Change logs for apparmor source package in Bionic

  • apparmor (2.12-4ubuntu5.3) bionic-security; urgency=medium
    
      * debian/lib/apparmor/functions: remove support for loading snapd
        generated profiles in /var/lib/snapd/apparmor/profiles as these are
        handled by snapd.apparmor.service (LP: #2024637)
    
     -- Alex Murray <email address hidden>  Wed, 21 Jun 2023 09:21:13 +0930
  • apparmor (2.12-4ubuntu5.1) bionic-security; urgency=medium
    
      * lp1788929+1794848.patch:
        - disallow writes to thumbnailer dir (LP: #1788929)
        - disallow access to the dirs of private files (LP: #1794848)
    
     -- Jamie Strandboge <email address hidden>  Thu, 27 Sep 2018 18:20:54 +0000
  • apparmor (2.12-4ubuntu5) bionic; urgency=medium
    
      [ Didier Roche ]
      * debian/patches/ubuntu/communitheme-snap-support.patch:
        - support communitheme snap (LP: #1762983)
    
      [ Jamie Strandboge ]
      * debian/patches/ubuntu/add-chromium-browser.patch: adjust for newer
        chromium (LP: #1101298, LP: #1594589, LP: #1647142)
        - add attach_disconnected
        - allow reading /proc/vmstat
        - don't require owner match for /proc/pid/{stat,status} and task
          counterparts
        - adjust pci[0-9] to be pci[0-9a-f]
        - allow reading all uevents and /sys/devices/virtual/tty/tty0/active
        - allow ptracing xdgsettings and lsb-release
        - xdgsettings uses head and tr and looks at /usr/share/ubuntu/applications/
        - lsb-release uses python 3.6 and looks at apport, apt.conf, dpkg and
          distro-info
        - use 'm' on sandbox
      * debian/patches/ubuntu/mimeinfo-snap-support.patch: allow reading
        /var/lib/snapd/desktop/applications *.desktop and mimeinfo.cache
        (LP: #1712039)
    
     -- Jamie Strandboge <email address hidden>  Tue, 17 Apr 2018 20:15:16 +0000
  • apparmor (2.12-4ubuntu4) bionic; urgency=medium
    
      * Remove another Ubuntu Touch profile (LP: #1761176)
        - debian/control: Breaks on messaging-app
        - debian/postinst: on upgrade, remove profile for usr.bin.messaging-app
    
     -- Jamie Strandboge <email address hidden>  Wed, 04 Apr 2018 13:58:26 +0000
  • apparmor (2.12-4ubuntu3) bionic; urgency=medium
    
      * Remove old Ubuntu Touch profiles for packages removed from the archive
        since they need apparmor-easyprof-ubuntu to compile, and it was also
        removed from the archive (LP: #1756800)
        - debian/control: Breaks on media-hub, mediascanner2.0 and webbrowser-app
        - debian/postinst: on upgrade, remove profiles for usr.bin.webbrowser-app,
          usr.bin.media-hub-server, usr.lib.mediascanner-2.0.mediascanner-extractor
          and usr.bin.mediascanner-service-2.0
    
     -- Jamie Strandboge <email address hidden>  Tue, 03 Apr 2018 13:12:46 +0000
  • apparmor (2.12-4ubuntu2) bionic; urgency=medium
    
      * Remove old click and snapv1 support since those packages no longer exist
        in bionic
        - debian/apparmor.dirs: don't install /var/lib/apparmor/profiles
        - debian/apparmor.init: remove click and snapv1 additions
        - debian/apparmor.postinst: don't update the md5sums for click/snapv1
        - debian/apparmor.postrm: remove code for handling
          /var/lib/apparmor/profiles
        - debian/apparmor.preinst: remove md5sums files from
          /var/lib/apparmor/profiles
        - debian/lib/apparmor/functions: remove compare_and_save_debsums() and
          compare_previous_version() since nothing in the archive uses them any
          more. For now, leave snap v2 support, but eventually we'll want to move
          to the upstream init recommendations
      * profiles-grant-access-to-systemd-resolved.patch: fix typo in DEP-3 headers
    
     -- Jamie Strandboge <email address hidden>  Thu, 22 Mar 2018 19:27:44 +0000
  • apparmor (2.12-4ubuntu1) bionic; urgency=medium
    
