Change log for apparmor package in Ubuntu
| 1 → 75 of 397 results | First • Previous • Next • Last |
| Published in oracular-release |
| Published in noble-release |
| Deleted in noble-proposed (Reason: Moved to noble) |
apparmor (4.0.0-beta3-0ubuntu3) noble; urgency=medium * No-change rebuild for CVE-2024-3094 -- Steve Langasek <email address hidden> Sun, 31 Mar 2024 07:27:03 +0000
Available diffs
apparmor (4.0.0-beta3-0ubuntu2) noble; urgency=medium
* d/apparmor.install
- install new profiles
- geary
- goldendict
- kchmviewer
- loupe
- notepadqq
- pageedit
- privacybrowser
- qmapshack
- qutebrowser
- rssguard
- scide
- tuxedo-control-center
- unix-chkpwd
Available diffs
| Superseded in noble-proposed |
apparmor (4.0.0~beta2-0ubuntu3) noble; urgency=medium
* Add fix for failing mount rule tests
- d/p/u/Minor-improvements-for-MountRule.patch
Available diffs
| Published in jammy-proposed |
apparmor (3.0.4-2ubuntu2.4) jammy-security; urgency=medium * SECURITY UPDATE: Excessive permissions with mount rules (LP: #1597017) - d/p/CVE-2016-1585/Merge-Fix-mount-rules-encoding.patch: fix mount rules encoding in parser/mount.cc, parser/mount.h, parser/parser.h and fix multiple test cases in parser/tst/simple_tests/mount/*. - d/p/CVE-2016-1585/Support-rule-qualifiers-in-regression-tests.patch: update rule qualifiers in regression tests in tests/regression/apparmor/mkprofile.pl and tests/regression/apparmor/capabilities.sh. - d/p/CVE-2016-1585/Merge-expand-mount-tests.patch: expand mount regression tests in tests/regression/apparmor/mount.c, tests/regression/apparmor/mount.sh and tests/regression/apparmor/mkprofile.pl. - d/p/CVE-2016-1585/Check-for-newer-mount-options-in-regression-test.patch: add check for newer mount options in regression tests in tests/regression/apparmor/Makefile, tests/regression/apparmor/mount.c and tests/regression/apparmor/mount.sh. - d/p/CVE-2016-1585/Merge-Issue-312-added-missing-kernel-mount-options.patch: add missing kernel mount options flag in parser/apparmor.d.pod, parser/mount.cc, parser/mount.h, tests/regression/apparmor/mount.sh and parser/tst/simple_tests/mount/*. - d/p/CVE-2016-1585/Merge-extend-test-profiles-for-mount.patch: update test profiles in parser/tst/simple_tests/mount/*. - d/p/CVE-2016-1585/Merge-parser-fix-parsing-of-source-as-mount-point-fo.patch: update gen_policy_change_mount_type() in parser/mount.cc and also updated tests on parser/tst/simple_tests/mount/* and tests/regression/apparmor/mount.sh. - d/p/CVE-2016-1585/parser-Deprecation-warning-should-not-have-been-back.patch: remove deprecation warning message in parser/mount.cc. - d/p/CVE-2016-1585/parser-fix-rule-flag-generation-change_mount-type-ru.patch: add device checks in gen_flag_rules() in parser/mount.cc and tests in parser/tst/simple_tests/mount/*, parser/tst/equality.sh, tests/regression/apparmor/mount.sh and utils/test/test-parser-simple-tests.py. - CVE-2016-1585 -- Rodrigo Figueiredo Zaiden <email address hidden> Tue, 06 Mar 2024 15:35:00 -0300
Available diffs
- diff from 3.0.4-2ubuntu2.3 (in Ubuntu) to 3.0.4-2ubuntu2.4 (22.2 KiB)
- diff from 3.0.4-2ubuntu3 to 3.0.4-2ubuntu2.4 (pending)
| Published in focal-proposed |
apparmor (2.13.3-7ubuntu5.4) focal-security; urgency=medium * SECURITY UPDATE: Excessive permissions with mount rules (LP: #1597017) - d/p/CVE-2016-1585/parser-Fix-expansion-of-variables-in-unix-rules-addr.patch: add calls to filter_slashes() in parser/af_unix.cc, make it external in parser/parser.h and change it to void in parser/parser_regex.c. - d/p/CVE-2016-1585/parser-enable-variable-expansion-for-mount-type-and-.patch: add variable expansion with expand_entry_variables() in parser/mount.cc. - d/p/CVE-2016-1585/parser-call-filter-slashes-for-mount-conditionals.patch: add calls to filter_slashes() in parser/mount.cc. - d/p/CVE-2016-1585/Support-rule-qualifiers-in-regression-tests.patch: update rule qualifiers in regression tests in tests/regression/apparmor/mkprofile.pl and tests/regression/apparmor/capabilities.sh. - d/p/CVE-2016-1585/Merge-Fix-mount-rules-encoding.patch: fix mount rules encoding in parser/mount.cc, parser/mount.h, parser/parser.h and fix multiple test cases in parser/tst/simple_tests/mount/*. - d/p/CVE-2016-1585/Merge-expand-mount-tests.patch: expand mount regression tests in tests/regression/apparmor/Makefile, tests/regression/apparmor/mount.c, tests/regression/apparmor/mount.sh and tests/regression/apparmor/mkprofile.pl. - d/p/CVE-2016-1585/Merge-Issue-312-added-missing-kernel-mount-options.patch: add missing kernel mount options flag in parser/apparmor.d.pod, parser/mount.cc, parser/mount.h, tests/regression/apparmor/mount.sh and parser/tst/simple_tests/mount/*. - d/p/CVE-2016-1585/Merge-extend-test-profiles-for-mount.patch: update test profiles in parser/tst/simple_tests/mount/*. - d/p/CVE-2016-1585/Merge-parser-fix-parsing-of-source-as-mount-point-fo.patch: update gen_policy_change_mount_type() in parser/mount.cc and also updated tests on parser/tst/simple_tests/mount/* and tests/regression/apparmor/mount.sh. - d/p/CVE-2016-1585/parser-fix-rule-flag-generation-change_mount-type-ru.patch: add device checks in gen_flag_rules() in parser/mount.cc and tests in parser/tst/simple_tests/mount/*, parser/tst/equality.sh, tests/regression/apparmor/mount.sh and utils/test/test-parser-simple-tests.py. - d/p/CVE-2016-1585/Fix-build-failure-in-df4ed537e-allow-reading-of-etc-.patch: remove the WARN_DEPRECATED flag in pwarn call in parser/mount.cc. - d/p/CVE-2016-1585/parser-Deprecation-warning-should-not-have-been-back.patch: remove deprecation warning message in parser/mount.cc. - CVE-2016-1585 -- Rodrigo Figueiredo Zaiden <email address hidden> Tue, 06 Mar 2024 15:40:00 -0300
Available diffs
- diff from 2.13.3-7ubuntu5.3 (in Ubuntu) to 2.13.3-7ubuntu5.4 (23.1 KiB)
- diff from 2.13.3-7ubuntu5.2 to 2.13.3-7ubuntu5.4 (pending)
| Deleted in noble-updates (Reason: superseded by release) |
| Superseded in noble-release |
| Deleted in noble-proposed (Reason: Moved to noble) |
apparmor (4.0.0~alpha4-0ubuntu1) noble; urgency=medium
[Georgia Garcia]
* New upstream release.
