[ubuntu/trusty-updates] apparmor 2.10.95-0ubuntu2.5~14.04.1 (Accepted)
Robie Basak
robie.basak at canonical.com
Wed Jan 18 17:29:01 UTC 2017
apparmor (2.10.95-0ubuntu2.5~14.04.1) trusty; urgency=medium
* Bring apparmor 2.10.95-0ubuntu2.5, from Ubuntu 16.04, to Ubuntu 14.04.
- This allows for proper snap confinement on Ubuntu 14.04 when using the
hardware enablement kernel (LP: #1641243)
* Changes made on top of 2.10.95-0ubuntu2.5:
- debian/apparmor.upstart: Remove the upstart job and continue using the
init script in 14.04
- debian/apparmor.postinst, debian/apparmor-profiles.postinst,
debian/apparmor-profiles.postrm, debian/rules: Revert to using
invoke-rc.d to load the profiles, rather than reloading them directly,
since 14.04 will continue using the init script rather than the upstart
job.
- debian/apparmor.init, debian/lib/apparmor/functions,
debian/apparmor.postinst, debian/apparmor.postrm: Remove functionality
dealing with AppArmor policy in system image based environments since
this 14.04 package will not need to handle such environments. This
removes the handle_system_policy_package_updates(),
compare_previous_version(), compare_and_save_debsums() functions and
their callers.
- debian/apparmor.init: Continue using running-in-container since
systemd-detect-virt doesn't exist on 14.04
- debian/lib/apparmor/functions, debian/apparmor.init: Remove the
is_container_with_internal_policy() function and adjust its call sites
in apparmor.init so that AppArmor policy is not loaded inside of 14.04
LXD containers (avoids bug #1641236)
- debian/lib/apparmor/profile-load, debian/apparmor.install: Remove
profile-load as upstart's apparmor-profile-load is used in 14.04
- debian/patches/libapparmor-mention-dbus-method-in-getcon-man.patch:
Continue applying this patch since the dbus version in 14.04 isn't new
enough to support fetching the AppArmor context from
org.freedesktop.DBus.GetConnectionCredentials().
- debian/patches/libapparmor-force-libtoolize-replacement.patch: Force
libtoolize to replace existing files to fix a libapparmor FTBFS issue on
14.04.
- debian/control: Retain the original 14.04 Breaks and ignore the new
Breaks from 2.10.95-0ubuntu2.5 since they were put in place as part of
the enablement of UNIX domain socket mediation. They're not needed in
this upload since UNIX domain socket mediation is disabled by default so
updates to the profiles included in those packages are not needed.
- Preserve the profiles and abstractions from 14.04's
2.8.95~2430-0ubuntu5.3 apparmor package by recreating them in the
top-level profiles-14.04/ directory of the source. They'll be installed
to debian/tmp/etc/apparmor.d/ during the build process and then to
/etc/apparmor.d/ on package install so that there are no changes to the
shipped profiles or abstractions. The abstractions from
2.10.95-0ubuntu2.5 will be installed into
debian/tmp/snap/etc/apparmor.d/ during the build process and then into
/etc/apparmor.d/snap/abstractions/ on package install for use with snap
confinement. Snap confinement profiles, which include AppArmor profiles
loaded by snapd and profiles loaded by snaps that are allowed to manage
AppArmor policy, will use the snap abstractions. All other AppArmor
profiles will continue to use the 14.04 abstractions.
- debian/rules: Adjust for new profiles-14.04/ directory
- debian/apparmor-profiles.install: Adjust to install the profiles that
were installed in the 2.8.95~2430-0ubuntu5.3 package
- debian/apparmor.install: Install the abstractions from the
2.10.95-0ubuntu2.5 package into /etc/apparmor.d/snap/abstractions/
- debian/patches/14.04-profiles.patch: Preserve the 14.04 profiles and
abstractions from the 2.8.95~2430-0ubuntu5.3 apparmor package.
- debian/patches/conditionalize-post-release-features.patch: Disable new
mediation features, implemented after the Ubuntu 14.04 release, unless
the profile is for snap confinement. If the profile is for snap
confinement, the abstractions from /etc/apparmor.d/snap/abstractions
will be used and all of the mediation features will be enabled.
- 14.04-add-chromium-browser.patch,
14.04-add-debian-integration-to-lighttpd.patch,
14.04-etc-writable.patch,
14.04-update-base-abstraction-for-signals-and-ptrace.patch,
14.04-dnsmasq-libvirtd-signal-ptrace.patch,
14.04-update-chromium-browser.patch,
14.04-php5-Zend_semaphore-lp1401084.patch,
14.04-dnsmasq-lxc_networking-lp1403468.patch,
14.04-profiles-texlive_font_generation-lp1010909.patch,
14.04-profiles-dovecot-updates-lp1296667.patch,
14.04-profiles-adjust_X_for_lightdm-lp1339727.patch: Import all of the
patches, from 14.04's 2.8.95~2430-0ubuntu5.3 apparmor package, which
patched profiles/ and adjust them to patch profiles-14.04/ instead.
