Package: apparmor / 2.13.2-10

Metadata

Package: apparmor
Version: 2.13.2-10
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description

upstream commit 1244b81 limit expr tree simplification passes.patch

parser/libapparmor_re/expr-tree.cc | 7 4 + 3 - 0 !
1 file changed, 4 insertions(+), 3 deletions(-)

 parser: limit the number of passes expr tree simplification does


upstream commit 0d5ab43 rc.apparmor.functions drop module loading support.patch

parser/rc.apparmor.functions | 42 8 + 34 - 0 !
1 file changed, 8 insertions(+), 34 deletions(-)

 rc.apparmor.functions: drop module loading support

The apparmor kernel "module" has not been a loadable module for more
than a decade; it must be built into the kernel and, due to configuration
requirements, it will never go back to being a loadable module.

Remove the long unfunctioning load_module support from the init script.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/257
Signed-off-by: John Johansen <john.johansen@canonical.com>

upstream commit 94ff870 remove subdomainfs support.patch

changehat/mod_apparmor/mod_apparmor.pod | 2 1 + 1 - 0 !
parser/Makefile | 6 1 + 5 - 0 !
parser/apparmor.pod | 2 1 + 1 - 0 !
parser/apparmor_parser.pod | 4 2 + 2 - 0 !
parser/parser_include.c | 68 5 + 63 - 0 !
parser/rc.apparmor.functions | 98 3 + 95 - 0 !
parser/subdomain.conf | 53 0 + 53 - 0 !
parser/subdomain.conf.pod | 104 0 + 104 - 0 !
tests/stress/apparmor/Makefile | 24 24 + 0 - 0 !
tests/stress/apparmor/change_hat.c | 51 51 + 0 - 0 !
tests/stress/apparmor/change_hat.profile.pre | 24 24 + 0 - 0 !
tests/stress/apparmor/child.c | 35 35 + 0 - 0 !
tests/stress/apparmor/child.profile.pre | 12 12 + 0 - 0 !
tests/stress/apparmor/kill.sh | 19 19 + 0 - 0 !
tests/stress/apparmor/open.c | 34 34 + 0 - 0 !
tests/stress/apparmor/open.profile.pre | 15 15 + 0 - 0 !
tests/stress/apparmor/s-2.4.20.sh | 18 18 + 0 - 0 !
tests/stress/apparmor/s.sh | 18 18 + 0 - 0 !
tests/stress/apparmor/sh.profile.pre | 24 24 + 0 - 0 !
tests/stress/apparmor/stress.sh | 20 20 + 0 - 0 !
tests/stress/apparmor/stress.sh-2.4.20 | 18 18 + 0 - 0 !
tests/stress/apparmor/uservars.inc | 42 42 + 0 - 0 !
tests/stress/subdomain/Makefile | 24 0 + 24 - 0 !
tests/stress/subdomain/change_hat.c | 51 0 + 51 - 0 !
tests/stress/subdomain/change_hat.profile.pre | 24 0 + 24 - 0 !
tests/stress/subdomain/child.c | 35 0 + 35 - 0 !
tests/stress/subdomain/child.profile.pre | 12 0 + 12 - 0 !
tests/stress/subdomain/kill.sh | 20 0 + 20 - 0 !
tests/stress/subdomain/open.c | 34 0 + 34 - 0 !
tests/stress/subdomain/open.profile.pre | 15 0 + 15 - 0 !
tests/stress/subdomain/s-2.4.20.sh | 19 0 + 19 - 0 !
tests/stress/subdomain/s.sh | 19 0 + 19 - 0 !
tests/stress/subdomain/sh.profile.pre | 24 0 + 24 - 0 !
tests/stress/subdomain/stress.sh | 21 0 + 21 - 0 !
tests/stress/subdomain/stress.sh-2.4.20 | 19 0 + 19 - 0 !
tests/stress/subdomain/uservars.inc | 42 0 + 42 - 0 !
utils/apparmor/config.py | 2 1 + 1 - 0 !
37 files changed, 368 insertions(+), 684 deletions(-)

 remove subdomainfs support

It has been over 10 years since the transition from subdomainfs to
using securityfs. Let's drop this deprecated code.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/258
Signed-off-by: John Johansen <john.johansen@canonical.com>

upstream commit 3a89e98 Remove traces of aa eventd.patch

parser/rc.apparmor.functions | 2 0 + 2 - 0 !
1 file changed, 2 deletions(-)

 remove traces of aa-eventd

aa-eventd and its initscripts have been moved to deprecated/ in 2014 and
didn't get any serious updates for several more years, so it's most
probably useless and/or broken nowadays.

