Last commit made on 2017-10-28
Get this branch:
git clone -b apparmor-2.9 https://git.launchpad.net/~sbeattie/apparmor/+git/apparmor
Only Steve Beattie can upload to this branch. If you are Steve Beattie please log in for upload directions.

Branch merges

Branch information


Recent commits

c498117... by Steve Beattie on 2017-10-28

git conversion: move .bzrignore to .gitignore

Signed-off-by: Steve Beattie <email address hidden>

23868e3... by intrigeri on 2017-10-26

profiles: allow OpenAL HRTF support in audio abstraction

Merge from trunk commit 3726

The files are "head-related transfer function" data sets, used by
OpenAL for better spatialization of sounds when headphones are detected.

Acked-by: Steve Beattie <email address hidden>

Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=874665

9b70d50... by Christian Boltz on 2017-10-20

Allow reading /etc/netconfig in abstractions/nameservice

/etc/netconfig is required by the tirpc library which nscd and several
other programs use.

References: https://bugzilla.opensuse.org/show_bug.cgi?id=1062244

Acked-by: Seth Arnold <email address hidden> for 2.9, 2.10, 2.11 and trunk

da132a7... by John Johansen on 2017-10-19

Bump release version to 2.9.5

Signed-off-by: John Johansen <email address hidden>

3aea591... by John Johansen on 2017-10-18

Fix af_unix downgrade of network rules

with unix rules we output a downgraded rule compatible with network rules
so that policy will work on kernels that support network socket controls
but not the extended af_unix rules

however this is currently broken if the socket type is left unspecified
(initialized to -1), resulting in denials for kernels that don't support
the extended af_unix rules.

cherry-pick: lp:apparmor r3700
Signed-off-by: John Johansen <email address hidden>
Acked-by: timeout

6080d9b... by Christian Boltz on 2017-09-28

Allow /var/run/dovecot/login-master-notify* in dovecot imap-login profiles

Acked-by: Seth Arnold <email address hidden> for trunk, 2.11, 2.10 and 2.9.

d62aaf0... by Christian Boltz on 2017-09-12

Merge updated traceroute profile into 2.10 and 2.9 branch

References: https://bugzilla.opensuse.org/show_bug.cgi?id=1057900

revno: 3690 [merge]
committer: Steve Beattie <email address hidden>
branch nick: apparmor
timestamp: Wed 2017-08-09 08:57:36 -0700
  traceroute profile: support TCP SYN for probes, quite net_admin request

  Merge from Vincas Dargis, approved by intrigeri.
  fix traceroute denies in tcp mode

  Acked-by: Steve Beattie <email address hidden>

Backport to 2.10 and 2.9 branch

Acked-by: Steve Beattie <email address hidden>
Acked-by: Seth Arnold <email address hidden>

051f68a... by Christian Boltz on 2017-09-10

abstractions/freedesktop.org: support /usr/local/applications; support subdirs of applications folder

Merge request by Cameron Norman 2015-06-07

Acked-by: Christian Boltz <email address hidden> for trunk, 2.11, 2.10 and 2.9

85881a8... by Christian Boltz on 2017-08-29

Samba profile updates for ActiveDirectory / Kerberos

The Samba package used by the INVIS server (based on openSUSE) needs
some additional Samba permissions for the added ActiveDirectory /
Kerberos support.

As discussed with Seth, add /var/lib/sss/mc/initgroups read permissions
to abstractions/nameservice instead of only to the smbd profile because
it's probably needed by more than just Samba if someone uses sss.

Acked-by: Seth Arnold <email address hidden> for 2.9, 2.10, 2.11 and trunk.

05de7e6... by Christian Boltz on 2017-08-22

update some Postfix profiles

- change abstractions/postfix-common to allow /etc/postfix/*.db k
- add several permissions to postfix/error, postfix/lmtp and postfix/pipe
- remove superfluous abstractions/kerberosclient from all postfix
  profiles - it's included via abstractions/nameservice

Acked-by: Seth Arnold <email address hidden> for 2.9, 2.10, 2.11 and trunk