      [ Tyler Hicks ]
      * Merge from Debian to get gbp-pq related packaging improvements. Thanks to
        intrigeri for making those improvements! Remaining Ubuntu changes:
        - debian/gbp.conf: Use ubuntu/master as the debian-branch
        - Update package maintainer to be Ubuntu Developers in the control file
        - Call handle_system_policy_package_updates in apparmor.init.
          This is needed for snappy and system-images. Note that this prevents
          using a remote /var.
        - Apply Ubuntu-specific patches
          + parser-include-usr-share-apparmor.patch
          + profiles-grant-access-to-systemd-resolved.patch
          + add-chromium-browser.patch
        - Install Ubuntu chromium-browser profile and abstraction
        - Feature pinning is not used in Ubuntu
    
      [ intrigeri ]
      * Adjust the Vcs-{Browser,Git} control fields to reflect the branch where
        the Ubuntu packaging is maintained.
    
    apparmor (2.12-4) unstable; urgency=medium
    
      * Migrate patch handling to gbp-pq (Closes: #888244).
      * Merge 2.12-3ubuntu1 (dropping the Ubuntu delta):
        - upstream-commit-46f88f5-properly-identify-empty-ouid-fsuid-fields.patch:
          new patch, properly identify empty ouid/fsuid fields in logs.
        - upstream-commit-130958a-allow-shell-helper-read-locale.patch:
          new patch, allow the shell helper regression test program to read
          the locale.
    
     -- Tyler Hicks <email address hidden>  Mon, 19 Mar 2018 16:24:57 +0000
  • apparmor (2.12-3ubuntu1) bionic; urgency=medium
    
      * New upstream bug fix release. Bugs fixed:
        - abstraction/nameservice should include allow access to
          /var/lib/sss/mc/initgroups (LP: #1751402)
        - Cannot Add Request Hat or Use Default Hat in aa-logprof and mod_apparmor
          (LP: #1752365)
        - python tools do not understand 'non-magic' include rules (LP: #1733700)
        - "Unable to open external link" in Evince when google-chrome-unstable is
          the default browser (LP: #1730536)
        - apparmor_parser is missing fix for rule down grades (LP: #1728120)
        - base abstraction missing glibc /proc/$pid/ things (LP: #1658239)
        - logparser.py parse_event_for_tree() doesn't care about owner vs. all in
          file events (LP: #1538340)
        - aa-decode can't decode the audit log which contains the proctitle string
          (LP: #1736841)
        - aa-logprof asks for "a" rule even if "deny w" is present (LP: #1385474)
      * Merge from Debian. Remaining Ubuntu changes:
        - debian/gbp.conf: Use ubuntu/master as the debian-branch
        - Update package maintainer to be Ubuntu Developers in the control file
        - Call handle_system_policy_package_updates in apparmor.init.
          This is needed for snappy and system-images. Note that this prevents
          using a remote /var.
        - Apply Ubuntu-specific patches
          + parser-include-usr-share-apparmor.patch
          + profiles-grant-access-to-systemd-resolved.patch
          + add-chromium-browser.patch
        - Install Ubuntu chromium-browser profile and abstraction
      * Dropped patches that were not merged upstream:
        - ubuntu-manpage-updates.patch: The changes were out of date because
          they only addressed upstart based systems
        - utils-keep-shebang.patch: A different solution was merged upstream
          so that the shebang lines aren't rewritten
      * Feature pinning is not used in Ubuntu
      * Properly identify empty ouid/fsuid fields in logs
      * Allow the shell helper regression test program to read the locale
    
    apparmor (2.12-3) unstable; urgency=medium
    
      * dnsmasq-profile-allow-chown-capability.patch: new patch (Closes: #889806)
      * Update-base-abstraction-for-ld.so.conf-and-friends.patch: new patch,
        cherry-picked from upstream (solves a minor part of #887973).
      * libapparmor-perl: install example program.
    
    apparmor (2.12-2) unstable; urgency=medium
    
      * This release is dedicated to the memory of Ursula K. Le Guin.
    
