Merge lp:~apparmor-dev/apparmor/aa-2.8.95 into lp:~apparmor-dev/apparmor/apparmor-ubuntu-citrain

Proposed by Seth Arnold
Status: Superseded
Proposed branch: lp:~apparmor-dev/apparmor/aa-2.8.95
Merge into: lp:~apparmor-dev/apparmor/apparmor-ubuntu-citrain
Diff against target: 587 lines (+141/-203)
29 files modified
debian/apparmor.postinst (+1/-1)
debian/changelog (+6/-5)
debian/patches/0007-sanitized_helper_dbus_access.patch (+0/-21)
debian/patches/0008-libapparmor-adjust_symbol_map-more_invasive_version.patch (+0/-55)
debian/patches/0008-remove-ptrace.patch (+5/-0)
debian/patches/0009-convert-to-rules.patch (+5/-0)
debian/patches/0009-libapparmor2.patch (+0/-26)
debian/patches/0009-uservars-inc-use-system-support.patch (+0/-95)
debian/patches/0010-list-fns.patch (+6/-0)
debian/patches/0011-parse-mode.patch (+6/-0)
debian/patches/0012-add-decimal-interp.patch (+6/-0)
debian/patches/0013-policy_mediates.patch (+6/-0)
debian/patches/0014-fix-failpath.patch (+6/-0)
debian/patches/0015-feature_file.patch (+6/-0)
debian/patches/0016-fix-network.patch (+6/-0)
debian/patches/0017-aare-to-class.patch (+6/-0)
debian/patches/0018-add-mediation-unix.patch (+6/-0)
debian/patches/0019-parser_version.patch (+6/-0)
debian/patches/0020-caching.patch (+6/-0)
debian/patches/0021-label-class.patch (+6/-0)
debian/patches/0022-signal.patch (+6/-0)
debian/patches/0023-fix-lexer-debug.patch (+6/-0)
debian/patches/0024-ptrace.patch (+6/-0)
debian/patches/0025-use-diff-encode.patch (+6/-0)
debian/patches/0026-fix-serialize.patch (+6/-0)
debian/patches/0027-fix-af.patch (+5/-0)
debian/patches/0028-opt_arg.patch (+5/-0)
debian/patches/0029-tests-cond-dbus.patch (+6/-0)
debian/patches/0030-tests.diff (+6/-0)
To merge this branch: bzr merge lp:~apparmor-dev/apparmor/aa-2.8.95
Reviewer Review Type Date Requested Status
Jamie Strandboge Needs Fixing
Review via email: mp+210896@code.launchpad.net

This proposal has been superseded by a proposal from 2014-03-13.

Description of the change

This AppArmor merge is based on the "trunk" of the AppArmor upstream repository; because downstream consumers include a variety of package management systems where we have had trouble with -rc releases in the past, this is labeled 2.8.95 to be strictly less than 2.9 when that is eventually released. It is more in common with the forthcoming 2.9 than with the older 2.8.

This merge dropped many distro-patches which were upstreamed and adds several patches from upstream that are not yet in the repository, for functionalities highly desired for Ubuntu trusty.

> [TBD] Is your branch in sync with latest trunk (e.g. bzr pull lp:trunk -> no changes)

Yes, this pull was current as of 2014-03-11. Some upstream committers are not Ubuntu members nor Canonical employees, but all commits require sign-off from other upstream committers.

> Did you build your software in a clean sbuild/pbuilder chroot or ppa?

Yes, sbuild with schroot.

> Did you build your software in a clean sbuild/pbuilder chroot or ppa on armhf? (needed for TestPlan)

A build is currently queued in the security-private PPA.

> Has your component TestPlan been executed successfully on emulator/armhf Touch build (eg, one of N4, N10, N7 (either), Galaxy Nexus) and clean Ubuntu Desktop VM?

No; jdstrand has offered to test until other team members have a suitable environment configured.

> Has a 5 minute exploratory testing run been executed on an armhf Touch build (eg, one of N4, N10, N7 (either), Galaxy Nexus)?

No; jdstrand has offered to test until other team members have a suitable environment configured.

> If you changed the packaging (debian/), did you subscribe a core-dev to this MP?

jdstrand, a core-dev, will handle the merge proposal.

> What components might get impacted by your changes?

AppArmor confinement provides the basis for touch application confinement, LXC confinement, libvirt-managed kvm confinement, in addition to confining specific daemons, services, and programs. Nearly everything may be impacted by AppArmor.

> Have you requested review by the teams of these owning components?

No, it is not expected that others should be capable of reviewing these changes; both server team and touch teams are expecting the new features to be provided by this package.

Jamie Strandboge (jdstrand) wrote :

Thanks for the MP! Review based on this revision:

The mv -n is good at not clobbering, but it leaves the tempfile on disk. I think we want to do:
if [ ! -e /etc/apparmor.d/tunables/xdg-user-dirs.d/site.local ]; then
    tmp=`mktemp`
    ...
    mv -f "$tmp" /etc/apparmor.d/tunables/xdg-user-dirs.d/site.local
    chmod 644 /etc/apparmor.d/tunables/xdg-user-dirs.d/site.local
fi
;;

Version (2.8.95~2427-0ubuntu1~sarnold1) is not correct for trusty, but it is ok for now since we are going to build in a PPA. We can fix that later.

Missing the powerpc fix.

I don't see anything in debian/rules about no longer installing odt files.

review: Needs Fixing
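
The difference between the `mv -n` behaviour discussed in this review and the guarded form it proposes, shown as an added example that is not part of the original comment or of the package's postinst. The function names, the generated file content and the scratch directory used in place of /etc/apparmor.d are assumptions.

```shell
#!/bin/sh
# Added illustration: everything runs in a scratch directory, never in /etc.

# Behaviour under review: mv -n refuses to overwrite an existing target,
# so the temp file stays on disk, and chmod still touches the existing file.
install_with_mv_n() {
    target=$1
    tmp=$(mktemp "${target%/*}/site.local.XXXXXX") || return 1
    printf '# generated defaults\n' > "$tmp"
    # Tolerate either exit status when mv skips the move.
    mv -n "$tmp" "$target" || true
    chmod 644 "$target"
}

# Guarded form: generate the file only when it is absent, set the mode on
# the temp file, then move it into place. An existing file is never touched.
install_if_absent() {
    target=$1
    if [ -e "$target" ]; then
        return 0
    fi
    tmp=$(mktemp "${target%/*}/site.local.XXXXXX") || return 1
    printf '# generated defaults\n' > "$tmp"
    chmod 644 "$tmp"
    mv -f "$tmp" "$target"
}

# Helpers used to inspect the result.
count_files() { ls -A "$1" | wc -l | tr -d ' '; }
mode_of() { ls -ld "$1" | cut -c1-10; }

# Demonstration on a constructed directory holding an administrator-edited file.
demo_dir=$(mktemp -d)
printf 'admin edit\n' > "$demo_dir/site.local"
chmod 600 "$demo_dir/site.local"
install_with_mv_n "$demo_dir/site.local"
echo "mv -n:  $(count_files "$demo_dir") files, mode $(mode_of "$demo_dir/site.local")"
rm -rf "$demo_dir"

demo_dir=$(mktemp -d)
printf 'admin edit\n' > "$demo_dir/site.local"
chmod 600 "$demo_dir/site.local"
install_if_absent "$demo_dir/site.local"
echo "guarded: $(count_files "$demo_dir") files, mode $(mode_of "$demo_dir/site.local")"
rm -rf "$demo_dir"
```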
Jamie Strandboge (jdstrand) wrote :

Oh, one more thing, the distribution name in debian/changelog should be UNRELEASED.

review: Needs Fixing
lp:~apparmor-dev/apparmor/aa-2.8.95 updated
1498. By Seth Arnold

Modified patches to remove numbers, they complicated quilt handling too
much.

  - add-chromium-browser.patch
  - add-debian-integration-to-lighttpd.patch
  - ubuntu-manpage-updates.patch
  - libapparmor-layout-deb.patch
  - libapparmor-mention-dbus-method-in-getcon-man.patch
  - etc-writable.patch
  - aa-utils_are_bilingual.patch
  - convert-to-rules.patch
  - list-fns.patch
  - parse-mode.patch
  - add-decimal-interp.patch
  - policy_mediates.patch
  - fix-failpath.patch
  - feature_file.patch
  - fix-network.patch
  - aare-to-class.patch
  - add-mediation-unix.patch
  - parser_version.patch
  - caching.patch
  - label-class.patch
  - fix-lexer-debug.patch
  - use-diff-encode.patch
  - fix-serialize.patch
  - fix-ppc-endian-ftbfs.patch
  - opt_arg.patch
  - tests-cond-dbus.patch

Preview Diff

=== modified file 'debian/apparmor.postinst'
--- debian/apparmor.postinst 2014-03-12 02:05:16 +0000
+++ debian/apparmor.postinst 2014-03-13 20:23:16 +0000
@@ -84,7 +84,7 @@
84EOM84EOM
8585
86 mkdir -p /etc/apparmor.d/tunables/xdg-user-dirs.d 2>/dev/null || true86 mkdir -p /etc/apparmor.d/tunables/xdg-user-dirs.d 2>/dev/null || true
87 mv -f "$tmp" /etc/apparmor.d/tunables/xdg-user-dirs.d/site.local87 mv -n "$tmp" /etc/apparmor.d/tunables/xdg-user-dirs.d/site.local
88 chmod 644 /etc/apparmor.d/tunables/xdg-user-dirs.d/site.local88 chmod 644 /etc/apparmor.d/tunables/xdg-user-dirs.d/site.local
89 ;;89 ;;
9090
9191
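Review bot: at new line 87, `mv -n` skips the move when site.local already exists, so the file behind "$tmp" is left on disk, and the `chmod 644` on line 88 still runs against the administrator's existing file. Wrap the generate, move and chmod steps in `if [ ! -e /etc/apparmor.d/tunables/xdg-user-dirs.d/site.local ]`, or at least `rm -f "$tmp"` after the move, so an existing file is left untouched and no temp file remains.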
=== modified file 'debian/changelog'
--- debian/changelog 2014-03-12 02:05:16 +0000
+++ debian/changelog 2014-03-13 20:23:16 +0000
@@ -1,4 +1,4 @@
1apparmor (2.8.95~2427-0ubuntu1) trusty; urgency=low1apparmor (2.8.95~2427-0ubuntu1~sarnold1) trusty; urgency=low
22
3 [ Jamie Strandboge ]3 [ Jamie Strandboge ]
44
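Review bot: line 1 pairs the `~sarnold1` version suffix with the `trusty` distribution. `2.8.95~2427-0ubuntu1~sarnold1` sorts before `2.8.95~2427-0ubuntu1`, which suits a PPA test build but not an archive upload; set the distribution to `UNRELEASED` while the branch is under review and drop the suffix before the final upload.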
@@ -20,8 +20,8 @@
20 for the aa_query_label() function20 for the aa_query_label() function
21 - Raise exceptions in Python bindings when something fails21 - Raise exceptions in Python bindings when something fails
22 * ship new Python replacements for previous Perl-based tools22 * ship new Python replacements for previous Perl-based tools
23 - debian/apparmor-utils.install: remove usr/share/perl5/Immunix/*.pm and add23 - debian/apparmor-utils.install: remove usr/share/perl5/Immunix/*.pm and
24 usr/sbin/aa-autodep, usr/sbin/aa-cleanprof and usr/sbin/aa-mergeprof24 add usr/sbin/aa-autodep, usr/sbin/aa-cleanprof and usr/sbin/aa-mergeprof
25 - debian/control:25 - debian/control:
26 + remove various Perl dependencies26 + remove various Perl dependencies
27 + add python-apparmor and python3-apparmor27 + add python-apparmor and python3-apparmor
@@ -35,7 +35,8 @@
35 and xdg-user-dirs tunables and xdg-user-dirs.d directory35 and xdg-user-dirs tunables and xdg-user-dirs.d directory
36 * debian/apparmor.dirs:36 * debian/apparmor.dirs:
37 - install /etc/apparmor.d/tunables/xdg-user-dirs.d37 - install /etc/apparmor.d/tunables/xdg-user-dirs.d
38 * debian/apparmor.postinst: create xdg-user-dirs.d38 * debian/rules: delete upstream-provided xdg-user-dirs.d/site.local
39 * debian/apparmor.postinst: create xdg-user-dirs.d/site.local
39 * debian/apparmor.postrm: remove xdg-user-dirs.d40 * debian/apparmor.postrm: remove xdg-user-dirs.d
40 * Remaining patches:41 * Remaining patches:
41 - 0001-add-chromium-browser.patch42 - 0001-add-chromium-browser.patch
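Review bot: new line 38 records a debian/rules change (deleting the upstream-provided xdg-user-dirs.d/site.local), but debian/rules is not among the files this diff modifies. Confirm the rule is already present in the target branch; otherwise the package would still ship the upstream site.local that postinst is meant to create.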
@@ -82,7 +83,7 @@
82 - debian/apparmor.install: tunables/dovecot, tunables/kernelvars,83 - debian/apparmor.install: tunables/dovecot, tunables/kernelvars,
83 tunables/xdg-user-dirs, tunables/xdg-user-dirs.d84 tunables/xdg-user-dirs, tunables/xdg-user-dirs.d
8485
85 -- Seth Arnold <seth.arnold@canonical.com> Tue, 11 Mar 2014 16:39:06 -070086 -- Seth Arnold <seth.arnold@canonical.com> Thu, 13 Mar 2014 12:30:09 -0700
8687
87apparmor (2.8.94-0ubuntu1.4) trusty; urgency=low88apparmor (2.8.94-0ubuntu1.4) trusty; urgency=low
8889
8990
=== removed file 'debian/patches/0007-sanitized_helper_dbus_access.patch'
--- debian/patches/0007-sanitized_helper_dbus_access.patch 2014-03-12 02:05:16 +0000
+++ debian/patches/0007-sanitized_helper_dbus_access.patch 1970-01-01 00:00:00 +0000
@@ -1,21 +0,0 @@
1Author: Jamie Strandboge <jamie@canonical.com>
2Description: Allow applications run under sanitized_helper to connect to DBus
3
4---
5 profiles/apparmor.d/abstractions/ubuntu-helpers | 3 +++
6 1 file changed, 3 insertions(+)
7
8Index: b/profiles/apparmor.d/abstractions/ubuntu-helpers
9===================================================================
10--- a/profiles/apparmor.d/abstractions/ubuntu-helpers
11+++ b/profiles/apparmor.d/abstractions/ubuntu-helpers
12@@ -41,6 +41,9 @@
13 # Allow all DBus communications
14 dbus,
15
16+ # Allow all DBus communications
17+ dbus,
18+
19 # Allow exec of anything, but under this profile. Allow transition
20 # to other profiles if they exist.
21 /bin/* Pixr,
220
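Review bot: the `dbus,` rule this patch adds at lines 16-17 duplicates the context already shown at lines 13-14, so dropping it is right, but the drop is not recorded in the visible debian/changelog hunks and debian/patches/series is not part of this diff. Add a dropped-patch entry to the changelog and check that series no longer references the file.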
=== removed file 'debian/patches/0008-libapparmor-adjust_symbol_map-more_invasive_version.patch'
--- debian/patches/0008-libapparmor-adjust_symbol_map-more_invasive_version.patch 2014-03-12 02:05:16 +0000
+++ debian/patches/0008-libapparmor-adjust_symbol_map-more_invasive_version.patch 1970-01-01 00:00:00 +0000
@@ -1,55 +0,0 @@
1Signed-off-by: Steve Beattie <steve@nxnw.org>
2---
3 libraries/libapparmor/src/kernel_interface.c | 10 ++++++++--
4 libraries/libapparmor/src/libapparmor.map | 9 ++++++++-
5 2 files changed, 16 insertions(+), 3 deletions(-)
6
7Index: b/libraries/libapparmor/src/libapparmor.map
8===================================================================
9--- a/libraries/libapparmor/src/libapparmor.map
10+++ b/libraries/libapparmor/src/libapparmor.map
11@@ -1,4 +1,8 @@
12-#If you update this file please update the library version in Makefile.am
13+# Please add new symbols in a section that corresponds to the upcoming
14+# release version, adding a new section if necessary
15+#
16+# If you update this file please follow the instructions on library
17+# versioning in Makefile.am
18
19 IMMUNIX_1.0 {
20 global:
21@@ -33,6 +37,9 @@ APPARMOR_1.1 {
22 free_record;
23 aa_getprocattr_raw;
24 aa_getprocattr;
25+ aa_query_label;
26+
27+ # no more symbols here, please
28
29 local:
30 *;
31Index: b/libraries/libapparmor/src/kernel_interface.c
32===================================================================
33--- a/libraries/libapparmor/src/kernel_interface.c
34+++ b/libraries/libapparmor/src/kernel_interface.c
35@@ -702,8 +702,8 @@ static void aafs_access_init_once(void)
36 * ENOENT, the subject label in the query string is unknown to the
37 * kernel.
38 */
39-int aa_query_label(uint32_t mask, char *query, size_t size, int *allowed,
40- int *audited)
41+int query_label(uint32_t mask, char *query, size_t size, int *allowed,
42+ int *audited)
43 {
44 char buf[QUERY_LABEL_REPLY_LEN];
45 uint32_t allow, deny, audit, quiet;
46@@ -770,3 +770,9 @@ int aa_query_label(uint32_t mask, char *
47
48 return 0;
49 }
50+
51+/* export multiple aa_query_label symbols to compensate for downstream
52+ * releases with differing symbol versions. */
53+extern typeof((query_label)) __aa_query_label __attribute__((alias ("query_label")));
54+symbol_version(__aa_query_label, aa_query_label, APPARMOR_1.1);
55+default_symbol_version(query_label, aa_query_label, APPARMOR_3.0);
560
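Review bot: removing this patch drops the alias at lines 53-55 that exported `aa_query_label` under both `APPARMOR_1.1` and the default version, which the comment at lines 51-52 says exists to cover downstream releases with differing symbol versions. Binaries built against an earlier Ubuntu libapparmor that bound `aa_query_label@APPARMOR_1.1` need that version to remain; confirm the 2.8.95 source carries an equivalent export, and that the package's symbols file matches, before dropping the patch.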
=== modified file 'debian/patches/0008-remove-ptrace.patch'
--- debian/patches/0008-remove-ptrace.patch 2014-03-12 02:05:16 +0000
+++ debian/patches/0008-remove-ptrace.patch 2014-03-13 20:23:16 +0000
@@ -1,3 +1,8 @@
1Author: John Johansen <john.johansen@canonical.com>
2Forwarded: Yes
3Subject: Remove old, never-used, ptrace infrastructure from the parser
4---
5
1It was never used, never supported, and we are doing it differently now.6It was never used, never supported, and we are doing it differently now.
27
3Signed-off-by: John Johansen <john.johansen@canonical.com>8Signed-off-by: John Johansen <john.johansen@canonical.com>
49
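Review bot: the `---` added at line 4 sits between the new header fields and the existing description, so the explanation and the Signed-off-by line (now lines 6 and 8) fall after the separator, and DEP-3 parsers stop reading the header at a line of three dashes. Move the `---` below the Signed-off-by, or drop it, and replace `Forwarded: Yes` with the upstream revision or list URL so the claim can be checked. The same layout recurs in the other header hunks in this diff.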
=== modified file 'debian/patches/0009-convert-to-rules.patch'
--- debian/patches/0009-convert-to-rules.patch 2014-03-12 02:05:16 +0000
+++ debian/patches/0009-convert-to-rules.patch 2014-03-13 20:23:16 +0000
@@ -1,3 +1,8 @@
1Author: John Johansen <john.johansen@canonical.com>
2Forwarded: Yes
3Subject: Convert mount and dbus to be subclasses of a generic rule class
4---
5
1This will simplify add new features as most of the code can reside in6This will simplify add new features as most of the code can reside in
2its own class. There are still things to improve but its a start.7its own class. There are still things to improve but its a start.
38
49
=== removed file 'debian/patches/0009-libapparmor2.patch'
--- debian/patches/0009-libapparmor2.patch 2014-03-12 02:05:16 +0000
+++ debian/patches/0009-libapparmor2.patch 1970-01-01 00:00:00 +0000
@@ -1,26 +0,0 @@
1Subject: libapparmor1 -> libapparmor2 in autoconf
2Author: Seth Arnold <seth.arnold@canonical.com>
3
4The library version has changed to 2:
5
6AA_LIB_CURRENT = 2
7AA_LIB_REVISION = 0
8AA_LIB_AGE = 0
9
10---
11 libraries/libapparmor/configure.ac | 2 +-
12 1 file changed, 1 insertion(+), 1 deletion(-)
13
14Index: b/libraries/libapparmor/configure.ac
15===================================================================
16--- a/libraries/libapparmor/configure.ac
17+++ b/libraries/libapparmor/configure.ac
18@@ -5,7 +5,7 @@
19
20 AC_INIT(configure.ac)
21
22-AM_INIT_AUTOMAKE(libapparmor1, apparmor_version)
23+AM_INIT_AUTOMAKE(libapparmor2, apparmor_version)
24
25 AM_PROG_LEX
26 AC_PROG_YACC
270
=== removed file 'debian/patches/0009-uservars-inc-use-system-support.patch'
--- debian/patches/0009-uservars-inc-use-system-support.patch 2014-03-12 02:05:16 +0000
+++ debian/patches/0009-uservars-inc-use-system-support.patch 1970-01-01 00:00:00 +0000
@@ -1,95 +0,0 @@
1Description: Modify regression tests to use USE_SYSTEM to also select parser
2Author: Seth Arnold <seth.arnold@canonical.com>
3
4---
5 tests/regression/apparmor/Makefile | 11 +++++++++--
6 tests/regression/apparmor/uservars.inc | 14 --------------
7 tests/regression/apparmor/uservars.inc.source | 14 ++++++++++++++
8 tests/regression/apparmor/uservars.inc.system | 14 ++++++++++++++
9 4 files changed, 37 insertions(+), 16 deletions(-)
10
11Index: b/tests/regression/apparmor/Makefile
12===================================================================
13--- a/tests/regression/apparmor/Makefile
14+++ b/tests/regression/apparmor/Makefile
15@@ -180,7 +180,14 @@
16 return 1 ; \
17 fi
18
19-all: libapparmor_check $(EXEC) changehat.h
20+all: libapparmor_check $(EXEC) changehat.h uservars.inc
21+
22+uservars.inc: uservars.inc.source uservars.inc.system
23+ifdef USE_SYSTEM
24+ mv uservars.inc.system uservars.inc
25+else # !USE_SYSTEM
26+ mv uservars.inc.source uservars.inc
27+endif # USE_SYSTEM
28
29 changehat_pthread: changehat_pthread.c changehat.h
30 ${CC} ${CFLAGS} ${LDFLAGS} $< -o $@ ${LDLIBS} -pthread
31@@ -236,6 +243,6 @@
32 fi
33
34 clean:
35- rm -f $(EXEC) dbus_common.o
36+ rm -f $(EXEC) dbus_common.o uservars.inc
37
38 regex.sh: open exec
39Index: b/tests/regression/apparmor/uservars.inc.source
40===================================================================
41--- /dev/null
42+++ b/tests/regression/apparmor/uservars.inc.source
43@@ -0,0 +1,14 @@
44+# 1. Path to apparmor parser
45+subdomain=${PWD}/../../../parser/apparmor_parser
46+#subdomain=/sbin/apparmor_parser
47+
48+# 2. additional arguments to the apparmor parser
49+parser_args="-q -K"
50+
51+# 3. directory to be used for temp files
52+# Need to be able to access this directory by the root and nobody users.
53+tmpdir=/tmp/sdtest.$$-$RANDOM
54+
55+
56+# 4. Location of load system profiles for verification
57+sys_profiles=/sys/kernel/security/apparmor/profiles
58Index: b/tests/regression/apparmor/uservars.inc.system
59===================================================================
60--- /dev/null
61+++ b/tests/regression/apparmor/uservars.inc.system
62@@ -0,0 +1,14 @@
63+# 1. Path to apparmor parser
64+#subdomain=${PWD}/../../../parser/apparmor_parser
65+subdomain=/sbin/apparmor_parser
66+
67+# 2. additional arguments to the apparmor parser
68+parser_args="-q -K"
69+
70+# 3. directory to be used for temp files
71+# Need to be able to access this directory by the root and nobody users.
72+tmpdir=/tmp/sdtest.$$-$RANDOM
73+
74+
75+# 4. Location of load system profiles for verification
76+sys_profiles=/sys/kernel/security/apparmor/profiles
77Index: b/tests/regression/apparmor/uservars.inc
78===================================================================
79--- a/tests/regression/apparmor/uservars.inc
80+++ /dev/null
81@@ -1,14 +0,0 @@
82-# 1. Path to apparmor parser
83-subdomain=${PWD}/../../../parser/apparmor_parser
84-#subdomain=/sbin/apparmor_parser
85-
86-# 2. additional arguments to the apparmor parser
87-parser_args="-q -K"
88-
89-# 3. directory to be used for temp files
90-# Need to be able to access this directory by the root and nobody users.
91-tmpdir=/tmp/sdtest.$$-$RANDOM
92-
93-
94-# 4. Location of load system profiles for verification
95-sys_profiles=/sys/kernel/security/apparmor/profiles
960
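Review bot: with this patch gone, nothing in the diff shows how the regression tests select `/sbin/apparmor_parser` over the in-tree `parser/apparmor_parser` (lines 45 and 65). If the packaged test run relies on `USE_SYSTEM`, confirm that upstream 2.8.95 honours it in tests/regression/apparmor; otherwise the installed parser is not the one being exercised.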
=== modified file 'debian/patches/0010-list-fns.patch'
--- debian/patches/0010-list-fns.patch 2014-03-12 02:05:16 +0000
+++ debian/patches/0010-list-fns.patch 2014-03-13 20:23:16 +0000
@@ -1,3 +1,9 @@
1Author: John Johansen <john.johansen@canonical.com>
2Forwarded: Yes
3Subject: cleanup the list fns and use a little bit.
4
5---
6
1Yes its seems pointless because these will eventually get replaced by7Yes its seems pointless because these will eventually get replaced by
2stl. But until then8stl. But until then
39
410
=== modified file 'debian/patches/0011-parse-mode.patch'
--- debian/patches/0011-parse-mode.patch 2014-03-12 02:05:16 +0000
+++ debian/patches/0011-parse-mode.patch 2014-03-13 20:23:16 +0000
@@ -1,3 +1,9 @@
1Author: John Johansen <john.johansen@canonical.com>
2Forwarded: Yes
3Subject: make the parse_sub_mode code more generic
4
5---
6
1Make it more generic so that it can be shared with signals.7Make it more generic so that it can be shared with signals.
28
3Signed-off-by: John Johansen <john.johansen@canonical.com>9Signed-off-by: John Johansen <john.johansen@canonical.com>
410
=== modified file 'debian/patches/0012-add-decimal-interp.patch'
--- debian/patches/0012-add-decimal-interp.patch 2014-03-12 02:05:16 +0000
+++ debian/patches/0012-add-decimal-interp.patch 2014-03-13 20:23:16 +0000
@@ -1,3 +1,9 @@
1Author: John Johansen <john.johansen@canonical.com>
2Forwarded: Yes
3Subject: cleanup/fix escape sequences in the backend and add support for \d
4
5---
6
1the octal escape sequence was broken, so that short escapes \0, \00 \xa,7the octal escape sequence was broken, so that short escapes \0, \00 \xa,
2didn't work and actually resulted in some encoding bugs.8didn't work and actually resulted in some encoding bugs.
39
410
=== modified file 'debian/patches/0013-policy_mediates.patch'
--- debian/patches/0013-policy_mediates.patch 2014-03-12 02:05:16 +0000
+++ debian/patches/0013-policy_mediates.patch 2014-03-13 20:23:16 +0000
@@ -1,3 +1,9 @@
1Author: John Johansen <john.johansen@canonical.com>
2Forwarded: Yes
3Subject: Add stub rules to indicate compilation support for given features.
4
5---
6
1Policy enforcement needs to be able to support older userspaces and7Policy enforcement needs to be able to support older userspaces and
2compilers that don't know about new features. The absence of a feature8compilers that don't know about new features. The absence of a feature
3in the policydb indicates that feature mediation is not present for9in the policydb indicates that feature mediation is not present for
410
=== modified file 'debian/patches/0014-fix-failpath.patch'
--- debian/patches/0014-fix-failpath.patch 2014-03-12 02:05:16 +0000
+++ debian/patches/0014-fix-failpath.patch 2014-03-13 20:23:16 +0000
@@ -1,3 +1,9 @@
1Author: John Johansen <john.johansen@canonical.com>
2Forwarded: Yes
3Subject: fix failure paths around policy that can result in a crash
4
5---
6
1Signed-off-by: John Johansen <john.johansen@canonical.com>7Signed-off-by: John Johansen <john.johansen@canonical.com>
28
3---9---
410
=== modified file 'debian/patches/0015-feature_file.patch'
--- debian/patches/0015-feature_file.patch 2014-03-12 02:05:16 +0000
+++ debian/patches/0015-feature_file.patch 2014-03-13 20:23:16 +0000
@@ -1,3 +1,9 @@
1Author: John Johansen <john.johansen@canonical.com>
2Forwarded: Yes
3Subject: Hack rework of the feature/match file support
4
5---
6
1This is not the cleanup this code needs, but a quick hack to add the7This is not the cleanup this code needs, but a quick hack to add the
2-M flag so we can specify a feature file (or directory) to use for8-M flag so we can specify a feature file (or directory) to use for
3the compile.9the compile.
410
=== modified file 'debian/patches/0016-fix-network.patch'
--- debian/patches/0016-fix-network.patch 2014-03-12 02:05:16 +0000
+++ debian/patches/0016-fix-network.patch 2014-03-13 20:23:16 +0000
@@ -1,3 +1,9 @@
1Author: John Johansen <john.johansen@canonical.com>
2Forwarded: Yes
3Subject: fix: network detection
4
5---
6
1The features file patch broke detection of network support.7The features file patch broke detection of network support.
28
3Signed-off-by: John Johansen <john.johansen@canonical.com>9Signed-off-by: John Johansen <john.johansen@canonical.com>
410
=== modified file 'debian/patches/0017-aare-to-class.patch'
--- debian/patches/0017-aare-to-class.patch 2014-03-12 02:05:16 +0000
+++ debian/patches/0017-aare-to-class.patch 2014-03-13 20:23:16 +0000
@@ -1,3 +1,9 @@
1Author: John Johansen <john.johansen@canonical.com>
2Forwarded: Yes
3Subject: Convert aare_rules into a class
4
5---
6
1This cleans things up a bit and fixes a bug where not all rules are7This cleans things up a bit and fixes a bug where not all rules are
2getting properly counted so that the addition of policy_mediation8getting properly counted so that the addition of policy_mediation
3rules fails to generate the policy dfa in some cases.9rules fails to generate the policy dfa in some cases.
410
=== modified file 'debian/patches/0018-add-mediation-unix.patch'
--- debian/patches/0018-add-mediation-unix.patch 2014-03-12 02:05:16 +0000
+++ debian/patches/0018-add-mediation-unix.patch 2014-03-13 20:23:16 +0000
@@ -1,3 +1,9 @@
1Author: John Johansen <john.johansen@canonical.com>
2Forwarded: Yes
3Subject: Add tag indicating file policy is mediated.
4
5---
6
1Tag start of entries in the policydb as being mediated. This makes7Tag start of entries in the policydb as being mediated. This makes
2the start state for any class being mediated be none 0. The kernel8the start state for any class being mediated be none 0. The kernel
3can detect this to determine whether the parser expected mediation9can detect this to determine whether the parser expected mediation
410
=== modified file 'debian/patches/0019-parser_version.patch'
--- debian/patches/0019-parser_version.patch 2014-03-12 02:05:16 +0000
+++ debian/patches/0019-parser_version.patch 2014-03-13 20:23:16 +0000
@@ -1,3 +1,9 @@
1Author: John Johansen <john.johansen@canonical.com>
2Forwarded: Yes
3Subject: Add the ability to separate policy_version from kernel and parser abi
4
5---
6
1This will allow for the parser to invalidate its caches separate of whether7This will allow for the parser to invalidate its caches separate of whether
2the kernel policy version has changed. This can be desirable if a parser8the kernel policy version has changed. This can be desirable if a parser
3bug is discovered, a new version the parser is shipped and we need to9bug is discovered, a new version the parser is shipped and we need to
410
=== modified file 'debian/patches/0020-caching.patch'
--- debian/patches/0020-caching.patch 2014-03-12 02:05:16 +0000
+++ debian/patches/0020-caching.patch 2014-03-13 20:23:16 +0000
@@ -1,3 +1,9 @@
1Author: John Johansen <john.johansen@canonical.com>
2Forwarded: Yes
3Subject: Dont use the parser time stamp to determine if policy is newer.
4
5---
6
1Using the parser timestamp was a work around to force recompilation of7Using the parser timestamp was a work around to force recompilation of
2policy that was built with a buggy parser. There are better ways to8policy that was built with a buggy parser. There are better ways to
3handle this so remove checking of the parser timestamp.9handle this so remove checking of the parser timestamp.
410
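Review bot: the description at new lines 7-9 removes the parser-timestamp check on the grounds that "there are better ways to handle this" without naming one. 0019-parser_version.patch reads as the replacement, since it lets the parser invalidate its caches independently of the kernel policy version; state that dependency in this header so the two are not reordered or dropped separately, which would leave cached policy from a buggy parser in use.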
=== modified file 'debian/patches/0021-label-class.patch'
--- debian/patches/0021-label-class.patch 2014-03-12 02:05:16 +0000
+++ debian/patches/0021-label-class.patch 2014-03-13 20:23:16 +0000
@@ -1,3 +1,9 @@
1Author: John Johansen <john.johansen@canonical.com>
2Forwarded: Yes
3Subject: add label class to the policydb
4
5---
6
1The label class is used to lookup object permissions based off of label7The label class is used to lookup object permissions based off of label
2alone when the labeling is not path dependent.8alone when the labeling is not path dependent.
39
410
=== modified file 'debian/patches/0022-signal.patch'
--- debian/patches/0022-signal.patch 2014-03-12 02:05:16 +0000
+++ debian/patches/0022-signal.patch 2014-03-13 20:23:16 +0000
@@ -1,3 +1,9 @@
1Author: John Johansen <john.johansen@canonical.com>
2Forwarded: Yes
3Subject: Add the ability to mediate signals.
4
5---
6
1Add signal rules and make sure the parser encodes support for them7Add signal rules and make sure the parser encodes support for them
2if the supported feature set reports supporting them.8if the supported feature set reports supporting them.
39
410
=== modified file 'debian/patches/0023-fix-lexer-debug.patch'
--- debian/patches/0023-fix-lexer-debug.patch 2014-03-12 02:05:16 +0000
+++ debian/patches/0023-fix-lexer-debug.patch 2014-03-13 20:23:16 +0000
@@ -1,3 +1,9 @@
1Author: John Johansen <john.johansen@canonical.com>
2Forwarded: Yes
3Subject: A few fixes/improvements to the lexer debug output
4
5---
6
1Signed-off-by: John Johansen <john.johansen@canonical.com>7Signed-off-by: John Johansen <john.johansen@canonical.com>
2---8---
3 parser/parser_lex.l | 19 +++++++++----------9 parser/parser_lex.l | 19 +++++++++----------
410
=== modified file 'debian/patches/0024-ptrace.patch'
--- debian/patches/0024-ptrace.patch 2014-03-12 02:05:16 +0000
+++ debian/patches/0024-ptrace.patch 2014-03-13 20:23:16 +0000
@@ -1,3 +1,9 @@
1Author: John Johansen <john.johansen@canonical.com>
2Forwarded: Yes
3Subject: Add the ability to specify ptrace rules
4
5---
6
1ptrace rules currently take the form of7ptrace rules currently take the form of
28
3 ptrace [<ptrace_perms>] [<peer_profile_name>],9 ptrace [<ptrace_perms>] [<peer_profile_name>],
410
=== modified file 'debian/patches/0025-use-diff-encode.patch'
--- debian/patches/0025-use-diff-encode.patch 2014-03-12 02:05:16 +0000
+++ debian/patches/0025-use-diff-encode.patch 2014-03-13 20:23:16 +0000
@@ -1,3 +1,9 @@
1Author: John Johansen <john.johansen@canonical.com>
2Forwarded: Yes
3Subject: Turn on diff-encoding if the kernel supports it
4
5---
6
1Signed-off-by: John Johansen <john.johansen@canonical.com>7Signed-off-by: John Johansen <john.johansen@canonical.com>
2---8---
3 parser/parser.h | 1 +9 parser/parser.h | 1 +
410
=== modified file 'debian/patches/0026-fix-serialize.patch'
--- debian/patches/0026-fix-serialize.patch 2014-03-12 02:05:16 +0000
+++ debian/patches/0026-fix-serialize.patch 2014-03-13 20:23:16 +0000
@@ -1,3 +1,9 @@
1Author: John Johansen <john.johansen@canonical.com>
2Forwarded: Yes
3Subject: Move buffer management for the interface to C++ ostringstream class
4
5---
6
1Signed-off-by: John Johansen <john.johansen@canonical.com>7Signed-off-by: John Johansen <john.johansen@canonical.com>
2---8---
3 parser/parser.h | 5 9 parser/parser.h | 5
410
=== modified file 'debian/patches/0027-fix-af.patch'
--- debian/patches/0027-fix-af.patch 2014-03-12 02:05:16 +0000
+++ debian/patches/0027-fix-af.patch 2014-03-13 20:23:16 +0000
@@ -1,3 +1,8 @@
1Author: John Johansen <john.johansen@canonical.com>
2Forwarded: Yes
3Subject: Don't mediate AF_UNSPEC address family
4---
5
1---6---
2 common/Make.rules | 2 +-7 common/Make.rules | 2 +-
3 1 file changed, 1 insertion(+), 1 deletion(-)8 1 file changed, 1 insertion(+), 1 deletion(-)
49
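Review bot: the new header ends with `---` at line 4 and the original file already begins with `---` (now line 6), leaving two separators and no description. The subject says AF_UNSPEC is no longer mediated while the diffstat touches only common/Make.rules; add a sentence explaining how the Make.rules change produces that effect, and keep a single separator.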
=== modified file 'debian/patches/0028-opt_arg.patch'
--- debian/patches/0028-opt_arg.patch 2014-03-12 02:05:16 +0000
+++ debian/patches/0028-opt_arg.patch 2014-03-13 20:23:16 +0000
@@ -1,3 +1,8 @@
1Author: John Johansen <john.johansen@canonical.com>
2Forwarded: Yes
3Subject: Split flag handling into a separate file
4---
5
1Signed-off-by: John Johansen <john.johansen@canonical.com>6Signed-off-by: John Johansen <john.johansen@canonical.com>
27
3----8----
49
=== modified file 'debian/patches/0029-tests-cond-dbus.patch'
--- debian/patches/0029-tests-cond-dbus.patch 2014-03-12 02:05:16 +0000
+++ debian/patches/0029-tests-cond-dbus.patch 2014-03-13 20:23:16 +0000
@@ -1,3 +1,9 @@
1Author: John Johansen <john.johansen@canonical.com>
2Forwarded: Yes
3Subject: Make dbus tests be conditionally run based on pkg-config
4
5---
6
1The addition of the dbus tests requires dbus dev libraries be installed7The addition of the dbus tests requires dbus dev libraries be installed
2to run the test suite. This is not always desirable or even possible.8to run the test suite. This is not always desirable or even possible.
39
410
=== modified file 'debian/patches/0030-tests.diff'
--- debian/patches/0030-tests.diff 2014-03-12 02:05:16 +0000
+++ debian/patches/0030-tests.diff 2014-03-13 20:23:16 +0000
@@ -1,3 +1,9 @@
1Author: John Johansen <john.johansen@canonical.com>
2Forwarded: Yes
3Subject: Update the regression tests for v6 policy
4
5---
6
1Sorry this mashes several things together that should be separate7Sorry this mashes several things together that should be separate
2patches, but I am not going to spend the time to pull them apart8patches, but I am not going to spend the time to pull them apart
3atm.9atm.
