apparmor:apparmor-3.0

Last commit made on 2023-12-05
Get this branch:
git clone -b apparmor-3.0 https://git.launchpad.net/apparmor

Branch information

Name: apparmor-3.0
Repository: lp:apparmor

Recent commits

caccb88... by John Johansen <email address hidden>

Merge Fix typo in apparmor_parser manpage

man apparmor_parser gives examples for the --warn command line option as

             apparmor_parser --warn=rules-not-enforced ...
and
             apparmor_parser --warn=no-rules-not-enforced ...

but the actual --warn options are rule-not-enforced / no-rule-not-enforced
(without s)

Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057453

I propose this fix for 2.13..master

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1128
Merged-by: John Johansen <email address hidden>

(cherry picked from commit 15d8e21945ccc7ef7ca258a18e0ba5f7a3ffcb01)

3ee47af4 Fix typo in apparmor_parser manpage

ff45506... by John Johansen <email address hidden>

Merge fix subprofile name in profile serialization

Given the following profile:

profile foo {
  profile bar {
    profile baz {
    }
  }
}

The parser would correctly serialize the "foo" profile and the
"foo//bar" profile, but it would incorrectly name "bar//baz" when it
should be "foo//bar//baz". This would cause issues loading the profile
in certain kernels causing a "parent does not exist" error.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1127
Merged-by: John Johansen <email address hidden>
(cherry picked from commit eb6fa022513f60ef340bf5ebe6d6aae3269f1f87)
Signed-off-by: John Johansen <email address hidden>

0be90d6... by Christian Boltz

Merge Allow reading /run/systemd/sessions/

Several applications use it now that utmp and wtmp are
being removed because they are not Y2038 compliant

This is the case for example in openSUSE Tumbleweed and
openSUSE MicroOS:
https://microos.opensuse.org/blog/2023-11-06-utmp-and-wtmp-are-gone/

Closes https://gitlab.com/apparmor/apparmor/-/issues/360

Closes #360

Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1216878

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1121
Approved-by: Christian Boltz <email address hidden>
Merged-by: Christian Boltz <email address hidden>

(cherry picked from commit 9bba464d931af09e6d8e6c29b206af4c877123fc)

96b1aa54 Allow reading /run/systemd/sessions/

dc614a0... by John Johansen <email address hidden>

Merge tests: fix regression tests to run on kernels that only have network_v8

Upstream kernels only have network_v8. Unfortunately the tcp tests were
only being run against kernels that had network (which is v7). Kernels
that support both (Ubuntu) would be tested against v8, so v8 has been
tested but pure upstream kernels were failing to be tested correctly.

This patch will only make sure one of the supported versions is
tested. This is determined by the parser which prefers v8. In the
future the tests need to be extended to run the tests against all
kernel supported versions.

Signed-off-by: John Johansen <email address hidden>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1120
Approved-by: Christian Boltz <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit dcc719c69c0473a4060c3314679b0ec8fc4c716d)
Signed-off-by: John Johansen <email address hidden>

c509d9e... by John Johansen <email address hidden>

Merge Allow reading /etc/authselect/nsswitch.conf

On systems with authselect installed, /etc/nsswitch.conf is a symlink to
/etc/authselect/nsswitch.conf.

Fixes: https://gitlab.com/apparmor/apparmor-profiles/-/issues/13

I propose this patch for 3.0..master.

Closes apparmor-profiles#13
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1119
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>

(cherry picked from commit 54915dabc4b8b7e1a02d40619af625c8bd147d8b)
Signed-off-by: John Johansen <email address hidden>

afe0226... by John Johansen <email address hidden>

Merge ubuntu-browsers.d/kde: fix plasma-browser-integration

Out of the box the KDE plasma-browser-integration package does not work
after a user installed the corresponding Firefox extension: The browser
can't start the native host binary. The same is probably true for
Chromium.

This was originally reported to KDE at https://bugs.kde.org/show_bug.cgi?id=397399

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1115
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit 1e7f63415a6cff0fb22a7b18b9169d5db6091dc1)
Signed-off-by: John Johansen <email address hidden>

1ada934... by John Johansen <email address hidden>

Merge abstractions: pipewire rt conf

Pipewire also uses the client-rt.conf file, add this to the audio abstraction.

See pipewire source: https://github.com/PipeWire/pipewire/blob/master/src/daemon/client-rt.conf.in

Hit this during normal usage of Firefox.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1113
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit 28f336cb91d48bd0ea879cb86f8e147d45467156)
Signed-off-by: John Johansen <email address hidden>

4d3831d... by John Johansen <email address hidden>

Merge parser/rc.apparmor: Handle Incus

Add init function support to skip incus prefixed policy like is done for lxc and lxd

Signed-off-by: Stéphane Graber <email address hidden>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1112
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit 7eff621fc715d2dbf6363540a2654d978672a050)
Signed-off-by: John Johansen <email address hidden>

b8094eb... by Christian Boltz

Merge [3.0] Fix aa-cleanprof to work with named profiles

This needed replacement of "program" with "profile" at various places in
tools.py (of course this description is over-simplified).

The changes in get_next_to_profile() (which is used by several aa-*
minitools) are restricted to cleanprof to avoid side effects in the
other aa-* minitools.

However, the other aa-* minitools possibly also suffer from problems
with named profiles, but checking and fixing that is left for another
commit ;-)

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/351

.

The fix needs an additional function in ProfileList (`profile_from_attachment()`) to get the profile name for a given attachment.

Since this is not very different from filename_from_attachment(), move
most of the code into a thing_from_attachment() function, and make
{profile,filename}_from_attachment wrappers for it.

Also adjust the tests to the changed internal data structure, and add
tests for profile_from_attachment().

Closes #351

This is the 3.0 version of https://gitlab.com/apparmor/apparmor/-/merge_requests/1108

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1110
Approved-by: Georgia Garcia <email address hidden>
Merged-by: Christian Boltz <email address hidden>

fa60f19... by Christian Boltz

Fix aa-cleanprof to work with named profiles

This needed replacement of "program" with "profile" at various places in
tools.py (of course this description is over-simplified).

The changes in get_next_to_profile() (which is used by several aa-*
minitools) are restricted to cleanprof to avoid side effects in the
other aa-* minitools.

However, the other aa-* minitools possibly also suffer from problems
with named profiles, but checking and fixing that is left for another
commit ;-)

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/351

(cherry picked from commit 151bf26bb9f33d8862c7200238213805c5225474,
 adjusted for 3.0 branch)