Last commit made on 2018-03-10
Get this branch:
git clone -b debian/stretch https://git.launchpad.net/ubuntu/+source/apparmor

Recent commits

d311e5e... by intrigeri on 2018-02-27

Import patches-unapplied version 2.11.0-3+deb9u2 to debian/stretch

Imported using git-ubuntu import.

Changelog parent: 75908290953622a01b0ca853537e7dbc5824a913

New changelog entries:
  * Move the features file to /usr/share/apparmor-features;
    accordingly remove the old (now obsolete) '/etc/apparmor/features'
    conffile (Closes: #883682).
  * Configure gbp for DEP-14 and avoid gbp-pq prefixing patches
    with numbers.
  * Pin the AppArmor feature set to Stretch's kernel (Closes: #879585).
    This ensures Stretch systems, even when running a newer kernel (e.g.
    from backports), have their AppArmor feature set pinned to the one
    supported by the AppArmor policy shipped in Stretch. Otherwise they
    would experience breakage due to new AppArmor mediation features
    introduced in recent kernels.

7590829... by intrigeri on 2017-03-28

Import patches-unapplied version 2.11.0-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 9d7f473d4aafa86349cc62d693f82ca95f77a282

New changelog entries:
  * Fix CVE-2017-6507: don't unload unknown profiles during package
    configuration or when restarting the apparmor init script, upstart job, or
    systemd unit as this could leave processes unconfined (Closes: #858768).
    Changes cherry-picked from Ubuntu's 2.11.0-2ubuntu3:
    - debian/apparmor.postinst, debian/apparmor.init, debian/apparmor.upstart:
      Remove calls to unload_obsolete_profiles()
    - debian/patches/utils-add-aa-remove-unknown.patch,
      debian/apparmor.install debian/apparmor.manpages: Include a new utility,
      aa-remove-unknown, which can be used to unload unknown profiles. Based
      on an upstream patch but adjusted to source the /lib/apparmor/functions
      shipped in Debian/Ubuntu.

9d7f473... by intrigeri on 2017-01-21

Import patches-unapplied version 2.11.0-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 36509e7355f2ff94abddb14cfacb05e5f61a949a

New changelog entries:
  * Drop the apparmor-docs package (Closes: #851118).

36509e7... by intrigeri on 2017-01-09

Import patches-unapplied version 2.11.0-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: f64afa47d92864db88d18ff9d742738612399510

New changelog entries:
  * Import upstream 2.11.0 release (Closes: #809649).
  * Don't try to install non-existing file
    to /etc/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser.
  * Drop all backported patches, that are now obsolete.
  * Drop aa-utils_are_bilingual.patch, that is obsolete since upstream
    switched to Python 3.
  * Refresh all remaining quilt patches.
  * debian/apparmor.manpages: follow upstream wrt. moving the manpages
    for aa-enabled and aa-exec to section 1.
  * Reintroduce building parser/techdoc.pdf from source while building
    the binary package.
  * Build PDFs from documentation/*, and include them in the apparmor-docs
    package. Accordingly add build-dependency on libreoffice-writer and unoconv.
  * README.source: document how to import a new upstream release from
    the tarball.

f64afa4... by intrigeri on 2016-12-17

Import patches-unapplied version 2.10.95-8 to debian/sid

Imported using git-ubuntu import.

Changelog parent: ea1528f738623b7618f6af8ecbc95eaf0617097e

New changelog entries:
  * Stop applying add-chromium-browser.patch: it's been broken for years
    on Debian, and nobody ever bothered to upstream this profile in a way
    that makes it work cross-distro (Closes: #742829).
  * r3441-sshd-blacklist.patch: new patch, cherry-picked from upstream
    (Closes: #821881).
  * r3497-add-ld.so.preload-to-abstractions-base.patch: new patch,
    cherry-picked from upstream.
  * r3600-usrmerge.patch: new patch, cherry-picked from upstream
    (resolves the parts of #843461 that can be handled in this package).

ea1528f... by intrigeri on 2016-12-02

Import patches-unapplied version 2.10.95-7 to debian/sid

Imported using git-ubuntu import.

