[ubuntu/trusty-updates] apparmor 2.10.95-0ubuntu2.5~14.04.1 (Accepted)

Robie Basak robie.basak at canonical.com
Wed Jan 18 17:29:01 UTC 2017

apparmor (2.10.95-0ubuntu2.5~14.04.1) trusty; urgency=medium

  * Bring apparmor 2.10.95-0ubuntu2.5, from Ubuntu 16.04, to Ubuntu 14.04.
    - This allows for proper snap confinement on Ubuntu 14.04 when using the
      hardware enablement kernel (LP: #1641243)
  * Changes made on top of 2.10.95-0ubuntu2.5:
    - debian/apparmor.upstart: Remove the upstart job and continue using the
      init script in 14.04
    - debian/apparmor.postinst, debian/apparmor-profiles.postinst,
      debian/apparmor-profiles.postrm, debian/rules: Revert to using
      invoke-rc.d to load the profiles, rather than reloading them directly,
      since 14.04 will continue using the init script rather than the upstart
    - debian/apparmor.init, debian/lib/apparmor/functions,
      debian/apparmor.postinst, debian/apparmor.postrm: Remove functionality
      dealing with AppArmor policy in system image based environments since
      this 14.04 package will not need to handle such environments. This
      removes the handle_system_policy_package_updates(),
      compare_previous_version(), compare_and_save_debsums() functions and
      their callers.
    - debian/apparmor.init: Continue using running-in-container since
      systemd-detect-virt doesn't exist on 14.04
    - debian/lib/apparmor/functions, debian/apparmor.init: Remove the
      is_container_with_internal_policy() function and adjust its call sites
      in apparmor.init so that AppArmor policy is not loaded inside of 14.04
      LXD containers (avoids bug #1641236)
    - debian/lib/apparmor/profile-load, debian/apparmor.install: Remove
      profile-load as upstart's apparmor-profile-load is used in 14.04
    - debian/patches/libapparmor-mention-dbus-method-in-getcon-man.patch:
      Continue applying this patch since the dbus version in 14.04 isn't new
      enough to support fetching the AppArmor context from
    - debian/patches/libapparmor-force-libtoolize-replacement.patch: Force
      libtoolize to replace existing files to fix a libapparmor FTBFS issue on
    - debian/control: Retain the original 14.04 Breaks and ignore the new
      Breaks from 2.10.95-0ubuntu2.5 since they were put in place as part of
      the enablement of UNIX domain socket mediation. They're not needed in
      this upload since UNIX domain socket mediation is disabled by default so
      updates to the profiles included in those packages are not needed.
    - Preserve the profiles and abstractions from 14.04's
      2.8.95~2430-0ubuntu5.3 apparmor package by recreating them in the
      top-level profiles-14.04/ directory of the source. They'll be installed
      to debian/tmp/etc/apparmor.d/ during the build process and then to
      /etc/apparmor.d/ on package install so that there are no changes to the
      shipped profiles or abstractions. The abstractions from
      2.10.95-0ubuntu2.5 will be installed into
      debian/tmp/snap/etc/apparmor.d/ during the build process and then into
      /etc/apparmor.d/snap/abstractions/ on package install for use with snap
      confinement. Snap confinement profiles, which include AppArmor profiles
      loaded by snapd and profiles loaded by snaps that are allowed to manage
      AppArmor policy, will use the snap abstractions. All other AppArmor
      profiles will continue to use the 14.04 abstractions.
      - debian/rules: Adjust for new profiles-14.04/ directory
      - debian/apparmor-profiles.install: Adjust to install the profiles that
        were installed in the 2.8.95~2430-0ubuntu5.3 package
      - debian/apparmor.install: Install the abstractions from the
        2.10.95-0ubuntu2.5 package into /etc/apparmor.d/snap/abstractions/
      - debian/patches/14.04-profiles.patch: Preserve the 14.04 profiles and
        abstractions from the 2.8.95~2430-0ubuntu5.3 apparmor package.
      - debian/patches/conditionalize-post-release-features.patch: Disable new
        mediation features, implemented after the Ubuntu 14.04 release, unless
        the profile is for snap confinement. If the profile is for snap
        confinement, the abstractions from /etc/apparmor.d/snap/abstractions
        will be used and all of the mediation features will be enabled.
    - 14.04-add-chromium-browser.patch,
      14.04-profiles-adjust_X_for_lightdm-lp1339727.patch: Import all of the
      patches, from 14.04's 2.8.95~2430-0ubuntu5.3 apparmor package, which
      patched profiles/ and adjust them to patch profiles-14.04/ instead.
    - debian/patches/revert-r2550-and-r2551.patch: Revert two upstream changes
      to mod_apparmor which could potentially regress existing users of
      mod_apparmor in 14.04. These upstream changes are not appropriate for an

