Download project files

Bug fix release for apparmor 2.10

=== Policy Compiler (a.ka. apaprmor_parser) ===

* Caching
** Fix caching timestamp mtime issues ({{lp|1484178}})
** bump abi to force policy recompiles for bad caches
** Fix uninitialized variable and reference leak

* allow "unspec" (AF_UNSPEC) family in network rules ({{lp|1546455}})
* properly parse named transition targets ({{lp|1540666}})
* allow profile keyword to be used with namespaces ({{lp|1544387}})
* Fix segfault when processing profile directories ({{lp|1534405}})
* Fix regression: Honor the --namespace-string commandline option ({{lp|1526085}})
* Fix remount with bind ({{lp|1272028}})
* Fix a missing comma in when dumping capability names for debugging
* Fix incorrect output of child profile names (-N) which could cause policy reload to remove children profiles that should not have been. ({{lp|1551950}})

=== Library ===

* Fix logparser.py crash on change_hat events ({{lp|1523297}})
* fix log parsing memory leaks

=== Utils ===

* aa-status
** make aa-status work without python3-apparmor ({{lp|1480492}})
* aa-easyprof
** Use apparmor.fail for AppArmorException handling in aa-easyprof
* aa-logprof, aa-genprof, aa-mergeprof
** Fix wrong usage of write_prof_data in serialize_profile_from_old_profile() ({{lp|1528139}})
** Fix aa-mergeprof crash with files containing multiple profiles
** Add simple_tests/profile/profile_ns_bad8.sd to utils test exception list
** Remove pname to bin_name mapping in autodep()
** logparser.py: do sanity check for all file events ({{lp|1540562}})
** handle versioned ruby interpreters
** print test filenames in 'make check' and 'make coverage'
** Better error message on unknown profile lines
** AARE: escape reserved exclamation mark symbol
** More useful logparser failure reports
** Fix handling of link events in aa-logprof
** Write unix rules when saving a profile ({{lp|1522938}}, {{954104}})
** Adjust test-aa.py for python2
** Adjust type(x) == str checks in the rule classes for py2 ({{lp|1513880}})
** Let the apparmor.fail error handler print to stderr ({{lp|1521400}})
** ignore log event if request_mask == '' ({{lp|1525119}})
** Fix logparser.py crash on change_hat events ({{lp|1523297}})
** Several fixes for variable handling
** Change abstract methods in BaseRule to use NotImplementedError
** Map c (create) log events to w instead of a
** Also add python 3.5 to logprof.conf
** Add debug info to profile_storage()
** Fix parsing/storing bare file rules
** update PYMODULES in tools/Makefile
** Add python to the "no Px rule" list in logprof.conf
** let logparser.py ignore file_inherit events without request_mask ({{lp|1466812}})
** Let 'make check' work without logprof.conf ({{lp|1393979}})
** Fix handling of interpreters with parameters ({{lp|1505775}})
** merge script handling into get_interpreter_and_abstraction()
** Add tests for create_new_profile()
** Change utils/test/Makefile to use the in-tree libapparmor
** Parse all parser simple_tests with the utils code
** Get rid of global variable 'logger'
** make 'ldd' variable non-global
** Fix missing profile init in create_new_profile()
** Store filename for includes and hats
** Add AARE tests for [chars] and [^chars] style globbing to test-aare.py.
** load_include(): use include_dir_filelist()
** remove unused code from load_include()
** load_include(): avoid loading directory includes multiple times
** Reset aa and original_aa in read_profiles()
** move tests for convert_regexp() to (new) test-aare.py
** Accept more log formats in logparser.py
** Test libapparmor test_multi tests against logparser.py
** utils/aa-logprof.pod: fix typo in manpage ({{lp|1485855}})
** Add network mpls and ib to rule/network.py and the apparmor.d manpage
** map socket_create events to 'net' events
** Check for duplicate profiles
** Fix name_to_prof_filename() error behaviour
** Change RE_PROFILE_START to accept variables
** Split logparser.py add_event_to_tree() into multiple functions
** drop shebang from apparmor/rule/*.py