- debian/patches/revert-r2550-and-r2551.patch: Revert two upstream changes
to mod_apparmor which could potentially regress existing users of
mod_apparmor in 14.04. These upstream changes are not appropriate for an
SRU.
apparmor (2.10.95-0ubuntu2.5) xenial; urgency=medium
* debian/lib/apparmor/functions, debian/apparmor.init,
debian/apparmor.service, debian/apparmor.upstart,
debian/lib/apparmor/profile-load: Adjust the checks that previously kept
AppArmor policy from being loaded while booting a container. Now we
attempt to load policy if we're in a LXD or LXC managed container that is
using profile stacking inside of a policy namespace. (LP: #1628285)
* Fix regression tests for stacking so that the kernel SRU process is not
interrupted by failing tests whenever the AppArmor stacking features are
backported from the 16.10 kernel or when the 16.04 LTS Enablement Stack
receives a 4.8 or newer kernel
- debian/patches/r3509-tests-fix-exec_stack-errors-1.patch: Fix the
exec_stack.sh test when running on 4.8 or newer kernels (LP: #1628745)
- debian/patches/r3558-tests-fix-exec_stack-errors-2.patch: Adjust the
exec_stack.sh fix mentioned above to more accurately test kernels older
than 4.8 (LP: #1630069)
- debian/patches/allow-stacking-tests-to-use-system.patch: Apply this
patch earlier in the series, as to match when it was committed upstream,
so that the above two patches can be cherry-picked from lp:apparmor
apparmor (2.10.95-0ubuntu2.4) xenial; urgency=medium
* debian/patches/r3505-tests-fix-stacking-mode-checks.patch: Fix failing
regression tests so that the kernel SRU process is not interrupted by
failing stackonexec.sh and stackprofile.sh tests (LP: #1628295)
apparmor (2.10.95-0ubuntu2.3) xenial; urgency=medium
* debian/patches/allow-access-to-ibus-socket.patch: Adjust the ibus
abstraction to allow access to the abstract UNIX domain socket location
used in Ubuntu. (LP: #1580463)
* debian/lib/apparmor/functions: Quiet the "Files ... and ... differ"
output, during the update process, which was printed by diff. This message
left users concerned since it mentioned md5sums files without being clear
about what was happening. (LP: #1614215)
apparmor (2.10.95-0ubuntu2.2) xenial; urgency=medium
* r3498-r3499-ignore-net-events-that-look-like-file-events.patch: Prevent an
aa-logprof crash by ignoring file events that contain send *and* receive
in the request mask. This is an improvement to the previous fix that only
addressed events that contained send *or* receive.
(LP: #1577051, LP: #1582374)
- debian/rules: Create a new empty file, needed for the test added by this
patch, since quilt is unable to do so.
apparmor (2.10.95-0ubuntu2.1) xenial; urgency=medium
* debian/patches/r3460-ignore-file-events-with-send-or-receive-request.patch:
Prevent an aa-logprof crash by ignoring file events that contain
send or receive in the request mask. (LP: #1577051, LP: #1582374)
* debian/patches/r3463-r3475-change-profile-exec-modes.patch: Allow policy
authors to specify if the environment should be scrubbed during exec
transitions allowed by a change_profile rule. (LP: #1584069)
* debian/patches/r3478-make-overlapping-safe-and-unsafe-rules-conflict.patch:
Make sure that multiple change_profile rules with overlapping safe and
unsafe exec modes conflict when they share the same exec conditional
(LP: #1588069)
* debian/patches/r3488-r3489-fix-racy-onexec-test.patch: Fix racy regression
test so that the kernel SRU process is not interrupted by the onexec.sh
periodically failing. (LP: #1528230)
* debian/patches/r3490-utils-handle-change-profile-exec-modes.patch: Update
the Python utilities to handle the new exec mode keywords in
change_profile rules. (LP: #1584069)
* debian/patches/r3492-allow-dbus-user-session-path.patch: Allow read/write
access to the dbus-user-session socket file in profiles that include the
dbus-session-strict abstraction. (LP: #1604872)
apparmor (2.10.95-0ubuntu2) xenial; urgency=medium
* debian/patches/r3435-allow-dnsmasq-access-to-lxd-bridge.patch: Grant
access to the new default bridge configuration in LXD 2.0.0 (LP: #1566944)
* debian/patches/r3437-add-attach-disconnected-to-dnsmasq.patch: Add the
attach_disconnected flag to the dnsmasq profile in order to prevent a
disconnected path denial triggered by the latest network-manager upload
(LP: #1569316)
* debian/lib/apparmor/functions: Reference the new path used for snapd
AppArmor profiles to fix a bug which left those profiles unloaded after
booting (LP: #1569573)
apparmor (2.10.95-0ubuntu1) xenial; urgency=medium
* Update to apparmor 2.10.95 (2.11 Beta 1) (LP: #1561762)
- Allow Apache prefork profile to chown(2) files (LP: #1210514)
- Allow deluge-gtk and deluge-console to handle torrents opened in
browsers (LP: #1501913)
- Allow file accesses needed by some programs using libnl-3-200
(Closes: #810888)
- Allow file accesses needed on systems that use NetworkManager without
resolvconf (Closes: #813835)
- Adjust aa-status(8) to work without python3-apparmor (LP: #1480492)
