--- apparmor-2.5.1~pre1393.orig/debian/README.Debian
+++ apparmor-2.5.1~pre1393/debian/README.Debian
@@ -0,0 +1,27 @@
+apparmor for Debian
+-------------------
+
+The Debian apparmor source package provides several packages,
+
+ 1) apparmor-modules-source, which provides the source for the kernel modules
+ 2) apparmor, which provides the user-space to kernel profile parser
+ 3) apparmor-profiles, which includes a basic default set of profiles
+ 4) apparmor-utils, which provides additional apparmor utilities
+ 5) apparmor-docs, which provides additional apparmor documentation
+
+The apparmor-modules-source package can be used in several ways,
+
+ - Using the module-assistant(8) command, via "m-a a-i apparmor-modules"
+
+ - Using the make-kpkg(1) command provided by the kernel-package Debian
+ package. This will produce a corresponding apparmor-modules-modules package
+ for the Debian kernel-image package that you are using. This is "the Debian
+ way". See the "modules_image" section of the make-kpkg(1) man page.
+
+ - Changing to the /usr/src/modules/apparmor-modules/ directory and building as
+ the README file instructs using "make; make install". This will build
+ and install a module specific to the system you are building on and is
+ not under control of the packaging system.
+
+For details on using and running AppArmor, please see:
+ http://developer.novell.com/wiki/index.php/Apparmor_FAQ
--- apparmor-2.5.1~pre1393.orig/debian/changelog
+++ apparmor-2.5.1~pre1393/debian/changelog
@@ -0,0 +1,1212 @@
+apparmor (2.5.1~pre1393-0ubuntu6) maverick; urgency=low
+
+ * debian/profiles/chromium-browser: updated to have the proper path to
+ local/
+ * debian/patches/0011-lp514356+573344+593413.patch: browser abstraction
+ updates for /net, kmozillahelper and gnome-appearance-properties
+ (LP: #593413, LP: #514356, LP: #573344)
+ * debian/patches/0012-lp625041.patch: add sensible-browser (LP: #625041)
+ * debian/patches/0013-lp623586.patch: allow access to ghostscript fonts when
+ not using defoma (LP: #623586)
+
+ -- Jamie Strandboge Fri, 03 Sep 2010 07:39:31 -0500
+
+apparmor (2.5.1~pre1393-0ubuntu5) maverick; urgency=low
+
+ * debian/patches/0007-lp605835.patch: allow ca-certificates in ssl_certs
+ abstraction (LP: #605835)
+ * debian/patches/0008-lp601583.patch: adjust X abstraction for newer gdm
+ (LP: #601583)
+ * debian/patches/0009-lp565753.patch: add ubuntu-feed-readers abstraction
+ and have ubuntu-browsers.d/multimedia use it (LP: #565753)
+ * debian/apparmor.config: don't try to read in the existing value from
+ /etc/apparmor.d/tunables/home.d/ubuntu, but instead always use what is
+ in debconf.
(LP: #561694)
+ * add aa-update-browser for giving a programmatic way to update browser
+ profiles to use browser abstractions
+ - add debian/aa-update-browser
+ - add debian/aa-update-browser.8
+ - debian/rules: install aa-update-browser*
+ * debian/patches/0003-ubuntu-browsers-d.patch: updated to generalize java
+ child profile names
+ * debian/patches/0010-fix-release.patch: update common/Make.rules to use
+ Canonical Ltd in generated documentation
+
+ -- Jamie Strandboge Wed, 11 Aug 2010 09:24:23 -0500
+
+apparmor (2.5.1~pre1393-0ubuntu4) maverick; urgency=low
+
+ * debian/patches/0001-local-includes.patch: updated to adjust local/README
+ to have upstream clarifications
+ * debian/patches/0003-ubuntu-browsers-d.patch: add ubuntu-browsers.d/*
+ abstractions
+ * debian/patches/0004-ubuntu-pux.patch: use 'PUx' instead of 'Ux' in
+ abstractions/ubuntu-*
+ * add chromium-browser profile. All this can be removed once
+ chromium-browser ships its own profile:
+ - debian/patches/0005-add-chromium-browser.patch: add preliminary
+ profiles/apparmor.d/usr.bin.chromium-browser
+ - debian/profiles/chromium-browser: added for use with ubuntu-browsers.d
+ - debian/rules: ship debian/profiles/chromium-browser in apparmor-profiles
+ * don't make /etc/apparmor.d/local/* from apparmor-profiles conffiles
+ - debian/control: Build-Depends on debhelper 7.4.20ubuntu5
+ - debian/rules: use dh_apparmor instead of shipping the files as conffiles
+ - debian/apparmor-profiles.postinst: move DEBHELPER before initscript
+ reload
+ - debian/apparmor-profiles.postrm: added to remove chromium-browser config
+ file
+ * debian/patches/0006-kde4-config-pux.patch: remove kde4-config from kde
+ abstraction and add it to kde ubuntu-browsers abstraction
+
+ -- Jamie Strandboge Tue, 10 Aug 2010 14:31:32 -0500
+
+apparmor (2.5.1~pre1393-0ubuntu3) maverick; urgency=low
+
+ * debian/patches/0002-lp615177.patch: 'owner' match in commit 1406 too
+ strict for /tmp/ and /var/tmp/ (LP: #615177)
+
+ -- Jamie
Strandboge Mon, 09 Aug 2010 10:17:05 -0500
+
+apparmor (2.5.1~pre1393-0ubuntu2) maverick; urgency=low
+
+ * debian/rules: move local/usr.lib.apache2.mpm-prefork.apache2 to
+ libapache2-mod-apparmor
+
+ -- Jamie Strandboge Fri, 06 Aug 2010 13:38:59 -0500
+
+apparmor (2.5.1~pre1393-0ubuntu1) maverick; urgency=low
+
+ * Update to upstream bzr revision 1393 from lp:apparmor/2.5.
+ * add dbus-session abstraction (LP: #566207)
+ * require owner in user-tmp abstraction (LP: #578922)
+ * don't use uninitialized $opt_s (LP: #582075)
+ * allow thunderbird 3 in abstractions/ubuntu-email (LP: #590462)
+ * allow gmplayer in abstractions/ubuntu-media-players (LP: #591421)
+ * debian/control: updated branches.
+ * debian/patches/0001-local-includes.patch: backported patch from trunk to
+ allow local administrators to customize their profiles without modifying
+ a shipped profile
+ * debian/rules:
+ - don't pass RELEASE to libapparmor's 'make install' as it breaks the
+ build and isn't used by the Makfile anyway
+ - install apparmor.d/local/README in apparmor, not apparmor-profiles
+ - don't install apparmor.d/local/usr.sbin.ntpd
+ * Drop the following patches already included upstream:
+ - 0001-lp538561.patch
+ - 0002-aalogprof-warnings.patch
+ - 0003-fix-memleaks.patch
+ - 0004-lp549557.patch
+ - 0005-lp538661.patch
+ - 0006-lp611248.patch
+
+ -- Jamie Strandboge Thu, 05 Aug 2010 16:10:46 -0500
+
+apparmor (2.5-0ubuntu4) maverick; urgency=low
+
+ * debian/patches/0006-lp611248.patch: allow access to gdk-pixbuf loaders
+ LP: #611248
+
+ -- Jamie Strandboge Tue, 03 Aug 2010 09:32:10 -0500
+
+apparmor (2.5-0ubuntu3) lucid; urgency=low
+
+ [ Jamie Strandboge ]
+ * debian/patches/lp-549557.patch: have apparmor_notify deal with log file
+ rotation.
(LP: #549557)
+ * debian/notify/notify.conf: set show_notifications="yes"
+ * debian/patches/0005-lp538661.patch: adjust php5 abstraction for cgi config
+ file path and extensions (LP: #538661)
+
+ [ Kees Cook ]
+ * debian/apparmor.functions: do not load in parallel, this is causing
+ weird side-effects.
+
+ -- Jamie Strandboge Tue, 30 Mar 2010 11:31:49 -0500
+
+apparmor (2.5-0ubuntu2) lucid; urgency=low
+
+ [ Jamie Strandboge ]
+ * debian/patches/0001-lp538561.patch: add 'k' to /var/lib/samba/**.tdb in
+ the samba abstraction (LP: #538561)
+
+ [ Marc Deslauriers ]
+ * debian/patches/0002-aalogprof-warnings.patch: get rid of warnings when
+ aa-logprof is run.
+ * debian/{rules,control}: move apache2 abstractions into the base package
+ so we can put apache2 profiles into the -profiles package without
+ aa-logprof bailing out. (LP: #539441)
+ * debian/patches/0003-fix-memleaks.patch: include a couple of leak
+ patches from upstream.
+
+ -- Marc Deslauriers Fri, 26 Mar 2010 11:39:18 -0400
+
+apparmor (2.5-0ubuntu1) lucid; urgency=low
+
+ * New upstream release.
+ * debian/control: updated branches.
+ * debian/copyright: updated download locations.
+ * debian/rules: drop unneeded build variables.
+ * common/Make.rules: set distributor.
+
+ -- Kees Cook Thu, 11 Mar 2010 00:08:08 -0800
+
+apparmor (2.5~pre+bzr1367-0ubuntu1) lucid; urgency=low
+
+ * Update to upstream bzr revision 1367
+ * debian/notify/90apparmor-notify: sleep for 60 seconds for boot speed and
+ to make sure that X is all the way up so the notifications look pretty
+
+ -- Jamie Strandboge Mon, 08 Mar 2010 13:53:50 -0600
+
+apparmor (2.5~pre+bzr1364-0ubuntu1) lucid; urgency=low
+
+ * Update to upstream bzr revision 1364.
+ * debian/apparmor.functions: ignore .dpkg-bak files when loading too.
+
+ -- Kees Cook Wed, 17 Feb 2010 13:36:21 -0800
+
+apparmor (2.5~pre+bzr1362-0ubuntu2) lucid; urgency=low
+
+ * debian/apparmor.postinst: on upgrades, prepopulate apparmor/homedirs
+ if it is not preseeded.
Will check /etc/passwd for UIDs >= 1000 and
+ < 30000 for unique dirnames of home directories that are not /home. Fully
+ resolves (LP: #447292)
+
+ -- Jamie Strandboge Wed, 17 Feb 2010 09:42:55 -0600
+
+apparmor (2.5~pre+bzr1362-0ubuntu1) lucid; urgency=low
+
+ [ Kees Cook ]
+ * Update to upstream bzr revision 1362.
+ - This release includes DFA minimization, transition table compression,
+ and improved partitioning performance (LP: #503869).
+ - drop 0001-tunable-alias.patch, now upstream.
+ * debian/apparmor.postinst: update home.d template to note the trailing
+ slash, even if the debconf template mentions it too.
+ * debian/apparmor.functions: go fully parallel with parsing to use all
+ CPUs in the case of needing to regenerate caches.
+ * debian/rules: enable library testsuite during build.
+ * debian/control: add dejagnu for library testsuite.
+ * debian/{rules,control}: use chrpath to drop rpath in libapparmor-perl.
+
+ [ Jamie Strandboge ]
+ * debian/control: add apparmor-notify
+ * add debian/notify/notify.conf
+ * add debian/notify/90apparmor-notify
+ * add debian/apparmor-notify.install: install notify.conf to /etc/apparmor
+ and 90apparmor-notify to /etc/X11/Xsession.d
+ * debian/rules:
+ - remove upstream notify.conf since we will install our own via debhelper
+ - move apparmor_notify script and man pages to apparmor-notify
+
+ -- Kees Cook Sat, 13 Feb 2010 12:19:30 -0800
+
+apparmor (2.3.1+bzr1312-0ubuntu4) lucid; urgency=low
+
+ * 0001-tunable-alias.patch: backport r1330 to make it easier for people
+ to use AppArmor's alias rules (LP: #160002)
+
+ -- Jamie Strandboge Mon, 11 Jan 2010 14:31:06 -0600
+
+apparmor (2.3.1+bzr1312-0ubuntu3) lucid; urgency=low
+
+ * debian/apparmor.{init,functions}:
+ - add "recache" argument to init script for liveCD cache generation.
+ - skip start/stop/reload when running on liveCD.
+
+ -- Kees Cook Fri, 08 Jan 2010 08:39:14 -0800
+
+apparmor (2.3.1+bzr1312-0ubuntu2) lucid; urgency=low
+
+ * debian/rules: disable profiling support for released version.
+
+ -- Kees Cook Wed, 06 Jan 2010 16:57:58 -0800
+
+apparmor (2.3.1+bzr1312-0ubuntu1) lucid; urgency=low
+
+ [ Kees Cook ]
+ * Update to upstream bzr revision 1312.
+ * debian/apparmor.postrm: fix comment typo.
+ * debain/rules: switch to bzr for upstream versioning.
+ * debian/rules: install apache2-* abstractions into apache2-mod package.
+ * drop debian/patches/0001-likewise-home-tunables.patch: this is causing
+ too much time in the parser (see LP 503869). The default install is
+ suffering, so move this configuration to likewise-open (see LP 274350).
+
+ [ Jamie Strandboge ]
+ * debian/rules:
+ - don't ship tunables/home.d/site.local
+ - correct path for moving apache2 abstraction
+ * add debconf question for adjusting HOMEDIRS (LP: #447292)
+ - add debian/apparmor.config
+ - debian/apparmor.postinst: query debconf and adjust
+ tunables/home.d/ubuntu
+ - debian/apparmor.postrm: on purge, remove tunables/home.d/ubuntu and run
+ db_purge
+ - debian/control: Build-Depends on po-debconf and have apparmor Depends on
+ debconf
+ - add debian/po/*
+ - debian/rules: use dh_installdebconf -papparmor
+ - added debian/templates
+
+ -- Kees Cook Wed, 06 Jan 2010 15:51:33 -0800
+
+apparmor (2.3.1+1403-0ubuntu31) lucid; urgency=low
+
+ * Remove initramfs hooks, as early profile loading is handled
+ on a service-by-service basis with Upstart jobs now.
+
+ -- Kees Cook Fri, 04 Dec 2009 13:22:04 -0800
+
+apparmor (2.3.1+1403-0ubuntu30) lucid; urgency=low
+
+ [ Jamie Strandboge ]
+ * convert to using quilt
+ - debian/control: Build-Depends on quilt
+ - add debian/README.source
+ - debian/rules: include /usr/share/quilt/quilt.make and adjust
+ targets for patching
+ * debian/patches/0001-likewise-home-tunables.patch: tunables/home: add
+ /home/likewise-open/*/ to HOMEDIRS (LP: #274350)
+ * Merge to upstream bzr rev 1308.
+ - really add chromium-browser (LP: #488559)
+ - add official google-chrome (LP: #481661)
+
+ [ Kees Cook ]
+ * parser/parser_main.c: use nanosec ctime resolution when checking
+ cache file times.
+ * parser/tst/caching.sh: add tests for cache use based on timestamps.
+
+ -- Jamie Strandboge Fri, 04 Dec 2009 11:11:01 -0600
+
+apparmor (2.3.1+1403-0ubuntu29) lucid; urgency=low
+
+ * parser/Makefile: generate af_names.h based on bits/socket.h since
+ linux/socket.h no longer has what we need (LP: #474751)
+ * usr.sbin.dnsmasq: fully address LP: #445818
+ - more pidfile refinements
+ - allow access to /var/run/dnsmasq
+ - allow access to /etc/dnsmasq.d
+ - allow dac_override so it can write its pidfile
+ * abstractions/ubuntu-browsers: add chromium-browser
+
+ -- Jamie Strandboge Wed, 04 Nov 2009 17:07:23 -0600
+
+apparmor (2.3.1+1403-0ubuntu28) lucid; urgency=low
+
+ [ Jamie Strandboge ]
+ * update skype profile in extras. Based on work by Андрей Калинин.
+ (LP: #226624)
+ * abstractions/ubuntu-browsers: add opera and icecat (LP: #432778)
+ * abstractions/ubuntu-browsers: add epiphany (epiphany-browser and
+ epiphany-webkit were already present, but the recent changes in
+ epiphany packaging require /usr/bin/epiphany) (LP: #472952)
+ * usr.sbin.dnsmasq: allow pidfiles for /var/run/dnsmasq*.pid (LP: #445818)
+ * abstractions/gnome: allow access to ~/.themes (LP: #460125)
+ * abstractions/kde: allow access to /etc/kde4rc and /usr/bin/kde4-config
+ (LP: #447006)
+
+ [ Marc Deslauriers ]
+ * utils/Subdomain.pm: don't skip reading profiles that are also in the
+ cache directory (LP: #446449)
+ * utils/Subdomain.pm: correctly parse PUxr modes
+ * utils/Subdomain.pm: support include directories
+
+ -- Jamie Strandboge Wed, 04 Nov 2009 11:02:27 -0600
+
+apparmor (2.3.1+1403-0ubuntu27) karmic; urgency=low
+
+ * utils/SubDomain.pm: handle new format "null" log entries (LP: #446524)
+
+ -- Marc Deslauriers Fri, 16 Oct 2009 14:40:04 -0400
+
+apparmor (2.3.1+1403-0ubuntu26) karmic; urgency=low
+
+ * abstractions/ubuntu-browsers: add Dooble
+ * abstractions/ubuntu-browsers: add chromium (LP: #448812)
+ * abstractions/gnome: add read for /etc/orbitrc
+ * abstractions/audio: add read for /etc/pulse/* for when ~/.pulse/* doesn't
+ exist and these files are used for fallback
+
+ -- Jamie Strandboge Wed, 14 Oct 2009 07:59:03 -0500
+
+apparmor (2.3.1+1403-0ubuntu25) karmic; urgency=low
+
+ * Do not use tools in /usr during initial start-up (LP: #439726).
+
+ -- Kees Cook Fri, 02 Oct 2009 16:52:04 -0700
+
+apparmor (2.3.1+1403-0ubuntu24) karmic; urgency=low
+
+ * abstractions/X: allow mouse themes (LP: #438051)
+
+ -- Jamie Strandboge Thu, 01 Oct 2009 16:07:25 -0500
+
+apparmor (2.3.1+1403-0ubuntu23) karmic; urgency=low
+
+ [ Kees Cook ]
+ * Really fix quiet mode in initramfs (LP: #435285).
+ * Handle older kernel versions when loading profiles (LP: #429872):
+ - parser/parser_{interface,main}.c: detect kernel version and downgrade.
+ - debian/apparmor.functions, parser/parser_main.c: keep kernel features
+ recorded in cache directory.
+ - parser/parser_{interface,main}.c: add --skip-kernel-load for testing.
+ - parser/tst/caching.*: add caching tests.
+ [ Jamie Strandboge ]
+ * abstractions/audio: add a few more files for pulseaudio
+
+ -- Kees Cook Fri, 25 Sep 2009 09:54:01 -0700
+
+apparmor (2.3.1+1403-0ubuntu22) karmic; urgency=low
+
+ * Do not run AppArmor on the LiveCD, again (LP: #131976).
+ * More aggressively stay quiet when booting in quiet mode (LP: #435285).
+
+ -- Kees Cook Wed, 23 Sep 2009 15:40:22 -0700
+
+apparmor (2.3.1+1403-0ubuntu21) karmic; urgency=low
+
+ * debian/apparmor.{init-bottom,functions,initramfs}: perform initial
+ apparmor rule loading in initramfs.
+
+ -- Kees Cook Mon, 21 Sep 2009 14:16:26 -0700
+
+apparmor (2.3.1+1403-0ubuntu20) karmic; urgency=low
+
+ * added disabled apache2 profile (FFE LP: #430812):
+ - add profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2: new
+ apache2 profile
+ - add profiles/apparmor.d/apache2.d/phpsysinfo: example profile for the
+ phpsysinfo application
+ - profiles/Makefile: handle the apache2.d directory
+ - add debian/libapache2-mod-apparmor.postinst: reload apparmor after
+ installation since we now ship a profile in this package
+ - add debian/libapache2-mod-apparmor.preinst: disable apache2 profile
+ if the user does not already have a profile defined
+ - add debian/libapache2-mod-apparmor.postrm: remove disabled symlink
+ on purge
+ - debian/rules: move apache2 profile to the libapache2-mod-apparmor
+ package and create apache2.d directory
+ * utils/SubDomain.pm: handle "open" log entries (LP: #427966)
+ * added ouid parsing support (LP: #431929):
+ - libraries/libapparmor/testsuite/test_multi.c
+ - libraries/libapparmor/src/{scanner.l,grammar.y,aalogparse.h,
+ libaalogparse.c}
+
+ -- Marc Deslauriers Sat, 19 Sep 2009 09:32:02 -0400
+
+apparmor (2.3.1+1403-0ubuntu19) karmic; urgency=low
+
+ [ Jamie Strandboge ]
+ *
abstractions/fonts: allow links in @{HOME}/.fontconfig/**
+
+ [ Kees Cook ]
+ * debian/apparmor.init: expect that the securityfs is mounted, and only
+ test for the mounted filesystem against the type column when it is not
+ found.
+
+ -- Kees Cook Wed, 09 Sep 2009 11:42:07 -0700
+
+apparmor (2.3.1+1403-0ubuntu18) karmic; urgency=low
+
+ * added the following abstractions:
+ - ubuntu-browsers: Ux transitions to graphical browsers
+ - ubuntu-console-browsers: Ux transitions to text-mode browsers
+ - ubuntu-console-email: Ux transitions to text-mode email clients
+ - ubuntu-email: Ux transitions to graphical email clients
+ - ubuntu-gnome-terminal: ix transition for gnome-terminal
+ - ubuntu-konsole: ix transition for konsole
+ - ubuntu-xterm: ix transition for xterm
+
+ -- Jamie Strandboge Thu, 03 Sep 2009 11:57:39 -0500
+
+apparmor (2.3.1+1403-0ubuntu17) karmic; urgency=low
+
+ * abstractions/base: workaround for ecryptfs and apparmor by allowing
+ 'owner' match for files in .Private. (LP: #359338)
+
+ -- Jamie Strandboge Mon, 31 Aug 2009 15:38:54 -0500
+
+apparmor (2.3.1+1403-0ubuntu16) karmic; urgency=low
+
+ * profiles/apparmor.d/*dovecot*: add first-pass at complain-only
+ profiles for basic dovecot operation.
+
+ -- Kees Cook Wed, 26 Aug 2009 15:19:46 -0700
+
+apparmor (2.3.1+1403-0ubuntu15) karmic; urgency=low
+
+ * utils/SubDomain.pm: don't abort when an include file only contains
+ hats (LP: #400367)
+
+ -- Marc Deslauriers Wed, 26 Aug 2009 11:35:58 -0400
+
+apparmor (2.3.1+1403-0ubuntu14) karmic; urgency=low
+
+ * Pull upstream changes for 64bit capabilities (svn 1427, 1437, 1438).
+ * Pull upstream changes for pux exec mode (svn 1439).
+ * debian/apparmor.init: "find" -name is not brace-aware (LP: #418364).
+
+ -- Kees Cook Mon, 24 Aug 2009 18:01:05 -0700
+
+apparmor (2.3.1+1403-0ubuntu13) karmic; urgency=low
+
+ [ Kees Cook ]
+ * parser/parser_main.c: add --skip-read-cache to force reading of
+ uncached profiles while still allowing for --write-cache to work.
+ * parser/apparmor_parser.pod: add all missing option documentation.
+
+ [ Jamie Strandboge ]
+ * abstractions/kde: update for kde4
+
+ -- Jamie Strandboge Wed, 19 Aug 2009 12:07:06 -0500
+
+apparmor (2.3.1+1403-0ubuntu12) karmic; urgency=low
+
+ * abstractions/base: add more locale paths (LP: #413454)
+
+ -- Jamie Strandboge Fri, 14 Aug 2009 07:31:03 -0500
+
+apparmor (2.3.1+1403-0ubuntu11) karmic; urgency=low
+
+ * utils/enforce: remove /etc/apparmor.d/disable/ symlink
+ LP: #413153
+ * debian/rules: don't install usr.sbin.ntpd or tunables/ntpd. Can remove
+ this when we create a new orig.tar.gz
+
+ -- Jamie Strandboge Wed, 12 Aug 2009 10:04:34 -0500
+
+apparmor (2.3.1+1403-0ubuntu10) karmic; urgency=low
+
+ * remove apparmor.d/usr.sbin.ntpd and apparmor.d/tunables/ntpd since ntpd
+ will begin shipping its own profile
+
+ -- Jamie Strandboge Wed, 12 Aug 2009 10:02:53 -0500
+
+apparmor (2.3.1+1403-0ubuntu9) karmic; urgency=low
+
+ * Revert 64-bit capabilities (LP: #408773).
+
+ -- Kees Cook Tue, 04 Aug 2009 11:51:27 +0100
+
+apparmor (2.3.1+1403-0ubuntu8) karmic; urgency=low
+
+ * Update to upstream subversion r1431.
+ - change_profile can use regex (LP: #390810, #401931)
+ * debian/apparmor.init: always clear cache on reload.
+
+ -- Kees Cook Mon, 03 Aug 2009 07:46:33 -0700
+
+apparmor (2.3.1+1403-0ubuntu7) karmic; urgency=low
+
+ * profiles/apparmor.d/abstractions/base: add /proc/sys/crypto (LP: #392337).
+
+ -- Kees Cook Sat, 25 Jul 2009 09:04:46 -0700
+
+apparmor (2.3.1+1403-0ubuntu6) karmic; urgency=low
+
+ [ Kees Cook ]
+ * parser/parser_policy.c: return errors instead of exiting.
+ * debian/apparmor.init: skip more suffixes.
+ * parser/parser_lex.l: define file suffixes to ignore.
+ * parser/parser_main.c: disable cache for parsing reports.
+ * debian/apparmor.init: also remove unparsed profiles.
+
+ [ Jamie Strandboge ]
+ * update gnome abstraction for /var/run/gdm/auth*/database
+ * utils/SubDomain.pm: parse profiles in subdirectories, not just include
+ files (LP: #401935)
+
+ -- Jamie Strandboge Mon, 20 Jul 2009 11:45:24 -0500
+
+apparmor (2.3.1+1403-0ubuntu5) karmic; urgency=low
+
+ * Always use --replace when loading profiles so that if profiles
+ are loaded outside of the init script (e.g. dhcp3), the init
+ script does not abort (LP: #401109).
+ * parser/parser_main.c: more carefully create cache files.
+
+ -- Kees Cook Sun, 19 Jul 2009 07:48:11 -0700
+
+apparmor (2.3.1+1403-0ubuntu4) karmic; urgency=low
+
+ * utils/SubDomain.pm: exclude new cache directory.
+ * parser/parser_main.c:
+ - allow OPTION_REMOVE to work again (LP: #400781).
+ - warn about using stdin.
+ - do not cache disabled profiles.
+ - report cached loading if not quiet.
+ * debian/apparmor.init:
+ - do not depend on aa-status.
+ - only write cache from init script.
+
+ -- Kees Cook Fri, 17 Jul 2009 10:10:05 -0700
+
+apparmor (2.3.1+1403-0ubuntu3) karmic; urgency=low
+
+ * debian/apparmor.init: more cleanly handle disabled AppArmor.
+
+ -- Kees Cook Fri, 17 Jul 2009 00:12:19 -0700
+
+apparmor (2.3.1+1403-0ubuntu2) karmic; urgency=low
+
+ * improve profile loading speed (LP: #382944):
+ - parser/parser_lex.l: move include handling into flex parser.
+ - parser/parser_main.c:
+ - move disable/complain logic into loader.
+ - add binary caching.
+ - debian/apparmor.init: reduce to bare minimum.
+
+ -- Kees Cook Wed, 15 Jul 2009 17:05:49 -0700
+
+apparmor (2.3.1+1403-0ubuntu1) karmic; urgency=low
+
+ [ Kees Cook ]
+ * New upstream bundle (svn1403).
+ * debian/apparmor.init: add specific Start/Stop dependencies
+ (LP: #372441).
+ * debian/control: correctly use lsb-base not sysv for Depends.
+
+ [ Jamie Strandboge ]
+ * add abstractions/launchpad-integration
+ * abstractions/audio: add pulseaudio
+ * add abstractions/private-files* for explicitly denying access to sensitive
+ files.
+
+ -- Kees Cook Fri, 10 Jul 2009 08:37:54 -0700
+
+apparmor (2.3+1289-0ubuntu15) karmic; urgency=low
+
+ * Depend on upstart 0.6.0 which contains upstart-compat-sysv now
+
+ -- Scott James Remnant Fri, 10 Jul 2009 10:28:45 +0100
+
+apparmor (2.3+1289-0ubuntu14) jaunty; urgency=low
+
+ * abstractions/smbpass: Add *.ldb used in Samba 3.2 and above (LP: #357581)
+
+ -- Thierry Carrez Wed, 08 Apr 2009 13:42:21 +0200
+
+apparmor (2.3+1289-0ubuntu13) jaunty; urgency=low
+
+ [ Kees Cook ]
+ * abstractions/gnome: allow /proc/$pid/mounts for gvfs.
+ * abstractions/python: clean up allowed paths (LP: #350820), thanks to
+ Jonathan Davies.
+
+ [ Jamie Strandboge ]
+ * abstractions/user-tmp: allow 'k' for files in tmp dirs (LP: #351275)
+
+ -- Jamie Strandboge Tue, 31 Mar 2009 09:57:57 -0500
+
+apparmor (2.3+1289-0ubuntu12) jaunty; urgency=low
+
+ * expand allowed library paths to handle unexpected architectures
+ (LP: #349819).
+
+ -- Kees Cook Fri, 27 Mar 2009 13:48:11 -0700
+
+apparmor (2.3+1289-0ubuntu11) jaunty; urgency=low
+
+ * fix path to winbindd_privileged/pipe in winbind abstraction (LP: #348541)
+
+ -- Jamie Strandboge Fri, 27 Mar 2009 08:29:13 -0500
+
+apparmor (2.3+1289-0ubuntu10) jaunty; urgency=low
+
+ * utils/SubDomain.pm:
+ - teach utils about rearranged syslog audit messages (LP: #340183)
+ from upstream commit
+ https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1393
+ - fix corruption of profiles, from upstream commit
+ https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1354
+ - don't ask about networking events over and over again, from upstream commit
+ https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1296
+ - use apparmor logdir instead of /tmp to write debugging log
+
+ -- Steve Beattie Thu, 19 Mar 2009 03:05:07 -0700
+
+apparmor (2.3+1289-0ubuntu9) jaunty; urgency=low
+
+ [ Kees Cook ]
+ * abstractions/base: allow /proc/$pid/maps (LP: #343287).
+ * abstractions/*: clean up lib, lib32, lib64 semantics (LP: #342200).
+ * abstractions/nameservice: fix up paths for nscd (LP: #342198).
+ * parser/rc.apparmor.functions, debian/apparmor.init: LSB-ify startup
+ messages (LP: #295200).
+
+ [ Steve Beattie ]
+ * libapparmor/src/scanner.l: adjust lexer to fix matching updated audit
+ messages (LP: #340183) from upstream commit
+ https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1389
+ * debian/source_apparmor.py: add a per-package apport hook (LP: #342554).
+
+ -- Kees Cook Wed, 18 Mar 2009 21:18:01 -0700
+
+apparmor (2.3+1289-0ubuntu8) jaunty; urgency=low
+
+ * abstractions/ssl_keys: allow read access to all of /etc/ssl (LP: #317109)
+ * utils/SubDomain.pm: re-add dropped patch to not process disable/ as
+ include files, and also don't process force-complain/ (LP: #331534)
+
+ -- Jamie Strandboge Thu, 12 Mar 2009 12:53:08 -0500
+
+apparmor (2.3+1289-0ubuntu7) jaunty; urgency=low
+
+ * abstractions/dbus: add machine-id
+ * abstractions/audio: add libcanberra paths
+ * abstractions/freedesktop.org: add user-dirs.dirs
+
+ -- Jamie Strandboge Thu, 12 Feb 2009 11:28:15 -0600
+
+apparmor (2.3+1289-0ubuntu6) jaunty; urgency=low
+
+ [ Kees Cook ]
+ * abstractions/X: add DRI paths.
+ * parser/Makefile: blacklist AF_PHONET.
+
+ [ Jamie Strandboge ]
+ * update usr.sbin.smbd profile to write to /var/lib/samba/** and
+ read/write to /var/run/dbus/system_bus_socket (LP: #294802)
+ * abstractions/freedesktop.org: use /usr/share/mime/**, @{HOME}/.icons/,
+ and @{HOME}/.recently-used.xbel*
+ * abstractions/gnome: add gvfs remote-volume-monitors paths and printing
+ files
+
+ -- Kees Cook Mon, 22 Dec 2008 17:20:10 -0800
+
+apparmor (2.3+1289-0ubuntu5) jaunty; urgency=low
+
+ * abstractions/nameservice: allow read access to
+ /etc/resolvconf/run/resolv.conf (LP: #286080)
+ * adjust src/grammar.y and src/scanner.l to account for the moved type=NNNN
+ field in 2.6.27 kernels and capture non-matching logfile input instead of
+ printing it to stdout (LP: #271252). Patch thanks to Jesse Michael and
+ Steve Beattie.
+ - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1310
+ * add syslog test cases to testsuite. Patch thanks to Steve Beattie.
+ - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1307
+ - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1308
+ - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1309
+
+ -- Jamie Strandboge Tue, 21 Oct 2008 09:09:58 -0500
+
+apparmor (2.3+1289-0ubuntu4) intrepid; urgency=low
+
+ * parser/rc.apparmor.functions: fix typo seen when admin changes
+ the default location of the apparmor.d directory (LP: #280467).
+ * abstractions/{samba,base}: clean up unneeded "m" permissions.
+ * abstractions/perl: add missing default perl paths.
+
+ -- Kees Cook Wed, 08 Oct 2008 16:42:10 -0700
+
+apparmor (2.3+1289-0ubuntu3) intrepid; urgency=low
+
+ * add locking permission to /var/log/wtmp abstraction, thanks to
+ Martin Pitt (LP: #253328).
+ * utils/logprof.conf: repository updated for Intrepid (LP: #258818).
+ * profiles/apparmor.d/usr.sbin.nscd: added cache directory (LP: #144383).
+ * parser/rc.apparmor.functions: redirect stderr (LP: #244013).
+ * parser/Makefile: blacklist "AF_ISDN".
+
+ -- Kees Cook Wed, 30 Jul 2008 09:29:03 -0700
+
+apparmor (2.3+1289-0ubuntu2) intrepid; urgency=low
+
+ [ Mathias Gug ]
+ * debian/control:
+ - move apparmor-profiles to a suggested package by apparmor.
+
+ [ Kees Cook ]
+ * debian/control
+ - move libterm-readline-gnu-perl to "suggests".
+ - drop apparmor-modules-source since it no longer exists.
+
+ -- Kees Cook Wed, 02 Jul 2008 12:35:12 -0700
+
+apparmor (2.3+1289-0ubuntu1) intrepid; urgency=low
+
+ * Updated to upstream subversion v1289.
+ - new parser requires new AppArmor kernel LSM.
+ * debian/control:
+ - add libapparmor-perl, and associated Depends
+ - bump standards version to 3.7.3.0 (no changes needed)
+ * debian/rules:
+ - adjust "clean" rule to be more effective.
+
+ -- Kees Cook Sat, 28 Jun 2008 15:38:12 -0700
+
+apparmor (2.1+1075-0ubuntu10) intrepid; urgency=low
+
+ [ Jamie Strandboge ]
+ * added abstractions/smbpass and #include it in abstractions/authentication
+ to allow access to /var/lib/samba/*.tdb. LP: #217787
+
+ [ Mathias Gug ]
+ * update likewise-open authentication abstraction: allow access to
+ privileged pipe (LP: #235646).
+ * Update smbd profile to include access to /var/spool/samba/ (printer
+ sharing) and utmp update (LP: #237066).
+ * Update esound location in audio profile (LP: #229127).
+ Thanks to Adam Mondl.
+ * Add dnsmasq profile (LP: #148590). Thanks to John Dong.
+
+ -- Mathias Gug Mon, 09 Jun 2008 18:24:09 -0400
+
+apparmor (2.1+1075-0ubuntu9) hardy; urgency=low
+
+ * parser/rc.apparmor.functions: do not abort if parser is missing, in
+ the case of an unpurged "apparmor" init script running under SELinux.
+
+ -- Kees Cook Mon, 07 Apr 2008 13:25:06 -0700
+
+apparmor (2.1+1075-0ubuntu8) hardy; urgency=low
+
+ * Sync bugfixes from upstream 8.04 branch, svn 1161.
+ - documentation updated to reflect AppArmor 2.1 features.
+ - minor profile updates (nscd, ntpd, opera)
+ - util/SubDomain.pm: corrected mask merging and type detection.
+
+ -- Kees Cook Wed, 02 Apr 2008 15:48:58 -0700
+
+apparmor (2.1+1075-0ubuntu7) hardy; urgency=low
+
+ * profiles/apparmor.d/abstractions/nameservice: (LP: #207912)
+ - fix ldap path
+ - add nsswitch "db" backend paths
+
+ -- Kees Cook Thu, 27 Mar 2008 14:19:06 -0700
+
+apparmor (2.1+1075-0ubuntu6) hardy; urgency=low
+
+ [ Kees Cook ]
+ * utils/SubDomain.pm:
+ - fix up mask parsing to match kernel version (LP: #202920).
+ - fix up syslog parsing regexp to match broken kernels (LP: #202888).
+ * profiles/apparmor.d/abstractions/base: add licenses path for reading.
+ * profiles/apparmor.d/abstractions/freedesktop.org: include /usr/local.
+ * profiles/apparmor.d/usr.sbin.smbd: include print client abstraction.
+ * profiles/apparmor.d/abstractions/nameservice: include missing gai.conf
+ (LP: #202991).
+
+ [ Jamie Strandboge ]
+ * add Debian Policy compliant way to toggle complain mode (LP: #203137)
+ - parser/rc.apparmor.functions: add '-C' to PARSER_ARGS if
+ force-complain/ exists
+ - utils/enforce: remove symlink in force-complain/
+ - debian/rules: create /etc/apparmor.d/force-complain
+
+ -- Kees Cook Mon, 17 Mar 2008 10:28:23 -0700
+
+apparmor (2.1+1075-0ubuntu5) hardy; urgency=low
+
+ * profiles/apparmor.d/abstractions/python: update shared python locations.
+ * debian/control: adjust Depends to allow sysvinit (LP: #199871).
+
+ -- Kees Cook Tue, 11 Mar 2008 15:25:11 -0700
+
+apparmor (2.1+1075-0ubuntu4) hardy; urgency=low
+
+ [ Jamie Strandboge ]
+ * removed usr.sbin.named and usr.sbin.mysqld, as these will be provided
+ be bind9 and mysql-server-5.0, respectively.
+
+ [ Mathias Gug ]
+ * profiles/apparmor.d/abstractions/ssl_keys: add ssl_keys abstraction, to
+ be used by profiles accessing ssl privates keys.
+
+ [ Rick Clark ]
+ * added abstraction for likewise-open.
+
+ -- Mathias Gug Wed, 13 Feb 2008 19:16:12 -0500
+
+apparmor (2.1+1075-0ubuntu3) hardy; urgency=low
+
+ * profiles/apparmor.d/abstractions/fonts: add missing ~/.fonts.conf
+ * profiles/apparmor.d/sbin.klogd: add newly needed @{PROC}/kallsyms
+
+ -- Kees Cook Wed, 16 Jan 2008 14:16:18 -0800
+
+apparmor (2.1+1075-0ubuntu2) hardy; urgency=low
+
+ * utils/apparmor_status: fix module loaded test to handle built-in.
+
+ -- Kees Cook Thu, 03 Jan 2008 17:24:40 -0800
+
+apparmor (2.1+1075-0ubuntu1) hardy; urgency=low
+
+ [ Mathias Gug ]
+ * profiles/apparmor.d/abstractions/nameservice: update nameservice
+ abstraction to support nscd setup.
+
+ [ Kees Cook ]
+ * merge with upstream trunk revision 1075.
+ * debian/{control,apparmor.postrm,apparmor.postinst,apparmor.initramfs}:
+ dropped module hook since module is loaded in kernel automatically now.
+ * debian/rules: tweaked get-orig-source to use defined variables.
+ * debian/copyright: mention "get-orig-source" build rule.
+ * debian/{rules,control,libpam-apparmor.docs}: add libpam-apparmor now
+ that PAM is 0.99.
+
+ -- Kees Cook Thu, 03 Jan 2008 13:29:31 -0800
+
+apparmor (2.1+993-0ubuntu3) gutsy; urgency=low
+
+ [ Mathias Gug ]
+ * Add mdns4 resolution to nameservice abstraction. (LP: #148579).
+ * Update syslog-ng profile. (LP: #148708).
+ * Add xen tls libraries to base abstraction. (LP: #150282).
+ * Update cups-client abstraction: add /var/run/cups/cups.sock. (LP: #151269)
+
+ [ Kees Cook ]
+ * Adjust KDE abstractions for Ubuntu paths (LP: #148309).
+
+ -- Kees Cook Fri, 12 Oct 2007 12:54:36 -0700
+
+apparmor (2.1+993-0ubuntu2) gutsy; urgency=low
+
+ [ Mathias Gug ]
+ * debian/control: Set maintainer to Ubuntu Core Developers.
+ * utils/SubDomain.pm, utils/logprog.conf: refactor readprofiledir() to not
+ fail on non-existing profile directory. Fixes LP: #141128.
+ * debian/rules: don't compress profiles in doc/extras/.
+ * utils/SubDomain.pm: Fix regex so that aa-logprof can find audit messages
+ in syslog files. Fixes LP: #140508.
+ * Update usr.sbin.nscd profile. Fixes LP: #144383.
+
+ [ Kees Cook ]
+ * abstractions/gnupg: drop bad attempt at general-purpose client rule.
+ * abstractions/fonts: adjust for new syntax, add more local fonts paths.
+ * abstractions/nameservice: add mmap permission to some /etc files.
+
+ -- Kees Cook Tue, 25 Sep 2007 10:23:29 -0700
+
+apparmor (2.1+993-0ubuntu1) gutsy; urgency=low
+
+ * new merge from upstream:
+ * fixes to support new audit messages sent by the kernel module.
+ * bump in minor library version for libapparmor.
+ * debian/control: Add perl libterm-readkey-perl and librpc-xml-perl
+ dependencies for apparmor-utils. Fixes LP: #139757, LP: #139091.
+ * utils/SubDomain.pm: Re-enable RPC client for remote repositories.
+ * profiles/apparmor.d/sbin.syslogd: update profile.
+ Fixes LP: #140672, LP: #140274.
+
+ -- Mathias Gug Tue, 18 Sep 2007 11:12:50 -0400
+
+apparmor (2.1+961-0ubuntu5) gutsy; urgency=low
+
+ * utils/SubDomain.pm, parser/rc.apparmor.functions: skip .dpkg-dist profiles.
+ * debian/rules, debian/apparmor.postinst: fix postinst script failure on
+ upgrades. Fix LP: #139683.
+
+ -- Mathias Gug Fri, 14 Sep 2007 17:20:01 -0400
+
+apparmor (2.1+961-0ubuntu4) gutsy; urgency=low
+
+ [ Mathias Gug ]
+ * debian/rules: Fix libapparmor-dev build.
+ * apparmor-profiles: remove gnupg.moved.
+
+ [ Kees Cook ]
+ * abstractions: adjust gnome for new syntax.
+ * abstractions: adjust aspell to add locking.
+
+ -- Kees Cook Fri, 14 Sep 2007 09:34:15 -0700
+
+apparmor (2.1+961-0ubuntu3) gutsy; urgency=low
+
+ [ Mathias Gug ]
+ * Update avahi-daemon profile: add m permission to /etc/password and
+ /etc/group.
+
+ [ Kees Cook ]
+ * Rename libapparmor1-dev back to libapparmor-dev.
+
+ -- Kees Cook Thu, 13 Sep 2007 15:44:30 -0700
+
+apparmor (2.1+961-0ubuntu2) gutsy; urgency=low
+
+ [ Mathias Gug ]
+ * Disable html documentation: Fixes LP: #139091.
+ * parser/Makefile, debian/rules: disable html documentation building.
+ * debian/control: remove latex2html dependency.
+ * profiles/apparmor.d/usr.sbin.avahi-daemon: add sys_chroot capability.
+ Fixes LP: #139092.
+
+ [ Kees Cook ]
+ * profiles/apparmor.d/abstractions/user-tmp: adjust directory permissions
+ for newly unmasked /tmp handling (LP: #138978).
+ * utils/SubDomain.pm: disable remote repositories until RPC::XML MIR
+ clears (LP: 139091).
+ * utils/*.pod: adjust for Ubuntu paths and "aa-" prefixes (LP: #116647).
+ * Fix upgrades to not unload profiles, which would cause programs to
+ become unconfined:
+ - debian/rules: don't stop apparmor on upgrades.
+ - debian/apparmor.postinst: reload profiles after a configure.
+
+ -- Kees Cook Wed, 12 Sep 2007 13:14:02 -0700
+
+apparmor (2.1+961-0ubuntu1) gutsy; urgency=low
+
+ * New upstream version.
+ * Support resolvconf. Fix LP: #132468.
+ * Move package maintainance to bzr:
+ * Apply all patches directly into the tree with dpatch apply-all.
+ * debian/patches/: remove all patches as they are applied inline now.
+ * debian/control, debian/control.modules.in: remove dpatch from
+ Build Depends.
+ * debian/rules:
+ * remove dpatch include.
+ * remove patch and unpatch dependencies
+ * debian/control:
+ * Rename libapparmor-dev to libapparmor1-dev.
+ Add Provides: and Conflict: tags.
+ * Remove universe component in Section tag.
+ * Remove apparmor-utils depends on bsdutils.
+ * Update apparmor-modules Recommends to apparmor-modules-2.1.
+ * utils/:
+ * Add audit man page.
+ * Fix mod_appamor library: remove rpath info.
+ * debian/rules: remove rpath info.
+ * debian/control: add chrpath as a build dependency.
+ * Remove apparmor-modules-source package:
+ * debian/conrol: remove apparmor-modules-source package.
+ * debian/apparmor.postinst, debian/apparmor.preinst,
+ debian/apparmor.prerm: remove error_handler function.
+ * debian/rules: remove error_handler option from dh_installinit.
+ * debian/apparmor-modules-_KVERS_.postinst.modules.in,
+ debian/control.modules.in: remove control and postinst files.
+
+ -- Mathias Gug Tue, 11 Sep 2007 10:44:56 -0400
+
+apparmor (2.0.1+510.dfsg-0ubuntu25) gutsy; urgency=low
+
+ * debian/rules: move tunables/ and abstractions/ in apparmor package.
+ Fixes LP: #130114.
+
+ -- Mathias Gug Mon, 06 Aug 2007 14:40:37 -0400
+
+apparmor (2.0.1+510.dfsg-0ubuntu24) gutsy; urgency=low
+
+ * Cannot Depend on apparmor-modules-* in apparmor due to germinate
+ issues. Moved to Recommends.
+
+ -- Kees Cook Mon, 23 Jul 2007 11:08:38 -0700
+
+apparmor (2.0.1+510.dfsg-0ubuntu23) gutsy; urgency=low
+
+ * debian/control: add explicit Depends on l-u-m apparmor kernel modules.
+
+ -- Kees Cook Wed, 18 Jul 2007 21:07:03 -0700
+
+apparmor (2.0.1+510.dfsg-0ubuntu22) gutsy; urgency=low
+
+ * 13-subdomain.pm-skip-files.dpatch: update isSkippable function in
+ SubDomain.pm to skip the same files as rc.apparmor.functions (used by the
+ init script) : .dpkg-old, .dpkg-new and symlinks in disable/
+ sub-directory.
+
+ -- Mathias Gug Thu, 12 Jul 2007 06:56:45 -0400
+
+apparmor (2.0.1+510.dfsg-0ubuntu21) gutsy; urgency=low
+
+ * 07-apparmor-init-script.dpatch, debian/rules: skip profiles that have a
+ link in /etc/apparmor.d/disable. Update rules file : create
+ /etc/apparmor.d/disable.
+
+ -- Mathias Gug Mon, 09 Jul 2007 11:07:29 -0400
+
+apparmor (2.0.1+510.dfsg-0ubuntu20) gutsy; urgency=low
+
+ * debian/control
+ - fix typo in XS-Vcs.
+ - adjust apparmor-modules-source to no longer be required and document
+ the fact that the modules come from the linux-ubuntu-modules package
+ now.
+ - add initramfs-tools for loading apparmor modules early.
+ * debian/apparmor.{initramfs,postinst,prerm}, debian/rules: install
+ initramfs hook and update-initramfs for adding armor modules for boot.
+
+ -- Kees Cook Fri, 06 Jul 2007 03:41:06 -0700
+
+apparmor (2.0.1+510.dfsg-0ubuntu19) gutsy; urgency=low
+
+ * Update 11-getprocattr-api.dpatch: pass back the correct string pointer
+ so as to not corrupt kernel memory (LP: #123081).
+ * debian/control: add XS-Vcs for bzr branch.
+
+ -- Kees Cook Tue, 03 Jul 2007 09:07:52 -0700
+
+apparmor (2.0.1+510.dfsg-0ubuntu18) gutsy; urgency=low
+
+ * 02-profile-abstractions-ubuntu.dpatch: add m permission for all libraries
+ under /usr/lib/**, so that ssl libraries optimized for i686 can be
+ accessed.
+ * 09-profile-usr-sbin-mysqld.dpatch: add m permission to /etc/passwd,
+ /etc/group.
+ * 12-profile-samba.dpatch: add profile for smbd and nmbd daemons from
+ samba.
+ * 99-complain-all-profiles.dpatch: turn complain mode for smbd and nmbd
+ profiles.
+
+ -- Mathias Gug Fri, 29 Jun 2007 15:19:15 +0200
+
+apparmor (2.0.1+510.dfsg-0ubuntu17) gutsy; urgency=low
+
+ * Update 11-getprocattr-api.dpatch: match upstream more closely, check
+ for errors.
+
+ -- Kees Cook Tue, 26 Jun 2007 16:00:08 -0700
+
+apparmor (2.0.1+510.dfsg-0ubuntu16) gutsy; urgency=low
+
+ * Added 11-getprocattr-api.dpatch: update kernel module for getprocattr
+ API change (LP: #122444).
+
+ -- Kees Cook Tue, 26 Jun 2007 15:21:54 -0700
+
+apparmor (2.0.1+510.dfsg-0ubuntu15) gutsy; urgency=low
+
+ * debian/apparmor.init: do not unload apparmor module on stop, since it
+ already defaults to capabilities-compatible fall back and we don't want
+ to lose the started process knowledge of the module for the next load of
+ the parser.
+ * Added 10-namespace-header.dpatch: include namespace_sem extern, since
+ mnt_namespace.h is missing it currently.
+ * Updated 07-apparmor-init-script.dpatch: ignore .dpkg-old profiles.
+
+ -- Kees Cook Tue, 26 Jun 2007 10:04:54 -0700
+
+apparmor (2.0.1+510.dfsg-0ubuntu14) gutsy; urgency=low
+
+ * Correct missing libapparmor1 file contents.
+
+ -- Kees Cook Thu, 21 Jun 2007 08:04:42 -0700
+
+apparmor (2.0.1+510.dfsg-0ubuntu13) gutsy; urgency=low
+
+ * 02-profile-abstractions-ubuntu.dpatch: add /lib/tls/i686/cmov/lib* to base
+ abstraction to support i686 optimized libraries from libc6-i686 package.
+ * 09-profile-usr-sbin-mysqld.dpatch:
+ * add profile usr.sbin.mysqld
+ * update abstractions/mysql
+ * debian/rules: remove extras/usr.sbin.mysqld.
+ * 99-complain-all-profiles.dpatch:
+ * put mysqld profile in complain mode.
+ * put named profile in complain mode.
+
+ -- Mathias Gug Wed, 20 Jun 2007 12:12:28 -0400
+
+apparmor (2.0.1+510.dfsg-0ubuntu12) gutsy; urgency=low
+
+ * Add missing dh_makeshlibs call to rules, fix up libapparmor naming.
+
+ -- Kees Cook Wed, 20 Jun 2007 09:15:48 -0700
+
+apparmor (2.0.1+510.dfsg-0ubuntu11) gutsy; urgency=low
+
+ * Packaged libapparmor, libapparmor-dev, and libapache2-mod-apparmor.
+
+ -- Kees Cook Mon, 18 Jun 2007 18:27:46 -0700
+
+apparmor (2.0.1+510.dfsg-0ubuntu10) gutsy; urgency=low
+
+ * 02-profile-abstractions-ubuntu.dpatch, 06-profile-usr-sbin-named.dpatch:
+ move /dev/random into abstractions/base.
+ * 06-profile-usr-sbin-named.dpatch: Add sys_chroot capability.
+ * debian/rules: don't package aa-eventd and Reports.pm as they use perl
+ modules not maintained in main.
+ Reports.pm is only used by Yast for now. aa-eventd maintains an
+ sqlite database of audit messages which is used by Reports.pm.
+ If configured (not by default), aa-eventd can also send emails when
+ AppArmor audit messages are emited.
+ * debian/control: Add universe component to Section: header. Needed to make
+ it work with PPA.
+
+ -- Mathias Gug Fri, 15 Jun 2007 12:47:05 -0400
+
+apparmor (2.0.1+510.dfsg-0ubuntu9) gutsy; urgency=low
+
+ * 06-profile-usr-sbin-named.dpatch : Generate a new profile for
+ /usr/sbin/named to make it work with bind9.
+ * debian/apparmor.init, 07-apparmor-init-script.dpatch: merge ubuntu
+ changes with the latest version from upstream.
+ * 99-complain-all-profiles.dpatch : put all profiles into complain mode by
+ default.
+ Add a small script (put-all-profiles-in-complain-mode.sh) in
+ debian/ that takes care of automatically setting all profiles into
+ complain mode. This script should be used by the maintainer to set all
+ profiles in complain mode before packaging them.
+
+ -- Mathias Gug Wed, 6 Jun 2007 13:41:57 -0400
+
+apparmor (2.0.1+510.dfsg-0ubuntu8) gutsy; urgency=low
+
+ * Start apparmor as early as possible in the boot process : just after
+ mountall in rcS.d. Add preinst script to remove symlinks previously
+ installed in rc*.d/.
+ (LP: #116624).
+ * Sync 04-apparmor-status.dpatch with upstream apparmor_status. The previous
+ patch has been merged in upstream.
+ * Update klogd profile : add /var/run/klogd/klogd.pid and
+ /var/run/klogd/kmsg to the profile.
+
+ -- Mathias Gug Thu, 31 May 2007 14:26:03 -0400
+
+apparmor (2.0.1+510.dfsg-0ubuntu7) gutsy; urgency=low
+
+ * 03-profile-usr-sbin-ntpd.dpatch: udpdate profile for ntpd daemon. Add
+ /var/lib/ntp/ntp.drift and /var/log/ntpstats/peerstats* to the profile.
+
+ * 04-apparmor-status.dpatch: improve apparmor_status script. Report more
+ detailed information.
+
+ -- Mathias Gug Tue, 29 May 2007 13:05:55 -0400
+
+apparmor (2.0.1+510.dfsg-0ubuntu6) gutsy; urgency=low
+
+ * 02-profile-abstractions-ubuntu.dpatch: Update abstractions for changes
+ specific to Gnome, Debian, and 32bit on 64bit environments.
+ * debian/control: adjust Recommends to apparmor-modules-source
+ (LP: #113553).
+ * debian/apparmor.init: moved rmmod/modprobe into init script, and dropped
+ alias to avoid confusion and move control of the LSM closer to loading
+ the profiles and work around capability already being loaded in the
+ initrd (LP: #113887).
+
+ -- Kees Cook Thu, 17 May 2007 20:34:41 -0700
+
+apparmor (2.0.1+510.dfsg-0ubuntu5) gutsy; urgency=low
+
+ * 01-logger-path.dpatch: Fix path to logger (LP: #112147).
+
+ -- Kees Cook Thu, 03 May 2007 11:59:34 -0700
+
+apparmor (2.0.1+510.dfsg-0ubuntu4) feisty; urgency=low
+
+ * debian/control: move apparmor-modules to Recommends to Avoid
+ uninstallable situation when AppArmor modules haven't yet been
+ compiled/installed.
+
+ -- Kees Cook Wed, 11 Apr 2007 11:39:39 -0700
+
+apparmor (2.0.1+510.dfsg-0ubuntu3) feisty; urgency=low
+
+ * debian/rules, debian/apparmor.{postinst,prerm}: ignore init script
+ failures so that they don't block package installs/upgrades/uninstalls.
+
+ -- Kees Cook Wed, 11 Apr 2007 08:52:37 -0700
+
+apparmor (2.0.1+510.dfsg-0ubuntu2) feisty; urgency=low
+
+ * debian/control: add missing Depend on 'dpatch' for modules-source.
+
+ -- Kees Cook Sat, 7 Apr 2007 09:35:16 -0700
+
+apparmor (2.0.1+510.dfsg-0ubuntu1) feisty; urgency=low
+
+ * Initial release, thanks to Magnus Runesson and Jesse Michael
+ (LP: #95334).
+
+ -- Kees Cook Fri, 23 Mar 2007 16:42:01 -0700
--- apparmor-2.5.1~pre1393.orig/debian/libapache2-mod-apparmor.postrm
+++ apparmor-2.5.1~pre1393/debian/libapache2-mod-apparmor.postrm
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -e
+
+if [ "$1" = "purge" ]; then
+ APP_PROFILE="usr.lib.apache2.mpm-prefork.apache2"
+ rm -f /etc/apparmor.d/disable/$APP_PROFILE >/dev/null 2>&1 || true
+fi
+
--- apparmor-2.5.1~pre1393.orig/debian/control
+++ apparmor-2.5.1~pre1393/debian/control
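Review bot: The hand-written postrm for libapache2-mod-apparmor carries no `#DEBHELPER#` token, so any maintainer-script snippet that the debhelper tools invoked from debian/rules (dh_installdeb, dh_makeshlibs and similar) would generate for this package is silently dropped; whether one is generated today is not visible here, but the token is what dh_installdeb expects and costs nothing. Add `#DEBHELPER#` on a line of its own after the `fi`. The `>/dev/null 2>&1 || true` on the `rm -f` line is redundant, since `rm -f` already succeeds on a missing path, and it also masks a genuine failure such as a permission error from the `set -e` above; if swallowing that is intentional on purge, a one-line comment saying so would help the next reader, otherwise `rm -f /etc/apparmor.d/disable/$APP_PROFILE` alone is enough.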
@@ -0,0 +1,88 @@
+Source: apparmor
+Section: admin
+Priority: extra
+Maintainer: Ubuntu Core Developers
+Build-Depends: debhelper (>= 7.4.20ubuntu5), flex, bison, bzip2, apache2-prefork-dev, libpam-dev, autotools-dev, libtool, automake, autoconf, chrpath, texlive-latex-base, swig, quilt, po-debconf, dejagnu, chrpath
+Build-Depends-Indep: perl (>= 5.8.0)
+Standards-Version: 3.8.4
+Homepage: http://apparmor.wiki.kernel.org/
+Vcs-Bzr: https://code.launchpad.net/~ubuntu-core-dev/apparmor/master
+
+Package: apparmor
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, lsb-base, initramfs-tools, debconf
+Replaces: apparmor-parser
+Suggests: apparmor-profiles, apparmor-docs
+Description: User-space parser utility for AppArmor
+ AppArmor Parser is a user level programs that is used to load in program
+ profiles to the AppArmor Security kernel module.
+
+Package: apparmor-utils
+Architecture: any
+Depends: apparmor, libterm-readkey-perl, librpc-xml-perl, libapparmor-perl, ${shlibs:Depends}, ${misc:Depends}, ${perl:Depends}
+Suggests: apparmor-docs, libterm-readline-gnu-perl
+Description: Utilities for controlling AppArmor
+ This provides some useful programs to help create and manage
+ AppArmor profiles.
+
+Package: apparmor-profiles
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Recommends: apparmor
+Description: Profiles for AppArmor Security policies
+ Base AppArmor profiles (aka security policy). AppArmor is a file
+ mandatory access control mechanism. AppArmor confines processes
+ to the resources allowed by the systems administrator and can
+ constrain the scope of potential security vulnerabilities.
+
+Package: apparmor-docs
+Section: doc
+Architecture: all
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: Documentation for AppArmor
+ HTML and PDF documentation for AppArmor.
+
+Package: libapparmor-dev
+Section: libdevel
+Architecture: any
+Depends: libapparmor1 (= ${binary:Version})
+Description: AppArmor development libraries and header files
+ This package provides the develpment libraries and header files needed to
+ link against the AppArmor changehat and log parsing functions.
+
+Package: libapparmor1
+Section: libs
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: changehat AppArmor library
+ Library for AppArmor changehat function and log parsing.
+
+Package: libapparmor-perl
+Section: perl
+Architecture: any
+Depends: ${perl:Depends}, ${shlibs:Depends}, ${misc:Depends}
+Description: AppArmor library Perl bindings
+ Perl module providing bindings to libapparmor via swig.
+
+Package: libapache2-mod-apparmor
+Section: libs
+Architecture: any
+Depends: apache2.2-common, ${shlibs:Depends}, ${misc:Depends}
+Description: changehat AppArmor library as an Apache module
+ Library for allowing AppArmor changehat function in Apache.
+
+Package: libpam-apparmor
+Section: libs
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: changehat AppArmor library as a PAM module
+ Library for allowing AppArmor changehat function via PAM.
+
+Package: apparmor-notify
+Section: admin
+Architecture: all
+Depends: libapparmor-perl, libnotify-bin, ${perl:Depends}
+Description: AppArmor notification system
+ This package provides a utility to display AppArmor denial messages via
+ desktop notifications. The utility can also be used to generate summary
+ reports.
--- apparmor-2.5.1~pre1393.orig/debian/README.source
+++ apparmor-2.5.1~pre1393/debian/README.source
@@ -0,0 +1,2 @@
+This package uses quilt to manage patches; see:
+ /usr/share/doc/quilt/README.source
--- apparmor-2.5.1~pre1393.orig/debian/apparmor.install
+++ apparmor-2.5.1~pre1393/debian/apparmor.install
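Review bot: The `libapparmor-dev` and `apparmor-notify` stanzas omit `${misc:Depends}` from their Depends, so any dependency the debhelper tools compute for them (dh_installdeb, dh_perl and the like) is dropped from the binary packages; Lintian flags this as debhelper-but-no-misc-depends. Change them to `Depends: libapparmor1 (= ${binary:Version}), ${misc:Depends}` and `Depends: libapparmor-perl, libnotify-bin, ${perl:Depends}, ${misc:Depends}`. In the source stanza `chrpath` appears twice in Build-Depends, which is harmless but looks like a merge leftover; the trailing one can go. Two description typos worth fixing in the same pass: `develpment` in libapparmor-dev and `a user level programs that is used` (read `a user-level program that is used`) in the apparmor stanza.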
@@ -0,0 +1 @@
+debian/apport/source_apparmor.py /usr/share/apport/package-hooks/
--- apparmor-2.5.1~pre1393.orig/debian/rules
+++ apparmor-2.5.1~pre1393/debian/rules
@@ -0,0 +1,287 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+# Sample debian/rules that uses debhelper.
+# This file was originally written by Joey Hess and Craig Small.
+# As a special exception, when this file is copied by dh-make into a
+# dh-make output file, you may use that output file without restriction.
+# This special exception was added by Craig Small in version 0.37 of dh-make.
+
+include /usr/share/quilt/quilt.make
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+# libapparmor uses autotools
+export DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
+export DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
+
+# FOR AUTOCONF 2.52 AND NEWER ONLY
+CONFFLAGS =
+ifeq ($(DEB_BUILD_GNU_TYPE), $(DEB_HOST_GNU_TYPE))
+ CONFFLAGS += --build $(DEB_HOST_GNU_TYPE)
+else
+ CONFFLAGS += --build $(DEB_BUILD_GNU_TYPE) --host $(DEB_HOST_GNU_TYPE)
+endif
+
+CFLAGS = -Wall -g
+CXXFLAGS = -Wall -g
+
+ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
+ CFLAGS += -O0
+ CXXFLAGS += -O0
+else
+ CFLAGS += -O2
+ CXXFLAGS += -O2
+endif
+
+configure: patch configure-stamp
+configure-stamp: $(QUILT_STAMPFN)
+ dh_testdir
+ # Add here commands to configure the package.
+ # Regenerate all files. This should be done by the maintainer
+ # before building the source package and not at build time.
+ cd libraries/libapparmor && \
+ sh autogen.sh && \
+ sh configure $(CONFFLAGS) --prefix=/usr --with-perl
+ touch configure-stamp
+
+
+build: build-stamp
+
+build-stamp: configure-stamp
+ dh_testdir
+
+ # Add here commands to compile the package.
+ cd libraries/libapparmor && $(MAKE) && $(MAKE) check
+ cd utils && $(MAKE)
+ cd parser && $(MAKE)
+ cd profiles && $(MAKE)
+
+ touch $@
+
+clean: clean-patched unpatch
+clean-patched:
+ dh_testdir
+ dh_testroot
+ rm -f build-stamp configure-stamp
+
+ # Add here commands to clean up after the build process.
+ cd utils; [ ! -f Makefile ] || $(MAKE) clean; rm -f common
+ cd parser; [ !
-f Makefile ] || $(MAKE) clean; rm -f common \
+ libapparmor_re/regexp.o libapparmor_re/regexp.cc \
+ techdoc.aux techdoc.log techdoc.pdf techdoc.toc
+ cd profiles; [ ! -f Makefile ] || $(MAKE) clean; rm -f common
+ cd changehat/mod_apparmor && [ ! -f Makefile ] || $(MAKE) clean; rm -f common
+ cd changehat/pam_apparmor && [ ! -f Makefile ] || $(MAKE) clean; rm -f common
+
+ # Try to clean up from an autogen'd build
+ cd libraries/libapparmor && [ ! -f Makefile ] || $(MAKE) distclean
+ if [ -r debian/libapparmor.cleanup ] ; then \
+ xargs -t -r rm -f < debian/libapparmor.cleanup ;\
+ fi
+
+ dh_clean
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs
+
+ # Utils
+ cd utils; $(MAKE) \
+ DESTDIR=$(CURDIR)/debian/apparmor-utils \
+ PERLDIR=$(CURDIR)/debian/apparmor-utils/usr/share/perl5/Immunix \
+ install
+
+ # Notify (Ubuntu's notify.conf is installed via debhelper)
+ mkdir -p $(CURDIR)/debian/apparmor-notify/etc/apparmor
+ rm -f $(CURDIR)/debian/apparmor-utils/etc/apparmor/notify.conf
+ mkdir -p $(CURDIR)/debian/apparmor-notify/usr/bin
+ mv $(CURDIR)/debian/apparmor-utils/usr/sbin/*notify $(CURDIR)/debian/apparmor-notify/usr/bin
+ mkdir -p $(CURDIR)/debian/apparmor-notify/usr/share/man/man8
+ mv $(CURDIR)/debian/apparmor-utils/usr/share/man/man8/*notify.8* $(CURDIR)/debian/apparmor-notify/usr/share/man/man8
+
+ # install aa-update-browser and manpage
+ install -m755 -D $(CURDIR)/debian/aa-update-browser $(CURDIR)/debian/apparmor-utils/usr/sbin/aa-update-browser
+ cp $(CURDIR)/debian/aa-update-browser.8 $(CURDIR)/debian/apparmor-utils/usr/share/man/man8
+
+ # Parser
+ cd parser; $(MAKE) \
+ DESTDIR=$(CURDIR)/debian/apparmor \
+ install
+ rm $(CURDIR)/debian/apparmor/lib/apparmor/rc.*
+ mkdir -p $(CURDIR)/debian/apparmor/etc/apparmor.d/disable
+ mkdir -p $(CURDIR)/debian/apparmor/etc/apparmor.d/force-complain
+ mkdir -p $(CURDIR)/debian/apparmor/etc/apparmor.d/cache
+ rm -rf $(CURDIR)/debian/apparmor/lib
+
+ # general functions
+ install -m755
-D $(CURDIR)/debian/apparmor.functions $(CURDIR)/debian/apparmor/etc/apparmor/functions
+
+ # Changehat via libapparmor
+ cd libraries/libapparmor; $(MAKE) \
+ DESTDIR=$(CURDIR)/debian/libapparmor1 \
+ install
+ # don't include deprecated library and headers
+ rm -f $(CURDIR)/debian/libapparmor1/usr/lib/*immunix*
+ rm -f $(CURDIR)/debian/libapparmor1/usr/include/sys/immunix.h
+ # libapparmor-dev
+ mkdir -p $(CURDIR)/debian/libapparmor-dev/usr/lib
+ mv $(CURDIR)/debian/libapparmor1/usr/lib/libapparmor.a $(CURDIR)/debian/libapparmor-dev/usr/lib/
+ mv $(CURDIR)/debian/libapparmor1/usr/lib/libapparmor.la $(CURDIR)/debian/libapparmor-dev/usr/lib/
+ cp -P $(CURDIR)/debian/libapparmor1/usr/lib/libapparmor.so $(CURDIR)/debian/libapparmor-dev/usr/lib/
+ mv $(CURDIR)/debian/libapparmor1/usr/include $(CURDIR)/debian/libapparmor-dev/usr
+ # libapparmor-perl
+ mkdir -p $(CURDIR)/debian/libapparmor-perl/usr/lib
+ mv $(CURDIR)/debian/libapparmor1/usr/lib/perl5 $(CURDIR)/debian/libapparmor-perl/usr/lib/
+ find $(CURDIR)/debian/libapparmor-perl/usr/lib -name '*.so' | xargs chrpath --delete
+
+ # Changehat via mod_apparmor
+ cd changehat/mod_apparmor; $(MAKE) \
+ DESTDIR=$(CURDIR)/debian/libapache2-mod-apparmor \
+ LIBAPPARMOR_FLAGS="-I$(CURDIR)/debian/libapparmor-dev/usr/include -L$(CURDIR)/debian/libapparmor1/usr/lib -lapparmor" \
+ install
+ mkdir -p $(CURDIR)/debian/libapache2-mod-apparmor/etc/apache2/mods-available
+ echo "LoadModule apparmor_module /usr/lib/apache2/modules/mod_apparmor.so" > $(CURDIR)/debian/libapache2-mod-apparmor/etc/apache2/mods-available/apparmor.load
+ # Fix rpath in mod_apparmor.so
+ chrpath -d $(CURDIR)/debian/libapache2-mod-apparmor/usr/lib/apache2/modules/mod_apparmor.so
+
+ # Changehat via libpam-apparmor
+ cd changehat/pam_apparmor; $(MAKE) \
+ DESTDIR=$(CURDIR)/debian/libpam-apparmor \
+ CFLAGS="$(CFLAGS) -I$(CURDIR)/debian/libapparmor-dev/usr/include" \
+ LIBS="-L$(CURDIR)/debian/libapparmor1/usr/lib -lapparmor -lpam" \
+ install
+
+ # Fix rpath
in pam_apparmor.so
+ chrpath -d $(CURDIR)/debian/libpam-apparmor/lib/security/pam_apparmor.so
+
+ # Remove libapparmor.so now that mod_apparmor and libpam-apparmor have
+ # been built.
+ rm $(CURDIR)/debian/libapparmor1/usr/lib/libapparmor.so
+
+ # Profiles
+ cd profiles; $(MAKE) \
+ DESTDIR=$(CURDIR)/debian/apparmor-profiles \
+ EXTRAS_DEST=$(CURDIR)/debian/apparmor-profiles/usr/share/doc/apparmor-profiles/extras \
+ install
+
+ # Move local/README to apparmor
+ mkdir -p $(CURDIR)/debian/apparmor/etc/apparmor.d/local
+ mv $(CURDIR)/debian/apparmor-profiles/etc/apparmor.d/local/README $(CURDIR)/debian/apparmor/etc/apparmor.d/local
+
+ # Delete aa-eventd and Reports.pm
+ rm -f $(CURDIR)/debian/apparmor-utils/usr/sbin/aa-eventd
+ rm -f $(CURDIR)/debian/apparmor-utils/usr/share/perl5/Immunix/Reports.pm
+
+ # Delete existing enabled profiles that also appear in extras
+ rm -f $(CURDIR)/debian/apparmor-profiles/usr/share/doc/apparmor-profiles/extras/usr.sbin.mysqld
+
+ # Move tunable/ and abstractions/ in apparmor
+ # as long as apparmor-profiles is in universe.
+ mv $(CURDIR)/debian/apparmor-profiles/etc/apparmor.d/tunables/ $(CURDIR)/debian/apparmor/etc/apparmor.d/
+ mv $(CURDIR)/debian/apparmor-profiles/etc/apparmor.d/abstractions/ $(CURDIR)/debian/apparmor/etc/apparmor.d/
+
+ # Ship ubuntu-browsers.d/chromium-browser include in apparmor-profiles
+ mkdir -p $(CURDIR)/debian/apparmor-profiles/usr/share/apparmor-profiles/abstractions/ubuntu-browsers.d
+ cp $(CURDIR)/debian/profiles/chromium-browser $(CURDIR)/debian/apparmor-profiles/usr/share/apparmor-profiles/abstractions/ubuntu-browsers.d
+
+ # Move apache2 profile to libapache-mod-apparmor and create apache2.d directory
+ mkdir -p $(CURDIR)/debian/libapache2-mod-apparmor/etc/apparmor.d/apache2.d
+ mkdir -p $(CURDIR)/debian/libapache2-mod-apparmor/etc/apparmor.d/abstractions
+ mkdir -p $(CURDIR)/debian/libapache2-mod-apparmor/etc/apparmor.d/local
+ mv $(CURDIR)/debian/apparmor-profiles/etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 $(CURDIR)/debian/libapache2-mod-apparmor/etc/apparmor.d/
+ mv $(CURDIR)/debian/apparmor-profiles/etc/apparmor.d/local/usr.lib.apache2.mpm-prefork.apache2 $(CURDIR)/debian/libapache2-mod-apparmor/etc/apparmor.d/local
+ mv $(CURDIR)/debian/apparmor/etc/apparmor.d/abstractions/apache2-* $(CURDIR)/debian/libapache2-mod-apparmor/etc/apparmor.d/abstractions/
+
+ # Remove these since the ntp package ships its own profile now
+ rm -f $(CURDIR)/debian/apparmor/etc/apparmor.d/tunables/ntpd
+ rm -f $(CURDIR)/debian/apparmor-profiles/etc/apparmor.d/usr.sbin.ntpd
+ rm -f $(CURDIR)/debian/apparmor-profiles/etc/apparmor.d/local/usr.sbin.ntpd
+
+ # Don't ship tunables/home.d/site.local in Ubuntu
+ rm -f $(CURDIR)/debian/apparmor/etc/apparmor.d/tunables/home.d/site.local
+
+ # Don't ship local/ in apparmor-profiles in Ubuntu
+ rm -f $(CURDIR)/debian/apparmor-profiles/etc/apparmor.d/local/*
+
+ # set all profiles in apparmor-profiles to complain mode
+ cd $(CURDIR)/debian/apparmor-profiles && sh $(CURDIR)/debian/put-all-profiles-in-complain-mode.sh
+
+ #
Apparmor-doc
+ install -d $(CURDIR)/debian/apparmor-docs/usr/share/doc/apparmor-docs/
+ cp parser/techdoc.pdf $(CURDIR)/debian/apparmor-docs/usr/share/doc/apparmor-docs/
+
+
+ dh_install
+
+# Build architecture-independent files here.
+binary-indep: build install
+# We have nothing to do by default.
+
+# Build architecture-dependent files here.
+binary-arch: build install
+ dh_testdir
+ dh_testroot
+ dh_installchangelogs
+ dh_installdocs
+ dh_installexamples
+# dh_install
+# dh_installmenu
+ dh_installdebconf -papparmor
+# dh_installlogrotate
+# dh_installemacsen
+# dh_installpam
+# dh_installmime
+# dh_python
+ dh_apparmor --profile-name=bin.ping -papparmor-profiles
+ dh_apparmor --profile-name=usr.bin.chromium-browser -papparmor-profiles
+ dh_apparmor --profile-name=usr.lib.dovecot.dovecot-auth -papparmor-profiles
+ dh_apparmor --profile-name=usr.lib.dovecot.imap-login -papparmor-profiles
+ dh_apparmor --profile-name=usr.lib.dovecot.deliver -papparmor-profiles
+ dh_apparmor --profile-name=usr.lib.dovecot.imap -papparmor-profiles
+ dh_apparmor --profile-name=usr.lib.dovecot.managesieve-login -papparmor-profiles
+ dh_apparmor --profile-name=usr.lib.dovecot.pop3-login -papparmor-profiles
+ dh_apparmor --profile-name=usr.lib.dovecot.pop3 -papparmor-profiles
+ dh_apparmor --profile-name=usr.sbin.avahi-daemon -papparmor-profiles
+ dh_apparmor --profile-name=usr.sbin.dnsmasq -papparmor-profiles
+ dh_apparmor --profile-name=usr.sbin.dovecot -papparmor-profiles
+ dh_apparmor --profile-name=usr.sbin.identd -papparmor-profiles
+ dh_apparmor --profile-name=usr.sbin.mdnsd -papparmor-profiles
+ dh_apparmor --profile-name=usr.sbin.nmbd -papparmor-profiles
+ dh_apparmor --profile-name=usr.sbin.nscd -papparmor-profiles
+ dh_apparmor --profile-name=usr.sbin.smbd -papparmor-profiles
+ dh_apparmor --profile-name=usr.sbin.traceroute -papparmor-profiles
+ dh_apparmor --profile-name=sbin.klogd -papparmor-profiles
+ dh_apparmor --profile-name=sbin.syslogd -papparmor-profiles
+
dh_apparmor --profile-name=sbin.syslog-ng -papparmor-profiles
+ dh_installinit --update-rcd-params='start 37 S .' --no-restart-on-upgrade --error-handler=true
+# dh_installcron
+# dh_installinfo
+ dh_installman
+ dh_link
+ dh_strip
+ dh_compress -Xextras
+ dh_fixperms
+ dh_perl
+ dh_makeshlibs
+ dh_installdeb
+ dh_shlibdeps
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install configure patch unpatch
+
+VERSION=$(shell dpkg-parsechangelog | grep ^Version | cut -d+ -f1 | cut -d\ -f2)
+BZR_RELEASE=$(shell dpkg-parsechangelog | grep ^Version | cut -d+ -f2 | cut -d. -f1 | cut -d- -f1 | sed -e 's/bzr//')
+ORIG_FILE=$(CURDIR)/../apparmor_$(VERSION)+bzr$(BZR_RELEASE).orig.tar.gz
+BZR_CO_DIR=$(CURDIR)/apparmor-$(VERSION)+bzr$(BZR_RELEASE)
+get-orig-source:
+ test ! -e $(ORIG_FILE)
+ test ! -e $(BZR_CO_DIR)
+ bzr checkout --lightweight -r $(BZR_RELEASE) lp:~apparmor-dev/apparmor/master $(BZR_CO_DIR)
+ tar czf $(ORIG_FILE) -C `dirname $(BZR_CO_DIR)` --exclude .bzr `basename $(BZR_CO_DIR)`
+ rm -rf $(BZR_CO_DIR)
--- apparmor-2.5.1~pre1393.orig/debian/libapparmor.cleanup
+++ apparmor-2.5.1~pre1393/debian/libapparmor.cleanup
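Review bot: The `VERSION`/`BZR_RELEASE` variables feeding `get-orig-source` parse the changelog version on a `+bzrNNNN` layout (`cut -d+ -f2` followed by `sed -e 's/bzr//'`), but the source tree in this diff's paths is `apparmor-2.5.1~pre1393`, a `~preNNNN` version with no `+` in it; on such a line `cut -d+ -f2` returns the whole `Version:` line, so `BZR_RELEASE` presumably ends up as garbage and `bzr checkout -r $(BZR_RELEASE)` cannot work as written. Either retire the target or teach all four variables the `~pre` scheme, for example (a constructed sketch) `BZR_RELEASE=$(shell dpkg-parsechangelog | sed -n 's/^Version: .*~pre\([0-9]*\)-.*/\1/p')` with `ORIG_FILE`/`BZR_CO_DIR` named to match. Two smaller points in the same file: `dh_clean -k` in `install` has been deprecated in favour of `dh_prep` since debhelper 7, which Build-Depends already requires, and the two `cd changehat/... && [ ! -f Makefile ] || $(MAKE) clean` lines in `clean-patched` chain with `&&` unlike the `cd ...;` lines above them, so a failed `cd` skips the test and runs `$(MAKE) clean` in the top-level directory instead.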
@@ -0,0 +1,33 @@
+libraries/libapparmor/config.guess
+libraries/libapparmor/config.sub
+libraries/libapparmor/ltmain.sh
+libraries/libapparmor/Makefile.in
+libraries/libapparmor/aclocal.m4
+libraries/libapparmor/compile
+libraries/libapparmor/configure
+libraries/libapparmor/depcomp
+libraries/libapparmor/install-sh
+libraries/libapparmor/missing
+libraries/libapparmor/py-compile
+libraries/libapparmor/ylwrap
+libraries/libapparmor/doc/Makefile.in
+libraries/libapparmor/doc/aa_change_hat.2
+libraries/libapparmor/src/Makefile.in
+libraries/libapparmor/src/af_protos.h
+libraries/libapparmor/src/grammar.c
+libraries/libapparmor/src/grammar.h
+libraries/libapparmor/src/scanner.c
+libraries/libapparmor/src/scanner.h
+libraries/libapparmor/swig/Makefile.in
+libraries/libapparmor/swig/perl/.build-stamp
+libraries/libapparmor/swig/perl/LibAppArmor.pm
+libraries/libapparmor/swig/perl/Makefile.in
+libraries/libapparmor/swig/perl/Makefile.perl
+libraries/libapparmor/swig/perl/Makefile.perl.old
+libraries/libapparmor/swig/perl/libapparmor_wrap.c
+libraries/libapparmor/swig/python/Makefile.in
+libraries/libapparmor/swig/ruby/Makefile.in
+libraries/libapparmor/testsuite/Makefile.in
+libraries/libapparmor/testsuite/config/Makefile.in
+libraries/libapparmor/testsuite/lib/Makefile.in
+libraries/libapparmor/testsuite/libaalogparse.test/Makefile.in
--- apparmor-2.5.1~pre1393.orig/debian/copyright
+++ apparmor-2.5.1~pre1393/debian/copyright
@@ -0,0 +1,142 @@
+This package was debianized by Kees Cook on
+Fri, 23 Mar 2007 13:40:47 -0800, based on packages debianized
+by Magnus Runesson on
+Sun, 18 Mar 2007 13:40:47 +0100.
+
+It was downloaded from:
+ http://kernel.org/pub/linux/security/apparmor/
+
+----------------------------------------
+main code base:
+
+Upstream Author: apparmor@vger.kernel.org
+
+Copyright: 1998-2007 Novell/SuSE/Immunix
+ 2007-2010 Canonical Ltd.
+
+License:
+
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this package; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+
+On Debian systems, the complete text of the GNU General
+Public License can be found in `/usr/share/common-licenses/GPL'.
+
+----------------------------------------
+module/apparmor/match/pcre_exec.*,
+parser/pcre/*,
+module-deprecated/aamatch/pcre_exec.*:
+
+Upstream Author: Philip Hazel
+
+Copyright: 1997-2001 University of Cambridge
+
+License:
+
+Permission is granted to anyone to use this software for any purpose on any
+computer system, and to redistribute it freely, subject to the following
+restrictions:
+
+1. This software is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+2. The origin of this software must not be misrepresented, either by
+ explicit claim or by omission.
+
+3.
Altered versions must be plainly marked as such, and must not be
+ misrepresented as being the original software.
+
+4. If PCRE is embedded in any software that is released under the GNU
+ General Purpose Licence (GPL), then the terms of that licence shall
+ supersede any condition above with which it is incompatible.
+
+----------------------------------------
+profiles/enabled/sbin.syslog-ng:
+
+Copyright: 2006 Novell, Christian Boltz
+
+License:
+
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+
+----------------------------------------
+profiles/extras/usr.bin.passwd:
+
+Copyright: 2006 Novell, Volker Kuhlmann
+
+License:
+
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+
+----------------------------------------
+changehat/pam_apparmor:
+
+Copyright: 2006 Novell
+
+License:
+
+Redistribution and use in source and binary forms of Linux-PAM, with
+or without modification, are permitted provided that the following
+conditions are met:
+
+1. Redistributions of source code must retain any existing copyright
+ notice, and this entire permission notice in its entirety,
+ including the disclaimer of warranties.
+
+2. Redistributions in binary form must reproduce all prior and current
+ copyright notices, this list of conditions, and the following
+ disclaimer in the documentation and/or other materials provided
+ with the distribution.
+
+3. The name of any author may not be used to endorse or promote
+ products derived from this software without their specific prior
+ written permission.
+
+ALTERNATIVELY, this product may be distributed under the terms of the
+GNU General Public License, in which case the provisions of the GNU
+GPL are required INSTEAD OF the above restrictions.
(This clause is
+necessary due to a potential conflict between the GNU GPL and the
+restrictions contained in a BSD-style copyright.)
+
+THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
+TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+DAMAGE.
+
+----------------------------------------
+changehat/libapparmor, changehat/mod_apparmor:
+
+Copyright: 2003-2006 Novell
+
+License: GNU Lesser General Public License, version 2.1.
+
+On Debian systems, the complete text of the GNU General
+Public License can be found in `/usr/share/common-licenses/LGPL-2.1'.
+
+----------------------------------------
+
+The Debian packaging is (C) 2007-2010, Canonical Ltd and is licensed under
+the GPL, see above.
--- apparmor-2.5.1~pre1393.orig/debian/apparmor.postrm
+++ apparmor-2.5.1~pre1393/debian/apparmor.postrm
@@ -0,0 +1,79 @@
+#!/bin/sh
+# postrm script for apparmor
+#
+# see: dh_installdeb(1)
+set -e
+
+# summary of how this script can be called:
+# * `remove'
+# * `purge'
+# * `upgrade'
+# * `failed-upgrade'
+# * `abort-install'
+# * `abort-install'
+# * `abort-upgrade'
+# * `disappear'
+#
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+# Undo removal of a no-longer used conffile
+undo_rm_conffile()
+{
+ CONFFILE="$1"
+
+ if [ ! -e "$CONFFILE" ]; then
+ if [ -e "$CONFFILE".dpkg-bak ]; then
+ echo "Restoring modified conffile $CONFFILE"
+ mv -f "$CONFFILE".dpkg-bak "$CONFFILE"
+ elif [ -e "$CONFFILE".dpkg-obsolete ]; then
+ mv -f "$CONFFILE".dpkg-obsolete "$CONFFILE"
+ fi
+ fi
+}
+
+# Finish removal of a no-longer used conffile
+finish_rm_conffile()
+{
+ CONFFILE="$1"
+
+ if [ -e "$CONFFILE".dpkg-bak ]; then
+ rm -f "$CONFFILE".dpkg-bak
+ fi
+}
+
+case "$1" in
+ abort-install|abort-upgrade)
+
+ if dpkg --compare-versions "$2" lt-nl 2.3.1+1403-0ubuntu31; then
+ undo_rm_conffile /etc/apparmor/initramfs
+ fi
+ ;;
+ purge)
+ if dpkg --compare-versions "$2" lt-nl 2.3.1+1403-0ubuntu31; then
+ finish_rm_conffile /etc/apparmor/initramfs
+ fi
+
+ if [ -e /usr/share/debconf/confmodule ]; then
+ . /usr/share/debconf/confmodule
+ db_purge
+ fi
+
+ if [ -e "/etc/apparmor.d/tunables/home.d/ubuntu" ]; then
+ rm -f /etc/apparmor.d/tunables/home.d/ubuntu
+ fi
+ ;;
+ remove|upgrade|failed-upgrade|disappear)
+ ;;
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
--- apparmor-2.5.1~pre1393.orig/debian/aa-update-browser.8
+++ apparmor-2.5.1~pre1393/debian/aa-update-browser.8
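Review bot: The `purge` branch only calls `finish_rm_conffile` when `dpkg --compare-versions "$2" lt-nl 2.3.1+1403-0ubuntu31` holds, but `postrm purge` is invoked without a version argument and the `-nl` comparisons treat an empty version as later than any version, so as far as I can tell the guard is never true and `/etc/apparmor/initramfs.dpkg-bak` is left behind on purge. Since `finish_rm_conffile` is only an `rm -f` of the backup, the guard can simply be dropped: `finish_rm_conffile /etc/apparmor/initramfs`. The `[ -e ... ] && rm -f` pair for `tunables/home.d/ubuntu` further down is the same shape and would read more simply as a bare `rm -f`.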
@@ -0,0 +1,42 @@
+.IX Title "AA-UPDATE-BROWSER 8"
+.TH AA-UPDATE-BROWSER 8 "2010-08-11" "Canonical Ltd" "AppArmor"
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+aa-update-browser \- update browser profiles with browser abstractions
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBaa-update-browser\fR [option]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+\&\fBaa-update-browser\fR will list current browser abstractions in
+/etc/apparmor.d/abstractions/ubuntu-browsers.d as well as update browser
+profiles to use those abstractions.
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+\&\fBaa-update-browser\fR accepts the following arguments:
+.IP "\-d" 4
+.IX Item "-d"
+dry-run. Only show what would be done.
+.IP "\-u \s-1ABSTRACTIONS\s0" 4
+.IX Item "-u ABSTRACTIONS"
+update the specified profile with the comma-separated list of
+\s-1ABSTRACTIONS\s0. Specifying '' will remove all \s-1ABSTRACTIONS\s0.
+.IP "\-l" 4
+.IX Item "-l"
+show supported browser abstractions
+.IP "\-h" 4
+.IX Item "-h"
+show help
+.SH "BUGS"
+.IX Header "BUGS"
+\&\fBaa-update-browser\fR will always add the plugins-common abstraction if
+the list of abstractions \s-1ABSTRACTIONS\s0 is not empty.
+.PP
+If you find any additional bugs, please report them to Launchpad at
+.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fIapparmor\fR\|(7)
--- apparmor-2.5.1~pre1393.orig/debian/apparmor.preinst
+++ apparmor-2.5.1~pre1393/debian/apparmor.preinst
@@ -0,0 +1,52 @@
+#!/bin/sh
+# preinst script for apparmor
+#
+# see: dh_installdeb(1)
+set -e
+
+# Prepare to remove a no-longer used conffile
+prep_rm_conffile()
+{
+ PKGNAME="$1"
+ CONFFILE="$2"
+
+ if [ -e "$CONFFILE" ]; then
+ md5sum="`md5sum \"$CONFFILE\" | sed -e \"s/ .*//\"`"
+ old_md5sum="`dpkg-query -W -f='${Conffiles}' $PKGNAME | sed -n -e \"\\\\' $CONFFILE'{s/ obsolete$//;s/.* //p}\"`"
+ if [ "$md5sum" != "$old_md5sum" ]; then
+ echo "Obsolete conffile $CONFFILE has been modified by you, renaming to .dpkg-bak"
+ mv -f "$CONFFILE" "$CONFFILE".dpkg-bak
+ else
+ mv -f "$CONFFILE" "$CONFFILE".dpkg-obsolete
+ fi
+ fi
+}
+
+case "$1" in
+ install|upgrade)
+ # Remove old symlinks in rc[\d].d.
+ if dpkg --compare-versions "${2}" le-nl "2.0.1+510.dfsg-0ubuntu7"
+ then
+ update-rc.d -f apparmor remove
+ fi
+ if dpkg --compare-versions "$2" lt-nl 2.3.1+1403-0ubuntu31; then
+ prep_rm_conffile apparmor /etc/apparmor/initramfs
+ fi
+ ;;
+
+ abort-upgrade)
+ # Nothing to do
+ ;;
+
+ *)
+ echo "preinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
--- apparmor-2.5.1~pre1393.orig/debian/apparmor.prerm
+++ apparmor-2.5.1~pre1393/debian/apparmor.prerm
@@ -0,0 +1,23 @@
+#!/bin/sh
+# prerm script for apparmor
+#
+# see: dh_installdeb(1)
+set -e
+
+# summary of how this script can be called:
+# * `remove'
+# * `upgrade'
+# * `failed-upgrade'
+# * `remove' `in-favour'
+# * `deconfigure' `in-favour'
+# `removing'
+#
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
--- apparmor-2.5.1~pre1393.orig/debian/libapache2-mod-apparmor.postinst
+++ apparmor-2.5.1~pre1393/debian/libapache2-mod-apparmor.postinst
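Review bot: `prep_rm_conffile` builds both checksums with nested backticks and escaped quotes (`\"$CONFFILE\"`, `\\\\'`), which is hard to audit for quoting mistakes in a script that renames files under `/etc`; `$(...)` lets the inner quotes stand as written, e.g. `md5sum="$(md5sum "$CONFFILE" | sed -e 's/ .*//')"`. `$PKGNAME` is also passed to `dpkg-query` unquoted while every other expansion in the function is quoted, which reads as an oversight even though the only caller passes a fixed name. The prerm hunk on the same line is boilerplate and needs nothing.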
@@ -0,0 +1,45 @@
+#!/bin/sh
+# postinst script for libapache2-mod-apparmor
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * `configure'
+# * `abort-upgrade'
+# * `abort-remove' `in-favour'
+#
+# * `abort-remove'
+# * `abort-deconfigure' `in-favour'
+# `removing'
+#
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+ configure)
+ APP_PROFILE="/etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2"
+ if [ -f "$APP_PROFILE" ] && aa-status --enabled 2>/dev/null; then
+ apparmor_parser -rTW "$APP_PROFILE" || true
+ fi
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
--- apparmor-2.5.1~pre1393.orig/debian/apparmor.functions
+++ apparmor-2.5.1~pre1393/debian/apparmor.functions
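Review bot: The `configure` branch loads the profile with `apparmor_parser -rTW` whenever the file exists and AppArmor is enabled, yet the companion libapache2-mod-apparmor.preinst in this same commit creates `/etc/apparmor.d/disable/usr.lib.apache2.mpm-prefork.apache2` precisely to keep this profile out of the kernel; unless this apparmor_parser honours the disable/ symlink by itself (I cannot confirm that from the diff), a deliberately disabled profile is put into enforce mode on every configure. A check before the load keeps the two scripts consistent: `if [ -f "$APP_PROFILE" ] && [ ! -e "/etc/apparmor.d/disable/${APP_PROFILE##*/}" ] && aa-status --enabled 2>/dev/null; then`. The `|| true` on the parser call also hides a profile that fails to compile; a one-line warning to stderr in that case would make the failure visible without failing the install.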
@@ -0,0 +1,82 @@
+#!/bin/sh
+# ----------------------------------------------------------------------
+# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
+# NOVELL (All rights reserved)
+# Copyright (c) 2008-2010 Canonical, Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, contact Novell, Inc.
+# ----------------------------------------------------------------------
+# Authors:
+# Kees Cook
+#
+# /etc/apparmor/functions
+
+PROFILES="/etc/apparmor.d"
+PARSER="/sbin/apparmor_parser"
+SECURITYFS="/sys/kernel/security"
+export AA_SFS="$SECURITYFS/apparmor"
+
+# Suppress warnings when booting in quiet mode
+quiet_arg=""
+[ "${QUIET:-no}" = yes ] && quiet_arg="-q"
+[ "${quiet:-n}" = y ] && quiet_arg="-q"
+
+foreach_configured_profile() {
+ (ls -1 "$PROFILES" | egrep -v '(\.dpkg-(new|old|dist|bak)|~)$' | \
+ while read profile; do
+ if [ -f "$PROFILES"/"$profile" ]; then
+ echo "$PROFILES"/"$profile"
+ fi
+ done) | \
+ xargs -n1 -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" --
+}
+
+load_configured_profiles() {
+ clear_cache_if_outdated
+ foreach_configured_profile $quiet_arg --write-cache --replace
+}
+
+load_configured_profiles_without_caching() {
+ foreach_configured_profile $quiet_arg --replace
+}
+
+recache_profiles() {
+ clear_cache
+ foreach_configured_profile $quiet_arg --write-cache --skip-kernel-load
+}
+
+configured_profile_names() {
+ foreach_configured_profile $quiet_arg -N 2>/dev/null | sort | grep -v '\^'
+}
+
+running_profile_names() {
+ cat
"$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | sort
+}
+
+unload_profile() {
+ echo -n "$1" > "$AA_SFS"/.remove
+}
+
+clear_cache() {
+ find "$PROFILES"/cache -maxdepth 1 -type f -print0 | xargs -0 rm -f --
+}
+
+clear_cache_if_outdated() {
+ if [ -r "$PROFILES"/cache/.features ]; then
+ read CACHE_FEATURES < "$PROFILES"/cache/.features
+ read KERN_FEATURES < "$AA_SFS"/features
+ if [ "$KERN_FEATURES" != "$CACHE_FEATURES" ]; then
+ clear_cache
+ fi
+ fi
+}
--- apparmor-2.5.1~pre1393.orig/debian/apparmor.config
+++ apparmor-2.5.1~pre1393/debian/apparmor.config
@@ -0,0 +1,9 @@
+#!/bin/sh
+set -e
+
+# debconf
+. /usr/share/debconf/confmodule
+db_version 2.0
+
+db_input medium apparmor/homedirs || true
+db_go
--- apparmor-2.5.1~pre1393.orig/debian/templates
+++ apparmor-2.5.1~pre1393/debian/templates
@@ -0,0 +1,9 @@
+Template: apparmor/homedirs
+Type: string
+_Description: Additional home directory locations:
+ Please enter a space separated list of any additional locations for user
+ home directories. These locations are in addition to those specified in
+ /etc/apparmor.d/tunables/home and must end with a '/'.
+ .
+ Example: if user's directories are stored in /srv/nfs/home and /mnt/homes,
+ you should enter "/srv/nfs/home/ /mnt/homes/".
--- apparmor-2.5.1~pre1393.orig/debian/apparmor.init
+++ apparmor-2.5.1~pre1393/debian/apparmor.init
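Review bot: `foreach_configured_profile` drives GNU `xargs -n1` without `-r`, so when the file list is empty (no profiles installed yet, or every file filtered out by the `egrep -v`) xargs still runs `"$PARSER" "$@" --` once with no file operand, and the parser will then try to read policy from stdin instead of reporting that there is nothing to do. `--no-run-if-empty` avoids that stray invocation: `xargs -r -n1 -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" --`. `clear_cache` has the same `find | xargs` shape and would take the same flag for consistency, although `rm -f` with no operands is harmless. `running_profile_names` strips only `(enforce)` and `(complain)`; if a later kernel reports another mode suffix the name passed to `unload_profile` will carry it, which is worth a short comment at the `sed`.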
@@ -0,0 +1,132 @@
+#!/bin/sh
+# ----------------------------------------------------------------------
+# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
+# NOVELL (All rights reserved)
+# Copyright (c) 2008, 2009 Canonical, Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, contact Novell, Inc.
+# ----------------------------------------------------------------------
+# Authors:
+# Steve Beattie
+# Kees Cook
+#
+# /etc/init.d/apparmor
+#
+### BEGIN INIT INFO
+# Provides: apparmor
+# Required-Start: mountall
+# Required-Stop: umountfs
+# Default-Start: S
+# Default-Stop:
+# Short-Description: AppArmor initialization
+# Description: AppArmor init script. This script loads all AppArmor profiles.
+### END INIT INFO
+
+. /etc/apparmor/functions
+. /lib/lsb/init-functions
+
+usage() {
+ echo "Usage: $0 {start|stop|restart|reload|force-reload|status|recache}"
+}
+
+test -x ${PARSER} || exit 0 # by debian policy
+# LSM is built-in, so it is either there or not enabled for this boot
+test -d /sys/module/apparmor || exit 0
+
+securityfs() {
+ # Need securityfs for any mode
+ if [ ! -d "${AA_SFS}" ]; then
+ if cut -d" " -f2,3 /proc/mounts | grep -q "^${SECURITYFS} securityfs"'$' ; then
+ log_action_msg "AppArmor not available as kernel LSM."
+ log_end_msg 1
+ exit 1
+ else
+ log_action_begin_msg "Mounting securityfs on ${SECURITYFS}"
+ if ! mount -t securityfs none "${SECURITYFS}"; then
+ log_action_end_msg 1
+ log_end_msg 1
+ exit 1
+ fi
+ fi
+ fi
+ if [ !
-w "$AA_SFS"/.load ]; then
+ log_action_msg "Insufficient privileges to change profiles."
+ log_end_msg 1
+ exit 1
+ fi
+}
+
+# Allow "recache" even when running on the liveCD
+if [ "$1" = "recache" ]; then
+ recache_profiles
+ exit $?
+fi
+
+# do not perform start/stop/reload actions when running from liveCD
+test -d /rofs/etc/apparmor.d && exit 0
+
+case "$1" in
+ start)
+ log_daemon_msg "Starting AppArmor profiles"
+ securityfs
+ load_configured_profiles
+ rc=$?
+ log_end_msg "$rc"
+ ;;
+ stop)
+ log_daemon_msg "Unloading AppArmor profiles"
+ securityfs
+ running_profile_names | while read profile; do
+ if ! unload_profile "$profile" ; then
+ log_end_msg 1
+ exit 1
+ fi
+ done
+ rc=0
+ log_end_msg $rc
+ ;;
+ restart|reload|force-reload)
+ log_daemon_msg "Reloading AppArmor profiles"
+ securityfs
+ clear_cache
+ load_configured_profiles
+ rc=$?
+
+ # Now, we have to find profiles that were removed. Currently
+ # we must re-parse all the profiles to get policy names. :(
+ aa_configured=$(mktemp -t aa-XXXXXX)
+ configured_profile_names > "$aa_configured" || exit 1
+ aa_loaded=$(mktemp -t aa-XXXXXX)
+ running_profile_names > "$aa_loaded" || exit 1
+ comm -2 -3 "$aa_loaded" "$aa_configured" | while read profile ; do
+ unload_profile "$profile"
+ done
+ rm -f "$aa_configured" "$aa_loaded"
+
+ log_end_msg "$rc"
+ ;;
+ status)
+ securityfs
+ if [ -x /usr/bin/aa-status ]; then
+ /usr/bin/aa-status --verbose
+ else
+ cat "$AA_SFS"/profiles
+ fi
+ rc=$?
+ ;;
+ *)
+ usage
+ exit 1
+ ;;
+ esac
+exit $rc
--- apparmor-2.5.1~pre1393.orig/debian/apparmor-notify.install
+++ apparmor-2.5.1~pre1393/debian/apparmor-notify.install
@@ -0,0 +1,2 @@
+debian/notify/notify.conf /etc/apparmor/
+debian/notify/90apparmor-notify /etc/X11/Xsession.d/
--- apparmor-2.5.1~pre1393.orig/debian/apparmor.postinst
+++ apparmor-2.5.1~pre1393/debian/apparmor.postinst
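Review bot: In the `stop` branch the `exit 1` inside `running_profile_names | while read profile` only leaves the pipeline's subshell; the script then unconditionally sets `rc=0`, so a profile that could not be unloaded is reported as a successful stop (the script does not use `set -e`, so nothing else catches it). Capturing the pipeline's status is enough: replace `rc=0` with `rc=$?`. The `restart|reload|force-reload` branch has the related weakness that `unload_profile` failures in its `comm ... | while read` loop are ignored entirely, and the two `|| exit 1` lines leave the `mktemp` files behind on the error path; a `trap 'rm -f "$aa_configured" "$aa_loaded"' EXIT` after the first `mktemp` would cover both exits. The hunk starts on the previous line.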
@@ -0,0 +1,109 @@
+#!/bin/sh
+# postinst script for apparmor
+#
+# see: dh_installdeb(1)
+set -e
+
+. /usr/share/debconf/confmodule
+
+# summary of how this script can be called:
+# * `configure'
+# * `abort-upgrade'
+# * `abort-remove' `in-favour'
+#
+# * `abort-remove'
+# * `abort-deconfigure' `in-favour'
+# `removing'
+#
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+# Remove a no-longer used conffile
+rm_conffile()
+{
+ CONFFILE="$1"
+
+ if [ -e "$CONFFILE".dpkg-obsolete ]; then
+ echo "Removing obsolete conffile $CONFFILE"
+ rm -f "$CONFFILE".dpkg-obsolete
+ fi
+}
+
+case "$1" in
+ configure|abort-remove|abort-deconfigure)
+ if dpkg --compare-versions "$2" lt-nl 2.3.1+1403-0ubuntu31; then
+ rm_conffile /etc/apparmor/initramfs
+ fi
+
+ # Try to determine values for apparmor/homedirs if the administrator
+ # hasn't already.
+ if dpkg --compare-versions "$2" lt-nl "2.5~pre+bzr1362-0ubuntu2"; then
+ db_get apparmor/homedirs
+ if [ -z "$RET" ]; then
+ # Get unique dirnames for uids between 1000 and 30000, then
+ # format them appropriately for AppArmor
+ dirs=`awk -F: '$3 >= 1000 && $3 < 30000 {printf "%s\n", $6}' /etc/passwd | xargs -d '\n' -n 1 dirname | grep -v '^/home$' | sed -e 's#\(.*\)#\\1/#g' | sed -e '/ / { s#\(.*\)#"\\1"#g }' | sort -u | tr '\n' ' '`
+ if [ -n "$dirs" ]; then
+ db_set apparmor/homedirs "$dirs"
+ fi
+ fi
+ fi
+
+ db_get apparmor/homedirs
+ tmp=`mktemp`
+ cat > "$tmp" <> "$tmp" <> "$tmp" </dev/null || true
+ mv -f "$tmp" /etc/apparmor.d/tunables/home.d/ubuntu
+ chmod 644 /etc/apparmor.d/tunables/home.d/ubuntu
+ ;;
+
+ abort-upgrade)
+ # Nothing to do
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+# Now that AppArmor is started, attempt to reload profiles in the
+# case of upgrades (since dh_installinit has been forced not to unload
+# the profiles in the case of an upgrade).
+case "$1" in
+ configure)
+ if [ -x "/etc/init.d/apparmor" ]; then
+ if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
+ invoke-rc.d apparmor reload || true
+ else
+ /etc/init.d/apparmor reload || true
+ fi
+ fi
+ if dpkg --compare-versions "$2" lt-nl 2.3.1+1403-0ubuntu31; then
+ /usr/bin/dpkg-trigger update-initramfs
+ fi
+ ;;
+esac
+
+exit 0
--- apparmor-2.5.1~pre1393.orig/debian/aa-update-browser
+++ apparmor-2.5.1~pre1393/debian/aa-update-browser
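Review bot: The `apparmor/homedirs` answer is written into `/etc/apparmor.d/tunables/home.d/ubuntu` straight from `$RET` with no check that each entry is an absolute path ending in `/`, which is what the template asks for (the heredoc bodies are garbled in this rendering, so I cannot see how the value is quoted or whether the `/dev/null || true` line validates it). A malformed preseeded value would yield a tunable the parser rejects, and since the later `invoke-rc.d apparmor reload || true` swallows that failure, profiles that include `tunables/home` may quietly fail to load. Filtering `$RET` before the write (keeping only entries of the form `/.../`) and printing a warning when the reload fails would keep one bad answer from disabling confinement unnoticed. The `chmod 644` after the `mv` is needed because `mktemp` creates the file mode 0600; a one-line comment saying so would spare the next reader the question.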
@@ -0,0 +1,148 @@
+#!/bin/sh
+#
+# Copyright (C) 2010 Canonical, Ltd.
+# Author: Jamie Strandboge
+# License: GPLv2
+#
+# Program for updating browser abstractions in Ubuntu. The program will
+# search the specified profile for an include directive for a file in
+# abstractions/ubuntu-browsers.d and update this file with the specified
+# browsers abstractions.
+
+set -e
+
+topdir="/etc/apparmor.d"
+reldir="abstractions/ubuntu-browsers.d"
+dir="$topdir/$reldir"
+
+if [ ! -d "$dir" ]; then
+ echo "'$dir' is not a directory" >&2
+ exit 1
+fi
+
+help() {
+ cat <
+ -u comma separated list of abstractions for profile to use
+ -d dry-run. Only show what would be done.
+ -l list available abstractions
+ -h this message
+
+Eg:
+$ aa-update-browser -l
+# aa-update-browser -u multimedia,productivity /etc/apparmor.d/usr.bin.firefox
+EOM
+}
+
+find_browser_include() {
+ fn="$1"
+ r=`egrep " *#include <$reldir/.*> *(|#.*)" "$fn" | cut -f 2 -d '<' | cut -f 1 -d '>'`
+ if [ -z "$r" ]; then
+ echo "Could not find '#include <$reldir/...>' in" >&2
+ echo "$fn" >&2
+ return
+ fi
+ basename "$r"
+}
+
+existing_abstractions=""
+for i in $dir/* ; do
+ if [ ! -s "$i" ]; then
+ continue
+ fi
+
+ if head -1 "$i" | grep -q '^# This file is updated' ; then
+ continue
+ fi
+
+ # This has a leading space, which we use below.
+ existing_abstractions="$existing_abstractions `basename $i`"
+done
+
+updated=
+dryrun=
+while getopts "dhlu:" opt
+do
+ case "$opt" in
+ d) dryrun="yes";;
+ u) updated="$OPTARG";;
+ l)
+ echo "$existing_abstractions"
+ exit 0
+ ;;
+ h)
+ help
+ exit 0
+ ;;
+ ?)
+ help
+ exit 1
+ ;;
+ esac
+done
+shift $(($OPTIND - 1))
+
+if [ -z "$1" ]; then
+ help
+ exit 1
+fi
+
+for p in $* ; do
+ if [ !
-s "$p" ]; then
+ echo "Could not find '$p'" >&2
+ exit 1
+ fi
+
+ include=`find_browser_include $p`
+ if [ -z "$include" ]; then
+ exit 1
+ fi
+
+ if echo "$existing_abstractions" | grep -q " $include" ; then
+ echo "'$reldir/$include' is an existing abstraction" >&2
+ exit 1
+ fi
+
+ tmp=`mktemp`
+ plugins_common_path="$dir/plugins-common"
+ cat > "$tmp" <
+
+EOM
+ for a in `echo "$updated" | tr [,] ' '`; do
+ echo "$existing_abstractions" | egrep -q " $a( |$)" || {
+ echo "'$a' is not an existing abstraction. Skipping." >&2
+ continue
+ }
+ if [ -f "$dir/$a" ]; then
+ # TODO: add $plugins_common_path only for those browser abstractions
+ # that actually need it.
+ if [ -n "$plugins_common_path" ] && [ -e "$plugins_common_path" ]; then
+ echo "#include <$reldir/`basename $plugins_common_path`>" >> "$tmp"
+ plugins_common_path=""
+ fi
+ echo "#include <$reldir/$a>" >> "$tmp"
+ else
+ echo "Skipping '$a' (not found in '$dir')" >&2
+ continue
+ fi
+ done
+
+ if [ "$dryrun" = "yes" ]; then
+ echo "Skipping commit to '$dir/$include' (dry run)" >&2
+ cat "$tmp"
+ rm -f "$tmp"
+ continue
+ fi
+ mv -f "$tmp" "$dir/$include" || {
+ rm -f "$tmp"
+ exit 1
+ }
+ chmod 644 "$dir/$include"
+done
+
--- apparmor-2.5.1~pre1393.orig/debian/put-all-profiles-in-complain-mode.sh
+++ apparmor-2.5.1~pre1393/debian/put-all-profiles-in-complain-mode.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+PROFILE_DIR="./etc/apparmor.d"
+
+for f in ${PROFILE_DIR}/*
+do
+ [ ! -f ${f} ] && continue
+ ! grep -q 'flags=(complain)' $f && sed -i 's/ {$/ flags=(complain) {/' $f
+done
--- apparmor-2.5.1~pre1393.orig/debian/libpam-apparmor.docs
+++ apparmor-2.5.1~pre1393/debian/libpam-apparmor.docs
@@ -0,0 +1 @@
+changehat/pam_apparmor/README
--- apparmor-2.5.1~pre1393.orig/debian/libapache2-mod-apparmor.preinst
+++ apparmor-2.5.1~pre1393/debian/libapache2-mod-apparmor.preinst
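Review bot: The main loop iterates `for p in $*` and then passes `$p` unquoted to `find_browser_include`, so a profile path containing whitespace is word-split into several bogus arguments and `[ ! -s "$p" ]` reports it as missing; `for p in "$@"` together with `include=$(find_browser_include "$p")` handles every path the shell can name. The `-u` value is split with `tr [,] ' '`, where the unquoted `[,]` is a glob that the shell would expand against a file literally named `,` in the current directory; `tr ',' ' '` is what is meant. These are points of style rather than a write-path concern: the destination filename is the `basename` of the include found in the profile and is checked against `existing_abstractions`, so the rewrite cannot leave `$dir`. The hunk starts on the previous line.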
@@ -0,0 +1,22 @@
+#!/bin/sh
+# preinst script for libapache2-mod-apparmor
+#
+# see: dh_installdeb(1)
+set -e
+
+APP_PROFILE="usr.lib.apache2.mpm-prefork.apache2"
+APP_CONFFILE="/etc/apparmor.d/$APP_PROFILE"
+APP_DISABLE="/etc/apparmor.d/disable/$APP_PROFILE"
+if [ "$1" = "install" ] || [ "$1" = "upgrade" ]; then
+ # Disable AppArmor profile on install or upgrade from earlier than when we
+ # first shipped the profile if the user does not already have a profile
+ # defined
+ if dpkg --compare-versions "$2" lt 2.3.1+1403-0ubuntu20 ; then
+ if [ ! -e "$APP_CONFFILE" ]; then
+ mkdir -p `dirname $APP_DISABLE` 2>/dev/null || true
+ ln -sf $APP_CONFFILE $APP_DISABLE
+ fi
+ fi
+fi
+
+exit 0
--- apparmor-2.5.1~pre1393.orig/debian/apparmor-profiles.postrm
+++ apparmor-2.5.1~pre1393/debian/apparmor-profiles.postrm
@@ -0,0 +1,26 @@
+#!/bin/sh
+# postrm script for apparmor-profiles
+#
+# see: dh_installdeb(1)
+set -e
+
+case "$1" in
+ purge)
+ if [ -e /etc/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser ]; then
+ rm -f /etc/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser
+ fi
+ ;;
+ remove|upgrade|failed-upgrade|disappear)
+ ;;
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
--- apparmor-2.5.1~pre1393.orig/debian/apparmor-profiles.postinst
+++ apparmor-2.5.1~pre1393/debian/apparmor-profiles.postinst
@@ -0,0 +1,49 @@
+#!/bin/sh
+# postinst script for apparmor-profiles
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * `configure'
+# * `abort-upgrade'
+# * `abort-remove' `in-favour'
+#
+# * `abort-remove'
+# * `abort-deconfigure' `in-favour'
+# `removing'
+#
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+case "$1" in
+ configure)
+ if [ ! -e /etc/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser ]; then
+ cp /usr/share/apparmor-profiles/abstractions/ubuntu-browsers.d/chromium-browser /etc/apparmor.d/abstractions/ubuntu-browsers.d || true
+ fi
+ ;;
+esac
+
+#DEBHELPER#
+
+case "$1" in
+ configure)
+ invoke-rc.d apparmor reload || true
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+exit 0
+
+
--- apparmor-2.5.1~pre1393.orig/debian/compat
+++ apparmor-2.5.1~pre1393/debian/compat
@@ -0,0 +1 @@
+5
--- apparmor-2.5.1~pre1393.orig/debian/patches/0008-lp601583.patch
+++ apparmor-2.5.1~pre1393/debian/patches/0008-lp601583.patch
@@ -0,0 +1,18 @@
+Origin: http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/1467
+Description: allow /var/run/gdm/*/database in X abstraction
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/601583
+
+Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/X
+===================================================================
+--- apparmor-2.5.1~pre1393.orig/profiles/apparmor.d/abstractions/X 2010-08-11 10:00:17.000000000 -0500
++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/X 2010-08-11 10:00:55.000000000 -0500
+@@ -17,7 +17,8 @@
+ @{HOME}/.ICEauthority r,
+
+ # .Xauthority files required for X connections, per user
+- @{HOME}/.Xauthority r,
++ @{HOME}/.Xauthority r,
++ owner /var/run/gdm/*/database r,
+
+ # the unix socket to use to connect to the display
+ /tmp/.X11-unix/* w,
--- apparmor-2.5.1~pre1393.orig/debian/patches/0004-ubuntu-pux.patch
+++ apparmor-2.5.1~pre1393/debian/patches/0004-ubuntu-pux.patch
@@ -0,0 +1,265 @@
+Origin: http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/1459
+Description: use 'PUx' instead of 'Ux' in abstractions/ubuntu-*
+
+Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ubuntu-bittorrent-clients
+===================================================================
+--- apparmor-2.5.1~pre1393.orig/profiles/apparmor.d/abstractions/ubuntu-bittorrent-clients 2010-08-10 14:46:49.000000000 -0500
++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ubuntu-bittorrent-clients 2010-08-10 14:47:31.000000000 -0500
+@@ -1,12 +1,12 @@
+ #
+ # abstraction for allowing graphical bittorrent clients in Ubuntu
+ #
+- /usr/bin/azureus Uxr,
+- /usr/bin/bitstormlite Uxr,
+- /usr/bin/btmaketorrentgui Uxr,
+- /usr/bin/deluge Uxr,
+- /usr/bin/gnome-btdownload Uxr,
+- /usr/bin/kget Uxr,
+- /usr/bin/ktorrent Uxr,
+- /usr/bin/qbittorrent Uxr,
+- /usr/bin/transmission Uxr,
++ /usr/bin/azureus PUxr,
++ /usr/bin/bitstormlite PUxr,
++ /usr/bin/btmaketorrentgui PUxr,
++ /usr/bin/deluge PUxr,
++ /usr/bin/gnome-btdownload PUxr,
++ /usr/bin/kget PUxr,
++ /usr/bin/ktorrent PUxr,
++ /usr/bin/qbittorrent PUxr,
++ /usr/bin/transmission PUxr,
+Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ubuntu-browsers
+===================================================================
+--- apparmor-2.5.1~pre1393.orig/profiles/apparmor.d/abstractions/ubuntu-browsers 2010-08-10 14:46:56.000000000 -0500
++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ubuntu-browsers 2010-08-10 14:47:31.000000000 -0500
+@@ -2,31 +2,31 @@
+ # abstraction for allowing access to graphical browsers in Ubuntu
+ #
+
+- /usr/bin/arora Ux,
+- /usr/bin/conkeror Ux,
+- /usr/bin/dillo Ux,
+- /usr/bin/Dooble Ux,
+- /usr/bin/epiphany Ux,
+- /usr/bin/epiphany-browser Ux,
+- /usr/bin/epiphany-webkit Ux,
+- /usr/lib/fennec-*/fennec Ux,
+- /usr/bin/galeon Ux,
+- /usr/bin/kazehakase Ux,
+- /usr/bin/konqueror Ux,
+- /usr/bin/midori Ux,
+- /usr/bin/netsurf Ux,
+- /usr/bin/prism Ux,
+- /usr/bin/rekonq Ux,
+- /usr/bin/seamonkey Ux,
++ /usr/bin/arora PUx,
++ /usr/bin/conkeror PUx,
++ /usr/bin/dillo PUx,
++ /usr/bin/Dooble PUx,
++ /usr/bin/epiphany PUx,
++ /usr/bin/epiphany-browser PUx,
++ /usr/bin/epiphany-webkit PUx,
++ /usr/lib/fennec-*/fennec PUx,
++ /usr/bin/galeon PUx,
++ /usr/bin/kazehakase PUx,
++ /usr/bin/konqueror PUx,
++ /usr/bin/midori PUx,
++ /usr/bin/netsurf PUx,
++ /usr/bin/prism PUx,
++ /usr/bin/rekonq PUx,
++ /usr/bin/seamonkey PUx,
+
+- /usr/bin/chromium-browser Ux,
+- /usr/lib/chromium-browser/chromium-browser Ux,
++ /usr/bin/chromium-browser PUx,
++ /usr/lib/chromium-browser/chromium-browser PUx,
+
+ # this should cover all firefox browsers and versions (including shiretoko
+ # and abrowser)
+- /usr/lib/firefox-*/firefox.sh Ux,
++ /usr/lib/firefox-*/firefox.sh PUx,
+
+ # some unpackaged, but popular browsers
+- /usr/lib/icecat-*/icecat Ux,
+- /usr/bin/opera Ux,
+- /opt/google/chrome/google-chrome Ux,
++ /usr/lib/icecat-*/icecat PUx,
++ /usr/bin/opera PUx,
++ /opt/google/chrome/google-chrome PUx,
+Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ubuntu-console-browsers
+===================================================================
+--- apparmor-2.5.1~pre1393.orig/profiles/apparmor.d/abstractions/ubuntu-console-browsers 2010-08-10 14:47:01.000000000 -0500
++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ubuntu-console-browsers 2010-08-10 14:47:31.000000000 -0500
+@@ -6,9 +6,9 @@
+ # #include
+ #
+
+- /usr/bin/elinks Ux,
+- /usr/bin/links Ux,
+- /usr/bin/lynx.cur Ux,
+- /usr/bin/netrik Ux,
+- /usr/bin/w3m Ux,
++ /usr/bin/elinks PUx,
++ /usr/bin/links PUx,
++ /usr/bin/lynx.cur PUx,
++ /usr/bin/netrik PUx,
++ /usr/bin/w3m PUx,
+
+Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ubuntu-console-email
+===================================================================
+--- apparmor-2.5.1~pre1393.orig/profiles/apparmor.d/abstractions/ubuntu-console-email 2010-08-10 14:47:08.000000000 -0500
++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ubuntu-console-email 2010-08-10 14:47:31.000000000 -0500
+@@ -6,9 +6,9 @@
+ # #include
+ #
+
+- /usr/bin/alpine Ux,
+- /usr/bin/citadel Ux,
+- /usr/bin/cone Ux,
+- /usr/bin/elmo Ux,
+- /usr/bin/mutt Ux,
++ /usr/bin/alpine PUx,
++ /usr/bin/citadel PUx,
++ /usr/bin/cone PUx,
++ /usr/bin/elmo PUx,
++ /usr/bin/mutt PUx,
+
+Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ubuntu-email
+===================================================================
+--- apparmor-2.5.1~pre1393.orig/profiles/apparmor.d/abstractions/ubuntu-email 2010-08-10 14:47:13.000000000 -0500
++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ubuntu-email 2010-08-10 14:47:31.000000000 -0500
+@@ -2,18 +2,18 @@
+ # abstraction for allowing graphical email clients in Ubuntu
+ #
+
+- /usr/bin/anjal Ux,
+- /usr/bin/balsa Ux,
+- /usr/bin/claws-mail Ux,
+- /usr/bin/evolution Ux,
+- /usr/lib/GNUstep/Applications/GNUMail.app/GNUMail Ux,
+- /usr/bin/kmail Ux,
+- /usr/bin/mailody Ux,
+- /usr/bin/modest Ux,
+- /usr/bin/seamonkey Ux,
+- /usr/bin/sylpheed Ux,
+- /usr/bin/tkrat Ux,
++ /usr/bin/anjal PUx,
++ /usr/bin/balsa PUx,
++ /usr/bin/claws-mail PUx,
++ /usr/bin/evolution PUx,
++ /usr/lib/GNUstep/Applications/GNUMail.app/GNUMail PUx,
++ /usr/bin/kmail PUx,
++ /usr/bin/mailody PUx,
++ /usr/bin/modest PUx,
++ /usr/bin/seamonkey PUx,
++ /usr/bin/sylpheed PUx,
++ /usr/bin/tkrat PUx,
+
+- /usr/lib/thunderbird/thunderbird Ux,
+- /usr/lib/thunderbird-3*/thunderbird Ux,
++ /usr/lib/thunderbird/thunderbird PUx,
++ /usr/lib/thunderbird-3*/thunderbird PUx,
+
+Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ubuntu-gnome-terminal
+===================================================================
+--- apparmor-2.5.1~pre1393.orig/profiles/apparmor.d/abstractions/ubuntu-gnome-terminal 2010-08-10 14:47:18.000000000 -0500
++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ubuntu-gnome-terminal 2010-08-10 14:47:31.000000000 -0500
+@@ -4,6 +4,6 @@
+
+ #include
+
+- # do not use ux or Ux here. Use at a minimum ix
++ # do not use ux or PUx here. Use at a minimum ix
+ /usr/bin/gnome-terminal ix,
+
+Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ubuntu-media-players
+===================================================================
+--- apparmor-2.5.1~pre1393.orig/profiles/apparmor.d/abstractions/ubuntu-media-players 2010-08-10 14:47:23.000000000 -0500
++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ubuntu-media-players 2010-08-10 14:47:31.000000000 -0500
+@@ -1,48 +1,48 @@
+ #
+ # abstraction for allowing access to media players in Ubuntu
+ #
+- /usr/bin/amarok Uxr,
+- /usr/bin/audacious2 Uxr,
+- /usr/bin/bangarang Uxr,
+- /usr/bin/banshee Uxr,
+- /usr/bin/banshee-1 Uxr,
+- /usr/bin/decibel Uxr,
+- /usr/bin/dragon Uxr,
+- /usr/bin/esperanza Uxr,
+- /usr/bin/exaile Uxr,
+- /usr/bin/freevo Uxr,
+- /usr/bin/gmerlin Uxr,
++ /usr/bin/amarok PUxr,
++ /usr/bin/audacious2 PUxr,
++ /usr/bin/bangarang PUxr,
++ /usr/bin/banshee PUxr,
++ /usr/bin/banshee-1 PUxr,
++ /usr/bin/decibel PUxr,
++ /usr/bin/dragon PUxr,
++ /usr/bin/esperanza PUxr,
++ /usr/bin/exaile PUxr,
++ /usr/bin/freevo PUxr,
++ /usr/bin/gmerlin PUxr,
+ /usr/bin/gtk-gnash ixr,
+- /usr/bin/gxmms Uxr,
+- /usr/bin/gxmms2 Uxr,
+- /usr/bin/hornsey Uxr,
+- /usr/bin/jlgui Uxr,
+- /usr/bin/juk Uxr,
+- /usr/bin/kaffeine Uxr,
+- /usr/bin/listen Uxr,
+- /usr/share/minirok/minirok.py Uxr,
++ /usr/bin/gxmms PUxr,
++ /usr/bin/gxmms2 PUxr,
++ /usr/bin/hornsey PUxr,
++ /usr/bin/jlgui PUxr,
++ /usr/bin/juk PUxr,
++ /usr/bin/kaffeine PUxr,
++ /usr/bin/listen PUxr,
++ /usr/share/minirok/minirok.py PUxr,
+
+ # mplayer
+ /etc/mplayerplug-in.conf r,
+- /usr/bin/gmplayer Uxr,
+- /usr/bin/gnome-mplayer Uxr,
+- /usr/bin/kmplayer Uxr,
+- /usr/bin/mplayer Uxr,
+- /usr/bin/smplayer Uxr,
++ /usr/bin/gmplayer PUxr,
++ /usr/bin/gnome-mplayer PUxr,
++ /usr/bin/kmplayer PUxr,
++ /usr/bin/mplayer PUxr,
++ /usr/bin/smplayer PUxr,
+
+- /usr/bin/muine Uxr,
+- /usr/bin/potamus Uxr,
+- /usr/bin/promoe Uxr,
+- /usr/bin/qmmp Uxr,
+- /usr/bin/quodlibet Uxr,
+- /usr/bin/rhythmbox Uxr,
+- /usr/bin/strange-quark Uxr,
+- /usr/bin/swfdec-player Uxr,
+- /usr/bin/timidity Uxr,
++ /usr/bin/muine PUxr,
++ /usr/bin/potamus PUxr,
++ /usr/bin/promoe PUxr,
++ /usr/bin/qmmp PUxr,
++ /usr/bin/quodlibet PUxr,
++ /usr/bin/rhythmbox PUxr,
++ /usr/bin/strange-quark PUxr,
++ /usr/bin/swfdec-player PUxr,
++ /usr/bin/timidity PUxr,
+ /usr/lib/totem/** ixr,
+- /usr/bin/totem-gstreamer Uxr,
+- /usr/bin/totem-xine Uxr,
+- /usr/bin/totem Uxr,
+- /usr/bin/vlc Uxr,
+- /usr/bin/xfmedia Uxr,
+- /usr/bin/xmms Uxr,
++ /usr/bin/totem-gstreamer PUxr,
++ /usr/bin/totem-xine PUxr,
++ /usr/bin/totem PUxr,
++ /usr/bin/vlc PUxr,
++ /usr/bin/xfmedia PUxr,
++ /usr/bin/xmms PUxr,
--- apparmor-2.5.1~pre1393.orig/debian/patches/series
+++ apparmor-2.5.1~pre1393/debian/patches/series
@@ -0,0 +1,13 @@
+0001-local-includes.patch
+0002-lp615177.patch
+0003-ubuntu-browsers-d.patch
+0004-ubuntu-pux.patch
+0005-add-chromium-browser.patch
+0006-kde4-config-pux.patch
+0007-lp605835.patch
+0008-lp601583.patch
+0009-lp565753.patch
+0010-fix-release.patch
+0011-lp514356+573344+593413.patch
+0012-lp625041.patch
+0013-lp623586.patch
--- apparmor-2.5.1~pre1393.orig/debian/patches/0003-ubuntu-browsers-d.patch
+++ apparmor-2.5.1~pre1393/debian/patches/0003-ubuntu-browsers-d.patch
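Review bot: The Description line of 0004-ubuntu-pux.patch only names the mode being swapped; it should say what the swap changes, because a reader can easily take `Ux` → `PUx` to mean these programs are now confined. As far as I know `PUx` first looks for a profile attached to the target path and falls back to unconfined (environment-scrubbed, as `Ux` already was) only when none is loaded, so for every binary in these lists the runtime behaviour is unchanged until a profile exists for it — the only such profile visible in this series is the chromium-browser one added by 0005. Suggest extending the Description with ` PUx transitions to the target's own profile when one is loaded and otherwise behaves like Ux, so shipping a profile for one of these programs confines it without editing the abstractions.` The `ubuntu-gnome-terminal` hunk updating the "do not use ux or PUx here" comment is consistent with that reading.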
@@ -0,0 +1,293 @@
+Origin: http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/1456
+ http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/1460
+ http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/1463
+ http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/1464
+ http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/1469
+Description: add profiles/apparmor.d/abstractions/ubuntu-browsers.d/* for use
+ with profiling browsers in Ubuntu
+
+Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ubuntu-browsers.d/java
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ubuntu-browsers.d/java 2010-08-11 14:11:54.000000000 -0500
+@@ -0,0 +1,105 @@
++ # Java plugin
++ owner @{HOME}/.java/deployment/deployment.properties k,
++ /etc/java-*/ r,
++ /etc/java-*/** r,
++ /usr/lib/jvm/java-6-openjdk/jre/lib/*/IcedTeaPlugin.so mr,
++ /usr/lib/jvm/java-6-openjdk/jre/bin/java cx -> browser_openjdk,
++ /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} cx -> browser_java,
++ /usr/lib/jvm/java-*-sun-1.*/jre/lib/*/libnp*.so cx -> browser_java,
++ /usr/lib/j2*-ibm/jre/bin/java cx -> browser_java,
++
++ # Profile for the supported OpenJDK in Ubuntu. This doesn't require the
++ # unfortunate workarounds of the proprietary Javas, so have a separate
++ # profile.
++ profile browser_openjdk {
++ #include
++ #include
++ #include
++ #include
++ #include
++ #include
++ #include
++ #include
++
++ network inet stream,
++ network inet6 stream,
++ @{PROC}/[0-9]*/net/if_inet6 r,
++ @{PROC}/[0-9]*/net/ipv6_route r,
++
++ /etc/java-*/ r,
++ /etc/java-*/** r,
++ /etc/lsb-release r,
++ /etc/ssl/certs/java/* r,
++ /etc/timezone r,
++
++ @{PROC}/[0-9]*/ r,
++ @{PROC}/[0-9]*/fd/ r,
++ @{PROC}/filesystems r,
++ /sys/devices/system/cpu/ r,
++ /sys/devices/system/cpu/** r,
++ /usr/share/** r,
++ /var/lib/dbus/machine-id r,
++
++ /usr/bin/env ix,
++ /usr/lib/jvm/java-6-openjdk/jre/bin/java ix,
++ /usr/lib/jvm/java-6-openjdk/jre/lib/i386/client/classes.jsa m,
++
++ # Why would java need this?
++ deny /usr/bin/gconftool-2 x,
++
++ owner @{HOME}/ r,
++ owner @{HOME}/** rwk,
++ }
++
++ # Profile for commercial Javas. These need workarounds to work right (eg
++ # Sun's forcing of an executable stack (LP: #535247)).
++ profile browser_java {
++ #include
++ #include
++ #include
++ #include
++ #include
++ #include
++ #include
++ #include
++
++ network inet stream,
++ network inet6 stream,
++ @{PROC}/[0-9]*/net/if_inet6 r,
++ @{PROC}/[0-9]*/net/ipv6_route r,
++
++ /etc/java-*/ r,
++ /etc/java-*/** r,
++ /etc/lsb-release r,
++ /etc/ssl/certs/java/* r,
++ /etc/timezone r,
++
++ @{PROC}/[0-9]*/ r,
++ @{PROC}/[0-9]*/fd/ r,
++ @{PROC}/filesystems r,
++ /sys/devices/system/cpu/ r,
++ /sys/devices/system/cpu/** r,
++ /usr/share/** r,
++ /var/lib/dbus/machine-id r,
++
++ /usr/bin/env ix,
++ /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} ix,
++ /usr/lib/jvm/java-*-sun-1.*/jre/lib/i386/client/classes.jsa m,
++ /usr/lib/j2*-ibm/jre/bin/java ix,
++
++ # noisy, can't write here anyway
++ deny /etc/.java/ w,
++ deny /etc/.java/** w,
++
++ deny /usr/bin/gconftool-2 x,
++
++ owner @{HOME}/ r,
++ owner @{HOME}/** rwk,
++
++ # These are seriously unfortunate, but required due to LP: #535247
++ /etc/passwd m,
++ owner @{HOME}/.java/**/cache/** m,
++ owner /tmp/** m,
++ /usr/lib{,32,64}/jvm/**/*.jar mr,
++ /usr/share/fonts/** m,
++ }
+Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ubuntu-browsers.d/kde
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ubuntu-browsers.d/kde 2010-08-11 14:11:44.000000000 -0500
+@@ -0,0 +1,2 @@
++ #include
++ /usr/bin/kde4-config Ux, # TODO: use PUx when apparmor is adjusted
+Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ubuntu-browsers.d/mailto
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ubuntu-browsers.d/mailto 2010-08-11 14:11:44.000000000 -0500
+@@ -0,0 +1,7 @@
++ # for mailto:
++ #include
++ #include
++
++ # Terminals for using console applications. These abstractions should ideally
++ # have 'ix' to restrct access to what only firefox is allowed to do
++ #include
+Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia 2010-08-11 14:11:44.000000000 -0500
+@@ -0,0 +1,33 @@
++ # Pulseaudio
++ /usr/bin/pulseaudio ixr,
++
++ # Image viewers
++ /usr/bin/eog PUxr,
++ /usr/bin/gimp* PUxr,
++
++ #include
++ owner @{HOME}/.macromedia/** rw,
++ /opt/real/RealPlayer/mozilla/nphelix.so rm,
++
++ # npviewer
++ /usr/lib/nspluginwrapper/i386/linux/npviewer{,.bin} ixr,
++ /var/lib/ r,
++ /var/lib/**/*.so mr,
++ /usr/bin/setarch ixr,
++
++ # Bittorrent clients
++ #include
++
++ # Mozplugger
++ /etc/mozpluggerrc r,
++ /usr/bin/mozplugger-helper PUxr,
++
++ # Archivers
++ /usr/bin/ark PUxr,
++ /usr/bin/file-roller PUxr,
++ /usr/bin/xarchiver PUxr,
++ /usr/local/lib{,32,64}/*.so* mr,
++
++ # TODO: check this
++ #include
++ /usr/bin/liferea-add-feed PUxr,
+Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common 2010-08-11 14:11:44.000000000 -0500
+@@ -0,0 +1,10 @@
++ #
++ # Plugins/helpers
++ #
++ @{PROC}/[0-9]*/fd/ r,
++ /usr/lib/** rm,
++ /bin/bash ixr,
++ /bin/dash ixr,
++ /bin/grep ixr,
++ /bin/sed ixr,
++ /usr/bin/m4 ixr,
+Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ubuntu-browsers.d/productivity
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ubuntu-browsers.d/productivity 2010-08-11 14:11:44.000000000 -0500
+@@ -0,0 +1,15 @@
++ # Openoffice.org
++ /usr/bin/ooffice PUxr,
++ /usr/bin/oocalc PUxr,
++ /usr/bin/oodraw PUxr,
++ /usr/bin/ooimpress PUxr,
++ /usr/bin/oowriter PUxr,
++ /usr/lib/openoffice/program/soffice PUxr,
++
++ # PDFs
++ /usr/bin/evince PUxr,
++ /usr/bin/okular PUxr,
++
++ owner @{HOME}/.adobe/** rw,
++ /opt/Adobe/Reader9/bin/acroread PUxr,
++ /opt/Adobe/Reader9/** r,
+Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ubuntu-browsers.d/text-editors
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ubuntu-browsers.d/text-editors 2010-08-11 14:11:44.000000000 -0500
+@@ -0,0 +1,7 @@
++ # Text editors (It's All Text [https://addons.mozilla.org/en-US/firefox/addon/4125])
++ /usr/bin/emacsclient.emacs-snapshot PUxr,
++ /usr/bin/emacsclient.emacs22 PUxr,
++ /usr/bin/gedit PUxr,
++ /usr/bin/vim.gnome PUxr,
++ /usr/bin/leafpad PUxr,
++ /usr/bin/mousepad PUxr,
+Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration 2010-08-11 14:11:44.000000000 -0500
+@@ -0,0 +1,15 @@
++ # Apport
++ /usr/bin/apport-bug PUx,
++
++ # Package installation
++ /usr/bin/apturl PUxr,
++ /usr/bin/gnome-codec-install PUxr,
++ /usr/lib/gstreamer0.10/gstreamer-0.10/gst-plugin-scanner ix,
++
++ # Input Methods
++ /usr/bin/scim PUx,
++ /usr/bin/scim-bridge PUx,
++
++ # File managers
++ /usr/bin/nautilus PUxr,
++ /usr/bin/thunar PUxr,
+Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ubuntu-browsers.d/user-files
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ubuntu-browsers.d/user-files 2010-08-11 14:11:44.000000000 -0500
+@@ -0,0 +1,23 @@
++ # Allow read to all files user has DAC access to and write access to all
++ # files owned by the user in $HOME.
++ @{HOME}/ r,
++ @{HOME}/** r,
++ owner @{HOME}/** w,
++ owner @{HOME}/Desktop/** r,
++
++ # Do not allow read and/or write to particularly sensitive/problematic files
++ #include
++ audit deny @{HOME}/.ssh/** mrwkl,
++ audit deny @{HOME}/.gnome2_private/** mrwkl,
++
++ # Comment this out if using gpg plugin/addons
++ audit deny @{HOME}/.gnupg/** mrwkl,
++
++ # Allow read to all files user has DAC access to and write for files the user
++ # owns on removable media and filesystems.
++ /media/** r,
++ /mnt/** r,
++ /srv/** r,
++ owner /media/** w,
++ owner /mnt/** w,
++ owner /srv/** w,
+Index: apparmor-2.5.1~pre1393/profiles/Makefile
+===================================================================
+--- apparmor-2.5.1~pre1393.orig/profiles/Makefile 2010-08-11 14:11:44.000000000 -0500
++++ apparmor-2.5.1~pre1393/profiles/Makefile 2010-08-11 14:11:44.000000000 -0500
+@@ -39,6 +39,7 @@
+ SUBDIRS_MUST_BE_SKIPPED=${PROFILES_SOURCE}/abstractions ${PROFILES_SOURCE}/apache2.d ${PROFILES_SOURCE}/program-chunks ${PROFILES_SOURCE}/tunables ${PROFILES_SOURCE}/local
+ PROFILES_TO_COPY=$(filter-out ${SUBDIRS_MUST_BE_SKIPPED}, $(wildcard ${PROFILES_SOURCE}/*))
+ TUNABLES_TO_COPY=$(filter-out ${PROFILES_SOURCE}/tunables/home.d, $(wildcard ${PROFILES_SOURCE}/tunables/*))
++ABSTRACTIONS_TO_COPY=$(filter-out ${PROFILES_SOURCE}/abstractions/ubuntu-browsers.d, $(wildcard ${PROFILES_SOURCE}/abstractions/*))
+
+ local:
+ for profile in ${PROFILES_TO_COPY}; do \
+@@ -56,7 +57,9 @@
+ ${PROFILES_DEST}/tunables/home.d \
+ ${PROFILES_DEST}/local
+ install -m 644 ${PROFILES_TO_COPY} ${PROFILES_DEST}
+- install -m 644 ${PROFILES_SOURCE}/abstractions/* ${PROFILES_DEST}/abstractions
++ install -m 644 ${ABSTRACTIONS_TO_COPY} ${PROFILES_DEST}/abstractions
++ install -m 755 -d ${PROFILES_DEST}/abstractions/ubuntu-browsers.d
++ install -m 644 ${PROFILES_SOURCE}/abstractions/ubuntu-browsers.d/* ${PROFILES_DEST}/abstractions/ubuntu-browsers.d
+ install -m 644 ${PROFILES_SOURCE}/apache2.d/* ${PROFILES_DEST}/apache2.d
+ install -m 644 ${PROFILES_SOURCE}/program-chunks/* ${PROFILES_DEST}/program-chunks
+ install -m 644 ${TUNABLES_TO_COPY} ${PROFILES_DEST}/tunables
--- apparmor-2.5.1~pre1393.orig/debian/patches/0013-lp623586.patch
+++ apparmor-2.5.1~pre1393/debian/patches/0013-lp623586.patch
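Review bot: The two child profiles in ubuntu-browsers.d/java, `browser_openjdk` and `browser_java`, grant `owner @{HOME}/** rwk,` without the `audit deny @{HOME}/.ssh/** mrwkl,`, `audit deny @{HOME}/.gnome2_private/** mrwkl,` and `audit deny @{HOME}/.gnupg/** mrwkl,` rules that ubuntu-browsers.d/user-files in this same patch applies to the browser itself, so after the `cx` transition the plugin JVM has broader access to the user's key material than its parent profile. Unless that asymmetry is intended, the same three deny lines belong in both child profiles, or both should include a shared abstraction that carries them, and a comment in the java file should say which of the two was chosen. Separately, the `owner @{HOME}/** w,` grant in user-files also covers files that are executed at login (shell rc files, the autostart directory); if that is accepted, a comment stating so next to the existing "sensitive/problematic files" block would keep the next reviewer from raising it again, otherwise those paths are candidates for the same deny list. The Makefile hunk is fine as far as this patch shows: `ABSTRACTIONS_TO_COPY` keeps the new subdirectory out of the flat `install -m 644` call and installs it separately.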
@@ -0,0 +1,17 @@
+Author: Till Kamppeter
+Description: allow access to ghostscript fonts when not using defoma
+Bug-Ubuntu: https://launchpad.net/bugs/623586
+Forwarded: Yes
+
+Index: apparmor-ubuntu-trunk/profiles/apparmor.d/abstractions/fonts
+===================================================================
+--- apparmor-ubuntu-trunk.orig/profiles/apparmor.d/abstractions/fonts 2010-09-03 07:32:29.000000000 -0500
++++ apparmor-ubuntu-trunk/profiles/apparmor.d/abstractions/fonts 2010-09-03 07:32:35.000000000 -0500
+@@ -32,6 +32,7 @@
+ /usr/share/xfce/fonts/** r,
+ /usr/share/ghostscript/fonts/** r,
+ /usr/share/texmf/*/fonts/** r,
++ /var/lib/ghostscript/** r,
+
+ @{HOME}/.fonts.conf r,
+ @{HOME}/.fonts/ r,
--- apparmor-2.5.1~pre1393.orig/debian/patches/0009-lp565753.patch
+++ apparmor-2.5.1~pre1393/debian/patches/0009-lp565753.patch
@@ -0,0 +1,34 @@
+Origin: http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/1468
+Description: add ubuntu-feed-readers abstraction and have
+ ubuntu-browsers.d/multimedia use it
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/565753
+
+Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia
+===================================================================
+--- apparmor-2.5.1~pre1393.orig/profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia 2010-08-11 10:04:42.000000000 -0500
++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia 2010-08-11 10:06:30.000000000 -0500
+@@ -1,3 +1,5 @@
++ #include
++
+ # Pulseaudio
+ /usr/bin/pulseaudio ixr,
+
+@@ -28,6 +30,5 @@
+ /usr/bin/xarchiver PUxr,
+ /usr/local/lib{,32,64}/*.so* mr,
+
+- # TODO: check this
+- #include
+- /usr/bin/liferea-add-feed PUxr,
++ # News feed readers
++ #include
+Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ubuntu-feed-readers
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ubuntu-feed-readers 2010-08-11 10:06:30.000000000 -0500
+@@ -0,0 +1,5 @@
++#
++# abstraction for allowing graphical news feed readers in Ubuntu
++#
++ /usr/bin/akregator PUxr,
++ /usr/bin/liferea-add-feed PUxr,
--- apparmor-2.5.1~pre1393.orig/debian/patches/0011-lp514356+573344+593413.patch
+++ apparmor-2.5.1~pre1393/debian/patches/0011-lp514356+573344+593413.patch
@@ -0,0 +1,35 @@
+Origin: http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/1472
+Description: ubuntu-browsers.d/user-files: ubuntu-integration: update for
+ kmozillahelper and gnome-appearance-properties. ubuntu-browsers.d/user-files:
+ update for /net
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/514356
+ https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/573344
+ https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/593413
+
+Index: apparmor-ubuntu-trunk/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration
+===================================================================
+--- apparmor-ubuntu-trunk.orig/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration 2010-08-18 10:38:37.000000000 -0500
++++ apparmor-ubuntu-trunk/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration 2010-08-18 10:38:49.000000000 -0500
+@@ -13,3 +13,9 @@
+ # File managers
+ /usr/bin/nautilus PUxr,
+ /usr/bin/thunar PUxr,
++
++ # Themes
++ /usr/bin/gnome-appearance-properties PUxr,
++
++ # Kubuntu
++ /usr/lib/mozilla/kmozillahelper PUxr,
+Index: apparmor-ubuntu-trunk/profiles/apparmor.d/abstractions/ubuntu-browsers.d/user-files
+===================================================================
+--- apparmor-ubuntu-trunk.orig/profiles/apparmor.d/abstractions/ubuntu-browsers.d/user-files 2010-08-18 10:38:40.000000000 -0500
++++ apparmor-ubuntu-trunk/profiles/apparmor.d/abstractions/ubuntu-browsers.d/user-files 2010-08-18 10:38:49.000000000 -0500
+@@ -18,6 +18,8 @@
+ /media/** r,
+ /mnt/** r,
+ /srv/** r,
++ /net/** r,
+ owner /media/** w,
+ owner /mnt/** w,
+ owner /srv/** w,
++ owner /net/** w,
--- apparmor-2.5.1~pre1393.orig/debian/patches/0010-fix-release.patch
+++ apparmor-2.5.1~pre1393/debian/patches/0010-fix-release.patch
@@ -0,0 +1,48 @@
+Author: Jamie Strandboge
+Description: define MAN_RELEASE and use it
+Forwarded: no
+
+Index: apparmor-2.5.1~pre1393/common/Make.rules
+===================================================================
+--- apparmor-2.5.1~pre1393.orig/common/Make.rules 2010-08-11 15:23:02.000000000 -0500
++++ apparmor-2.5.1~pre1393/common/Make.rules 2010-08-11 15:30:00.000000000 -0500
+@@ -194,29 +194,31 @@
+ $(foreach aa_page, $(filter %.${dir}, ${AA_MANPAGES}), \
+ ln -sf $(aa_page) ${DESTDIR}/${MANDIR}/man${dir}/${aa_page:%=aa-%};))
+
++MAN_RELEASE="Canonical, Ltd."
++
+ %.1: %.pod
+- $(POD2MAN) $< --release=NOVELL/SUSE --center=AppArmor --section=1 > $@
++ $(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=1 > $@
+
+ %.2: %.pod
+- $(POD2MAN) $< --release=NOVELL/SUSE --center=AppArmor --section=2 > $@
++ $(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=2 > $@
+
+ %.3: %.pod
+- $(POD2MAN) $< --release=NOVELL/SUSE --center=AppArmor --section=3 > $@
++ $(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=3 > $@
+
+ %.4: %.pod
+- $(POD2MAN) $< --release=NOVELL/SUSE --center=AppArmor --section=4 > $@
++ $(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=4 > $@
+
+ %.5: %.pod
+- $(POD2MAN) $< --release=NOVELL/SUSE --center=AppArmor --section=5 > $@
++ $(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=5 > $@
+
+ %.6: %.pod
+- $(POD2MAN) $< --release=NOVELL/SUSE --center=AppArmor --section=6 > $@
++ $(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=6 > $@
+
+ %.7: %.pod
+- $(POD2MAN) $< --release=NOVELL/SUSE --center=AppArmor --section=7 > $@
++ $(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=7 > $@
+
+ %.8: %.pod
+- $(POD2MAN) $< --release=NOVELL/SUSE --center=AppArmor --section=8 > $@
++ $(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=8 > $@
+
+ %.1.html: %.pod
+ $(POD2HTML) --header --css apparmor.css --infile=$< --outfile=$@
--- apparmor-2.5.1~pre1393.orig/debian/patches/0007-lp605835.patch
+++ apparmor-2.5.1~pre1393/debian/patches/0007-lp605835.patch
@@ -0,0 +1,22 @@
+Origin: http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/1466
+Description: allow ca-certificates in ssl_certs abstraction
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/605835
+
+Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ssl_certs
+===================================================================
+--- apparmor-2.5.1~pre1393.orig/profiles/apparmor.d/abstractions/ssl_certs 2010-08-11 09:22:54.000000000 -0500
++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ssl_certs 2010-08-11 09:23:16.000000000 -0500
+@@ -2,6 +2,7 @@
+ # ------------------------------------------------------------------
+ #
+ # Copyright (C) 2002-2005 Novell/SUSE
++# Copyright (C) 2010 Canonical Ltd.
+ #
+ # This program is free software; you can redistribute it and/or
+ # modify it under the terms of version 2 of the GNU General Public
+@@ -12,3 +13,5 @@
+ /etc/ssl/ r,
+ /etc/ssl/certs/ r,
+ /etc/ssl/certs/* r,
++ /usr/share/ca-certificates/ r,
++ /usr/share/ca-certificates/** r,
--- apparmor-2.5.1~pre1393.orig/debian/patches/0002-lp615177.patch
+++ apparmor-2.5.1~pre1393/debian/patches/0002-lp615177.patch
@@ -0,0 +1,17 @@
+Origin: http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/1457
+Description: 'owner' match in commit 1406 too strict for /tmp/ and /var/tmp/
+Bug-Ubuntu: https://launchpad.net/bugs/615177
+
+Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/user-tmp
+===================================================================
+--- apparmor-2.5.1~pre1393.orig/profiles/apparmor.d/abstractions/user-tmp 2010-08-09 10:13:55.000000000 -0500
++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/user-tmp 2010-08-09 10:14:34.000000000 -0500
+@@ -16,6 +16,6 @@
+
+ # global tmp directories
+ owner /var/tmp/** rwkl,
+- owner /var/tmp/ rw,
++ /var/tmp/ rw,
+ owner /tmp/** rwkl,
+- owner /tmp/ rw,
++ /tmp/ rw,
--- apparmor-2.5.1~pre1393.orig/debian/patches/0012-lp625041.patch
+++ apparmor-2.5.1~pre1393/debian/patches/0012-lp625041.patch
@@ -0,0 +1,16 @@
+Origin: http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/1479
+Description: ubuntu-browsers: add sensible-browser
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/625041
+
+Index: apparmor-ubuntu-trunk/profiles/apparmor.d/abstractions/ubuntu-browsers
+===================================================================
+--- apparmor-ubuntu-trunk.orig/profiles/apparmor.d/abstractions/ubuntu-browsers 2010-08-30 07:54:38.000000000 -0500
++++ apparmor-ubuntu-trunk/profiles/apparmor.d/abstractions/ubuntu-browsers 2010-08-30 07:55:14.000000000 -0500
+@@ -18,6 +18,7 @@
+ /usr/bin/prism PUx,
+ /usr/bin/rekonq PUx,
+ /usr/bin/seamonkey PUx,
++ /usr/bin/sensible-browser PUxr,
+
+ /usr/bin/chromium-browser PUx,
+ /usr/lib/chromium-browser/chromium-browser PUx,
--- apparmor-2.5.1~pre1393.orig/debian/patches/0005-add-chromium-browser.patch
+++ apparmor-2.5.1~pre1393/debian/patches/0005-add-chromium-browser.patch
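Review bot: The `# global tmp directories` comment in 0002-lp615177.patch should say why `owner` is dropped from the two directory entries but kept on the `/**` entries, since the Description only says the old match was "too strict". The directories themselves are normally root-owned sticky directories, so `owner /tmp/ rw,` can never match for an unprivileged process, while the `owner .../** rwkl,` rules on the entries still correctly restrict what the confined program may touch. Suggest `# the directories are root-owned (sticky), so 'owner' cannot match on them; entries stay owner-restricted` above the changed lines so that the qualifier is not re-added later.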
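Review bot: In 0012-lp625041.patch the new `/usr/bin/sensible-browser PUxr,` is the only entry in this list with an `r` next to `PUx`, and nothing in the hunk says why it differs from `/usr/bin/prism PUx,` and its neighbours. If, as I assume, the reason is that sensible-browser is a script and the interpreter needs to read it, a one-line comment makes that intent reviewable: `# sensible-browser is a script, so the interpreter needs 'r'`. Without it the next cleanup pass is likely to "fix" the inconsistency by dropping the `r`.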
@@ -0,0 +1,157 @@ +Author: Jamie Strandboge +Description: chromium-browser profile +Forwared: no + +Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/usr.bin.chromium-browser +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/usr.bin.chromium-browser 2010-08-10 17:26:12.000000000 -0500 +@@ -0,0 +1,148 @@ ++# Author: Jamie Strandboge ++#include ++ ++/usr/lib/chromium-browser/chromium-browser { ++ #include ++ #include ++ #include ++ #include ++ #include ++ #include ++ #include ++ #include ++ #include ++ ++ # This include specifies which ubuntu-browsers.d abstractions to use. Eg, if ++ # you want access to productivity applications, adjust the following file ++ # accordingly. ++ #include ++ ++ # Networking ++ network inet stream, ++ network inet6 stream, ++ @{PROC}/[0-9]*/net/if_inet6 r, ++ @{PROC}/[0-9]*/net/ipv6_route r, ++ ++ # Should maybe be in abstractions ++ /etc/mime.types r, ++ /etc/mailcap r, ++ /etc/xdg/xubuntu/applications/defaults.list r, ++ owner @{HOME}/.local/share/applications/defaults.list r, ++ owner @{HOME}/.local/share/applications/mimeinfo.cache r, ++ ++ @{PROC}/[0-9]*/fd/ r, ++ @{PROC}/filesystems r, ++ @{PROC}/ r, ++ @{PROC}/[0-9]*/cmdline r, ++ @{PROC}/[0-9]*/stat r, ++ @{PROC}/[0-9]*/status r, ++ ++ # chromium mmaps all kinds of things for speed. 
++ /etc/passwd m, ++ /usr/share/fonts/truetype/**/*.tt[cf] m, ++ /usr/share/fonts/**/*.pfb m, ++ /usr/share/mime/mime.cache m, ++ /usr/share/icons/**/*.cache m, ++ owner /dev/shm/pulse-shm* m, ++ owner @{HOME}/.local/share/mime/mime.cache m, ++ owner /tmp/** m, ++ ++ @{PROC}/sys/kernel/shmmax r, ++ owner /dev/shm/org.chromium.* mrw, ++ ++ /usr/lib/chromium-browser/*.pak mr, ++ /usr/lib/chromium-browser/locales/* mr, ++ ++ # Noisy ++ deny /usr/lib/chromium-browser/** w, ++ ++ # Make browsing directories work ++ / r, ++ /**/ r, ++ ++ # Allow access to documentation and other files the user may want to look ++ # at in /usr ++ /usr/{include,share,src}** r, ++ ++ # Default profile allows downloads to ~/Downloads and uploads from ~/Public ++ owner @{HOME}/ r, ++ owner @{HOME}/Public/ r, ++ owner @{HOME}/Public/* r, ++ owner @{HOME}/Downloads/ r, ++ owner @{HOME}/Downloads/* rw, ++ ++ # Helpers ++ /usr/bin/xdg-open ixr, ++ /usr/bin/gnome-open ixr, ++ /usr/bin/gvfs-open ixr, ++ # TODO: kde, xfce ++ ++ # Importing firefox settings (requires 'r' access to @{HOME}/.mozilla/** ++ # which is provided by abstractions/ubuntu-browsers.d/user-files). 
++ @{PROC}/[0-9]*/oom_adj w, ++ /etc/firefox/profile/bookmarks.html r, ++ owner @{HOME}/.mozilla/** k, ++ ++ # Chromium configuration ++ owner @{HOME}/.pki/nssdb/* rwk, ++ owner @{HOME}/.cache/chromium/ rw, ++ owner @{HOME}/.cache/chromium/** rw, ++ owner @{HOME}/.cache/chromium/Cache/* mr, ++ owner @{HOME}/.config/chromium/ rw, ++ owner @{HOME}/.config/chromium/** rwk, ++ owner @{HOME}/.config/chromium/**/Cache/* mr, ++ owner @{HOME}/.config/chromium/Dictionaries/*.bdic mr, ++ owner @{HOME}/.config/chromium/**/Dictionaries/*.bdic mr, ++ ++ # Allow transitions to ourself and our sandbox ++ /usr/lib/chromium-browser/chromium-browser ix, ++ /usr/lib/chromium-browser/chromium-browser-sandbox cx -> chromium_browser_sandbox, ++ ++ # TODO: child profile ++ /bin/ps Uxr, ++ /usr/lib/chromium-browser/xdg-settings Ux, ++ ++ # Site-specific additions and overrides. See local/README for details. ++ #include ++ ++ profile chromium_browser_sandbox { ++ # Be fanatical since it is setuid root and don't use an abstraction ++ /lib/libgcc_s.so* mr, ++ /lib{,32,64}/libm-*.so* mr, ++ /lib{,32,64}/libpthread-*.so* mr, ++ /lib{,32,64}/libc-*.so* mr, ++ /lib{,32,64}/libld-*.so* mr, ++ /lib{,32,64}/ld-*.so* mr, ++ /lib/tls/*/{cmov,nosegneg}/libm-*.so* mr, ++ /lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr, ++ /lib/tls/*/{cmov,nosegneg}/libc-*.so* mr, ++ /usr/lib/libstdc++.so* mr, ++ /etc/ld.so.cache r, ++ ++ # Required for dropping into PID namespace. Keep in mind that until the ++ # process drops this capability it can escape confinement, but once it ++ # drops CAP_SYS_ADMIN we are ok. 
++ capability sys_admin, ++ ++ # All of these are for sanely dropping from root and chrooting ++ capability chown, ++ capability fsetid, ++ capability setgid, ++ capability setuid, ++ capability dac_override, ++ capability sys_chroot, ++ ++ # *Sigh* ++ capability sys_ptrace, ++ ++ @{PROC}/ r, ++ @{PROC}/[0-9]*/fd/ r, ++ @{PROC}/[0-9]*/oom_adj w, ++ ++ /usr/bin/chromium-browser r, ++ /usr/lib/chromium-browser/chromium-browser Px, ++ /usr/lib/chromium-browser/chromium-browser-sandbox r, ++ ++ owner /tmp/** rw, ++ } ++} --- apparmor-2.5.1~pre1393.orig/debian/patches/0001-local-includes.patch +++ apparmor-2.5.1~pre1393/debian/patches/0001-local-includes.patch 
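Review bot: `owner /tmp/** m,` in the "chromium mmaps all kinds of things" list grants PROT_EXEC mappings on a tree that the included user-tmp abstraction (if that is one of the includes whose names this rendering has dropped) lets the browser write, so any file the browser drops in /tmp can be mapped executable and the write-xor-execute property the rest of the profile provides is lost there; `owner @{HOME}/.cache/chromium/Cache/* mr,` next to `owner @{HOME}/.cache/chromium/** rw,` has the same shape. If Chromium genuinely needs the mapping, the rule should be narrowed to the filename pattern it uses and carry a comment naming which mapping fails without it, rather than covering the whole tree. `/usr/{include,share,src}** r,` lacks a slash before `**`, so it also matches sibling names such as a hypothetical /usr/share-extra; `/usr/{include,share,src}/** r,` says what the comment above it means. The unconfined transitions `/bin/ps Uxr,` and `/usr/lib/chromium-browser/xdg-settings Ux,` are already marked "TODO: child profile", which is the right follow-up since either one is an exit from confinement.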
@@ -0,0 +1,554 @@ +Origin: http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/1453 + http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/1454 + http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/1455 + http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/1461 +Description: implement /etc/apparmor.d/local functionality + +Index: apparmor-2.5.1~pre1393/profiles/Makefile +=================================================================== +--- apparmor-2.5.1~pre1393.orig/profiles/Makefile 2010-08-05 16:09:51.000000000 -0500 ++++ apparmor-2.5.1~pre1393/profiles/Makefile 2010-08-10 14:30:42.000000000 -0500 +@@ -1,8 +1,7 @@ + # ------------------------------------------------------------------ + # +-# $Id$ +-# +-# Copyright (C) 2002-2006 Novell/SUSE ++# Copyright (C) 2002-2009 Novell/SUSE ++# Copyright (C) 2010 Canonical Ltd. + # + # This program is free software; you can redistribute it and/or + # modify it under the terms of version 2 of the GNU General Public +@@ -18,7 +17,7 @@ + # + # ------------------------------------------------------------------ + +-# Makefile for LSM-based AppArmor SuSE profiles ++# Makefile for LSM-based AppArmor profiles + + NAME=apparmor-profiles + ALL: +@@ -37,18 +36,25 @@ + EXTRAS_DEST=${DESTDIR}/etc/apparmor/profiles/extras/ + PROFILES_SOURCE=./apparmor.d + EXTRAS_SOURCE=./apparmor/profiles/extras/ +-SUBDIRS_MUST_BE_SKIPPED=${PROFILES_SOURCE}/abstractions ${PROFILES_SOURCE}/apache2.d ${PROFILES_SOURCE}/program-chunks ${PROFILES_SOURCE}/tunables ++SUBDIRS_MUST_BE_SKIPPED=${PROFILES_SOURCE}/abstractions ${PROFILES_SOURCE}/apache2.d ${PROFILES_SOURCE}/program-chunks ${PROFILES_SOURCE}/tunables ${PROFILES_SOURCE}/local + PROFILES_TO_COPY=$(filter-out ${SUBDIRS_MUST_BE_SKIPPED}, $(wildcard ${PROFILES_SOURCE}/*)) + TUNABLES_TO_COPY=$(filter-out ${PROFILES_SOURCE}/tunables/home.d, $(wildcard ${PROFILES_SOURCE}/tunables/*)) + ++local: ++ for profile in ${PROFILES_TO_COPY}; do \ ++ 
fn=$$(basename $$profile); \ ++ echo "# Site-specific additions and overrides for '$$fn'" > ${PROFILES_SOURCE}/local/$$fn; \ ++ done; \ ++ + .PHONY: install +-install: ++install: local + install -m 755 -d ${PROFILES_DEST} + install -m 755 -d ${PROFILES_DEST}/abstractions \ + ${PROFILES_DEST}/apache2.d \ + ${PROFILES_DEST}/program-chunks \ + ${PROFILES_DEST}/tunables \ +- ${PROFILES_DEST}/tunables/home.d ++ ${PROFILES_DEST}/tunables/home.d \ ++ ${PROFILES_DEST}/local + install -m 644 ${PROFILES_TO_COPY} ${PROFILES_DEST} + install -m 644 ${PROFILES_SOURCE}/abstractions/* ${PROFILES_DEST}/abstractions + install -m 644 ${PROFILES_SOURCE}/apache2.d/* ${PROFILES_DEST}/apache2.d +@@ -57,10 +63,12 @@ + install -m 644 ${PROFILES_SOURCE}/tunables/home.d/* ${PROFILES_DEST}/tunables/home.d + install -m 755 -d ${EXTRAS_DEST} + install -m 644 ${EXTRAS_SOURCE}/* ${EXTRAS_DEST} ++ install -m 644 ${PROFILES_SOURCE}/local/* ${PROFILES_DEST}/local + ++LOCAL_ADDITIONS=$(filter-out ${PROFILES_SOURCE}/local/README, $(wildcard ${PROFILES_SOURCE}/local/*)) + .PHONY: clean + clean: +- -rm -f $(NAME)-$(VERSION)*.tar.gz Make.rules ++ -rm -f $(NAME)-$(VERSION)*.tar.gz Make.rules ${LOCAL_ADDITIONS} + + ifndef VERBOSE + Q=@ +Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/bin.ping +=================================================================== +--- apparmor-2.5.1~pre1393.orig/profiles/apparmor.d/bin.ping 2010-08-05 16:09:51.000000000 -0500 ++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/bin.ping 2010-08-10 14:30:42.000000000 -0500 +@@ -1,8 +1,7 @@ +-# Last Modified: Thu Aug 2 14:28:48 2007 +-# $Id$ + # ------------------------------------------------------------------ + # +-# Copyright (C) 2002-2005 Novell/SUSE ++# Copyright (C) 2002-2009 Novell/SUSE ++# Copyright (C) 2010 Canonical Ltd. 
+ # + # This program is free software; you can redistribute it and/or + # modify it under the terms of version 2 of the GNU General Public +@@ -22,4 +21,7 @@ + + /bin/ping mixr, + /etc/modules.conf r, ++ ++ # Site-specific additions and overrides. See local/README for details. ++ #include + } +Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/local/README +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/local/README 2010-08-10 14:31:13.000000000 -0500 +@@ -0,0 +1,24 @@ ++This directory is intended to contain profile additions and overrides for ++inclusion by distributed profiles to aid in packaging AppArmor for ++distributions. ++ ++The shipped profiles in /etc/apparmor.d can still be modified by an ++administrator and people should modify the shipped profile when making ++large policy changes, rather than trying to make those adjustments here. ++ ++For simple access additions or the occasional deny override, adjusting them ++here can prevent the package manager of the distribution from interfering ++with local modifications. As always, new policy should be reviewed to ensure ++it is appropriate for your site. ++ ++For example, if the shipped /etc/apparmor.d/usr.sbin.smbd profile has: ++ #include ++ ++then an administrator can adjust /etc/apparmor.d/local/usr.sbin.smbd to ++contain any additional paths to be allowed, such as: ++ ++ /var/exports/** lrw, ++ ++Keep in mind that 'deny' rules are evaluated after allow rules, so you won't be ++able to allow access to files that are explicitly denied by the shipped profile ++using this mechanism. 
+Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/sbin.klogd +=================================================================== +--- apparmor-2.5.1~pre1393.orig/profiles/apparmor.d/sbin.klogd 2010-08-05 16:09:51.000000000 -0500 ++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/sbin.klogd 2010-08-10 14:30:42.000000000 -0500 +@@ -1,7 +1,7 @@ +-# $Id$ + # ------------------------------------------------------------------ + # +-# Copyright (C) 2002-2005 Novell/SUSE ++# Copyright (C) 2002-2009 Novell/SUSE ++# Copyright (C) 2010 Canonical Ltd. + # + # This program is free software; you can redistribute it and/or + # modify it under the terms of version 2 of the GNU General Public +@@ -29,4 +29,6 @@ + /var/run/klogd/klogd.pid krwl, + /var/run/klogd/kmsg r, + ++ # Site-specific additions and overrides. See local/README for details. ++ #include + } +Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/sbin.syslog-ng +=================================================================== +--- apparmor-2.5.1~pre1393.orig/profiles/apparmor.d/sbin.syslog-ng 2010-08-05 16:09:51.000000000 -0500 ++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/sbin.syslog-ng 2010-08-10 14:30:42.000000000 -0500 +@@ -1,8 +1,8 @@ +-# $Id$ + # ------------------------------------------------------------------ + # +-# Copyright (C) 2006 Novell/SUSE ++# Copyright (C) 2006-2009 Novell/SUSE + # Copyright (C) 2006 Christian Boltz ++# Copyright (C) 2010 Canonical Ltd. + # + # This program is free software; you can redistribute it and/or + # modify it under the terms of version 2 of the GNU General Public +@@ -41,5 +41,6 @@ + @{CHROOT_BASE}/var/log/** w, + @{CHROOT_BASE}/var/run/syslog-ng.pid krw, + ++ # Site-specific additions and overrides. See local/README for details. 
++ #include + } +- +Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/sbin.syslogd +=================================================================== +--- apparmor-2.5.1~pre1393.orig/profiles/apparmor.d/sbin.syslogd 2010-08-05 16:09:51.000000000 -0500 ++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/sbin.syslogd 2010-08-10 14:30:42.000000000 -0500 +@@ -1,7 +1,7 @@ +-# $Id$ + # ------------------------------------------------------------------ + # +-# Copyright (C) 2002-2005 Novell/SUSE ++# Copyright (C) 2002-2009 Novell/SUSE ++# Copyright (C) 2010 Canonical Ltd. + # + # This program is free software; you can redistribute it and/or + # modify it under the terms of version 2 of the GNU General Public +@@ -33,4 +33,7 @@ + /var/run/syslogd.pid krwl, + /var/run/utmp rw, + /var/spool/compaq/nic/messages_fifo rw, ++ ++ # Site-specific additions and overrides. See local/README for details. ++ #include + } +Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 +=================================================================== +--- apparmor-2.5.1~pre1393.orig/profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 2010-08-05 16:09:51.000000000 -0500 ++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 2010-08-10 14:30:42.000000000 -0500 +@@ -1,10 +1,9 @@ +-# Last Modified: Wed Sep 16 11:58:00 2009 + # Author: Marc Deslauriers +-#include + ++#include + /usr/lib/apache2/mpm-prefork/apache2 { + +- # This is profile is completely permissive. ++ # This profile is completely permissive. + # It is designed to target specific applications using mod_apparmor, + # hats, and the apache2.d directory. + # +@@ -75,4 +74,6 @@ + + #include + ++ # Site-specific additions and overrides. See local/README for details. 
++ #include + } +Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/usr.lib.dovecot.deliver +=================================================================== +--- apparmor-2.5.1~pre1393.orig/profiles/apparmor.d/usr.lib.dovecot.deliver 2010-08-05 16:09:51.000000000 -0500 ++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/usr.lib.dovecot.deliver 2010-08-10 14:30:42.000000000 -0500 +@@ -1,5 +1,5 @@ +-# Last Modified: Wed Jun 10 00:20:56 2009 + # Author: Dulmandakh Sukhbaatar ++ + #include + /usr/lib/dovecot/deliver { + #include +@@ -17,4 +17,7 @@ + @{HOME}/mail/.imap/** klrw, + /usr/lib/dovecot/deliver mr, + /var/mail/* klrw, ++ ++ # Site-specific additions and overrides. See local/README for details. ++ #include + } +Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/usr.lib.dovecot.dovecot-auth +=================================================================== +--- apparmor-2.5.1~pre1393.orig/profiles/apparmor.d/usr.lib.dovecot.dovecot-auth 2010-08-05 16:09:51.000000000 -0500 ++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/usr.lib.dovecot.dovecot-auth 2010-08-10 14:30:42.000000000 -0500 +@@ -1,5 +1,5 @@ +-# Last Modified: Fri Oct 10 17:19:26 2008 + # Author: Kees Cook ++ + #include + /usr/lib/dovecot/dovecot-auth { + #include +@@ -17,4 +17,7 @@ + /var/run/dovecot/** rw, + # required for postfix+dovecot integration + /var/spool/postfix/private/dovecot-auth w, ++ ++ # Site-specific additions and overrides. See local/README for details. 
++ #include + } +Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/usr.lib.dovecot.imap +=================================================================== +--- apparmor-2.5.1~pre1393.orig/profiles/apparmor.d/usr.lib.dovecot.imap 2010-08-05 16:09:51.000000000 -0500 ++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/usr.lib.dovecot.imap 2010-08-10 14:30:42.000000000 -0500 +@@ -1,5 +1,5 @@ +-# Last Modified: Sat Oct 11 09:17:38 2008 + # Author: Kees Cook ++ + #include + /usr/lib/dovecot/imap { + #include +@@ -16,4 +16,7 @@ + @{HOME}/mail/.imap/** klrw, + /usr/lib/dovecot/imap mr, + /var/mail/* klrw, ++ ++ # Site-specific additions and overrides. See local/README for details. ++ #include + } +Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/usr.lib.dovecot.imap-login +=================================================================== +--- apparmor-2.5.1~pre1393.orig/profiles/apparmor.d/usr.lib.dovecot.imap-login 2010-08-05 16:09:51.000000000 -0500 ++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/usr.lib.dovecot.imap-login 2010-08-10 14:30:42.000000000 -0500 +@@ -1,5 +1,5 @@ +-# Last Modified: Wed Oct 8 00:20:56 2008 + # Author: Kees Cook ++ + #include + /usr/lib/dovecot/imap-login { + #include +@@ -15,4 +15,7 @@ + /usr/lib/dovecot/imap-login mr, + /var/run/dovecot/login/ r, + /var/run/dovecot/login/* rw, ++ ++ # Site-specific additions and overrides. See local/README for details. 
++ #include + } +Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/usr.lib.dovecot.managesieve-login +=================================================================== +--- apparmor-2.5.1~pre1393.orig/profiles/apparmor.d/usr.lib.dovecot.managesieve-login 2010-08-05 16:09:51.000000000 -0500 ++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/usr.lib.dovecot.managesieve-login 2010-08-10 14:30:42.000000000 -0500 +@@ -1,5 +1,5 @@ +-# Last Modified: Wed Jun 10 00:20:56 2009 + # Author: Dulmandakh Sukhbaatar ++ + #include + /usr/lib/dovecot/managesieve-login { + #include +@@ -15,4 +15,7 @@ + /usr/lib/dovecot/managesieve-login mr, + /var/run/dovecot/login/ r, + /var/run/dovecot/login/* rw, ++ ++ # Site-specific additions and overrides. See local/README for details. ++ #include + } +Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/usr.lib.dovecot.pop3 +=================================================================== +--- apparmor-2.5.1~pre1393.orig/profiles/apparmor.d/usr.lib.dovecot.pop3 2010-08-05 16:09:51.000000000 -0500 ++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/usr.lib.dovecot.pop3 2010-08-10 14:30:42.000000000 -0500 +@@ -1,5 +1,5 @@ +-# Last Modified: Wed Oct 8 00:21:56 2008 + # Author: Kees Cook ++ + #include + /usr/lib/dovecot/pop3 { + #include +@@ -15,4 +15,7 @@ + @{HOME}/Maildir/ rw, + @{HOME}/Maildir/** klrw, + /usr/lib/dovecot/pop3 mr, ++ ++ # Site-specific additions and overrides. See local/README for details. 
++ #include + } +Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/usr.lib.dovecot.pop3-login +=================================================================== +--- apparmor-2.5.1~pre1393.orig/profiles/apparmor.d/usr.lib.dovecot.pop3-login 2010-08-05 16:09:51.000000000 -0500 ++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/usr.lib.dovecot.pop3-login 2010-08-10 14:30:42.000000000 -0500 +@@ -1,5 +1,5 @@ +-# Last Modified: Wed Oct 8 00:20:57 2008 + # Author: Kees Cook ++ + #include + /usr/lib/dovecot/pop3-login { + #include +@@ -14,4 +14,7 @@ + /usr/lib/dovecot/pop3-login mr, + /var/run/dovecot/login/ r, + /var/run/dovecot/login/* rw, ++ ++ # Site-specific additions and overrides. See local/README for details. ++ #include + } +Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/usr.sbin.avahi-daemon +=================================================================== +--- apparmor-2.5.1~pre1393.orig/profiles/apparmor.d/usr.sbin.avahi-daemon 2010-08-05 16:09:51.000000000 -0500 ++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/usr.sbin.avahi-daemon 2010-08-10 14:30:42.000000000 -0500 +@@ -1,4 +1,3 @@ +-# Last Modified: Wed Aug 15 10:55:46 2007 + #include + /usr/sbin/avahi-daemon { + #include +@@ -24,4 +23,7 @@ + /var/run/avahi-daemon/pid krw, + /var/run/avahi-daemon/socket w, + /var/run/dbus/system_bus_socket w, ++ ++ # Site-specific additions and overrides. See local/README for details. 
++ #include + } +Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/usr.sbin.dnsmasq +=================================================================== +--- apparmor-2.5.1~pre1393.orig/profiles/apparmor.d/usr.sbin.dnsmasq 2010-08-05 16:09:51.000000000 -0500 ++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/usr.sbin.dnsmasq 2010-08-10 14:30:42.000000000 -0500 +@@ -1,4 +1,5 @@ + # Author: John Dong ++ + #include + /usr/sbin/dnsmasq { + #include +@@ -20,4 +21,7 @@ + /var/run/dnsmasq/* rw, + + /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage ++ ++ # Site-specific additions and overrides. See local/README for details. ++ #include + } +Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/usr.sbin.dovecot +=================================================================== +--- apparmor-2.5.1~pre1393.orig/profiles/apparmor.d/usr.sbin.dovecot 2010-08-05 16:09:51.000000000 -0500 ++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/usr.sbin.dovecot 2010-08-10 14:30:42.000000000 -0500 +@@ -1,5 +1,5 @@ +-# Last Modified: Fri Oct 10 17:20:34 2008 + # Author: Kees Cook ++ + #include + /usr/sbin/dovecot { + #include +@@ -30,4 +30,7 @@ + /var/lib/dovecot/* krw, + /var/run/dovecot/ rw, + /var/run/dovecot/** rw, ++ ++ # Site-specific additions and overrides. See local/README for details. ++ #include + } +Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/usr.sbin.identd +=================================================================== +--- apparmor-2.5.1~pre1393.orig/profiles/apparmor.d/usr.sbin.identd 2010-08-05 16:09:51.000000000 -0500 ++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/usr.sbin.identd 2010-08-10 14:30:42.000000000 -0500 +@@ -1,7 +1,7 @@ +-# $Id$ + # ------------------------------------------------------------------ + # +-# Copyright (C) 2002-2005 Novell/SUSE ++# Copyright (C) 2002-2009 Novell/SUSE ++# Copyright (C) 2010 Canonical Ltd. 
+ # + # This program is free software; you can redistribute it and/or + # modify it under the terms of version 2 of the GNU General Public +@@ -24,4 +24,7 @@ + @{PROC}/net/tcp r, + @{PROC}/net/tcp6 r, + /var/run/identd.pid w, ++ ++ # Site-specific additions and overrides. See local/README for details. ++ #include + } +Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/usr.sbin.mdnsd +=================================================================== +--- apparmor-2.5.1~pre1393.orig/profiles/apparmor.d/usr.sbin.mdnsd 2010-08-05 16:09:51.000000000 -0500 ++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/usr.sbin.mdnsd 2010-08-10 14:30:42.000000000 -0500 +@@ -1,8 +1,7 @@ +-# $Id$ +-# vim:syntax=apparmor + # ------------------------------------------------------------------ + # +-# Copyright (C) 2002-2005 Novell/SUSE ++# Copyright (C) 2002-2009 Novell/SUSE ++# Copyright (C) 2010 Canonical Ltd. + # + # This program is free software; you can redistribute it and/or + # modify it under the terms of version 2 of the GNU General Public +@@ -29,4 +28,7 @@ + @{PROC}/net/unix r, + /var/run/mdnsd lw, + /var/run/mdnsd.pid w, ++ ++ # Site-specific additions and overrides. See local/README for details. ++ #include + } +Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/usr.sbin.nmbd +=================================================================== +--- apparmor-2.5.1~pre1393.orig/profiles/apparmor.d/usr.sbin.nmbd 2010-08-05 16:09:51.000000000 -0500 ++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/usr.sbin.nmbd 2010-08-10 14:30:42.000000000 -0500 +@@ -1,5 +1,3 @@ +-# vim:syntax=apparmor +-# Last Modified: Wed Jun 20 13:22:50 2007 + #include + + /usr/sbin/nmbd { +@@ -16,4 +14,7 @@ + /var/run/samba/nmbd.pid rw, + /var/log/samba/cores/nmbd/ rw, + /var/log/samba/cores/nmbd/** rw, ++ ++ # Site-specific additions and overrides. See local/README for details. 
++ #include + } +Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/usr.sbin.nscd +=================================================================== +--- apparmor-2.5.1~pre1393.orig/profiles/apparmor.d/usr.sbin.nscd 2010-08-05 16:09:51.000000000 -0500 ++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/usr.sbin.nscd 2010-08-10 14:30:42.000000000 -0500 +@@ -1,8 +1,7 @@ +-# $Id# + # ------------------------------------------------------------------ + # + # Copyright (C) 2002-2005 Novell/SUSE +-# Copyright (C) 2009 Canonical Ltd. ++# Copyright (C) 2009-2010 Canonical Ltd. + # + # This program is free software; you can redistribute it and/or + # modify it under the terms of version 2 of the GNU General Public +@@ -40,4 +39,7 @@ + @{PROC}/[0-9]*/maps r, + @{PROC}/[0-9]*/mounts r, + @{PROC}/filesystems r, ++ ++ # Site-specific additions and overrides. See local/README for details. ++ #include + } +Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/usr.sbin.ntpd +=================================================================== +--- apparmor-2.5.1~pre1393.orig/profiles/apparmor.d/usr.sbin.ntpd 2010-08-05 16:09:51.000000000 -0500 ++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/usr.sbin.ntpd 2010-08-10 14:30:42.000000000 -0500 +@@ -1,8 +1,7 @@ +-# Last Modified: Thu Aug 2 14:37:03 2007 +-# $Id$ + # ------------------------------------------------------------------ + # +-# Copyright (C) 2002-2005 Novell/SUSE ++# Copyright (C) 2002-2009 Novell/SUSE ++# Copyright (C) 2010 Canonical Ltd. + # + # This program is free software; you can redistribute it and/or + # modify it under the terms of version 2 of the GNU General Public +@@ -64,6 +63,9 @@ + # allow access for when chrooted + /var/lib/ntp/@{PROC}/*/net/if_inet6 r, + /var/lib/ntp/@{PROC}/*/sys/kernel/ngroups_max r, +- ++ + @{NTPD_DEVICE} rw, ++ ++ # Site-specific additions and overrides. See local/README for details. 
++ #include + } +Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/usr.sbin.smbd +=================================================================== +--- apparmor-2.5.1~pre1393.orig/profiles/apparmor.d/usr.sbin.smbd 2010-08-05 16:09:51.000000000 -0500 ++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/usr.sbin.smbd 2010-08-10 14:30:42.000000000 -0500 +@@ -1,5 +1,3 @@ +-# vim:syntax=apparmor +-# Last Modified: Wed Jun 20 13:34:25 2007 + #include + + /usr/sbin/smbd { +@@ -35,4 +33,7 @@ + /var/spool/samba/** rw, + + @{HOMEDIRS}/** lrw, ++ ++ # Site-specific additions and overrides. See local/README for details. ++ #include + } +Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/usr.sbin.traceroute +=================================================================== +--- apparmor-2.5.1~pre1393.orig/profiles/apparmor.d/usr.sbin.traceroute 2010-08-05 16:09:51.000000000 -0500 ++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/usr.sbin.traceroute 2010-08-10 14:30:42.000000000 -0500 +@@ -1,8 +1,7 @@ +-# Last Modified: Thu Aug 2 13:33:43 2007 +-# $Id$ + # ------------------------------------------------------------------ + # +-# Copyright (C) 2002-2005 Novell/SUSE ++# Copyright (C) 2002-2009 Novell/SUSE ++# Copyright (C) 2010 Canonical Ltd. + # + # This program is free software; you can redistribute it and/or + # modify it under the terms of version 2 of the GNU General Public +@@ -20,4 +19,7 @@ + + /usr/sbin/traceroute rmix, + @{PROC}/net/route r, ++ ++ # Site-specific additions and overrides. See local/README for details. ++ #include + } --- apparmor-2.5.1~pre1393.orig/debian/patches/0006-kde4-config-pux.patch +++ apparmor-2.5.1~pre1393/debian/patches/0006-kde4-config-pux.patch 
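Review bot: The new local/README never states that the file named by an `#include <local/...>` line must exist; with the 2.5-era parser a missing include is, as far as I recall, a fatal parse error, so a profile whose local file is absent fails to load and the program runs unconfined instead of under the shipped policy. That matters here because the Makefile's `clean` target removes `${LOCAL_ADDITIONS}`, i.e. every generated stub under local/, so a source tree after `make clean` parses only once `make local` has run again, and any profile shipped by another package that adds the include without shipping its stub breaks the same way. A sentence in the README such as `The local/<profile> file must exist (it may be empty); the packaging installs an empty stub for every shipped profile.` and a matching comment above the `local:` target would document the contract. The `local:` target also overwrites an existing local/<profile> on every run, so edits made in the source tree are silently lost; `[ -e ${PROFILES_SOURCE}/local/$$fn ] ||` in front of the `echo` would keep them.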
@@ -0,0 +1,30 @@
+Origin: http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/1462
+ http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/1465
+Description: chromium-browser profile
+
+Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/kde
+===================================================================
+--- apparmor-2.5.1~pre1393.orig/profiles/apparmor.d/abstractions/kde 2010-08-10 18:00:02.000000000 -0500
++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/kde 2010-08-10 18:00:17.000000000 -0500
+@@ -2,7 +2,7 @@
+ # ------------------------------------------------------------------
+ #
+ # Copyright (C) 2002-2006 Novell/SUSE
+-# Copyright (C) 2009 Canonical Ltd.
++# Copyright (C) 2009-2010 Canonical Ltd.
+ #
+ # This program is free software; you can redistribute it and/or
+ # modify it under the terms of version 2 of the GNU General Public
+@@ -53,4 +53,3 @@
+ /usr/lib*/qt4/lib*/lib*so* mr,
+ /usr/lib*/qt4/plugins/** mr,
+ /usr/share/qt4/** r,
+-/usr/bin/kde4-config Ux,
+Index: apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ubuntu-browsers.d/kde
+===================================================================
+--- apparmor-2.5.1~pre1393.orig/profiles/apparmor.d/abstractions/ubuntu-browsers.d/kde 2010-08-10 18:00:09.000000000 -0500
++++ apparmor-2.5.1~pre1393/profiles/apparmor.d/abstractions/ubuntu-browsers.d/kde 2010-08-10 18:00:20.000000000 -0500
+@@ -1,2 +1,2 @@
+ #include
+- /usr/bin/kde4-config Ux, # TODO: use PUx when apparmor is adjusted
++ /usr/bin/kde4-config PUx,
--- apparmor-2.5.1~pre1393.orig/debian/profiles/chromium-browser
+++ apparmor-2.5.1~pre1393/debian/profiles/chromium-browser
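Review bot: `+Description: chromium-browser profile` is copied from the 0005 patch and does not describe this one, which removes `/usr/bin/kde4-config Ux,` from abstractions/kde and changes the ubuntu-browsers.d/kde entry from `Ux` to `PUx`; the header should say so, e.g. `Description: run kde4-config under its own profile when one exists (PUx) and drop the unconfined rule from the generic kde abstraction`. The `PUx` change is the security-relevant part (the unconfined fallback remains, but a shipped kde4-config profile now takes precedence), and the removed `# TODO: use PUx when apparmor is adjusted` comment was the only place that intent was recorded, so it belongs in the Description now.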
@@ -0,0 +1,15 @@
+# This file is updated currently not managed by the package but in the future
+# will be overwritten on upgrades.
+#
+# For site-specific adjustments, please see:
+# /etc/apparmor.d/local/usr.bin.chromium-browser
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
--- apparmor-2.5.1~pre1393.orig/debian/notify/notify.conf
+++ apparmor-2.5.1~pre1393/debian/notify/notify.conf
@@ -0,0 +1,15 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# Set to 'yes' to enable AppArmor DENIED notifications globally
+show_notifications="no"
+
+# Only people in use_group can use apparmor-notify
+use_group="admin"
--- apparmor-2.5.1~pre1393.orig/debian/notify/90apparmor-notify
+++ apparmor-2.5.1~pre1393/debian/notify/90apparmor-notify
@@ -0,0 +1,15 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# Start up apparmor notify. It will read /etc/apparmor/notify.conf and
+# $HOME/.apparmor/notify.conf for configuration.
+if [ -x /usr/bin/apparmor_notify ]; then
+ /usr/bin/apparmor_notify -p -s 1 -w 60
+fi
--- apparmor-2.5.1~pre1393.orig/debian/po/templates.pot
+++ apparmor-2.5.1~pre1393/debian/po/templates.pot
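Review bot: The opening comment of debian/profiles/chromium-browser, `# This file is updated currently not managed by the package but in the future`, is not a sentence; read with the next line it should say `# This file is currently not managed by the package, but in the future it` / `# will be overwritten on upgrades.`. The point of the comment is to warn administrators that edits here will be lost and to send them to /etc/apparmor.d/local/usr.bin.chromium-browser, so it needs to be unambiguous. The nine `#include` lines have lost their `<...>` arguments in this rendering, so the abstraction list itself cannot be checked from the page.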
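Review bot: In debian/notify/90apparmor-notify, `/usr/bin/apparmor_notify -p -s 1 -w 60` runs in the foreground of what looks like an Xsession.d hook, so unless `-p` makes the program detach itself, session start-up blocks until it exits; if it does not daemonize, the line should be `/usr/bin/apparmor_notify -p -s 1 -w 60 &`, and either way a comment stating which is the case would settle it for the next reader. The comment above it also says `$HOME/.apparmor/notify.conf` is read; how that file is parsed is not visible here, but if it is sourced as shell, notify.conf should say so, since `show_notifications="no"` and `use_group="admin"` then follow shell quoting rules rather than being plain key=value pairs.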
@@ -0,0 +1,40 @@ +# SOME DESCRIPTIVE TITLE. +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the PACKAGE package. +# FIRST AUTHOR , YEAR. +# +#, fuzzy +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"Report-Msgid-Bugs-To: ubuntu-devel-discuss@lists.ubuntu.com\n" +"POT-Creation-Date: 2010-01-05 17:45-0600\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME \n" +"Language-Team: LANGUAGE \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=CHARSET\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "Additional home directory locations:" +msgstr "" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"Please enter a space separated list of any additional locations for user " +"home directories. These locations are in addition to those specified in /etc/" +"apparmor.d/tunables/home and must end with a '/'." +msgstr "" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"Example: if user's directories are stored in /srv/nfs/home and /mnt/homes, " +"you should enter \"/srv/nfs/home/ /mnt/homes/\"." +msgstr "" --- apparmor-2.5.1~pre1393.orig/debian/po/POTFILES.in +++ apparmor-2.5.1~pre1393/debian/po/POTFILES.in @@ -0,0 +1 @@ +[type: gettext/rfc822deb] templates --- apparmor-2.5.1~pre1393.orig/debian/apport/source_apparmor.py +++ apparmor-2.5.1~pre1393/debian/apport/source_apparmor.py 
@@ -0,0 +1,54 @@
+'''apport package hook for apparmor
+
+(c) 2009 Canonical Ltd.
+Author: Steve Beattie
+'''
+
+from apport.hookutils import *
+from os import path
+import re
+
+def recent_kernlog(pattern):
+ '''Extract recent messages from kern.log or message which match a regex.
+
+ pattern should be a "re" object. '''
+ lines = ''
+ if os.path.exists('/var/log/kern.log'):
+ file = '/var/log/kern.log'
+ elif os.path.exists('/var/log/messages'):
+ file = '/var/log/messages'
+ else:
+ return lines
+
+ for line in open(file):
+ if pattern.search(line):
+ lines += line
+ return lines
+
+def add_info(report):
+ attach_file(report, '/proc/version_signature', 'ProcVersionSignature')
+ attach_file(report, '/proc/cmdline', 'ProcCmdline')
+
+ sec_re = re.compile('audit\(|apparmor|selinux|security', re.IGNORECASE)
+ report['KernLog'] = recent_kernlog(sec_re)
+
+ packages=['apparmor', 'apparmor-utils', 'libapparmor1',
+ 'libapparmor-dev', 'libapparmor-perl', 'apparmor-utils',
+ 'apparmor-docs', 'apparmor-profiles', 'libapache2-mod-apparmor',
+ 'libpam-apparmor', 'auditd', 'libaudit0']
+
+ versions = ''
+ for package in packages:
+ try:
+ version = packaging.get_version(package)
+ except ValueError:
+ version = 'N/A'
+ if version is None:
+ version = 'N/A'
+ versions += '%s %s\n' % (package, version)
+ report['ApparmorPackages'] = versions
+
+ # These need to be run as root
+ report['ApparmorStatusOutput'] = command_output('/usr/sbin/apparmor_status')
+ report['PstreeP'] = command_output(['/usr/bin/pstree', '-p'])
+ attach_file_if_exists(report, '/var/log/audit/audit.log', 'audit.log')
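Review bot: `recent_kernlog` opens the log with `open(file)` and never closes it, shadows the `file` builtin, and reaches `os` only through `from apport.hookutils import *` even though the module itself imports `from os import path` and then calls `os.path.exists`; an explicit `import os` at the top plus the `with` form below fixes all three, and the docstring's "kern.log or message" should read "messages". In `add_info`, `'audit\(|apparmor|selinux|security'` should be a raw string, `r'audit\(|apparmor|selinux|security'`, so the backslash is a regex escape by intent rather than by the accident of `\(` being an unknown string escape, and 'apparmor-utils' is listed twice in `packages`. The matched kern.log lines and the attached audit.log can carry file paths and process names from other users' denials, so a comment that these report fields are not scrubbed before they go into a bug report would help whoever triages the privacy side.
```python
def recent_kernlog(pattern):
    '''Extract recent messages from kern.log or messages which match a regex.

    pattern should be a "re" object. '''
    for logfile in ('/var/log/kern.log', '/var/log/messages'):
        if os.path.exists(logfile):
            break
    else:
        return ''
    with open(logfile) as log:
        return ''.join(line for line in log if pattern.search(line))
```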