lp:~xfactor973/apparmor/bug-1564625

Created by Chris Holcombe and last modified
Get this branch:
bzr branch lp:~xfactor973/apparmor/bug-1564625

Branch information

Owner: Chris Holcombe
Project: AppArmor
Status: Development

Recent revisions

3491. By Chris Holcombe

sys.exit(1) when unable to find the apparmor profile

3490. By Tyler Hicks

utils: Handle the safe/unsafe change_profile exec modes

https://launchpad.net/bugs/1584069

This patch adds support for the safe and unsafe exec modes for
change_profile rules. The logic is pretty simple at this point because
the kernel's default for exec modes changed in newer versions.
Therefore, this patch simply retains any specified exec mode in parsed
rules. If an exec mode is not specified in a rule, there is no attempt
to force the usage of "safe" because older kernels do not support it.

Signed-off-by: Tyler Hicks <email address hidden>
Acked-by: Seth Arnold <email address hidden>
Acked-by: Christian Boltz <email address hidden>

3489. By Tyler Hicks

tests: Fix onexec.sh races by using the transition test program

The onexec.sh test has periodically exhibited inexplicable failures that
are possibly due to race conditions when onexec.sh is verifying the
/proc/PID/attr/{current,exec} values of the process under test. This
patch attempts to solve the flaky test failures by removing the need for
IPC to coordinate between the test script and the test program.

The old onexec test program is removed and the transition test program
is used instead. This allows for the test script to tell the transition
test program what its current and exec procattr labels should be via
command line options.

Since IPC is no longer needed, the signal:ALL allow rule can be dropped
from the test profile. A new allow rule is needed to grant reading of
/proc/*/attr/{current,exec} since transition must verify the contents of
these files.

Signed-off-by: Tyler Hicks <email address hidden>
Acked-by: Seth Arnold <email address hidden>

3488. By Tyler Hicks

tests: Add transition test options to verify exec procattr

Add optional command line parameters to the transition test program that
can be used to verify a certain label and/or mode that should be found
in /proc/self/attr/exec.

Signed-off-by: Tyler Hicks <email address hidden>
Acked-by: Seth Arnold <email address hidden>

3487. By Steve Beattie

profiles: ubuntu-browsers abstraction: support Debian's firefox-esr

Merged from <email address hidden>; thanks!

3486. By Seth Arnold

<email address hidden> 2016-06-24 mod_apparmor manpage: fix "documenation" typo.

3485. By Seth Arnold

From: Simon McVittie <email address hidden>
Date: Tue, 21 Jun 2016 18:18:45 +0100
Subject: abstractions/nameservice: also support ConnMan-managed resolv.conf

Follow the same logic we already did for NetworkManager,
resolvconf and systemd-resolved. The wonderful thing about
standards is that there are so many to choose from.

Signed-off-by: Simon McVittie <email address hidden>

3484. By Christian Boltz

Drop unused escape() function from aa.py

Besides being unused, this function contains a broken regex.

References: https://bugs.launchpad.net/bugs/1593324

Acked-by: Steve Beattie <email address hidden>

3483. By Kshitij Gupta

Re-order imports in aa-mergeprof and rule/capability.py

Acked-by: Christian Boltz <email address hidden>

3482. By Christian Boltz

Add a note about still enforcing deny rules to aa-complain manpage

This behaviour makes sense (for example to force the confined program to
use a fallback path), but is probably surprising for users, so we should
document it.

References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826218#37

Acked-by: John Johansen <email address hidden> for trunk, 2.10 and 2.9

Branch metadata

Branch format: Branch format 7
Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on: lp:apparmor/2.12
This branch contains Public information 
Everyone can see this information.