- Fix aa-logprof(8) crash when operating on files containing multiple
profiles with certain rules (LP: #1528139)
- Fix log parsing crashes, in the Python utilities, caused by certain file
related events (LP: #1525119, LP: #1540562)
- Fix log parsing crasher, in the Python utilities, caused by certain
change_hat events (LP: #1523297)
- Improve Python 2 support of the utils by fixing an aa-logprof(8) crasher
when Python 3 is not available (LP: #1513880)
- Send aa-easyprof(8) error messages to stderr instead of stdout
(LP: #1521400)
- Fix aa-autodep(8) failure when the shebang line of a script contained
parameters (LP: #1505775)
- Don't depend on the system logprof.conf when running utils/ build tests
(LP: #1393979)
- Fix apparmor_parser(8) bugs when parsing profiles that use policy
namespaces in the profile declaration or profile transition targets
(LP: #1540666, LP: #1544387)
- Regression fix for apparmor_parser(8) bug that resulted in the
--namespace-string commandline option being ignored causing profiles to
be loaded into the root policy namespace (LP: #1526085)
- Fix crasher regression in apparmor_parser(8) when the parser was asked
to process a directory (LP: #1534405)
- Fix bug in apparmor_parser(8) to honor the specified bind flags remount
rules (LP: #1272028)
- Support tarball generation for Coverity scans and fix a number of issues
discovered by Coverity
- Fix regression test failures on s390x systems (LP: #1531325)
- Adjust expected errno values in changeprofile regression test
(LP: #1559705)
- The Python utils gained support for ptrace and signal rules
- aa-exec(8) received a rewrite in C
- apparmor_parser(8) gained support for stacking multiple profiles, as
supported by the Xenial kernel (LP: #1379535)
- libapparmor gained new public interfaces, aa_stack_profile(2) and
aa_stack_onexec(2), allowing applications to utilize the new kernel
stacking support (LP: #1379535)
* Drop the following patches since they've been incorporated upstream:
- aa-status-dont_require_python3-apparmor.patch
- r3209-dnsmasq-allow-dash
- r3227-locale-indep-capabilities-sorting.patch
- r3277-update-python-abstraction.patch
- r3366-networkd.patch,
- tests-fix_sysctl_test.patch
- parser-fix-cache-file-mtime-regression.patch
- parser-verify-cache-file-mtime.patch
- parser-run-caching-tests-without-apparmorfs.patch
- parser-do-cleanup-when-test-was-skipped.patch
- parser-allow-unspec-in-network-rules.patch
* debian/rules, debian/apparmor.install, debian/apparmor.manpages: Update
for new upstream binutils directory and aa-enabled binary
- Continue installing aa-exec into /usr/sbin/ for now since
click-apparmor's aa-exec-click autopkgtest expects it to be there
* debian/libapparmor-dev.manpages: Include the new aa_stack_profile.2 man
page
* debian/patches/r3424-nscd-profile-allow-paranoia-mode.patch: Allow file
access needed for nscd's paranoia mode
* debian/patches/r3425-adjust-stacking-tests-version-check.patch: Adjust the
regression test build time checks, for libapparmor stacking support, to
look for the 2.10.95 versioning rather than 2.11
* debian/patches/r3426-allow-debugedit-to-work-on-apparmor-parser.patch:
Remove extra slash in the parser Makefile so that debugedit(8) can work on
apparmor_parser(8) (LP: #1561939)
* debian/patches/allow-stacking-tests-to-use-system.patch: Adjust the file
rules of the new stacking tests so that the generated profiles allow the
system binaries and libraries to be tested
* debian/libapparmor1.symbols: update symbols file for added symbols
in libapparmor
apparmor (2.10-3ubuntu2) xenial; urgency=medium
* debian/patches/parser-allow-unspec-in-network-rules.patch: Allow
apparmor_parser to support rules that use 'unspec' as the network protocol
family. (LP: #1546455)
apparmor (2.10-3ubuntu1) xenial; urgency=medium
* Merge from Debian unstable. Remaining changes:
- debian/apparmor.init,apparmor.upstart,debian/lib/apparmor/functions:
clear only the system cache if apparmor version has changed on snappy
flavors since snappy will handle the app's cache itself
- debian/apparmor.install: install tunables/home.d and
tunables/multiarch.d
- debian/apparmor-utils.dirs: install usr/bin and usr/share/apparmor
- debian/control:
+ make libnotify-bin a Suggests rather than a Recommends since it is
assumed to already be installed on the desktop and so server
environments don't have to pull in a lot of X dependencies
(LP: #1061879)
+ apparmor-easyprof in section 'admin'
+ apparmor Depends on initramfs-tools | linux-initramfs-tool [linux-any]
+ apparmor Breaks on lightdm (<< 1.11.8-0ubuntu2~),
lxc (<< 1.1.0~alpha1-0ubuntu5~)
- drop debian/patches/reproducible-pdf.patch (not applied in series)
* drop debian/patches/fix-abstraction-for-python3.5.patch in favor of
Debian's
* debian/patches/series: comment out notify-group.patch
* debian/patches/non-linux.patch: refresh
* debian/patches/r3366-networkd.patch: use this instead of dropped Ubuntu
lp1529074.patch for NetworkManager and networkd support
apparmor (2.10-3) unstable; urgency=medium
* Team upload.