apparmor (2.10.95-0ubuntu2.5) xenial; urgency=medium

  * debian/lib/apparmor/functions, debian/apparmor.init,
    debian/apparmor.service, debian/apparmor.upstart,
    debian/lib/apparmor/profile-load: Adjust the checks that previously kept
    AppArmor policy from being loaded while booting a container. Now we
    attempt to load policy if we're in a LXD or LXC managed container that is
    using profile stacking inside of a policy namespace. (LP: #1628285)
  * Fix regression tests for stacking so that the kernel SRU process is not
    interrupted by failing tests whenever the AppArmor stacking features are
    backported from the 16.10 kernel or when the 16.04 LTS Enablement Stack
    receives a 4.8 or newer kernel
    - debian/patches/r3509-tests-fix-exec_stack-errors-1.patch: Fix the
      exec_stack.sh test when running on 4.8 or newer kernels (LP: #1628745)
    - debian/patches/r3558-tests-fix-exec_stack-errors-2.patch: Adjust the
      exec_stack.sh fix mentioned above to more accurately test kernels older
      than 4.8 (LP: #1630069)
    - debian/patches/allow-stacking-tests-to-use-system.patch: Apply this
      patch earlier in the series, as to match when it was committed upstream,
      so that the above two patches can be cherry-picked from lp:apparmor

apparmor (2.10.95-0ubuntu2.4) xenial; urgency=medium

  * debian/patches/r3505-tests-fix-stacking-mode-checks.patch: Fix failing
    regression tests so that the kernel SRU process is not interrupted by
    failing stackonexec.sh and stackprofile.sh tests (LP: #1628295)

apparmor (2.10.95-0ubuntu2.3) xenial; urgency=medium

  * debian/patches/allow-access-to-ibus-socket.patch: Adjust the ibus
    abstraction to allow access to the abstract UNIX domain socket location
    used in Ubuntu. (LP: #1580463)
  * debian/lib/apparmor/functions: Quiet the "Files ... and ... differ"
    output, during the update process, which was printed by diff. This message
    left users concerned since it mentioned md5sums files without being clear
    about what was happening. (LP: #1614215)

apparmor (2.10.95-0ubuntu2.2) xenial; urgency=medium

  * r3498-r3499-ignore-net-events-that-look-like-file-events.patch: Prevent an
    aa-logprof crash by ignoring file events that contain send *and* receive
    in the request mask. This is an improvement to the previous fix that only
    addressed events that contained send *or* receive.
    (LP: #1577051, LP: #1582374)
    - debian/rules: Create a new empty file, needed for the test added by this
      patch, since quilt is unable to do so.

apparmor (2.10.95-0ubuntu2.1) xenial; urgency=medium

  * debian/patches/r3460-ignore-file-events-with-send-or-receive-request.patch:
    Prevent an aa-logprof crash by ignoring file events that contain
    send or receive in the request mask. (LP: #1577051, LP: #1582374)
  * debian/patches/r3463-r3475-change-profile-exec-modes.patch: Allow policy
    authors to specify if the environment should be scrubbed during exec
    transitions allowed by a change_profile rule. (LP: #1584069)
  * debian/patches/r3478-make-overlapping-safe-and-unsafe-rules-conflict.patch:
    Make sure that multiple change_profile rules with overlapping safe and
    unsafe exec modes conflict when they share the same exec conditional
    (LP: #1588069)
  * debian/patches/r3488-r3489-fix-racy-onexec-test.patch: Fix racy regression
    test so that the kernel SRU process is not interrupted by the onexec.sh
    periodically failing. (LP: #1528230)
  * debian/patches/r3490-utils-handle-change-profile-exec-modes.patch: Update
    the Python utilities to handle the new exec mode keywords in
    change_profile rules. (LP: #1584069)
  * debian/patches/r3492-allow-dbus-user-session-path.patch: Allow read/write
    access to the dbus-user-session socket file in profiles that include the
    dbus-session-strict abstraction. (LP: #1604872)

apparmor (2.10.95-0ubuntu2) xenial; urgency=medium

  * debian/patches/r3435-allow-dnsmasq-access-to-lxd-bridge.patch: Grant
    access to the new default bridge configuration in LXD 2.0.0 (LP: #1566944)
  * debian/patches/r3437-add-attach-disconnected-to-dnsmasq.patch: Add the
    attach_disconnected flag to the dnsmasq profile in order to prevent a
    disconnected path denial triggered by the latest network-manager upload
    (LP: #1569316)
  * debian/lib/apparmor/functions: Reference the new path used for snapd
    AppArmor profiles to fix a bug which left those profiles unloaded after
    booting (LP: #1569573)