      * Install the "extra" profiles to the default upstream directory
        (Closes: #832984).
      * Cherry-pick policy improvements from upstream Git (Closes: #887591).
      * Stop recommending the apparmor-profile package to the general public:
        - apparmor: drop "Suggests: apparmor-profile".
        - apparmor-profile: make it clear in the package description that
          these profiles cannot be expected to work out-of-the-box.
      * Bump debhelper compatibility level to 10.
        - This reintroduces --parallel building, which was fixed upstream
          since we disabled it.
        - Don't manually enable the systemd debhelper sequence: now done
          by default.
        - Drop now useless build-dependency on autotools-dev.
      * Declare compliance with Standards-Version 4.1.3 (no change required).
      * debian/control: add Rules-Requires-Root: no.
        - Cherry-pick upstream fix to pam_apparmor's Makefile.
      * Packaging cleanup:
        - Remove Kees Cook <email address hidden> from the Uploaders control field.
          Thanks a lot for the inspiring work you've done on this package
          in the past!
        - Remove obsolete calls to rm_conffile.
        - debian/copyright: use canonical URL to copyright-format/1.0.
        - debian/copyright: sort licenses in lexical order.
        - Use canonical URL to Debian bug in patch header.
        - debian/*.install: remove duplicates.
        - Stop versioning dependencies that are satisfied on Debian Wheezy
          and Ubuntu Trusty.
        - Reformat debian/* with 'cme fix dpkg' + wrap-and-sort.
    
    apparmor (2.12-1) unstable; urgency=medium
    
      * New upstream release (Closes: #885522, #882043, #884014, #886732,
        #875892, #882070, #874665, #884280, #881936, #882135).
        - Drop obsolete patches.
      * dh-apparmor postinst snippet: create empty files in
        /etc/apparmor.d/local/ instead of repeating boilerplate.
      * dh-apparmor postinst snippet: simplify local overrides directory
        creation code.
      * Migrate to Git:
        - Configure gbp for DEP-14
        - Configure gbp-pq to avoid prefixing patches with numbers
        - README.source: adjust to Git
        - Update Vcs-* control fields: migrate to Git
      * Move libpam to Section: admin
    
    apparmor (2.11.1-4) unstable; urgency=medium
    
      * Bump pinned feature set to linux-image-4.14.0-1's, version 4.14.2-1
        - Pinning a feature set without "mount", as we did before this change,
          breaks mount operations due to a bug in the kernel (Closes: #883703).
          Thanks to Fabian Grünbichler and Felix Geyer for reporting this.
        - AppArmor maintainers in Debian have been testing 4.14 without pinning
          for a while and all the known issues were fixed; it's time to enable
          4.14's features so we can learn what parts of our policy still need
          updates (Closes: #880078, #877581).
      * Move features file to /usr/share/apparmor-features (Closes: #883682).
        Thanks to Fabian Grünbichler <email address hidden> for the patch.
      * Document in apparmor/README.Debian where online documentation wrt. AppArmor
        on Debian lives (Closes: #845232). Thanks to Wouter Verhelst and Jean-Michel
        Vourgère for the suggestion.
      * Improve usability of apparmor-notify:
        - notify.conf: unset use_group.
          aa-notify checks that it can read the selected log file — and aborts
          if it can't — before it checks group membership vs. use_group, so in
          practice setting use_group is only useful for users who are allowed
          to read logs but don't want to see notifications. This seems to be
          a corner case, easily addressed per-user (~/.apparmor/notify.conf)
          or system-wide (by deinstalling apparmor-notify).
          So let's instead optimize for a more common use case, i.e. users who can
          read logs and want to see the notifications. This change does not
          impact the most common use case, i.e. desktop users who are not allowed
          to read logs (Closes: #880859).
        - Document in apparmor-notify/README.Debian that one must be in the "adm"
          group to use aa-notify.
        Thanks to Lisandro Damián Nicanor Pérez Meyer and Salvatore Bonaccorso
        whose combined bug reports led to this solution.
      * /lib/apparmor/functions: don't delete /etc/apparmor.d/cache/CACHEDIR.TAG
        ourselves (necessary, but not sufficient, to fix #883584).
      * Declare compliance with Standards-Version 4.1.2.
    
    apparmor (2.11.1-3) unstable; urgency=medium
    
      * upstream-commit-92752f5-support-Google-Chrome-beta.patch:
        new patch, backported from upstream (Closes: #880923).
    