[ intrigeri ]
* Drop libapparmor-mention-dbus-method-in-getcon-man.patch (Closes: #800132)
[ Felix Geyer ]
* Update python abstraction for python 3.5.
- Pull r3277-update-python-abstraction.patch from upstream
apparmor (2.10-2) unstable; urgency=medium
[ Felix Geyer ]
* Apply aa-status-dont_require_python3-apparmor.patch, to keep
the hard dependencies of the apparmor binary package minimal.
* python{,3}-apparmor: require at least the same upstream version
of python{,3}-libapparmor.
[ intrigeri ]
* Drop abstractions-ubuntu-browsers.patch: integrated upstream
(in a slightly different way).
* debian/control: don't start short description with capital letter.
(Closes: #795434)
* r3227-locale-indep-capabilities-sorting.patch: cherry-pick from upstream,
to make (more of?) the build reproducible. (Closes: #797415)
* Merge from ubuntu-citrain up to revision 1578, that is changes brought
by 2.10-0ubuntu3 to 2.10-0ubuntu6.
* Upload to unstable.
apparmor (2.10-1) experimental; urgency=medium
[ intrigeri ]
* Merge ubuntu-citrain up to revision 1575, except:
- previously documented changes
- debian/patches/aa-status-dont_require_python3-apparmor.patch:
don't apply, only relevant for Ubuntu Phone
* debian/patches/r3209-dnsmasq-allow-dash: cherry-pick from upstream.
* debian/patches/pass-compiler-flags.patch: refresh.
* Update upstream signing key.
* apparmor-utils: make the Depends on python3-apparmor versioned.
(Closes: #785436)
* Override the "apparmor source: usr-lib-perl5-mentioned rules" error.
We replace usr/lib/perl5 with the corresponding multiarch path
in debian/rules, as a consequence this file contains this string.
* python-apparmor, python3-apparmor: add Lintian overrides for
the extended-description-is-probably-too-short tag.
* debian/control: stuff out a bit apparmor-utils' extended description.
[ Felix Geyer ]
* Add Brazilian Portuguese translation of debconf messages.
Thanks to Adriano Rafael Gomes. (Closes: #788342)
* Use dh_apparmor from this source package for apparmor-profiles.
(Closes: #656451)
* Make debian/rules safer:
- Add set -e to loops.
- Use "&&" when chaining shell commands.
apparmor (2.10-0ubuntu12) xenial; urgency=medium
* Call systemd-detect-virt instead of the Ubuntu specific
running-in-container wrapper. (LP: #1539016)
apparmor (2.10-0ubuntu11) xenial; urgency=medium
* No-change rebuild to drop python3.4 support.
apparmor (2.10-0ubuntu10) xenial; urgency=medium
* debian/patches/lp1529074.patch: for systems using networkd, add read on
/run/systemd/resolve/resolv.conf (LP: #1529074)
apparmor (2.10-0ubuntu9) xenial; urgency=medium
* No change rebuild for perl 5.22
apparmor (2.10-0ubuntu8) xenial; urgency=medium
* debian/patches/fix-abstraction-for-python3.5.patch: adjust python
abstraction for python 3.5
apparmor (2.10-0ubuntu7) xenial; urgency=medium
* debian/apparmor.init,apparmor.upstart: clear only the system cache if
apparmor version has changed on snappy flavors since snappy will handle
the app's cache itself
* debian/lib/apparmor/functions:
- compile /var/lib/snappy/apparmor/profiles policy
- add compare_previous_version()
- refactor clear_cache()
- compare_and_save_debsums() checks if $PROFILES_VAR exists
apparmor (2.10-0ubuntu6) wily; urgency=medium
* debian/libapparmor-dev.manpages: add 5 missing libapparmor manpages
(LP: #1491147, LP: #1384431)
apparmor (2.10-0ubuntu4) wily; urgency=medium
* Rebuild against python3.5.
apparmor (2.10-0ubuntu3) wily; urgency=medium
* debian/patches/parser-fix-cache-file-mtime-regression.patch: Fix a bug
that resulted in the mtime of generated policy cache files to be set
incorrectly. The mtime of cache files should be the newest mtime detected
on the profile and abstraction files used to generate the policy cache
file. However, the bug caused the mtime of the policy cache file to either
not be updated or to be updated to an incorrect time. (LP: #1484178)
* debian/patches/parser-verify-cache-file-mtime.patch: Add tests to verify
that the policy cache file's mtime is being set correctly and that cache
handling is correct when the profile or abstraction files are newer than
the policy cache file.
