Change logs for apparmor source package in Focal

  • apparmor (2.13.3-7ubuntu5.4) focal-security; urgency=medium
    
      * SECURITY UPDATE: Excessive permissions with mount rules (LP: #1597017)
        - d/p/CVE-2016-1585/parser-Fix-expansion-of-variables-in-unix-rules-addr.patch:
          add calls to filter_slashes() in parser/af_unix.cc, make it external
          in parser/parser.h and change it to void in parser/parser_regex.c.
        - d/p/CVE-2016-1585/parser-enable-variable-expansion-for-mount-type-and-.patch:
          add variable expansion with expand_entry_variables() in
          parser/mount.cc.
        - d/p/CVE-2016-1585/parser-call-filter-slashes-for-mount-conditionals.patch:
          add calls to filter_slashes() in parser/mount.cc.
        - d/p/CVE-2016-1585/Support-rule-qualifiers-in-regression-tests.patch:
          update rule qualifiers in regression tests in
          tests/regression/apparmor/mkprofile.pl and
          tests/regression/apparmor/capabilities.sh.
        - d/p/CVE-2016-1585/Merge-Fix-mount-rules-encoding.patch: fix mount
          rules encoding in parser/mount.cc, parser/mount.h, parser/parser.h
          and fix multiple test cases in parser/tst/simple_tests/mount/*.
        - d/p/CVE-2016-1585/Merge-expand-mount-tests.patch: expand mount
          regression tests in tests/regression/apparmor/Makefile,
          tests/regression/apparmor/mount.c,
          tests/regression/apparmor/mount.sh and
          tests/regression/apparmor/mkprofile.pl.
        - d/p/CVE-2016-1585/Merge-Issue-312-added-missing-kernel-mount-options.patch:
          add missing kernel mount options flag in parser/apparmor.d.pod,
          parser/mount.cc, parser/mount.h, tests/regression/apparmor/mount.sh
          and parser/tst/simple_tests/mount/*.
        - d/p/CVE-2016-1585/Merge-extend-test-profiles-for-mount.patch: update
          test profiles in parser/tst/simple_tests/mount/*.
        - d/p/CVE-2016-1585/Merge-parser-fix-parsing-of-source-as-mount-point-fo.patch:
          update gen_policy_change_mount_type() in parser/mount.cc and also
          update tests in parser/tst/simple_tests/mount/* and
          tests/regression/apparmor/mount.sh.
        - d/p/CVE-2016-1585/parser-fix-rule-flag-generation-change_mount-type-ru.patch:
          add device checks in gen_flag_rules() in parser/mount.cc and tests
          in parser/tst/simple_tests/mount/*, parser/tst/equality.sh,
          tests/regression/apparmor/mount.sh and
          utils/test/test-parser-simple-tests.py.
        - d/p/CVE-2016-1585/Fix-build-failure-in-df4ed537e-allow-reading-of-etc-.patch:
          remove the WARN_DEPRECATED flag in pwarn call in parser/mount.cc.
        - d/p/CVE-2016-1585/parser-Deprecation-warning-should-not-have-been-back.patch:
          remove deprecation warning message in parser/mount.cc.
        - CVE-2016-1585
    
     -- Rodrigo Figueiredo Zaiden <email address hidden>  Tue, 06 Mar 2024 15:40:00 -0300
  • apparmor (2.13.3-7ubuntu5.3) focal; urgency=medium
    
      * apparmor.preinst: recursively remove cache directories during an
        upgrade. (LP: #2032851)
    
     -- Georgia Garcia <email address hidden>  Tue, 10 Oct 2023 09:20:12 -0300
  • apparmor (2.13.3-7ubuntu5.2) focal; urgency=medium
    