    apparmor (2.11.1-2) unstable; urgency=medium
    
      * apparmor: drop obsolete dependency on libapparmor-perl.
        This dependency was added in 2.8.0-0ubuntu15, when aa-exec (that was
        written in Perl back then) got moved to the apparmor package.
        Nowadays aa-exec is written in C and AFAICT there's nothing in the
        apparmor package that uses libapparmor-perl.
      * apparmor-utils: drop obsolete dependency on libapparmor-perl.
        All the programs shipped in this package were rewritten in Python.
      * Drop obsolete dependencies on python{,3}-pkg-resources.
        They were added to "fix autopkgtests in click-apparmor and
        apparmor-easyprof-ubuntu". We don't ship these packages in Debian,
        and I'm told they're going away in Ubuntu anyway.
    
    apparmor (2.11.1-1) unstable; urgency=medium
    
      * Import upstream 2.11.1 release.
        Drop obsolete patches and refresh remaining ones as needed.
      * pin-feature-set.patch: new patch, that pins the AppArmor feature set
        to Linux 4.13.4-2's (Closes: #879584).
        The AppArmor policy we ship is not fully ready for Linux 4.14 yet.
        Once our policy has been updated (#877581) we can bump the pinned
        feature set to Linux 4.14's.
        Note, however, that this is not fully effective in the specific case
        of 4.14-rcN up to 4.14-rc6 due to a kernel bug with pinned older
        feature sets, that will likely be fixed in Linux 4.14-rc7.
        For example, with Linux 4.14-rc5 some network (e.g. unix, inet, inet6)
        operations are denied despite the fact this pinned feature does not
        enable network mediation support. For details, see:
        https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1721278
      * Disable parser-include-usr-share-apparmor.patch: it's not used on Debian
        and would be made fuzzy by pin-feature-set.patch, thus causing useless
        maintenance busywork.
      * Improve phrasing of long packages description, based on a patch
        by Vincas Dargis <email address hidden> (Closes: #795431).
      * Replace build-dependency on dh-systemd with a versioned one
        on debhelper, that now ships dh_systemd_*.
      * Set priority to "optional": "extra" is deprecated.
      * Bump Standards-Version to 4.1.1.
      * Drop "Testsuite: autopkgtest" control field: it is automatically added
        by dpkg-source(1) since dpkg 1.17.1 when a debian/tests/control file exists,
        which is the case here.
      * Move libapache2-mod-apparmor to Section "httpd", as suggested by Lintian.
    
    apparmor (2.11.0-11) unstable; urgency=medium
    
      * Only use systemd-detect-virt when it's installed (Closes: #871953).
      * dh_apparmor: include the version of the package, so that one can find
        packages that were built with a particular version of dh_apparmor.
        (Closes: #872167).
      * Import patch submitted upstream to support Flatpak exports
        (Closes: #865206).
      * Revert "Build with GCC-6 on mips64el to workaround Debian#871538":
        that gcc-7 bug was fixed in 7.2.0-3 on 2017-09-02, presumably all buildds'
        chroots should have it by now.
      * Merge from Ubuntu citrain up to revision 1627, aka. 2.11.0-2ubuntu17.
        Applied all changes (filtering from that list what had already been
        done in Debian):
         - Remove apparmor system upstart job on upgrades.
         - r3631-apparmor-utils-python3.6-LOCALE.patch: fix utils to avoid
           breakage with python 3.6 (LP: #1661766).
         - nameservice-add-stub-resolv.patch: allow read access to systemd stub
           resolver configuration
    
    apparmor (2.11.0-10) unstable; urgency=medium
    
      * Build with GCC-6 on mips64el to workaround #871538.
    
    apparmor (2.11.0-9) unstable; urgency=medium
    
      * debian-chromium-paths.patch: new patch, fixes e.g. opening links
        (e.g. from Thunderbird) when Chromium is the default web browser
        (reported in #858911).
    
    apparmor (2.11.0-8) unstable; urgency=medium
    
      * firefox-non-esr.patch: new patch, fixes e.g. opening links from
        Thunderbird when Firefox non-ESR is the default web browser
        (Closes: #858911).
      * Adjust metadata for wayland-cursor.patch: applied upstream.
    
