macro/alias, and Breaks: apparmor << version-that-does-not-have-it".
Turns out the Breaks doesn't work so well for us in this case[2]:
Unpacking apparmor (5.0.0~alpha1-0ubuntu7) over (5.0.0~alpha1-0ubuntu4) ...
Preparing to unpack .../cups-browsed_2.1.1-0ubuntu2~ppa1_amd64.deb ...
Unpacking cups-browsed (2.1.1-0ubuntu2~ppa1) over (2.1.1-0ubuntu1) ...
Setting up cups-browsed (2.1.1-0ubuntu2~ppa1) ...
Installing new version of config file /etc/apparmor.d/usr.sbin.cups-browsed ...
Failed to find declaration for: @{coreutil_dirs}
ERROR expanding variables for profile /usr/sbin/cups-browsed, failed to load
Setting up apparmor (5.0.0~alpha1-0ubuntu7) ...
Installing new version of config file /etc/apparmor.d/abstractions/bash ...
(...)
Installing new version of config file /etc/apparmor.d/tunables/global ...
(...)
Removing obsolete conffile /etc/apparmor.d/free ...
Removing obsolete conffile /etc/apparmor.d/curl ...
Reloading AppArmor profiles
Apparmor is unpacked before cups-browsed (which has the Breaks: apparmor
(<< 5.0.0~alpha1-0ubuntu7)), but the file that contains the new
@{coreutil_dirs} definition is only installed later, in apparmor's
postinst (/etc/apparmor.d/tunables/global). The assumption was that it
would be available after apparmor was unpacked, but I guess due to the
config file management, that's not the case.
Also note that due to the way the apparmor profiles are loaded in most
(all?) postinsts, a failure there will not fail the package
installation, leaving the currently loaded profile intact. And in the
end, apparmor itself will reload the profiles.
Bottom line, the Breaks didn't help here, and it's debatable it will
help at all. It also introduces risk in the sense that the package
installation order will be changed.
Given that:
a) there is risk in introducing the Breaks this late in the game
(changes package installation ordering, forcing apparmor to be one of
the first)
b) failed postinst actions that reload the apparmor profile will not
fail the package installation
c) failed postinst to reload the apparmor profile will not touch the
already loaded profile, i.e., the confinement, whatever it was, stays
put
d) at some point, apparmor itself will reload all profiles, and at
that point the new variable definition will be in place
e) this change is happening during the development cycle still
f) users will get these new profiles via a release upgrade, or fresh
install, and both cases demand a reboot
I think that the Breaks addition should be skipped, unless we have a
clear bug where it is needed.
Thoughts?
Because of that risk, and the
1. https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2123870/comments/7
2. https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2123870/comments/17
On Fri, Sep 19, 2025 at 5:01 PM Andreas Hasenack
<andreas.hasenack@canonical.com> wrote:
>
> Hi,
>
> this is about LP: #2123870[1]. TL;DR is in comment #1[2]. We basically
> need to replace any reference to a coreutils binary in existing
> apparmor profiles to an expanded path list to cope with the different
> ways this binary can be called in questing.
>
> If using gnu-coreutils, we have a symlink /usr/bin/<tool> -> gnu<tool>
>
> If using rust coreutils, we have a symlink /usr/bin/<tool> ->
> /usr/lib/cargo/bin/coreutils/<tool>
>
> Since apparmor cares about the target, we have multiple possibilities
> for a rule that references, for example, /usr/bin/echo.
>
> In apparmor 5.0.0~alpha1-0ubuntu7[3], a variable was added to cope
> with these possibilities: @{coreutil_dirs}. See [4].
>
> We are now going over the list of affected profiles, and using that
> bug[1] to track the effort.
>
> At this time, this is NOT a call for help: this is a PSA/RFC. We might
> be touching a package you maintain and don't want uploaded now, or
> something else. These are all being done via git ubuntu PRs in
> launchpad. I expect some uploads will start happening early next week.
>
> Please reply if you have any comments, suggestions,
> zomg-please-dont-touch-my-package, etc.
>
>
> 1. https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2123870
> 2. https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2123870/comments/1
> 3. https://launchpad.net/ubuntu/+source/apparmor/5.0.0~alpha1-0ubuntu7
> 4. https://git.launchpad.net/ubuntu/+source/apparmor/commit/?id=e636b645358a49ec0845012a620061e203ab2cff
--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
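To make the ordering problem above concrete, here is an added Python sketch of AppArmor-style variable expansion, written for this thread and not taken from the apparmor package or its parser. The tunables content, the variable values and the cups-browsed profile fragment are constructed for illustration; only the "Failed to find declaration" failure mode and the @{coreutil_dirs} name come from the thread.

```python
import re

# Constructed stand-in for /etc/apparmor.d/tunables/global after the
# apparmor postinst has installed it. The values are an assumption for
# this example, not the definition shipped in 5.0.0~alpha1-0ubuntu7.
TUNABLES_GLOBAL = """
@{coreutil_dirs}=/usr/bin/ /usr/lib/cargo/bin/coreutils/
"""

# Constructed profile fragment in the style of usr.sbin.cups-browsed.
PROFILE = """
/usr/sbin/cups-browsed {
  @{coreutil_dirs}echo ix,
  /usr/bin/ls ix,
}
"""

DECL_RE = re.compile(r"^@\{(\w+)\}\s*\+?=\s*(.*)$", re.M)
REF_RE = re.compile(r"@\{(\w+)\}")


def parse_tunables(text):
    """Return {name: [values]} from '@{name}=v1 v2 ...' declarations."""
    return {name: values.split() for name, values in DECL_RE.findall(text)}


def expand_rule(path, variables):
    """Expand every @{var} in one rule path into all concrete paths.
    Raises KeyError naming the first undeclared variable, which is the
    situation behind 'Failed to find declaration for: @{coreutil_dirs}'."""
    paths = [path]
    for name in REF_RE.findall(path):
        if name not in variables:
            raise KeyError(f"@{{{name}}}")
        paths = [p.replace(f"@{{{name}}}", v, 1)
                 for p in paths for v in variables[name]]
    return paths


def load_profile(profile, variables):
    """Expand the path of every rule; return (expanded_paths, error)."""
    expanded = []
    for line in profile.splitlines():
        line = line.strip()
        if not line or line.endswith("{") or line == "}":
            continue  # skip blank lines and the profile's braces
        try:
            expanded.extend(expand_rule(line.split()[0], variables))
        except KeyError as exc:
            return expanded, f"Failed to find declaration for: {exc.args[0]}"
    return expanded, None


if __name__ == "__main__":
    # Before apparmor's postinst: tunables/global not yet installed.
    print(load_profile(PROFILE, {}))
    # After it: the variable resolves to every coreutils location.
    print(load_profile(PROFILE, parse_tunables(TUNABLES_GLOBAL)))
```

Run with an empty variable set it reproduces the load failure from the cups-browsed postinst; with the tunables parsed it shows why the profile works once apparmor itself reloads all profiles later.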