
Bug#1107855: unblock: lomiri-online-accounts/0.16-4



Package: release.debian.org
Severity: normal
X-Debbugs-Cc: lomiri-online-accounts@packages.debian.org
Control: affects -1 + src:lomiri-online-accounts
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package lomiri-online-accounts

Let src/utils.cpp:apparmorProfileOfPeer() always return 'unconfined'.

[ Reason ]
Debian's (and the upstream) Linux kernel lacks proper
LinuxSecurityContext support. There is an AppArmor-specific kernel patch
that has not made it into upstream Linux so far.

Details: It appears that AppArmor SO_PEERSEC support for unix domain
sockets bound to a filesystem path name is missing from the upstream
kernel and is only enabled as a side effect of a patch distributed with
AppArmor:
https://gitlab.com/apparmor/apparmor/-/blob/692e6850ba90582105713a683bed753bad696aab/kernel-patches/v4.17/0002-apparmor-af_unix-mediation.patch

Ubuntu kernels contain a rebased variant of the patch which is likely
why SO_PEERSEC works on Ubuntu.

See: https://bugs.debian.org/1092591

[ Impact ]
Calendar Sync and Contact Sync in lomiri-{addressbook,calendar}-app
won't be able to add online accounts such as Nextcloud or ownCloud
accounts.

[ Tests ]
Manual tests in Debian trixie VM.

[ Risks ]
Regressions might impact lomiri-calendar-app or lomiri-addressbook-app.
There is still a problem in lomiri-cloudsync-app with Nextcloud sync
which I will address in lomiri-cloudsync-app itself.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
Relevant to Lomiri in Debian.

unblock lomiri-online-accounts/0.16-4
diff -Nru lomiri-online-accounts-0.16/debian/changelog lomiri-online-accounts-0.16/debian/changelog
--- lomiri-online-accounts-0.16/debian/changelog	2025-04-16 23:54:57.000000000 +0200
+++ lomiri-online-accounts-0.16/debian/changelog	2025-06-15 23:57:27.000000000 +0200
@@ -1,3 +1,14 @@
+lomiri-online-accounts (0.16-4) unstable; urgency=medium
+
+  * debian/patches:
+    + Add 2001_no-functional-LinuxSecurityContext-support-in-Debians-
+      kernel.patch. Let src/utils.cpp:apparmorProfileOfPeer() always return
+      'unconfined'. Required due to apparmor-specific limitation in
+      Debian's Linux kernel. (See also: #1092591). This is needed to
+      make Lomiri Online Accounts setups functional on Debian systems.
+
+ -- Mike Gabriel <sunweaver@debian.org>  Sun, 15 Jun 2025 23:57:27 +0200
+
 lomiri-online-accounts (0.16-3) unstable; urgency=medium
 
   * debian/rules:
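Review bot: the new 0.16-4 entry says apparmorProfileOfPeer() will always return 'unconfined' but leaves out what that means at runtime: every peer is now reported as unconfined, so any decision keyed on the peer's AppArmor profile no longer distinguishes confined clients. Please state that consequence in the entry (or in NEWS.Debian), and say whether the patch is to be dropped once SO_PEERSEC works on Debian kernels (#1092591), so the workaround does not outlive its reason.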
diff -Nru lomiri-online-accounts-0.16/debian/patches/2001_no-functional-LinuxSecurityContext-support-in-Debians-kernel.patch lomiri-online-accounts-0.16/debian/patches/2001_no-functional-LinuxSecurityContext-support-in-Debians-kernel.patch
--- lomiri-online-accounts-0.16/debian/patches/2001_no-functional-LinuxSecurityContext-support-in-Debians-kernel.patch	1970-01-01 01:00:00.000000000 +0100
+++ lomiri-online-accounts-0.16/debian/patches/2001_no-functional-LinuxSecurityContext-support-in-Debians-kernel.patch	2025-06-15 23:55:34.000000000 +0200
@@ -0,0 +1,44 @@
+Description: Let src/utils.cpp:apparmorProfileOfPeer() always return 'unconfined'.
+Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
+Abstract:
+ Debian's kernel lacks proper LinuxSecurityContext support. There is an
+ Apparmor-specific kernel patch that has never made it to Linux upstream
+ for now.
+ .
+ Details: It appears that AppArmor SO_PEERSEC support for unix domain
+ sockets bound to a filesystem path name is missing from the upstream
+ kernel and is only enabled as a side effect of a patch distributed with
+ AppArmor:
+ https://gitlab.com/apparmor/apparmor/-/blob/692e6850ba90582105713a683bed753bad696aab/kernel-patches/v4.17/0002-apparmor-af_unix-mediation.patch
+ .
+ Ubuntu kernels contain a rebased variant of the patch which is likely
+ why SO_PEERSEC works on Ubuntu.
+ .
+ See: https://bugs.debian.org/1092591
+
+--- a/online-accounts-service/src/utils.cpp
++++ b/online-accounts-service/src/utils.cpp
+@@ -33,6 +33,23 @@
+ {
+     static QString ourProfile;
+ 
++    /* Debian's kernel lacks proper LinuxSecurityContext support. There is an
++     * Apparmor-specific kernel patch that has never made it to Linux upstream
++     * for now.
++     *
++     * Details: It appears that AppArmor SO_PEERSEC support for unix domain
++     * sockets bound to a filesystem path name is missing from the upstream
++     * kernel and is only enabled as a side effect of a patch distributed with
++     * AppArmor:
++     * https://gitlab.com/apparmor/apparmor/-/blob/692e6850ba90582105713a683bed753bad696aab/kernel-patches/v4.17/0002-apparmor-af_unix-mediation.patch
++     *
++     * Ubuntu kernels contain a rebased variant of the patch which is likely
++     * why SO_PEERSEC works on Ubuntu.
++     *
++     * See: https://bugs.debian.org/1092591
++     */
++    return QString("unconfined");
++
+     QString uniqueConnectionId = message.service();
+     /* This is mainly for unit tests: real messages on the session bus always
+      * have a service name. */
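Review bot: the unconditional `return QString("unconfined");` placed right after `static QString ourProfile;` turns the rest of apparmorProfileOfPeer() into dead code, starting with `QString uniqueConnectionId = message.service();`, and it applies on every kernel, including ones that carry the AppArmor af_unix patch the comment mentions. Consider keeping the original lookup and returning "unconfined" only when it yields no label, or guarding the early return with a build-time switch, so the peer check comes back on its own once the kernel supports it. Separately, the patch header uses `Abstract:`, which is not a DEP-3 field: fold that text into the long form of `Description:` and add `Forwarded:` and `Bug-Debian: https://bugs.debian.org/1092591`.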
diff -Nru lomiri-online-accounts-0.16/debian/patches/series lomiri-online-accounts-0.16/debian/patches/series
--- lomiri-online-accounts-0.16/debian/patches/series	2024-08-20 19:18:33.000000000 +0200
+++ lomiri-online-accounts-0.16/debian/patches/series	2025-06-15 23:03:40.000000000 +0200
@@ -1 +1,2 @@
 1001_drop-encoding-key-from-desktop-file.patch
+2001_no-functional-LinuxSecurityContext-support-in-Debians-kernel.patch