* Add unconfined profiles to support the use unprivileged user namespace
(LP: #2052297, LP: #2046844)
- d/p/u/add-keybase-unconfined-profile.patch
- d/p/u/add-more-unconfined-profiles.patch
* Fix regression tests failures on regex.sh, exec.sh and userns.sh
- d/p/u/tests-fix-usr-merge-failures-on-exec-and-regex-tests.patch
- d/p/u/tests-handle-unprivileged_userns-transition-in-usern.patch
* Drop patches which have now been applied upstream
- d/p/u/userns-unconfined-profiles.patch
- d/p/u/tests-fix-userns-setns-opening-pipe-order.patch
- d/p/u/tests-replace-individual-socket-permissions.patch
- d/p/u/tests-fix-test-specifying-path-on-attach-disconnected.patch
- d/p/u/binutils-aa_status.c-quiet-verbose-outputs-when-json.patch
- d/p/u/oot-unconfined-profiles.patch
* Refresh patches
- d/p/d/etc-writable.patch
- d/p/u/profiles-grant-access-to-systemd-resolved.patch
- d/p/u/userns-runtime-disable.patch
* d/apparmor.install
- install new profiles
- plasmashell
- surfshark
- unprivileged_userns
- keybase
- devhelp
- epiphany
- evolution
- opam
- renamed profiles
- ch-checkns
- ch-run
- crun
- flatpak
- linux-sandbox
- busybox
- buildah
- cam
- ipa_verify
- lc-compliance
- libcamerify
- qcam
- podman
- lxc-attach
- lxc-create
- lxc-destroy
- lxc-execute
- lxc-stop
- lxc-unshare
- lxc-usernsexec
- mmdebstrap
- vpnns
- QtWebEngineProcess
- systemd-coredump
- rootlesskit
- rpm
- runc
- virtiofsd
- sbuild
- sbuild-abort
- sbuild-adduser
- sbuild-apt
- sbuild-checkpackages
- sbuild-clean
- sbuild-createchroot
- sbuild-destroychroot
- sbuild-distupgrade
- sbuild-hold
- sbuild-shell
- sbuild-unhold
- sbuild-update
- sbuild-upgrade
- slirp4netns
- stress-ng
- thunderbird
- toybox
- trinity
- tup
- userbindmount
- uwsgi-core
- vdens
- chrome
- msedge
- brave
- vivaldi-bin
* d/apparmor.maintscript
- add renamed profiles so they are removed on upgrade
* d/libapache2-mod-apparmor.install
- remove etc/apparmor.d/local/usr.sbin.apache2, no longer needed
[John Johansen]
* debian/rules:
- don't run debian/put-all-profiles-in-complain-mode.sh on install
[Alex Murray]
* debian/apparmor.lintian-overrides:
- suppress false-positive warning about needing a Depends: on adduser
for the apparmor binary package
-- Georgia Garcia <email address hidden> Fri, 02 Feb 2024 16:12:21 -0300
Available diffs
apparmor (4.0.0~alpha2-0ubuntu8) noble; urgency=medium * Add unconfined userns profile for systemd-coredump -- Nick Rosbrook <email address hidden> Wed, 10 Jan 2024 09:55:51 -0500
Available diffs
apparmor (4.0.0~alpha2-0ubuntu7) noble; urgency=medium [Alex Murray] * Enable user namespace restrictions by default (LP: #2046477) - d/p/u/userns-runtime-disable.patch: add logic to disable user namespace restrictions if kernel lacks support - debian/usr/lib/sysctl.d/10-apparmor.conf: set sysctl value to 1 and update comment to match - debian/apparmor.service: run After systemd-sysctl.service [John Johansen] * Add additional AppArmor profiles to support third-party applications that use unprivileged user namespace - add d/p/u/oot-unconfined-profiles.patch - add profiles to debian/apparmor.install - /etc/apparmor.d/1password - /etc/apparmor.d/Discord - /etc/apparmor.d/MongoDB_Compass - /etc/apparmor.d/code - /etc/apparmor.d/firefox - /etc/apparmor.d/github-desktop - /etc/apparmor.d/obsidian - /etc/apparmor.d/opera - /etc/apparmor.d/polypane - /etc/apparmor.d/signal-desktop - /etc/apparmor.d/slack - /etc/apparmor.d/steam [Alex Murray] * Drop duplicate profiles for usr.share.code.bin.code and * usr.lib.multiarch.opera.opera since they are now also in d/p/u/oot-unconfined-profiles.patch - modified d/p/u/userns-unconfined-profiles.patch to remove them - removed from debian/apparmor.install - added to debian/apparmor.maintscript to ensure they are removed on upgrade -- John Johansen <email address hidden> Wed, 13 Dec 2023 20:38:45 -0800
Available diffs
apparmor (4.0.0~alpha2-0ubuntu6) noble; urgency=medium * No-change rebuild with Python 3.12 as supported version -- Graham Inggs <email address hidden> Tue, 31 Oct 2023 16:45:44 +0000
Available diffs
apparmor (2.13.3-7ubuntu5.3) focal; urgency=medium
* apparmor.preinst: recursively remove cache directories during a
upgrade. (LP: #2032851)
-- Georgia Garcia <email address hidden> Tue, 10 Oct 2023 09:20:12 -0300
Available diffs
- diff from 2.13.3-7ubuntu5.2 to 2.13.3-7ubuntu5.3 (552 bytes)
| Superseded in noble-release |
| Published in mantic-release |
| Deleted in mantic-proposed (Reason: Moved to mantic) |
apparmor (4.0.0~alpha2-0ubuntu5) mantic; urgency=medium
* Add additional AppArmor profiles to support third-party applications
that use unprivileged user namespace restrictions (LP: #2036698)
- Refreshed d/p/u/userns-unconfined-profiles.patch to add additional
profiles and added to debian/apparmor.install
- usr.share.code.bin.code
- opt.microsoft.msedge.msedge
- usr.lib.multiarch.opera.opera
- opt.brave.com.brave.brave
- opt.vivaldi.vivaldi-bin
* Clarify comment in sysctl.d conf file that this feature is not
enabled by default but can be overridden by the user if desired.
