Package: apparmor / 2.13.4-3

Metadata

Package: apparmor
Version: 2.13.4-3
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
upstream commit 1244b81 limit expr tree simplification passes.patch

parser/libapparmor_re/expr-tree.cc | 7 4 + 3 - 0 !
1 file changed, 4 insertions(+), 3 deletions(-)

 parser: limit the number of passes expr tree simplification does


upstream commit 0d5ab43 rc.apparmor.functions drop module loading support.patch

parser/rc.apparmor.functions | 42 8 + 34 - 0 !
1 file changed, 8 insertions(+), 34 deletions(-)

 rc.apparmor.functions: drop module loading support

The apparmor kernel "module" has not been a loadable module for more
than a decade; it must be built into the kernel and due to configuration
requirements it will never go back to being a loadable module.

Remove the long unfunctioning load_module support from the init script.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/257
Signed-off-by: John Johansen <john.johansen@canonical.com>

upstream commit 94ff870 remove subdomainfs support.patch

changehat/mod_apparmor/mod_apparmor.pod | 2 1 + 1 - 0 !
parser/Makefile | 6 1 + 5 - 0 !
parser/apparmor.pod | 2 1 + 1 - 0 !
parser/apparmor_parser.pod | 4 2 + 2 - 0 !
parser/parser_include.c | 68 5 + 63 - 0 !
parser/rc.apparmor.functions | 98 3 + 95 - 0 !
parser/subdomain.conf | 53 0 + 53 - 0 !
parser/subdomain.conf.pod | 104 0 + 104 - 0 !
tests/stress/apparmor/Makefile | 24 24 + 0 - 0 !
tests/stress/apparmor/change_hat.c | 51 51 + 0 - 0 !
tests/stress/apparmor/change_hat.profile.pre | 24 24 + 0 - 0 !
tests/stress/apparmor/child.c | 35 35 + 0 - 0 !
tests/stress/apparmor/child.profile.pre | 12 12 + 0 - 0 !
tests/stress/apparmor/kill.sh | 19 19 + 0 - 0 !
tests/stress/apparmor/open.c | 34 34 + 0 - 0 !
tests/stress/apparmor/open.profile.pre | 15 15 + 0 - 0 !
tests/stress/apparmor/s-2.4.20.sh | 18 18 + 0 - 0 !
tests/stress/apparmor/s.sh | 18 18 + 0 - 0 !
tests/stress/apparmor/sh.profile.pre | 24 24 + 0 - 0 !
tests/stress/apparmor/stress.sh | 20 20 + 0 - 0 !
tests/stress/apparmor/stress.sh-2.4.20 | 18 18 + 0 - 0 !
tests/stress/apparmor/uservars.inc | 42 42 + 0 - 0 !
tests/stress/subdomain/Makefile | 24 0 + 24 - 0 !
tests/stress/subdomain/change_hat.c | 51 0 + 51 - 0 !
tests/stress/subdomain/change_hat.profile.pre | 24 0 + 24 - 0 !
tests/stress/subdomain/child.c | 35 0 + 35 - 0 !
tests/stress/subdomain/child.profile.pre | 12 0 + 12 - 0 !
tests/stress/subdomain/kill.sh | 20 0 + 20 - 0 !
tests/stress/subdomain/open.c | 34 0 + 34 - 0 !
tests/stress/subdomain/open.profile.pre | 15 0 + 15 - 0 !
tests/stress/subdomain/s-2.4.20.sh | 19 0 + 19 - 0 !
tests/stress/subdomain/s.sh | 19 0 + 19 - 0 !
tests/stress/subdomain/sh.profile.pre | 24 0 + 24 - 0 !
tests/stress/subdomain/stress.sh | 21 0 + 21 - 0 !
tests/stress/subdomain/stress.sh-2.4.20 | 19 0 + 19 - 0 !
tests/stress/subdomain/uservars.inc | 42 0 + 42 - 0 !
utils/apparmor/config.py | 2 1 + 1 - 0 !
37 files changed, 368 insertions(+), 684 deletions(-)

 remove subdomainfs support

It has been over 10 years since the transition from subdomainfs to
using securityfs. Let's drop this deprecated code.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/258
Signed-off-by: John Johansen <john.johansen@canonical.com>

upstream commit 3a89e98 Remove traces of aa eventd.patch

parser/rc.apparmor.functions | 2 0 + 2 - 0 !
1 file changed, 2 deletions(-)

 remove traces of aa-eventd

aa-eventd and its initscripts were moved to deprecated/ in 2014 and
didn't get any serious updates for several more years, so it's most
probably useless and/or broken nowadays.