* debian/patches/parser-run-caching-tests-without-apparmorfs.patch,
debian/patches/parser-do-cleanup-when-test-was-skipped.patch: Enable the
caching tests to run on the buildds even though apparmorfs isn't mounted.
apparmor (2.10-0ubuntu2) wily; urgency=medium
* debian/patches/aa-status-dont_require_python3-apparmor.patch:
make aa-status(8) work even when python3-apparmor is not installed,
otherwise dh_apparmor postinst snippets can fail (LP: #1480492)
* debian/control: make apparmor-utils depend on the same package
version of python3-apparmor
apparmor (2.10-0ubuntu1) wily; urgency=medium
* Update to apparmor 2.10
- libapparmor added functions to ease loading profile cache files to
help support systemd on-demand load of policy (LP: #1385414)
- apparmor parser: fixed policy generation to allow matching
embedded NULs in abstract unix socket names (LP: #1413410)
- aa-status: don't traceback when not permitted to read current
set of apparmor policy (LP: #1466768)
- aa-logprof: don't crash on policies that have an #include of a
directory (LP: #1471425)
- aa-logprof: fix crash when network rejections occur when file
operations are performed on network sockets (LP: #1466812)
* dropped reproducible-pdf.patch, incorporated upstream
* debian/patches/tests-fix_sysctl_test.patch: fix sysctl test failure
with 4.1 kernel and newer.
* debian/control: add alternate dependency on linux-initramfs-tool
(LP: #1109029)
* debian/libapparmor1.symbols: update symbols file for added symbols
in libapparmor
apparmor (2.9.2-0ubuntu2) wily; urgency=medium
* No-change rebuild for python3.5 transition
apparmor (2.9.2-0ubuntu1) wily; urgency=medium
* Update to apparmor 2.9.2
- Fix minitools to work with multiple profiles at once (LP: #1378095)
- Parse mounts that have non-ascii UTF-8 chars (LP: #1310598)
- Update dovecot profiles (LP: #1296667)
- Allow ubuntu-helpers to build texlive fonts (LP: #1010909)
* dropped patches incorporated upstream:
add-mir-abstraction-lp1422521.patch, systemd-dev-log-lp1413232.patch
parser-fix_modifier_compilation_+_tests.patch,
tests-fix_systemd_breakage_in_pivot_root-lp1436109.patch,
GDM_X_authority-lp1432126.patch, and
debian/patches/easyprof-framework-policy.patch
* Partial merge with debian apparmor package:
- debian/rules: enable the bindnow hardening flag during build.
- debian/upstream/signing-key.asc: add new upstream public
signing key
- debian/watch: fix watch file, add gpg signature checking
- install libapparmor.so dev symlink under /usr not /lib
- debian/patches/reproducible-pdf.patch: make techdoc.pdf
reproducible even in face of timezone variations.
- debian/control: sync fields
- debian/debhelper/postrm-apparmor: remove
/etc/apparmor.d/{disable,} on package purge
- debian/libapache2-mod-apparmor.postrm: on package purge, delete
/etc/apparmor.d/{,disable} if empty
- debian/libapparmor1.symbols: Use Build-Depends-Package in the
symbols file.
- debian/copyright: sync
apparmor (2.9.1-0ubuntu9) vivid; urgency=medium
* Make debian/lib/apparmor/profile-load executable.
