Merge lp:~apparmor-dev/apparmor/aa-2.8.95 into lp:~apparmor-dev/apparmor/apparmor-ubuntu-citrain

Proposed by Seth Arnold
Status: Superseded
Proposed branch: lp:~apparmor-dev/apparmor/aa-2.8.95
Merge into: lp:~apparmor-dev/apparmor/apparmor-ubuntu-citrain
Diff against target: 587 lines (+141/-203)
29 files modified
debian/apparmor.postinst (+1/-1)
debian/changelog (+6/-5)
debian/patches/0007-sanitized_helper_dbus_access.patch (+0/-21)
debian/patches/0008-libapparmor-adjust_symbol_map-more_invasive_version.patch (+0/-55)
debian/patches/0008-remove-ptrace.patch (+5/-0)
debian/patches/0009-convert-to-rules.patch (+5/-0)
debian/patches/0009-libapparmor2.patch (+0/-26)
debian/patches/0009-uservars-inc-use-system-support.patch (+0/-95)
debian/patches/0010-list-fns.patch (+6/-0)
debian/patches/0011-parse-mode.patch (+6/-0)
debian/patches/0012-add-decimal-interp.patch (+6/-0)
debian/patches/0013-policy_mediates.patch (+6/-0)
debian/patches/0014-fix-failpath.patch (+6/-0)
debian/patches/0015-feature_file.patch (+6/-0)
debian/patches/0016-fix-network.patch (+6/-0)
debian/patches/0017-aare-to-class.patch (+6/-0)
debian/patches/0018-add-mediation-unix.patch (+6/-0)
debian/patches/0019-parser_version.patch (+6/-0)
debian/patches/0020-caching.patch (+6/-0)
debian/patches/0021-label-class.patch (+6/-0)
debian/patches/0022-signal.patch (+6/-0)
debian/patches/0023-fix-lexer-debug.patch (+6/-0)
debian/patches/0024-ptrace.patch (+6/-0)
debian/patches/0025-use-diff-encode.patch (+6/-0)
debian/patches/0026-fix-serialize.patch (+6/-0)
debian/patches/0027-fix-af.patch (+5/-0)
debian/patches/0028-opt_arg.patch (+5/-0)
debian/patches/0029-tests-cond-dbus.patch (+6/-0)
debian/patches/0030-tests.diff (+6/-0)
To merge this branch: bzr merge lp:~apparmor-dev/apparmor/aa-2.8.95
Reviewer | Review Type | Date Requested | Status
Jamie Strandboge | | | Needs Fixing
Review via email: mp+210896@code.launchpad.net

This proposal has been superseded by a proposal from 2014-03-13.

Description of the change

This AppArmor merge is based on the "trunk" of the AppArmor upstream repository; because downstream consumers include a variety of package management systems where we have had trouble with -rc releases in the past, this is labeled 2.8.95 to be strictly less than 2.9 when that is eventually released. It has more in common with the forthcoming 2.9 than with the older 2.8.

This merge dropped many distro-patches which were upstreamed and adds several patches from upstream that are not yet in the repository, for functionalities highly desired for Ubuntu trusty.

> [TBD] Is your branch in sync with latest trunk (e.g. bzr pull lp:trunk -> no changes)

Yes, this pull was current as of 2014-03-11. Some upstream committers are not Ubuntu members nor Canonical employees, but all commits require sign-off from other upstream committers.

> Did you build your software in a clean sbuild/pbuilder chroot or ppa?

Yes, sbuild with schroot.

> Did you build your software in a clean sbuild/pbuilder chroot or ppa on armhf? (needed for TestPlan)

A build is currently queued in the security-private PPA.

> Has your component TestPlan been executed successfully on emulator/armhf Touch build (eg, one of N4, N10, N7 (either), Galaxy Nexus) and clean Ubuntu Desktop VM?

No; jdstrand has offered to test until other team members have a suitable environment configured.

> Has a 5 minute exploratory testing run been executed on an armhf Touch build (eg, one of N4, N10, N7 (either), Galaxy Nexus)?

No; jdstrand has offered to test until other team members have a suitable environment configured.

> If you changed the packaging (debian/), did you subscribe a core-dev to this MP?

jdstrand, a core-dev, will handle the merge proposal.

> What components might get impacted by your changes?

AppArmor confinement provides the basis for touch application confinement, LXC confinement, libvirt-managed kvm confinement, in addition to confining specific daemons, services, and programs. Nearly everything may be impacted by AppArmor.

> Have you requested review by the teams of these owning components?

No, it is not expected that others should be capable of reviewing these changes; both server team and touch teams are expecting the new features to be provided by this package.

Jamie Strandboge (jdstrand) wrote :

Thanks for the MP! Review based on this revision:

The mv -n is good at not clobbering, but it leaves the tempfile on disk. I think we want to do:
if [ ! -e /etc/apparmor.d/tunables/xdg-user-dirs.d/site.local ]; then
    tmp=`mktemp`
    ...
    mv -f "$tmp" /etc/apparmor.d/tunables/xdg-user-dirs.d/site.local
    chmod 644 /etc/apparmor.d/tunables/xdg-user-dirs.d/site.local
fi
;;

Version (2.8.95~2427-0ubuntu1~sarnold1) is not correct for trusty, but it is ok for now since we are going to build in a PPA. We can fix that later.

Missing the powerpc fix.

I don't see anything in debian/rules about no longer installing odt files.

review: Needs Fixing
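
The create-if-absent pattern suggested in the comment above, written out as an added example that is not part of the merge proposal or the AppArmor packaging. The function name install_if_absent and the temp-file template are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not AppArmor packaging code): install a default file only
# when the administrator has not already provided one, and never leave a
# temporary file behind.
#
# Intended use in a maintainer script (path taken from the page):
#   install_if_absent /etc/apparmor.d/tunables/xdg-user-dirs.d/site.local <<EOM
#   ...default content...
#   EOM

# install_if_absent DEST
#   Reads the default content from stdin and installs it at DEST with mode
#   0644 unless DEST already exists. Returns 0 when DEST exists afterwards.
install_if_absent() {
    dest=$1
    dir=$(dirname "$dest")

    # An existing file, or a symlink (even a dangling one), belongs to the
    # administrator: do not touch its content or its mode, and do not
    # create a temp file at all.
    if [ -e "$dest" ] || [ -L "$dest" ]; then
        return 0
    fi

    mkdir -p "$dir" || return 1

    # Create the temp file next to the destination so the final mv is a
    # rename within one filesystem rather than a copy.
    tmp=$(mktemp "$dir/.site.local.XXXXXX") || return 1

    # Set the mode before the rename so the file never appears under its
    # final name with mktemp's 0600 mode.
    if cat >"$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$dest"; then
        return 0
    fi

    # Any failure: remove the temp file instead of leaving it on disk.
    rm -f "$tmp"
    return 1
}
```

The existence test and the rename are two steps, which is acceptable in a postinst because the directory is writable only by root.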
Jamie Strandboge (jdstrand) wrote :

Oh, one more thing, the distribution name in debian/changelog should be UNRELEASED.

review: Needs Fixing
lp:~apparmor-dev/apparmor/aa-2.8.95 updated
1498. By Seth Arnold

Modified patches to remove numbers, they complicated quilt handling too
much.

  - add-chromium-browser.patch
  - add-debian-integration-to-lighttpd.patch
  - ubuntu-manpage-updates.patch
  - libapparmor-layout-deb.patch
  - libapparmor-mention-dbus-method-in-getcon-man.patch
  - etc-writable.patch
  - aa-utils_are_bilingual.patch
  - convert-to-rules.patch
  - list-fns.patch
  - parse-mode.patch
  - add-decimal-interp.patch
  - policy_mediates.patch
  - fix-failpath.patch
  - feature_file.patch
  - fix-network.patch
  - aare-to-class.patch
  - add-mediation-unix.patch
  - parser_version.patch
  - caching.patch
  - label-class.patch
  - fix-lexer-debug.patch
  - use-diff-encode.patch
  - fix-serialize.patch
  - fix-ppc-endian-ftbfs.patch
  - opt_arg.patch
  - tests-cond-dbus.patch

Preview Diff

1=== modified file 'debian/apparmor.postinst'
2--- debian/apparmor.postinst 2014-03-12 02:05:16 +0000
3+++ debian/apparmor.postinst 2014-03-13 20:23:16 +0000
4@@ -84,7 +84,7 @@
5 EOM
6
7 mkdir -p /etc/apparmor.d/tunables/xdg-user-dirs.d 2>/dev/null || true
8- mv -f "$tmp" /etc/apparmor.d/tunables/xdg-user-dirs.d/site.local
9+ mv -n "$tmp" /etc/apparmor.d/tunables/xdg-user-dirs.d/site.local
10 chmod 644 /etc/apparmor.d/tunables/xdg-user-dirs.d/site.local
11 ;;
12
13
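Review bot: With mv -n on the changed line, "$tmp" stays on disk whenever site.local already exists, and the chmod 644 on the following line still runs against the administrator's existing file and can undo a mode they set deliberately. Guard the whole block with a test that the destination does not exist, so the temp file creation, mv and chmod only run when the file is first created, or at minimum add rm -f "$tmp" after the mv.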
14=== modified file 'debian/changelog'
15--- debian/changelog 2014-03-12 02:05:16 +0000
16+++ debian/changelog 2014-03-13 20:23:16 +0000
17@@ -1,4 +1,4 @@
18-apparmor (2.8.95~2427-0ubuntu1) trusty; urgency=low
19+apparmor (2.8.95~2427-0ubuntu1~sarnold1) trusty; urgency=low
20
21 [ Jamie Strandboge ]
22
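Review bot: The version on the + line ends in ~sarnold1 while the distribution field still reads trusty. The suffix makes this version sort below 2.8.95~2427-0ubuntu1, which suits a PPA test build but not an archive upload; set the distribution to UNRELEASED while the branch is under review and drop the suffix before the real upload.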
23@@ -20,8 +20,8 @@
24 for the aa_query_label() function
25 - Raise exceptions in Python bindings when something fails
26 * ship new Python replacements for previous Perl-based tools
27- - debian/apparmor-utils.install: remove usr/share/perl5/Immunix/*.pm and add
28- usr/sbin/aa-autodep, usr/sbin/aa-cleanprof and usr/sbin/aa-mergeprof
29+ - debian/apparmor-utils.install: remove usr/share/perl5/Immunix/*.pm and
30+ add usr/sbin/aa-autodep, usr/sbin/aa-cleanprof and usr/sbin/aa-mergeprof
31 - debian/control:
32 + remove various Perl dependencies
33 + add python-apparmor and python3-apparmor
34@@ -35,7 +35,8 @@
35 and xdg-user-dirs tunables and xdg-user-dirs.d directory
36 * debian/apparmor.dirs:
37 - install /etc/apparmor.d/tunables/xdg-user-dirs.d
38- * debian/apparmor.postinst: create xdg-user-dirs.d
39+ * debian/rules: delete upstream-provided xdg-user-dirs.d/site.local
40+ * debian/apparmor.postinst: create xdg-user-dirs.d/site.local
41 * debian/apparmor.postrm: remove xdg-user-dirs.d
42 * Remaining patches:
43 - 0001-add-chromium-browser.patch
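Review bot: The added entry "debian/rules: delete upstream-provided xdg-user-dirs.d/site.local" has no matching debian/rules change in this diff, and debian/rules is not in the list of modified files. Confirm the deletion is already present in the target branch; if it is missing, the package ships site.local itself and the postinst entry on the next line no longer describes what happens on install.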
44@@ -82,7 +83,7 @@
45 - debian/apparmor.install: tunables/dovecot, tunables/kernelvars,
46 tunables/xdg-user-dirs, tunables/xdg-user-dirs.d
47
48- -- Seth Arnold <seth.arnold@canonical.com> Tue, 11 Mar 2014 16:39:06 -0700
49+ -- Seth Arnold <seth.arnold@canonical.com> Thu, 13 Mar 2014 12:30:09 -0700
50
51 apparmor (2.8.94-0ubuntu1.4) trusty; urgency=low
52
53
54=== removed file 'debian/patches/0007-sanitized_helper_dbus_access.patch'
55--- debian/patches/0007-sanitized_helper_dbus_access.patch 2014-03-12 02:05:16 +0000
56+++ debian/patches/0007-sanitized_helper_dbus_access.patch 1970-01-01 00:00:00 +0000
57@@ -1,21 +0,0 @@
58-Author: Jamie Strandboge <jamie@canonical.com>
59-Description: Allow applications run under sanitized_helper to connect to DBus
60-
61----
62- profiles/apparmor.d/abstractions/ubuntu-helpers | 3 +++
63- 1 file changed, 3 insertions(+)
64-
65-Index: b/profiles/apparmor.d/abstractions/ubuntu-helpers
66-===================================================================
67---- a/profiles/apparmor.d/abstractions/ubuntu-helpers
68-+++ b/profiles/apparmor.d/abstractions/ubuntu-helpers
69-@@ -41,6 +41,9 @@
70- # Allow all DBus communications
71- dbus,
72-
73-+ # Allow all DBus communications
74-+ dbus,
75-+
76- # Allow exec of anything, but under this profile. Allow transition
77- # to other profiles if they exist.
78- /bin/* Pixr,
79
80=== removed file 'debian/patches/0008-libapparmor-adjust_symbol_map-more_invasive_version.patch'
81--- debian/patches/0008-libapparmor-adjust_symbol_map-more_invasive_version.patch 2014-03-12 02:05:16 +0000
82+++ debian/patches/0008-libapparmor-adjust_symbol_map-more_invasive_version.patch 1970-01-01 00:00:00 +0000
83@@ -1,55 +0,0 @@
84-Signed-off-by: Steve Beattie <steve@nxnw.org>
85----
86- libraries/libapparmor/src/kernel_interface.c | 10 ++++++++--
87- libraries/libapparmor/src/libapparmor.map | 9 ++++++++-
88- 2 files changed, 16 insertions(+), 3 deletions(-)
89-
90-Index: b/libraries/libapparmor/src/libapparmor.map
91-===================================================================
92---- a/libraries/libapparmor/src/libapparmor.map
93-+++ b/libraries/libapparmor/src/libapparmor.map
94-@@ -1,4 +1,8 @@
95--#If you update this file please update the library version in Makefile.am
96-+# Please add new symbols in a section that corresponds to the upcoming
97-+# release version, adding a new section if necessary
98-+#
99-+# If you update this file please follow the instructions on library
100-+# versioning in Makefile.am
101-
102- IMMUNIX_1.0 {
103- global:
104-@@ -33,6 +37,9 @@ APPARMOR_1.1 {
105- free_record;
106- aa_getprocattr_raw;
107- aa_getprocattr;
108-+ aa_query_label;
109-+
110-+ # no more symbols here, please
111-
112- local:
113- *;
114-Index: b/libraries/libapparmor/src/kernel_interface.c
115-===================================================================
116---- a/libraries/libapparmor/src/kernel_interface.c
117-+++ b/libraries/libapparmor/src/kernel_interface.c
118-@@ -702,8 +702,8 @@ static void aafs_access_init_once(void)
119- * ENOENT, the subject label in the query string is unknown to the
120- * kernel.
121- */
122--int aa_query_label(uint32_t mask, char *query, size_t size, int *allowed,
123-- int *audited)
124-+int query_label(uint32_t mask, char *query, size_t size, int *allowed,
125-+ int *audited)
126- {
127- char buf[QUERY_LABEL_REPLY_LEN];
128- uint32_t allow, deny, audit, quiet;
129-@@ -770,3 +770,9 @@ int aa_query_label(uint32_t mask, char *
130-
131- return 0;
132- }
133-+
134-+/* export multiple aa_query_label symbols to compensate for downstream
135-+ * releases with differing symbol versions. */
136-+extern typeof((query_label)) __aa_query_label __attribute__((alias ("query_label")));
137-+symbol_version(__aa_query_label, aa_query_label, APPARMOR_1.1);
138-+default_symbol_version(query_label, aa_query_label, APPARMOR_3.0);
139
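Review bot: Dropping this patch removes the alias that exported aa_query_label under both APPARMOR_1.1 and APPARMOR_3.0, which its own comment says exists "to compensate for downstream releases with differing symbol versions". Confirm that the upstream source being merged still exports the APPARMOR_1.1 version of aa_query_label, for example by comparing objdump -T output of the old and new library, since binaries already linked against that version would otherwise fail to resolve the symbol.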
140=== modified file 'debian/patches/0008-remove-ptrace.patch'
141--- debian/patches/0008-remove-ptrace.patch 2014-03-12 02:05:16 +0000
142+++ debian/patches/0008-remove-ptrace.patch 2014-03-13 20:23:16 +0000
143@@ -1,3 +1,8 @@
144+Author: John Johansen <john.johansen@canonical.com>
145+Forwarded: Yes
146+Subject: Remove old, never-used, ptrace infrastructure from the parser
147+---
148+
149 It was never used, never supported, and we are doing it differently now.
150
151 Signed-off-by: John Johansen <john.johansen@canonical.com>
152
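Review bot: The added header ends with a "---" line placed before the existing description ("It was never used, never supported ..."), and DEP-3 parsers stop reading patch metadata at a line of three dashes, so the long description and the Signed-off-by fall outside the header. Move the "---" below the description or drop it. The same header layout repeats in the other debian/patches hunks of this diff. "Forwarded: Yes" would also be more useful as the URL or revision of the upstream submission.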
153=== modified file 'debian/patches/0009-convert-to-rules.patch'
154--- debian/patches/0009-convert-to-rules.patch 2014-03-12 02:05:16 +0000
155+++ debian/patches/0009-convert-to-rules.patch 2014-03-13 20:23:16 +0000
156@@ -1,3 +1,8 @@
157+Author: John Johansen <john.johansen@canonical.com>
158+Forwarded: Yes
159+Subject: Convert mount and dbus to be subclasses of a generic rule class
160+---
161+
162 This will simplify add new features as most of the code can reside in
163 its own class. There are still things to improve but its a start.
164
165
166=== removed file 'debian/patches/0009-libapparmor2.patch'
167--- debian/patches/0009-libapparmor2.patch 2014-03-12 02:05:16 +0000
168+++ debian/patches/0009-libapparmor2.patch 1970-01-01 00:00:00 +0000
169@@ -1,26 +0,0 @@
170-Subject: libapparmor1 -> libapparmor2 in autoconf
171-Author: Seth Arnold <seth.arnold@canonical.com>
172-
173-The library version has changed to 2:
174-
175-AA_LIB_CURRENT = 2
176-AA_LIB_REVISION = 0
177-AA_LIB_AGE = 0
178-
179----
180- libraries/libapparmor/configure.ac | 2 +-
181- 1 file changed, 1 insertion(+), 1 deletion(-)
182-
183-Index: b/libraries/libapparmor/configure.ac
184-===================================================================
185---- a/libraries/libapparmor/configure.ac
186-+++ b/libraries/libapparmor/configure.ac
187-@@ -5,7 +5,7 @@
188-
189- AC_INIT(configure.ac)
190-
191--AM_INIT_AUTOMAKE(libapparmor1, apparmor_version)
192-+AM_INIT_AUTOMAKE(libapparmor2, apparmor_version)
193-
194- AM_PROG_LEX
195- AC_PROG_YACC
196
197=== removed file 'debian/patches/0009-uservars-inc-use-system-support.patch'
198--- debian/patches/0009-uservars-inc-use-system-support.patch 2014-03-12 02:05:16 +0000
199+++ debian/patches/0009-uservars-inc-use-system-support.patch 1970-01-01 00:00:00 +0000
200@@ -1,95 +0,0 @@
201-Description: Modify regression tests to use USE_SYSTEM to also select parser
202-Author: Seth Arnold <seth.arnold@canonical.com>
203-
204----
205- tests/regression/apparmor/Makefile | 11 +++++++++--
206- tests/regression/apparmor/uservars.inc | 14 --------------
207- tests/regression/apparmor/uservars.inc.source | 14 ++++++++++++++
208- tests/regression/apparmor/uservars.inc.system | 14 ++++++++++++++
209- 4 files changed, 37 insertions(+), 16 deletions(-)
210-
211-Index: b/tests/regression/apparmor/Makefile
212-===================================================================
213---- a/tests/regression/apparmor/Makefile
214-+++ b/tests/regression/apparmor/Makefile
215-@@ -180,7 +180,14 @@
216- return 1 ; \
217- fi
218-
219--all: libapparmor_check $(EXEC) changehat.h
220-+all: libapparmor_check $(EXEC) changehat.h uservars.inc
221-+
222-+uservars.inc: uservars.inc.source uservars.inc.system
223-+ifdef USE_SYSTEM
224-+ mv uservars.inc.system uservars.inc
225-+else # !USE_SYSTEM
226-+ mv uservars.inc.source uservars.inc
227-+endif # USE_SYSTEM
228-
229- changehat_pthread: changehat_pthread.c changehat.h
230- ${CC} ${CFLAGS} ${LDFLAGS} $< -o $@ ${LDLIBS} -pthread
231-@@ -236,6 +243,6 @@
232- fi
233-
234- clean:
235-- rm -f $(EXEC) dbus_common.o
236-+ rm -f $(EXEC) dbus_common.o uservars.inc
237-
238- regex.sh: open exec
239-Index: b/tests/regression/apparmor/uservars.inc.source
240-===================================================================
241---- /dev/null
242-+++ b/tests/regression/apparmor/uservars.inc.source
243-@@ -0,0 +1,14 @@
244-+# 1. Path to apparmor parser
245-+subdomain=${PWD}/../../../parser/apparmor_parser
246-+#subdomain=/sbin/apparmor_parser
247-+
248-+# 2. additional arguments to the apparmor parser
249-+parser_args="-q -K"
250-+
251-+# 3. directory to be used for temp files
252-+# Need to be able to access this directory by the root and nobody users.
253-+tmpdir=/tmp/sdtest.$$-$RANDOM
254-+
255-+
256-+# 4. Location of load system profiles for verification
257-+sys_profiles=/sys/kernel/security/apparmor/profiles
258-Index: b/tests/regression/apparmor/uservars.inc.system
259-===================================================================
260---- /dev/null
261-+++ b/tests/regression/apparmor/uservars.inc.system
262-@@ -0,0 +1,14 @@
263-+# 1. Path to apparmor parser
264-+#subdomain=${PWD}/../../../parser/apparmor_parser
265-+subdomain=/sbin/apparmor_parser
266-+
267-+# 2. additional arguments to the apparmor parser
268-+parser_args="-q -K"
269-+
270-+# 3. directory to be used for temp files
271-+# Need to be able to access this directory by the root and nobody users.
272-+tmpdir=/tmp/sdtest.$$-$RANDOM
273-+
274-+
275-+# 4. Location of load system profiles for verification
276-+sys_profiles=/sys/kernel/security/apparmor/profiles
277-Index: b/tests/regression/apparmor/uservars.inc
278-===================================================================
279---- a/tests/regression/apparmor/uservars.inc
280-+++ /dev/null
281-@@ -1,14 +0,0 @@
282--# 1. Path to apparmor parser
283--subdomain=${PWD}/../../../parser/apparmor_parser
284--#subdomain=/sbin/apparmor_parser
285--
286--# 2. additional arguments to the apparmor parser
287--parser_args="-q -K"
288--
289--# 3. directory to be used for temp files
290--# Need to be able to access this directory by the root and nobody users.
291--tmpdir=/tmp/sdtest.$$-$RANDOM
292--
293--
294--# 4. Location of load system profiles for verification
295--sys_profiles=/sys/kernel/security/apparmor/profiles
296
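Review bot: The removed Makefile rule is what made the regression tests honour USE_SYSTEM by installing uservars.inc.system, whose subdomain setting points at /sbin/apparmor_parser. Confirm that the merged upstream test Makefile provides an equivalent switch; without one, tests meant to validate the installed package run against the in-tree parser path from uservars.inc.source instead.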
297=== modified file 'debian/patches/0010-list-fns.patch'
298--- debian/patches/0010-list-fns.patch 2014-03-12 02:05:16 +0000
299+++ debian/patches/0010-list-fns.patch 2014-03-13 20:23:16 +0000
300@@ -1,3 +1,9 @@
301+Author: John Johansen <john.johansen@canonical.com>
302+Forwarded: Yes
303+Subject: cleanup the list fns and use a little bit.
304+
305+---
306+
307 Yes its seems pointless because these will eventually get replaced by
308 stl. But until then
309
310
311=== modified file 'debian/patches/0011-parse-mode.patch'
312--- debian/patches/0011-parse-mode.patch 2014-03-12 02:05:16 +0000
313+++ debian/patches/0011-parse-mode.patch 2014-03-13 20:23:16 +0000
314@@ -1,3 +1,9 @@
315+Author: John Johansen <john.johansen@canonical.com>
316+Forwarded: Yes
317+Subject: make the parse_sub_mode code more generic
318+
319+---
320+
321 Make it more generic so that it can be shared with signals.
322
323 Signed-off-by: John Johansen <john.johansen@canonical.com>
324
325=== modified file 'debian/patches/0012-add-decimal-interp.patch'
326--- debian/patches/0012-add-decimal-interp.patch 2014-03-12 02:05:16 +0000
327+++ debian/patches/0012-add-decimal-interp.patch 2014-03-13 20:23:16 +0000
328@@ -1,3 +1,9 @@
329+Author: John Johansen <john.johansen@canonical.com>
330+Forwarded: Yes
331+Subject: cleanup/fix escape sequences in the backend and add support for \d
332+
333+---
334+
335 the octal escape sequence was broken, so that short escapes \0, \00 \xa,
336 didn't work and actually resulted in some encoding bugs.
337
338
339=== modified file 'debian/patches/0013-policy_mediates.patch'
340--- debian/patches/0013-policy_mediates.patch 2014-03-12 02:05:16 +0000
341+++ debian/patches/0013-policy_mediates.patch 2014-03-13 20:23:16 +0000
342@@ -1,3 +1,9 @@
343+Author: John Johansen <john.johansen@canonical.com>
344+Forwarded: Yes
345+Subject: Add stub rules to indicate compilation support for given features.
346+
347+---
348+
349 Policy enforcement needs to be able to support older userspaces and
350 compilers that don't know about new features. The absence of a feature
351 in the policydb indicates that feature mediation is not present for
352
353=== modified file 'debian/patches/0014-fix-failpath.patch'
354--- debian/patches/0014-fix-failpath.patch 2014-03-12 02:05:16 +0000
355+++ debian/patches/0014-fix-failpath.patch 2014-03-13 20:23:16 +0000
356@@ -1,3 +1,9 @@
357+Author: John Johansen <john.johansen@canonical.com>
358+Forwarded: Yes
359+Subject: fix failure paths around policy that can result in a crash
360+
361+---
362+
363 Signed-off-by: John Johansen <john.johansen@canonical.com>
364
365 ---
366
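Review bot: The Subject added here says the patch fixes failure paths "that can result in a crash", but neither the new header nor the existing body (only a Signed-off-by) says which paths are affected or references a bug. Add a Bug or Bug-Ubuntu field, or a one-line description, so the fix can be tracked and assessed for backporting. The header's "---" followed by the existing "---" three lines later also leaves two separators in the file.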
367=== modified file 'debian/patches/0015-feature_file.patch'
368--- debian/patches/0015-feature_file.patch 2014-03-12 02:05:16 +0000
369+++ debian/patches/0015-feature_file.patch 2014-03-13 20:23:16 +0000
370@@ -1,3 +1,9 @@
371+Author: John Johansen <john.johansen@canonical.com>
372+Forwarded: Yes
373+Subject: Hack rework of the feature/match file support
374+
375+---
376+
377 This is not the cleanup this code needs, but a quick hack to add the
378 -M flag so we can specify a feature file (or directory) to use for
379 the compile.
380
381=== modified file 'debian/patches/0016-fix-network.patch'
382--- debian/patches/0016-fix-network.patch 2014-03-12 02:05:16 +0000
383+++ debian/patches/0016-fix-network.patch 2014-03-13 20:23:16 +0000
384@@ -1,3 +1,9 @@
385+Author: John Johansen <john.johansen@canonical.com>
386+Forwarded: Yes
387+Subject: fix: network detection
388+
389+---
390+
391 The features file patch broke detection of network support.
392
393 Signed-off-by: John Johansen <john.johansen@canonical.com>
394
395=== modified file 'debian/patches/0017-aare-to-class.patch'
396--- debian/patches/0017-aare-to-class.patch 2014-03-12 02:05:16 +0000
397+++ debian/patches/0017-aare-to-class.patch 2014-03-13 20:23:16 +0000
398@@ -1,3 +1,9 @@
399+Author: John Johansen <john.johansen@canonical.com>
400+Forwarded: Yes
401+Subject: Convert aare_rules into a class
402+
403+---
404+
405 This cleans things up a bit and fixes a bug where not all rules are
406 getting properly counted so that the addition of policy_mediation
407 rules fails to generate the policy dfa in some cases.
408
409=== modified file 'debian/patches/0018-add-mediation-unix.patch'
410--- debian/patches/0018-add-mediation-unix.patch 2014-03-12 02:05:16 +0000
411+++ debian/patches/0018-add-mediation-unix.patch 2014-03-13 20:23:16 +0000
412@@ -1,3 +1,9 @@
413+Author: John Johansen <john.johansen@canonical.com>
414+Forwarded: Yes
415+Subject: Add tag indicating file policy is mediated.
416+
417+---
418+
419 Tag start of entries in the policydb as being mediated. This makes
420 the start state for any class being mediated be none 0. The kernel
421 can detect this to determine whether the parser expected mediation
422
423=== modified file 'debian/patches/0019-parser_version.patch'
424--- debian/patches/0019-parser_version.patch 2014-03-12 02:05:16 +0000
425+++ debian/patches/0019-parser_version.patch 2014-03-13 20:23:16 +0000
426@@ -1,3 +1,9 @@
427+Author: John Johansen <john.johansen@canonical.com>
428+Forwarded: Yes
429+Subject: Add the ability to separate policy_version from kernel and parser abi
430+
431+---
432+
433 This will allow for the parser to invalidate its caches separate of whether
434 the kernel policy version has changed. This can be desirable if a parser
435 bug is discovered, a new version the parser is shipped and we need to
436
437=== modified file 'debian/patches/0020-caching.patch'
438--- debian/patches/0020-caching.patch 2014-03-12 02:05:16 +0000
439+++ debian/patches/0020-caching.patch 2014-03-13 20:23:16 +0000
440@@ -1,3 +1,9 @@
441+Author: John Johansen <john.johansen@canonical.com>
442+Forwarded: Yes
443+Subject: Dont use the parser time stamp to determine if policy is newer.
444+
445+---
446+
447 Using the parser timestamp was a work around to force recompilation of
448 policy that was built with a buggy parser. There are better ways to
449 handle this so remove checking of the parser timestamp.
450
451=== modified file 'debian/patches/0021-label-class.patch'
452--- debian/patches/0021-label-class.patch 2014-03-12 02:05:16 +0000
453+++ debian/patches/0021-label-class.patch 2014-03-13 20:23:16 +0000
454@@ -1,3 +1,9 @@
455+Author: John Johansen <john.johansen@canonical.com>
456+Forwarded: Yes
457+Subject: add label class to the policydb
458+
459+---
460+
461 The label class is used to lookup object permissions based off of label
462 alone when the labeling is not path dependent.
463
464
465=== modified file 'debian/patches/0022-signal.patch'
466--- debian/patches/0022-signal.patch 2014-03-12 02:05:16 +0000
467+++ debian/patches/0022-signal.patch 2014-03-13 20:23:16 +0000
468@@ -1,3 +1,9 @@
469+Author: John Johansen <john.johansen@canonical.com>
470+Forwarded: Yes
471+Subject: Add the ability to mediate signals.
472+
473+---
474+
475 Add signal rules and make sure the parser encodes support for them
476 if the supported feature set reports supporting them.
477
478
479=== modified file 'debian/patches/0023-fix-lexer-debug.patch'
480--- debian/patches/0023-fix-lexer-debug.patch 2014-03-12 02:05:16 +0000
481+++ debian/patches/0023-fix-lexer-debug.patch 2014-03-13 20:23:16 +0000
482@@ -1,3 +1,9 @@
483+Author: John Johansen <john.johansen@canonical.com>
484+Forwarded: Yes
485+Subject: A few fixes/improvements to the lexer debug output
486+
487+---
488+
489 Signed-off-by: John Johansen <john.johansen@canonical.com>
490 ---
491 parser/parser_lex.l | 19 +++++++++----------
492
493=== modified file 'debian/patches/0024-ptrace.patch'
494--- debian/patches/0024-ptrace.patch 2014-03-12 02:05:16 +0000
495+++ debian/patches/0024-ptrace.patch 2014-03-13 20:23:16 +0000
496@@ -1,3 +1,9 @@
497+Author: John Johansen <john.johansen@canonical.com>
498+Forwarded: Yes
499+Subject: Add the ability to specify ptrace rules
500+
501+---
502+
503 ptrace rules currently take the form of
504
505 ptrace [<ptrace_perms>] [<peer_profile_name>],
506
507=== modified file 'debian/patches/0025-use-diff-encode.patch'
508--- debian/patches/0025-use-diff-encode.patch 2014-03-12 02:05:16 +0000
509+++ debian/patches/0025-use-diff-encode.patch 2014-03-13 20:23:16 +0000
510@@ -1,3 +1,9 @@
511+Author: John Johansen <john.johansen@canonical.com>
512+Forwarded: Yes
513+Subject: Turn on diff-encoding if the kernel supports it
514+
515+---
516+
517 Signed-off-by: John Johansen <john.johansen@canonical.com>
518 ---
519 parser/parser.h | 1 +
520
521=== modified file 'debian/patches/0026-fix-serialize.patch'
522--- debian/patches/0026-fix-serialize.patch 2014-03-12 02:05:16 +0000
523+++ debian/patches/0026-fix-serialize.patch 2014-03-13 20:23:16 +0000
524@@ -1,3 +1,9 @@
525+Author: John Johansen <john.johansen@canonical.com>
526+Forwarded: Yes
527+Subject: Move buffer management for the interface to C++ ostringstream class
528+
529+---
530+
531 Signed-off-by: John Johansen <john.johansen@canonical.com>
532 ---
533 parser/parser.h | 5
534
535=== modified file 'debian/patches/0027-fix-af.patch'
536--- debian/patches/0027-fix-af.patch 2014-03-12 02:05:16 +0000
537+++ debian/patches/0027-fix-af.patch 2014-03-13 20:23:16 +0000
538@@ -1,3 +1,8 @@
539+Author: John Johansen <john.johansen@canonical.com>
540+Forwarded: Yes
541+Subject: Don't mediate AF_UNSPEC address family
542+---
543+
544 ---
545 common/Make.rules | 2 +-
546 1 file changed, 1 insertion(+), 1 deletion(-)
547
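Review bot: The Subject "Don't mediate AF_UNSPEC address family" describes a change in what policy covers, yet the patch carries no description body: the added "---" is followed directly by the existing "---" and a diffstat that touches only common/Make.rules. Add a sentence explaining why AF_UNSPEC is excluded and how the Make.rules change achieves it, and drop the duplicated separator.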
548=== modified file 'debian/patches/0028-opt_arg.patch'
549--- debian/patches/0028-opt_arg.patch 2014-03-12 02:05:16 +0000
550+++ debian/patches/0028-opt_arg.patch 2014-03-13 20:23:16 +0000
551@@ -1,3 +1,8 @@
552+Author: John Johansen <john.johansen@canonical.com>
553+Forwarded: Yes
554+Subject: Split flag handling into a separate file
555+---
556+
557 Signed-off-by: John Johansen <john.johansen@canonical.com>
558
559 ----
560
561=== modified file 'debian/patches/0029-tests-cond-dbus.patch'
562--- debian/patches/0029-tests-cond-dbus.patch 2014-03-12 02:05:16 +0000
563+++ debian/patches/0029-tests-cond-dbus.patch 2014-03-13 20:23:16 +0000
564@@ -1,3 +1,9 @@
565+Author: John Johansen <john.johansen@canonical.com>
566+Forwarded: Yes
567+Subject: Make dbus tests be conditionally run based on pkg-config
568+
569+---
570+
571 The addition of the dbus tests requires dbus dev libraries be installed
572 to run the test suite. This is not always desirable or even possible.
573
574
575=== modified file 'debian/patches/0030-tests.diff'
576--- debian/patches/0030-tests.diff 2014-03-12 02:05:16 +0000
577+++ debian/patches/0030-tests.diff 2014-03-13 20:23:16 +0000
578@@ -1,3 +1,9 @@
579+Author: John Johansen <john.johansen@canonical.com>
580+Forwarded: Yes
581+Subject: Update the regression tests for v6 policy
582+
583+---
584+
585 Sorry this mashes several things together that should be separate
586 patches, but I am not going to spend the time to pull them apart
587 atm.
