allow sssd to read files under /etc/gss/mech.d/*

The original bug only complained about the first item, but while investigating I found the other two issues, so I'm fixing them as well.

Here's a PPA with the proposed package:

https://launchpad.net/~sergiodj/+archive/ubuntu/sssd-bug1910611

And autopkgtest is still happy:

autopkgtest [23:17:14]: @@@@@@@@@@@@@@@@@@@@ summary
ldap-user-group-ldap-auth PASS
ldap-user-group-krb5-auth PASS
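To check that rules like the ones added in this MP actually cover the files the description lists (and that a single `*` does not reach into subdirectories while `**` does), here is an added Python example; it is not code from the merge proposal or the sssd package. The profile excerpt is constructed from the rules visible in the diff, the `multiarch` value is an assumption, and only the subset of AppArmor glob syntax those rules use is implemented.

```python
"""Which AppArmor permissions does a profile grant to the paths sssd opens?
Added example (not from the MP or the sssd package): a subset of AppArmor
path-glob matching ('*', '**', '{a,b}', '@{var}') for checking file rules."""
import re

# Constructed excerpt mirroring the rules touched by this merge proposal.
PROFILE = """
  /etc/sssd/sssd.conf r,
  /etc/sssd/conf.d/ r,
  /etc/sssd/conf.d/** r,
  /etc/gss/mech.d/** r,
  /usr/lib/@{multiarch}/sssd/* rix,
  /usr/libexec/sssd/* rmix,
  /usr/sbin/sssd rmix,
  /tmp/{,.}krb5cc_* rwk,
"""
RULE_RE = re.compile(r"^\s*(/\S+)\s+([a-zA-Z]+),\s*$")

def glob_to_regex(pattern, variables=None):
    """'*' matches within one path component, '**' across components,
    '{a,b}' is alternation and '@{var}' is expanded from `variables`."""
    for name, value in (variables or {}).items():
        pattern = pattern.replace("@{%s}" % name, value)
    out, depth, i = "", 0, 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
            continue
        c = pattern[i]
        if c == "*":
            out += "[^/]*"
        elif c == "{":
            out, depth = out + "(?:", depth + 1
        elif c == "}" and depth:
            out, depth = out + ")", depth - 1
        elif c == "," and depth:
            out += "|"
        else:
            out += re.escape(c)
        i += 1
    return re.compile("^" + out + "$")

def parse_profile(text, variables=None):
    """Return (compiled path regex, set of permission letters) per file rule."""
    return [(glob_to_regex(m.group(1), variables), set(m.group(2)))
            for m in map(RULE_RE.match, text.splitlines()) if m]

def permissions_for(rules, path):
    """Union of the permission letters all matching rules grant to `path`."""
    return set().union(*(perms for rx, perms in rules if rx.match(path)))
```

`parse_profile(PROFILE, {"multiarch": "x86_64-linux-gnu"})` followed by `permissions_for(rules, "/usr/libexec/sssd/sub/helper")` returns an empty set, showing that `*` stops at the next `/` while `/etc/sssd/conf.d/**` covers nested snippets as well.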

Sergio Durigan Junior (sergiodj) wrote:

I'm marking Christian as a reviewer because he also reviewed (and approved) the Focal MP.

Christian, as I said in the Focal MP:

1) There's also a Groovy MP for this: https://code.launchpad.net/~sergiodj/ubuntu/+source/sssd/+git/sssd/+merge/396453

2) I submitted this same change to Debian here: https://salsa.debian.org/sssd-team/sssd/-/merge_requests/12

Thanks!

Christian Ehrhardt  (paelzer) wrote :

Thanks, I've checked the groovy MP as well by now.

Ack on the apparmor changes and in Hirsute the version is ok.

Thanks for the Debian MP as well.
There the piuparts test failure seems legit; not due to your changes, but still a legit error, as FYI.

You already mentioned the i386 build issues before. I guess you decided that since https://launchpad.net/ubuntu/+source/sssd/2.4.0-1ubuntu2 is b-wait on i386 as well, it will be no-change and therefore ok.
I agree if that is the case, but otherwise please speak up.

OTOH i386 - see https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1904990
Maybe sooner or later i386 will resolve that way, but it does not have to stop/gate this upload.

review: Approve
Sergio Durigan Junior (sergiodj) wrote:

Thanks for the review, Christian. As we've already discussed during standup, I'm aware of the i386 situation. I went ahead and did the upload.

$ git push pkg upload/2.4.0-1ubuntu3
Enumerating objects: 13, done.
Counting objects: 100% (13/13), done.
Delta compression using up to 8 threads
Compressing objects: 100% (9/9), done.
Writing objects: 100% (9/9), 1.24 KiB | 158.00 KiB/s, done.
Total 9 (delta 6), reused 0 (delta 0)
To ssh://git.launchpad.net/ubuntu/+source/sssd
 * [new tag] upload/2.4.0-1ubuntu3 -> upload/2.4.0-1ubuntu3

$ dput sssd_2.4.0-1ubuntu3_source.changes
Trying to upload package to ubuntu
Checking signature on .changes
gpg: /home/sergio/work/sssd/sssd_2.4.0-1ubuntu3_source.changes: Valid signature from 106DA1C8C3CBBF14
Checking signature on .dsc
gpg: /home/sergio/work/sssd/sssd_2.4.0-1ubuntu3.dsc: Valid signature from 106DA1C8C3CBBF14
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading sssd_2.4.0-1ubuntu3.dsc: done.
  Uploading sssd_2.4.0-1ubuntu3.debian.tar.xz: done.
  Uploading sssd_2.4.0-1ubuntu3_source.buildinfo: done.
  Uploading sssd_2.4.0-1ubuntu3_source.changes: done.
Successfully uploaded packages.

Preview Diff

1diff --git a/debian/apparmor-profile b/debian/apparmor-profile
2index c5f3658..ecf5f7d 100644
3--- a/debian/apparmor-profile
4+++ b/debian/apparmor-profile
5@@ -25,10 +25,15 @@
6 /etc/localtime r,
7 /etc/shells r,
8 /etc/sssd/sssd.conf r,
9+ /etc/sssd/conf.d/ r,
10+ /etc/sssd/conf.d/** r,
11+ /etc/gss/mech.d/ r,
12+ /etc/gss/mech.d/** r,
13
14 /usr/lib/@{multiarch}/ldb/modules/ldb/* m,
15 /usr/lib/@{multiarch}/samba/ldb/* m,
16 /usr/lib/@{multiarch}/sssd/* rix,
17+ /usr/libexec/sssd/* rmix,
18 /usr/sbin/sssd rmix,
19
20 /tmp/{,.}krb5cc_* rwk,
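Review bot: the two helper-binary rules now grant different permissions to what look like the same kind of executables: the existing `/usr/lib/@{multiarch}/sssd/* rix,` stays at `rix`, while the new `/usr/libexec/sssd/* rmix,` also grants `m` (mmap as executable). If the libexec helpers need `m`, the multiarch rule likely does too (or it can be dropped once the binaries have moved); either way a short comment in the profile explaining why the two differ would help the next reader. Also consider whether `/etc/sssd/conf.d/** r,` and `/etc/gss/mech.d/** r,` need to reach into nested directories; `/etc/sssd/conf.d/* r,` would limit the grant to files directly under the directory, which is what the description says sssd reads.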
21diff --git a/debian/changelog b/debian/changelog
22index 568e3cc..f327146 100644
23--- a/debian/changelog
24+++ b/debian/changelog
25@@ -1,3 +1,11 @@
26+sssd (2.4.0-1ubuntu3) hirsute; urgency=medium
27+
28+ * d/apparmor-profile: Update profile. (LP: #1910611)
29+ - Extend read permissions to /etc/sssd/conf.d/* and /etc/gss/mech.d/*.
30+ - Add read/execute permission to /usr/libexec/sssd/*.
31+
32+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 18 Jan 2021 16:57:21 -0500
33+
34 sssd (2.4.0-1ubuntu2) hirsute; urgency=medium
35
36 * d/p/0003-Only-start-sssd.service-if-there-s-a-configuration-f.patch:
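Review bot: the changelog entry understates what the new rules grant. "Extend read permissions to /etc/sssd/conf.d/* and /etc/gss/mech.d/*" describes a single-level `*`, but the profile uses `**`, which also matches nested subdirectories, and the directory entries themselves (`/etc/sssd/conf.d/ r,`, `/etc/gss/mech.d/ r,`) are covered as well. Likewise "Add read/execute permission to /usr/libexec/sssd/*" corresponds to `rmix`, i.e. read, mmap and execute with profile inheritance. Spelling out the exact permissions (`**` with `r`, `rmix`) in the entry makes the confinement change auditable from the changelog alone.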
