Add missing "boot_id" rule to abstractions/nameservice. (LP: #1872564)
- d/p/upstream-commit-454fca7-Add-run-variable.patch: Add the
definition for the "@{run}" variable.
- d/p/upstream-commit-ef591a67-Add-trailing-slash-to-the-run-variable-definition.patch:
Add trailing slash to the "@{run}" variable.
- d/p/upstream-commit-1f319c3870-abstractions-nameservice-allow-accessing-run-systemd-user.patch:
Add a missing rule to allow systemd to access
@{PROC}/sys/kernel/random/boot_id and @{run}/systemd/userdb.
- d/apparmor.install: Install new file 'tunables/run' under '/etc/apparmor.d'.
New changelog entries:
* snapd 2.44.3+20.04 introduced an apparmor unit of its own to load snap
policy in /var/lib/snapd/apparmor/profiles. As such, don't load snapd
policy twice by not loading it in the apparmor unit (LP: 1871148)
- ubuntu/stop-loading-snapd-profiles.patch: stop loading snapd profiles
- debian/control: add Breaks on snapd < 2.44.3+20.04~ since prior snapd
versions assume that apparmor will load the snapd policy on boot
- debian/apparmor.service: remove the now unneeded RequiresMountsFor on
/var/lib/snapd/apparmor/profiles
* drop ubuntu/parser-conf-no-expr-simplify.patch: Optimize=no-expr-simplify
was added to parser.conf to mitigate slow snap policy compiles on 32-bit
ARM. These days, snapd calls apparmor_parser with "-O no-expr-simplify"
and loads its snap policy, so drop this delta with upstream and Debian.
New changelog entries:
* debian/apparmor.service: add /var/lib/snapd/apparmor/profiles to
RequiresMountsFor since Ubuntu's rc.apparmor.functions looks for it
(LP: #1871148)
* libnss-systemd.patch: allow accessing the libnss-systemd VarLink sockets
and DBus APIs. Patch partially based on work by Simon Deziel.
(LP: #1796911, LP: #1869024)
* upstream-mr-424-kerberos-dot-dirs.patch: abstractions/kerberosclient:
allow reading /etc/krb5.conf.d/
* upstream-mr-442-gnome-user-themes.patch: gnome abstraction: allow reading
per-user themes from $XDG_DATA_HOME (Closes: #930031)
* upstream-mr-443-ecryptfs-dirs.patch: abstractions/base: allow read access
to top-level ecryptfs directories (LP: #1848919)
* upstream-mr-445-uuidd-request.patch: abstractions/base: allow read access
to /run/uuidd/request
* upstream-mr-464-Mesa_i915_perf_interface.patch: let Mesa check if the
kernel supports the i915 perf interface. Patch from Debian
New changelog entries:
* Merge from Debian. Remaining changes:
- Ubuntu-specific patches:
+ ubuntu/add-chromium-browser.patch
+ ubuntu/communitheme-snap-support.patch
+ ubuntu/mimeinfo-snap-support.patch
+ ubuntu/parser-conf-no-expr-simplify.patch
+ ubuntu/profiles-grant-access-to-systemd-resolved.patch
+ upstream-dont-allow-fontconfig-cache-write.patch
+ upstream-tests-mult-mount-bump-size-of-created-disk.patch
- debian/apparmor.{install,maintscript}: feature pinning is not used in
Ubuntu
- debian/apparmor.preinst: remove cache files on upgrade to 2.13
- debian/apparmor-profiles.install: install Ubuntu chromium-browser
profile and abstraction
- debian/apparmor-profiles.lintian-overrides: update for chromium-browser
profile having read access to dpkg database for lsb-release
- debian/apparmor-profiles.postinst: ubuntu-browsers.d/chromium-browser
abstraction if it doesn't exist
- debian/control: adjust the Vcs-{Browser,Git} control fields to reflect
the branch where the Ubuntu packaging is maintained.
- debian/gbp.conf: use ubuntu/master as the debian-branch
- debian/patches/series: comment out debian-only patches
- debian/tests/control and debian/tests/compile-policy: don't test
thunderbird since the Ubuntu packaging doesn't ship a profile
* Drop the following patches, no longer needed:
- python3.8-ac.diff
* debian/control: drop Breaks on media-hub, mediascanner2.0, messaging-app,
and webbrowser-app which was needed for upgrades to bionic (LP: #1797242)
* upstream-adjust-for-ibus-1.5.22.patch: update ibus abstract path for ibus
1.5.22
* upstream-adjust-gnome-for-mimeapps.patch: abstractions/gnome: also allow
/etc/xdg/mimeapps.list (LP: #1792027)