--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: lomiri-online-accounts@packages.debian.org
Control: affects -1 + src:lomiri-online-accounts
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package lomiri-online-accounts

Let src/utils.cpp:apparmorProfileOfPeer() always return 'unconfined'.

[ Reason ]
Debian's (and the upstream) Linux kernel lacks proper
LinuxSecurityContext support. There is an AppArmor-specific kernel patch
that has never made it to Linux upstream for now.

Details: It appears that AppArmor SO_PEERSEC support for unix domain
sockets bound to a filesystem path name is missing from the upstream
kernel and is only enabled as a side effect of a patch distributed with
AppArmor:
https://gitlab.com/apparmor/apparmor/-/blob/692e6850ba90582105713a683bed753bad696aab/kernel-patches/v4.17/0002-apparmor-af_unix-mediation.patch

Ubuntu kernels contain a rebased variant of the patch which is likely
why SO_PEERSEC works on Ubuntu.

See: https://bugs.debian.org/1092591

[ Impact ]
Calendar Sync and Contact Sync in lomiri-{addressbook,calendar}-app
won't be able to add online accounts such as nextcloud or owncloud
accounts.

[ Tests ]
Manual tests in Debian trixie VM.

[ Risks ]
Regressions might impact lomiri-calendar-app or lomiri-addressbook-app.

There is still a problem in lomiri-cloudsync-app with Nextcloud sync
which I will address in lomiri-cloudsync-app itself.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

[ Other info ]
Relevant to Lomiri in Debian.

unblock lomiri-online-accounts/0.16-4

diff -Nru lomiri-online-accounts-0.16/debian/changelog lomiri-online-accounts-0.16/debian/changelog
--- lomiri-online-accounts-0.16/debian/changelog 2025-04-16 23:54:57.000000000 +0200
+++ lomiri-online-accounts-0.16/debian/changelog 2025-06-15 23:57:27.000000000 +0200
@@ -1,3 +1,14 @@
+lomiri-online-accounts (0.16-4) unstable; urgency=medium
+
+ * debian/patches:
+ + Add 2001_no-functional-LinuxSecurityContext-support-in-Debians-
+ kernel.patch. Let src/utils.cpp:apparmorProfileOfPeer() always return
+ 'unconfined'. Required due to apparmor-specific limitation in
+ Debian's Linux kernel. (See also: #1092591). This is needed to
+ make Lomiri Online Accounts setups functional on Debian systems.
+
+ -- Mike Gabriel <sunweaver@debian.org> Sun, 15 Jun 2025 23:57:27 +0200
+
lomiri-online-accounts (0.16-3) unstable; urgency=medium
* debian/rules:
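Review bot: the new 0.16-4 entry explains why the patch is needed but not what it gives up. With apparmorProfileOfPeer() always returning 'unconfined', the service no longer learns a peer's real AppArmor profile, so confined and unconfined clients look the same to it. Suggest stating that in the entry, so a later reader of the changelog knows the patch should be dropped once the kernel limitation tracked in #1092591 is resolved.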
diff -Nru lomiri-online-accounts-0.16/debian/patches/2001_no-functional-LinuxSecurityContext-support-in-Debians-kernel.patch lomiri-online-accounts-0.16/debian/patches/2001_no-functional-LinuxSecurityContext-support-in-Debians-kernel.patch
--- lomiri-online-accounts-0.16/debian/patches/2001_no-functional-LinuxSecurityContext-support-in-Debians-kernel.patch 1970-01-01 01:00:00.000000000 +0100
+++ lomiri-online-accounts-0.16/debian/patches/2001_no-functional-LinuxSecurityContext-support-in-Debians-kernel.patch 2025-06-15 23:55:34.000000000 +0200
@@ -0,0 +1,44 @@
+Description: Let src/utils.cpp:apparmorProfileOfPeer() always return 'unconfined'.
+Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
+Abstract:
+ Debian's kernel lacks proper LinuxSecurityContext support. There is an
+ Apparmor-specific kernel patch that has never made it to Linux upstream
+ for now.
+ .
+ Details: It appears that AppArmor SO_PEERSEC support for unix domain
+ sockets bound to a filesystem path name is missing from the upstream
+ kernel and is only enabled as a side effect of a patch distributed with
+ AppArmor:
+ https://gitlab.com/apparmor/apparmor/-/blob/692e6850ba90582105713a683bed753bad696aab/kernel-patches/v4.17/0002-apparmor-af_unix-mediation.patch
+ .
+ Ubuntu kernels contain a rebased variant of the patch which is likely
+ why SO_PEERSEC works on Ubuntu.
+ .
+ See: https://bugs.debian.org/1092591
+
+--- a/online-accounts-service/src/utils.cpp
++++ b/online-accounts-service/src/utils.cpp
+@@ -33,6 +33,23 @@
+ {
+ static QString ourProfile;
+
++ /* Debian's kernel lacks proper LinuxSecurityContext support. There is an
++ * Apparmor-specific kernel patch that has never made it to Linux upstream
++ * for now.
++ *
++ * Details: It appears that AppArmor SO_PEERSEC support for unix domain
++ * sockets bound to a filesystem path name is missing from the upstream
++ * kernel and is only enabled as a side effect of a patch distributed with
++ * AppArmor:
++ * https://gitlab.com/apparmor/apparmor/-/blob/692e6850ba90582105713a683bed753bad696aab/kernel-patches/v4.17/0002-apparmor-af_unix-mediation.patch
++ *
++ * Ubuntu kernels contain a rebased variant of the patch which is likely
++ * why SO_PEERSEC works on Ubuntu.
++ *
++ * See: https://bugs.debian.org/1092591
++ */
++ return QString("unconfined");
++
+ QString uniqueConnectionId = message.service();
+ /* This is mainly for unit tests: real messages on the session bus always
+ * have a service name. */
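Review bot: the unconditional return QString("unconfined"); sits directly after the declaration of ourProfile, so everything below it in apparmorProfileOfPeer(), starting with QString uniqueConnectionId = message.service();, is unreachable, and the function reports 'unconfined' even on a kernel where SO_PEERSEC works (the patch header itself says Ubuntu kernels do). Consider keeping the lookup and returning 'unconfined' only when it yields no security context, so the answer stays accurate where the kernel supports it. Separately, the patch header would be easier for tooling to read with the long text as continuation lines of Description: rather than under an Abstract: field, and with a Forwarded: field saying whether the change is meant to go upstream.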
diff -Nru lomiri-online-accounts-0.16/debian/patches/series lomiri-online-accounts-0.16/debian/patches/series
--- lomiri-online-accounts-0.16/debian/patches/series 2024-08-20 19:18:33.000000000 +0200
+++ lomiri-online-accounts-0.16/debian/patches/series 2025-06-15 23:03:40.000000000 +0200
@@ -1 +1,2 @@
1001_drop-encoding-key-from-desktop-file.patch
+2001_no-functional-LinuxSecurityContext-support-in-Debians-kernel.patch
--- End Message ---