Created by Steve Beattie and last modified
Get this branch:
bzr branch lp:apparmor/2.10
Members of AppArmor Developers can upload to this branch. Log in for directions.

Branch merges

Related bugs

Related blueprints

Branch information

AppArmor Developers

Recent revisions

3410. By intrigeri

profiles: allow OpenAL HRTF support in audio abstraction

merge from trunk commit 3726

The files are "head-related transfer function" data sets, used by
OpenAL for better spatialization of sounds when headphones are detected.

Acked-by: Steve Beattie <email address hidden>

Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=874665

3409. By Christian Boltz

Add python3.6 line to utils/logprof.conf

This is a backport of trunk r3718 by intrigeri

Acked-by: John Johansen <email address hidden> for 2.11 and 2.10 (on IRC)

3408. By Christian Boltz

Allow reading /etc/netconfig in abstractions/nameservice

/etc/netconfig is required by the tirpc library which nscd and several
other programs use.

References: https://bugzilla.opensuse.org/show_bug.cgi?id=1062244

Acked-by: Seth Arnold <email address hidden> for 2.9, 2.10, 2.11 and trunk

3407. By John Johansen

Bump version to 2.10.3

Signed-off-by: John Johansen <email address hidden>

3406. By John Johansen

parser: Allow AF_UNSPEC family in network rules


Don't filter out AF_UNSPEC from the list of valid protocol families so
that the parser will accept rules such as 'network unspec,'.

There are certain syscalls, such as socket(2), where the LSM hooks are
called before the protocol family is validated. In these cases, AppArmor
was emitting denials even though socket(2) will eventually fail. There
may be cases where AF_UNSPEC sockets are accepted and we need to make
sure that we're mediating those appropriately.

cherry-pick: r3376
Signed-off-by: Tyler Hicks <email address hidden>
Suggested-by: Steve Beattie <email address hidden>
Acked-by: John Johansen <email address hidden>
[cboltz: Add 'unspec' to the network domain keywords of the utils]

3405. By Steve Beattie

libapparmor: fix swig test_apparmor.py for zero length ptrace records
Merge from trunk revision 3715

The added testcase for a ptrace target with an empty string
(ptrace_garbage_lp1689667_1.in) was causing the swig python test script
to fail. The generated python swig record for libapparmor ends up
setting a number of fields to None or other values that indicate the
value is unset, and the test script was checking if the value in the
field didn't evaluate to False in a python 'if' test.

Unfortunately, python evaluates the empty string '' as False in 'if'
tests, resulting in the specific field that contained the empty string
to be dropped from the returned record. This commit fixes that by
special case checking for the empty string.

Signed-off-by: Steve Beattie <email address hidden>
Acked-by: John Johansen <email address hidden>

3404. By John Johansen

Fix af_unix downgrade of network rules

with unix rules we output a downgraded rule compatible with network rules
so that policy will work on kernels that support network socket controls
but not the extended af_unix rules

however this is currently broken if the socket type is left unspecified
(initialized to -1), resulting in denials for kernels that don't support
the extended af_unix rules.

cherry-pick: lp:apparmor r3700
Signed-off-by: John Johansen <email address hidden>
Acked-by: timeout

3403. By Christian Boltz

Allow /var/run/dovecot/login-master-notify* in dovecot imap-login profiles

Acked-by: Seth Arnold <email address hidden> for trunk, 2.11, 2.10 and 2.9.

3402. By Christian Boltz

Merge updated traceroute profile into 2.10 and 2.9 branch

References: https://bugzilla.opensuse.org/show_bug.cgi?id=1057900

revno: 3690 [merge]
committer: Steve Beattie <email address hidden>
branch nick: apparmor
timestamp: Wed 2017-08-09 08:57:36 -0700
  traceroute profile: support TCP SYN for probes, quite net_admin request

  Merge from Vincas Dargis, approved by intrigeri.
  fix traceroute denies in tcp mode

  Acked-by: Steve Beattie <email address hidden>

Backport to 2.10 and 2.9 branch

Acked-by: Steve Beattie <email address hidden>
Acked-by: Seth Arnold <email address hidden>

3401. By Christian Boltz

abstractions/freedesktop.org: support /usr/local/applications; support subdirs of applications folder

Merge request by Cameron Norman 2015-06-07

Acked-by: Christian Boltz <email address hidden> for trunk, 2.11, 2.10 and 2.9

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
This branch contains Public information 
Everyone can see this information.