apparmor (2.10.95-0ubuntu1) xenial; urgency=medium

  * Update to apparmor 2.10.95 (2.11 Beta 1) (LP: #1561762)
    - Allow Apache prefork profile to chown(2) files (LP: #1210514)
    - Allow deluge-gtk and deluge-console to handle torrents opened in
      browsers (LP: #1501913)
    - Allow file accesses needed by some programs using libnl-3-200
      (Closes: #810888)
    - Allow file accesses needed on systems that use NetworkManager without
      resolvconf (Closes: #813835)
    - Adjust aa-status(8) to work without python3-apparmor (LP: #1480492)
    - Fix aa-logprof(8) crash when operating on files containing multiple
      profiles with certain rules (LP: #1528139)
    - Fix log parsing crashes, in the Python utilities, caused by certain file
      related events (LP: #1525119, LP: #1540562)
    - Fix log parsing crasher, in the Python utilities, caused by certain
      change_hat events (LP: #1523297)
    - Improve Python 2 support of the utils by fixing an aa-logprof(8) crasher
      when Python 3 is not available (LP: #1513880)
    - Send aa-easyprof(8) error messages to stderr instead of stdout
      (LP: #1521400)
    - Fix aa-autodep(8) failure when the shebang line of a script contained
      parameters (LP: #1505775)
    - Don't depend on the system logprof.conf when running utils/ build tests
      (LP: #1393979)
    - Fix apparmor_parser(8) bugs when parsing profiles that use policy
      namespaces in the profile declaration or profile transition targets
      (LP: #1540666, LP: #1544387)
    - Regression fix for apparmor_parser(8) bug that resulted in the
      --namespace-string commandline option being ignored causing profiles to
      be loaded into the root policy namespace (LP: #1526085)
    - Fix crasher regression in apparmor_parser(8) when the parser was asked
      to process a directory (LP: #1534405)
    - Fix bug in apparmor_parser(8) to honor the specified bind flags remount
      rules (LP: #1272028)
    - Support tarball generation for Coverity scans and fix a number of issues
      discovered by Coverity
    - Fix regression test failures on s390x systems (LP: #1531325)
    - Adjust expected errno values in changeprofile regression test
      (LP: #1559705)
    - The Python utils gained support for ptrace and signal rules
    - aa-exec(8) received a rewrite in C
    - apparmor_parser(8) gained support for stacking multiple profiles, as
      supported by the Xenial kernel (LP: #1379535)
    - libapparmor gained new public interfaces, aa_stack_profile(2) and
      aa_stack_onexec(2), allowing applications to utilize the new kernel
      stacking support (LP: #1379535)
  * Drop the following patches since they've been incorporated upstream:
    - aa-status-dont_require_python3-apparmor.patch
    - r3209-dnsmasq-allow-dash
    - r3227-locale-indep-capabilities-sorting.patch
    - r3277-update-python-abstraction.patch
    - r3366-networkd.patch
    - tests-fix_sysctl_test.patch
    - parser-fix-cache-file-mtime-regression.patch
    - parser-verify-cache-file-mtime.patch
    - parser-run-caching-tests-without-apparmorfs.patch
    - parser-do-cleanup-when-test-was-skipped.patch
    - parser-allow-unspec-in-network-rules.patch
  * debian/rules, debian/apparmor.install, debian/apparmor.manpages: Update
    for new upstream binutils directory and aa-enabled binary
    - Continue installing aa-exec into /usr/sbin/ for now since
      click-apparmor's aa-exec-click autopkgtest expects it to be there
  * debian/libapparmor-dev.manpages: Include the new aa_stack_profile.2 man
  * debian/patches/r3424-nscd-profile-allow-paranoia-mode.patch: Allow file
    access needed for nscd's paranoia mode
  * debian/patches/r3425-adjust-stacking-tests-version-check.patch: Adjust the
    regression test build time checks, for libapparmor stacking support, to
    look for the 2.10.95 versioning rather than 2.11
  * debian/patches/r3426-allow-debugedit-to-work-on-apparmor-parser.patch:
    Remove extra slash in the parser Makefile so that debugedit(8) can work on
    apparmor_parser(8) (LP: #1561939)
  * debian/patches/allow-stacking-tests-to-use-system.patch: Adjust the file
    rules of the new stacking tests so that the generated profiles allow the
    system binaries and libraries to be tested
  * debian/libapparmor1.symbols: update symbols file for added symbols
    in libapparmor

apparmor (2.10-3ubuntu2) xenial; urgency=medium

  * debian/patches/parser-allow-unspec-in-network-rules.patch: Allow
    apparmor_parser to support rules that use 'unspec' as the network protocol
    family. (LP: #1546455)