-- Alex Murray <email address hidden> Fri, 22 Sep 2023 16:50:22 +0930
Available diffs
apparmor (4.0.0~alpha2-0ubuntu4) mantic; urgency=medium * Remove conflicting profile for usr.bin.lxc-start (LP: #2036302) - d/p/u/userns-unconfined-profiles.patch: Don't ship a profile for usr.bin.lxc-start as this is already shipped in liblxc-common - debian/apparmor.install: Remove usr.bin.lxc-start profile -- Alex Murray <email address hidden> Mon, 18 Sep 2023 10:59:37 +0930
Available diffs
apparmor (4.0.0~alpha2-0ubuntu3) mantic; urgency=medium
* Add remaining AppArmor profiles to support unprivileged user
namespace restrictions (LP: #2035315)
- Refreshed d/p/u/userns-unconfined-profiles.patch to add remaining
profiles and added to debian/apparmor.install
- usr.libexec.multiarch.bazel.linux-sandbox
- usr.bin.busybox
- usr.bin.buildah
- usr.bin.cam
- usr.bin.ipa_verify
- usr.bin.lc-compliance
- usr.bin.libcamerify
- usr.bin.qcam
- usr.bin.podman
- usr.bin.lxc-attach
- usr.bin.lxc-create
- usr.bin.lxc-destroy
- usr.bin.lxc-execute
- usr.bin.lxc-start
- usr.bin.lxc-stop
- usr.bin.lxc-unshare
- usr.bin.lxc-usernsexec
- usr.bin.mmdebstrap
- usr.bin.vpnns
- usr.lib.qt6.libexec.QtWebEngineProcess
- usr.lib.multiarch.qt5.libexec.QtWebEngineProcess
- usr.bin.rootlesskit
- usr.bin.rpm
- usr.sbin.runc
- usr.libexec.virtiofsd
- usr.bin.sbuild
- usr.bin.sbuild-abort
- usr.bin.sbuild-apt
- usr.bin.sbuild-checkpackages
- usr.bin.sbuild-clean
- usr.bin.sbuild-createchroot
- usr.bin.sbuild-distupgrade
- usr.bin.sbuild-hold
- usr.bin.sbuild-shell
- usr.bin.sbuild-unhold
- usr.bin.sbuild-update
- usr.bin.sbuild-upgrade
- usr.sbin.sbuild-adduser
- usr.sbin.sbuild-destroychroot
- usr.bin.slirp4netns
- usr.bin.stress-ng
- usr.bin.thunderbird
- bin.toybox
- usr.bin.trinity
- usr.bin.tup
- usr.bin.userbindmount
- usr.bin.uwsgi-core
- usr.bin.vdens
- opt.google.chrome.chrome
-- Alex Murray <email address hidden> Thu, 14 Sep 2023 15:58:40 +0930
Available diffs
apparmor (4.0.0~alpha2-0ubuntu2) mantic; urgency=medium
* Fix invalid JSON output from aa-status --json via upstream patch
(LP: #2032994)
- d/p/u/binutils-aa_status.c-quiet-verbose-outputs-when-json.patch
-- Alex Murray <email address hidden> Fri, 25 Aug 2023 09:48:24 +0930
Available diffs
| Superseded in mantic-proposed |
apparmor (4.0.0~alpha2-0ubuntu1) mantic; urgency=medium
[ John Johansen ]
* New upstream release 4.0-alpha2
[ Alex Murray ]
* Infrastructure to enable AppArmor userns restrictions
(LP: #2030353, LP: #2032602)
- debian/usr/lib/sysctl.d/10-apparmor.conf: disable userns restrictions
for now until we have a complete set of profiles for the whole
Ubuntu archive
- debian/apparmor.install: ship sysctl.d file in the apparmor binary
package
- d/p/u/userns-unconfined.patch: add some additional profiles that
specify the userns permission with the unconfined flag for a currently
incomplete list of applications within the Ubuntu archive that use
unprivileged user namespaces
- usr.bin.ch-checkns
- usr.bin.ch-run
- usr.bin.crun
- usr.bin.flatpak
- debian/put-all-profiles-in-complain-mode.sh: don't put unconfined
profiles in complain mode
* Add patches from upstream to fix test failures
- d/p/u/tests-fix-userns-setns-opening-pipe-order.patch
- d/p/u/tests-replace-individual-socket-permissions.patch
- d/p/u/tests-fix-test-specifying-path-on-attach-disconnected.patch
* Add new symbols
Available diffs
apparmor (3.0.8-1ubuntu4) mantic; urgency=medium * Backport 4.0 ABI from upstream (LP: #2026227) - d/p/u/add-4.0-abi.patch -- Alex Murray <email address hidden> Thu, 06 Jul 2023 12:14:15 +0930
Available diffs
apparmor (2.12-4ubuntu5.3) bionic-security; urgency=medium
* debian/lib/apparmor/functions: remove support for loading snapd
generated profiles in /var/lib/snapd/apparmor/profiles as these are
handled by snapd.apparmor.service (LP: #2024637)
-- Alex Murray <email address hidden> Wed, 21 Jun 2023 09:21:13 +0930
Available diffs
- diff from 2.12-4ubuntu5.1 (in ~ubuntu-security/ubuntu/ppa) to 2.12-4ubuntu5.3 (988 bytes)
- diff from 2.12-4ubuntu5.2 to 2.12-4ubuntu5.3 (pending)
apparmor (2.10.95-0ubuntu2.12) xenial-security; urgency=medium
* debian/lib/apparmor/functions: remove support for loading snapd
generated profiles in /var/lib/snapd/apparmor/profiles as these are
handled by snapd.apparmor.service (LP: #2024637)
-- Alex Murray <email address hidden> Thu, 22 Jun 2023 16:58:05 +0930
Available diffs
apparmor (3.0.8-1ubuntu2.1) lunar; urgency=medium
* Update abstractions/snap-browsers to include lock permissions
(LP: #1794064)
- d/p/u/update-snap-browsers-permissions-lp1794064.patch
-- Georgia Garcia <email address hidden> Tue, 06 Jun 2023 08:49:17 -0300
Available diffs
apparmor (3.0.4-2ubuntu2.3) jammy; urgency=medium
* Add support for applications like evince opening browsers
distributed as snaps (LP: #1794064)
- d/p/u/add-snap-browsers-profile-lp1794064.patch: add
a snap-browsers abstraction profile to let applications like
evince spawn browsers distributed as snaps
- d/p/u/update-snap-browsers-permissions-lp1794064.patch: update
snap-browsers abstraction with missing permissions
-- Georgia Garcia <email address hidden> Mon, 05 Jun 2023 15:58:43 -0300
Available diffs
apparmor (3.0.8-1ubuntu3) mantic; urgency=medium
* Update abstractions/snap-browsers to include lock permissions
(LP: #1794064)
- d/p/u/update-snap-browsers-permissions-lp1794064.patch
-- Georgia Garcia <email address hidden> Tue, 06 Jun 2023 08:52:13 -0300
Available diffs
| Superseded in mantic-release |
| Published in lunar-release |
| Deleted in lunar-proposed (Reason: Moved to lunar) |
apparmor (3.0.8-1ubuntu2) lunar; urgency=medium * Rebuild to drop Python 3.10 extension -- Jeremy Bicha <email address hidden> Tue, 28 Feb 2023 17:18:12 -0500
Available diffs
- diff from 3.0.8-1ubuntu1 to 3.0.8-1ubuntu2 (328 bytes)
apparmor (3.0.8-1ubuntu1) lunar; urgency=medium
* Merge from Debian unstable; remaining changes:
- Enable Ubuntu specific patches:
- d/p/u/communitheme-snap-support.patch
- d/p/u/mimeinfo-snap-support.patch
- d/p/u/profiles-grant-access-to-systemd-resolved.patch
- d/p/u/enable-pinning-of-pre-AppArmor-3.x-poli.patch
- d/p/u/regression-tests-fix-aa_policy_cache-when-using-syst.patch
- d/p/u/samba-systemd-interaction.patch
- d/p/u/add-mqueue-support.patch
- d/p/u/add-userns-support.patch
- Disable Debian specific patches:
- d/p/d-o/pin-feature-set.patch
- d/p/d-o/aa-notify-point-to-Debian-documentation.patch