      * Add capability upstream patches to fix LP: #1964636
        - u/cap1-Generate-CAPABILITIES-in-a-script-due-to-make-4.3.patch: move
          code that generates a list of capabilities to a script in common/
        - u/cap2-parser-Move-to-a-pre-generated-cap_names.h.patch: use a
          pre-generated list of capabilities so that all capabilities are
          supported even when building against older kernels.
        - u/cap3-parser-cleanup-capability_table-generation-by-droppi.patch: drop
          sys_log static declaration because it's already in the generated list.
        - u/cap4-parser-unify-capability-name-handling.patch: drop internal
          hardcoded capability table.
        - u/cap5-parser-Makefile-use-LC_ALL-C-when-invoking-sed.patch: use
          LC_ALL=C when invoking sed.
        - u/cap6-parser-Add-warning-to-capability_table-about-the-nee.patch: add
          warning to capability_table about the need to update the Makefile.
        - u/cap7-Add-CAP_BPF-and-CAP_PERFMON-to-severity.db.patch: add
          support for cap_bpf and cap_perfmon
        - u/cap8-parser-Makefile-fix-generated-cap-comparison-against.patch: fix
          generated cap comparison against known list
      * Add upstream patches for abi support. LP: #1728130
        - u/abi1-parser-feature-abi-setup-parser-to-intersect-policy-.patch: add
          the ability to intersect parser and kernel features in the parser.
        - u/abi2-parser-add-basic-support-for-feature-abis.patch: add support
          to specify a feature abi.
        - u/abi3-pin-abi-2.13.patch: add and pin a policy abi for 2.13
        - u/abi4-parser-fix-abi-rule-and-pinned-feature-file-interact.patch: fix
          abi rule and pinned feature file interaction
        - apparmor.install: add 2.13 abi file to be installed in /etc/apparmor.d/abi/
      * Add mqueue patches. LP: #1993353
        - u/mqueue1-parser-add-parser-support-for-message-queue-mediatio.patch:
          add parser support for mqueue mediation
        - u/mqueue2-tests-add-posix-message-queue-regression-tests.patch: add
          posix mqueue regression tests
        - u/mqueue3-utils-add-message-queue-rules-parsing-in-python-tool.patch:
          add support in python tools to parse mqueue rules
        - u/mqueue4-parser-add-parser-simple-tests-for-mqueue-rules.patch: add
          parser simple tests for mqueue
        - u/mqueue5-parser-place-perm-on-name-as-well-as-name-label-comb.patch:
          add permissions on name and also on name + label
        - u/mqueue6-libapparmor-add-support-for-requested-and-denied-on-.patch:
          add parsing support for "denied" and "requested" from audit logs
        - u/mqueue7-libapparmor-add-support-for-class-in-logparsing.patch: add
          parsing support for "class" from audit logs
        - u/mqueue8-utils-add-logparser-support-for-mqueue.patch: add logparser
          support for mqueue rules
        - u/mqueue9-tests-add-sysv-message-queue-regression-tests.patch: add
          sysv mqueue regression tests
        - u/mqueue10-parser-enable-mqueue-rules-when-abi-is-not-set.patch:
          override pinned features for mqueue rules when abi is not set in policy.
        - debian/rules: create mqueue testcase empty files for libapparmor tests.
      * Closes LP: #1994146
    
     -- Georgia Garcia <email address hidden>  Mon, 10 Oct 2022 17:52:45 -0300
  • apparmor (2.13.3-7ubuntu5.1) focal-proposed; urgency=medium
    
      * upstream-lp1872564.patch: adjust nameservice abstraction for nss-systemd
        - LP: #1872564
    
     -- Jamie Strandboge <email address hidden>  Tue, 19 May 2020 16:59:49 +0000
  • apparmor (2.13.3-7ubuntu5) focal; urgency=medium
    
      * snapd 2.44.3+20.04 introduced an apparmor unit of its own to load snap
        policy in /var/lib/snapd/apparmor/profiles. As such, don't load snapd
        policy twice by not loading it in the apparmor unit (LP: #1871148)
        - ubuntu/stop-loading-snapd-profiles.patch: stop loading snapd profiles
        - debian/control: add Breaks on snapd < 2.44.3+20.04~ since prior snapd
          versions assume that apparmor will load the snapd policy on boot
        - debian/apparmor.service: remove the now unneeded RequiresMountsFor on
          /var/lib/snapd/apparmor/profiles
      * drop ubuntu/parser-conf-no-expr-simplify.patch: Optimize=no-expr-simplify
        was added to parser.conf to mitigate slow snap policy compiles on 32bit
        ARM. These days, snapd calls apparmor_parser with "-O no-expr-simplify"
        and loads its snap policy, so drop this delta with upstream and Debian.
    