Changelog parent: e24caa3e428f8a02260b6280be884ff5a98a3967

New changelog entries:
  * r3582-build-with-recent-swig.patch: new patch, cherry-picked
    from upstream (Closes: #844929).
  * r3588-update-gnome-abstraction-with-versioned-gtk-paths.patch:
    new patch, cherry-picked from upstream (Closes: #845005).
  * r3590-add-more-wayland-paths.patch: new patch, cherry-picked from upstream.
  * r3591-yet-another-location-for-Xauthority.patch: new patch, cherry-picked
    from upstream (Closes: #845250).
  * Merge from Ubuntu citrain up to revision 1604.
  * Disable profiles-grant-access-to-systemd-resolved.patch: it's dangerous
    without fine-grained AppArmor mediation of D-Bus traffic.

e24caa3... by intrigeri on 2016-11-08

Import patches-unapplied version 2.10.95-6 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 44622fffe01fb8dba6fb5a45193c2a44fd1e8e27

New changelog entries:
  * New patches, cherry-picked from upstream:
    - debian/patches/r3577-gnome-abstraction-gtk3-config.patch:
      gnome abstraction: grant read access to ~/.config/gtk-3.0/*.
    - debian/patches/r3578-dnsmasq-libvirt_leaseshelper.patch:
      dnsmasq: allow libvirt_leaseshelper "m" permission on itself.

44622ff... by intrigeri on 2016-10-15

Import patches-unapplied version 2.10.95-5 to debian/sid

Imported using git-ubuntu import.

