ubuntu/+source/apparmor:ubuntu/yakkety-security

Last commit made on 2017-03-28
Get this branch:
git clone -b ubuntu/yakkety-security https://git.launchpad.net/ubuntu/+source/apparmor

Branch information

Name:
ubuntu/yakkety-security
Repository:
lp:ubuntu/+source/apparmor

Recent commits

bc492c9... by Tyler Hicks on 2017-03-28

Import patches-unapplied version 2.10.95-4ubuntu5.3 to ubuntu/yakkety-security

Imported using git-ubuntu import.

Changelog parent: 7bad1a53082a1a7b8ad1ec2367f50990d82aa0ee

New changelog entries:
  * SECURITY UPDATE: Don't unload unknown profiles during package
    configuration or when restarting the apparmor init script, upstart job, or
    systemd unit as this could leave processes unconfined (LP: #1668892)
    - debian/apparmor.postinst, debian/apparmor.init, debian/apparmor.upstart:
      Remove calls to unload_obsolete_profiles()
    - debian/patches/utils-add-aa-remove-unknown.patch,
      debian/apparmor.install, debian/apparmor.manpages: Include a new utility,
      aa-remove-unknown, which can be used to unload unknown profiles
    - CVE-2017-6507

7bad1a5... by Tyler Hicks on 2016-10-12

Import patches-unapplied version 2.10.95-4ubuntu5.1 to ubuntu/yakkety-proposed

Imported using git-ubuntu import.

Changelog parent: 150669b3ef4740898f9425732af284f10f259685

New changelog entries:
  * debian/patches/profiles-grant-access-to-systemd-resolved.patch: AppArmor
    profiles that make use of the nameservice abstraction should be allowed to
    communicate with systemd-resolved over D-Bus. Ubuntu 16.10 systems are
    configured to use nss-resolve which then communicates with
    systemd-resolved's D-Bus API. (LP: #1598759)

150669b... by Tyler Hicks on 2016-09-29

Import patches-unapplied version 2.10.95-4ubuntu5 to ubuntu/yakkety-proposed

Imported using git-ubuntu import.

Changelog parent: 70b12ec17bd5bf8e1e436f66c93fa75a71c0060d

New changelog entries:
  * debian/lib/apparmor/functions, debian/apparmor.init,
    debian/apparmor.service, debian/apparmor.upstart,
    debian/lib/apparmor/profile-load: Adjust the checks that previously kept
    AppArmor policy from being loaded while booting a container. Now we
    attempt to load policy if we're in a LXD or LXC managed container that is
    using profile stacking inside of a policy namespace. (LP: #1628285)
  * Fix regression tests so that the kernel SRU process is not interrupted by
    failing tests
    - debian/patches/r3505-tests-fix-stacking-mode-checks.patch: Fix the
      stackonexec.sh and stackprofile.sh tests (LP: #1628295)
    - debian/patches/r3509-tests-fix-exec_stack-errors.patch: Fix the
      exec_stack.sh test (LP: #1628745)

70b12ec... by Tyler Hicks on 2016-08-26

Import patches-unapplied version 2.10.95-4ubuntu4 to ubuntu/yakkety-proposed

Imported using git-ubuntu import.

Changelog parent: 8a02a383f172e3d9775800a95bc5f02a958c091f

New changelog entries:
  * debian/patches/allow-access-to-ibus-socket.patch: Adjust the ibus
    abstraction to allow access to the abstract UNIX domain socket location
    used in Ubuntu. (LP: #1580463)
  * debian/lib/apparmor/functions: Quiet the "Files ... and ... differ"
    output, during the update process, which was printed by diff. This message
    left users concerned since it mentioned md5sums files without being clear
    about what was happening. (LP: #1614215)

8a02a38... by Tyler Hicks on 2016-08-01

Import patches-unapplied version 2.10.95-4ubuntu3 to ubuntu/yakkety-proposed

Imported using git-ubuntu import.

Changelog parent: 4fee4bd3b0540829421a9527426339cce3411c38

New changelog entries:
  * r3498-r3499-ignore-net-events-that-look-like-file-events.patch: Prevent an
    aa-logprof crash by ignoring file events that contain send *and* receive
    in the request mask. This is an improvement to the previous fix that only
    addressed events that contained send *or* receive.
    (LP: #1577051, LP: #1582374)
    - debian/rules: Create a new empty file, needed for the test added by this
      patch, since quilt is unable to do so.