     -- Jamie Strandboge <email address hidden>  Sun, 12 Apr 2020 16:11:31 +0000
  • apparmor (2.13.3-7ubuntu4) focal; urgency=medium
    
      * debian/apparmor.service: add /var/lib/snapd/apparmor/profiles to
        RequiresMountsFor since Ubuntu's rc.apparmor.functions looks for it
        (LP: #1871148)
      * libnss-systemd.patch: allow accessing the libnss-systemd VarLink sockets
        and DBus APIs. Patch partially based on work by Simon Deziel.
        (LP: #1796911, LP: #1869024)
      * upstream-mr-424-kerberos-dot-dirs.patch: abstractions/kerberosclient:
        allow reading /etc/krb5.conf.d/
      * upstream-mr-442-gnome-user-themes.patch: gnome abstraction: allow reading
        per-user themes from $XDG_DATA_HOME (Closes: #930031)
      * upstream-mr-443-ecryptfs-dirs.patch: abstractions/base: allow read access
        to top-level ecryptfs directories (LP: #1848919)
      * upstream-mr-445-uuidd-request.patch: abstractions/base: allow read access
        to /run/uuidd/request
      * upstream-mr-464-Mesa_i915_perf_interface.patch: let Mesa check if the
        kernel supports the i915 perf interface. Patch from Debian
    
     -- Jamie Strandboge <email address hidden>  Mon, 06 Apr 2020 17:47:20 +0000
  • apparmor (2.13.3-7ubuntu3) focal; urgency=medium
    
      * Add upstream-abstractions-add-etc-mdns.allow-to-etc-apparmor.d-ab.patch
        (LP: #1869629)
    
     -- John Johansen <email address hidden>  Wed, 01 Apr 2020 01:05:30 -0700
  • apparmor (2.13.3-7ubuntu2) focal; urgency=medium
    
      * No-change rebuild to drop python3.7.
    
     -- Matthias Klose <email address hidden>  Tue, 18 Feb 2020 10:42:36 +0100
  • apparmor (2.13.3-7ubuntu1) focal; urgency=medium
    
      * Merge from Debian. Remaining changes:
        - Ubuntu-specific patches:
          + ubuntu/add-chromium-browser.patch
          + ubuntu/communitheme-snap-support.patch
          + ubuntu/mimeinfo-snap-support.patch
          + ubuntu/parser-conf-no-expr-simplify.patch
          + ubuntu/profiles-grant-access-to-systemd-resolved.patch
          + upstream-dont-allow-fontconfig-cache-write.patch
          + upstream-tests-mult-mount-bump-size-of-created-disk.patch
        - debian/apparmor.{install,maintscript}: feature pinning is not used in
          Ubuntu
        - debian/apparmor.preinst: remove cache files on upgrade to 2.13
        - debian/apparmor-profiles.install: install Ubuntu chromium-browser
          profile and abstraction
        - debian/apparmor-profiles.lintian-overrides: update for chromium-browser
          profile having read access to dpkg database for lsb-release
        - debian/apparmor-profiles.postinst: ubuntu-browsers.d/chromium-browser
          abstraction if it doesn't exist
        - debian/control: adjust the Vcs-{Browser,Git} control fields to reflect
          the branch where the Ubuntu packaging is maintained.
        - debian/gbp.conf: use ubuntu/master as the debian-branch
        - debian/patches/series: comment out debian-only patches
        - debian/tests/control and debian/tests/compile-policy: don't test
          thunderbird since the Ubuntu packaging doesn't ship a profile
      * Drop the following patches, no longer needed:
        - python3.8-ac.diff
      * debian/control: drop Breaks on media-hub, mediascanner2.0, messaging-app,
        and webbrowser-app which was needed for upgrades to bionic (LP: #1797242)
      * upstream-adjust-for-ibus-1.5.22.patch: update ibus abstract path for ibus
        1.5.22
      * upstream-adjust-gnome-for-mimeapps.patch: abstractions/gnome: also allow
        /etc/xdg/mimeapps.list (LP: #1792027)
    