Changelog parent: ce972848be249fbd0cf8c3ebf063ccf7ad355188

New changelog entries:
  * Merge from ubuntu-citrain up to revision 1600. Remaining Debian changes:
    - debian/apparmor.init: don't call handle_system_policy_package_updates.
  * r3566-wayland.patch: new patch, to support Wayland in at least Evince
    (Closes: #827335).
  * r3487-add-firefox-esr-to-ubuntu-browsers.patch: new patch, to support
    firefox-esr in abstractions/ubuntu-browsers (Closes: #821945).
  * Drop "Replaces: apparmor-parser": that package has never been part of
    Debian, and if it has ever been included in Ubuntu, that must have been
    ages ago.
  * Drop Breaks: lxc (<< 1.1.0~alpha1-0ubuntu5~).
    - Wrt. Ubuntu: Xenial ships a newer lxc.
    - Wrt. Debian: this Breaks was added in Ubuntu in order to "restrict
      signal, ptrace and unix mediation to the container" (LP: #1373555).
      These features require third-party Linux kernel patches, that we
      haven't in Debian, so even though Jessie has lxc 1.0, we don't need
      this Breaks relationship.
  * Drop Breaks: lightdm (<< 1.11.8-0ubuntu2~).
    - Wrt. Debian: it was added in Ubuntu because lightdm 1.11.8-0ubuntu2
      brings "updates for unix socket mediation". But Unix socket mediation
      requires third-party Linux kernel patches, that we haven't in Debian.
    - Wrt. Ubuntu: even Vivid includes a newer lightdm.
  * Drop Breaks+Replaces on a version of debhelper older than the one included
    in Precise and Wheezy.
  * Drop Breaks+Replaces on versions of our own binary packages that are older
    than the ones included in Jessie and Xenial.
  * Drop Breaks: rsyslog (<< 7.4.4-1ubuntu9~). Both Jessie and Xenial ship
    a newer one.
  * Drop Breaks: apparmor-easyprof-ubuntu (<< 1.2.22). Xenial ships
    a newer one.
  * Drop Breaks: libvirt-bin (<< 1.2.6-0ubuntu6~). Jessie and Xenial
    have a newer one.
  * Drop Breaks+Replaces: apparmor-utils << 2.8.0: Jessie and Trusty ship
    a newer one.
  * Drop Breaks+Replaces: libapache2-mod-apparmor (<< 2.5.1-0ubuntu3):
    Precise and Wheezy shipped with something newer.
  * Version dependency on lsb-base to >= 3.0-6, as advised by Lintian's
    init.d-script-needs-depends-on-lsb-base tag.
  * debian/lib/apparmor/functions, debian/apparmor.init,
    debian/apparmor.service, debian/apparmor.upstart,
    debian/lib/apparmor/profile-load: Adjust the checks that previously kept
    AppArmor policy from being loaded while booting a container. Now we
    attempt to load policy if we're in a LXD or LXC managed container that is
    using profile stacking inside of a policy namespace. (LP: #1628285)
  * Fix regression tests so that the kernel SRU process is not interrupted by
    failing tests
    - debian/patches/r3505-tests-fix-stacking-mode-checks.patch: Fix the
      stackonexec.sh and stackprofile.sh tests (LP: #1628295)
    - debian/patches/r3509-tests-fix-exec_stack-errors.patch: Fix the
      exec_stack.sh test (LP: #1628745)
  * debian/patches/allow-access-to-ibus-socket.patch: Adjust the ibus
    abstraction to allow access to the abstract UNIX domain socket location
    used in Ubuntu. (LP: #1580463)
  * debian/lib/apparmor/functions: Quiet the "Files ... and ... differ"
    output, during the update process, which was printed by diff. This message
    left users concerned since it mentioned md5sums files without being clear
    about what was happening. (LP: #1614215)
  * r3498-r3499-ignore-net-events-that-look-like-file-events.patch: Prevent an
    aa-logprof crash by ignoring file events that contain send *and* receive
    in the request mask. This is an improvement to the previous fix that only
    addressed events that contained send *or* receive.
    (LP: #1577051, LP: #1582374)
    - debian/rules: Create a new empty file, needed for the test added by this
      patch, since quilt is unable to do so.
  * Drop the following change now that click-apparmor has been updated:
    - Continue installing aa-exec into /usr/sbin/ for now since
      click-apparmor's aa-exec-click autopkgtest expects it to be there
  * debian/patches/allow-stacking-tests-to-use-system.patch,
    debian/patches/r3430-allow-stacking-tests-to-use-system.patch: Replace
    patch with the final version that landed upstream and annotate the patch
    headers accordingly
  * debian/patches/r3460-ignore-file-events-with-send-or-receive-request.patch:
    Prevent an aa-logprof crash by ignoring file events that contain
    send or receive in the request mask. (LP: #1577051, LP: #1582374)
  * debian/patches/r3463-r3475-change-profile-exec-modes.patch: Allow policy
    authors to specify if the environment should be scrubbed during exec
    transitions allowed by a change_profile rule. (LP: #1584069)
  * debian/patches/r3478-make-overlapping-safe-and-unsafe-rules-conflict.patch:
    Make sure that multiple change_profile rules with overlapping safe and
    unsafe exec modes conflict when they share the same exec conditional
    (LP: #1588069)
  * debian/patches/r3479-create-fcitx-abstractions.patch: Include fcitx and
    fcitx-strict abstractions that fcitx client profiles can reuse.
  * debian/control: Do a conffile move of /etc/apparmor.d/abstractions/fcitx
    from the fcitx-data to apparmor by setting up the correct Breaks and
  * debian/patches/r3480-create-mozc-abstraction.patch: Include a mozc
    abstraction that mozc client profiles can reuse.
  * debian/patches/r3488-r3489-fix-racy-onexec-test.patch: Fix racy regression
    test so that the kernel SRU process is not interrupted by the onexec.sh
    periodically failing
  * debian/patches/r3490-utils-handle-change-profile-exec-modes.patch: Update
    the Python utilities to handle the new exec mode keywords in
    change_profile rules. (LP: #1584069)
  * debian/patches/r3492-allow-dbus-user-session-path.patch: Allow read/write
    access to the dbus-user-session socket file. (LP: #1604872)
  * Merge with Debian unstable. Remaining Ubuntu changes:
   - debian/apparmor.init: Call handle_system_policy_package_updates as we
     need it for Click, snappy, and system-images. Note that this prevents
     using a remote /var.

ce97284... by intrigeri on 2016-07-01

Import patches-unapplied version 2.10.95-4 to debian/sid

Imported using git-ubuntu import.

Changelog parent: f4b63426eac2cf52469326236857c77830b82ccf

New changelog entries:
  * debhelper/postinst-apparmor: re-add the "aa-status --enabled" -based code
    as a fallback, that is used when aa-enabled is not present. This
    facilitates upgrades from Jessie to Stretch, as well as partial
    testing/sid upgrades. (Closes: #829030)

f4b6342... by intrigeri on 2016-06-29

Import patches-unapplied version 2.10.95-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 010dda794d25d4ae1c776c7194f9adeca578ec03

New changelog entries:
  * debhelper/postinst-apparmor: re-add 2>/dev/null to aa-enabled invocation,
    to avoid misleading users into thinking the package is missing a dependency
    on apparmor. Thanks to Simon McVittie for the analysis! (Closes: #828795)