lp:~tyhicks/apparmor/abstract-sockets
- Get this branch:
- bzr branch lp:~tyhicks/apparmor/abstract-sockets
Related bugs
Bug #1341152: Chromium browser profile should allow kdialog | Undecided | Invalid | |
Bug #1350673: System policy cache may become stale after a system image update | Critical | Fix Released |
Branch information
Recent revisions
- 1509. By Tyler Hicks
  * parser-include-usr-share-apparmor.patch, debian/apparmor.install: Adjust
    the default parser.conf file, to add /usr/share/apparmor as an additional
    search path when resolving include directives in profiles, and install the
    file in /etc/apparmor. Ubuntu places hardware specific access rules in
    /usr/share/apparmor/hardware. This change allows these files to be
    included without using an absolute path (e.g.,
    '#include <hardware/graphics.d>').
- 1508. By Tyler Hicks
  * debian/lib/apparmor/functions, debian/apparmor.init,
    debian/apparmor.upstart: Ensure system policy cache cannot become stale
    after image based upgrades that update the system profiles (LP: #1350673)
- 1507. By Tyler Hicks
  * utils-add-cap-audit-read-to-severity.db: Make severity.db aware of the
    new, as of kernel 3.16, CAP_AUDIT_READ capability
- 1506. By Tyler Hicks
  * update-chromium-browser-for-kde.patch: Allow chromium-browser to execute
    KDialog. Thanks to user "Esokrates". (LP: #1341152)
- 1504. By Jamie Strandboge
  update-nameservice-abstraction-for-extrausers.patch: update nameservice
  abstraction to allow passwd and group when using libnss-extrausers
- 1502. By Marc Deslauriers
  * Updated to r2541 snapshot of 2.8.96:
    - removed upstreamed patches: convert-to-rules.patch, list-fns.patch,
      parse-mode.patch, add-decimal-interp.patch, policy_mediates.patch,
      fix-failpath.patch, feature_file.patch, fix-network.patch,
      aare-to-class.patch, add-mediation-unix.patch, parser_version.patch,
      caching.patch, label-class.patch, fix-lexer-debug.patch,
      use-diff-encode.patch, fix-serialize.patch,
      fix-ppc-endian-ftbfs.patch, opt_arg.patch, tests-cond-dbus.patch,
      initialize-mount-flags.patch, fix-typo-in-dbus_write.patch,
      limited-mount-rule-support.patch, bare-capability-rule-support.patch,
      check-config-for-sysctl.patch, increase-swap-size.patch,
      test-v6-policy.patch, test-mount-mediation.patch,
      mediate-signals.patch, change-signal-syntax.patch,
      mediate-ptrace.patch, change-ptrace-syntax.patch,
      test-signal-rules.patch, test-ptrace-rules.patch,
      update-tests-for-new-semantics.patch,
      fix-garbage-in-preprocessor-output.patch,
      fix-double-comma-in-preprocessor-output.patch,
      symtab-tests-and-seenlist-bug.patch, add-profile-name-variable.patch,
      fix-names-treated-as-condlistid.patch, manpage-signal-ptrace.patch,
      python-utils-file-support.patch, python-utils-signal-support.patch,
      python-utils-ptrace-support.patch,
      python-utils-pivot_root-support.patch.
  * Added upstart job (LP: #1305108)
    - debian/apparmor.upstart: new upstart job.
    - debian/apparmor.init: added click handling, move some code to
      unload_obsolete_profiles().
    - debian/lib/apparmor/functions: add unload_obsolete_profiles().
    - debian/apparmor.postinst, debian/apparmor-profiles.postinst: reload
      profiles directly since invoke-rc.d won't allow to do this easily
      with upstart and systemd jobs.
    - debian/rules: pass --no-start to dh_installinit since we're handling
      reloading profiles manually in the postinst scripts.
    - debian/control: add a versioned apparmor Depends to the
      apparmor-profiles package to make sure the required tools are
      installed for the postinst script.
- 1501. By Jamie Strandboge
  * debian/control: add versioned Breaks to apparmor for lxc, libvirt-bin,
    lightdm and apparmor-easyprof-ubuntu