apparmor (2.9.1-0ubuntu8) vivid; urgency=medium
[ Steve Beattie ]
* debian/rules: run make check on the libapparmor library
* add-chromium-browser.patch: add support for chromium policies
(LP: #1419294)
* debian/apparmor.{init,upstart}: add support for triggering
aa-profile-hook runs when packages are updated via snappy system
image updates (LP: #1434143)
* parser-fix_modifier_compilation_+_tests.patch: fix compilation
of audit modifiers for exec and pivot_root and deny modifiers on
link rules as well as significantly expand related tests
(LP: #1431717, LP: #1432045, LP: #1433829)
* tests-fix_systemd_breakage_in_pivot_root-lp1436109.patch: work
around pivot_root test failures due to init=systemd (LP: #1436109)
* GDM_X_authority-lp1432126.patch: add location GDM creates Xauthority
file to X abstraction (LP: #1432126)
[ Jamie Strandboge ]
* easyprof-framework-policy.patch: add --include-templates-dir and
--include-policy-groups-dir options to easyprof to support framework
policy on snappy
[ Robie Basak ]
* Add /lib/apparmor/profile-load; moved from
/lib/init/apparmor-profile-load from the upstart package. A wrapper at
the original path is now provided by init-system-helpers. (LP: #1432683)
apparmor (2.9.1-0ubuntu7) vivid; urgency=medium
* systemd-dev-log-lp1413232.patch: Allow writes to the systemd journal
socket /{,var}/run/systemd/journal/dev-log. This can be dropped with
AppArmor 2.9.2. (LP: #1413232)
apparmor (2.9.1-0ubuntu6) vivid; urgency=medium
* add-mir-abstractions-lp1422521.patch: add correct location of
mir specific libraries and mir unprivileged client socket
to mir abstraction (LP: #1422521)
apparmor (2.9.1-0ubuntu5) vivid; urgency=medium
* debian/apparmor.init: Replace unnecessary $remote_fs dependency with
$local_fs. This is sufficient as during boot we don't use anything from
/usr. It's also necessary to avoid dependency cycles when using NFS (as
its dependencies should be covered by AppArmor). (LP: #1312976)
apparmor (2.9.1-0ubuntu4) vivid; urgency=medium
* Update to apparmor 2.9.1
- make parser mount rule options consistent with documentation
(LP: #1401619)
- make parser fail if unknown mount options are encountered
(LP: #1401621)
- stop aa-logprof from asking about already allowed network rules
(LP: #1380367)
- make utils offer abstractions for network rules (LP: #1380367)
- make libapparmor understand logs generated by syslog-ng
(LP: #1399027)
- stop python utilities from adding duplicate quotes (LP: #1328707)
- work around aa-cleanprof crashes (LP: #1382236)
- other bug fixes, performance improvements, and testcases added to
the python utils.
- policy updates for dnsmasq, nscd, and others
- translation updates
* Partial sync with debian apparmor package:
- debian/apparmor-profiles.install: add additional dovecot and
smbldap-useradd profiles
- debian/control: fix typo in apparmor-docs description, fix file
overwrite issues with python-apparmor, apparmor-docs
- debian/rules: improved repeat-build cleanup logic.
- Add Turkish translation of debconf messages. Thanks to
Mert Dirik <mertdirik at gmail.com> for the patch!
- debian/apparmor.postrm: Remove
/var/lib/apparmor/profiles/.apparmor.md5sums and parent
directories on package purge.
* add-mir-abstractions-lp1422521.patch: add mir abstraction to cover
mir specific libraries (LP: #1422521)
* debian/rules: remove no longer needed references to PERLDIR when
installing from utils/
apparmor (2.8.98-0ubuntu4) vivid; urgency=medium
* Ship libapparmor in /lib instead of /usr as we want to use it in systemd
now. (LP: #1397960)
apparmor (2.8.98-0ubuntu3) vivid; urgency=medium
* debian/lib/apparmor/functions: disable expr tree simplification for
/var/lib/apparmor/profiles (LP: #1383858)
* parser-dont-skip-read-cache-with-optimizations.patch: don't skip read
cache when specifying '-O' (LP: #1385947)
apparmor (2.8.98-0ubuntu2) utopic; urgency=medium
* Updated to apparmor 2.9.beta4 (aka apparmor 2.8.98)
- fix logparsing memory leak (LP: #1340927)
- incorporate fixes to regression testsuite to compensate for
af_unix mediation, as well as extend test coverage
(LP: #1375403, LP: #1375516)
- fix libapparmor's log parsing code to accept additional rejection
types (LP: #1375413)
- fix X abstraction for changed lightdm xauthority file locations
(LP: #1339727)
- parser: disable downgrade and not enforced rule messages
by default (LP: #1302735)
- fix error when using regex profile names in IPC rules
(LP: #1373085)
- update base abstraction for /proc/sys/kernel/cap_last_cap for dnsmasq
(LP: #1378977)
- update freedesktop.org for @{HOME}/.config/mimeapps.list (LP: #1377140)
- update gnome abstraction for access to @/dbus-vfs-daemon/socket-*
(LP: #1375067)
- update ubuntu-browsers.d/java abstraction for icedtea plugin access
in /{,var/}run/user/*/icedteaplugin-* (LP: #1293439)
- update user-mail abstraction for /var/mail (LP: #1192965)
- updates and fixes to the python utilities
- translation updates
[ Steve Beattie ]
* Removed upstreamed patches:
drop-peer_addr-with-local-addr-in-base.patch,
update_socketpair_tests_for_af_unix.patch,
fix_socketpair_tests.patch, sanitized-helpers-updates.patch,
01-tests-unix_socket_lists.patch,
02-tests-accept_unix_rules_in_mkprofile.patch,
03-tests-unix_sockets_v7_pathnames.patch,
04-tests-migrate_from_poll_to_sockio_timeout.patch,
05-tests-add_abstract_socket_tests.patch,
06-tests-use_socketpair_and_none.patch,
07-parser-fix_local_perms.patch,
08-phpsysinfo-policy-updates.patch,
09-apache2-policy-instructions.patch,
10-lp1371771.patch, 11-lp1371765.patch,
lp1169881.patch
* refreshed etc-writable.patch and libapparmor-layout-deb.patch
* debian/control: add breaks on python3-apparmor against older
apparmor-utils that used to be where python bits lived
(LP: #1373259)
* debian/apport/source_apparmor.py:
- fixes the apparmor apport hook so it does not raise an exception if
a non-unicode character is found in /var/log/kern.log or in
/var/log/syslog. This should work under python3 or python2.7
(LP: #1304447)
- adjusts the add_info() function to take the expected additional ui
argument, though it has no need for it.