This also means we don't need to keep the AA_EV_BIN and AA_EV_PIDFILE
variables in rc.apparmor.functions anymore.

upstream commit 7ba8dc7 Drop APPARMOR_ENABLE_AAEVENTD.patch

parser/rc.apparmor.functions | 2 0 + 2 - 0 !
1 file changed, 2 deletions(-)

 drop apparmor_enable_aaeventd

This is another trace of aa-eventd, which has been deprecated for years.

upstream mr 252 Make rc.apparmor.functions suitable for Debian and Ubuntu.patch

parser/rc.apparmor.functions | 217 125 + 92 - 0 !
1 file changed, 125 insertions(+), 92 deletions(-)

 make rc.apparmor.functions suitable for debian and ubuntu

upstream commit 29f1260 Make tunables share play well with aliases.patch

profiles/apparmor.d/tunables/share | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 make tunables/share play well with aliases.

This reverts commit aa3022208f539978f137c918ede01c80cacd8567.

Space-separated lists of values don't play well with aliases.
For example, in Tails, despite this alias rule:

  alias / -> /lib/live/mount/rootfs/*.squashfs/,

… the Tor Browser profile denies access to
/lib/live/mount/rootfs/filesystem.squashfs/usr/share/mime/mime.cache, which
should be equivalent to /usr/share/mime/mime.cache. That's fixed by using
alternations instead; too bad they're less readable.

Possibly related:
https://bugs.launchpad.net/apparmor/+bug/888077
https://bugs.launchpad.net/apparmor/+bug/1703692

Cherry-picked from master branch: a91d199ab1da3004cf3744d7087a32c91097a16e.

upstream commit 86974e6 mesa allow reading drirc.d.patch

profiles/apparmor.d/abstractions/mesa | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 mesa: allow reading drirc.d


upstream commit 2d8d2f0 Move drirc.d access to dri common abstraction.patch

profiles/apparmor.d/abstractions/dri-common | 1 1 + 0 - 0 !
profiles/apparmor.d/abstractions/mesa | 1 0 + 1 - 0 !
2 files changed, 1 insertion(+), 1 deletion(-)

 move drirc.d access to dri-common abstraction

Commit b5be5964609b4e0927af7c9e4f0276e50ccdc3e3 added ability to read
/usr/share/drirc.d/ directory to mesa abstraction.

This seems to be a mistake, as it was noted that not all GUI
applications that need access to drirc.d also need all the mesa-related
rules (including writing caches).

upstream commit 7a91411 Support dehydrated default path in Debian.patch

profiles/apparmor.d/abstractions/ssl_certs | 7 4 + 3 - 0 !
profiles/apparmor.d/abstractions/ssl_keys | 2 1 + 1 - 0 !
2 files changed, 5 insertions(+), 4 deletions(-)

 support dehydrated default path in debian


upstream commit bae9410 Update font paths.patch

profiles/apparmor.d/abstractions/fonts | 4 3 + 1 - 0 !
1 file changed, 3 insertions(+), 1 deletion(-)

 update font paths


upstream commit 0016e02 dnsmasq allow peer libvirtd to support named profile.patch

profiles/apparmor.d/usr.sbin.dnsmasq | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 dnsmasq: allow peer=libvirtd to support named profile


upstream commit 9dbb1bc audio Fix alsa settings access.patch

profiles/apparmor.d/abstractions/audio | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 audio: fix alsa settings access


upstream mr 320 audio abstraction grant read access to the system wide as.patch

profiles/apparmor.d/abstractions/audio | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 audio abstraction: grant read access to the system-wide asound.conf.

Bug-Debian: https://bugs.debian.org/920669

upstream mr 320 audio abstraction grant read access to the libao configur.patch

profiles/apparmor.d/abstractions/audio | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 audio abstraction: grant read access to the libao configuration
 files.