apparmor (2.10-3ubuntu1) xenial; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - debian/apparmor.init,apparmor.upstart,debian/lib/apparmor/functions:
      clear only the system cache if apparmor version has changed on snappy
      flavors since snappy will handle the app's cache itself
    - debian/apparmor.install: install tunables/home.d and
    - debian/apparmor-utils.dirs: install usr/bin and usr/share/apparmor
    - debian/control:
      + make libnotify-bin a Suggests rather than a Recommends since it is
        assumed to already be installed on the desktop and so server
        environments don't have to pull in a lot of X dependencies
        (LP: #1061879)
      + apparmor-easyprof in section 'admin'
      + apparmor Depends on initramfs-tools | linux-initramfs-tool [linux-any]
      + apparmor Breaks on lightdm (<< 1.11.8-0ubuntu2~),
        lxc (<< 1.1.0~alpha1-0ubuntu5~)
    - drop debian/patches/reproducible-pdf.patch (not applied in series)
  * drop debian/patches/fix-abstraction-for-python3.5.patch in favor of
  * debian/patches/series: comment out notify-group.patch
  * debian/patches/non-linux.patch: refresh
  * debian/patches/r3366-networkd.patch: use this instead of dropped Ubuntu
    lp1529074.patch for NetworkManager and networkd support

apparmor (2.10-3) unstable; urgency=medium

  * Team upload.

  [ intrigeri ]
  * Drop libapparmor-mention-dbus-method-in-getcon-man.patch (Closes: #800132)

  [ Felix Geyer ]
  * Update python abstraction for python 3.5.
    - Pull r3277-update-python-abstraction.patch from upstream

apparmor (2.10-2) unstable; urgency=medium

  [ Felix Geyer ]
  * Apply aa-status-dont_require_python3-apparmor.patch, to keep
    the hard dependencies of the apparmor binary package minimal.
  * python{,3}-apparmor: require at least the same upstream version
    of python{,3}-libapparmor.

  [ intrigeri ]
  * Drop abstractions-ubuntu-browsers.patch: integrated upstream
    (in a slightly different way).
  * debian/control: don't start short description with capital letter.
    (Closes: #795434)
  * r3227-locale-indep-capabilities-sorting.patch: cherry-pick from upstream,
    to make (more of?) the build reproducible. (Closes: #797415)
  * Merge from ubuntu-citrain up to revision 1578, that is changes brought
    by 2.10-0ubuntu3 to 2.10-0ubuntu6.
  * Upload to unstable.

apparmor (2.10-1) experimental; urgency=medium

  [ intrigeri ]
  * Merge ubuntu-citrain up to revision 1575, except:
    - previously documented changes
    - debian/patches/aa-status-dont_require_python3-apparmor.patch:
      don't apply, only relevant for Ubuntu Phone
  * debian/patches/r3209-dnsmasq-allow-dash: cherry-pick from upstream.
  * debian/patches/pass-compiler-flags.patch: refresh.
  * Update upstream signing key.
  * apparmor-utils: make the Depends on python3-apparmor versioned.
    (Closes: #785436)
  * Override the "apparmor source: usr-lib-perl5-mentioned rules" error.
    We replace usr/lib/perl5 with the corresponding multiarch path
    in debian/rules, as a consequence this file contains this string.
  * python-apparmor, python3-apparmor: add Lintian overrides for
    the extended-description-is-probably-too-short tag.
  * debian/control: stuff out a bit apparmor-utils' extended description.

  [ Felix Geyer ]
  * Add Brazilian Portuguese translation of debconf messages.
    Thanks to Adriano Rafael Gomes. (Closes: #788342)
  * Use dh_apparmor from this source package for apparmor-profiles.
    (Closes: #656451)
  * Make debian/rules safer:
    - Add set -e to loops.
    - Use "&&" when chaining shell commands.

apparmor (2.10-0ubuntu12) xenial; urgency=medium

  * Call systemd-detect-virt instead of the Ubuntu specific
    running-in-container wrapper. (LP: #1539016)

apparmor (2.10-0ubuntu11) xenial; urgency=medium

  * No-change rebuild to drop python3.4 support.

apparmor (2.10-0ubuntu10) xenial; urgency=medium

  * debian/patches/lp1529074.patch: for systems using networkd, add read on
    /run/systemd/resolve/resolv.conf (LP: #1529074)

apparmor (2.10-0ubuntu9) xenial; urgency=medium

  * No change rebuild for perl 5.22

apparmor (2.10-0ubuntu8) xenial; urgency=medium

  * debian/patches/fix-abstraction-for-python3.5.patch: adjust python
    abstraction for python 3.5

apparmor (2.10-0ubuntu7) xenial; urgency=medium

  * debian/apparmor.init,apparmor.upstart: clear only the system cache if
    apparmor version has changed on snappy flavors since snappy will handle
    the app's cache itself
  * debian/lib/apparmor/functions:
    - compile /var/lib/snappy/apparmor/profiles policy
    - add compare_previous_version()
    - refactor clear_cache()
    - compare_and_save_debsums() checks if $PROFILES_VAR exists

apparmor (2.10-0ubuntu6) wily; urgency=medium

  * debian/libapparmor-dev.manpages: add 5 missing libapparmor manpages
    (LP: #1491147, LP: #1384431)

apparmor (2.10-0ubuntu4) wily; urgency=medium

  * Rebuild against python3.5.

