Bug 714158

Summary: sys-apps/apparmor-2.13.4 -> ? fails at runtime if built with sys-devel/make-4.3
Product: Gentoo Linux
Reporter: Aidan Harris <me>
Component: Current packages
Assignee: Michael Palimaka (kensington) <kensington>
Status: RESOLVED FIXED
Severity: normal
CC: aptx945, hardened, jstein, plevine457, reagentoo, soprwa
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://gitlab.com/apparmor/apparmor/-/issues/85
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: diff of the modified ebuild

Description Aidan Harris 2020-03-24 10:51:11 UTC
Apparmor parser fails due to broken capability detection. When restarting apparmor, several profiles fail to load with messages like "Invalid capability net_bind_service".

Reproducible: Always

Steps to Reproduce:
1. emerge -av1 "~sys-devel/make-4.3"
2. emerge -av1 "~sys-apps/apparmor-2.13.4" "~sys-libs/libapparmor-2.13.4" "~sys-apps/apparmor-utils-2.13.4"
3. rc-service apparmor -v --nodeps restart
4. Observe several apparmor profiles fail to load
5. Downgrade make: emerge -av1 "<sys-devel/make-4.3"
6. Re-build apparmor: emerge -av1 "~sys-apps/apparmor-2.13.4" "~sys-libs/libapparmor-2.13.4" "~sys-apps/apparmor-utils-2.13.4"
7. Restart apparmor services again (this time profiles will load correctly): rc-service apparmor -v --nodeps restart

Comment 2 Dmitriy Baranov 2020-04-13 15:56:33 UTC
@kensington https://github.com/gentoo/gentoo/pull/15037

Comment 3 Michael Palimaka (kensington) gentoo-dev 2020-04-14 12:21:11 UTC
(In reply to reagentoo from comment #2)
> @kensington https://github.com/gentoo/gentoo/pull/15037

The patch here looks quite different to the one noted in comment #1. I'm running stable so I can't test to see what the difference is. Any advice?

Comment 4 Dmitriy Baranov 2020-04-17 13:58:36 UTC
(In reply to Michael Palimaka (kensington) from comment #3)
> (In reply to reagentoo from comment #2)
> > @kensington https://github.com/gentoo/gentoo/pull/15037
> 
> The patch here looks quite different to the one noted in comment #1. I'm
> running stable so I can't test to see what the difference is. Any advice?

https://i.imgur.com/NlZkZ3T.png

Comment 5 Dmitriy Baranov 2020-04-17 14:04:52 UTC
Advice - to accept the PR or wait 5-10 months for the next release. Obviously.

Comment 6 Michael Palimaka (kensington) gentoo-dev 2020-06-16 10:33:03 UTC
*** Bug 727154 has been marked as a duplicate of this bug. ***

Comment 8 Jason Chan 2020-07-24 17:41:59 UTC
Created attachment 650600
diff of the modified ebuild

I've modified the ebuild to only patch common/Make.rules if ">=sys-devel/make-4.3" is installed. I pushed it here: https://github.com/jiblime/gentoo/commit/81b54f83af7144eff67766532eac0d267ec54209

Would this be the best interim solution until upstream makes a release?

Comment 9 Michael Palimaka (kensington) gentoo-dev 2020-10-10 09:53:17 UTC
This should be fixed in 3.0.0.