This also means we don't need to keep the AA_EV_BIN and AA_EV_PIDFILE
variables in rc.apparmor.functions anymore.

upstream commit 7ba8dc7 Drop APPARMOR_ENABLE_AAEVENTD.patch

parser/rc.apparmor.functions | 2 0 + 2 - 0 !
1 file changed, 2 deletions(-)

 drop apparmor_enable_aaeventd

This is another trace of aa-eventd, which has been deprecated for years.

upstream mr 252 Make rc.apparmor.functions suitable for Debian and Ubuntu.patch

parser/rc.apparmor.functions | 217 125 + 92 - 0 !
1 file changed, 125 insertions(+), 92 deletions(-)

 make rc.apparmor.functions suitable for debian and ubuntu

upstream mr 464 Mesa_i915_perf_interface.patch

profiles/apparmor.d/abstractions/mesa | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 abstractions/mesa: allow checking if the kernel supports the i915
 perf interface

On current Debian sid, applications that use mesa need this access.

upstream mr 465 fix build with make 4.3.patch

common/Make.rules | 34 0 + 34 - 0 !
common/list_af_names.sh | 19 19 + 0 - 0 !
common/list_capabilities.sh | 14 14 + 0 - 0 !
parser/Makefile | 15 6 + 9 - 0 !
utils/Makefile | 2 1 + 1 - 0 !
utils/test/test-network.py | 2 1 + 1 - 0 !
utils/vim/create-apparmor.vim.py | 6 3 + 3 - 0 !
7 files changed, 44 insertions(+), 48 deletions(-)

 fix build with make 4.3


lp1824812.patch

parser/rc.apparmor.functions | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 set sfs_mountpoint in is_container_with_internal_policy() since it

Bug: https://launchpad.net/bugs/1824812

Avoid blhc CPPFLAGS missing false positive.patch

libraries/libapparmor/src/Makefile.am | 2 1 + 1 - 0 !
libraries/libapparmor/src/Makefile.in | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

 avoid blhc "cppflags missing" false positive.


upstream commit 1f319c3 systemd userdbd compat.patch

profiles/apparmor.d/abstractions/nameservice | 5 5 + 0 - 0 !
1 file changed, 5 insertions(+)

 abstractions/nameservice: allow accessing /run/systemd/userdb/

On systems with systemd 245, nss-systemd additionally queries NSS records from systemd-userdbd.service. See https://systemd.io/USER_GROUP_API/ .

(cherry picked from commit 16f9f6885aff84123c0b52197f435e40d656c0e4)
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/82
Signed-off-by: nl6720 <nl6720@gmail.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

Patch slightly edited to avoid depending on the @{run} tunable,
that's not available in any upstream release yet.

debian/add debian integration to lighttpd.patch

profiles/apparmor/profiles/extras/usr.sbin.lighttpd | 10 10 + 0 - 0 !
1 file changed, 10 insertions(+)

 add entries for lighttpd to work in a debian/ubuntu install

debian/libapparmor layout deb.patch

libraries/libapparmor/swig/python/Makefile.am | 2 1 + 1 - 0 !
utils/Makefile | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

 always install python modules in the proper location when creating

deb files

debian/etc writable.patch

profiles/apparmor.d/abstractions/base | 1 1 + 0 - 0 !
profiles/apparmor.d/abstractions/ubuntu-browsers.d/java | 2 2 + 0 - 0 !
profiles/apparmor/profiles/extras/usr.lib.firefox.firefox | 1 1 + 0 - 0 !
3 files changed, 4 insertions(+)

 allow reading time configuration from /etc/writable,
 as we have it on the phone.

