[Pkg-xfce-devel] Bug#747252: lightdm: AppArmor parser error in /etc/apparmor.d/abstractions/lightdm_chromium-browser

Daniel Richard G. skunk at iSKUNK.ORG
Thu Jun 5 17:07:01 UTC 2014


On Thu, 2014 Jun  5 11:00+0200, intrigeri wrote:
>
> I gave it a quick try as part of my work on AppArmor support in
> Debian. The attached patch suppresses the parser errors on unknown
> ptrace and signal keywords, but then:
>
> # apparmor_parser -r /etc/apparmor.d/lightdm-guest-session
> profile has merged rule with conflicting x modifiers ERROR processing
> regexs for profile /usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-
> session, failed to load

Well, that's frustrating :(  This is on sid?

> It's unclear to me what "working/tested" means in this context, if
> Daniel Richard G.'s assertion that the lightdm guest session does not
> exist on Debian. Do you mean a patched profile that parses right, even
> if it's entirely useless?

That's what I took it to mean, FWIW. Getting LightDM guest sessions
working on Debian is likely going to be a project all its own, so for
now, just getting rid of the parse error (one way or another) is enough.


On Thu, 2014 Jun  5 16:04+0200, intrigeri wrote:
>
> As someone working on improving AppArmor support in Debian, my
> personal expectation wrt. this bug is to avoid creating the situation
> where Debian users, who dared to enable AppArmor, are used to more or
> less always seeing the `apparmor' service in failed state, because oh
> well, there's always something that doesn't parse somewhere, but
> nothing particularly critical.

I agree; the error when the profiles are loaded not only trains users to
accept random security-related failures, it's also misleading, in that
all the other profiles are still loaded and effective.

Another problem that I recently found: The parse error, despite being in
a completely extraneous profile, prevents aa-genprof(1) from working.

> If the information I read is correct, this profile brings absolutely
> no security improvement, so I suggest to simply stop shipping it.

My preference would be to patch it and keep it in, so that anyone who
wants to get LightDM guest session stuff working doesn't have to hunt
for it. But if that "conflicting x modifiers" error is the start of a
wild goose chase, then it's not worth the candle.


