parser: Deprecation warning should not have been backported
Outputting the deprecation warning is a change in behavior that is not
a bug fix.
Signed-off-by: John Johansen <email address hidden>
(cherry picked from commit ca7f79174e7eb86ec744943a1f0155734c2f538f)
Signed-off-by: Rodrigo Figueiredo Zaiden <email address hidden>
636739f...
by
John Johansen <email address hidden>
Merge fix subprofile name in profile serialization
Given the following profile:
profile foo {
  profile bar {
    profile baz {
    }
  }
}
The parser would correctly serialize the "foo" profile and the
"foo//bar" profile, but it would incorrectly name "bar//baz" when it
should be "foo//bar//baz". This would cause issues loading the profile
in certain kernels causing a "parent does not exist" error.
3c6d767...
by
John Johansen <email address hidden>
Merge profiles: remove @{etc_ro} variable which is not available on 2.13
The variable @{etc_ro} was cherry-picked from a commit from a later
apparmor version, but it is not available on 2.13. Therefore it should
be replaced by the actual string.
e1660df...
by
John Johansen <email address hidden>
Merge tests: fix regression tests to run on kernels that only have network_v8
Upstream kernels only have network_v8; unfortunately the tcp tests were
only being run against kernels that had network (which is v7). Kernels
that support both (Ubuntu) would be tested against v8, so v8 has been
tested but pure upstream kernels were failing to be tested correctly.
This patch will only make sure one of the supported versions is
tested. This is determined by the parser which prefers v8. In the
future the tests need to be extended to run the tests against all
kernel supported versions.
Signed-off-by: John Johansen <email address hidden>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1120
Approved-by: Christian Boltz <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit dcc719c69c0473a4060c3314679b0ec8fc4c716d)
Signed-off-by: John Johansen <email address hidden>
d90649a...
by
John Johansen <email address hidden>
Merge Allow reading /etc/authselect/nsswitch.conf
On systems with authselect installed, /etc/nsswitch.conf is a symlink to
/etc/authselect/nsswitch.conf.
Out of the box the KDE plasma-browser-integration package does not work
after a user installed the corresponding Firefox extension: The browser
can't start the native host binary. The same is probably true for
Chromium.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1115
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit 1e7f63415a6cff0fb22a7b18b9169d5db6091dc1)
Signed-off-by: John Johansen <email address hidden>
1b300f5...
by
John Johansen <email address hidden>
Merge [2.13..3.1] Ignore `//null-` peers in signal and ptrace events
Ideally we'd update them to the chosen exec target - but until this is
implemented, it doesn't make sense to ask about adding a //null-* peer
to a profile.
Merge tests/regression/apparmor/capabilities.sh: fail iopl/ioperm with lockdown
In MR #1063 the tests/regression/apparmor/syscall.sh script was updated to
account for kernel lockdown, but the capabilities.sh script also exercises these
system calls so this also needs to be updated as well.