apparmor:apparmor-2.10

Last commit made on 2020-12-07
Get this branch:
git clone -b apparmor-2.10 https://git.launchpad.net/apparmor

Branch information

Name:
apparmor-2.10
Repository:
lp:apparmor

Recent commits

ac03ae4... by John Johansen

Release: Bump revision for 2.10.6 release

Signed-off-by: John Johansen <email address hidden>

085d4cd... by Christian Boltz

abstractions/X: Allow (only) reading X compose cache

... (/var/cache/libx11/compose/*), and deny any write attempts

Reported by darix,
https://git.nordisch.org/darix/apparmor-profiles-nordisch/-/blob/master/apparmor.d/teams

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/685
(cherry picked from commit 78bd811e2a23f55974991cd208f6a17749655c21)
Signed-off-by: John Johansen <email address hidden>

f305bb1... by Christian Boltz

Add CAP_CHECKPOINT_RESTORE to severity.db

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/656
Signed-off-by: John Johansen <email address hidden>
(cherry picked from commit 2c2dbdc3a3012ce06371edc1e9be6f58711d8565)

9f0415e... by Christian Boltz

Add CAP_BPF and CAP_PERFMON to severity.db

These capabilities were introduced in Linux 5.8.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/589
References: https://bugs.launchpad.net/bugs/1890547
(cherry picked from commit ae012502095596df4675555da635c868e3b3c04a)
Signed-off-by: John Johansen <email address hidden>

0acc2cd... by John Johansen

parser: call filter slashes for mount conditionals

The mnt_point and devices conditionals in mount rules are generally
paths and should have slashes filtered after variable expansion.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/607
Signed-off-by: John Johansen <email address hidden>
(cherry picked from commit a1978fb1b2f9c97ae6ea7efb752e3d25ac261830)
Signed-off-by: John Johansen <email address hidden>

41091fd... by John Johansen

parser: call filter slashes for the dbus path conditional

Similar to unix addr rules, the dbus path conditional is more a path
than a profile name and should get its slashes filtered after variable
expansion.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/607
Signed-off-by: John Johansen <email address hidden>
(cherry picked from commit 35f6d49ec679f41ac30a2dd22780881c03ca01c9)
Signed-off-by: John Johansen <email address hidden>

b5ffee5... by John Johansen

parser: enable variable expansion for mount type= and options=

Currently mount options type= and options= do not expand variables
but they should. Fix it.

Note: this does not treat either as paths because their use is
too device dependent for it to be safe to filter slashes.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/99
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/638
Signed-off-by: John Johansen <email address hidden>
Acked-by: Steve Beattie <email address hidden>
(cherry picked from commit 882380ad3d8e90a9ac9fe489485ce9f652a1a80a)
Signed-off-by: John Johansen <email address hidden>

ab49c3d... by Patrick Steinhardt

libapparmor: add missing include for `socklen_t`

While `include/sys/apparmor.h` makes use of `socklen_t`, it doesn't
include the `<sys/socket.h>` header to make its declaration available.
While this works on systems using glibc via transitive includes, it
breaks compilation on musl libc.

Fix the issue by including the header.

Signed-off-by: Patrick Steinhardt <email address hidden>
(cherry picked from commit 47263a3a74d7973e7a54b17db6aa903701468ffd)
Signed-off-by: John Johansen <email address hidden>

92a6360... by Patrick Steinhardt

libapparmor: add _aa_asprintf to private symbols

While `_aa_asprintf` is supposed to be of private visibility, it's used
by apparmor_parser and thus required to be visible when linking. This
commit thus adds it to the list of private symbols to make it available
for linking in apparmor_parser.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/643
Signed-off-by: Patrick Steinhardt <email address hidden>
(cherry picked from commit 9a8fee6bf1c79c261374d928b838b5eb9244ee9b)

f4346f6... by John Johansen

parser: Fix expansion of variables in unix rules addr= conditional

The parser is not treating unix addr as a path and filtering slashes
after variable expansion. This can lead to errors where

@{foo}=/a/
unix bind addr=@{foo}/bar,

will always fail because addr is being matched as /a//bar instead of
/a/bar.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/607
Fixes: https://bugs.launchpad.net/apparmor/+bug/1856738
Signed-off-by: John Johansen <email address hidden>
(cherry picked from commit 6af05006d9dd1bfaa36e555841496a4cbf3992ee)
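The expand-then-filter behaviour described in the parser commits above (unix addr=, the dbus path conditional, mount mnt_point/devices, and the deliberately unfiltered mount type=/options=), as an added Python model. This is not apparmor_parser's own code: the variable table and the conditional names used as dictionary keys are constructed from the commit messages, and the parser's real expansion logic is only approximated here.

```python
import re
from itertools import product

# Constructed variable table, modelled on the commit message's example
# (@{foo}=/a/). AppArmor variables may hold several values, so one rule
# expands to one entry per value. Assumption: simplified model only.
VARS = {"foo": ["/a/", "/b"]}

VAR_RE = re.compile(r"@\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Conditionals the commits treat as paths (filtered after expansion).
# Names are taken from the commit messages, used here only as keys.
PATH_CONDITIONALS = {"addr", "mnt_point", "devices", "path"}
# Mount type= and options= expand variables but are NOT filtered,
# because their contents are too device dependent for that to be safe.


def expand(value, variables):
    """Return every expansion of value with each @{name} substituted."""
    names = VAR_RE.findall(value)
    if not names:
        return [value]
    results = []
    for combo in product(*(variables[n] for n in names)):
        it = iter(combo)
        # re.sub calls the callback left to right, matching findall order
        results.append(VAR_RE.sub(lambda m: next(it), value))
    return results


def filter_slashes(path):
    """Collapse runs of '/' so that '/a//bar' becomes '/a/bar'."""
    return re.sub(r"/+", "/", path)


def expand_conditional(name, value, variables=VARS):
    """Expand a rule conditional; filter slashes only for path-like ones."""
    expanded = expand(value, variables)
    if name in PATH_CONDITIONALS:
        expanded = [filter_slashes(p) for p in expanded]
    return expanded


if __name__ == "__main__":
    # Before the fix the unix addr= value stayed '/a//bar' and never matched.
    print("raw:     ", expand("@{foo}/bar", VARS))
    print("addr=    ", expand_conditional("addr", "@{foo}/bar"))
    print("options= ", expand_conditional("options", "@{foo}/bar"))
```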