Created by Chris Holcombe and last modified
Get this branch:
bzr branch lp:~xfactor973/apparmor/bug-1564625
Only Chris Holcombe can upload to this branch. If you are Chris Holcombe please log in for upload directions.

Branch merges

Related bugs

Related blueprints

Branch information

Chris Holcombe

Recent revisions

3491. By Chris Holcombe

sys.exit(1) when unable to find the apparmor profile

3490. By Tyler Hicks

utils: Handle the safe/unsafe change_profile exec modes


This patch adds support for the safe and unsafe exec modes for
change_profile rules. The logic is pretty simple at this point because
the kernel's default for exec modes changed in newer versions.
Therefore, this patch simply retains any specified exec mode in parsed
rules. If an exec mode is not specified in a rule, there is no attempt
to force the usage of "safe" because older kernels do not support it.

Signed-off-by: Tyler Hicks <email address hidden>
Acked-by: Seth Arnold <email address hidden>
Acked-by: Christian Boltz <email address hidden>

3489. By Tyler Hicks

tests: Fix onexec.sh races by using the transition test program

The onexec.sh test has periodically exhibited unexplicable failures that
are possibly due to race conditions when onexec.sh is verifying the
/proc/PID/attr/{current,exec} values of the process under test. This
patch attempts to solve the flaky test failures by removing the need for
IPC to coordinate between the test script and the test program.

The old onexec test program is removed and the transition test program
is used instead. This allows for the test script to tell the transition
test program what its current and exec procattr labels should be via
command line options.

Since IPC is no longer needed, the signal:ALL allow rule can be dropped
from the test profile. A new allow rule is needed to grant reading of
/proc/*/attr/{current,exec} since transition must verify the contents of
these files.

Signed-off-by: Tyler Hicks <email address hidden>
Acked-by: Seth Arnold <email address hidden>

3488. By Tyler Hicks

tests: Add transition test options to verify exec procattr

Add optional command line parameters to the transition test program that
can be used to verify a certain label and/or mode that should be found
in /proc/self/attr/exec.

Signed-off-by: Tyler Hicks <email address hidden>
Acked-by: Seth Arnold <email address hidden>

3487. By Steve Beattie

profiles: ubuntu-browsers abstraction: support Debian's firefox-esr

Merged from <email address hidden>; thanks!

3486. By Seth Arnold

<email address hidden> 2016-06-24 mod_apparmor manpage: fix "documenation" typo.

3485. By Seth Arnold

From: Simon McVittie <email address hidden>
Date: Tue, 21 Jun 2016 18:18:45 +0100
Subject: abstractions/nameservice: also support ConnMan-managed resolv.conf

Follow the same logic we already did for NetworkManager,
resolvconf and systemd-resolved. The wonderful thing about
standards is that there are so many to choose from.

Signed-off-by: Simon McVittie <email address hidden>

3484. By Christian Boltz

Drop unused escape() function from aa.py

Besides being unused, this function contains a broken regex.

References: https://bugs.launchpad.net/bugs/1593324

Acked-by: Steve Beattie <email address hidden>

3483. By Kshitij Gupta

Re-order imports in aa-mergeprof and rule/capability.py

Acked-by: Christian Boltz <email address hidden>

3482. By Christian Boltz

Add a note about still enforcing deny rules to aa-complain manpage

This behaviour makes sense (for example to force the confined program to
use a fallback path), but is probably surprising for users, so we should
document it.

References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826218#37

Acked-by: John Johansen <email address hidden> for trunk, 2.10 and 2.9

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
This branch contains Public information 
Everyone can see this information.