apparmor (2.10-0ubuntu3) wily; urgency=medium

  * debian/patches/parser-fix-cache-file-mtime-regression.patch: Fix a bug
    that resulted in the mtime of generated policy cache files to be set
    incorrectly. The mtime of cache files should be the newest mtime detected
    on the profile and abstraction files used to generate the policy cache
    file. However, the bug caused the mtime of the policy cache file to either
    not be updated or to be updated to an incorrect time. (LP: #1484178)
  * debian/patches/parser-verify-cache-file-mtime.patch: Add tests to verify
    that the policy cache file's mtime is being set correctly and that cache
    handling is correct when the profile or abstraction files are newer than
    the policy cache file.
  * debian/patches/parser-run-caching-tests-without-apparmorfs.patch,
    debian/patches/parser-do-cleanup-when-test-was-skipped.patch: Enable the
    caching tests to run on the buildds even though apparmorfs isn't mounted.

apparmor (2.10-0ubuntu2) wily; urgency=medium

  * debian/patches/aa-status-dont_require_python3-apparmor.patch:
    make aa-status(8) work even when python3-apparmor is not installed,
    otherwise dh_apparmor postinst snippets can fail (LP: #1480492)
  * debian/control: make apparmor-utils depend on the same package
    version of python3-apparmor

apparmor (2.10-0ubuntu1) wily; urgency=medium

  * Update to apparmor 2.10
    - libapparmor added functions to ease loading profile cache files to
      help support systemd on-demand load of policy (LP: #1385414)
    - apparmor parser: fixed policy generation to allow matching
      embedded NULs in abstract unix socket names (LP: #1413410)
    - aa-status: don't traceback when not permitted to read current
      set of apparmor policy (LP: #1466768)
    - aa-logprof: don't crash on policies that have an #include of a
      directory (LP: #1471425)
    - aa-logprof: fix crash when network rejections occur when file
      operations are performed on network sockets (LP: #1466812)
  * dropped reproducible-pdf.patch, incorporated upstream
  * debian/patches/tests-fix_sysctl_test.patch: fix sysctl test failure
    with 4.1 kernel and newer.
  * debian/control: add alternate dependency on linux-initramfs-tool
    (LP: #1109029)
  * debian/libapparmor1.symbols: update symbols file for added symbols
    in libapparmor

apparmor (2.9.2-0ubuntu2) wily; urgency=medium

  * No-change rebuild for python3.5 transition

apparmor (2.9.2-0ubuntu1) wily; urgency=medium

  * Update to apparmor 2.9.2
    - Fix minitools to work with multiple profiles at once (LP: #1378095)
    - Parse mounts that have non-ascii UTF-8 chars (LP: #1310598)
    - Update dovecot profiles (LP: #1296667)
    - Allow ubuntu-helpers to build texlive fonts (LP: #1010909)
  * dropped patches incorporated upstream:
    add-mir-abstraction-lp1422521.patch, systemd-dev-log-lp1413232.patch
    GDM_X_authority-lp1432126.patch, and
  * Partial merge with debian apparmor package:
    - debian/rules: enable the bindnow hardening flag during build.
    - debian/upstream/signing-key.asc: add new upstream public
      signing key
    - debian/watch: fix watch file, add gpg signature checking
    - install libapparmor.so dev symlink under /usr not /lib
    - debian/patches/reproducible-pdf.patch: make techdoc.pdf
      reproducible even in face of timezone variations.
    - debian/control: sync fields
    - debian/debhelper/postrm-apparmor: remove
      /etc/apparmor.d/{disable,} on package purge
    - debian/libapache2-mod-apparmor.postrm: on package purge, delete
      /etc/apparmor.d/{,disable} if empty
    - debian/libapparmor1.symbols: Use Build-Depends-Package in the
      symbols file.
    - debian/copyright: sync

apparmor (2.9.1-0ubuntu9) vivid; urgency=medium

  * Make debian/lib/apparmor/profile-load executable.

apparmor (2.9.1-0ubuntu8) vivid; urgency=medium

  [ Steve Beattie ]
  * debian/rules: run make check on the libapparmor library
  * add-chromium-browser.patch: add support for chromium policies
    (LP: #1419294)
  * debian/apparmor.{init,upstart}: add support for triggering
    aa-profile-hook runs when packages are updated via snappy system
    image updates (LP: #1434143)
  * parser-fix_modifier_compilation_+_tests.patch: fix compilation
    of audit modifiers for exec and pivot_root and deny modifiers on
    link rules as well as significantly expand related tests
    (LP: #1431717, LP: #1432045, LP: #1433829)
  * tests-fix_systemd_breakage_in_pivot_root-lp1436109.patch: work
    around pivot_root test failures due to init=systemd (LP: #1436109)
  * GDM_X_authority-lp1432126.patch: add location GDM creates Xauthority
    file to X abstraction (LP: #1432126)

