Last commit made on 2019-03-30
Get this branch:
git clone -b debian/buster https://git.launchpad.net/ubuntu/+source/apparmor
Members of Ubuntu Server Dev import team can upload to this branch. Log in for directions.

Branch merges

Branch information


Recent commits

3f7774a... by intrigeri on 2019-03-30

Import patches-unapplied version 2.13.2-10 to debian/sid

Imported using git-ubuntu import.

Changelog parent: d0c45f18ae693c81f66d7538868da270bd77c650

New changelog entries:
  * Don't load AppArmor policy when running in a Debian Live environment
    that uses overlayfs (Closes: #922378).
    Rationale: the storage stack set up by live-boot with overlayfs
    is not supported by our AppArmor policy at the moment, resulting
    in breakage of confined software such as Evince and LibreOffice.
  * Ship nvidia_modprobe in enforce mode (Closes: #923273).
    - Rationale: as explained by Seth Arnold <email address hidden>
      on #923273#32, profiles in complain mode can chew up essentially
      unlimited amounts of non-swappable kernel memory and huge amounts
      of IO bandwidth logging ALLOWED messages, which can in turn
      use large amounts of storage. This is why Ubuntu has applied this change
      already for their upcoming release.
    - Scope of this change: in Buster, this profile is used in one single place
      — the usr.lib.libreoffice.program.soffice.bin profile — for which it was
      developed and tested in the first place. So the risk and potential
      problematic impact of this change seems pretty low.
  * Cherry-pick the most important and non-invasive fixes
    from the upstream apparmor-2.13 maintenance branch:
    - base abstraction: allow mr on *.so* in common library paths,
      i.e. don't assume all common libraries' name starts with "lib".
      At the very least, this fixes Qt5 applications under some
      VirtualBox graphics configuration, where otherwise they would
      not start at all (Closes: Tails#16414).
      Upstream commits: 8dff7dc, 08f9d16
    - Fix 2 segfaults spotted upstream while writing automated tests
      for the multicache support (upstream MR!348):
       · in overlaydirat_for_each, segfault caused by repeatedly freeing
         the same memory area;
       · when loading policy cache files, due to incorrect size passed
         to qsort().
      Upstream commits: 5704fba, 01aec04

d0c45f1... by intrigeri on 2019-02-25

Import patches-unapplied version 2.13.2-9 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 09992540ccf73efa3e46f813e9fd38c36d518aa3

New changelog entries:
  * Revert "Add autopkgtest that checks if apparmor.service starts
    on package installation". It passes with the schroot and qemu
    backends locally but fails on ci.debian.net.

0999254... by intrigeri on 2019-02-24

Import patches-unapplied version 2.13.2-8 to debian/sid

Imported using git-ubuntu import.

Changelog parent: f03b65d1704d4a0ce05c79c4220425644883c55a

New changelog entries:
  * Cherry-pick 5 more commits from upstream apparmor-2.13 branch
    (Closes: #921866).
  * Cherry-pick upstream MR!344 (Closes: #920833, #921888).
  * Install the nvidia_modprobe named profile (Closes: #921875)
    and add it to the list of profiles whose syntax is checked
    via autopkgtests.
  * Patch usr.sbin.smdb to include snippet generated at runtime
    (part of the fix for #896080).
  * New autopkgtest: ensure apparmor.service starts on
    package installation.
  * Update salsa CI pipeline.

f03b65d... by intrigeri on 2019-01-31

Import patches-unapplied version 2.13.2-7 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 4571cfd829b3aa78d4a33b290bfa21dfcd72d7a9

New changelog entries:
  * Stop shipping /var/cache/apparmor/CACHEDIR.TAG (Closes: #920682)
  * New patches, cherry-picked from upstream !320, so the "audio"
    abstraction grants read access to Alsa and libao config files
    (Closes: #920669, #920670).

4571cfd... by intrigeri on 2019-01-28

Import patches-unapplied version 2.13.2-6 to debian/sid

Imported using git-ubuntu import.

Changelog parent: b46606c5f0de4c6c622f09c1b4b8c7f81eddf124

New changelog entries:
  * initscript: implement missing aa_log_action_begin and
    aa_log_action_end functions (Closes: #917962).

b46606c... by intrigeri on 2019-01-28

Import patches-unapplied version 2.13.2-5 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 133f2369ff0d257d0548ff69bcfef684c59e5bd7

New changelog entries:
  * Really move libapparmor.so unversioned symlink to /lib/<triplet>
    (Closes: #919705).
  * Add Lintian override for dev-pkg-without-shlib-symlink: arguably
    a false positive (see #843932).
  * Add Lintian override for uses-dpkg-database-directly: false positive.
  * Declare compliance with Standards-Version 4.3.0.
  * autopkgtests:
    - Test compiling many more profiles:
      - all profiles that apparmor-profiles-extra ships in enforce mode
      - the profiles shipped by bind9, cups-browsed, haveged,
        libreoffice-common, man-db, ntp, onioncircuits, tcpdump, thunderbird,
        and tor
      - another profile shipped by libvirt-daemon-system
    - Declare that the compile-policy test is not superficial anymore.
    - Make the parser verbose in the compile-policy test.

133f236... by intrigeri on 2019-01-27

Import patches-unapplied version 2.13.2-4 to debian/sid

Imported using git-ubuntu import.

Changelog parent: a10e840c0ed81d5b215c71ca07e50a327870e7c6

New changelog entries:
  * Move libapparmor.so unversioned symlink to /lib/<triplet> (Closes: #919705).
  * New patches, cherry-picked from upstream:
    - Make tunables/share play well with aliases.
    - Fix access to /usr/share/drirc.d.conf (Closes: #919775).
    - Fix access to the default paths used by dehydrated in Debian.
    - Support new font configuration paths.
    - Support libvirt named profile.
    - Fix access to /etc/alsa/conf.d/.
  * autopkgtests: test compiling more profiles shipped by other packages.
  * Patch the dnsmasq profile to fix ptrace and signal communication
    with libvirtd.

a10e840... by intrigeri on 2019-01-01

Import patches-unapplied version 2.13.2-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 0cc9e2bd5a81437ded21ef28933d54866a8b99ac

New changelog entries:
  * Update upstream MR!252 backport to fix initscript (Closes: #917874)

0cc9e2b... by intrigeri on 2018-12-29

Import patches-unapplied version 2.13.2-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: a133dfeeca7e53e1c61741a6bf358a7b9708678a

New changelog entries:
  * Patch rc.apparmor.functions to suit Debian/Ubuntu's needs.
  * Port initscript, systemd service, postinst and profile-load
    to use the upstream rc.apparmor.functions shell library.
    This way, the systemd service does not require the SysV initscript
    anymore (Closes: #870697).
  * Drop obsolete /etc/apparmor/subdomain.conf conffile.

a133dfe... by intrigeri on 2018-12-22

Import patches-unapplied version 2.13.2-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 9e6ccce6cfbbcc83dd12eebd40b91dee65e50f4b

New changelog entries:
  * Import new upstream release, drop backported patches that are now obsolete,
    refresh remaining patches.
  * autopkgtest: add dummy test so that changes to linux-image-amd64
    trigger our other tests on ci.debian.net
  * Replace home-made GitLab CI with the standard Salsa pipeline
    (Closes: #912722).
  * Drop extra signatures from public upstream signing key.