apparmor:master

Branch merges

Related source package recipes

1 recipe using this branch. (?)

Create packaging recipe

Related snap packages

Related charm recipes

81bc26c... by Christian Boltz on 2023-11-26

Merge add steam profile for applications in unconfined mode

Steam needs to use user namespaces, hence it needs an unconfined
profile when user namespaces are restricted from unconfined like other
applications in MR1123

  https://gitlab.com/apparmor/apparmor/-/merge_requests/1123

In addition this serves as a handle to uniquely identify stream
instead of unconfined to peers in policy.

    Note that unconfined mode should be changed for default_allow
    when https://gitlab.com/apparmor/apparmor/-/merge_requests/1109 is
    merged.

Signed-off-by: John Johansen <email address hidden>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1125
Merged-by: Christian Boltz <email address hidden>

71e28e9... by Christian Boltz on 2023-11-26

Merge profiles: convert local include to match profile name

The recently added unconfined profiles use the binary name for the
local include instead of the profile name. Switch to using the
profile name for the local include.

Signed-off-by: John Johansen <email address hidden>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1126
Merged-by: Christian Boltz <email address hidden>

7c684f9... by John Johansen on 2023-11-25

profiles: convert local include to match profile name

The recently added unconfined profiles use the binary name for the
local include instead of the profile name. Switch to using the
profile name for the local include.

Signed-off-by: John Johansen <email address hidden>

6c01b90... by John Johansen on 2023-11-24

add steam profile for applications in unconfined mode

Steam needs to use user namespaces, hence it needs an unconfined
profile when user namespaces are restricted from unconfined like other
applications in MR1123

  https://gitlab.com/apparmor/apparmor/-/merge_requests/1123

In addition this serves as a handle to uniquely identify stream
instead of unconfined to peers in policy.

    Note that unconfined mode should be changed for default_allow
    when https://gitlab.com/apparmor/apparmor/-/merge_requests/1109 is
    merged.

Signed-off-by: John Johansen <email address hidden>

e0bc90f... by John Johansen <email address hidden> on 2023-11-23

Merge Add profiles for applications in unconfined mode

Adding profiles for applications even if they allow all operations
will allow them to be referenced as peer by other policies. This is
a step towards a more comprehensive system policy, adding names,
instead of just unconfined, to peers of existing policy and to
applications that are known to use unprivileged user namespaces.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1123
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>

6a96067... by John Johansen <email address hidden> on 2023-11-23

Merge parser: fix regex parser leak on parsing failure

When the regex parser failed, the Chars objects created/used in rules
charset and cset_chars would not be cleaned up properly and would
leak.

Closes #361

Closes #361
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1124
Merged-by: John Johansen <email address hidden>

dcad01c... by Georgia Garcia on 2023-11-23

parser: fix regex parser leak on parsing failure

When the regex parser failed, the Chars objects created/used in rules
charset and cset_chars would not be cleaned up properly and would
leak.

Closes #361

Signed-off-by: Georgia Garcia <email address hidden>

2594d93... by Georgia Garcia on 2023-11-22

add profiles for applications in unconfined mode

Adding profiles for applications even if they allow all operations
will allow them to be referenced as peer by other policies. This is a
step towards a more comprehensive system policy, adding names, instead
of just unconfined, to peers of existing policy and to applications
that are known to use unprivileged user namespaces.

Note that unconfined mode should be changed for default_allow
when https://gitlab.com/apparmor/apparmor/-/merge_requests/1109 is
merged.

Signed-off-by: Georgia Garcia <email address hidden>

9bba464... by Christian Boltz on 2023-11-08

Merge Allow reading /run/systemd/sessions/

Several applications use it now that utmp and wtmp are
being removed because they are not Y2038 compliant

This is the case for example in openSUSE Tumbleweed and
openSUSE MicroOS:
https://microos.opensuse.org/blog/2023-11-06-utmp-and-wtmp-are-gone/

Closes https://gitlab.com/apparmor/apparmor/-/issues/360

Closes #360

Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1216878

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1121
Approved-by: Christian Boltz <email address hidden>
Merged-by: Christian Boltz <email address hidden>

96b1aa5... by Julio Gonzalez Gil <email address hidden> on 2023-11-08

Allow reading /run/systemd/sessions/

Several applications use it now that utmp and wtmp are
being removed because they are not Y2038 compliant

This is the case for example in openSUSE Tumbleweed and
openSUSE MicroOS:
https://microos.opensuse.org/blog/2023-11-06-utmp-and-wtmp-are-gone/

Closes https://gitlab.com/apparmor/apparmor/-/issues/360