apparmor:apparmor-2.12

Last commit made on 2022-12-16
Get this branch:
git clone -b apparmor-2.12 https://git.launchpad.net/apparmor

Branch information

Name:
apparmor-2.12
Repository:
lp:apparmor

Recent commits

70686e4... by Georgia Garcia

Merge log parsing fixes

small fixes on log parsing

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/959
Approved-by: Jon Tourville <email address hidden>
Approved-by: Christian Boltz <email address hidden>
Merged-by: Georgia Garcia <email address hidden>
(cherry picked from commit 4f2d2a8cab285a725bf72d0322ddf17df312abe4)
Signed-off-by: Georgia Garcia <email address hidden>

ad90017... by John Johansen

Prepare for AppArmor 2.12.4 release

- update version file
- update library version

Signed-off-by: John Johansen <email address hidden>

edf69b3... by Christian Ehrhardt 

Allow access to possible cpus for glibc-2.36

Glibc in 2.36 and later will [1] access sysfs at
/sys/devices/system/cpu/possible when using sysconf
for _SC_NPROCESSORS_CONF.

That will make a lot of different code, for example
anything linked against libnuma, trigger this apparmor
denial.

  apparmor="DENIED" operation="open" class="file" ...
  name="/sys/devices/system/cpu/possible" ...
  requested_mask="r" denied_mask="r" fsuid=0 ouid=0

This entry seems rather safe, and it follows others
that are already in place. Instead of fixing each
software individually this should go into the base
profile as well.

Initially reported via
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989073
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/267
MR: none - ML
Signed-off-by: Christian Ehrhardt <email address hidden>
Signed-off-by: John Johansen <email address hidden>
(cherry picked from commit c159d0925a2c016a39c27b9c6587d9c41114fdf9)
Signed-off-by: John Johansen <email address hidden>

a343462... by John Johansen <email address hidden>

Merge [2.11..2.13] Add 'mctp' network domain keyword [only to utils]

Reported as comment on https://build.opensuse.org/request/show/951354
(update to glibc 2.35)

This is a partial backport of
https://gitlab.com/apparmor/apparmor/-/merge_requests/832

I propose this patch for 2.11, 2.12 and 2.13.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/911
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit 157c8ee36a09330601ec7667e8ead6d58d2ef4c8)
Signed-off-by: John Johansen <email address hidden>

609fe42... by John Johansen <email address hidden>

Merge [2.11..2.13] Support setuptools >= 61.2 in Python tests

Fix for #253, by mirroring the change from https://github.com/pypa/setuptools/pull/3258/commits/1c23f5e1e4b18b50081cbabb2dea22bf345f5894

On top of that, fix setuptools version detection in buildpath.py. libraries/libapparmor/swig/python/test/buildpath.py: The changes introduced in https://gitlab.com/apparmor/apparmor/-/commit/cc7f549665282c0a527d5424a6f9d726c50ddbb1 targeted a wrong setuptools version (61.2). The change in build directory naming has been introduced with 62.0.

Fixes #259 Fixes #39

The first 3 commits are based on https://gitlab.com/apparmor/apparmor/-/merge_requests/897, the other two come from https://gitlab.com/apparmor/apparmor/-/merge_requests/904. Since there are several differences between 2.13 and >= 3.0, I had to adjust the patches at several places.

I propose this MR for 2.11, 2.12 and 2.13.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/910
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit 3c047517a4c2f157ef2a4756d83be583748ff425)
Signed-off-by: John Johansen <email address hidden>

62a0549... by John Johansen <email address hidden>

Merge dnsmasq: Add missing r permissions for libvirt_leaseshelper

Note: This was reported for /usr/libexec/libvirt_leaseshelper, but since
this is probably unrelated to the path or a path change, this commit
also adds r permissions for the previous path.

Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1202161

I propose this patch for 3.0 and master (optionally also for 2.12 and 2.13 - please tell me if you want that after reviewing the patch, or just merge ;-)

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/905
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>

(cherry picked from commit f51049ea2eaecadf516fb8ac8e122ca84a1dfde6)

c9c5208f dnsmasq: Add missing r permissions for libvirt_leaseshelper

06f5eed... by Christian Boltz

Merge [2.11..2.13] Grep away deprecation warning for distutils

... which will be removed in Python 3.12, and that probably won't be
used on systems running the AppArmor 2.1x branches.

This prevents CI failures on gitlab.com, which uses a new-enough python
to show

    DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives

For 3.0 and master, the proper fix (switching to setuptools) was done in
!813.

I propose this patch for 2.11, 2.12 and 2.13.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/908
Approved-by: John Johansen <email address hidden>
Merged-by: Christian Boltz <email address hidden>

(cherry picked from commit fd1b463643d15d47a29a6ed380bcc6826b0ebbea)

ca3e5be5 Grep away deprecation warning for distutils

1cccb93... by Christian Boltz

Merge Set (instead of compare) exresult

Interestingly this accidentally worked because `if exresult` is true for
both a non-empty string ("PASS") as well as a real `True` value.

Found by Mark Grassi as part of
https://gitlab.com/apparmor/apparmor/-/merge_requests/906

I propose this patch for all branches.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/907
Approved-by: Jon Tourville <email address hidden>
Merged-by: Christian Boltz <email address hidden>

(cherry picked from commit c06ea77445683898df690f09ea6277240b1a33bb)

5a2fb856 Set (instead of compare) exresult

ae03462... by John Johansen <email address hidden>

Merge profiles: update snap_browsers permissions

The snap_browsers abstraction requires more permissions
due to updates on snaps.

Some of the permissions are not required in older versions of
Ubuntu that use 2.12 and 2.13, but are introduced for unification
and ease of maintenance purposes. These include:
```
    all dbus permissions,
    @{PROC}/sys/kernel/random/uuid r,
    owner @{PROC}/@{pid}/cgroup r,
    /var/lib/snapd/sequence/{chromium,firefox,opera}.json r,
```

I also propose a cherry-pick of this commit to 2.12, 2.13 and 3.0

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/877
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit bfa67b369df97ec86b532fd686c8240ecbbd9f06)
Signed-off-by: John Johansen <email address hidden>

80400e0... by Christian Boltz

Merge Allow dovecot to use all signals

similar to commit 2f9d172c641bd21671721e76e0d65ba4bd914107
we discovered that there was a service outage
when dovecot tried to send a usr1 signal

type=AVC msg=audit(1648024138.249:184964): apparmor="DENIED" operation="signal" profile="dovecot" pid=1690 comm="dovecot" requested_mask="send" denied_mask="send" signal=usr1 peer="dovecot-imap-login"

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/865
Approved-by: Christian Boltz <email address hidden>
Merged-by: Christian Boltz <email address hidden>

(cherry picked from commit 83685ba703572a119988f48b43ecae4a45b4b424)

f0919f83 Allow dovecot to use all signals