    apparmor (2.13.3-7) unstable; urgency=medium
    
      * Add explicit build dependency on dh-python, so that this package
        can be built with python3-defaults 3.7.5-3.
    
    apparmor (2.13.3-6) unstable; urgency=medium
    
      [ Matthias Klose ]
      * debian/rules: ensure "set -e" is honored (Closes: #943649).
      * Add upstream-mr-430-Fix-a-Python-3.8-autoconf-check.patch (Closes: #943657).
    
     -- Jamie Strandboge <email address hidden>  Tue, 17 Dec 2019 15:50:00 +0000
  • apparmor (2.13.3-5ubuntu5) focal; urgency=medium
    
      * Don't ignore exit status in debian/rules.
      * Fix a Python 3.8 autoconf check.
    
     -- Matthias Klose <email address hidden>  Sun, 27 Oct 2019 16:38:00 +0200
  • apparmor (2.13.3-5ubuntu4) focal; urgency=medium
    
      * Don't ignore exit status in debian/rules.
      * Fix a Python 3.8 autoconf check.
    
     -- Matthias Klose <email address hidden>  Sun, 27 Oct 2019 16:38:00 +0200
  • apparmor (2.13.3-5ubuntu3) focal; urgency=medium
    
      * Don't ignore exit status in debian/rules.
      * Fix a Python 3.8 autoconf check.
    
     -- Matthias Klose <email address hidden>  Sun, 27 Oct 2019 16:38:00 +0200
  • apparmor (2.13.3-5ubuntu2) focal; urgency=medium
    
      * No-change rebuild for the perl update.
    
     -- Matthias Klose <email address hidden>  Fri, 18 Oct 2019 19:26:58 +0000
  • apparmor (2.13.3-5ubuntu1) eoan; urgency=medium
    
      * Merge new upstream release from Debian. Remaining changes:
        - Ubuntu-specific patches:
          + ubuntu/add-chromium-browser.patch
          + ubuntu/communitheme-snap-support.patch
          + ubuntu/mimeinfo-snap-support.patch
          + ubuntu/parser-conf-no-expr-simplify.patch
          + ubuntu/profiles-grant-access-to-systemd-resolved.patch
        - debian/apparmor.{install,maintscript}: feature pinning is not used in
          Ubuntu
        - debian/apparmor.preinst: remove cache files on upgrade to 2.13
        - debian/apparmor-profiles.install: install Ubuntu chromium-browser
          profile and abstraction
        - debian/apparmor-profiles.lintian-overrides: update for chromium-browser
          profile having read access to dpkg database for lsb-release
        - debian/apparmor-profiles.postinst: ubuntu-browsers.d/chromium-browser
          abstraction if it doesn't exist
        - debian/control: adjust the Vcs-{Browser,Git} control fields to reflect
          the branch where the Ubuntu packaging is maintained.
        - debian/gbp.conf: use ubuntu/master as the debian-branch
        - debian/patches/series: comment out debian-only patches
        - debian/tests/control and debian/tests/compile-policy: don't test
          thunderbird since the Ubuntu packaging doesn't ship a profile
      * Drop the following patches, no longer needed:
        - ubuntu/dont-include-site-local-with-dovecot.patch
        - lp1820068.patch
        - upstream-commit-fix-segfault-in-overlaydirat_for_each.patch
        - upstream-commit-add-option-to-dump-policy-cache-with-libapparmor.patch
        - upstream-commit-teach-aa_policy_cache_sh-about-the-new-cache.patch
        - upstream-commit-fix-segfault-when-loading-policy-cache-files.patch
        - upstream-commit-fix-variable-name-overlap-in-merge-macro.patch
      * upstream-dont-allow-fontconfig-cache-write.patch: don't allow write of
        fontconfig cache files
      * upstream-tests-mult-mount-bump-size-of-created-disk.patch: regression
        tests/mult_mount: bump size of created disk image
    