- d/p/d-o/Document-which-AppArmor-features-are-not-supported-on-Deb.patch
- d/{control,gbp.conf}:
- Update Vcs / git branch for ubuntu
- d/apparmor.install:
- Disable debian feature pinning
- d/rules:
- Create empty files of expected mqueue testcase err output added in
d/p/u/add-mqueue-support.patch since quilt does not support creating
new empty files
* Dropped Ubuntu specific changes which have now been applied upstream
- d/p/u/lp1990692-update-samba-profile.patch
- d/p/u/samba-rpcd-spoolss.patch
Available diffs
- diff from 3.0.7-1ubuntu4 to 3.0.8-1ubuntu1 (12.4 KiB)
| Obsolete in kinetic-proposed |
apparmor (3.0.7-1ubuntu2.1) kinetic; urgency=medium
* d/p/u/samba-rpcd-spoolss.patch: fix samba-rpcd-spoolss apparmor
profile (LP: #1993572)
-- Andreas Hasenack <email address hidden> Wed, 23 Nov 2022 14:55:15 -0300
Available diffs
- diff from 3.0.7-1ubuntu2 to 3.0.7-1ubuntu2.1 (937 bytes)
apparmor (3.0.7-1ubuntu4) lunar; urgency=medium
* d/p/u/samba-rpcd-spoolss.patch: fix samba-rpcd-spoolss apparmor
profile (LP: #1993572)
-- Andreas Hasenack <email address hidden> Wed, 23 Nov 2022 14:47:14 -0300
Available diffs
- diff from 3.0.7-1ubuntu2 to 3.0.7-1ubuntu4 (1004 bytes)
- diff from 3.0.7-1ubuntu3 to 3.0.7-1ubuntu4 (952 bytes)
| Superseded in lunar-proposed |
apparmor (3.0.7-1ubuntu3) lunar; urgency=medium * No-change rebuild with Python 3.11 as supported -- Graham Inggs <email address hidden> Wed, 02 Nov 2022 10:11:19 +0000
Available diffs
- diff from 3.0.7-1ubuntu2 to 3.0.7-1ubuntu3 (342 bytes)
apparmor (3.0.4-2ubuntu2.2) jammy; urgency=medium * Add mqueue patches. LP: #1993353 - u/mqueue1-parser-add-parser-support-for-message-queue-mediatio.patch: add parser support for mqueue mediation - u/mqueue2-tests-add-posix-message-queue-regression-tests.patch: add posix mqueue regression tests - u/mqueue3-utils-add-message-queue-rules-parsing-in-python-tool.patch: add support in python tools to parse mqueue rules - u/mqueue4-parser-add-parser-simple-tests-for-mqueue-rules.patch: add parser simple tests for mqueue - u/mqueue5-parser-Add-a-set-of-debug-flags-that-can-be-passed-t.patch: add debug flags that can be passed to the kernel - u/mqueue6-parser-Set-the-DEBUG1-flag-on-profiles-that-use-mque.patch: set DEBUG1 on mqueue rules - u/mqueue7-parser-place-perm-on-name-as-well-as-name-label-comb.patch: add permissions on name and also on name + label - u/mqueue8-libapparmor-add-support-for-requested-and-denied-on-.patch: add parsing support for "denied" and "requested" from audit logs - u/mqueue9-libapparmor-add-support-for-class-in-logparsing.patch: add parsing support for "class" from audit logs - u/mqueue10-utils-add-logparser-support-for-mqueue.patch: add logparser support for mqueue rules - u/mqueue11-tests-add-sysv-message-queue-regression-tests.patch: add sysv mqueue regression tests - debian/rules: create mqueue testcase empty files for libapparmor tests. * Closes LP: #1994146 -- Georgia Garcia <email address hidden> Wed, 19 Oct 2022 11:52:00 -0300
Available diffs
apparmor (2.13.3-7ubuntu5.2) focal; urgency=medium * Add capability upstream patches to fix LP: #1964636 - u/cap1-Generate-CAPABILITIES-in-a-script-due-to-make-4.3.patch: move code that generates a list of capabilities to a script in common/ - u/cap2-parser-Move-to-a-pre-generated-cap_names.h.patch: use a pre-generated list of capabilities so that all capabilities are supported even when building against older kernels. - u/cap3-parser-cleanup-capability_table-generation-by-droppi.patch: drop sys_log static declaration because it's already in the generated list. - u/cap4-parser-unify-capability-name-handling.patch: drop internal hardcoded capability table. - u/cap5-parser-Makefile-use-LC_ALL-C-when-invoking-sed.patch: use LC_ALL=C when invoking sed. - u/cap6-parser-Add-warning-to-capability_table-about-the-nee.patch: add warning to capability_table about the need to update the Makefile. - u/cap7-Add-CAP_BPF-and-CAP_PERFMON-to-severity.db.patch: add support for cap_bpf and cap_perfmon - u/cap8-parser-Makefile-fix-generated-cap-comparison-against.patch: fix generated cap comparison against known list * Add upstream patches for abi support. LP: #1728130 - u/abi1-parser-feature-abi-setup-parser-to-intersect-policy-.patch: add the ability to intersect parser and kernel features in the parser. - u/abi2-parser-add-basic-support-for-feature-abis.patch: add support to specify a feature abi. - u/abi3-pin-abi-2.13.patch: add and pin a policy abi for 2.13 - u/abi4-parser-fix-abi-rule-and-pinned-feature-file-interact.patch: fix abi rule and pinned feature file interaction - apparmor.install: add 2.13 abi file to be installed in /etc/apparmor.d/abi/ * Add mqueue patches. LP: #1993353 - u/mqueue1-parser-add-parser-support-for-message-queue-mediatio.patch: add parser support for mqueue mediation - u/mqueue2-tests-add-posix-message-queue-regression-tests.patch: add posix mqueue regression tests - u/mqueue3-utils-add-message-queue-rules-parsing-in-python-tool.patch: add support in python tools to parse mqueue rules - u/mqueue4-parser-add-parser-simple-tests-for-mqueue-rules.patch: add parser simple tests for mqueue - u/mqueue5-parser-place-perm-on-name-as-well-as-name-label-comb.patch: add permissions on name and also on name + label - u/mqueue6-libapparmor-add-support-for-requested-and-denied-on-.patch: add parsing support for "denied" and "requested" from audit logs - u/mqueue7-libapparmor-add-support-for-class-in-logparsing.patch: add parsing support for "class" from audit logs - u/mqueue8-utils-add-logparser-support-for-mqueue.patch: add logparser support for mqueue rules - u/mqueue9-tests-add-sysv-message-queue-regression-tests.patch: add sysv mqueue regression tests - u/mqueue10-parser-enable-mqueue-rules-when-abi-is-not-set.patch: override pinned features for mqueue rules when abi is not set in policy. - debian/rules: create mqueue testcase empty files for libapparmor tests. * Closes LP: #1994146 -- Georgia Garcia <email address hidden> Mon, 10 Oct 2022 17:52:45 -0300
Available diffs
| Superseded in lunar-release |
| Obsolete in kinetic-release |
| Deleted in kinetic-proposed (Reason: Moved to kinetic) |
apparmor (3.0.7-1ubuntu2) kinetic; urgency=medium
* ubuntu/add-mqueue-support.patch: add message queue IPC support to
parser, python tools, and regression tests.
* ubuntu/add-userns-support.patch: add user namespace support to
parser.
