lp:ubuntu/saucy/apparmor

Created by James Westby on 2013-04-26 and last modified on 2013-10-11
Get this branch:
bzr branch lp:ubuntu/saucy/apparmor

Branch information

Owner: Ubuntu branches
Status: Development

Recent revisions

60. By Jamie Strandboge on 2013-10-11

0077_aa-status-is-bilingual.patch: aa-status was written to work with
python 2 or 3. Upstream is still using 2, so adjust ours to use
/usr/bin/python3 to avoid pulling python 2 back to the desktop images

59. By Tyler Hicks on 2013-10-04

[ Tyler Hicks ]
* debian/patches/0059-dbus-rules-for-dbus-abstractions.patch: Add an
  abstraction for the accessibility bus. It is currently very permissive,
  like the dbus and dbus-session abstractions, and grants all permissions on
  the accessibility bus. (LP: #1226141)
* debian/patches/0071-lp1226356.patch: Fix issues in parsing D-Bus and mount
  rules. Both rule classes suffered from unexpected auditing behavior when
  using the 'deny' and 'audit deny' rule modifiers. The 'deny' modifier
  resulted in accesses being audited and the 'audit deny' modifier
  resulted in accesses not being audited. (LP: #1226356)
* debian/patches/0072-lp1229393.patch: Fix cache location for .features
  file, which was not being written to the proper location if the parameter
  --cache-loc= is passed to apparmor_parser. This bug resulted in using the
  .features file from /etc/apparmor.d/cache or always recompiling policy.
  Patch thanks to John Johansen. (LP: #1229393)
* debian/patches/0073-lp1208988.patch: Update AppArmor file rules of UNIX
  domain sockets to include read and write permissions. Both permissions are
  required when a process connects to a UNIX domain socket. Also include new
  tests for mediation of UNIX domain sockets. Thanks to Jamie Strandboge for
  helping with the policy updates and testing. (LP: #1208988)
* debian/patches/0075-lp1211380.patch: Adjust the audio abstraction to only
  grant access to specific pulseaudio files in the pulse runtime directory
  to remove access to potentially dangerous files (LP: #1211380)

[ Jamie Strandboge ]
* debian/patches/0074-lp1228882.patch: typo in ubuntu-browsers.d/multimedia
  (LP: #1228882)
* 0076_sanitized_helper_dbus_access.patch: allow applications run under
  sanitized_helper to connect to DBus

58. By Martin Pitt on 2013-10-01

Add 0070-etc-writable.patch: Allow reading time configuration from
/etc/writable, as we have it on the phone. (LP: #1227520)

57. By Jamie Strandboge on 2013-09-10

[ Tyler Hicks ]
* Move the aa-exec man page out of apparmor-utils into apparmor, since
  aa-exec is now in apparmor
  - debian/control: adjust Breaks/Replaces to use apparmor-utils
    (<< 2.8.0-0ubuntu28)
  - debian/apparmor.manpages: install the aa-exec man page
  - debian/apparmor-utils.manpages: don't install the aa-exec man page
* debian/patches/0065-lp1220861.patch: Always NUL-terminate confinement
  context strings returned from libapparmor (LP: #1220861)
* debian/patches/0066-lp1196880.patch: Don't assign mode pointer in
  aa_getprocattr() if caller passed in NULL (LP: #1196880)
* debian/patches/0067-libapparmor-mode-strings-are-not-to-be-freed.patch:
  Update man page and code comments to make it clear that freeing the *con
  string returned from libapparmor's getcon functions also frees the *mode
  string
* debian/patches/0068-libapparmor-mention-dbus-method-in-getcon-man.patch:
  Document the D-Bus method, in the aa_getcon man page, that returns the
  AppArmor task confinement string of a D-Bus connection

[ Jamie Strandboge ]
* debian/patches/0069-p11kit-abstraction.patch: p11-kit needs access to
  /usr/share/p11-kit/modules

56. By Jamie Strandboge on 2013-09-03

debian/apport/source_apparmor.py: AppArmor logs DBus messages to syslog,
adjust apport hook to also search there for denials

55. By Jamie Strandboge on 2013-08-29

debian/patches/0064-lp1218099.patch: add support for variable expansion in
dbus rules (LP: #1218099)