Bug-Debian: https://bugs.debian.org/920670

upstream commit aae838f Update kde abstraction for common settings.patch

profiles/apparmor.d/abstractions/kde | 8 8 + 0 - 0 !
1 file changed, 8 insertions(+)

 update kde abstraction for common settings

Add rules to allow reading common KDE-specific settings, used mostly by
native KDE file dialog.

upstream commit dc3b73d kde fix global settings access for Kubuntu and openSUSE.patch

profiles/apparmor.d/abstractions/kde | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 kde: fix global settings access for kubuntu and opensuse

On Kubuntu, these denies are being produced:
```
type=AVC msg=audit(1549301888.419:91): apparmor="DENIED" operation="open"
profile="qtox"
name="/usr/share/kubuntu-default-settings/kf5-settings/kdeglobals" pid=1603
comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

type=AVC msg=audit(1549301964.008:126): apparmor="DENIED" operation="open"
profile="qtox" name="/usr/share/kubuntu-default-settings/kf5-settings/breezerc"
pid=1822 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

type=AVC msg=audit(1549302031.194:155): apparmor="DENIED" operation="open"
profile="qtox"
name="/usr/share/kubuntu-default-settings/kf5-settings/baloofilerc" pid=1899
comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
```

Meanwhile, on openSUSE:
```
type=AVC msg=audit(1549302286.921:205): apparmor="DENIED" operation="open" profile="qtox" name="/etc/xdg/kdeglobals" pid=12781 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
```

Add read only rules for allowing access to global KDE settings.

upstream commit 6fd3abe vulkan allow reading etc vulkan icd.d.patch

profiles/apparmor.d/abstractions/vulkan | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 vulkan: allow reading /etc/vulkan/icd.d/

See merge request apparmor/apparmor!329

upstream commit f75ec6f usr merge fixups.patch

tests/regression/apparmor/mkprofile.pl | 4 2 + 2 - 0 !
tests/regression/apparmor/ptrace.sh | 21 12 + 9 - 0 !
tests/regression/apparmor/ptrace_v5.inc | 118 59 + 59 - 0 !
tests/regression/apparmor/ptrace_v6.inc | 488 244 + 244 - 0 !
utils/test/fake_ldd | 2 1 + 1 - 0 !
utils/test/test-aa.py | 10 5 + 5 - 0 !
6 files changed, 323 insertions(+), 320 deletions(-)

 usr merge fixups

Debian and Ubuntu have releases coming out with usr-merge in place. For
these systems, /bin and /sbin are symlinks to their respective /usr
directories. This breaks a few tests in the python utils and in the
regression tests. This patch series fixes them, mostly by performing
realpath() calls when necessary. For the ptrace regression test,
it copies the called /bin/true binary into the created temporary
directory and executes it from there. (Good for other reasons, too.)

(cherry picked from commit b4ab8476e4721b922d2de193b9203bba0c192bf9)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>

upstream commit 394d086 parser Fix parser failing to handle errors when setting u.patch

parser/parser.h | 14 12 + 2 - 0 !
parser/parser_main.c | 57 42 + 15 - 0 !
2 files changed, 54 insertions(+), 17 deletions(-)

 parser: fix parser failing to handle errors when setting up work

The parser is not correctly handling some error conditions when
dealing with work units. Failures to spawn work, access files, etc.
should be returned where appropriate, and should be able to abort processing
if abort_on_error is set.

In addition some errors are leading to a direct exit without checking
for abort_on_error.

BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921866
BugLink: http://bugs.launchpad.net/bugs/1815294

Signed-off-by: John Johansen <john.johansen@canonical.com>

upstream mr 344 tunables share fix buggy syntax that broke the .local sha.patch

profiles/apparmor.d/tunables/share | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 tunables/share: fix buggy syntax that broke the ~/.local/share part
 of the @{user_share_dirs} tunable

Fixes regression introduced in a91d199ab1da3004cf3744d7087a32c91097a16e.

Bug: https://bugs.launchpad.net/apparmor/+bug/1816470
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920833, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921888

upstream commit 5704fba library fix segfault in overlaydirat_for_each.patch

libraries/libapparmor/src/private.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 library: fix segfault in overlaydirat_for_each

(cherry picked from commit abbca9435f4ca427f73176e2dd2500819e491662)
Signed-off-by: John Johansen <john.johansen@canonical.com>

upstream commit 01aec04 libapparmor Fix segfault when loading policy cache files.patch

libraries/libapparmor/src/private.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 libapparmor: fix segfault when loading policy cache files

qsort()'s _size_ parameter is used to indicate the size of the elements
in the _base_ array parameter. Adjust the third argument to qsort() to
indicate that we're dealing with an array of struct dirent pointers
rather than an array of struct dirent.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/348
(cherry picked from commit 8b218718204062efa2dd093d95d2b05e0d722f92)
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

upstream commit 8dff7dc base abstraction allow mr on .so in common library paths.patch

profiles/apparmor.d/abstractions/base | 10 4 + 6 - 0 !
1 file changed, 4 insertions(+), 6 deletions(-)

 base abstraction: allow mr on *.so* in common library paths.