* ubuntu/lp1990692-update-samba-profile.patch: update samba policy to
enable the printing subsystem to work (LP: #1990692)
-- Georgia Garcia <email address hidden> Fri, 23 Sep 2022 18:21:44 -0300
Available diffs
- diff from 3.0.7-1ubuntu1 to 3.0.7-1ubuntu2 (33.0 KiB)
apparmor (3.0.7-1ubuntu1) kinetic; urgency=medium
* Merge from Debian unstable; remaining changes:
- Enable Ubuntu specific patches:
- d/p/u/communitheme-snap-support.patch
- d/p/u/mimeinfo-snap-support.patch
- d/p/u/profiles-grant-access-to-systemd-resolved.patch
- d/p/u/enable-pinning-of-pre-AppArmor-3.x-poli.patch
- Add additional Ubuntu specific patches:
- d/p/u/regression-tests-fix-aa_policy_cache-when-using-syst.patch
- d/p/u/samba-systemd-interaction.patch
- Disable Debian specific patches:
- d/p/d-o/pin-feature-set.patch
- d/p/d-o/aa-notify-point-to-Debian-documentation.patch
- d/p/d-o/Document-which-AppArmor-features-are-not-supported-on-Deb.patch
- d/{control,gbp.conf}:
- Update Vcs / git branch for ubuntu
- d/apparmor.install:
- Disable debian feature pinning
* Dropped Ubuntu specific changes which have now been applied upstream
- d/p/u/abstraction-exo-open-Remove-dbus-deny-rule.patch
Available diffs
- diff from 3.0.4-3ubuntu1 to 3.0.7-1ubuntu1 (390.5 KiB)
apparmor (3.0.4-3ubuntu1) kinetic; urgency=medium
* Merge from Debian unstable; remaining changes:
- Ubuntu specific changes:
- d/p/u/communitheme-snap-support.patch
- d/p/u/mimeinfo-snap-support.patch
- d/p/u/profiles-grant-access-to-systemd-resolved.patch
- d/p/u/enable-pinning-of-pre-AppArmor-3.x-poli.patch
- d/p/u/regression-tests-fix-aa_policy_cache-when-using-syst.patch
- d/p/u/samba-systemd-interaction.patch
- d/p/u/abstraction-exo-open-Remove-dbus-deny-rule.patch
- d/{control,gbp.conf}:
- Update Vcs / git branch for ubuntu
- d/apparmor.install:
- Disable debian feature pinning
- d/rules:
- Disable lto builds
* Dropped Ubuntu specific changes which have now been added by Debian:
- d/p/u/abstractions-nss-systemd-Allow-access-for-systemd-ma.patch
* Drop unnecessary libnss-systemd patch as this is already present in
the nss-systemd abstraction
- d/p/u/libnss-systemd.patch
Available diffs
apparmor (3.0.4-2ubuntu2.1) jammy; urgency=medium
* Add upstream commit to remove dbus deny rule from exo-open abstraction
to fix evince startup (LP: #1969896)
- d/p/u/abstraction-exo-open-Remove-dbus-deny-rule.patch
-- Alex Murray <email address hidden> Tue, 21 Jun 2022 14:16:01 +0930
Available diffs
apparmor (3.0.4-2ubuntu3) kinetic; urgency=medium
* Add upstream commit to remove dbus deny rule from exo-open abstraction
to fix evince startup
(LP: #1969896)
- d/p/u/abstraction-exo-open-Remove-dbus-deny-rule.patch
-- Alex Murray <email address hidden> Fri, 17 Jun 2022 20:34:25 +0930
Available diffs
| Superseded in kinetic-release |
| Published in jammy-release |
| Deleted in jammy-proposed (Reason: Moved to jammy) |
apparmor (3.0.4-2ubuntu2) jammy; urgency=medium
* Update abstractions/nss-systemd to add support for systemd-machined
(LP: #1964325)
- d/p/u/ubuntu/abstractions-nss-systemd-Allow-access-for-systemd-ma.patch
* Drop unnecessary libnss-systemd patch as this is already present in
the nss-systemd abstraction
- d/p/u/libnss-systemd.patch (dropped)
-- Alex Murray <email address hidden> Thu, 10 Mar 2022 12:05:06 +1030
Available diffs
apparmor (3.0.4-2ubuntu1) jammy; urgency=medium
* Merge from Debian unstable; remaining changes:
- Ubuntu specific changes:
- d/p/u/communitheme-snap-support.patch
- d/p/u/enable-pinning-of-pre-AppArmor-3.x-poli.patch
- d/p/u/libnss-systemd.patch
- d/p/u/mimeinfo-snap-support.patch
- d/p/u/profiles-grant-access-to-systemd-resolved.patch
- d/p/u/regression-tests-fix-aa_policy_cache-when-using-syst.patch
- d/p/u/samba-systemd-interaction.patch
- d/{control,gbp.conf}:
- Update Vcs / git branch for ubuntu
- d/apparmor.install:
- Disable debian feature pinning
- d/rules:
- Disable lto builds
* Dropped changes:
- d/p/ubuntu/fix-test-aa-notify.patch
Available diffs
apparmor (3.0.4-1ubuntu1) jammy; urgency=medium
* Merge from Debian unstable; remaining changes:
- Drop the following patches that have been included in the upstream
release or which Debian has also included:
- d/p/ubuntu/adjust-for-ibus-1.5.22.patch
- d/p/ubuntu/0011-add-mctp-network-protocol.patch
- Refresh
d/p/regression-tests-fix-aa_policy_cache-when-using-syst.patch to the
official version from upstream
- d/p/u/samba-systemd-interaction.patch: allow smbd to interact with
systemd
- d/p/u/libnss-systemd.patch: allow accessing the libnss-systemd
VarLink sockets and DBus APIs
- Disable lto builds
- Fix autotest test-aa-notify.py
- d/p/ubuntu/fix-test-aa-notify.patch
- Drop outdated lintian-overrides
Available diffs
| Superseded in jammy-proposed |
apparmor (3.0.3-0ubuntu9) jammy; urgency=medium * fix test-aa-notify.py and test-network.py autotests (LP: #1961196): - debian/patches/ubuntu/0010-fix-test-aa-notify-help-check.patch - debian/patches/ubuntu/0011-add-mctp-network-protocol.patch -- Andrea Righi <email address hidden> Thu, 17 Feb 2022 12:18:31 +0000
Available diffs
| Superseded in jammy-proposed |
apparmor (3.0.3-0ubuntu8) jammy; urgency=medium * fix test-aa-notify.py and test-network.py autotests (LP: #1961196): - debian/patches/ubuntu/0010-fix-test-aa-notify-help-check.patch - debian/patches/ubuntu/0011-add-mctp-network-protocol.patch -- Andrea Righi <email address hidden> Thu, 17 Feb 2022 12:18:31 +0000
Available diffs
| Superseded in jammy-proposed |
apparmor (3.0.3-0ubuntu7) jammy; urgency=medium * No-change rebuild to update maintainer scripts, see LP: 1959054 -- Dave Jones <email address hidden> Wed, 16 Feb 2022 16:44:45 +0000
Available diffs
- diff from 3.0.3-0ubuntu6 to 3.0.3-0ubuntu7 (327 bytes)
| Superseded in jammy-proposed |
apparmor (3.0.3-0ubuntu6) jammy; urgency=medium * No-change rebuild for the perl update. -- Matthias Klose <email address hidden> Sun, 06 Feb 2022 13:39:44 +0100
Available diffs
- diff from 3.0.3-0ubuntu5 to 3.0.3-0ubuntu6 (310 bytes)
apparmor (3.0.3-0ubuntu5) jammy; urgency=medium
[ intrigeri ]
* upstream-6cfc6eee-python-3.10.patch: new patch,
for compatibility with Python 3.10
* debian/rules: let "set -e" take effect (Closes: #998843)
* Add support for Python 3.10 (Closes: #998686):
- upstream-ab4cfb5e-replace-distutils-with-setuptools.patch: new patch,
edited to drop changes to upstream .gitignore.