  [ Jamie Strandboge ]
  * easyprof-framework-policy.patch: add --include-templates-dir and
    --include-policy-groups-dir options to easyprof to support framework
    policy on snappy

  [ Robie Basak ]
  * Add /lib/apparmor/profile-load; moved from
    /lib/init/apparmor-profile-load from the upstart package. A wrapper at
    the original path is now provided by init-system-helpers. (LP: #1432683)

apparmor (2.9.1-0ubuntu7) vivid; urgency=medium

  * systemd-dev-log-lp1413232.patch: Allow writes to the systemd journal
    socket /{,var}/run/systemd/journal/dev-log. This can be dropped with
    AppArmor 2.9.2. (LP: #1413232)

apparmor (2.9.1-0ubuntu6) vivid; urgency=medium

  * add-mir-abstractions-lp1422521.patch: add correct location of
    mir specific libraries and mir unprivileged client socket
    to mir abstraction (LP: #1422521)

apparmor (2.9.1-0ubuntu5) vivid; urgency=medium

  * debian/apparmor.init: Replace unnecessary $remote_fs dependency with
    $local_fs. This is sufficient as during boot we don't use anything from
    /usr. It's also necessary to avoid dependency cycles when using NFS (as
    its dependencies should be covered by AppArmor). (LP: #1312976)

apparmor (2.9.1-0ubuntu4) vivid; urgency=medium

  * Update to apparmor 2.9.1
    - make parser mount rule options consistent with documentation
      (LP: #1401619)
    - make parser fail if unknown mount options are encountered
      (LP: #1401621)
    - stop aa-logprof from asking about already allowed network rules
      (LP: #1380367)
    - make utils offer abstractions for network rules (LP: #1380367)
    - make libapparmor understand logs generated by syslog-ng
      (LP: #1399027)
    - stop python utilities from adding duplicate quotes (LP: #1328707)
    - work around aa-cleanprof crashes (LP: #1382236)
    - other bug fixes, performance improvements, and testcases added to
      the python utils.
    - policy updates for dnsmasq, nscd, and others
    - translation updates
  * Partial sync with debian apparmor package:
    - debian/apparmor-profiles.install: add additional dovecot and
      smbldap-useradd profiles
    - debian/control: fix typo in apparmor-docs description, fix file
      overwrite issues with python-apparmor, apparmor-docs
    - debian/rules: improved repeat-build cleanup logic.
    - Add Turkish translation of debconf messages. Thanks to
      Mert Dirik <mertdirik at gmail.com> for the patch!
    - debian/apparmor.postrm: Remove
      /var/lib/apparmor/profiles/.apparmor.md5sums and parent
      directories on package purge.
  * add-mir-abstractions-lp1422521.patch: add mir abstraction to cover
    mir specific libraries (LP: #1422521)
  * debian/rules: remove no longer needed references to PERLDIR when
    installing from utils/

apparmor (2.8.98-0ubuntu4) vivid; urgency=medium

  * Ship libapparmor in /lib instead of /usr as we want to use it in systemd
    now. (LP: #1397960)

apparmor (2.8.98-0ubuntu3) vivid; urgency=medium

  * debian/lib/apparmor/functions: disable expr tree simplification for
    /var/lib/apparmor/profiles (LP: #1383858)
  * parser-dont-skip-read-cache-with-optimizations.patch: don't skip read
    cache when specifying '-O' (LP: #1385947)

apparmor (2.8.98-0ubuntu2) utopic; urgency=medium

  * Updated to apparmor 2.9.beta4 (aka apparmor 2.8.98)
    - fix logparsing memory leak (LP: #1340927)
    - incorporate fixes to regression testsuite to compensate for
      af_unix mediation, as well as extend test coverage
      (LP: #1375403, LP: #1375516)
    - fix libapparmor's log parsing code to accept additional rejection
      types (LP: #1375413)
    - fix X abstraction for changed lightdm xauthority file locations
      (LP: #1339727)
    - parser: disable downgrade and not enforced rule messages
      by default (LP: #1302735)
    - fix error when using regex profile names in IPC rules
      (LP: #1373085)
    - update base abstraction for /proc/sys/kernel/cap_last_cap for dnsmasq
      (LP: #1378977)
    - update freedesktop.org for @{HOME}/.config/mimeapps.list (LP: #1377140)
    - update gnome abstraction for access to @/dbus-vfs-daemon/socket-*
      (LP: #1375067)
    - update ubuntu-browsers.d/java abstraction for icedtea plugin access
      in /{,var/}run/user/*/icedteaplugin-* (LP: #1293439)
    - update user-mail abstraction for /var/mail (LP: #1192965)
    - updates and fixes to the python utilities
    - translation updates