For example, VirtualBox guests have /usr/lib/VBoxOGL.so.

Without this change, in a VirtualBox VM with VBoxVGA graphics,
at least one Qt5 application (OnionShare) won't start and display:

  ImportError: libGL.so.1: failed to map segment from shared object

… and the system logs have:

  apparmor="DENIED" operation="file_mmap" profile="/usr/bin/onionshare-gui" name="/usr/lib/VBoxOGL.so" pid=11415 comm="onionshare-gui" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0

Meanwhile, this works fine with VBoxSVGA and VMSVGA when 3D acceleration is enabled.

So let's not assume all libraries have a name that starts with "lib".

PR: https://gitlab.com/apparmor/apparmor/merge_requests/345
(cherry picked from commit 5cbb7df95ef241725b327bccfb5aa21f8be14695)
Signed-off-by: John Johansen <john.johansen@canonical.com>

upstream commit 08f9d16 Adjust tests to match base abstraction update.patch

utils/test/test-aa.py | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 adjust tests to match base abstraction update.

Since !345 the set of permissions that are granted (get_file_perms_2)
or suggested (propose_file_rules) has changed. These new sets are
expected due to the changes brought by this MR, so let's adjust
the test suite accordingly.

(cherry picked from commit 0170e98f9c7342a614bbda5ce9e64a1444f47413)
PR: https://gitlab.com/apparmor/apparmor/merge_requests/358
Signed-off-by: John Johansen <john.johansen@canonical.com>

debian/add debian integration to lighttpd.patch

profiles/apparmor/profiles/extras/usr.sbin.lighttpd | 10 10 + 0 - 0 !
1 file changed, 10 insertions(+)

 add entries for lighttpd to work in a debian/ubuntu install

debian/libapparmor layout deb.patch

libraries/libapparmor/swig/python/Makefile.am | 2 1 + 1 - 0 !
utils/Makefile | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

 always install python modules in the proper location when creating
 deb files

debian/etc writable.patch

profiles/apparmor.d/abstractions/base | 1 1 + 0 - 0 !
profiles/apparmor.d/abstractions/ubuntu-browsers.d/java | 2 2 + 0 - 0 !
profiles/apparmor/profiles/extras/usr.lib.firefox.firefox | 1 1 + 0 - 0 !
3 files changed, 4 insertions(+)

 allow reading time configuration from /etc/writable,
 as we have it on the phone.

debian/allow access to ibus socket.patch

profiles/apparmor.d/abstractions/ibus | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 allow access to the ubuntu-specific path for ibus-daemon

im-config, in Ubuntu, was modified to start the ibus-daemon with the
"--address 'unix:tmpdir=/tmp/ibus'" command line option. It previously
used a UNIX domain socket path that was indistinguishable from the
session bus daemon's path. This patch adjusts the ibus abstraction so
that access to the new path can be granted to confined ibus-daemon
client applications.
Bug-Ubuntu: https://launchpad.net/bugs/1580463

debian/non linux.patch

common/Make.rules | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 allow parser to build even when not on linux.


debian/Enable writing cache.patch

parser/rc.apparmor.functions | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 enable writing cache.


debian/Make the systemd unit a no op in containers with no inter.patch

parser/apparmor.systemd | 14 14 + 0 - 0 !
1 file changed, 14 insertions(+)

 make the systemd unit a no-op in containers with no internal policy.


debian/dnsmasq revert own profile name and libvirt s.patch

profiles/apparmor.d/usr.sbin.dnsmasq | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 dnsmasq: revert own profile name and libvirt's.

The libvirtd profile expects the dnsmasq one to be called /usr/sbin/dnsmasq,
let's revert to this for now. Symmetrically, the libvirtd profile is called

debian/smbd include snippet generated at runtime.patch

profiles/apparmor.d/usr.sbin.smbd | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 smbd: include snippet generated at runtime


debian only/pin feature set.patch

parser/parser.conf | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 pin the apparmor feature set to the one shipped by the apparmor
 package

Let's smooth UX on kernel upgrades and allow ourselves to update the AppArmor
policy in a relaxed manner.
Bug-Debian: https://bugs.debian.org/879584

debian only/aa notify point to Debian documentation.patch

utils/notify.conf | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 aa-notify: point to debian documentation

debian only/Document which AppArmor features are not supported on Deb.patch

parser/apparmor.d.pod | 12 12 + 0 - 0 !
1 file changed, 12 insertions(+)

 document which apparmor features are not supported on debian

Bug-Debian: https://bugs.debian.org/807369