Package: apparmor / 2.13.3-5

Metadata

Package | Version | Patches format
apparmor | 2.13.3-5 | 3.0 (quilt)

Patch series

Patch File delta Description
upstream commit 1244b81 limit expr tree simplification passes.patch

parser/libapparmor_re/expr-tree.cc | 7 4 + 3 - 0 !
1 file changed, 4 insertions(+), 3 deletions(-)

 parser: limit the number of passes expr tree simplification does


upstream commit 0d5ab43 rc.apparmor.functions drop module loading support.patch

parser/rc.apparmor.functions | 42 8 + 34 - 0 !
1 file changed, 8 insertions(+), 34 deletions(-)

 rc.apparmor.functions: drop module loading support

The apparmor kernel "module" has not been a loadable module for more
than a decade; it must be built into the kernel, and due to configuration
requirements it will never go back to being a loadable module.

Remove the long unfunctioning load_module support from the init script.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/257
Signed-off-by: John Johansen <john.johansen@canonical.com>

upstream commit 94ff870 remove subdomainfs support.patch

changehat/mod_apparmor/mod_apparmor.pod | 2 1 + 1 - 0 !
parser/Makefile | 6 1 + 5 - 0 !
parser/apparmor.pod | 2 1 + 1 - 0 !
parser/apparmor_parser.pod | 4 2 + 2 - 0 !
parser/parser_include.c | 68 5 + 63 - 0 !
parser/rc.apparmor.functions | 98 3 + 95 - 0 !
parser/subdomain.conf | 53 0 + 53 - 0 !
parser/subdomain.conf.pod | 104 0 + 104 - 0 !
tests/stress/apparmor/Makefile | 24 24 + 0 - 0 !
tests/stress/apparmor/change_hat.c | 51 51 + 0 - 0 !
tests/stress/apparmor/change_hat.profile.pre | 24 24 + 0 - 0 !
tests/stress/apparmor/child.c | 35 35 + 0 - 0 !
tests/stress/apparmor/child.profile.pre | 12 12 + 0 - 0 !
tests/stress/apparmor/kill.sh | 19 19 + 0 - 0 !
tests/stress/apparmor/open.c | 34 34 + 0 - 0 !
tests/stress/apparmor/open.profile.pre | 15 15 + 0 - 0 !
tests/stress/apparmor/s-2.4.20.sh | 18 18 + 0 - 0 !
tests/stress/apparmor/s.sh | 18 18 + 0 - 0 !
tests/stress/apparmor/sh.profile.pre | 24 24 + 0 - 0 !
tests/stress/apparmor/stress.sh | 20 20 + 0 - 0 !
tests/stress/apparmor/stress.sh-2.4.20 | 18 18 + 0 - 0 !
tests/stress/apparmor/uservars.inc | 42 42 + 0 - 0 !
tests/stress/subdomain/Makefile | 24 0 + 24 - 0 !
tests/stress/subdomain/change_hat.c | 51 0 + 51 - 0 !
tests/stress/subdomain/change_hat.profile.pre | 24 0 + 24 - 0 !
tests/stress/subdomain/child.c | 35 0 + 35 - 0 !
tests/stress/subdomain/child.profile.pre | 12 0 + 12 - 0 !
tests/stress/subdomain/kill.sh | 20 0 + 20 - 0 !
tests/stress/subdomain/open.c | 34 0 + 34 - 0 !
tests/stress/subdomain/open.profile.pre | 15 0 + 15 - 0 !
tests/stress/subdomain/s-2.4.20.sh | 19 0 + 19 - 0 !
tests/stress/subdomain/s.sh | 19 0 + 19 - 0 !
tests/stress/subdomain/sh.profile.pre | 24 0 + 24 - 0 !
tests/stress/subdomain/stress.sh | 21 0 + 21 - 0 !
tests/stress/subdomain/stress.sh-2.4.20 | 19 0 + 19 - 0 !
tests/stress/subdomain/uservars.inc | 42 0 + 42 - 0 !
utils/apparmor/config.py | 2 1 + 1 - 0 !
37 files changed, 368 insertions(+), 684 deletions(-)

 remove subdomainfs support

It has been over 10 years since the transition from subdomainfs to
using securityfs. Let's drop this deprecated code.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/258
Signed-off-by: John Johansen <john.johansen@canonical.com>

upstream commit 3a89e98 Remove traces of aa eventd.patch

parser/rc.apparmor.functions | 2 0 + 2 - 0 !
1 file changed, 2 deletions(-)

 remove traces of aa-eventd

aa-eventd and its initscripts have been moved to deprecated/ in 2014 and
didn't get any serious updates for several more years, so it's most
probably useless and/or broken nowadays.

This also means we don't need to keep the AA_EV_BIN and AA_EV_PIDFILE
variables in rc.apparmor.functions anymore.

upstream commit 7ba8dc7 Drop APPARMOR_ENABLE_AAEVENTD.patch

parser/rc.apparmor.functions | 2 0 + 2 - 0 !
1 file changed, 2 deletions(-)

 drop APPARMOR_ENABLE_AAEVENTD

This is another trace of aa-eventd, which has been deprecated for years.

upstream mr 252 Make rc.apparmor.functions suitable for Debian and Ubuntu.patch

parser/rc.apparmor.functions | 217 125 + 92 - 0 !
1 file changed, 125 insertions(+), 92 deletions(-)

 make rc.apparmor.functions suitable for debian and ubuntu

lp1824812.patch

parser/rc.apparmor.functions | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 set sfs_mountpoint in is_container_with_internal_policy() since it
 is sometimes called before is_apparmor_loaded()
Bug: https://launchpad.net/bugs/1824812

Avoid blhc CPPFLAGS missing false positive.patch

libraries/libapparmor/src/Makefile.am | 2 1 + 1 - 0 !
libraries/libapparmor/src/Makefile.in | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

 avoid blhc "CPPFLAGS missing" false positive.


upstream mr 419 Xwayland vs recent mutter.patch

profiles/apparmor.d/abstractions/X | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 abstractions/X: allow reading the xauth file mutter passes to
 Xwayland.

