ubuntu/+source/apparmor:ubuntu/xenial-security

Last commit made on 2019-06-05
Get this branch:
git clone -b ubuntu/xenial-security https://git.launchpad.net/ubuntu/+source/apparmor
Members of Ubuntu Server Dev import team can upload to this branch.

Branch information

Name:
ubuntu/xenial-security
Repository:
lp:ubuntu/+source/apparmor

Recent commits

69641c1... by Tyler Hicks on 2019-05-28

Import patches-unapplied version 2.10.95-0ubuntu2.11 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: afda89aab7a9a9fc867ee5fc5932b8d71a52955f

New changelog entries:
  * Make dnsmasq profile and Python utility changes necessary to continue
    working correctly after the Linux kernel change to address CVE-2019-11190.
    Without these changes, some profile transitions may be unintentionally
    denied. (LP: #1830802)
    - 0001-dnsmasq-allow-libvirt_leaseshelper-m-permission-on-i.patch
    - 0001-handle_children-automatically-add-m-permissions-on-i.patch

afda89a... by Jamie Strandboge on 2018-09-27

Import patches-unapplied version 2.10.95-0ubuntu2.10 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 2591c629771d688d36594c44f30fa4573451c05d

New changelog entries:
  * lp1788929+1794848.patch:
    - disallow writes to thumbnailer dir (LP: #1788929)
    - disallow access to the dirs of private files (LP: #1794848)

2591c62... by Christian Ehrhardt on 2018-02-20

Import patches-unapplied version 2.10.95-0ubuntu2.9 to ubuntu/xenial-proposed

Imported using git-ubuntu import.

Changelog parent: a983c53cb5b63b027147378e177ed365223615ea

New changelog entries:
  * debian/patches/base-journald-updates.patch: update base abstraction
    for additional journald sockets (LP: #1670408)
    Backport from 2.11.0-2ubuntu5 by Jamie Strandboge <email address hidden>

a983c53... by Seyeong Kim on 2018-01-08

Import patches-unapplied version 2.10.95-0ubuntu2.8 to ubuntu/xenial-proposed

Imported using git-ubuntu import.

Changelog parent: b586c9e64ffc1430daa1be88c470a77c5b93dea1

New changelog entries:
  * d/p/0001-Allow-seven-digit-pid.patch:
    On 64bit systems, /proc/sys/kernel/pid_max can be set to PID_MAX_LIMIT
    (2^22), which results in seven digit pids. Adjust the @{PID} variable in
    tunables/global to accept this. (LP: #1717714)

b586c9e... by Steve Langasek on 2017-08-25

Import patches-unapplied version 2.10.95-0ubuntu2.7 to ubuntu/xenial-proposed

Imported using git-ubuntu import.

Changelog parent: 59a6b1b97aae6717a8dae17038075aa9679b98fd

New changelog entries:
  * Remove initramfs-tools from the dependencies; this isn't used and the
    dependency has been dropped in later releases. LP: #1713169.

59a6b1b... by Tyler Hicks on 2017-03-15

Import patches-unapplied version 2.10.95-0ubuntu2.6 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: a684737ee189a0da0382ec8f63eee6c99766d2f9

New changelog entries:
  * SECURITY UPDATE: Don't unload unknown profiles during package
    configuration or when restarting the apparmor init script or upstart job
    as this could leave processes unconfined (LP: #1668892)
    - debian/apparmor.postinst, debian/apparmor.init, debian/apparmor.upstart:
      Remove calls to unload_obsolete_profiles()
    - debian/patches/utils-add-aa-remove-unknown.patch,
      debian/apparmor.install, debian/apparmor.manpages: Include a new utility,
      aa-remove-unknown, which can be used to unload unknown profiles
    - CVE-2017-6507

a684737... by Tyler Hicks on 2016-10-07

Import patches-unapplied version 2.10.95-0ubuntu2.5 to ubuntu/xenial-proposed

Imported using git-ubuntu import.

Changelog parent: 2a90832d880fe81ae63db1a5ab231862572cdcbc

New changelog entries:
  * debian/lib/apparmor/functions, debian/apparmor.init,
    debian/apparmor.service, debian/apparmor.upstart,
    debian/lib/apparmor/profile-load: Adjust the checks that previously kept
    AppArmor policy from being loaded while booting a container. Now we
    attempt to load policy if we're in a LXD or LXC managed container that is
    using profile stacking inside of a policy namespace. (LP: #1628285)
  * Fix regression tests for stacking so that the kernel SRU process is not
    interrupted by failing tests whenever the AppArmor stacking features are
    backported from the 16.10 kernel or when the 16.04 LTS Enablement Stack
    receives a 4.8 or newer kernel
    - debian/patches/r3509-tests-fix-exec_stack-errors-1.patch: Fix the
      exec_stack.sh test when running on 4.8 or newer kernels (LP: #1628745)
    - debian/patches/r3558-tests-fix-exec_stack-errors-2.patch: Adjust the
      exec_stack.sh fix mentioned above to more accurately test kernels older
      than 4.8 (LP: #1630069)
    - debian/patches/allow-stacking-tests-to-use-system.patch: Apply this
      patch earlier in the series, so as to match when it was committed upstream,
      so that the above two patches can be cherry-picked from lp:apparmor

2a90832... by Tyler Hicks on 2016-09-28

Import patches-unapplied version 2.10.95-0ubuntu2.4 to ubuntu/xenial-proposed

Imported using git-ubuntu import.

Changelog parent: 034e81484eb19f8f11378d1cc9ecdb3f4b4a4f86

New changelog entries:
  * debian/patches/r3505-tests-fix-stacking-mode-checks.patch: Fix failing
    regression tests so that the kernel SRU process is not interrupted by
    failing stackonexec.sh and stackprofile.sh tests (LP: #1628295)

034e814... by Tyler Hicks on 2016-08-26

Import patches-unapplied version 2.10.95-0ubuntu2.3 to ubuntu/xenial-proposed

Imported using git-ubuntu import.

Changelog parent: c0cebdf5c3ec0dabe6c9f3891c879540b9c2735d

New changelog entries:
  * debian/patches/allow-access-to-ibus-socket.patch: Adjust the ibus
    abstraction to allow access to the abstract UNIX domain socket location
    used in Ubuntu. (LP: #1580463)
  * debian/lib/apparmor/functions: Quiet the "Files ... and ... differ"
    output, during the update process, which was printed by diff. This message
    left users concerned since it mentioned md5sums files without being clear
    about what was happening. (LP: #1614215)

c0cebdf... by Tyler Hicks on 2016-08-01

Import patches-unapplied version 2.10.95-0ubuntu2.2 to ubuntu/xenial-proposed

Imported using git-ubuntu import.

Changelog parent: 1069880e5cb078096a93437fbd50282de9c80e03

New changelog entries:
  * r3498-r3499-ignore-net-events-that-look-like-file-events.patch: Prevent an
    aa-logprof crash by ignoring file events that contain send *and* receive
    in the request mask. This is an improvement to the previous fix that only
    addressed events that contained send *or* receive.
    (LP: #1577051, LP: #1582374)
    - debian/rules: Create a new empty file, needed for the test added by this
      patch, since quilt is unable to do so.