4fee4bd... by Tyler Hicks on 2016-07-27

Import patches-unapplied version 2.10.95-4ubuntu2 to ubuntu/yakkety-proposed

Imported using git-ubuntu import.

Changelog parent: 62549a7be396089285d89ae7d92d5db2b843f252

New changelog entries:
  * Drop the following change now that click-apparmor has been updated:
    - Continue installing aa-exec into /usr/sbin/ for now since
      click-apparmor's aa-exec-click autopkgtest expects it to be there
  * debian/patches/allow-stacking-tests-to-use-system.patch,
    debian/patches/r3430-allow-stacking-tests-to-use-system.patch: Replace
    patch with the final version that landed upstream and annotate the patch
    headers accordingly
  * debian/patches/r3460-ignore-file-events-with-send-or-receive-request.patch:
    Prevent an aa-logprof crash by ignoring file events that contain
    send or receive in the request mask. (LP: #1577051, LP: #1582374)
  * debian/patches/r3463-r3475-change-profile-exec-modes.patch: Allow policy
    authors to specify if the environment should be scrubbed during exec
    transitions allowed by a change_profile rule. (LP: #1584069)
  * debian/patches/r3478-make-overlapping-safe-and-unsafe-rules-conflict.patch:
    Make sure that multiple change_profile rules with overlapping safe and
    unsafe exec modes conflict when they share the same exec conditional
    (LP: #1588069)
  * debian/patches/r3479-create-fcitx-abstractions.patch: Include fcitx and
    fcitx-strict abstractions that fcitx client profiles can reuse.
  * debian/control: Do a conffile move of /etc/apparmor.d/abstractions/fcitx
    from the fcitx-data to apparmor by setting up the correct Breaks and
    Replaces.
  * debian/patches/r3480-create-mozc-abstraction.patch: Include a mozc
    abstraction that mozc client profiles can reuse.
  * debian/patches/r3488-r3489-fix-racy-onexec-test.patch: Fix racy regression
    test so that the kernel SRU process is not interrupted by the onexec.sh
    periodically failing
  * debian/patches/r3490-utils-handle-change-profile-exec-modes.patch: Update
    the Python utilities to handle the new exec mode keywords in
    change_profile rules. (LP: #1584069)
  * debian/patches/r3492-allow-dbus-user-session-path.patch: Allow read/write
    access to the dbus-user-session socket file. (LP: #1604872)

62549a7... by Martin Pitt on 2016-07-26

Import patches-unapplied version 2.10.95-4ubuntu1 to ubuntu/yakkety-proposed

Imported using git-ubuntu import.

Changelog parent: ce972848be249fbd0cf8c3ebf063ccf7ad355188

New changelog entries:
  * Merge with Debian unstable. Remaining Ubuntu changes:
   - debian/apparmor.init: Call handle_system_policy_package_updates as we
     need it for Click, snappy, and system-images. Note that this prevents
     using a remote /var.

ce97284... by intrigeri on 2016-07-01

Import patches-unapplied version 2.10.95-4 to debian/sid

Imported using git-ubuntu import.

Changelog parent: f4b63426eac2cf52469326236857c77830b82ccf

New changelog entries:
  * debhelper/postinst-apparmor: re-add the "aa-status --enabled" -based code
    as a fallback, that is used when aa-enabled is not present. This
    facilitates upgrades from Jessie to Stretch, as well as partial
    testing/sid upgrades. (Closes: #829030)

f4b6342... by intrigeri on 2016-06-29

Import patches-unapplied version 2.10.95-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 010dda794d25d4ae1c776c7194f9adeca578ec03

New changelog entries:
  * debhelper/postinst-apparmor: re-add 2>/dev/null to aa-enabled invocation,
    to avoid misleading users into thinking the package is missing a dependency
    on apparmor. Thanks to Simon McVittie for the analysis! (Closes: #828795)

010dda7... by intrigeri on 2016-06-24

Import patches-unapplied version 2.10.95-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: e68240617af17fda1a563e7ea5e327a5e05d82cf

New changelog entries:
  * dh-apparmor: use aa-enabled instead of aa-status --enabled.
    (Closes: #822475)
  * Ship fake aa-enabled and aa-exec for non-Linux builds to fix FTBFS there
    (same "solution" as the one we've had for apparmor_parser for a while).