Bug-Debian: https://bugs.debian.org/935058

debian/add debian integration to lighttpd.patch

profiles/apparmor/profiles/extras/usr.sbin.lighttpd | 10 10 + 0 - 0 !
1 file changed, 10 insertions(+)

 add entries for lighttpd to work in a debian/ubuntu install

debian/libapparmor layout deb.patch

libraries/libapparmor/swig/python/Makefile.am | 2 1 + 1 - 0 !
utils/Makefile | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

 always install python modules in the proper location when creating
 deb files

debian/etc writable.patch

profiles/apparmor.d/abstractions/base | 1 1 + 0 - 0 !
profiles/apparmor.d/abstractions/ubuntu-browsers.d/java | 2 2 + 0 - 0 !
profiles/apparmor/profiles/extras/usr.lib.firefox.firefox | 1 1 + 0 - 0 !
3 files changed, 4 insertions(+)

 allow reading time configuration from /etc/writable,
 as we have it on the phone.

debian/allow access to ibus socket.patch

profiles/apparmor.d/abstractions/ibus | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 allow access to the ubuntu-specific path for ibus-daemon

im-config, in Ubuntu, was modified to start the ibus-daemon with the
"--address 'unix:tmpdir=/tmp/ibus'" command line option. It previously
used a UNIX domain socket path that was indistinguishable from the
session bus daemon's path. This patch adjusts the ibus abstraction so
that access to the new path can be granted to confined ibus-daemon
client applications.
Bug-Ubuntu: https://launchpad.net/bugs/1580463

debian/non linux.patch

common/Make.rules | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 allow parser to build even when not on linux.


debian/Enable writing cache.patch

parser/rc.apparmor.functions | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 enable writing cache.


debian/Make the systemd unit a no op in containers with no inter.patch

parser/apparmor.systemd | 14 14 + 0 - 0 !
1 file changed, 14 insertions(+)

 make the systemd unit a no-op in containers with no internal policy.


debian/smbd include snippet generated at runtime.patch

profiles/apparmor.d/usr.sbin.smbd | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 smbd: include snippet generated at runtime


debian/dont include site local with dovecot.patch

profiles/apparmor.d/usr.lib.dovecot.anvil | 2 1 + 1 - 0 !
profiles/apparmor.d/usr.lib.dovecot.auth | 2 1 + 1 - 0 !
profiles/apparmor.d/usr.lib.dovecot.config | 2 1 + 1 - 0 !
profiles/apparmor.d/usr.lib.dovecot.deliver | 2 1 + 1 - 0 !
profiles/apparmor.d/usr.lib.dovecot.dict | 2 1 + 1 - 0 !
profiles/apparmor.d/usr.lib.dovecot.dovecot-auth | 2 1 + 1 - 0 !
profiles/apparmor.d/usr.lib.dovecot.dovecot-lda | 2 1 + 1 - 0 !
profiles/apparmor.d/usr.lib.dovecot.imap | 2 1 + 1 - 0 !
profiles/apparmor.d/usr.lib.dovecot.imap-login | 2 1 + 1 - 0 !
profiles/apparmor.d/usr.lib.dovecot.lmtp | 2 1 + 1 - 0 !
profiles/apparmor.d/usr.lib.dovecot.log | 2 1 + 1 - 0 !
profiles/apparmor.d/usr.lib.dovecot.managesieve | 2 1 + 1 - 0 !
profiles/apparmor.d/usr.lib.dovecot.managesieve-login | 2 1 + 1 - 0 !
profiles/apparmor.d/usr.lib.dovecot.pop3 | 2 1 + 1 - 0 !
profiles/apparmor.d/usr.lib.dovecot.pop3-login | 2 1 + 1 - 0 !
profiles/apparmor.d/usr.lib.dovecot.ssl-params | 2 1 + 1 - 0 !
profiles/apparmor.d/usr.lib.dovecot.stats | 2 1 + 1 - 0 !
profiles/apparmor.d/usr.sbin.dovecot | 2 1 + 1 - 0 !
18 files changed, 18 insertions(+), 18 deletions(-)

 don't include /etc/apparmor.d/local in the dovecot extra profiles
 since the directory may not exist (breaks QRT)

debian only/pin feature set.patch

parser/parser.conf | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 pin the apparmor feature set to the one shipped by the apparmor
 package

Let's smooth UX on kernel upgrades and allow ourselves to update the AppArmor
policy in a relaxed manner.
Bug-Debian: https://bugs.debian.org/879584

debian only/aa notify point to Debian documentation.patch

utils/notify.conf | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 aa-notify: point to debian documentation

debian only/Document which AppArmor features are not supported on Deb.patch

parser/apparmor.d.pod | 12 12 + 0 - 0 !
1 file changed, 12 insertions(+)

 document which apparmor features are not supported on debian

Bug-Debian: https://bugs.debian.org/807369