    apparmor (2.13.3-5) unstable; urgency=medium
    
      * upstream-mr-419-Xwayland-vs-recent-mutter.patch: new patch (Closes: #935058)
    
    apparmor (2.13.3-4) unstable; urgency=medium
    
      * New patch, cherry-picked and adapted from Ubuntu: don't include local/
        snippets in the Dovecot profiles. These inclusions of non-existing files
        break aa-genprof (Closes: #928160).
      * Merge ubuntu/2.13.2-9ubuntu7, which turns out to be a no-op, because
        we essentially revert all changes brought by this merge:
        - Drop lp1820068.patch, introduced in 2.13.2-9ubuntu7: it's included
          in the 2.13.3 upstream release already.
        - Don't enable ubuntu/parser-conf-no-expr-simplify.patch, that Ubuntu just
          re-enabled: in Debian we don't disable expression tree simplification,
          because we've cherry-picked an upstream patch that improves its
          performance sufficiently.
    
    apparmor (2.13.3-3) unstable; urgency=medium
    
      [ Michael Biebl ]
      * Move libraries back to /usr/lib
    
      [ intrigeri ]
      * Remove Lintian override made obsolete by the move to /usr/lib/apparmor/
      * Avoid-blhc-CPPFLAGS-missing-false-positive.patch: new patch.
      * Revert "debian/control: Breaks on snapd < 2.38~"
        Jamie Strandboge explained in detail on #932815 the rationale behind this
        Breaks relationship. The user impact seems non-critical and the risk of the
        problem happening in practice is very low, so for now let's remove this
        Breaks, which prevents apparmor from migrating to testing (we don't have
        snapd 2.38+ in Debian yet).
    
    apparmor (2.13.3-2) unstable; urgency=medium
    
      * Install the lsb_release profile.
    
    apparmor (2.13.3-1) unstable; urgency=medium
    
      * Import new 2.13.3 upstream release and accordingly:
        - Update dev-pkg-without-shlib-symlink Lintian override: soname
          was bumped to 1.6.1.
        - Drop patches that were applied upstream.
      * Merge ubuntu/2.13.2-9ubuntu6, dropping the Ubuntu delta (Closes: #926015):
        - lp1824812.patch: set SFS_MOUNTPOINT in is_container_with_internal_policy()
          since it is sometimes called independently of is_apparmor_loaded()
          (LP: #1824812)
        - debian/apparmor.postrm: remove parser-created subdirs
        - debian/tests/control: try Ubuntu kernel but mark skip-not-installable
        - regression testsuite fixes:
          upstream-commit-add-option-to-dump-policy-cache-with-libapparmor.patch,
          upstream-commit-teach-aa_policy_cache_sh-about-the-new-cache.patch,
          upstream-commit-fix-variable-name-overlap-in-merge-macro.patch
        - debian/debhelper/postrm-apparmor: also remove cache files
        - debian/control: Breaks on snapd < 2.38~ (the cache forest breaks snap
          remove)
      * Declare compatibility with Debian Policy 4.4.0.
      * Bump debhelper compatibility level to 12. Accordingly:
        - dh_installinit: replace --no-restart-on-upgrade with its new
          --no-stop-on-upgrade name
        - Add override_dh_installsystemd that mimics our override_dh_installinit
      * tests/compile-policy: check syntax of kopano profiles (implements
        #923313 except kopano-search, until giraffe-team/kopanocore!4 is merged
        and uploaded)
    
     -- Jamie Strandboge <email address hidden>  Mon, 09 Sep 2019 19:13:22 +0000