Package: apparmor / 2.11.0-3+deb9u2

Metadata

Package: apparmor
Version: 2.11.0-3+deb9u2
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
pin feature set.patch

parser/parser.conf | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 pin the apparmor feature set to the one shipped by the apparmor package
 .
 Let's smooth UX on kernel upgrades and allow ourselves to update the AppArmor
 policy in a relaxed manner.
Bug-Debian: https://bugs.debian.org/879585
notify group.patch

utils/notify.conf | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 the group for reading /var/log/kern.log is "adm", not "admin".
add debian integration to lighttpd.patch

profiles/apparmor/profiles/extras/usr.sbin.lighttpd | 10 10 + 0 - 0 !
1 file changed, 10 insertions(+)

 add entries for lighttpd to work in a debian/ubuntu install
ubuntu manpage updates.patch

parser/apparmor.pod | 65 62 + 3 - 0 !
1 file changed, 62 insertions(+), 3 deletions(-)

 adjust apparmor(5) to describe policy load on ubuntu
Bug-Ubuntu: https://launchpad.net/bugs/974089
Forward: no (Ubuntu specific)


libapparmor layout deb.patch

libraries/libapparmor/swig/python/Makefile.am | 2 1 + 1 - 0 !
utils/Makefile | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

 always install python modules in the proper location when creating
 deb files
etc writable.patch

profiles/apparmor.d/abstractions/base | 1 1 + 0 - 0 !
profiles/apparmor.d/abstractions/ubuntu-browsers.d/java | 2 2 + 0 - 0 !
profiles/apparmor/profiles/extras/usr.lib.firefox.firefox | 1 1 + 0 - 0 !
3 files changed, 4 insertions(+)

 allow reading time configuration from /etc/writable, as we have it on the phone.
parser include usr share apparmor.patch

parser/parser.conf | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 resolve includes for hardware specific accesses directory
 When using the #include directive in an AppArmor profile, the parser should
 search /usr/share/apparmor in addition to /etc/apparmor.d.
 .
 This is needed because Ubuntu places hardware specific access rules in
 /usr/share/apparmor/hardware.
 .
 Note that the addition of this search path may result in namespace collisions
 among the two include directories.
parser dont skip read cache with optimizations.patch

parser/parser_main.c | 2 0 + 2 - 0 !
1 file changed, 2 deletions(-)

 when specifying '-o' to the parser, it skips reading the cache.
 On Ubuntu, due to LP: #1383858 we want to use no-expr-simplify, but also use
 the cache if it is there.
allow access to ibus socket.patch

profiles/apparmor.d/abstractions/ibus | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 allow access to the ubuntu-specific path for ibus-daemon
 im-config, in Ubuntu, was modified to start the ibus-daemon with the
 "--address 'unix:tmpdir=/tmp/ibus'" command line option. It previously
 used a UNIX domain socket path that was indistinguishable from the
 session bus daemon's path. This patch adjusts the ibus abstraction so
 that access to the new path can be granted to confined ibus-daemon
 client applications.
utils add aa remove unknown.patch

utils/Makefile | 2 1 + 1 - 0 !
utils/aa-remove-unknown | 104 104 + 0 - 0 !
utils/aa-remove-unknown.pod | 51 51 + 0 - 0 !
3 files changed, 156 insertions(+), 1 deletion(-)

 utils: add aa-remove-unknown utility to unload unknown profiles
 .
 https://launchpad.net/bugs/1668892
 .
 This patch creates a new utility, with the code previously used in the
 init script 'restart' action, that removes unknown profiles which are
 not found in /etc/apparmor.d/. The functionality was removed from the
 common init script code in the fix for CVE-2017-6507.
 .
 The new utility prints a message containing the name of each unknown
 profile before the profiles are removed. It also supports a dry run mode
 so that an administrator can check which profiles will be removed before
 unloading any unknown profiles.
 .
 If you backport this utility with the fix for CVE-2017-6507 to an
 apparmor 2.10 release and your backported aa-remove-unknown utility is
 sourcing the upstream rc.apparmor.functions file, you'll want to include
 the following bug fix to prevent the aa-remove-unknown utility from
 removing child profiles that it shouldn't remove:
 .
   r3440 - Fix: parser: incorrect output of child profile names
 .
 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
pass compiler flags.patch

changehat/pam_apparmor/Makefile | 2 1 + 1 - 0 !
libraries/libapparmor/swig/perl/Makefile.PL.in | 1 1 + 0 - 0 !
parser/Makefile | 2 1 + 1 - 0 !
3 files changed, 3 insertions(+), 2 deletions(-)

 pass ldflags fully into build.
raise test timeout.patch

parser/tst/simple.pl | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 raises the self-test timeout to 4 minutes for really slow machines.
non linux.patch

common/Make.rules | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 allow parser to build even when not on linux.