- Add build-dependency on python3-setuptools
-- Graham Inggs <email address hidden> Fri, 10 Dec 2021 12:32:27 +0000
Available diffs
apparmor (3.0.3-0ubuntu4) jammy; urgency=medium
* d/p/u/samba-systemd-interaction.patch: allow smbd to interact with
systemd (LP: #1952242):
- allow notify access
- allow specific /proc access
- allow ptrace read
-- Andreas Hasenack <email address hidden> Mon, 29 Nov 2021 14:43:28 +0000
Available diffs
apparmor (3.0.3-0ubuntu3) jammy; urgency=medium * No-change rebuild with fixed py3versions -- Graham Inggs <email address hidden> Sat, 06 Nov 2021 08:23:55 +0000
Available diffs
- diff from 3.0.3-0ubuntu2 to 3.0.3-0ubuntu3 (310 bytes)
apparmor (3.0.3-0ubuntu2) jammy; urgency=medium * No-change rebuild to add python3.10. -- Matthias Klose <email address hidden> Sat, 16 Oct 2021 09:34:02 +0200
Available diffs
| Superseded in jammy-release |
| Obsolete in impish-release |
| Deleted in impish-proposed (Reason: Moved to impish) |
apparmor (3.0.3-0ubuntu1) impish; urgency=medium
* New upstream release 3.0.3
- Fix regression tests when using system installed parser
+ d/p/ubuntu/regression-tests-fix-aa_policy_cache-when-using-syst.patch
- Drop the following patches that have been included in the upstream
release:
+ d/p/ubuntu/lp1891338.patch
+ d/p/ubuntu/lp1889699.patch
+ d/p/ubuntu/lp1881357.patch
+ d/p/ubuntu/parser-Fix-warning-message-when-complain-mode-is-for.patch
+ d/p/ubuntu/parser-Add-support-for-cap-checkpoint-restore.patch
+ d/p/ubuntu/Add-CAP_CHECKPOINT_RESTORE-to-severity.db.patch
+ d/p/ubuntu/lp1934005.patch
+ d/p/ubuntu/lp1932331.patch
-- Alex Murray <email address hidden> Mon, 09 Aug 2021 15:53:39 +0930
Available diffs
apparmor (3.0.0-0ubuntu7.1) hirsute; urgency=medium * Make X11 socket writable again (LP: #1934005): - d/p/ubuntu/lp1934005.patch * Fix i18n.sh regression test on arm64 (LP: #1932331): - d/p/ubuntu/lp1932331.patc Thanks to Georgia Garcia for the patch. -- Thomas Ward <email address hidden> Wed, 30 Jun 2021 17:42:41 -0400
Available diffs
apparmor (3.0.0-0ubuntu8) impish; urgency=medium [ Andrea Righi ] * add support for CAP_CHECKPOINT_RESTORE in /etc/apparmor/severity.db (LP: #1923432): - d/p/ubuntu/Add-CAP_CHECKPOINT_RESTORE-to-severity.db.patch [ Steve Beattie ] * fix adt compile-test to handle the changed name of the tcpdump apparmor profile (LP: #1925411) - d/t/compile-test: test against usr.bin.tcpdump -- Andrea Righi <email address hidden> Mon, 12 Apr 2021 15:51:45 +0000
Available diffs
| Superseded in impish-release |
| Obsolete in hirsute-release |
| Deleted in hirsute-proposed (Reason: Moved to hirsute) |
apparmor (3.0.0-0ubuntu7) hirsute; urgency=medium * Disable lto builds, not yet ready upstream. -- Matthias Klose <email address hidden> Tue, 23 Mar 2021 12:42:52 +0100
Available diffs
- diff from 3.0.0-0ubuntu6 to 3.0.0-0ubuntu7 (530 bytes)
apparmor (3.0.0-0ubuntu6) hirsute; urgency=medium
* Backport upstream patch to support CAP_CHECKPOINT_RESTORE to fix
failing autopkgtests
- d/p/ubuntu/parser-Add-support-for-cap-checkpoint-restore.patch
-- Alex Murray <email address hidden> Wed, 24 Feb 2021 21:33:07 +1030
Available diffs
apparmor (3.0.0-0ubuntu5) hirsute; urgency=medium * No-change rebuild to drop python3.8 extensions. -- Matthias Klose <email address hidden> Mon, 07 Dec 2020 18:39:21 +0100
Available diffs
- diff from 3.0.0-0ubuntu4 to 3.0.0-0ubuntu5 (352 bytes)
apparmor (3.0.0-0ubuntu4) hirsute; urgency=medium * Remove kopanocore dependencies from the testsuite-triggers, to be removed. -- Matthias Klose <email address hidden> Wed, 11 Nov 2020 12:32:09 +0100
Available diffs
- diff from 3.0.0-0ubuntu2 to 3.0.0-0ubuntu4 (699 bytes)
- diff from 3.0.0-0ubuntu3 to 3.0.0-0ubuntu4 (653 bytes)
| Superseded in hirsute-proposed |
apparmor (3.0.0-0ubuntu3) hirsute; urgency=medium * No-change rebuild for the perl update. -- Matthias Klose <email address hidden> Mon, 09 Nov 2020 12:40:54 +0100
Available diffs
- diff from 3.0.0-0ubuntu2 to 3.0.0-0ubuntu3 (321 bytes)
apparmor (3.0.0-0ubuntu2) hirsute; urgency=medium * No-change rebuild to build with python3.9 as supported. -- Matthias Klose <email address hidden> Sat, 24 Oct 2020 10:51:45 +0200
Available diffs
- diff from 3.0.0-0ubuntu1 to 3.0.0-0ubuntu2 (326 bytes)
| Superseded in hirsute-release |
| Obsolete in groovy-release |
| Deleted in groovy-proposed (Reason: moved to Release) |
apparmor (3.0.0-0ubuntu1) groovy; urgency=medium
[ Alex Murray ]
* Update to the final AppArmor 3.0 upstream release
- d/apparmor.install:
+ install new aa-features-abi binary to /usr/bin
- d/apparmor.manpages:
+ install new aa-features-abi.1 man page
- d/apparmor-profiles.install:
+ install new usr.lib.dovecot.script-login
+ adjust for renamed postfix profiles
- d/tests/test-installed:
+ include libraries/ in workdir so tests have access to private
headers
- Drop the following patches that were originally backported from
upstream but are now incorporated in the final release:
+ d/p/parser-fix_cap_match.patch
+ d/p/policy-provide-example-and-base-abi-to-pin-pre-3.0-p.patch
+ d/p/parser-add-abi-warning-flags.patch
+ d/p/fix-tests-regression-apparmor-prologue-inc-settest.patch
+ d/p/fix-automatic-adding-of-rule-for-change-hat-iface.patch
+ d/p/fix-parser-to-emit-proc-attr-access-for-all-situations.patch
+ d/p/fix-change-profile-stack-abstraction.patch
+ d/p/ubuntu/stop-loading-snapd-profiles.patch
[ Emilia Torino ]
* d/control: adjust apparmor-notify to depends on python3-psutil and
python3-apparmor (LP: #1899046)
[ Steve Beattie ]
* d/p/u/parser-Fix-warning-message-when-complain-mode-is-for.patch:
Provide better message about caching not happening due to a profile
being in force-complain mode. (LP: #1899218)
-- Alex Murray <email address hidden> Sun, 11 Oct 2020 16:26:32 -0700
Available diffs
apparmor (3.0.0~beta1-0ubuntu6) groovy; urgency=medium
* Drop d/p/lp1824812.patch: this patch was only needed with 2.13 and not
3.0. With AppArmor 3, the patch ends up setting SFS_MOUNTPOINT to the
wrong directory in is_container_with_internal_policy(), which causes
policy to always fail to load in containers. Thanks to Christian Ehrhardt
for the analysis. (LP: #1895967)
Available diffs
| Superseded in groovy-proposed |
apparmor (3.0.0~beta1-0ubuntu5) groovy; urgency=medium
[ John Johansen ]
* d/p/fix-parser-to-emit-proc-attr-access-for-all-situations.patch:
fix-automatic-adding-of-rule-for-change-hat-iface.patch fixed the
parser to emit rules needed for change_hat in the hat profiles but
broke the rule being emitted for the parent profile, this fixes it for
both so that it is emitted for any profile that is a hat or that
contains a hat.
* d/p/fix-change-profile-stack-abstraction.patch: fix the change_profile
abstraction so that it allows access to the apparmor attribute paths
under LSM stacking.
Available diffs
| Deleted in groovy-proposed (Reason: copied without FFe approval (talk to jdstrand)) |
apparmor (3.0.0~beta1-0ubuntu4) groovy; urgency=medium [ Jamie Strandboge ] * no change rebuild for FFe approval (LP: #1895060)
Available diffs
| Deleted in groovy-proposed (Reason: copied without FFe approval (talk to jdstrand)) |
apparmor (3.0.0~beta1-0ubuntu3) groovy; urgency=medium
[ John Johansen ]
* d/p/fix-parser-to-emit-proc-attr-access-for-all-situations.patch:
fix-automatic-adding-of-rule-for-change-hat-iface.patch fixed the
parser to emit rules needed for change_hat in the hat profiles but
broke the rule being emitted for the parent profile, this fixes it for
both so that it is emitted for any profile that is a hat or that
contains a hat.
