lp:apparmor/2.10

Created by Steve Beattie on 2015-11-18 and last modified on 2017-10-26
Get this branch:
bzr branch lp:apparmor/2.10
Members of AppArmor Developers can upload to this branch. Log in for directions.

Branch merges

Related bugs

Related blueprints

Branch information

Owner:
AppArmor Developers
Project:
AppArmor
Status:
Mature

Recent revisions

3410. By intrigeri on 2017-10-26

profiles: allow OpenAL HRTF support in audio abstraction

merge from trunk commit 3726

The files are "head-related transfer function" data sets, used by
OpenAL for better spatialization of sounds when headphones are detected.

Acked-by: Steve Beattie <email address hidden>

Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=874665

3409. By Christian Boltz on 2017-10-23

Add python3.6 line to utils/logprof.conf

This is a backport of trunk r3718 by intrigeri

Acked-by: John Johansen <email address hidden> for 2.11 and 2.10 (on IRC)

3408. By Christian Boltz on 2017-10-20

Allow reading /etc/netconfig in abstractions/nameservice

/etc/netconfig is required by the tirpc library which nscd and several
other programs use.

References: https://bugzilla.opensuse.org/show_bug.cgi?id=1062244

Acked-by: Seth Arnold <email address hidden> for 2.9, 2.10, 2.11 and trunk

3407. By John Johansen on 2017-10-19

Bump version to 2.10.3

Signed-off-by: John Johansen <email address hidden>

3406. By John Johansen on 2017-10-19

parser: Allow AF_UNSPEC family in network rules

https://launchpad.net/bugs/1546455

Don't filter out AF_UNSPEC from the list of valid protocol families so
that the parser will accept rules such as 'network unspec,'.

There are certain syscalls, such as socket(2), where the LSM hooks are
called before the protocol family is validated. In these cases, AppArmor
was emitting denials even though socket(2) will eventually fail. There
may be cases where AF_UNSPEC sockets are accepted and we need to make
sure that we're mediating those appropriately.

cherry-pick: r3376
Signed-off-by: Tyler Hicks <email address hidden>
Suggested-by: Steve Beattie <email address hidden>
Acked-by: John Johansen <email address hidden>
[cboltz: Add 'unspec' to the network domain keywords of the utils]

3405. By Steve Beattie on 2017-10-19

libapparmor: fix swig test_apparmor.py for zero length ptrace records
Merge from trunk revision 3715

The added testcase for a ptrace target with an empty string
(ptrace_garbage_lp1689667_1.in) was causing the swig python test script
to fail. The generated python swig record for libapparmor ends up
setting a number of fields to None or other values that indicate the
value is unset, and the test script was checking if the value in the
field didn't evaluate to False in a python 'if' test.

Unfortunately, python evaluates the empty string '' as False in 'if'
tests, resulting in the specific field that contained the empty string
to be dropped from the returned record. This commit fixes that by
special case checking for the empty string.

Signed-off-by: Steve Beattie <email address hidden>
Acked-by: John Johansen <email address hidden>

3404. By John Johansen on 2017-10-18

Fix af_unix downgrade of network rules

with unix rules we output a downgraded rule compatible with network rules
so that policy will work on kernels that support network socket controls
but not the extended af_unix rules

however this is currently broken if the socket type is left unspecified
(initialized to -1), resulting in denials for kernels that don't support
the extended af_unix rules.

cherry-pick: lp:apparmor r3700
Signed-off-by: John Johansen <email address hidden>
Acked-by: timeout

3403. By Christian Boltz on 2017-09-28

Allow /var/run/dovecot/login-master-notify* in dovecot imap-login profiles

Acked-by: Seth Arnold <email address hidden> for trunk, 2.11, 2.10 and 2.9.

3402. By Christian Boltz on 2017-09-12

Merge updated traceroute profile into 2.10 and 2.9 branch

References: https://bugzilla.opensuse.org/show_bug.cgi?id=1057900

------------------------------------------------------------
revno: 3690 [merge]
committer: Steve Beattie <email address hidden>
branch nick: apparmor
timestamp: Wed 2017-08-09 08:57:36 -0700
message:
  traceroute profile: support TCP SYN for probes, quite net_admin request

  Merge from Vincas Dargis, approved by intrigeri.
  fix traceroute denies in tcp mode

  Acked-by: Steve Beattie <email address hidden>
------------------------------------------------------------

Backport to 2.10 and 2.9 branch

Acked-by: Steve Beattie <email address hidden>
Acked-by: Seth Arnold <email address hidden>

3401. By Christian Boltz on 2017-09-10

abstractions/freedesktop.org: support /usr/local/applications; support subdirs of applications folder

Merge request by Cameron Norman 2015-06-07
https://code.launchpad.net/~cameronnemo/apparmor/abstraction-fdo-applications-fixups/+merge/261336

Acked-by: Christian Boltz <email address hidden> for trunk, 2.11, 2.10 and 2.9

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:apparmor/2.12
This branch contains Public information 
Everyone can see this information.