~sbeattie/apparmor/+git/apparmor:apparmor-2.9

Last commit made on 2017-10-28
Get this branch:
git clone -b apparmor-2.9 https://git.launchpad.net/~sbeattie/apparmor/+git/apparmor
Only Steve Beattie can upload to this branch. If you are Steve Beattie please log in for upload directions.

Branch merges

Branch information

Name:
apparmor-2.9
Repository:
lp:~sbeattie/apparmor/+git/apparmor

Recent commits

c498117... by Steve Beattie on 2017-10-28

git conversion: move .bzrignore to .gitignore

Signed-off-by: Steve Beattie <email address hidden>

23868e3... by intrigeri on 2017-10-26

profiles: allow OpenAL HRTF support in audio abstraction

Merge from trunk commit 3726

The files are "head-related transfer function" data sets, used by
OpenAL for better spatialization of sounds when headphones are detected.

Acked-by: Steve Beattie <email address hidden>

Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=874665

9b70d50... by Christian Boltz on 2017-10-20

Allow reading /etc/netconfig in abstractions/nameservice

/etc/netconfig is required by the tirpc library which nscd and several
other programs use.

References: https://bugzilla.opensuse.org/show_bug.cgi?id=1062244

Acked-by: Seth Arnold <email address hidden> for 2.9, 2.10, 2.11 and trunk

da132a7... by John Johansen on 2017-10-19

Bump release version to 2.9.5

Signed-off-by: John Johansen <email address hidden>

3aea591... by John Johansen on 2017-10-18

Fix af_unix downgrade of network rules

with unix rules we output a downgraded rule compatible with network rules
so that policy will work on kernels that support network socket controls
but not the extended af_unix rules

however this is currently broken if the socket type is left unspecified
(initialized to -1), resulting in denials for kernels that don't support
the extended af_unix rules.

cherry-pick: lp:apparmor r3700
Signed-off-by: John Johansen <email address hidden>
Acked-by: timeout

6080d9b... by Christian Boltz on 2017-09-28

Allow /var/run/dovecot/login-master-notify* in dovecot imap-login profiles

Acked-by: Seth Arnold <email address hidden> for trunk, 2.11, 2.10 and 2.9.

d62aaf0... by Christian Boltz on 2017-09-12

Merge updated traceroute profile into 2.10 and 2.9 branch

References: https://bugzilla.opensuse.org/show_bug.cgi?id=1057900

------------------------------------------------------------
revno: 3690 [merge]
committer: Steve Beattie <email address hidden>
branch nick: apparmor
timestamp: Wed 2017-08-09 08:57:36 -0700
message:
  traceroute profile: support TCP SYN for probes, quite net_admin request

  Merge from Vincas Dargis, approved by intrigeri.
  fix traceroute denies in tcp mode

  Acked-by: Steve Beattie <email address hidden>
------------------------------------------------------------

Backport to 2.10 and 2.9 branch

Acked-by: Steve Beattie <email address hidden>
Acked-by: Seth Arnold <email address hidden>

051f68a... by Christian Boltz on 2017-09-10

abstractions/freedesktop.org: support /usr/local/applications; support subdirs of applications folder

Merge request by Cameron Norman 2015-06-07
https://code.launchpad.net/~cameronnemo/apparmor/abstraction-fdo-applications-fixups/+merge/261336

Acked-by: Christian Boltz <email address hidden> for trunk, 2.11, 2.10 and 2.9

85881a8... by Christian Boltz on 2017-08-29

Samba profile updates for ActiveDirectory / Kerberos

The Samba package used by the INVIS server (based on openSUSE) needs
some additional Samba permissions for the added ActiveDirectory /
Kerberos support.

As discussed with Seth, add /var/lib/sss/mc/initgroups read permissions
to abstractions/nameservice instead of only to the smbd profile because
it's probably needed by more than just Samba if someone uses sss.

Acked-by: Seth Arnold <email address hidden> for 2.9, 2.10, 2.11 and trunk.

05de7e6... by Christian Boltz on 2017-08-22

update some Postfix profiles

- change abstractions/postfix-common to allow /etc/postfix/*.db k
- add several permissions to postfix/error, postfix/lmtp and postfix/pipe
- remove superfluous abstractions/kerberosclient from all postfix
  profiles - it's included via abstractions/nameservice

Acked-by: Seth Arnold <email address hidden> for 2.9, 2.10, 2.11 and trunk