  [ John Johansen, Steve Beattie ]
  * Add userspace support for AppArmor signals and ptrace mediation
    (LP: #1298611)
    + debian/patches/mediate-signals.patch,
      debian/patches/change-signal-syntax.patch: Parse signal rules with
      apparmor_parser. See the apparmor.d(5) man page for syntax details.
    + debian/patches/change-ptrace-syntax.patch,
      debian/patches/mediate-ptrace.patch: Parse ptrace rules with
      apparmor_parser. See the apparmor.d(5) man page for syntax details.
    + debian/patches/test-signal-rules.patch,
      debian/patches/test-ptrace-rules.patch,
      debian/patches/update-tests-for-new-semantics.patch: Update existing
      tests and add new tests for signal and ptrace mediation
    + debian/patches/fix-garbage-in-preprocessor-output.patch: Fix bug causing
      apparmor_parser preprocessor output to contain garbage after include
      statements
    + debian/patches/fix-double-comma-in-preprocessor-output.patch: Fix bug
      causing apparmor_parser preprocessor output to contain double commas
      after some rules
    + debian/patches/symtab-tests-and-seenlist-bug.patch,
      debian/patches/add-profile-name-variable.patch: Add ${profile_name}
      variable for use in profiles when rules need to specify the current
      profile's name. This is useful for signal and ptrace rules that specify
    + debian/patches/fix-names-treated-as-condlistid.patch: Fix
      apparmor_parser bug that caused mount and dbus rules to fail for sets of
      values

  [ Jamie Strandboge ]
  * debian/patches/update-base-abstraction-for-signals-and-ptrace.patch:
    Adjust the base abstraction for signals and ptrace mediation. Profiles
    that use the base abstraction can deny any of the granted permissions to
    achieve tighter confinement.
  * debian/patches/manpage-signal-ptrace.patch: Update the apparmor.d man
    page to document signal rules, ptrace rules, and variables for use in
    AppArmor profiles
  * debian/patches/dnsmasq-libvirtd-signal-ptrace.patch: Update the dnsmasq
    profile to allow libvirtd to send signals to and ptrace read the dnsmasq
    process
  * debian/patches/update-chromium-browser.patch: Adjust the chromium-browser
    profile for permissions needed in newer chromium-browser versions and add
    the rules needed for AppArmor ptrace mediation

  [ Tyler Hicks ]
  * Add new rule type support to aa.py to fix tracebacks when using the Python
    utilities in apparmor-utils on systems with AppArmor profiles containing
    previously unsupported rule types
    - debian/patches/python-utils-file-support.patch: Support path rules
      containing the "file" prefix (LP: #1295346)
    - debian/patches/python-utils-signal-support.patch: Parse and write signal
      rules (LP: #1300316)
    - debian/patches/python-utils-ptrace-support.patch: Parse and write ptrace
      rules (LP: #1300317)
    - debian/patches/python-utils-pivot_root-support.patch: Parse and write
      pivot_root rules (LP: #1298678)
- 1500. By Jamie Strandboge
  [ Tyler Hicks ]
  * debian/patches/initialize-mount-flags.patch: Initialize the variables
    containing mount rule flags to zero. Otherwise, the parser may set
    unexpected bits in the mount flags field for rules that do not specify
    mount flags. The uninitialized mount flag variables may have caused
    unexpected AppArmor denials during mount mediation. (LP: #1296459)
  * debian/patches/fix-typo-in-dbus_write.patch: Fix a bug in the
    apparmor/aa.py module that caused the utilities in the apparmor-utils
    package to write out network rules instead of dbus rules
  * debian/patches/limited-mount-rule-support.patch: Fix a bug in the
    apparmor/aa.py module that caused the utilities in the apparmor-utils
    package to traceback when encountering a mount rule (LP: #1294825)
  * debian/patches/bare-capability-rule-support.patch: Fix a bug in the
    apparmor/aa.py module that caused the utilities in the apparmor-utils
    package to traceback when encountering a bare capability rule
    (LP: #1294819)
  * debian/patches/check-config-for-sysctl.patch,
    debian/patches/increase-swap-size.patch: Fix bugs in the regression test
    suite that caused errors when running on ppc64el
  * debian/patches/test-v6-policy.patch,
    debian/patches/test-mount-mediation.patch: Improve the regression tests
    by increasing the mount rule test coverage
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp:apparmor/2.12