* d/p/fix-change-profile-stack-abstraction.patch: fix the change_profile
abstraction so that it allows access to the apparmor attribute paths
under LSM stacking.
Available diffs
| Deleted in groovy-proposed (Reason: copied without FFe approval (talk to jdstrand)) |
apparmor (3.0.0~beta1-0ubuntu1) groovy; urgency=medium [ John Johansen ] * New upstream release (LP: #1895060, LP: #1887577, LP: #1880841) * Drop all patches backported from upstream: applied in 3.0 * d/p/policy-provide-example-and-base-abi-to-pin-pre-3.0-p.patch: provide example and base abi to pin pre 3.0 policy * d/p/ubuntu/enable-pinning-of-pre-AppArmor-3.x-poli.patch: enable pinning of pre AppArmor 3.x policy * drop d/p/debian/dont-include-site-local-with-dovecot.patch: no longer needed with upstream 'include if exists' [ Steve Beattie ] * d/p/parser-fix_cap_match.patch: fix cap match to work correctly, important now that groovy has a 5.8 kernel. * d/apparmor-profiles.install: + adjust for renamed postfix profiles + add usr.bin.dumpcap and usr.bin.mlmmj-receive to extra-profiles + remove usr.sbin.nmbd and usr.sbin.smbd from extra-profiles (already in apparmor-profiles) * d/apparmor.install: include abi/ directory and tunables/etc. * d/apparmor.manpages: add apparmor_xattrs.7 manpage * d/control: + apparmor-utils: no more shipped perl tools, drop perl dependency + apparmor-notify: aa-notify was converted to python3 from perl; adjust -notify dependencies to compensate * d/p/fix-tests-regression-apparmor-prologue-inc-settest.patch: fix sed expression in settest() [ Emilia Torino ] * Removing Ubuntu specific chromium-browser profile. This is safe to do since groovy's chromium-browser deb installs the snap. If apparmor3 is backported to 18.04 or earlier, the profile will need to be taken into consideration - d/profiles/chromium-browser: remove chromium-browser profile - d/apparmor-profiles.postinst: remove postinst script as it only contains chromium-browser related functionallity. - d/apparmor-profiles.postrm: remove postrm script as it only contains chromium-browser related functionallity. - d/apparmor-profiles.install: remove ubuntu-specific chromium-browser abstraction and profile - d/apparmor-profiles.lintian-overrides: remove chromium-browser profile lintian overrides - d/p/ubuntu/add-chromium-browser.patch: remove patch which added chrome-browser [ Alex Murray ] * d/p/policy-provide-example-and-base-abi-to-pin-pre-3.0-p.patch: refresh this patch with the official upstream version * d/p/ubuntu/enable-pinning-of-pre-AppArmor-3.x-poli.patch: refresh this patch to match the above * d/p/parser-add-abi-warning-flags.patch: enable parser warnings to be silenced or to be treated as errors [ Jamie Strandboge ] * d/p/adjust-for-ibus-1.5.22.patch: update ibus abstract path for ibus 1.5.22. This can be dropped with AppArmor 3.0 final. * d/p/parser-add-abi-warning-flags.patch: refresh to avoid lintian warnings * d/p/ubuntu/lp1891338.patch: adjust ubuntu-integration to use abstractions/exo-open (LP: #1891338) * d/p/ubuntu/lp1889699.patch: adjust to support brave in ubuntu abstractions. Patch thanks to François Marier (LP: #1889699) * d/p/ubuntu/lp1881357.patch: adjust for new ICEauthority path in /run (LP: #1881357) -- Jamie Strandboge <email address hidden> Wed, 09 Sep 2020 21:48:17 +0000
Available diffs
apparmor (2.13.3-7ubuntu5.1) focal-proposed; urgency=medium
* upstream-lp1872564.patch: adjust nameservice abstraction for nss-systemd
- LP: #1872564
-- Jamie Strandboge <email address hidden> Tue, 19 May 2020 16:59:49 +0000
Available diffs
- diff from 2.13.3-7ubuntu5 to 2.13.3-7ubuntu5.1 (949 bytes)
apparmor (2.13.3-7ubuntu6) groovy; urgency=medium * Add missing "boot_id" rule to abstractions/nameservice. (LP: #1872564) - d/p/upstream-commit-454fca7-Add-run-variable.patch: Add the definition for the "@{run}" variable. - d/p/upstream-commit-ef591a67-Add-trailing-slash-to-the-run-variable-definition.patch: Add trailing slash to the "@{run}" variable. - d/p/upstream-commit-1f319c3870-abstractions-nameservice-allow-accessing-run-systemd-user.patch: Add a missing rule to allow systemd to access @{PROC}/sys/kernel/random/boot_id and @{run}/systemd/userdb. - d/apparmor.install: Install new file 'tunables/run' under '/etc/apparmor.d'. -- Sergio Durigan Junior <email address hidden> Mon, 11 May 2020 09:55:16 -0400
Available diffs
| Superseded in groovy-release |
| Published in focal-release |
| Deleted in focal-proposed (Reason: moved to Release) |
apparmor (2.13.3-7ubuntu5) focal; urgency=medium
* snapd 2.44.3+20.04 introduced an apparmor unit of its own to load snap
policy in /var/lib/snapd/apparmor/profiles. As such, don't load snapd
policy twice by not loading it in the apparmor unit (LP: 1871148)
- ubuntu/stop-loading-snapd-profiles.patch: stop loading snapd profiles
- debian/control: add Breaks on snapd < 2.44.3+20.04~ since prior snapd
versions assume that apparmor will load the snapd policy on boot
- debian/apparmor.service: remove the now unneeded RequiresMountsFor on
/var/lib/snapd/apparmor/profiles
* drop ubuntu/parser-conf-no-expr-simplify.patch: Optimize=no-expr-simplify
was added to parser.conf to mitigate slow snap policy compiles on 32bit
ARM. These days, snapd calls apparmor_parser with "-O no-expr-simplify"
and loads its snap policy, so drop this delta with upstream and Debian.
-- Jamie Strandboge <email address hidden> Sun, 12 Apr 2020 16:11:31 +0000
Available diffs
apparmor (2.13.3-7ubuntu4) focal; urgency=medium
* debian/apparmor.service: add /var/lib/snapd/apparmor/profiles to
RequiresMountsFor since Ubuntu's rc.apparmor.functions looks for it
(LP: #1871148)
* libnss-systemd.patch: allow accessing the libnss-systemd VarLink sockets
and DBus APIs. Patch partially based on work by Simon Deziel.
