debcrafters-packages team mailing list archive

[Julian Andres Klode <2102033@xxxxxxxxxxxxxxxxxx>]

Hello Erich, or anyone else affected,

Accepted apparmor into plucky-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/apparmor/4.1.0~beta5-0ubuntu14.1 in
a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
plucky to verification-done-plucky. If it does not fix the bug for you,
please add a comment stating that, and change the tag to verification-
failed-plucky. In either case, without details of your testing we will
not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: apparmor (Ubuntu Plucky)
       Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-plucky

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to remmina in Ubuntu.
https://bugs.launchpad.net/bugs/2102033

Title:
  remmina blocked by apparmor in Plucky

Status in apparmor package in Ubuntu:
  Fix Released
Status in remmina package in Ubuntu:
  Invalid
Status in apparmor source package in Plucky:
  Fix Committed
Status in remmina source package in Plucky:
  Invalid
Status in apparmor source package in Questing:
  Fix Released
Status in remmina source package in Questing:
  Invalid

Bug description:
  SRU Justification:

  [ Impact ]

  The remmina profile is missing a bunch of rules that would be needed
  in order to allow usage of all its functionality. For example, remmina
  lacked permissions to read ssh keys for the SSH and SFTP operation
  modes, lacked permissions to access KDE Wallet secret storage, and
  could not create files needed for TLS-secured RDP. As such, we will
  need to pull the remmina profile from Plucky to avoid breaking its
  usages.

  [ Test Plan ]

   * Run `sudo aa-status` and look for a loaded remmina profile: it should not be there
   * If it is still there after installing the updated AppArmor and rebooting, report verification test failure
   * Launch remmina
   * Use ps -Zelf | grep -F remmina to locate the running remmina process
   * Read the output to verify that remmina is now unconfined
   * The following steps exercise the SSH operation mode of remmina to verify that it is not broken:
     - Set up a different server that uses SSH pubkey authentication, place the keypair inside the Plucky client's `~/.ssh`, and verify from a terminal window that the keypair works as authentication for SSHing into the server
     - Click the '+' button to add a new connection
     - Set the protocol to SSH
     - Enter the server URL and set the authentication type to 'SSH identity file'
     - Check the 'SSH identity file' checkbox and select the private key inside `~/.ssh`. If a permission denial occurs when trying to select the file, report verification test failure
     - Click the 'Connect' button and follow any prompt it might show, which should end with successfully opening a remote shell
   * Fully quit remmina through its menu, its task bar entry, or by Ctrl-C'ing its terminal (closing the GUI window is insufficient)
   * Install apparmor-profiles if it wasn't installed already
   * Repeat the above steps to verify that remmina is unconfined even when apparmor-profiles is also installed (including reboot if installing apparmor-profiles fresh)
   * Warning: remmina writes a .desktop file to automatically start itself upon login, which will complicate profile replacement or removal if investigating remmina test failure

  [ Where problems could occur ]

  The removal of the profile should restore remmina's functionality to
  its original state before a profile was added, as an application would
  not rely on external AppArmor denials to function correctly. However,
  if a user set up custom profiles that use "peer=remmina" IPC rules,
  then these rules would break upon the upgrade removing the remmina
  profile. None of the officially shipped profiles include such rules.

  [ Other Info ]

  --------Original bug report:

  Remmina is now failing on plucky, blocked by apparmor:

  Failed to register:
  GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An AppArmor
  policy prevents this sender from sending this message to this
  recipient; type="method_call", sender=":1.126" (uid=1000 pid=9636
  comm="remmina" label="remmina (enforce)") interface="org.gtk.Actions"
  member="DescribeAll" error name="(unset)" requested_reply="0"
  destination="org.remmina.Remmina" (uid=1000 pid=4366
  comm="/usr/bin/remmina -i" label="remmina (enforce)")

  ProblemType: Bug
  DistroRelease: Ubuntu 25.04
  Package: remmina 1.4.39+dfsg-1
  ProcVersionSignature: Ubuntu 6.12.0-16.16-generic 6.12.11
  Uname: Linux 6.12.0-16-generic x86_64
  NonfreeKernelModules: nvidia_modeset nvidia
  ApportVersion: 2.32.0-0ubuntu2
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: KDE
  Date: Tue Mar 11 09:09:15 2025
  InstallationDate: Installed on 2024-10-30 (132 days ago)
  InstallationMedia: Ubuntu-Studio 24.10 "Oracular Oriole" - Release amd64 (20241007.1)
  SourcePackage: remmina
  UpgradeStatus: Upgraded to plucky on 2025-01-25 (45 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2102033/+subscriptions