=== Policy ===

* Change /bin/ paths in profiles to also match on /usr/bin/

Updates to the following profiles:
* sbin.dhclient: allow executing nm-dhcp-helper and access to some files in /var/lib/dhcp6/ and /var/lib/NetworkManager/
* sbin.syslog-ng: add several permissions (abstractions/openssl, reading the journal etc.) which are needed by the latest syslog-ng ({{boo|948584}}, {{boo|948753}})
* usr.bin.skype: allow reading @{PROC}/@{pid}/net/dev ({{boo|939568}})
* usr.lib.dovecot.auth: allow writing to /var/run/dovecot/user-stats (needed by dovecot >= 2.2.22)
* usr.lib.dovecot.lmtp: add openssl and ssl_keys abstractions
* usr.lib.dovecot.imap: allow reading /run/dovecot/mounts
* usr.lib.dovecot.dovecot-lda:
** allow to write tempfiles ({{boo|954959}})
** allow to execute sendmail ({{boo|954958}})
* usr.sbin.avahi-daemon: allow write access to /run/systemd/notify (needed on systems with systemd)

* usr.sbin.dnsmasq:
** allow /bin/sh and /bin/dash in addition to /bin/bash ({{boo|940749}}, non-public)
** allow /dev/tty rw which is needed by the --dhcp-script's shell ({{boo|940749}}, non-public)
** add attach_disconnected flag ({{lp|1569316}})

* usr.sbin.nscd: allow reading /proc/self/cmdline, needed for paranoia mode ({{boo|971790}})
* usr.sbin.ntpd:
** add attach_disconnected flag (needed for using nscd)
** allow reading the directory listing of $PATH ({{boo|945592}})
* usr.sbin.smbd: allow capability sys_admin which is needed because smbd stores ACLs in the security.NTACL namespace ({{boo|964971}}, [http://samba-technical.samba.narkive.com/eHtOW8DE/nt-acls-using-the-security-namespace-for-ntacl-considered-improper Discussion on the Samba mailinglist])
* usr.sbin.winbindd:
** update for Samba 4.2 ({{boo|921098}}, {{boo|923201}})
** allow k for /etc/samba/smbd.tmp/msg/* ({{boo|921098#c15}})

Updates to the following abstractions:
* base: allow reading /usr/share/locale-bundle/ (contains translations in openSUSE)
* nameservice: allow reading /run/systemd/resolve/resolv.conf ({{LP|1529074}})
* python: update for python3
* samba: update for Samba 4.2 ({{boo|921098}})
* ssl_certs, ssl_keys: allow reading acmetool-generated certificates in /var/lib/acme/
* X: allow unix connections to @/tmp/.ICE-unix/[0-9]*, needed by (at least) firefox and thunderbird
* allow dconf abstraction to read /etc/dconf/**

=== Documentation ===

* Correct meaning of EPERM in aa_change_profile man page
* document open fds may be revalidated after aa_change_profile()
* document exec deny rules don't allow tranisition quanifier ix, Px, Ux etc. - only 'deny /foo x,' is allowed.
* Add realtime signals to SIGNALS list in apparmor.d manpage
* Add realtime signal example to the apparmor.d manpage
* Add missing variables @{pids} and @{apparmorfs} to the apparmor.d manpage
* fix typo "sinlge" in apparmor_parser manpage ({{lp|1485530}})
* Remove incorrect statement in aa_change_profile man page

=== Init Scripts ===

commit 78c5ed675ef0bcda0be971c9d72d5645efacab1d
* Fix aa_log_end_msg() in rc.apparmor.suse ({{boo|862170}))

=== Regression and Unit Tests ===

* fix ptrace tests for arm64 and s390 ({{lp|1470985}}, {{lp|1531325}})
* Add parser tests for various rules outside of a profile body
* make caching tests not fail w/python <= 3.2
* Don't skip parser unit test cleanup when the test was skipped
* Run caching tests even when apparmorfs is not mounted
* Verify cache file mtime in caching tests
* make sysctl(2) regression test a bit more resiliant
* fix memory leaks in libapparmor's aalogmisc unit tests.
* Add a new test that was posted on IRC to the test_multi set