    apparmor (2.11.0-7) unstable; urgency=medium
    
      * compare_and_save_debsums(): fix quieting of diff on initial installation
        (Closes: #870696).
      * Don't explicitly pass runlevel nor sequence number to update-rc.d
        via dh_installinit (Closes: #870695).
        Thanks to Michael Biebl for the hint!
      * wayland-cursor.patch: new patch, to allow wayland-cursor-shared-*
        (Closes: #870807).
      * Merge from Ubuntu citrain up to revision 1620, i.e. 2.11.0-2ubuntu11.
        Applied all changes:
         - fix-aa-status-pod.patch: updates aa-status for newer podchecker
           (LP: #1707614)
         - adjust-python-for-3.6.patch: update python abstraction for 3.6
         - adjust-nameservice-for-systemd-resolved.patch: grant access to
           systemd-resolved in the nameservice abstraction (LP: #1598759).
        … and then disabled adjust-nameservice-for-systemd-resolved.patch
        that's dangerous without fine-grained AppArmor mediation of
        D-Bus traffic.
      * Remove upstart configuration: Upstart was removed in Debian Stretch
        so this file is no longer useful.
      * Drop ubuntu-manpage-updates.patch, that was only relevant with Upstart.
    
    apparmor (2.11.0-6) unstable; urgency=medium
    
      * libapparmor-dev: stop installing /lib/*/libapparmor.la (Closes: #866636).
    
    apparmor (2.11.0-5) unstable; urgency=medium
    
      * pass-compiler-flags-binutils.patch: new patch, fixes missing
        hardening flags in aa-enabled and aa-exec.
      * Merge from Ubuntu citrain up to revision 1617, i.e. 2.11.0-2ubuntu8.
    
    apparmor (2.11.0-4) unstable; urgency=medium
    
      * Run parts of the upstream test suite as autopkgtests.
      * Declare compliance with Standards-Version 4.0.0 (no change required).
      * Add mentions-deprecated-usr-lib-perl5-directory to Lintian overrides,
        since usr-lib-perl5-mentioned has been renamed.
      * libapparmor1.symbols: require 2.8.94 instead of 2.8.94-0ubuntu1.
      * debian/rules: use variables provided by dpkg/pkg-info.mk instead
        of parsing the output of dpkg-parsechangelog.
      * Override mistaken apache2-module-depends-on-real-apache2-package
        Lintian check.
      * Merge from Ubuntu citrain up to revision 1616, i.e. 2.11.0-2ubuntu5
        (more recent changes, up to 2.11.0-2ubuntu8, have not been pushed
        to the citrain repo yet; they don't seem critical though).
    
    apparmor (2.11.0-3) unstable; urgency=medium
    
      * Fix CVE-2017-6507: don't unload unknown profiles during package
        configuration or when restarting the apparmor init script, upstart job, or
        systemd unit as this could leave processes unconfined (Closes: #858768).
        Changes cherry-picked from Ubuntu's 2.11.0-2ubuntu3:
        - debian/apparmor.postinst, debian/apparmor.init, debian/apparmor.upstart:
          Remove calls to unload_obsolete_profiles()
        - debian/patches/utils-add-aa-remove-unknown.patch,
          debian/apparmor.install debian/apparmor.manpages: Include a new utility,
          aa-remove-unknown, which can be used to unload unknown profiles. Based
          on an upstream patch but adjusted to source the /lib/apparmor/functions
          shipped in Debian/Ubuntu.
    
     -- Tyler Hicks <email address hidden>  Thu, 15 Mar 2018 15:39:10 +0000
  • apparmor (2.11.0-2ubuntu19) bionic; urgency=medium
    
      * d/p/0001-Allow-seven-digit-pid.patch:
        On 64-bit systems, /proc/sys/kernel/pid_max can be set to PID_MAX_LIMIT
        (2^22), which results in seven-digit pids. Adjust the @{PID} variable in
        tunables/global to accept this. (LP: #1717714)
    
     -- Seyeong Kim <email address hidden>  Mon, 08 Jan 2018 07:52:32 -0800
  • apparmor (2.11.0-2ubuntu18) bionic; urgency=medium
    
      * No-change rebuild against perlapi-5.26.1
    
     -- Steve Langasek <email address hidden>  Thu, 02 Nov 2017 05:31:55 +0000
  • apparmor (2.11.0-2ubuntu17) artful; urgency=medium
    
      * nameservice-add-stub-resolv.patch: allow read access to systemd stub
        resolver configuration
    
     -- Jamie Strandboge <email address hidden>  Fri, 15 Sep 2017 12:52:05 +0000