  [ Steve Beattie ]
  * Removed upstreamed patches:
    fix_socketpair_tests.patch, sanitized-helpers-updates.patch,
    10-lp1371771.patch, 11-lp1371765.patch,
  * refreshed etc-writable.patch and libapparmor-layout-deb.patch
  * debian/control: add breaks on python3-apparmor against older
    apparmor-utils that used to be where python bits lived
    (LP: #1373259)
  * debian/apport/source_apparmor.py:
   - fixes the apparmor apport hook so it does not raise an exception if
     a non-unicode character is found in /var/log/kern.log or in
     /var/log/syslog. This should work under python3 or python2.7
     (LP: #1304447)
   - adjusts the add_info() function to take the expected additional ui
     argument, though it has no need for it.
   - converts the log parsing code to use with statements so as not to
     leak open file descriptors
   - updates the set of packages to query to see if installed and if so,
     report the version of.
   - adjust import to make pyflakes job easier
   - minor pep8 cleanups

  [ Jamie Strandboge ]
  * add-chromium-browser.patch:
    - don't allow writing to the oom score and adjust files since this allows
      chromium to change the values for any process matching our UID
    - allow writing to /run/shm/shmfd-*
    - add a few signal rules from base abstraction for the sandbox
  * debian/apparmor.upstart: check if click-apparmor md5sums changed so we
    regenerate the policy if it changes too (LP: #1371574)
  * debian/apparmor.init: make corresponding upstart change to initscript
  * debian/lib/apparmor/functions: fall back to using -n1 if the parser failed
    to load a profile set. This should be removed when the parser properly
    handles profile sets with corrupted profiles (LP: #1377338)
  * debian/control: fix typo (LP: #1187447)

apparmor (2.8.96~2652-0ubuntu7) utopic; urgency=medium

  * add-chromium-browser.patch: use addr=none instead of peer=(addr=none)
    (LP: #1374363)

apparmor (2.8.96~2652-0ubuntu6) utopic; urgency=medium

  * lp1169881.patch: add /usr/bin/gnome-gmail to ubuntu-email (LP: #1169881)
  * debian/control: update Breaks on lxc 1.1.0~alpha1-0ubuntu5~ (LP: #1373555)

apparmor (2.8.96~2652-0ubuntu5) utopic; urgency=medium

  [ Jamie Strandboge ]
  * sanitized-helpers-updates.patch: update ubuntu-helpers for unix mediation
  * 10-lp1371771.patch: don't exit prematurely and fail to load remaining
    policy if we encounter a corrupt cache file (LP: #1371771)
  * 11-lp1371765.patch: if a cache load fails, attempt to rebuild and load it
    (LP: #1371765)
  * debian/lib/apparmor/functions:
    - don't return 0 on parsing failure. Patch thanks to Felix Geyer
      (LP: #1370228)
    - use xargs -n1 when we don't have cache files, but omit it when we do.
      This allows taking full advantage of xargs -P when we need it most,
      without the cost when we don't.

  [ Steve Beattie ]
  * update_socketpair_tests_for_af_unix.patch,
    fix_socketpair_tests.patch: update socketpair regression tests for
    af_unix socket mediation

apparmor (2.8.96~2652-0ubuntu4) utopic; urgency=medium

  * debian/apparmor.{upstart,init}: make sure we always update the .md5sums
    for apparmor-easyprof-ubuntu even when apparmor is updated (before if both
    were updated, aa-clickhook -f would be run on the 1st and 2nd boot rather
    than just the 1st)
  * debian/apparmor.postinst: update the cached .md5sums file on upgrade to
    avoid running on install and then again on first boot after upgrade. This
    change only affects apt upgrades and not system-image upgrades since
    system-image upgrades always use the existing .md5sums if they exist (see
  * ubuntu-manpage-updates.patch: adjust for move to upstart job and click
  * debian/lib/apparmor/functions: don't pass costly '-n1' to xargs in
    foreach_configured_profile() when loading valid cache files. This used to
    be needed when apparmor_parser would generate different binary caches when
    compiling policy one profile at a time and all at once. That bug is long
    fixed and removing -n1 gives a significant performance improvement for
    boots with valid cache files (~65% on armhf)

apparmor (2.8.96~2652-0ubuntu3) utopic; urgency=medium

  * 08-phpsysinfo-policy-updates.patch: update for new phpsysinfo on Ubuntu
  * 09-apache2-policy-instructions.patch: update for recent Debian/Ubuntu
  * debian/control: update Breaks for apparmor-easyprof-ubuntu, libvirt-bin,
    and lightdm. Add Breaks on rsyslog.

apparmor (2.8.96~2652-0ubuntu2) utopic; urgency=medium

  * 07-parser-fix_local_perms.patch: do not output local permissions for rules
    that have peer_conditionals. Patch from John Johansen

apparmor (2.8.96~2652-0ubuntu1) utopic; urgency=medium

  * Updated to r2652 snapshot of 2.8.96 (LP: #1362199, LP: #1341152)