- converts the log parsing code to use with statements so as not to
leak open file descriptors
- updates the set of packages to query to see if installed and if so,
report the version of.
- adjust import to make pyflakes job easier
- minor pep8 cleanups
[ Jamie Strandboge ]
* add-chromium-browser.patch:
- don't allow writing to the oom score and adjust files since this allows
chromium to change the values for any process matching our UID
- allow writing to /run/shm/shmfd-*
- add a few signal rules from base abstraction for the sandbox
* debian/apparmor.upstart: check if click-apparmor md5sums changed so we
regenerate the policy if it changes too (LP: #1371574)
* debian/apparmor.init: make corresponding upstart change to initscript
* debian/lib/apparmor/functions: fall back to using -n1 if the parser failed
to load a profile set. This should be removed when the parser properly
handles profile sets with corrupted profiles (LP: 1377338)
* debian/control: fix typo (LP: #1187447)
apparmor (2.8.96~2652-0ubuntu7) utopic; urgency=medium
* add-chromium-browser.patch: use addr=none instead of peer=(addr=none)
(LP: #1374363)
apparmor (2.8.96~2652-0ubuntu6) utopic; urgency=medium
* lp1169881.patch: add /usr/bin/gnome-gmail to ubuntu-email (LP: #1169881)
* debian/control: update Breaks on lxc 1.1.0~alpha1-0ubuntu5~ (LP: #1373555)
apparmor (2.8.96~2652-0ubuntu5) utopic; urgency=medium
[ Jamie Strandboge ]
* sanitized-helpers-updates.patch: update ubuntu-helpers for unix mediation
* 10-lp1371771.patch: don't exit prematurely and fail to load remaining
policy if encounter a corrupt cache file (LP: #1371771)
* 11-lp1371765.patch: if a cache load fails, attempt to rebuild and load it
(LP: #1371765)
* debian/lib/apparmor/functions:
- don't return 0 on parsing failure. Patch thanks to Felix Geyer
(LP: #1370228)
- use xargs -n1 when we don't have cache files, but omit it when we do.
This allows taking full advantage of xargs -P when we need it most,
without the cost when we don't.
[ Steve Beattie ]
* update_socketpair_tests_for_af_unix.patch,
fix_socketpair_tests.patch: update socketpair regression tests for
af_unix socket mediation
apparmor (2.8.96~2652-0ubuntu4) utopic; urgency=medium
* debian/apparmor.{upstart,init}: make sure we always update the .md5sums
for apparmor-easyprof-ubuntu even when apparmor is updated (before if both
were updated, aa-clickhook -f would be run on the 1st and 2nd boot rather
than just the 1st)
* debian/apparmor.postinst: update the cached .md5sums file on upgrade to
avoid running on install and then again on first boot after upgrade. This
change only affects apt upgrades and not system-image upgrades since
system-image upgrades always use the existing .md5sums if they exist (see
/etc/system-image/writable-paths).
* ubuntu-manpage-updates.patch: adjust for move to upstart job and click
policy
* debian/lib/apparmor/functions: don't pass costly '-n1' to xargs in
foreach_configured_profile() when loading valid cache files. This used to
be needed when apparmor_parser would generate different binary caches when
compiling policy one profile at a time and all at once. That bug is long
fixed and removing -n1 gives a significant performance improvement for
boots with valid cache files (~65% on armhf)
apparmor (2.8.96~2652-0ubuntu3) utopic; urgency=medium
* 08-phpsysinfo-policy-updates.patch: update for new phpsysinfo on Ubuntu
14.10
* 09-apache2-policy-instructions.patch: update for recent Debian/Ubuntu
packaging
* debian/control: update Breaks for apparmor-easyprof-ubuntu, libvirt-bin,
and lightdm. Add Breaks on rsyslog.
