Changelog
apparmor (2.13.2-10) unstable; urgency=medium

  * Don't load AppArmor policy when running in a Debian Live environment
    that uses overlayfs (Closes: #922378).
    Rationale: the storage stack set up by live-boot with overlayfs
    is not supported by our AppArmor policy at the moment, resulting
    in breakage of confined software such as Evince and LibreOffice.
  * Ship nvidia_modprobe in enforce mode (Closes: #923273).
    - Rationale: as explained by Seth Arnold <email address hidden>
      on #923273#32, profiles in complain mode can chew up essentially
      unlimited amounts of non-swappable kernel memory and huge amounts
      of IO bandwidth logging ALLOWED messages, which can in turn
      use large amounts of storage. This is why Ubuntu has applied this change
      already for their upcoming release.
    - Scope of this change: in Buster, this profile is used in one single place
      — the usr.lib.libreoffice.program.soffice.bin profile — for which it was
      developed and tested in the first place. So the risk and potential
      problematic impact of this change seems pretty low.
  * Cherry-pick the most important and non-invasive fixes
    from the upstream apparmor-2.13 maintenance branch:
    - base abstraction: allow mr on *.so* in common library paths,
      i.e. don't assume all common libraries' names start with "lib".
      At the very least, this fixes Qt5 applications under some
      VirtualBox graphics configuration, where otherwise they would
      not start at all (Closes: Tails#16414).
      Upstream commits: 8dff7dc, 08f9d16
    - Fix 2 segfaults spotted upstream while writing automated tests
      for the multicache support (upstream MR!348):
      · in overlaydirat_for_each, segfault caused by repeatedly freeing
        the same memory area;
      · when loading policy cache files, due to incorrect size passed
        to qsort().
      Upstream commits: 5704fba, 01aec04

 -- intrigeri <email address hidden>  Sat, 30 Mar 2019 13:23:11 +0000
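The "don't load policy under live-boot with overlayfs" decision from the first entry, as an added shell illustration that is not the apparmor package's own init code. The two indicators it keys on (boot=live on the kernel command line and an overlay filesystem mounted on /) and the function names are assumptions of this example, and the input files it reads are constructed rather than captured from a real system.

```shell
#!/bin/sh
# Added illustration of the changelog's "skip policy load under live-boot with
# overlayfs" decision. Not the apparmor package's own code; the two indicators
# checked here (boot=live on the kernel command line, an overlay filesystem
# mounted on /) are assumptions for this example.

# is_live_overlayfs CMDLINE_FILE MOUNTS_FILE -> exit 0 if both indicators hold.
is_live_overlayfs() {
    cmdline="$1"
    mounts="$2"
    # live-boot passes boot=live; split on whitespace and match whole words.
    tr ' ' '\n' < "$cmdline" | grep -qsx 'boot=live' || return 1
    # /proc/mounts format: "<source> <mountpoint> <fstype> <options> 0 0".
    awk '$2 == "/" && $3 == "overlay" { found = 1 } END { exit !found }' "$mounts"
}

# decide CMDLINE_FILE MOUNTS_FILE -> prints the action an init script would take.
decide() {
    if is_live_overlayfs "$1" "$2"; then
        echo "skip"
    else
        echo "load"
    fi
}

# Constructed sample inputs (not captured from a real system).
tmpdir="$(mktemp -d)"
trap 'rm -rf "$tmpdir"' EXIT
printf 'BOOT_IMAGE=/live/vmlinuz boot=live components quiet splash\n' \
    > "$tmpdir/cmdline.live"
printf 'BOOT_IMAGE=/boot/vmlinuz root=UUID=0000-constructed ro quiet\n' \
    > "$tmpdir/cmdline.installed"
cat > "$tmpdir/mounts.live" <<'EOF'
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
overlay / overlay rw,noatime,lowerdir=/run/live/rootfs/filesystem.squashfs/,upperdir=/run/live/overlay/rw,workdir=/run/live/overlay/work 0 0
EOF
cat > "$tmpdir/mounts.installed" <<'EOF'
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
EOF

# Stand-alone run: show the decision for each constructed system.
echo "live system:      $(decide "$tmpdir/cmdline.live" "$tmpdir/mounts.live")"
echo "installed system: $(decide "$tmpdir/cmdline.installed" "$tmpdir/mounts.installed")"
```

Both indicators must be present before policy loading is skipped, so an installed system that merely has some overlay mount elsewhere, or a live command line with a plain ext4 root, still loads policy.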