54. By Tyler Hicks on 2013-08-26

[ Tyler Hicks ]
* Add support for mediation of D-Bus messages and services. AppArmor D-Bus
  rules are described in the apparmor.d(5) man page. dbus-daemon will use
  libapparmor to perform queries against the AppArmor policies to determine
  if a connection should be able to send messages to another connection, if
  a connection should be able to receive messages from another connection,
  and if a connection should be able to bind to a well-known name.
  - 0042-Fix-mount-rule-preprocessor-output.patch,
    0043-libapparmor-Safeguard-aa_getpeercon-buffer-reallocat.patch,
    0044-libapparmor-fix-return-value-of-aa_getpeercon_raw.patch,
    0045-libapparmor-Move-mode-parsing-into-separate-function.patch,
    0046-libapparmor-Parse-mode-from-confinement-string-in-ge.patch,
    0047-libapparmor-Make-aa_getpeercon_raw-similar-to-aa_get.patch,
    0048-libapparmor-Update-aa_getcon-man-page-to-reflect-get.patch:
    Backport parser and libapparmor pre-requisites for D-Bus mediation
  - 0049-parser-Update-man-page-for-DBus-rules.patch: Update apparmor.d man
    page
  - 0050-parser-Add-support-for-DBus-rules.patch,
    0051-parser-Regression-tests-for-DBus-rules.patch,
    0052-parser-Binary-profile-equality-tests-for-DBus-rules.patch: Add
    apparmor_parser support for D-Bus mediation rules
  - 0053-libapparmor-Export-a-label-based-query-interface.patch,
    debian/libapparmor1.symbols: Provide the libapparmor interface necessary
    for trusted helpers to make security decisions based upon AppArmor
    policy
  - 0054-libaalogparse-Parse-dbus-daemon-audit-messages.patch,
    0055-libaalogparse-Regression-tests-for-dbus-daemon-audit.patch: Allow
    applications to parse denials, generated by dbus-daemon, using
    libaalogparse and add a set of regression tests
  - 0056-tests-Add-an-optional-final-check-to-checktestfg.patch,
    0057-tests-Add-required-features-check.patch,
    0058-tests-Add-regression-tests-for-dbus.patch: Add regression tests
    which start their own dbus-daemon, load profiles containing D-Bus rules,
    and confine simple D-Bus service and client applications
  - 0059-dbus-rules-for-dbus-abstractions.patch: Add bus-specific, but
    otherwise permissive, D-Bus rules to the dbus and dbus-session
    abstractions. Confined applications that use D-Bus should already be
    including these abstractions in their profiles so this should be a
    seamless transition for those profiles.
* 0060-utils-make_clean_fixup.patch: Clean up the Python cache in the
  AppArmor tests directory
* 0061-profiles-dnsmasq-needs-dbus-abstraction.patch: Dnsmasq uses the
  system D-Bus when it is started with --enable-dbus, so its AppArmor
  profile needs to include the system bus abstraction
* 0062-fix-clone-test-on-arm.patch: Fix compiler error when building
  regression tests on ARM
* 0063-utils-ignore-unsupported-rules.patch: Utilities that use the
  Immunix::AppArmor perl module, such as aa-logprof and aa-genprof, error
  out when they encounter rules unsupported by the perl module. This patch
  ignores unsupported rules.

[ Jamie Strandboge ]
* debian/control: don't have easyprof Depends on apparmor-easyprof-ubuntu

53. By Tyler Hicks on 2013-08-15

* 0040-libapparmor-support-pkg-config.patch: Make it easier for other
  sources to build against libapparmor with pkg-config
  - debian/control: Add pkg-config as a Build-Depends
  - debian/libapparmor-dev.install: Install libapparmor pkg-config file
* 0041-parser-fix-flags.patch: Minimal fix for cache failures when the
  feature file is larger than the feature buffer used for cache version
  comparison

52. By Jamie Strandboge on 2013-07-23

* debian/patches/0038-lp1200392.patch: allow mmap of fglrx dri libraries
  (LP: #1200392)
* debian/patches/0039-fix-parser-cache-loc.patch: fix apparmor cache
  tempfile location to use passed arg
* debian/lib/apparmor/functions: update to also load from
  /var/lib/apparmor/profiles and write cache to /var/cache/apparmor
* debian/apparmor.dirs: create /var/cache/apparmor and
  /var/lib/apparmor/profiles

51. By Jamie Strandboge on 2013-07-07

* Refresh easyprof
  - drop 0034-easyprof-dont-add-vendor-dir.patch
  - drop 0035-easyprof-update-manpage-for-sdk-base.patch
* debian/patches/0037-easyprof-sdk-pt2.patch: update easyprof for the
  following:
  - don't add vendor directory to self.templates and self.policy_groups
  - utils/aa-easyprof: adjust error message for manifest read failure
  - utils/aa-easyprof: adjust to use EnvironmentError on failed read of the
    manifest
  - utils/apparmor/easyprof.py: clean up set_template()
  - utils/apparmor/easyprof.py: read_paths should use 'rk'
  - utils/test/test-aa-easyprof.py: adjust tests for above
  - utils/apparmor/easyprof.py
    + valid_path should verify os.path.normpath(path) == (path)
    + adjust valid_profile_name() to start with alpha-numeric and allow
      Debian source package names and version, plus '_'
    + adjust tests for above
  - update valid_variable() to check for valid_path if '/' is in the value
  - adjust valid_path() to have a relative_ok flag (default to False)
  - adjust valid_path() to verify path is same as normalized path
  - add some valid_path() test cases
  - adjust to always quote template vars in policy output
  - add a couple tests that have spaces in the binary and template var
  - update manifest JSON structure to use
    m['security']['profiles']['profile_name'] instead of
    m['security']['profile_name']

Branch metadata

Branch format: Branch format 7
Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)