apparmor (2.8.96~2652-0ubuntu2) utopic; urgency=medium
* 07-parser-fix_local_perms.patch: do not output local permissions for rules
that have peer_conditionals. Patch from John Johansen
apparmor (2.8.96~2652-0ubuntu1) utopic; urgency=medium
* Updated to r2652 snapshot of 2.8.96 (LP: #1362199, LP: #1341152)
[ Steve Beattie ]
* removed upstreamed patches:
- dnsmasq-libvirtd-signal-ptrace.patch
- update-base-abstraction-for-signals-and-ptrace.patch
- update-nameservice-abstraction-for-extrausers.patch
- debian/apparmor-profiles.install: dropped program-chunks/postfix-common,
moved to abstractions/ and covered by apparmor.install
- refreshed libapparmor-layout-deb.patch patch
* Add in Tyler Hicks' regression test improvements:
- 01-tests-unix_socket_lists.patch,
- 02-tests-accept_unix_rules_in_mkprofile.patch,
- 03-tests-unix_sockets_v7_pathnames.patch,
- 04-tests-migrate_from_poll_to_sockio_timeout.patch,
- 05-tests-add_abstract_socket_tests.patch,
* 07-parser-fix_local_perms.patch: do not output local permissions
for rules that have peer_conditionals
[ Jamie Strandboge ]
* add-chromium-browser.patch: update for unix socket mediation
* drop-peer_addr-with-local-addr-in-base.patch: don't use peer=(addr=none)
with getattr, getopt, setopt and shutdown
[ Tyler Hicks ]
* debian/lib/apparmor/functions, debian/apparmor.init,
debian/apparmor.upstart: Ensure system policy cache cannot become stale
after image based upgrades that update the system profiles (LP: #1350673)
* parser-include-usr-share-apparmor.patch, debian/apparmor.install: Adjust
the default parser.conf file, to add /usr/share/apparmor as an additional
search path when resolving include directives in profiles, and install the
file in /etc/apparmor. Ubuntu places hardware specific access rules in
/usr/share/apparmor/hardware. This change allows these files to be
included without using an absolute path (e.g.,
'#include <hardware/graphics.d>').
apparmor (2.8.96~2541-0ubuntu3.1) utopic; urgency=medium
* Updates for perl 5.20 multiarch transition
- debian/libapparmor-perl.install: don't hardcode usr/lib/perl5 but
instead use $Config{vendorarch} in an executable install file. Make it
executable
- debian/control: Build-Depends on debhelper (>= 9) (9 is needed to use
an executable install file)
- debian/patches/perl-multiarch.patch:
+ add @{multiarch} paths to perl abstraction
+ update logprof.conf, severity.db and corresponding tests for updated
perl path
apparmor (2.8.96~2541-0ubuntu2) utopic; urgency=medium
* update-nameservice-abstraction-for-extrausers.patch: update nameservice
abstraction to allow passwd and group when using libnss-extrausers
apparmor (2.8.96~2541-0ubuntu1) utopic; urgency=medium
* Updated to r2541 snapshot of 2.8.96:
- removed upstreamed patches: convert-to-rules.patch, list-fns.patch,
parse-mode.patch, add-decimal-interp.patch, policy_mediates.patch,
fix-failpath.patch, feature_file.patch, fix-network.patch,
aare-to-class.patch, add-mediation-unix.patch, parser_version.patch,
caching.patch, label-class.patch, fix-lexer-debug.patch,
use-diff-encode.patch, fix-serialize.patch,
fix-ppc-endian-ftbfs.patch, opt_arg.patch, tests-cond-dbus.patch,
initialize-mount-flags.patch, fix-typo-in-dbus_write.patch,
limited-mount-rule-support.patch, bare-capability-rule-support.patch,
check-config-for-sysctl.patch, increase-swap-size.patch,
test-v6-policy.patch, test-mount-mediation.patch,
mediate-signals.patch, change-signal-syntax.patch,
mediate-ptrace.patch, change-ptrace-syntax.patch,
test-signal-rules.patch, test-ptrace-rules.patch,
update-tests-for-new-semantics.patch,
fix-garbage-in-preprocessor-output.patch,
fix-double-comma-in-preprocessor-output.patch,
symtab-tests-and-seenlist-bug.patch, add-profile-name-variable.patch,
fix-names-treated-as-condlistid.patch, manpage-signal-ptrace.patch,
python-utils-file-support.patch, python-utils-signal-support.patch,
python-utils-ptrace-support.patch,
python-utils-pivot_root-support.patch.
* Added upstart job (LP: #1305108)
- debian/apparmor.upstart: new upstart job.
- debian/apparmor.init: added click handling, move some code to
unload_obsolete_profiles().
- debian/lib/apparmor/functions: add unload_obsolete_profiles().
- debian/apparmor.postinst, debian/apparmor-profiles.postinst: reload
profiles directly since invoke-rc.d won't allow to do this easily
with upstart and systemd jobs.
- debian/rules: pass --no-start to dh_installinit since we're handling
reloading profiles manually in the postinst scripts.
- debian/control: add a versioned apparmor Depends to the
apparmor-profiles package to make sure the required tools are
installed for the postinst script.
Date: 2016-12-01 21:54:11.414430+00:00
Changed-By: Tyler Hicks <tyhicks at canonical.com>
Signed-By: Robie Basak <robie.basak at canonical.com>
https://launchpad.net/ubuntu/+source/apparmor/2.10.95-0ubuntu2.5~14.04.1