apparmor (4.0.0~alpha2-0ubuntu5) mantic; urgency=medium

  * Add additional AppArmor profiles to support third-party applications
    that use unprivileged user namespace restrictions (LP: #2036698)
    - Refreshed d/p/u/userns-unconfined-profiles.patch to add additional
      profiles and added to debian/apparmor.install
      - usr.share.code.bin.code
      - opt.microsoft.msedge.msedge
      - usr.lib.multiarch.opera.opera
      - opt.brave.com.brave.brave
      - opt.vivaldi.vivaldi-bin
  * Clarify comment in sysctl.d conf file that this feature is not
    enabled by default but can be overridden by the user if desired.

 -- Alex Murray <email address hidden> Fri, 22 Sep 2023 16:50:22 +0930

apparmor (4.0.0~alpha2-0ubuntu4) mantic; urgency=medium

  * Remove conflicting profile for usr.bin.lxc-start (LP: #2036302)
    - d/p/u/userns-unconfined-profiles.patch: Don't ship a profile for
      usr.bin.lxc-start as this is already shipped in liblxc-common
    - debian/apparmor.install: Remove usr.bin.lxc-start profile

 -- Alex Murray <email address hidden> Mon, 18 Sep 2023 10:59:37 +0930

apparmor (4.0.0~alpha2-0ubuntu3) mantic; urgency=medium

  * Add remaining AppArmor profiles to support unprivileged user
    namespace restrictions (LP: #2035315)
    - Refreshed d/p/u/userns-unconfined-profiles.patch to add remaining
      profiles and added to debian/apparmor.install
      - usr.libexec.multiarch.bazel.linux-sandbox
      - usr.bin.busybox
      - usr.bin.buildah
      - usr.bin.cam
      - usr.bin.ipa_verify
      - usr.bin.lc-compliance
      - usr.bin.libcamerify
      - usr.bin.qcam
      - usr.bin.podman
      - usr.bin.lxc-attach
      - usr.bin.lxc-create
      - usr.bin.lxc-destroy
      - usr.bin.lxc-execute
      - usr.bin.lxc-start
      - usr.bin.lxc-stop
      - usr.bin.lxc-unshare
      - usr.bin.lxc-usernsexec
      - usr.bin.mmdebstrap
      - usr.bin.vpnns
      - usr.lib.qt6.libexec.QtWebEngineProcess
      - usr.lib.multiarch.qt5.libexec.QtWebEngineProcess
      - usr.bin.rootlesskit
      - usr.bin.rpm
      - usr.sbin.runc
      - usr.libexec.virtiofsd
      - usr.bin.sbuild
      - usr.bin.sbuild-abort
      - usr.bin.sbuild-apt
      - usr.bin.sbuild-checkpackages
      - usr.bin.sbuild-clean
      - usr.bin.sbuild-createchroot
      - usr.bin.sbuild-distupgrade
      - usr.bin.sbuild-hold
      - usr.bin.sbuild-shell
      - usr.bin.sbuild-unhold
      - usr.bin.sbuild-update
      - usr.bin.sbuild-upgrade
      - usr.sbin.sbuild-adduser
      - usr.sbin.sbuild-destroychroot
      - usr.bin.slirp4netns
      - usr.bin.stress-ng
      - usr.bin.thunderbird
      - bin.toybox
      - usr.bin.trinity
      - usr.bin.tup
      - usr.bin.userbindmount
      - usr.bin.uwsgi-core
      - usr.bin.vdens
      - opt.google.chrome.chrome

 -- Alex Murray <email address hidden> Thu, 14 Sep 2023 15:58:40 +0930

apparmor (4.0.0~alpha2-0ubuntu2) mantic; urgency=medium

  * Fix invalid JSON output from aa-status --json via upstream patch
    (LP: #2032994)
    - d/p/u/binutils-aa_status.c-quiet-verbose-outputs-when-json.patch

 -- Alex Murray <email address hidden> Fri, 25 Aug 2023 09:48:24 +0930

apparmor (4.0.0~alpha2-0ubuntu1) mantic; urgency=medium

  [ John Johansen ]
  * New upstream release 4.0-alpha2

  [ Alex Murray ]
  * Infrastructure to enable AppArmor userns restrictions
    (LP: #2030353, LP: #2032602)
    - debian/usr/lib/sysctl.d/10-apparmor.conf: disable userns restrictions
      for now until we have a complete set of profiles for the whole
      Ubuntu archive
    - debian/apparmor.install: ship sysctl.d file in the apparmor binary
      package
    - d/p/u/userns-unconfined.patch: add some additional profiles that
      specify the userns permission with the unconfined flag for a currently
      incomplete list of applications within the Ubuntu archive that use
      unprivileged user namespaces
      - usr.bin.ch-checkns
      - usr.bin.ch-run
      - usr.bin.crun
      - usr.bin.flatpak
    - debian/put-all-profiles-in-complain-mode.sh: don't put unconfined
      profiles in complain mode
  * Add patches from upstream to fix test failures
    - d/p/u/tests-fix-userns-setns-opening-pipe-order.patch
    - d/p/u/tests-replace-individual-socket-permissions.patch
    - d/p/u/tests-fix-test-specifying-path-on-attach-disconnected.patch
  * Add new symbols

apparmor (4.0.0~alpha1-0ubuntu1) mantic; urgency=medium

  * New upstream release.
  * Drop patches which have now been applied upstream
    - d/p/fix-expected-library-version.patch
    - d/p/u/enable-pinning-of-pre-AppArmor-3.x-poli.patch
    - d/p/u/regression-tests-fix-aa_policy_cache-when-using-syst.patch
    - d/p/u/add-mqueue-support.patch
    - d/p/u/add-userns-support.patch
    - d/p/u/update-snap-browsers-permissions-lp1794064.patch
    - d/p/u/add-4.0-abi.patch
  * Refresh patches
    - d/p/d/etc-writable.patch
    - d/p/u/samba-systemd-interaction.patch
  * d/apparmor.install: install aa-load
  * d/apparmor-profiles.install:
    - install new profiles
      - usr.lib.dovecot.director
      - usr.lib.dovecot.doveadm-server
      - usr.lib.dovecot.replicator
      - zgrep
      - rpcbind
      - chromium_browser
      - usr.bin.pyzorsocket
      - usr.bin.razorsocket
      - usr.sbin.clamd
      - usr.sbin.haproxy
    - rename profiles
      - firefox
      - firefox.sh

 -- Alex Murray <email address hidden> Tue, 22 Aug 2023 12:30:32 +0930

apparmor (3.0.8-1ubuntu4) mantic; urgency=medium

  * Backport 4.0 ABI from upstream (LP: #2026227)
    - d/p/u/add-4.0-abi.patch

 -- Alex Murray <email address hidden> Thu, 06 Jul 2023 12:14:15 +0930

apparmor (3.0.8-1ubuntu3) mantic; urgency=medium

  * Update abstractions/snap-browsers to include lock permissions
    (LP: #1794064)
    - d/p/u/update-snap-browsers-permissions-lp1794064.patch

 -- Georgia Garcia <email address hidden> Tue, 06 Jun 2023 08:52:13 -0300

apparmor (3.0.8-1ubuntu2) lunar; urgency=medium

  * Rebuild to drop Python 3.10 extension

 -- Jeremy Bicha <email address hidden> Tue, 28 Feb 2023 17:18:12 -0500