On a fresh install of the package, the file "/etc/apparmor.d/local/usr.bin.redshift" is missing. This causes apparmor to not be able to enforce the profile that comes with the package. The reason for this is that the apparmor profile that comes with the package, contains the following line: #include <local/usr.bin.redshift> If an user is not aware of this, they might assume, that the profile has been enforced the whole time. The solution is to create the file "/etc/apparmor.d/local/usr.bin.redshift", containing the line: # Site-specific additions and overrides for usr.bin.redshift This might be done in the package itself and can be reported to upstream. Reproducible: Always
Hi Sotir, let me first do a brain dump and then suggest something concrete: Braindump: - redshift is mostly dead upstream (https://github.com/jonls/redshift/) - redshift's AppArmor profile seems to have even more problems, see https://github.com/jonls/redshift/pull/864 - I have never used AppArmor myself, as of today - I would ideally like to understand fixes that I apply, if possible - As I just learned there is fork of redshift named gammastep at https://gitlab.com/chinstrap/gammastep - gammastep has a similar line in its AppArmor profile BUT with "if exists" at https://gitlab.com/chinstrap/gammastep/-/blob/master/data/apparmor/com.gitlab.chinstrap.gammastep.in - gammastep is apparently available in a number of other distributions, see https://repology.org/project/gammastep/versions Suggestions / ideas: - If "#include if exists" in redshift fixes the problem for you locally, I would ask you to create a pull request with explanation and that fix at the dead redshift upstream for everyone else to see, and then I'll apply that patch of yours in Gentoo. - If you consider https://github.com/jonls/redshift/pull/864 working and a good idea I can apply that patch in Gentoo as well. - You and/or me or both play with gammastep locally and see if packaging gammastep for Gentoo is feasable and if the app behaves similar to redshift in practice to be a viable substitute. What do you think? PS: How did you learn that redshift's AppArmor profile was inactive altogether? How does AppArmor let the user know? Best Sebastian
> redshift is mostly dead upstream Yeah, seems to be the case. > redshift's AppArmor profile seems to have even more problems Yeah not only that, this pull request mentions another pull request, fixing a segfault, which isn't merged. It's related to LDAP, which I don't use. > I have never used AppArmor myself, as of today I'm not an expert, but I've configured some profiles before. I'll read around their docs for reference and link them here when appropriate. > As I just learned there is fork of redshift named gammastep I didn't know, gammastep seems active. I was using redshift, just because I've been using it for a while, didn't even come to mind to look for another project since redshift just worked so far. If upstream continues being dead, I don't know what the procedure is usually with such packages on Gentoo, but I wouldn't personally mind the package being removed if there's an appropriate substitution. > If "#include if exists" in redshift fixes the problem for you locally, I would > ask you to create a pull request with explanation and that fix at the dead > redshift upstream for everyone else to see, and then I'll apply that patch of > yours in Gentoo. Sure I can try that and if it goes well, I'll send the pull request here. > If you consider https://github.com/jonls/redshift/pull/864 working and > a good idea I can apply that patch in Gentoo as well. I don't think that patch will apply cleanly, since this pull request is on a newer version of the file. The one installed on my system is different from the one changed with the pull request. It also seems to rely on other commits which are after the 1.12 tag. > You and/or me or both play with gammastep locally and > see if packaging gammastep for Gentoo is feasable and > if the app behaves similar to redshift in practice to be a viable substitute. I don't mind, I will try compiling it on my machine and will test it. I don't have any experience with packaging on Gentoo, but I can learn whatever I need to help you. > PS: How did you learn that redshift's AppArmor profile was inactive altogether? > How does AppArmor let the user know? The way I noticed initially was the OpenRC logs on boot showing that the profile isn't loaded because of an error on line 41 for the redshift profile. I ran the command "aa-status" and noticed that redshift is missing from there. To manually verify I ran: sudo aa-enforce /usr/bin/redshift Which gave me: ERROR: Include file /etc/apparmor.d/local/usr.bin.redshift not found After adding the file I ran aa-enforce again and restarted the program to see if aa-status will show it as enforced.
> Sure I can try that and if it goes well, I'll send the pull request here. Issue is, when I try it locally, applying the patch from master to v1.12 doesn't apply cleanly, unless I modify the patch file, so using the pull request directly wouldn't work probably.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=56b90a0b2599fa3bfdd64e96890d92f61e3bd937 commit 56b90a0b2599fa3bfdd64e96890d92f61e3bd937 Author: Sebastian Pipping <sping@gentoo.org> AuthorDate: 2022-12-26 23:41:24 +0000 Commit: Sebastian Pipping <sping@gentoo.org> CommitDate: 2022-12-26 23:53:33 +0000 x11-misc/gammastep: New package, fork of x11-misc/redshift Bug: https://bugs.gentoo.org/887979 Signed-off-by: Sebastian Pipping <sping@gentoo.org> x11-misc/gammastep/Manifest | 1 + x11-misc/gammastep/gammastep-2.0.9.ebuild | 85 +++++++++++++++++++++++++++++++ x11-misc/gammastep/metadata.xml | 13 +++++ 3 files changed, 99 insertions(+)
Created attachment 845103 [details, diff] Candidate patch for Redshift AppArmor profile Sotir, thanks for your positive reply! Any chance you could review and test the attached patch to RedShift, and also play with the new package "x11-misc/gammastep" of today? I'm happy to fix more on gammastep as well, as needed.
@slashbeast please be invited to add yourself as a maintainer to the new gammastep as well, if you like.
> Any chance you could review and test the attached patch to RedShift I applied the patch using: sudo patch /etc/apparmor.d/usr.bin.redshift redshift-1.12-apparmor.patch I checked the patched file and it seemed good. I then removed the file: /etc/apparmor.d/local/usr.bin.redshift Then I did: sudo aa-disable /usr/bin/redshift && sudo aa-enforce /usr/bin/redshift It all seems to work fine, the config works in the proper directory and the hooks work. It doesn't cause an error on the missing local config and it's enforced properly.
> and also play with the new package "x11-misc/gammastep" of today Just tested it and it works. The issue with the apparmor profile is that when you install the package it doesn't enforce it. The user must enforce it manually. When enforced it works fine.
Hi Sotir, happy new year and thanks for testing! I'll apply the patch to Redshift in a minute and then close the ticket as fixed. If Redshift and/or gammastep need more patching, please open new tickets. Cheers!
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ddf9074b3579b8587f3beb9f0817caa2d19c5ff8 commit ddf9074b3579b8587f3beb9f0817caa2d19c5ff8 Author: Sebastian Pipping <sping@gentoo.org> AuthorDate: 2023-01-01 15:59:48 +0000 Commit: Sebastian Pipping <sping@gentoo.org> CommitDate: 2023-01-01 16:01:58 +0000 x11-misc/redshift: Fix AppArmor profile Closes: https://bugs.gentoo.org/887979 Signed-off-by: Sebastian Pipping <sping@gentoo.org> .../redshift/files/redshift-1.12-apparmor.patch | 35 +++++++++ x11-misc/redshift/redshift-1.12-r9.ebuild | 91 ++++++++++++++++++++++ 2 files changed, 126 insertions(+)