debian/allow access to ibus socket.patch

profiles/apparmor.d/abstractions/ibus | 14 14 + 0 - 0 !
1 file changed, 14 insertions(+)

 allow access to the ubuntu-specific path for ibus-daemon

im-config, in Ubuntu, was modified to start the ibus-daemon with the
"--address 'unix:tmpdir=/tmp/ibus'" command line option. It previously
used a UNIX domain socket path that was indistinguishable from the
session bus daemon's path. This patch adjusts the ibus abstraction so
that access to the new path can be granted to confined ibus-daemon
client applications.

Later updated for ibus 1.5.22, due to LP: #1856738

Bug-Ubuntu: https://launchpad.net/bugs/1580463

debian/Enable writing cache.patch

parser/rc.apparmor.functions | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 enable writing cache.


debian/Make the systemd unit a no op in containers with no inter.patch

parser/apparmor.systemd | 14 14 + 0 - 0 !
1 file changed, 14 insertions(+)

 make the systemd unit a no-op in containers with no internal policy.


debian/smbd include snippet generated at runtime.patch

profiles/apparmor.d/usr.sbin.smbd | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 smbd: include snippet generated at runtime


debian/dont include site local with dovecot.patch

profiles/apparmor.d/usr.lib.dovecot.anvil | 2 1 + 1 - 0 !
profiles/apparmor.d/usr.lib.dovecot.auth | 2 1 + 1 - 0 !
profiles/apparmor.d/usr.lib.dovecot.config | 2 1 + 1 - 0 !
profiles/apparmor.d/usr.lib.dovecot.deliver | 2 1 + 1 - 0 !
profiles/apparmor.d/usr.lib.dovecot.dict | 2 1 + 1 - 0 !
profiles/apparmor.d/usr.lib.dovecot.dovecot-auth | 2 1 + 1 - 0 !
profiles/apparmor.d/usr.lib.dovecot.dovecot-lda | 2 1 + 1 - 0 !
profiles/apparmor.d/usr.lib.dovecot.imap | 2 1 + 1 - 0 !
profiles/apparmor.d/usr.lib.dovecot.imap-login | 2 1 + 1 - 0 !
profiles/apparmor.d/usr.lib.dovecot.lmtp | 2 1 + 1 - 0 !
profiles/apparmor.d/usr.lib.dovecot.log | 2 1 + 1 - 0 !
profiles/apparmor.d/usr.lib.dovecot.managesieve | 2 1 + 1 - 0 !
profiles/apparmor.d/usr.lib.dovecot.managesieve-login | 2 1 + 1 - 0 !
profiles/apparmor.d/usr.lib.dovecot.pop3 | 2 1 + 1 - 0 !
profiles/apparmor.d/usr.lib.dovecot.pop3-login | 2 1 + 1 - 0 !
profiles/apparmor.d/usr.lib.dovecot.ssl-params | 2 1 + 1 - 0 !
profiles/apparmor.d/usr.lib.dovecot.stats | 2 1 + 1 - 0 !
profiles/apparmor.d/usr.sbin.dovecot | 2 1 + 1 - 0 !
18 files changed, 18 insertions(+), 18 deletions(-)

 don't include /etc/apparmor.d/local in the dovecot extra profiles

since the directory may not exist (breaks QRT)

debian only/pin feature set.patch

parser/parser.conf | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 pin the apparmor feature set to the one shipped by the apparmor
 package

Let's smooth UX on kernel upgrades and allow ourselves to update the AppArmor
policy in a relaxed manner.
Bug-Debian: https://bugs.debian.org/879584

debian only/aa notify point to Debian documentation.patch

utils/notify.conf | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 aa-notify: point to debian documentation

debian only/Document which AppArmor features are not supported on Deb.patch

parser/apparmor.d.pod | 12 12 + 0 - 0 !
1 file changed, 12 insertions(+)

 document which apparmor features are not supported on debian

Bug-Debian: https://bugs.debian.org/807369