(LP: #1796911, LP: #1869024)
* upstream-mr-424-kerberos-dot-dirs.patch: abstractions/kerberosclient:
allow reading /etc/krb5.conf.d/
* upstream-mr-442-gnome-user-themes.patch: gnome abstraction: allow reading
per-user themes from $XDG_DATA_HOME (Closes: #930031)
* upstream-mr-443-ecryptfs-dirs.patch: abstractions/base: allow read access
to top-level ecryptfs directories (LP: #1848919)
* upstream-mr-445-uuidd-request.patch: abstractions/base: allow read access
to /run/uuidd/request
* upstream-mr-464-Mesa_i915_perf_interface.patch: let Mesa check if the
kernel supports the i915 perf interface. Patch from Debian
-- Jamie Strandboge <email address hidden> Mon, 06 Apr 2020 17:47:20 +0000
Available diffs
apparmor (2.13.3-7ubuntu3) focal; urgency=medium
* Add upstream-abstractions-add-etc-mdns.allow-to-etc-apparmor.d-ab.patch
(LP: #1869629)
-- John Johansen <email address hidden> Wed, 01 Apr 2020 01:05:30 -0700
Available diffs
apparmor (2.13.3-7ubuntu2) focal; urgency=medium * No-change rebuild to drop python3.7. -- Matthias Klose <email address hidden> Tue, 18 Feb 2020 10:42:36 +0100
Available diffs
- diff from 2.13.3-7ubuntu1 to 2.13.3-7ubuntu2 (327 bytes)
apparmor (2.13.3-7ubuntu1) focal; urgency=medium
* Merge from Debian. Remaining changes:
- Ubuntu-specific patches:
+ ubuntu/add-chromium-browser.patch
+ ubuntu/communitheme-snap-support.patch
+ ubuntu/mimeinfo-snap-support.patch
+ ubuntu/parser-conf-no-expr-simplify.patch
+ ubuntu/profiles-grant-access-to-systemd-resolved.patch
+ upstream-dont-allow-fontconfig-cache-write.patch
+ upstream-tests-mult-mount-bump-size-of-created-disk.patch
- debian/apparmor.{install,maintscript}: feature pinning is not used in
Ubuntu
- debian/apparmor.preinst: remove cache files on upgrade to 2.13
- debian/apparmor-profiles.install: install Ubuntu chromium-browser
profile and abstraction
- debian/apparmor-profiles.lintian-overrides: update for chromium-browser
profile having read access to dpkg database for lsb-release
- debian/apparmor-profiles.postinst: ubuntu-browsers.d/chromium-browser
abstraction if it doesn't exist
- debian/control: adjust the Vcs-{Browser,Git} control fields to reflect
the branch where the Ubuntu packaging is maintained.
- debian/gbp.conf: use ubuntu/master as the debian-branch
- debian/patches/series: comment out debian-only patches
- debian/tests/control and debian/tests/compile-policy: don't test
thunderbird since the Ubuntu packaging doesn't ship a profile
* Drop the following patches, no longer needed:
- python3.8-ac.diff
* debian/control: drop Breaks on media-hub, mediascanner2.0, messaging-app,
and webbrowser-app which was needed for upgrades to bionic (LP: #1797242)
* upstream-adjust-for-ibus-1.5.22.patch: update ibus abstract path for ibus
1.5.22
* upstream-adjust-gnome-for-mimeapps.patch: abstractions/gnome: also allow
/etc/xdg/mimeapps.list (LP: #1792027)
Available diffs
apparmor (2.13.3-5ubuntu5) focal; urgency=medium * Don't ignore exit status in debian/rules. * Fix a Python 3.8 autoconf check. -- Matthias Klose <email address hidden> Sun, 27 Oct 2019 16:38:00 +0200
Available diffs
- diff from 2.13.3-5ubuntu2 to 2.13.3-5ubuntu5 (1.6 KiB)
- diff from 2.13.3-5ubuntu4 to 2.13.3-5ubuntu5 (659 bytes)
| Superseded in focal-proposed |
apparmor (2.13.3-5ubuntu4) focal; urgency=medium * Don't ignore exit status in debian/rules. * Fix a Python 3.8 autoconf check. -- Matthias Klose <email address hidden> Sun, 27 Oct 2019 16:38:00 +0200
Available diffs
- diff from 2.13.3-5ubuntu3 to 2.13.3-5ubuntu4 (523 bytes)
| Superseded in focal-proposed |
apparmor (2.13.3-5ubuntu3) focal; urgency=medium * Don't ignore exit status in debian/rules. * Fix a Python 3.8 autoconf check. -- Matthias Klose <email address hidden> Sun, 27 Oct 2019 16:38:00 +0200
Available diffs
apparmor (2.13.3-5ubuntu2) focal; urgency=medium * No-change rebuild for the perl update. -- Matthias Klose <email address hidden> Fri, 18 Oct 2019 19:26:58 +0000
Available diffs
- diff from 2.13.3-5ubuntu1 to 2.13.3-5ubuntu2 (337 bytes)
| Superseded in focal-release |
| Obsolete in eoan-release |
| Deleted in eoan-proposed (Reason: moved to release) |
apparmor (2.13.3-5ubuntu1) eoan; urgency=medium
* Merge new upstream release from Debian. Remaining changes:
- Ubuntu-specific patches:
+ ubuntu/add-chromium-browser.patch
+ ubuntu/communitheme-snap-support.patch
+ ubuntu/mimeinfo-snap-support.patch
+ ubuntu/parser-conf-no-expr-simplify.patch
+ ubuntu/profiles-grant-access-to-systemd-resolved.patch
- debian/apparmor.{install,maintscript}: feature pinning is not used in
Ubuntu
- debian/apparmor.preinst: remove cache files on upgrade to 2.13
- debian/apparmor-profiles.install: install Ubuntu chromium-browser
profile and abstraction
- debian/apparmor-profiles.lintian-overrides: update for chromium-browser
profile having read access to dpkg database for lsb-release
- debian/apparmor-profiles.postinst: ubuntu-browsers.d/chromium-browser
abstraction if it doesn't exist
- debian/control: adjust the Vcs-{Browser,Git} control fields to reflect
the branch where the Ubuntu packaging is maintained.
- debian/gbp.conf: use ubuntu/master as the debian-branch
- debian/patches/series: comment out debian-only patches
- debian/tests/control and debian/tests/compile-policy: don't test
thunderbird since the Ubuntu packaging doesn't ship a profile
* Drop the following patches, no longer needed:
- ubuntu/dont-include-site-local-with-dovecot.patch
- lp1820068.patch
- upstream-commit-fix-segfault-in-overlaydirat_for_each.patch
- upstream-commit-add-option-to-dump-policy-cache-with-libapparmor.patch
- upstream-commit-teach-aa_policy_cache_sh-about-the-new-cache.patch
- upstream-commit-fix-segfault-when-loading-policy-cache-files.patch
- upstream-commit-fix-variable-name-overlap-in-merge-macro.patch
* upstream-dont-allow-fontconfig-cache-write.patch: don't allow write of
fontconfig cache files
* upstream-tests-mult-mount-bump-size-of-created-disk.patch: regression
tests/mult_mount: bump size of created disk image
Available diffs
- diff from 2.13.2-9ubuntu7 to 2.13.3-5ubuntu1 (158.7 KiB)
apparmor (2.13.2-9ubuntu6.1) disco-proposed; urgency=medium * lp1820068.patch: don't skip read cache when options are set (LP: #1820068) * reenable ubuntu/parser-conf-no-expr-simplify.patch -- Jamie Strandboge <email address hidden> Thu, 06 Jun 2019 21:04:34 +0000
Available diffs
apparmor (2.13.2-9ubuntu7) eoan; urgency=medium * lp1820068.patch: don't skip read cache when options are set (LP: #1820068) * reenable ubuntu/parser-conf-no-expr-simplify.patch -- Jamie Strandboge <email address hidden> Thu, 06 Jun 2019 21:46:34 +0000
Available diffs
apparmor (2.10.95-0ubuntu2.11) xenial-security; urgency=medium
* Make dnsmasq profile and Python utility changes necessary to continue
working correctly after the Linux kernel change to address CVE-2019-11190.
Without these changes, some profile transitions may be unintentionally
denied. (LP: #1830802)
- 0001-dnsmasq-allow-libvirt_leaseshelper-m-permission-on-i.patch
- 0001-handle_children-automatically-add-m-permissions-on-i.patch
-- Tyler Hicks <email address hidden> Tue, 28 May 2019 21:33:21 +0000
Available diffs
| 1 → 75 of 397 results | First • Previous • Next • Last |