  [ Steve Beattie ]
  * removed upstreamed patches:
    - dnsmasq-libvirtd-signal-ptrace.patch
    - update-base-abstraction-for-signals-and-ptrace.patch
    - update-nameservice-abstraction-for-extrausers.patch
  - debian/apparmor-profiles.install: dropped program-chunks/postfix-common,
    moved to abstractions/ and covered by apparmor.install
  - refreshed libapparmor-layout-deb.patch patch
  * Add in Tyler Hicks' regression test improvements:
    - 01-tests-unix_socket_lists.patch,
    - 02-tests-accept_unix_rules_in_mkprofile.patch,
    - 03-tests-unix_sockets_v7_pathnames.patch,
    - 04-tests-migrate_from_poll_to_sockio_timeout.patch,
    - 05-tests-add_abstract_socket_tests.patch,
  * 07-parser-fix_local_perms.patch: do not output local permissions
    for rules that have peer_conditionals

  [ Jamie Strandboge ]
  * add-chromium-browser.patch: update for unix socket mediation
  * drop-peer_addr-with-local-addr-in-base.patch: don't use peer=(addr=none)
    with getattr, getopt, setopt and shutdown

  [ Tyler Hicks ]
  * debian/lib/apparmor/functions, debian/apparmor.init,
    debian/apparmor.upstart: Ensure system policy cache cannot become stale
    after image based upgrades that update the system profiles (LP: #1350673)
  * parser-include-usr-share-apparmor.patch, debian/apparmor.install: Adjust
    the default parser.conf file, to add /usr/share/apparmor as an additional
    search path when resolving include directives in profiles, and install the
    file in /etc/apparmor. Ubuntu places hardware specific access rules in
    /usr/share/apparmor/hardware. This change allows these files to be
    included without using an absolute path (e.g.,
    '#include <hardware/graphics.d>').

apparmor (2.8.96~2541-0ubuntu3.1) utopic; urgency=medium

  * Updates for perl 5.20 multiarch transition
    - debian/libapparmor-perl.install: don't hardcode usr/lib/perl5 but
      instead use $Config{vendorarch} in an executable install file. Make it
    - debian/control: Build-Depends on debhelper (>= 9) (9 is needed to use
      an executable install file)
    - debian/patches/perl-multiarch.patch:
      + add @{multiarch} paths to perl abstraction
      + update logprof.conf, severity.db and corresponding tests for updated
        perl path

apparmor (2.8.96~2541-0ubuntu2) utopic; urgency=medium

  * update-nameservice-abstraction-for-extrausers.patch: update nameservice
    abstraction to allow passwd and group when using libnss-extrausers

apparmor (2.8.96~2541-0ubuntu1) utopic; urgency=medium

  * Updated to r2541 snapshot of 2.8.96:
    - removed upstreamed patches: convert-to-rules.patch, list-fns.patch,
      parse-mode.patch, add-decimal-interp.patch, policy_mediates.patch,
      fix-failpath.patch, feature_file.patch, fix-network.patch,
      aare-to-class.patch, add-mediation-unix.patch, parser_version.patch,
      caching.patch, label-class.patch, fix-lexer-debug.patch,
      use-diff-encode.patch, fix-serialize.patch,
      fix-ppc-endian-ftbfs.patch, opt_arg.patch, tests-cond-dbus.patch,
      initialize-mount-flags.patch, fix-typo-in-dbus_write.patch,
      limited-mount-rule-support.patch, bare-capability-rule-support.patch,
      check-config-for-sysctl.patch, increase-swap-size.patch,
      test-v6-policy.patch, test-mount-mediation.patch,
      mediate-signals.patch, change-signal-syntax.patch,
      mediate-ptrace.patch, change-ptrace-syntax.patch,
      test-signal-rules.patch, test-ptrace-rules.patch,
      symtab-tests-and-seenlist-bug.patch, add-profile-name-variable.patch,
      fix-names-treated-as-condlistid.patch, manpage-signal-ptrace.patch,
      python-utils-file-support.patch, python-utils-signal-support.patch,
  * Added upstart job (LP: #1305108)
    - debian/apparmor.upstart: new upstart job.
    - debian/apparmor.init: added click handling, move some code to
    - debian/lib/apparmor/functions: add unload_obsolete_profiles().
    - debian/apparmor.postinst, debian/apparmor-profiles.postinst: reload
      profiles directly since invoke-rc.d won't allow us to do this easily
      with upstart and systemd jobs.
    - debian/rules: pass --no-start to dh_installinit since we're handling
      reloading profiles manually in the postinst scripts.
    - debian/control: add a versioned apparmor Depends to the
      apparmor-profiles package to make sure the required tools are
      installed for the postinst script.

Date: 2016-12-01 21:54:11.414430+00:00
Changed-By: Tyler Hicks <tyhicks at canonical.com>
Signed-By: Robie Basak <robie.basak at canonical.com>